DDS log & GMER logs for some Trojans I can't remove?


  • This topic is locked
27 replies to this topic

#1 wtfer

  • Members
  • 51 posts

Posted 09 August 2009 - 03:26 PM

Hey,

I posted this on the "Am I infected? What do I do?" board, but none of the rootkit removal programs are helping. Referred from here: http://www.bleepingcomputer.com/forums/t/247184/i-just-got-infected-big-time-my-pc-hijacked-help-please/ ~ OB
I tried Sophos Anti-toolkit & removed a ystas.... .sys file & rebooted & did another scan with Sophos, which showed all the Unknown hidden files gone, except for one exe file in C:\WINDOWS\I386\AUTOFMT.EXE.
Thing is, after that I scanned with GMER & DDS & they show the same ystas.... files still there.


I also cannot run RootRepeal. It worked the day I downloaded it, but now it just gets stuck on the initializing box, & after 15 minutes of that & slowing my PC to a crawl, a window appears & tells me that "Virtual memory Minimum is too low".
The only way to turn off my system after that is to unplug my PC cord. I'm not sure if it is because of the Trojan or because of some conflicting file or whatnot?

My system is an XP SP3, with all the latest updates. My PC is an HP Pavilion a510n Desktop. I'm using a D-Link DIR-655 router right now as well, if it matters.

I have also run CCleaner, TweakNow RegCleaner, Eusing Free Registry Cleaner, Ad-Aware, SUPERantispyware & Malwarebytes' Anti-Malware. I have also set my PC to not hide any file extension & to view hidden files in my Tools options.

My DDS log:
DDS (Ver_09-07-30.01) - NTFSx86  
Run by Owner at 17:38:17.12 on Sat 08/08/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.447.213 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

mStart Page = about:blank
uInternet Settings,ProxyOverride = localhost
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187662952171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {F18C8103-AD7C-494D-849F-B1E4075A0DDA} = 66.215.64.14,24.205.1.14
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\npsim8rj.default\
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\mozilla firefox\plugins\np32asw.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota",	  5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history",	 true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata",	true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords",   false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads",   true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies",	 true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache",	   true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions",	true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history",				 true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata",				true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords",			   false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads",			   true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies",				 true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache",				   true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions",				true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps",			 false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings",			false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs",	false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2007-6-4 2368]
S3 mbr;mbr;\??\c:\docume~1\owner\locals~1\temp\mbr.sys --> c:\docume~1\owner\locals~1\temp\mbr.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?]
S3 ProtoWall;ProtoWall Network Service;c:\windows\system32\drivers\protowall.sys --> c:\windows\system32\drivers\ProtoWall.sys [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]

=============== Created Last 30 ================

2009-08-07 17:47	<DIR>	--d-----	c:\program files\Sophos
2009-08-06 19:31	<DIR>	--d-----	c:\program files\common files\Wise Installation Wizard
2009-08-06 19:28	1,343,651	a-------	C:\MGtools.exe
2009-08-06 09:31	<DIR>	a-d-----	c:\windows\system32\images
2009-08-05 20:47	<DIR>	--d-----	c:\docume~1\owner\applic~1\Malwarebytes
2009-08-05 20:47	38,160	a-------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-05 20:47	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-05 20:47	19,096	a-------	c:\windows\system32\drivers\mbam.sys
2009-08-05 20:47	<DIR>	--d-----	c:\program files\Malwarebytes' Anti-Malware
2009-08-05 19:22	<DIR>	--d-----	c:\program files\Trend Micro
2009-08-05 19:14	284,160	-c------	c:\windows\system32\dllcache\pdh.dll
2009-08-05 19:14	729,088	-c------	c:\windows\system32\dllcache\lsasrv.dll
2009-08-05 19:14	473,600	-c------	c:\windows\system32\dllcache\fastprox.dll
2009-08-05 19:14	453,120	-c------	c:\windows\system32\dllcache\wmiprvsd.dll
2009-08-05 19:14	401,408	-c------	c:\windows\system32\dllcache\rpcss.dll
2009-08-05 19:14	227,840	-c------	c:\windows\system32\dllcache\wmiprvse.exe
2009-08-05 19:14	110,592	-c------	c:\windows\system32\dllcache\services.exe
2009-08-05 19:14	714,752	-c------	c:\windows\system32\dllcache\ntdll.dll
2009-08-05 19:14	617,472	-c------	c:\windows\system32\dllcache\advapi32.dll
2009-08-05 19:02	2,560	--------	c:\windows\system32\xpsp4res.dll
2009-08-05 19:02	1,203,922	-c------	c:\windows\system32\dllcache\sysmain.sdb
2009-08-05 19:02	215,552	-c------	c:\windows\system32\dllcache\wordpad.exe
2009-08-05 19:02	455,296	-c------	c:\windows\system32\dllcache\mrxsmb.sys
2009-08-05 18:57	337,408	-c------	c:\windows\system32\dllcache\netapi32.dll
2009-08-05 18:57	1,106,944	-c------	c:\windows\system32\dllcache\msxml3.dll
2009-08-05 18:56	91	a-------	c:\windows\system32\ytasfweecblcvn.dat
2009-08-05 17:45	19,968	a-------	c:\windows\system32\ytasfwpucrjiks.dll
2009-08-05 17:43	20,662	a-------	c:\windows\system32\ytasfwlltlyioy.dat
2009-08-05 17:43	44,032	a-------	c:\windows\system32\ytasfwbwfwrgsk.dll

==================== Find3M  ====================

2009-06-29 09:12	827,392	a-------	c:\windows\system32\wininet.dll
2009-06-29 09:12	78,336	a-------	c:\windows\system32\ieencode.dll
2009-06-29 09:12	17,408	a-------	c:\windows\system32\corpol.dll
2009-06-16 07:36	119,808	a-------	c:\windows\system32\t2embed.dll
2009-06-16 07:36	81,920	a-------	c:\windows\system32\fontsub.dll
2009-06-03 12:09	1,291,264	a-------	c:\windows\system32\quartz.dll
2006-05-03 03:06	163,328	---shr--	c:\windows\system32\flvDX.dll
2008-10-02 19:29	32,768	a--sh---	c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100220081003\index.dat

============= FINISH: 17:39:00.01 ===============


My GMER log:
GMER 1.0.15.15020 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-08 20:03:14
Windows 5.1.2600 Service Pack 3


---- Services - GMER 1.0.15 ----

Service  system32\drivers\ytasfwemoyxtlr.sys (*** hidden *** )									[SYSTEM] ytasfwmqfwxwbw						   <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw@start							  1
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw@type							   1
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw@group							  file system
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw@imagepath						  \systemroot\system32\drivers\ytasfwemoyxtlr.sys
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\main							   
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\main@aid						   10002
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\main@sid						   1
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\main@cmddelay					  14400
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\main\delete						
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\main\injector					  
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\main\injector@*					ytasfwwsp.dll
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\main\tasks						 
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\modules							
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\modules@ytasfwrk.sys			   \systemroot\system32\drivers\ytasfwemoyxtlr.sys
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\modules@ytasfwcmd.dll			  \systemroot\system32\ytasfwbwfwrgsk.dll
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\modules@ytasfwlog.dat			  \systemroot\system32\ytasfwlltlyioy.dat
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\modules@ytasfwwsp.dll			  \systemroot\system32\ytasfwpucrjiks.dll
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\modules@ytasfw.dat				 \systemroot\system32\ytasfweecblcvn.dat
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw@start								  1
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw@type								   1
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw@group								  file system
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw@imagepath							  \systemroot\system32\drivers\ytasfwemoyxtlr.sys
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\main (not active ControlSet)		   
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\main@aid							   10002
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\main@sid							   1
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\main@cmddelay						  14400
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\main\delete (not active ControlSet)	
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\main\injector (not active ControlSet)  
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\main\injector@*						ytasfwwsp.dll
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\main\tasks (not active ControlSet)	 
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\modules (not active ControlSet)		
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\modules@ytasfwrk.sys				   \systemroot\system32\drivers\ytasfwemoyxtlr.sys
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\modules@ytasfwcmd.dll				  \systemroot\system32\ytasfwbwfwrgsk.dll
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\modules@ytasfwlog.dat				  \systemroot\system32\ytasfwlltlyioy.dat
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\modules@ytasfwwsp.dll				  \systemroot\system32\ytasfwpucrjiks.dll
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\modules@ytasfw.dat					 \systemroot\system32\ytasfweecblcvn.dat

---- EOF - GMER 1.0.15 ----

Edited by Orange Blossom, 09 August 2009 - 03:35 PM.
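The GMER and DDS logs above carry the detection signal in a structured form: GMER flags one hidden service, and its registry "modules" subkey maps logical module names onto files on disk, several of which also appear in DDS's "Created Last 30" listing. As an added example (not part of this thread or of the GMER/DDS tools), here is a small Python parser that pulls those facts out of sample lines copied from the logs above and cross-references them. It assumes GMER and DDS columns are separated by runs of whitespace (the original uses tabs) and that %SystemRoot% resolves to C:\WINDOWS, as the DDS process list shows.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the GMER log in post #1,
# with the tab columns collapsed to spaces.
GMER_SAMPLE = "\n".join([
    r"---- Services - GMER 1.0.15 ----",
    r"Service  system32\drivers\ytasfwemoyxtlr.sys (*** hidden *** )   [SYSTEM] ytasfwmqfwxwbw   <-- ROOTKIT !!!",
    r"---- Registry - GMER 1.0.15 ----",
    r"Reg   HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw@start   1",
    r"Reg   HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw@imagepath   \systemroot\system32\drivers\ytasfwemoyxtlr.sys",
    r"Reg   HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\main",
    r"Reg   HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\main@cmddelay   14400",
    r"Reg   HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\main\injector@*   ytasfwwsp.dll",
    r"Reg   HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\modules@ytasfwrk.sys   \systemroot\system32\drivers\ytasfwemoyxtlr.sys",
    r"Reg   HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\modules@ytasfwcmd.dll   \systemroot\system32\ytasfwbwfwrgsk.dll",
    r"Reg   HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\modules@ytasfwlog.dat   \systemroot\system32\ytasfwlltlyioy.dat",
    r"Reg   HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\modules@ytasfwwsp.dll   \systemroot\system32\ytasfwpucrjiks.dll",
    r"Reg   HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\modules@ytasfw.dat   \systemroot\system32\ytasfweecblcvn.dat",
    r"Reg   HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\main (not active ControlSet)",
    r"Reg   HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\modules@ytasfwrk.sys   \systemroot\system32\drivers\ytasfwemoyxtlr.sys",
])

# Constructed sample input: lines copied from the DDS "Created Last 30" section.
DDS_SAMPLE = "\n".join([
    r"=============== Created Last 30 ================",
    r"2009-08-07 17:47   <DIR>   --d-----   c:\program files\Sophos",
    r"2009-08-05 18:56   91   a-------   c:\windows\system32\ytasfweecblcvn.dat",
    r"2009-08-05 17:45   19,968   a-------   c:\windows\system32\ytasfwpucrjiks.dll",
    r"2009-08-05 17:43   20,662   a-------   c:\windows\system32\ytasfwlltlyioy.dat",
    r"2009-08-05 17:43   44,032   a-------   c:\windows\system32\ytasfwbwfwrgsk.dll",
])

# GMER "Service" line for a hidden service: image path, account, service name.
SERVICE_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(\w+)\]\s+(\S+)")
# GMER "Reg" line: key path (value name after '@'), then optional data.
REG_RE = re.compile(r"^Reg\s+(\S+)(?:\s+(.*?))?\s*$")
# DDS created-file line: timestamp, size or <DIR>, attribute flags, path (may contain spaces).
DDS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


@dataclass
class GmerReport:
    hidden_services: list = field(default_factory=list)  # (image, service_name)
    registry: list = field(default_factory=list)         # (key, value_name_or_None, data)


def parse_gmer(text):
    rep = GmerReport()
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            rep.hidden_services.append((m.group(1), m.group(3)))
            continue
        m = REG_RE.match(line)
        if m:
            key, data = m.group(1), m.group(2) or ""
            value = None
            if "@" in key:
                key, value = key.rsplit("@", 1)
            rep.registry.append((key, value, data))
    return rep


def normalize(path, system_root="c:\\windows"):
    # GMER prints data with the NT-style \systemroot prefix while DDS prints drive
    # paths; assumption: %SystemRoot% is C:\WINDOWS, as the DDS process list shows.
    p = path.lower()
    if p.startswith("\\systemroot\\"):
        p = system_root + p[len("\\systemroot"):]
    return p


def service_modules(rep, service):
    # Files the service's "modules" subkey points at; active ControlSet only,
    # so the stale ControlSet003 copy is not double-counted.
    prefix = "hklm\\system\\currentcontrolset\\services\\" + service.lower() + "\\modules"
    return {v: normalize(d) for k, v, d in rep.registry if k.lower() == prefix and v}


def parse_dds_created(text):
    # Map lower-cased path -> creation timestamp from DDS "Created Last 30".
    out = {}
    for line in text.splitlines():
        m = DDS_RE.match(line)
        if m:
            out[m.group(4).lower()] = m.group(1)
    return out


def correlate(gmer_text, dds_text):
    # For every module of every hidden service, say whether DDS saw the file
    # being created; a module GMER names but DDS never lists is itself hidden.
    rep = parse_gmer(gmer_text)
    created = parse_dds_created(dds_text)
    findings = []
    for _image, svc in rep.hidden_services:
        for logical, path in service_modules(rep, svc).items():
            findings.append({"service": svc, "module": logical,
                             "path": path, "created": created.get(path)})
    return findings


if __name__ == "__main__":
    for f in correlate(GMER_SAMPLE, DDS_SAMPLE):
        flag = "NOT in DDS created list" if f["created"] is None else "created " + f["created"]
        print(f"{f['service']} {f['module']:<14} {f['path']}  [{flag}]")
```

Run against the sample, four of the five module files line up with DDS creation timestamps on 2009-08-05; the one that does not is the kernel driver ytasfwemoyxtlr.sys, which DDS never lists because it is the component GMER marks hidden. That mismatch, rather than any single file name, is what tells a responder that the registry entries and the on-disk files belong together and that the driver is what hides them.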



#2 Guest_superbird_*

  • Guests

Posted 20 August 2009 - 03:07 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 wtfer

  • Topic Starter
  • Members
  • 51 posts

Posted 20 August 2009 - 04:44 PM

Hi, I performed several scans, but didn't remove anything as I'm not sure what to remove.


I have a rootkit that may be an Application level one, as I read from the Wikipedia page:

Application level rootkits may replace regular application binaries with Trojan fakes, or they may modify the behavior of existing applications using hooks, patches, injected code, or other means.

There are unscrupulous companies whose business consists of disseminating rootkits for the purpose of generating paid involuntary page referrals. Such programs would redirect a visit to a popular website like Google to that of a client of the distributor of the rootkit.


This is what happened to me: I go to Google & click on a link & the page gets redirected, & on top of that my PC out of nowhere gets rebooted & hijacked. After that I can't access any programs & a fake anti-virus program keeps popping up non-stop.
I used Malwarebytes in safe mode to get rid of that program, but it did not get rid of the rootkit.

I have been only coming here & disconnecting my cable modem after that for the past few days.
I tried using RootRepeal ( I even renamed the file), but it just hangs on the start up & freezes my PC.

All the ytasfw files in my GMER log seem to be the problem, but not sure how to go about getting rid of all of them.
Here are all the full system logs I made in safe mode just a few days ago; I didn't make any changes to them:

GMER
GMER 1.0.15.15020 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-10 15:19:10
Windows 5.1.2600 Service Pack 3


---- Devices - GMER 1.0.15 ----

Device   \FileSystem\Cdfs \Cdfs																   F6E5D400

---- Services - GMER 1.0.15 ----

Service  system32\drivers\ytasfwemoyxtlr.sys (*** hidden *** )									[SYSTEM] ytasfwmqfwxwbw						   <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw@start							  1
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw@type							   1
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw@group							  file system
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw@imagepath						  \systemroot\system32\drivers\ytasfwemoyxtlr.sys
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\main							   
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\main@aid						   10002
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\main@sid						   1
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\main@cmddelay					  14400
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\main\delete						
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\main\injector					  
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\main\injector@*					ytasfwwsp.dll
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\main\tasks						 
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\modules							
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\modules@ytasfwrk.sys			   \systemroot\system32\drivers\ytasfwemoyxtlr.sys
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\modules@ytasfwcmd.dll			  \systemroot\system32\ytasfwbwfwrgsk.dll
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\modules@ytasfwlog.dat			  \systemroot\system32\ytasfwlltlyioy.dat
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\modules@ytasfwwsp.dll			  \systemroot\system32\ytasfwpucrjiks.dll
Reg	  HKLM\SYSTEM\CurrentControlSet\Services\ytasfwmqfwxwbw\modules@ytasfw.dat				 \systemroot\system32\ytasfweecblcvn.dat
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw@start								  1
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw@type								   1
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw@group								  file system
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw@imagepath							  \systemroot\system32\drivers\ytasfwemoyxtlr.sys
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\main (not active ControlSet)		   
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\main@aid							   10002
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\main@sid							   1
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\main@cmddelay						  14400
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\main\delete (not active ControlSet)	
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\main\injector (not active ControlSet)  
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\main\injector@*						ytasfwwsp.dll
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\main\tasks (not active ControlSet)	 
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\modules (not active ControlSet)		
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\modules@ytasfwrk.sys				   \systemroot\system32\drivers\ytasfwemoyxtlr.sys
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\modules@ytasfwcmd.dll				  \systemroot\system32\ytasfwbwfwrgsk.dll
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\modules@ytasfwlog.dat				  \systemroot\system32\ytasfwlltlyioy.dat
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\modules@ytasfwwsp.dll				  \systemroot\system32\ytasfwpucrjiks.dll
Reg	  HKLM\SYSTEM\ControlSet003\Services\ytasfwmqfwxwbw\modules@ytasfw.dat					 \systemroot\system32\ytasfweecblcvn.dat

---- EOF - GMER 1.0.15 ----
These two Trojans reappeared after I had already scanned & cleaned all the previous infections with Malwarebytes:
Malwarebytes
Malwarebytes' Anti-Malware 1.40
Database version: 2568
Windows 5.1.2600 Service Pack 3 (Safe Mode)

8/10/2009 5:24:36 PM
3 -mbam-log-2009-08-10 (17-24-21).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 198595
Time elapsed: 1 hour(s), 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ytasfwbwfwrgsk.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\ytasfwpucrjiks.dll (Trojan.Agent) -> No action taken.
DDS
DDS (Ver_09-07-30.01) - NTFSx86  
Run by Owner at 17:37:59.03 on Mon 08/10/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.447.196 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

mStart Page = about:blank
uInternet Settings,ProxyOverride = localhost
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187662952171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {F18C8103-AD7C-494D-849F-B1E4075A0DDA} = 66.215.64.14,24.205.1.14
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\npsim8rj.default\
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\mozilla firefox\plugins\np32asw.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota",	  5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history",	 true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata",	true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords",   false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads",   true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies",	 true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache",	   true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions",	true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history",				 true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata",				true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords",			   false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads",			   true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies",				 true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache",				   true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions",				true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps",			 false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings",			false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs",	false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2007-6-4 2368]
S3 iexplore;iexplore;\??\c:\windows\system32\drivers\iexplore.sys --> c:\windows\system32\drivers\iexplore.sys [?]
S3 mbr;mbr;\??\c:\docume~1\owner\locals~1\temp\mbr.sys --> c:\docume~1\owner\locals~1\temp\mbr.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\1.tmp [2009-8-10 6144]
S3 ProtoWall;ProtoWall Network Service;c:\windows\system32\drivers\protowall.sys --> c:\windows\system32\drivers\ProtoWall.sys [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]

=============== Created Last 30 ================

2009-08-10 17:33	6,144	--------	c:\windows\system32\1.tmp
2009-08-10 17:30	6,144	--------	c:\windows\system32\92.tmp
2009-08-10 17:29	6,144	--------	c:\windows\system32\91.tmp
2009-08-07 17:47	<DIR>	--d-----	c:\program files\Sophos
2009-08-06 19:31	<DIR>	--d-----	c:\program files\common files\Wise Installation Wizard
2009-08-06 19:28	1,343,651	a-------	C:\MGtools.exe
2009-08-06 09:31	<DIR>	a-d-----	c:\windows\system32\images
2009-08-05 20:47	<DIR>	--d-----	c:\docume~1\owner\applic~1\Malwarebytes
2009-08-05 20:47	38,160	a-------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-05 20:47	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-05 20:47	19,096	a-------	c:\windows\system32\drivers\mbam.sys
2009-08-05 20:47	<DIR>	--d-----	c:\program files\Malwarebytes' Anti-Malware
2009-08-05 19:22	<DIR>	--d-----	c:\program files\Trend Micro
2009-08-05 19:14	284,160	-c------	c:\windows\system32\dllcache\pdh.dll
2009-08-05 19:14	729,088	-c------	c:\windows\system32\dllcache\lsasrv.dll
2009-08-05 19:14	473,600	-c------	c:\windows\system32\dllcache\fastprox.dll
2009-08-05 19:14	453,120	-c------	c:\windows\system32\dllcache\wmiprvsd.dll
2009-08-05 19:14	401,408	-c------	c:\windows\system32\dllcache\rpcss.dll
2009-08-05 19:14	227,840	-c------	c:\windows\system32\dllcache\wmiprvse.exe
2009-08-05 19:14	110,592	-c------	c:\windows\system32\dllcache\services.exe
2009-08-05 19:14	714,752	-c------	c:\windows\system32\dllcache\ntdll.dll
2009-08-05 19:14	617,472	-c------	c:\windows\system32\dllcache\advapi32.dll
2009-08-05 19:02	2,560	--------	c:\windows\system32\xpsp4res.dll
2009-08-05 19:02	1,203,922	-c------	c:\windows\system32\dllcache\sysmain.sdb
2009-08-05 19:02	215,552	-c------	c:\windows\system32\dllcache\wordpad.exe
2009-08-05 19:02	455,296	-c------	c:\windows\system32\dllcache\mrxsmb.sys
2009-08-05 18:57	337,408	-c------	c:\windows\system32\dllcache\netapi32.dll
2009-08-05 18:57	1,106,944	-c------	c:\windows\system32\dllcache\msxml3.dll
2009-08-05 18:56	91	a-------	c:\windows\system32\ytasfweecblcvn.dat
2009-08-05 17:45	19,968	a-------	c:\windows\system32\ytasfwpucrjiks.dll
2009-08-05 17:43	20,662	a-------	c:\windows\system32\ytasfwlltlyioy.dat
2009-08-05 17:43	44,032	a-------	c:\windows\system32\ytasfwbwfwrgsk.dll

==================== Find3M  ====================

2009-06-29 09:12	827,392	a-------	c:\windows\system32\wininet.dll
2009-06-29 09:12	78,336	a-------	c:\windows\system32\ieencode.dll
2009-06-29 09:12	17,408	a-------	c:\windows\system32\corpol.dll
2009-06-16 07:36	119,808	a-------	c:\windows\system32\t2embed.dll
2009-06-16 07:36	81,920	a-------	c:\windows\system32\fontsub.dll
2009-06-03 12:09	1,291,264	a-------	c:\windows\system32\quartz.dll
2006-05-03 03:06	163,328	---shr--	c:\windows\system32\flvDX.dll
2008-10-02 19:29	32,768	a--sh---	c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100220081003\index.dat

============= FINISH: 17:38:39.42 ===============

SysProt AntiRootkit
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 652
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 716
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 740
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 788
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 800
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 948
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1024
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1064
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1112
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1184
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1460
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 1480
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1580
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1636
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
PID: 1668
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
PID: 1732
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1776
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\WDBtnMgr.exe
PID: 312
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ALCXMNTR.EXE
PID: 320
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 336
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 1260
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wscntfy.exe
PID: 1316
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Owner\Desktop\SysProt\SysProt.exe
PID: 472
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\system32\drivers\ytasfwemoyxtlr.sys
Service Name: ytasfwmqfwxwbw
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: \??\C:\Documents and Settings\Owner\Desktop\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: EFF85000
Module End: EFF90000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: EFBBC000
Module End: EFBE7000
Hidden: No

Module Name: \WINDOWS\system32\ntoskrnl.exe
Service Name: ---
Module Base: 804D7000
Module End: 806ED700
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806EE000
Module End: 8070E300
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F7A69000
Module End: F7A6B000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F7979000
Module End: F797C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F751A000
Module End: F7548000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F7A6B000
Module End: F7A6D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F7509000
Module End: F751A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F7569000
Module End: F7573000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F7B31000
Module End: F7B32000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F77E9000
Module End: F77F0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viaide.sys
Service Name: ViaIde
Module Base: F7A6D000
Module End: F7A6F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F7579000
Module End: F7584000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F74EA000
Module End: F7509000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F77F1000
Module End: F77F6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F7589000
Module End: F7596000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F74D2000
Module End: F74EA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fasttx2k.sys
Service Name: fasttx2k
Module Base: F74AF000
Module End: F74D2000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\SCSIPORT.SYS
Service Name: ScsiPort
Module Base: F7497000
Module End: F74AF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F7599000
Module End: F75A2000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F75A9000
Module End: F75B6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F7477000
Module End: F7497000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F7465000
Module End: F7477000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: F75B9000
Module End: F75C5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F744E000
Module End: F7465000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F73C1000
Module End: F744E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F7394000
Module End: F73C1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viaagp1.sys
Service Name: viaagp1
Module Base: F77F9000
Module End: F7800000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\SISAGPX.sys
Service Name: SISAGP
Module Base: F75C9000
Module End: F75D3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: F75D9000
Module End: F75E9000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: F75E9000
Module End: F75F7000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\nv_agp.sys
Service Name: nv_agp
Module Base: F7801000
Module End: F7807000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F737A000
Module End: F7394000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\nic1394.sys
Service Name: NIC1394
Module Base: F7649000
Module End: F7659000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\amdk7.sys
Service Name: AmdK7
Module Base: F6CFF000
Module End: F6D09000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\vtmini.sys
Service Name: viagfx
Module Base: F689A000
Module End: F68C5000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F6886000
Module End: F689A000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\AGRSM.sys
Service Name: AgereSoftModem
Module Base: F6781000
Module End: F6886000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: F78F1000
Module End: F78F9000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pfc.sys
Service Name: Pfc
Module Base: F7A41000
Module End: F7A44000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\AFS2K.SYS
Service Name: AFS2K
Module Base: F6955000
Module End: F695E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F6945000
Module End: F6955000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F6935000
Module End: F6944000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ks.sys
Service Name: ---
Module Base: F675E000
Module End: F6781000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F6925000
Module End: F6930000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F78F9000
Module End: F78FF000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F6729000
Module End: F674D000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F7901000
Module End: F7909000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Service Name: ALCXWDM
Module Base: F64FC000
Module End: F6729000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: F64D8000
Module End: F64FC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F6915000
Module End: F6924000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
Service Name: FET5X86V
Module Base: F6905000
Module End: F6911000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\serial.sys
Service Name: Serial
Module Base: F68F5000
Module End: F6905000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\serenum.sys
Service Name: Serenum
Module Base: F7A4D000
Module End: F7A51000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\parport.sys
Service Name: Parport
Module Base: F64C4000
Module End: F64D8000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F68E5000
Module End: F68F2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\IPFilter.sys
Service Name: IPFilter
Module Base: F7A51000
Module End: F7A54000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F7911000
Module End: F7917000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\PS2.sys
Service Name: Ps2
Module Base: F7A55000
Module End: F7A59000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F7919000
Module End: F791F000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F7B98000
Module End: F7B99000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F68D5000
Module End: F68E2000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F7A59000
Module End: F7A5C000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F64AD000
Module End: F64C4000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F68C5000
Module End: F68D0000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F7629000
Module End: F7635000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F7921000
Module End: F7926000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F649C000
Module End: F64AD000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F7639000
Module End: F7642000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F7929000
Module End: F792E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F7931000
Module End: F7936000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F7659000
Module End: F7663000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F7A8D000
Module End: F7A8F000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\update.sys
Service Name: Update
Module Base: F63EE000
Module End: F644C000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F6FED000
Module End: F6FF1000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F7669000
Module End: F7673000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F7689000
Module End: F7698000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F7A91000
Module End: F7A93000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Service Name: Flpydisk
Module Base: F7939000
Module End: F793E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F7A9D000
Module End: F7A9F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F7C0A000
Module End: F7C0B000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F7A9F000
Module End: F7AA1000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F7949000
Module End: F794F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F7AA1000
Module End: F7AA3000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F7AA3000
Module End: F7AA5000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F7951000
Module End: F7956000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F7959000
Module End: F7961000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F79F9000
Module End: F79FC000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: F5373000
Module End: F5386000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: F531A000
Module End: F5373000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: F52F2000
Module End: F531A000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Service Name: WS2IFSL
Module Base: F7A01000
Module End: F7A04000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: F52D0000
Module End: F52F2000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F7699000
Module End: F76A2000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\srvkp.sys
Service Name: SiSkp
Module Base: F7A05000
Module End: F7A08000
Hidden: No

Module Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Service Name: SASKUTIL
Module Base: F52AB000
Module End: F52D0000
Hidden: No

Module Name: \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Service Name: SASDIFSV
Module Base: F7961000
Module End: F7967000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: F5280000
Module End: F52AB000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: F5210000
Module End: F5280000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F76B9000
Module End: F76C4000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: F51EA000
Module End: F5210000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F76C9000
Module End: F76D2000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\arp1394.sys
Service Name: Arp1394
Module Base: F76D9000
Module End: F76E8000
Hidden: No

Module Name: \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys
Service Name: SunkFilt
Module Base: F7831000
Module End: F7838000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Service Name: USBSTOR
Module Base: F7841000
Module End: F7848000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: F4EAF000
Module End: F4ED3000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F4E97000
Module End: F4EAF000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7AD3000
Module End: F7AD5000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: F51E6000
Module End: F51E9000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F78E1000
Module End: F78E6000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F7C4B000
Module End: F7C4C000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: F065F000
Module End: F0663000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: F043A000
Module End: F0467000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Service Name: ParVdm
Module Base: F7B1F000
Module End: F7B21000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\srv.sys
Service Name: Srv
Module Base: F0320000
Module End: F0372000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\SVKP.sys
Service Name: SVKP
Module Base: F7C31000
Module End: F7C32000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: F0103000
Module End: F0118000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: F0228000
Module End: F0237000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: EFFA5000
Module End: EFFB5000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: EFDF2000
Module End: EFE33000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\fdc.sys
Service Name: Fdc
Module Base: F7909000
Module End: F7910000
Hidden: No

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: YOUR-AT5QGAAC3Z:1025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: YOUR-AT5QGAAC3Z:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: YOUR-AT5QGAAC3Z:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: YOUR-AT5QGAAC3Z:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: YOUR-AT5QGAAC3Z:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: YOUR-AT5QGAAC3Z:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: YOUR-AT5QGAAC3Z:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: YOUR-AT5QGAAC3Z:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}
Status: Access denied


I have downloaded several more anti-rootkit programs like Combofix, but held off running them.

Edited by wtfer, 21 August 2009 - 03:12 AM.


#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 24 August 2009 - 08:48 AM

Hello wtfer, welcome to the BC HijackThis Log and Analysis forum. Sorry about your wait, but I will be assisting you in cleaning up your system from here on out.


I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.


Delete any version of ComboFix you have on your Desktop now and download a version from the link below. If you did not install the Recovery Console when you downloaded the version you have it is imperative you do so now. Do not run CF without the RC installed. If you have trouble let me know. If you did install it then just skip that part of the instructions.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please do not post any logs as an attachment unless asked to do so.

Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 wtfer

wtfer
  • Topic Starter

  • Members
  • 51 posts

Posted 24 August 2009 - 06:34 PM

Hello, this is the ComboFix log:

ComboFix 09-08-24.05 - Owner 08/24/2009 16:16.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.190 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\14c08.msi
c:\windows\system32\1.tmp
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\ytasfwbwfwrgsk.dll
c:\windows\system32\ytasfweecblcvn.dat
c:\windows\system32\ytasfwlltlyioy.dat
c:\windows\system32\ytasfwpucrjiks.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NETCARD
-------\Legacy_ytasfwmqfwxwbw
-------\Legacy_ZESOFT
-------\Service_ytasfwmqfwxwbw
-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2


((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 )))))))))))))))))))))))))))))))
.

2009-08-24 00:14 . 2009-08-24 00:14 -------- d-----w- C:\rsit
2009-08-11 21:41 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-08 00:47 . 2009-08-08 00:47 -------- d-----w- c:\program files\Sophos
2009-08-07 02:33 . 2009-08-07 04:40 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-07 02:31 . 2009-08-07 02:31 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-07 02:28 . 2009-08-07 02:28 1343651 ----a-w- C:\MGtools.exe
2009-08-06 03:47 . 2009-08-06 03:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-08-06 03:47 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-06 03:47 . 2009-08-06 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-06 03:47 . 2009-08-06 03:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-06 03:47 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-06 02:22 . 2009-08-06 02:22 -------- d-----w- c:\program files\Trend Micro
2009-08-06 02:14 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-08-06 02:14 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-08-06 02:14 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-08-06 02:14 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-08-06 02:14 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-08-06 02:14 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-08-06 02:14 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-08-06 02:14 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-08-06 02:14 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-08-06 02:02 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-08-06 02:02 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-08-06 02:02 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-08-06 01:57 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-08-06 01:57 . 2008-09-04 17:15 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-07 04:26 . 2004-06-02 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-07 02:35 . 2007-07-29 23:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-07 02:32 . 2007-07-29 23:21 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-08-07 01:09 . 2008-11-02 19:39 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-08-07 01:08 . 2008-08-15 02:52 -------- d-----w- c:\program files\CCleaner
2009-08-07 00:03 . 2005-10-15 05:56 -------- d-----w- c:\program files\TweakNow RegCleaner Std
2009-08-06 02:18 . 2008-09-21 07:59 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2009-08-06 01:21 . 2004-06-02 03:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-06 00:47 . 2005-03-29 00:19 -------- d-----w- c:\program files\SpywareBlaster
2009-08-06 00:44 . 2007-01-07 06:59 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-08-05 09:01 . 2002-12-12 15:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 04:07 . 2004-05-28 02:53 -------- d-----w- c:\program files\Soulseek
2009-07-17 19:01 . 2004-02-12 20:44 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-09-23 02:46 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 00:28 . 2004-05-15 05:15 42424 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-29 16:12 . 2004-08-24 03:32 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-02-12 20:44 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-18 19:54 . 2009-08-11 00:30 6144 ------w- c:\windows\system32\92.tmp
2009-06-18 19:54 . 2009-08-11 00:29 6144 ------w- c:\windows\system32\91.tmp
2009-06-16 14:36 . 2004-02-12 20:45 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-02-12 20:23 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-01-21 00:04 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2004-02-12 20:46 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-02-12 20:44 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-01-21 00:04 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2003-05-31 00:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2006-05-03 10:06 . 2007-03-10 01:12 163328 --sh--r- c:\windows\system32\flvDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2005-08-16 335872]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
backup=c:\windows\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphver05.exe"=
"c:\\Program Files\\Audacity\\audacity.exe"=
"c:\\Program Files\\Webteh\\BSplayer\\bsplayer.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\eMule\\LinkCreator.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\7-Zip\\7zFM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\My Programs\\utorrent.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mozilla.org\\Mozilla\\mozilla.exe"=
"c:\\Program Files\\TweakNow RegCleaner Std\\RegCleaner.exe"=
"c:\\Program Files\\Eusing Free Registry Cleaner\\Regcleaner.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [6/4/2007 11:51 PM 2368]
S3 iexplore;iexplore;\??\c:\windows\system32\drivers\iexplore.sys --> c:\windows\system32\drivers\iexplore.sys [?]
S3 ProtoWall;ProtoWall Network Service;c:\windows\system32\DRIVERS\ProtoWall.sys --> c:\windows\system32\DRIVERS\ProtoWall.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2004-05-15 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-01-21 08:17]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)


.
------- Supplementary Scan -------
.
mStart Page = about:blank
uInternet Settings,ProxyOverride = localhost
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\npsim8rj.default\
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-24 16:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2196)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Dantz\RETROS~1\retrorun.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-24 16:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-24 23:30

Pre-Run: 79,533,064,192 bytes free
Post-Run: 79,580,774,400 bytes free

269 --- E O F --- 2009-08-11 23:39

Running ComboFix changed my wallpaper to a previous one I had, and added a My Network Places entry to the Start pop-up menu that was never there before; it only contains a link to MSN.

#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:48 AM

Posted 24 August 2009 - 07:09 PM

The CF log shows it has been run twice. Did you run it before this time or did you have to run it twice?

#7 wtfer

wtfer
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:03:48 AM

Posted 24 August 2009 - 07:35 PM

> The CF log shows it has been run twice. Did you run it before this time or did you have to run it twice?

I originally downloaded ComboFix about a week ago & only ran it today; a window popped up & said something about it being outdated, & asked whether to click Yes to go on to the scan or not. So I did not choose to scan with it & just deleted it. I re-downloaded the newer one from your link, saved it to the desktop, & ran it.

Did this cause any problems?

#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:48 AM

Posted 24 August 2009 - 08:10 PM

Well I was fairly explicit in my instructions about what to do: :thumbup2:


Delete any version of ComboFix you have on your Desktop now and download a version from the link below. If you did not install the Recovery Console when you downloaded the version you have it is imperative you do so now. Do not run CF without the RC installed. If you have trouble let me know. If you did install it then just skip that part of the instructions.


I don't see this as a major problem but I will have to go do some research on it. I didn't want you to have to stop the program unless it was finished as it can sometimes be an issue.

#9 wtfer

wtfer
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:03:48 AM

Posted 24 August 2009 - 08:19 PM

> Well I was fairly explicit in my instructions about what to do: :thumbup2:
>
> Delete any version of ComboFix you have on your Desktop now and download a version from the link below. If you did not install the Recovery Console when you downloaded the version you have it is imperative you do so now. Do not run CF without the RC installed. If you have trouble let me know. If you did install it then just skip that part of the instructions.
>
> I don't see this as a major problem but I will have to go do some research on it. I didn't want you to have to stop the program unless it was finished as it can sometimes be an issue.

I didn't know ComboFix had an expiration date of some sort. I did not see the harm of trying to run a version I had already downloaded from these forums just a week ago, which I never ran & never scanned with after seeing the pop-up notification.

I hope I didn't mess up.

Edited by wtfer, 24 August 2009 - 08:20 PM.


#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:48 AM

Posted 24 August 2009 - 08:27 PM

I doubt you did any serious harm, but what we tell you is important when using these tools, so please read what I put down, and if you have any questions, ask me. It's really easy for things to go south anyway when you are dealing with a lot of these infections, because no two computers ever react exactly alike; that is the reason we have whole forums, out of sight of the general users, dedicated to the training and use of them.

I'll have something for you but it may be tomorrow. I wouldn't despair over it any.

By the way, other than what you told me, is your computer performing better now that you have run CF?

#11 wtfer

wtfer
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:03:48 AM

Posted 24 August 2009 - 10:30 PM

> I doubt you did any serious harm, but what we tell you is important when using these tools, so please read what I put down, and if you have any questions, ask me. It's really easy for things to go south anyway when you are dealing with a lot of these infections, because no two computers ever react exactly alike; that is the reason we have whole forums, out of sight of the general users, dedicated to the training and use of them.
>
> I'll have something for you but it may be tomorrow. I wouldn't despair over it any.
>
> By the way, other than what you told me, is your computer performing better now that you have run CF?

I just re-ran a scan with GMER & the new log is looking good:

GMER 1.0.15.15020 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-24 20:26:41
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- EOF - GMER 1.0.15 ----


Just three problems & they all seem to be missing files from ComboFix.
None of the previous ytasfw... files are showing up.

I'll do a full system scan with Malwarebytes now & see if it picks up anything old or new as well; I'll hold out from deleting anything until I hear back though.

Edited by wtfer, 24 August 2009 - 10:32 PM.


#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:48 AM

Posted 25 August 2009 - 08:18 AM

Wtfer, here's our problem. I am going to let you do this because it's obvious to me that you are not going to follow the way I have asked you to do it. I haven't asked you to do any other scans and you didn't follow the instructions I gave you with CF, so I'll just go away and let you work this out yourself.

#13 wtfer

wtfer
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:03:48 AM

Posted 25 August 2009 - 05:58 PM

> Wtfer, here's our problem. I am going to let you do this because it's obvious to me that you are not going to follow the way I have asked you to do it. I haven't asked you to do any other scans and you didn't follow the instructions I gave you with CF, so I'll just go away and let you work this out yourself.

I was just checking to see if the previous program logs confirmed the previous infections gone. The redirecting of Google web pages has stopped & there are no suspicious programs in the Task Manager when I boot my PC.
I just used both GMER & Malwarebytes to see if they confirmed the previous infections gone, which they did. I was not trying to mess up your analysis or go against your instructions. I'm sorry if it appeared that way.

I am very appreciative of your help & your time. I will absolutely support & donate to this site as it helped me out before. I currently do not have a PayPal account; I just want to be sure it is safe to make transactions on my PC again.

Edited by wtfer, 25 August 2009 - 05:59 PM.


#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:48 AM

Posted 25 August 2009 - 06:29 PM

I understand what you are saying and I am not trying to be a butthole, but what I need for you to understand is that the instructions we give are given for explicit reasons. That's why in the very first post we post things like the below:

I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.


By getting ahead of what we are doing and not following what I ask, you are causing me more work. At any given time we are working on several different logs and time is at a premium.

Case in point: running a Full Scan with MalwareBytes after running ComboFix can at times cause files which have been saved in quarantine to be totally removed from the system, to where they cannot be accessed anymore should we need to restore them for some reason.

Now I want to help you or I wouldn't be doing this but I have to have your assurance that you will only do what I ask for right now. I totally understand it is your computer and you can do anything you want to with it but I can't help you if you don't follow what we instruct and if you continue to run programs I haven't asked you to.

OK? :thumbup2:

#15 wtfer

wtfer
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:03:48 AM

Posted 25 August 2009 - 07:32 PM

> I understand what you are saying and I am not trying to be a butthole, but what I need for you to understand is that the instructions we give are given for explicit reasons. That's why in the very first post we post things like the below:
>
> I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
>
> By getting ahead of what we are doing and not following what I ask, you are causing me more work. At any given time we are working on several different logs and time is at a premium.
>
> Case in point: running a Full Scan with MalwareBytes after running ComboFix can at times cause files which have been saved in quarantine to be totally removed from the system, to where they cannot be accessed anymore should we need to restore them for some reason.
>
> Now I want to help you or I wouldn't be doing this but I have to have your assurance that you will only do what I ask for right now. I totally understand it is your computer and you can do anything you want to with it but I can't help you if you don't follow what we instruct and if you continue to run programs I haven't asked you to.
>
> OK? :thumbup2:

I see, I understand now. I apologize for not taking all the information strictly to the letter.