Trojan.TDss and Win32:Alureon-CO


This topic is locked
14 replies to this topic

#1 Brigun (Members, 9 posts)

Posted 23 August 2009 - 02:49 PM

I really need some help with the following three rootkits:

Trojan.TDss.WQ located in c:\windows\system32\kbiwkmlkkuvqff.dll

Trojan.TDss.WQ located in c:\windows\system32\kbiwkmqieydtqm.dll

Win32:Alureon-CO located in c:\windows\system32\kbiwkmrrupukfn.sys

AVG didn't even know they were present. GData acknowledges them, but cannot quarantine or delete the files. I have also run Sophos and SDFix - both unsuccessful. Any help you could give would be most appreciated.


DDS (Ver_09-07-30.01) - NTFSx86
Run by User at 15:28:58.56 on Sun 08/23/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.513 [GMT -4:00]

AV: G Data InternetSecurity 2010 *On-access scanning enabled* (Updated) {71310606-6F3B-49F2-9A81-8315AA75FBB3}
FW: G Data Personal Firewall *enabled* {6E6F4BA6-C07D-443F-A130-0A57DA59A082}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe
C:\Program Files\G Data\InternetSecurity\AVK\AVKService.exe
C:\Program Files\G Data\InternetSecurity\AVK\AVKWCtl.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Nuance\PDF Professional 5\PDFProFiltSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\G DATA\GDScan\GDScan.exe
C:\Program Files\G Data\InternetSecurity\Firewall\GDFwSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Nuance\PDF Professional 5\pdfpro5hook.exe
C:\Program Files\G Data\InternetSecurity\Firewall\GDFirewallTray.exe
C:\Program Files\G Data\InternetSecurity\AVKTray\AVKTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Cobian Backup 9\Cobian.exe
C:\Program Files\Cobian Backup 9\cbInterface.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\g data\internetsecurity\avkkid\avkcks.exe
BHO: G Data WebFilter: {0124123d-61b4-456f-af86-78c53a0790c5} - c:\program files\g data\internetsecurity\webfilter\AvkWebIE.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: ZeonIEEventHelper Class: {da986d7d-ccaf-47b2-84fe-bfa1549bebf9} - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Nuance PDF: {e3286bf1-e654-42ff-b4a6-5e111731df6b} - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll
TB: G Data WebFilter: {0124123d-61b4-456f-af86-78c53a0790c5} - c:\program files\g data\internetsecurity\webfilter\AvkWebIE.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PDFHook] c:\program files\nuance\pdf professional 5\pdfpro5hook.exe
mRun: [PDF5 Registry Controller] c:\program files\nuance\pdf professional 5\RegistryController.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [Nuance PDF Professional 5-reminder] "c:\program files\nuance\pdf professional 5\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\pdf professional 5\ereg\Ereg.ini"
mRun: [GDFirewallTray] c:\program files\g data\internetsecurity\firewall\GDFirewallTray.exe
mRun: [G DATA AntiVirus Trayapplication] c:\program files\g data\internetsecurity\avktray\AVKTray.exe
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\docume~1\user\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append the content of the link to existing PDF file - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Create PDF file - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open with Nuance PDF Converter 5.0 - c:\program files\nuance\pdf professional 5\cnvres_eng.dll /100
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} - hxxp://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221264355453
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\wvyidkig.default\
FF - prefs.js: browser.startup.homepage - hxxp://operationworld.org/
FF - component: c:\program files\mozilla firefox\extensions\{9aa46f4f-4dc7-4c06-97af-5035170633fe}\components\AvkWebFilterFF.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 GDNdisIc;GDNdisIc;c:\windows\system32\drivers\GDNdisIc.sys [2009-8-22 22272]
R1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [2009-8-22 68424]
R2 AVKProxy;G Data AntiVirus Proxy;c:\program files\common files\g data\avkproxy\AVKProxy.exe [2009-4-9 1043528]
R2 AVKService;G Data Scheduler;c:\program files\g data\internetsecurity\avk\AVKService.exe [2009-4-9 388168]
R2 AVKWCtl;G Data Filesystem Monitor;c:\program files\g data\internetsecurity\avk\AVKWCtl.exe [2009-2-25 1206096]
R2 GDTdiInterceptor;GDTdiInterceptor;c:\windows\system32\drivers\GDTdiIcpt.sys [2009-8-22 51016]
R2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\nuance\pdf professional 5\PDFProFiltSrv.exe [2008-2-2 144672]
R3 GDFwSvc;G Data Personal Firewall;c:\program files\g data\internetsecurity\firewall\GDFwSvc.exe [2009-3-10 1416216]
R3 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [2009-8-22 50632]
R3 GDScan;G Data Scanner;c:\program files\common files\g data\gdscan\GDScan.exe [2009-3-10 298568]
R3 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [2009-8-22 32328]
RUnknown SASKUTIL;SASKUTIL; [x]
S2 gupdate1c98ee01cf4fe6a;Google Update Service (gupdate1c98ee01cf4fe6a);c:\program files\google\update\GoogleUpdate.exe [2009-2-14 133104]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-9-26 33752]
S3 MEMSWEEP2;MEMSWEEP2; [x]
UnknownUnknown SASENUM;SASENUM; [x]

=============== Created Last 30 ================

2009-08-23 15:10 <DIR> --d----- c:\program files\Cobian Backup 9
2009-08-23 13:55 <DIR> --d----- c:\program files\Trend Micro
2009-08-22 21:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-22 21:57 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-22 21:40 <DIR> --d----- c:\program files\Sophos
2009-08-22 21:00 <DIR> --d----- c:\windows\ERUNT
2009-08-22 20:56 <DIR> --d----- C:\SDFix
2009-08-22 20:10 68,424 a------- c:\windows\system32\drivers\GRD.sys
2009-08-22 19:44 50,632 a------- c:\windows\system32\drivers\MiniIcpt.sys
2009-08-22 19:43 32,328 a------- c:\windows\system32\drivers\HookCentre.sys
2009-08-22 19:43 51,016 a------- c:\windows\system32\drivers\GDTdiIcpt.sys
2009-08-22 19:43 22,272 a------- c:\windows\system32\drivers\GDNdisIc.sys
2009-08-22 19:41 <DIR> --d----- c:\program files\G Data
2009-08-22 19:41 <DIR> --d----- c:\program files\common files\G DATA
2009-08-22 19:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\G DATA
2009-08-20 14:31 <DIR> --d----- c:\windows\pss
2009-08-20 13:29 <DIR> --d----- c:\program files\Ace Utilities
2009-08-20 12:51 <DIR> --d----- c:\program files\TweakNow RegCleaner
2009-08-20 12:51 <DIR> --d----- c:\docume~1\user\applic~1\TweakNow RegCleaner
2009-08-20 12:43 <DIR> --d----- c:\docume~1\user\applic~1\Uniblue
2009-08-19 22:21 <DIR> a-d----- c:\windows\system32\images
2009-08-19 22:08 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-08-19 22:08 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-19 22:08 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-19 22:08 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-19 22:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-14 17:01 <DIR> --d----- C:\6da57eaac2adf33bfab3682c2404

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 12:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 12:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll

============= FINISH: 15:30:46.17 ===============

#2 Maurice Naggar (Eradicator de malware, Malware Response Team, 1,088 posts)

Posted 23 August 2009 - 03:07 PM

Hello Brigun and welcome to BC forums.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
If you are a casual viewer, do NOT try this on your system!
If you are not Brigun and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

Please do the following:
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

=

1. Set Windows to show all files and all folders.
On your Desktop, double click My Computer; from the menu, select Tools, then Folder Options, then the View tab, and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

=
Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.

Next, Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\WINDOWS\system32\drivers\kbiwkmrrupukfn.sys
    c:\windows\system32\kbiwkmrrupukfn.sys
    c:\windows\system32\kbiwkmqieydtqm.dll
    c:\windows\system32\kbiwkmlkkuvqff.dll
    C:\WINDOWS\system32\kbiwkmpysgmqna.dat
    C:\WINDOWS\system32\kbiwkmqieydtqm.dll
    C:\WINDOWS\system32\kbiwkmugltvkwb.dat
    C:\WINDOWS\Temp\kbiwkmcwejxoidsm.tmp
    C:\WINDOWS\Temp\kbiwkmdgtaosphwd.tmp
    C:\WINDOWS\Temp\kbiwkmkeokdeuttt.tmp
    
    Drivers to delete:
    kbiwkmqlmiryla
    kbiwkmrrupukfn.sys
    kbiwkmrrupukfn
    
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\kbiwkmrrupukfn.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\kbiwkmrrupukfn.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\kbiwkmrrupukfn.sys 
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\kbiwkmrrupukfn.sys
    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmrrupukfn.sys
    
    Folders to delete:
    C:\Resycled
    D:\Resycled
    E:\Resycled
    F:\Resycled
    G:\Resycled
    H:\Resycled
    I:\Resycled
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to copy/paste from the code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Double-click the RootRepeal.exe icon on your Desktop.
Click on the Report tab at bottom of window and then click on Scan button.

A window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Hidden Services
Stealth Objects


You will then be asked which drive to scan.
Check C: (or the drive your operating system is installed on if not C) and click Ok again.
The scan will start.
It will take a little while so please be patient. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should default there).
When you have done this, please copy and paste it in this thread.

Reply with copy of C:\Avenger.txt
and RootRepeal.txt

There will be much more to do after this.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 Brigun (Topic Starter)

Posted 23 August 2009 - 03:17 PM

Got it. I'll get to work on it right away, and will post as soon as it's done.

#4 Brigun (Topic Starter)

Posted 23 August 2009 - 03:44 PM

I followed your instructions exactly. Here are the two reports:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not delete file "C:\WINDOWS\system32\drivers\kbiwkmrrupukfn.sys"
Deletion of file "C:\WINDOWS\system32\drivers\kbiwkmrrupukfn.sys" failed!
Status: 0xc0000156


Error: file "c:\windows\system32\kbiwkmrrupukfn.sys" not found!
Deletion of file "c:\windows\system32\kbiwkmrrupukfn.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not delete file "c:\windows\system32\kbiwkmqieydtqm.dll"
Deletion of file "c:\windows\system32\kbiwkmqieydtqm.dll" failed!
Status: 0xc0000156


Error: could not delete file "c:\windows\system32\kbiwkmlkkuvqff.dll"
Deletion of file "c:\windows\system32\kbiwkmlkkuvqff.dll" failed!
Status: 0xc0000156


Error: could not delete file "C:\WINDOWS\system32\kbiwkmpysgmqna.dat"
Deletion of file "C:\WINDOWS\system32\kbiwkmpysgmqna.dat" failed!
Status: 0xc0000156


Error: could not delete file "C:\WINDOWS\system32\kbiwkmqieydtqm.dll"
Deletion of file "C:\WINDOWS\system32\kbiwkmqieydtqm.dll" failed!
Status: 0xc0000156


Error: could not delete file "C:\WINDOWS\system32\kbiwkmugltvkwb.dat"
Deletion of file "C:\WINDOWS\system32\kbiwkmugltvkwb.dat" failed!
Status: 0xc0000156


Error: file "C:\WINDOWS\Temp\kbiwkmcwejxoidsm.tmp" not found!
Deletion of file "C:\WINDOWS\Temp\kbiwkmcwejxoidsm.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\Temp\kbiwkmdgtaosphwd.tmp" not found!
Deletion of file "C:\WINDOWS\Temp\kbiwkmdgtaosphwd.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\Temp\kbiwkmkeokdeuttt.tmp" not found!
Deletion of file "C:\WINDOWS\Temp\kbiwkmkeokdeuttt.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "kbiwkmqlmiryla" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\kbiwkmrrupukfn.sys" not found!
Deletion of driver "kbiwkmrrupukfn.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\kbiwkmrrupukfn" not found!
Deletion of driver "kbiwkmrrupukfn" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\kbiwkmrrupukfn.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\kbiwkmrrupukfn.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\kbiwkmrrupukfn.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\kbiwkmrrupukfn.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\kbiwkmrrupukfn.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\kbiwkmrrupukfn.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\kbiwkmrrupukfn.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\kbiwkmrrupukfn.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmrrupukfn.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmrrupukfn.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\Resycled" not found!
Deletion of folder "C:\Resycled" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open folder "D:\Resycled"
Deletion of folder "D:\Resycled" failed!
Status: 0xc0000013


Error: could not open folder "E:\Resycled"
Deletion of folder "E:\Resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "F:\Resycled"
Deletion of folder "F:\Resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "G:\Resycled"
Deletion of folder "G:\Resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "H:\Resycled"
Deletion of folder "H:\Resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "I:\Resycled"
Deletion of folder "I:\Resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/23 16:31
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xED80C000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B29000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF702B000 Size: 49152 File Visible: No Signed: -
Status: -

Name: vpxmi.sys
Image Path: C:\WINDOWS\system32\drivers\vpxmi.sys
Address: 0xF779B000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\kbiwkmlkkuvqff.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmpysgmqna.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmqieydtqm.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmugltvkwb.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\kbiwkmrrupukfn.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\old_Cache_000\f_0043b9
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\old_Cache_000\f_0043ba
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\old_Cache_000\f_0043bb
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\old_Cache_000\f_0043bc
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\old_Cache_000\Windows Antivirus Pro.lnk
Status: Locked to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\old_Cache_000\f_0043be
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\old_Cache_000\f_0043bf
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\old_Cache_000\f_0043c0
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\old_Cache_000\f_0043c1
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\old_Cache_000\f_0043c2
Status: Could not get file information (Error 0xc0000008)

Hidden Services
-------------------
Service Name: kbiwkmqlmiryla
Image Path: C:\WINDOWS\system32\drivers\kbiwkmrrupukfn.sys

==EOF==
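Reading the two logs above together is the actual triage step. An Avenger failure with STATUS_OBJECT_NAME_NOT_FOUND or STATUS_OBJECT_PATH_NOT_FOUND means there was nothing at that path; a failure with any other status means the object exists and the deletion was blocked; and anything Avenger reports as deleted that the later RootRepeal scan still lists (the hidden service kbiwkmqlmiryla here) survived the reboot. The Python script below is an added example written for this page, not a tool from this thread, from Swandog46 or from the RootRepeal author. It parses the two log formats exactly as they appear in the posts above and uses a trimmed excerpt of those posted logs as constructed input. The name given to 0xC0000013 (STATUS_NO_MEDIA_IN_DEVICE, the D: drive with nothing in it) is the ntstatus.h value and is not decoded in the posted log; 0xC0000156 is deliberately left raw because the logs do not establish what it means here.

```python
import re
from typing import Dict, List

# NTSTATUS names: the first two are decoded in the posted Avenger log itself;
# the third is the ntstatus.h value for a code the posted log leaves raw.
STATUS_NAMES = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
                0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
                0xC0000013: "STATUS_NO_MEDIA_IN_DEVICE"}
# Name/path absent, or a drive letter with no media: nothing was there to delete.
# Any other failure means the object exists and its removal was blocked.
NOTHING_TO_DELETE = {0xC0000034, 0xC000003A, 0xC0000013}

FAIL_RE = re.compile(r'^Deletion of (file|driver|registry key|folder) "(.*)" failed!$')
OK_RE = re.compile(r'^(File|Driver|Registry key|Folder) "(.*)" deleted successfully\.$')
STATUS_RE = re.compile(r'^Status: 0x([0-9A-Fa-f]{8})')

def parse_avenger(text: str) -> List[dict]:
    """One record per Avenger action: kind, target, status (None on success)."""
    records, pending = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := OK_RE.match(line):
            records.append({"kind": m.group(1).lower(), "target": m.group(2), "status": None})
        elif m := FAIL_RE.match(line):
            pending = m.groups()          # the NTSTATUS follows on the next "Status:" line
        elif (m := STATUS_RE.match(line)) and pending:
            records.append({"kind": pending[0], "target": pending[1],
                            "status": int(m.group(1), 16)})
            pending = None
    return records

def parse_rootrepeal(text: str) -> Dict[str, Dict[str, str]]:
    """Collect the Hidden/Locked Files and Hidden Services sections of a report."""
    files, services, section, prev, key = {}, {}, None, "", None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("----"):       # the line above an underline names the section
            section = prev
        elif section == "Hidden/Locked Files" and line.startswith("Path: "):
            key = line[len("Path: "):]
        elif section == "Hidden/Locked Files" and line.startswith("Status: ") and key:
            files[key], key = line[len("Status: "):], None
        elif section == "Hidden Services" and line.startswith("Service Name: "):
            key = line[len("Service Name: "):]
        elif section == "Hidden Services" and line.startswith("Image Path: ") and key:
            services[key], key = line[len("Image Path: "):], None
        prev = line
    return {"hidden_files": files, "hidden_services": services}

def triage(avenger_text: str, rootrepeal_text: str) -> dict:
    """Classify every Avenger target and flag what RootRepeal still sees afterwards."""
    rr = parse_rootrepeal(rootrepeal_text)
    hidden = {p.lower(): s for p, s in rr["hidden_files"].items()}
    report = {"deleted": [], "nothing_to_delete": [], "blocked": [],
              "hidden_services": rr["hidden_services"]}
    for r in parse_avenger(avenger_text):
        if r["status"] is None:
            report["deleted"].append(r["target"])
        elif r["status"] in NOTHING_TO_DELETE:
            report["nothing_to_delete"].append(r["target"])
        else:
            report["blocked"].append({
                "kind": r["kind"], "target": r["target"],
                "status": STATUS_NAMES.get(r["status"], "0x%08X" % r["status"]),
                "rootrepeal": hidden.get(r["target"].lower())})  # None if not listed as hidden
    # Objects Avenger reports removed that the later RootRepeal scan still lists.
    report["still_present_after_delete"] = [
        t for t in report["deleted"] if t in rr["hidden_services"] or t.lower() in hidden]
    return report

# Constructed input: trimmed excerpts of the two logs posted above, reduced to
# the lines the parsers key on (the "Error:" and "-->" lines carry no extra data).
AVENGER_LOG = r"""
Deletion of file "C:\WINDOWS\system32\drivers\kbiwkmrrupukfn.sys" failed!
Status: 0xc0000156
Deletion of file "C:\WINDOWS\Temp\kbiwkmcwejxoidsm.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Driver "kbiwkmqlmiryla" deleted successfully.
Deletion of driver "kbiwkmrrupukfn" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Deletion of folder "D:\Resycled" failed!
Status: 0xc0000013
"""
ROOTREPEAL_LOG = r"""
Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\drivers\kbiwkmrrupukfn.sys
Status: Invisible to the Windows API!

Hidden Services
-------------------
Service Name: kbiwkmqlmiryla
Image Path: C:\WINDOWS\system32\drivers\kbiwkmrrupukfn.sys
==EOF==
"""

if __name__ == "__main__":
    for section, items in triage(AVENGER_LOG, ROOTREPEAL_LOG).items():
        print(section, items)
```

Run as a script it prints the report: the "blocked" entry is the driver file that Avenger could not remove and that RootRepeal confirms is hidden from the Windows API, the three "nothing_to_delete" entries are paths that simply were not there (or, for D:\Resycled, a drive with no media), and "still_present_after_delete" is the service Avenger reported removed that re-registered itself before the RootRepeal scan. That last list is the signal that the infection reinstalls its service on boot and that the next tool has to get underneath it rather than just delete files.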

#5 Maurice Naggar (Eradicator de malware, Malware Response Team, 1,088 posts)

Posted 23 August 2009 - 04:04 PM

That had a small bit of success, but not all the way. Let's have you do this.
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Double click on Combo-Fix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of C:\Combofix.txt
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#6 Brigun

Brigun
  • Topic Starter

  • Members
  • 9 posts

Posted 23 August 2009 - 04:45 PM

Combo-Fix did not produce a log for me when the computer rebooted. Upon reboot, CHKDSK ran and performed the following functions:

Deleting f_0043b9 in index $I30 of file 2052
Deleting f_0043ba in index $I30 of file 2052
Deleting f_0043bb in index $I30 of file 2052
Deleting f_0043bc in index $I30 of file 2052
Deleting f_0043bd in index $I30 of file 2052
Deleting f_0043be in index $I30 of file 2052
Deleting f_0043bf in index $I30 of file 2052
Deleting f_0043co in index $I30 of file 2052
Deleting f_0043c1 in index $I30 of file 2052
Deleting f_0043c2 in index $I30 of file 2052

When the boot-up was complete, the computer froze for a lengthy time and needed to be re-booted. Everything finally booted up fine, but no txt log was available.

#7 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 23 August 2009 - 05:09 PM

Please locate (look for) C:\Combofix.txt
Use Notepad to open it, then select all lines, and copy and paste them into a reply.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#8 Brigun

Brigun
  • Topic Starter

  • Members
  • 9 posts

Posted 23 August 2009 - 05:18 PM

I searched through my system and cannot find a Combofix.txt. I looked in the address you suggested, then performed a file search. It is nowhere to be found. Should I run a new Combofix? As I was waiting for your response, I ran another Root Repeal.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/23 17:59
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEDD93000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B23000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6383000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\user\local settings\temp\etilqs_dvemecoghdosxadtabzx
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\user\local settings\temp\etilqs_xa22jnttbrph9rh7iqop
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: C:\Documents and Settings\All Users\Application Data\G DATA\ISDB\avSU.isdb
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\All Users\Application Data\G DATA\ISDB\avSU.isdb.save
Status: Could not get file information (Error 0xc0000008)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\HookCentre.sys" at address 0xf79343b0

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\HookCentre.sys" at address 0xf7935090

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\HookCentre.sys" at address 0xf79351b2

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\HookCentre.sys" at address 0xf79351d4

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\drivers\HookCentre.sys" at address 0xf7935118

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\HookCentre.sys" at address 0xf79342d6

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\HookCentre.sys" at address 0xf7935184

Hidden Services
-------------------
Service Name: kbiwkmqlmiryla
Image Path: C:\WINDOWS\system32\drivers\kbiwkmrrupukfn.sys

==EOF==

#9 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 23 August 2009 - 05:32 PM

You will want to print out or copy these instructions to Notepad for offline reference!

A: Disconnect the pc from the internet. Disconnect the cable to the internet.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

Driver::
kbiwkmqlmiryla

File::
C:\WINDOWS\system32\drivers\kbiwkmrrupukfn.sys
c:\documents and settings\user\local settings\temp\etilqs_dvemecoghdosxadtabzx
c:\documents and settings\user\local settings\temp\etilqs_xa22jnttbrph9rh7iqop
C:\recycler
D:\recycler
e:\recycler
f:\recycler
g:\recycler
h:\recycler
i:\recycler


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

=
Now, one pass with Malwarebytes MBAM.

Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Close/exit MBAM.

Now, reconnect to the internet.

Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.
At this time of posting, the current definitions are # 2682 or later. The latest program version is 1.40

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Reply with copy of the C:\Combofix.txt
and the 2 latest MBAM logs.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
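The RootRepeal report in post #8 and the CFScript in post #9, as an added example that is not part of the thread and not RootRepeal's or ComboFix's own code: a parser for RootRepeal's sectioned report format that flags hidden services, SSDT hooks by any module outside a trust list, and locked files with an API/raw allocation mismatch, then drafts the KILLALL::/Driver::/File:: stanza in the form Maurice wrote. Assumptions: the sample excerpt is constructed from post #8, HookCentre.sys is treated as G Data's own hook driver on the strength of the ComboFix log in post #10, and the recycler entries Maurice added by hand are not generated.

```python
# Added example for this thread (not RootRepeal's or ComboFix's own code); the
# sample below is constructed from the RootRepeal report in post #8.
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009

Hidden/Locked Files
-------------------
Path: c:\documents and settings\user\local settings\temp\etilqs_dvemecoghdosxadtabzx
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\All Users\Application Data\G DATA\ISDB\avSU.isdb
Status: Could not get file information (Error 0xc0000008)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\HookCentre.sys" at address 0xf79343b0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\HookCentre.sys" at address 0xf79342d6

Hidden Services
-------------------
Service Name: kbiwkmqlmiryla
Image Path: C:\WINDOWS\system32\drivers\kbiwkmrrupukfn.sys

==EOF==
"""
# Assumption: HookCentre.sys is G Data's hook driver (the ComboFix log in post #10
# shows it installed in the same minute as the other G Data drivers).
TRUSTED_HOOKERS = frozenset({"hookcentre.sys"})
SSDT_RE = re.compile(r"#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\S+)")
HOOK_RE = re.compile(r'Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)')

def parse_report(text):
    """Map each dash-underlined section name to its entries (lists of stripped lines)."""
    sections, current, entry = defaultdict(list), None, []
    lines = [ln.strip() for ln in text.splitlines()] + [""]  # trailing "" flushes the last entry
    for s, nxt in zip(lines, lines[1:] + [""]):
        if s and re.fullmatch(r"-{5,}", nxt):  # a heading is underlined with dashes
            current, entry = s, []
        elif current is None or re.fullmatch(r"-{5,}", s):
            continue  # preamble before the first section, or the underline itself
        elif s and s != "==EOF==":
            entry.append(s)
        elif entry:  # a blank line (or the EOF marker) closes the entry
            sections[current].append(entry)
            entry = []
    return dict(sections)

def field(entry, key):
    for line in entry:  # value of a 'key: value' line, or None
        if line.startswith(key + ":"):
            return line[len(key) + 1:].strip()
    return None

def ssdt_hooks(report):
    """(index, function, hooking module, address) for every SSDT entry."""
    hooks = []
    for entry in report.get("SSDT", []):
        head, hook = SSDT_RE.match(entry[0]), HOOK_RE.search(" ".join(entry[1:]))
        if head and hook:
            hooks.append((int(head["index"]), head["func"], hook["module"], hook["addr"]))
    return hooks

def triage(report, trusted_hookers=frozenset()):
    """Hidden services are always flagged; SSDT hooks are grouped per module and flagged
    unless the module is trusted; a locked file is flagged on an API/raw 0 mismatch."""
    found = [dict(kind="hidden_service", subject=field(e, "Service Name"), detail=field(e, "Image Path"))
             for e in report.get("Hidden Services", [])]
    by_module = defaultdict(list)
    for _idx, func, module, _addr in ssdt_hooks(report):
        by_module[module].append(func)
    for module, funcs in by_module.items():
        if PureWindowsPath(module).name.lower() not in trusted_hookers:
            found.append(dict(kind="ssdt_hook", subject=module, detail=",".join(funcs)))
    for e in report.get("Hidden/Locked Files", []):
        m = re.search(r"API: (\d+), Raw: (\d+)", field(e, "Status") or "")
        if m and int(m[1]) > 0 and int(m[2]) == 0:
            found.append(dict(kind="locked_file", subject=field(e, "Path"), detail=field(e, "Status")))
    return found

def cfscript(findings):
    """Draft the CFScript stanza as written in the thread: KILLALL::, Driver::, File::."""
    drivers = [f["subject"] for f in findings if f["kind"] == "hidden_service"]
    files = [f["detail"] for f in findings if f["kind"] == "hidden_service"]
    files += [f["subject"] for f in findings if f["kind"] == "locked_file"]
    out = ["KILLALL::", ""] + (["Driver::", *drivers, ""] if drivers else [])
    out += ["File::", *files, ""] if files else []  # SSDT findings are review-only, never scripted
    return "\n".join(out)

if __name__ == "__main__":
    print(cfscript(triage(parse_report(SAMPLE_REPORT), TRUSTED_HOOKERS)))
```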

#10 Brigun

Brigun
  • Topic Starter

  • Members
  • 9 posts

Posted 23 August 2009 - 06:27 PM

Here are the reports. Thanks for the time you're taking to resolve this issue.

ComboFix 09-08-22.06 - User 08/23/2009 18:50.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.579 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: G Data InternetSecurity 2010 *On-access scanning disabled* (Updated) {71310606-6F3B-49F2-9A81-8315AA75FBB3}
FW: G Data Personal Firewall *disabled* {6E6F4BA6-C07D-443F-A130-0A57DA59A082}

FILE ::
"c:\documents and settings\user\local settings\temp\etilqs_dvemecoghdosxadtabzx"
"c:\documents and settings\user\local settings\temp\etilqs_xa22jnttbrph9rh7iqop"
"C:\recycler"
"c:\windows\system32\drivers\kbiwkmrrupukfn.sys"
"D:\recycler"
"e:\recycler"
"f:\recycler"
"g:\recycler"
"h:\recycler"
"i:\recycler"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\Installer\1292c6.msi
c:\windows\Installer\5895b04.msp
c:\windows\Installer\a502d5.msp
c:\windows\Installer\e19753d.msp
c:\windows\Installer\e19753e.msp
c:\windows\Installer\e19753f.msp
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
c:\windows\system32\drivers\kbiwkmrrupukfn.sys
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\kbiwkmlkkuvqff.dll
c:\windows\system32\kbiwkmpysgmqna.dat
c:\windows\system32\kbiwkmqieydtqm.dll
c:\windows\system32\kbiwkmugltvkwb.dat
c:\windows\wpd99.drv

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmqlmiryla
-------\Legacy_kbiwkmqlmiryla
-------\Service_kbiwkmqlmiryla


((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))
.

2009-08-23 22:22 . 2009-08-23 22:22 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\G DATA
2009-08-23 20:20 . 2009-08-23 20:20 -------- d-----w- c:\program files\ERUNT
2009-08-23 19:10 . 2009-08-23 19:10 -------- d-----w- c:\program files\Cobian Backup 9
2009-08-23 17:55 . 2009-08-23 17:55 -------- d-----w- c:\program files\Trend Micro
2009-08-23 01:57 . 2009-08-23 01:57 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-08-23 01:57 . 2009-08-23 03:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-23 01:40 . 2009-08-23 01:40 -------- d-----w- c:\program files\Sophos
2009-08-23 01:00 . 2009-08-23 01:00 -------- d-----w- c:\windows\ERUNT
2009-08-23 00:56 . 2009-08-23 02:58 -------- d-----w- C:\SDFix
2009-08-23 00:10 . 2009-08-23 00:10 68424 ----a-w- c:\windows\system32\drivers\GRD.sys
2009-08-22 23:44 . 2009-08-22 23:44 50632 ----a-w- c:\windows\system32\drivers\MiniIcpt.sys
2009-08-22 23:43 . 2009-08-22 23:43 32328 ----a-w- c:\windows\system32\drivers\HookCentre.sys
2009-08-22 23:43 . 2009-08-22 23:43 51016 ----a-w- c:\windows\system32\drivers\GDTdiIcpt.sys
2009-08-22 23:43 . 2009-08-22 23:43 22272 ----a-w- c:\windows\system32\drivers\GDNdisIc.sys
2009-08-22 23:41 . 2009-08-22 23:48 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\G DATA
2009-08-22 23:41 . 2009-08-22 23:42 -------- d-----w- c:\program files\Common Files\G DATA
2009-08-22 23:41 . 2009-08-22 23:41 -------- d-----w- c:\program files\G Data
2009-08-20 17:29 . 2009-08-20 17:29 -------- d-----w- c:\program files\Ace Utilities
2009-08-20 16:51 . 2009-08-20 17:55 -------- d-----w- c:\program files\TweakNow RegCleaner
2009-08-20 16:51 . 2009-08-20 17:55 -------- d-----w- c:\documents and settings\User\Application Data\TweakNow RegCleaner
2009-08-20 16:43 . 2009-08-20 16:43 -------- d-----w- c:\documents and settings\User\Application Data\Uniblue
2009-08-20 02:08 . 2009-08-20 02:08 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-08-20 02:08 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-20 02:08 . 2009-08-20 02:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-20 02:08 . 2009-08-20 02:08 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-20 02:08 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-14 21:01 . 2009-08-14 21:02 -------- d-----w- C:\6da57eaac2adf33bfab3682c2404

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-23 18:48 . 2009-02-14 20:05 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater
2009-08-23 14:24 . 2008-09-25 18:58 -------- d-----w- c:\documents and settings\User\Application Data\U3
2009-08-23 12:55 . 2008-11-25 20:21 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-08-23 03:00 . 2008-09-28 12:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-20 23:06 . 2008-12-01 16:12 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple Computer
2009-08-20 18:01 . 2008-09-13 16:30 73192 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-20 17:55 . 2008-12-10 13:29 -------- d-----w- c:\documents and settings\User\Application Data\Move Networks
2009-08-20 17:44 . 2008-10-14 15:39 -------- d-----w- c:\program files\e-Sword
2009-08-20 14:05 . 2008-09-13 19:49 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-18 16:19 . 2008-09-25 18:54 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-08-13 23:18 . 2009-06-22 19:20 -------- d-----w- c:\program files\Graboid
2009-08-05 09:01 . 2008-04-14 09:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 15:51 . 2008-09-13 19:33 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-26 02:51 . 2009-03-09 14:24 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\pdf995
2009-07-17 19:01 . 2008-04-14 09:41 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2008-04-14 09:42 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 15:04 . 2009-06-22 19:22 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-07-11 13:24 . 2009-07-11 13:24 -------- d-----w- c:\documents and settings\User\Application Data\ScummVM
2009-07-08 01:30 . 2009-07-08 01:30 -------- d-----w- c:\program files\Oldgames
2009-07-07 13:50 . 2009-07-07 13:50 7406 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{5BBFB0E4-2250-49C3-A8A3-65BE2197D13B}\_bb32ea6.exe
2009-07-07 13:50 . 2009-07-07 13:50 1078 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{5BBFB0E4-2250-49C3-A8A3-65BE2197D13B}\_5af141bb.exe
2009-07-07 13:50 . 2009-07-07 13:50 1078 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{5BBFB0E4-2250-49C3-A8A3-65BE2197D13B}\_26e91eb.exe
2009-07-06 23:27 . 2009-02-09 15:57 -------- d-----w- c:\program files\Google
2009-07-06 20:26 . 2009-07-06 19:58 -------- d-----w- c:\documents and settings\User\Application Data\Azureus
2009-07-06 19:58 . 2009-07-06 19:58 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Azureus
2009-07-06 19:24 . 2008-09-13 19:28 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-06 16:16 . 2009-07-06 16:16 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PC Drivers HeadQuarters
2009-07-06 16:04 . 2009-07-06 16:01 -------- d-----w- c:\program files\SMPlayer
2009-07-06 15:23 . 2009-07-06 15:10 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-07-06 15:12 . 2009-07-06 15:12 -------- d-----w- c:\documents and settings\User\Application Data\AVS4YOU
2009-07-06 15:12 . 2009-07-06 15:12 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AVS4YOU
2009-06-29 16:12 . 2008-07-05 17:39 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2008-07-05 17:38 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2008-07-05 17:38 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-27 12:58 . 2009-03-07 22:07 -------- d-----w- c:\documents and settings\User\Application Data\TaxCut
2009-06-25 08:25 . 2008-04-14 09:42 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-04-14 09:42 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-04-14 09:42 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-04-14 09:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2008-04-14 09:41 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-04-14 09:41 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2008-04-14 04:01 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2008-04-14 09:42 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2008-04-14 09:41 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 06:35 . 2009-06-16 06:35 97144 ----a-w- c:\documents and settings\User\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-06-12 12:31 . 2008-04-14 09:42 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2008-04-14 09:42 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2008-04-14 09:41 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2008-09-12 23:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2008-04-14 09:42 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2008-04-14 09:42 1291264 ----a-w- c:\windows\system32\quartz.dll
.

------- Sigcheck -------

[-] 2008-07-05 17:39 1614848 362BC5AF8EAF712832C58CC13AE05750 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"PDFHook"="c:\program files\Nuance\PDF Professional 5\pdfpro5hook.exe" [2008-02-02 795936]
"PDF5 Registry Controller"="c:\program files\Nuance\PDF Professional 5\RegistryController.exe" [2008-02-02 58656]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-03-26 210472]
"Nuance PDF Professional 5-reminder"="c:\program files\Nuance\PDF Professional 5\Ereg\Ereg.exe" [2007-08-31 328992]
"GDFirewallTray"="c:\program files\G Data\InternetSecurity\Firewall\GDFirewallTray.exe" [2009-04-09 882352]
"G DATA AntiVirus Trayapplication"="c:\program files\G Data\InternetSecurity\AVKTray\AVKTray.exe" [2009-04-09 918600]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Graboid\\GraboidVideo\\1.6.5.0\\GraboidClient.exe"=

R0 GDNdisIc;GDNdisIc;c:\windows\system32\drivers\GDNdisIc.sys [8/22/2009 7:43 PM 22272]
R1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [8/22/2009 8:10 PM 68424]
R2 AVKProxy;G Data AntiVirus Proxy;c:\program files\Common Files\G DATA\AVKProxy\AVKProxy.exe [4/9/2009 5:09 PM 1043528]
R2 AVKService;G Data Scheduler;c:\program files\G Data\InternetSecurity\AVK\AVKService.exe [4/9/2009 5:09 PM 388168]
R2 AVKWCtl;G Data Filesystem Monitor;c:\program files\G Data\InternetSecurity\AVK\AVKWCtl.exe [2/25/2009 3:32 AM 1206096]
R2 GDTdiInterceptor;GDTdiInterceptor;c:\windows\system32\drivers\GDTdiIcpt.sys [8/22/2009 7:43 PM 51016]
R2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\Nuance\PDF Professional 5\PDFProFiltSrv.exe [2/2/2008 2:20 AM 144672]
R3 GDFwSvc;G Data Personal Firewall;c:\program files\G Data\InternetSecurity\Firewall\GDFwSvc.exe [3/10/2009 3:31 AM 1416216]
R3 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [8/22/2009 7:44 PM 50632]
R3 GDScan;G Data Scanner;c:\program files\Common Files\G DATA\GDScan\GDScan.exe [3/10/2009 3:47 AM 298568]
R3 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [8/22/2009 7:43 PM 32328]
S2 gupdate1c98ee01cf4fe6a;Google Update Service (gupdate1c98ee01cf4fe6a);c:\program files\Google\Update\GoogleUpdate.exe [2/14/2009 4:09 PM 133104]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [9/26/2008 8:57 AM 33752]
S3 MEMSWEEP2;MEMSWEEP2; [x]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Create PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open with Nuance PDF Converter 5.0 - c:\program files\Nuance\PDF Professional 5\cnvres_eng.dll /100
FF - ProfilePath - c:\docume~1\User\APPLIC~1\Mozilla\Firefox\Profiles\wvyidkig.default\
FF - prefs.js: browser.startup.homepage - hxxp://operationworld.org/
FF - component: c:\program files\Mozilla Firefox\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170633FE}\components\AvkWebFilterFF.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-23 18:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2476)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-23 19:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-23 23:03

Pre-Run: 41,936,367,616 bytes free
Post-Run: 41,912,516,608 bytes free

269 --- E O F --- 2009-08-16 14:58

Malwarebytes' Anti-Malware 1.40
Database version: 2665
Windows 5.1.2600 Service Pack 3

8/23/2009 7:11:22 PM
mbam-log-2009-08-23 (19-11-22).txt

Scan type: Quick Scan
Objects scanned: 88143
Time elapsed: 6 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Malwarebytes' Anti-Malware 1.40
Database version: 2685
Windows 5.1.2600 Service Pack 3

8/23/2009 7:20:36 PM
mbam-log-2009-08-23 (19-20-36).txt

Scan type: Quick Scan
Objects scanned: 88557
Time elapsed: 6 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#11 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 24 August 2009 - 06:32 AM

The results of Combofix and MBAM runs are good. We need to do some follow-ups.
Place your USB flash drives in-place so that some of these programs will be able to find them.

I'm going to have you get and run two utilities.
The first stops automatic use of the AutoRun feature of XP. The second will write to any connected devices a Read-only, System protected Autorun.inf file on all of your hard drives, and all connected removable storage devices.

Download and Install Microsoft's TweakUI:
http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx
Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.
Expand the My Computer branch, then the AutoPlay branch, and then select Drives.
Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
http://download.bleepingcomputer.com/sUBs/...Disinfector.exe
There is no GUI interface or log file produced.
=

>
Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
>

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!
If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

You already have DDS:
double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.
Please include the following logs in your next reply:
the DrWeb Cure-it log
checkup.txt
DDS.txt
and tell me, how is your system now?

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#12 Brigun

Brigun
  • Topic Starter

  • Members
  • 9 posts

Posted 24 August 2009 - 02:38 PM

My system has definitely improved in terms of speed. My Gdata software no longer reports the rootkits in a deep rootkit scan. I ran the DrWeb-CureIt as prescribed; however, it did not report any infections. The "save report list" option was greyed out, so there is nothing I can post here from this application. The following are the other reports you requested:


DDS (Ver_09-07-30.01) - NTFSx86
Run by User at 11:14:16.20 on Mon 08/24/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.618 [GMT -4:00]

AV: G Data InternetSecurity 2010 *On-access scanning enabled* (Updated) {71310606-6F3B-49F2-9A81-8315AA75FBB3}
FW: G Data Personal Firewall *enabled* {6E6F4BA6-C07D-443F-A130-0A57DA59A082}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Nuance\PDF Professional 5\pdfpro5hook.exe
C:\Program Files\G Data\InternetSecurity\Firewall\GDFirewallTray.exe
C:\Program Files\G Data\InternetSecurity\AVKTray\AVKTray.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe
C:\Program Files\G Data\InternetSecurity\AVK\AVKService.exe
C:\Program Files\G Data\InternetSecurity\AVK\AVKWCtl.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Nuance\PDF Professional 5\PDFProFiltSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\G DATA\GDScan\GDScan.exe
C:\Program Files\G Data\InternetSecurity\Firewall\GDFwSvc.exe
C:\Documents and Settings\User\Desktop\Security and Malware\dds.scr

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: G Data WebFilter: {0124123d-61b4-456f-af86-78c53a0790c5} - c:\program files\g data\internetsecurity\webfilter\AvkWebIE.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: ZeonIEEventHelper Class: {da986d7d-ccaf-47b2-84fe-bfa1549bebf9} - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Nuance PDF: {e3286bf1-e654-42ff-b4a6-5e111731df6b} - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll
TB: G Data WebFilter: {0124123d-61b4-456f-af86-78c53a0790c5} - c:\program files\g data\internetsecurity\webfilter\AvkWebIE.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PDFHook] c:\program files\nuance\pdf professional 5\pdfpro5hook.exe
mRun: [PDF5 Registry Controller] c:\program files\nuance\pdf professional 5\RegistryController.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [Nuance PDF Professional 5-reminder] "c:\program files\nuance\pdf professional 5\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\pdf professional 5\ereg\Ereg.ini"
mRun: [GDFirewallTray] c:\program files\g data\internetsecurity\firewall\GDFirewallTray.exe
mRun: [G DATA AntiVirus Trayapplication] c:\program files\g data\internetsecurity\avktray\AVKTray.exe
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\docume~1\user\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append the content of the link to existing PDF file - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Create PDF file - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open with Nuance PDF Converter 5.0 - c:\program files\nuance\pdf professional 5\cnvres_eng.dll /100
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} - hxxp://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221264355453
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\wvyidkig.default\
FF - prefs.js: browser.startup.homepage - hxxp://operationworld.org/
FF - component: c:\program files\mozilla firefox\extensions\{9aa46f4f-4dc7-4c06-97af-5035170633fe}\components\AvkWebFilterFF.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 GDNdisIc;GDNdisIc;c:\windows\system32\drivers\GDNdisIc.sys [2009-8-22 22272]
R1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [2009-8-22 68424]
R2 AVKProxy;G Data AntiVirus Proxy;c:\program files\common files\g data\avkproxy\AVKProxy.exe [2009-4-9 1043528]
R2 AVKService;G Data Scheduler;c:\program files\g data\internetsecurity\avk\AVKService.exe [2009-4-9 388168]
R2 AVKWCtl;G Data Filesystem Monitor;c:\program files\g data\internetsecurity\avk\AVKWCtl.exe [2009-2-25 1206096]
R2 GDTdiInterceptor;GDTdiInterceptor;c:\windows\system32\drivers\GDTdiIcpt.sys [2009-8-22 51016]
R2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\nuance\pdf professional 5\PDFProFiltSrv.exe [2008-2-2 144672]
R3 GDFwSvc;G Data Personal Firewall;c:\program files\g data\internetsecurity\firewall\GDFwSvc.exe [2009-3-10 1416216]
R3 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [2009-8-22 50632]
R3 GDScan;G Data Scanner;c:\program files\common files\g data\gdscan\GDScan.exe [2009-3-10 298568]
R3 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [2009-8-22 32328]
S2 gupdate1c98ee01cf4fe6a;Google Update Service (gupdate1c98ee01cf4fe6a);c:\program files\google\update\GoogleUpdate.exe [2009-2-14 133104]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-9-26 33752]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]

=============== Created Last 30 ================

2009-08-24 08:16 <DIR> --d----- c:\documents and settings\user\DoctorWeb
2009-08-24 08:05 266,360 a------- c:\windows\system32\TweakUI.exe
2009-08-24 08:05 160,217 a------- c:\windows\system32\PowerToysLicense.rtf
2009-08-23 19:02 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-23 18:50 229,376 a------- c:\windows\PEV.exe
2009-08-23 18:50 161,792 a------- c:\windows\SWREG.exe
2009-08-23 18:50 98,816 a------- c:\windows\sed.exe
2009-08-23 17:10 <DIR> a-dshr-- C:\cmdcons
2009-08-23 15:10 <DIR> --d----- c:\program files\Cobian Backup 9
2009-08-23 13:55 <DIR> --d----- c:\program files\Trend Micro
2009-08-22 21:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-22 21:57 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-22 21:40 <DIR> --d----- c:\program files\Sophos
2009-08-22 21:00 <DIR> --d----- c:\windows\ERUNT
2009-08-22 20:56 <DIR> --d----- C:\SDFix
2009-08-22 20:10 68,424 a------- c:\windows\system32\drivers\GRD.sys
2009-08-22 19:44 50,632 a------- c:\windows\system32\drivers\MiniIcpt.sys
2009-08-22 19:43 32,328 a------- c:\windows\system32\drivers\HookCentre.sys
2009-08-22 19:43 51,016 a------- c:\windows\system32\drivers\GDTdiIcpt.sys
2009-08-22 19:43 22,272 a------- c:\windows\system32\drivers\GDNdisIc.sys
2009-08-22 19:41 <DIR> --d----- c:\program files\G Data
2009-08-22 19:41 <DIR> --d----- c:\program files\common files\G DATA
2009-08-22 19:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\G DATA
2009-08-20 14:31 <DIR> --d----- c:\windows\pss
2009-08-20 13:29 <DIR> --d----- c:\program files\Ace Utilities
2009-08-20 12:51 <DIR> --d----- c:\program files\TweakNow RegCleaner
2009-08-20 12:51 <DIR> --d----- c:\docume~1\user\applic~1\TweakNow RegCleaner
2009-08-20 12:43 <DIR> --d----- c:\docume~1\user\applic~1\Uniblue
2009-08-19 22:08 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-08-19 22:08 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-19 22:08 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-19 22:08 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-19 22:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-14 17:01 <DIR> --d----- C:\6da57eaac2adf33bfab3682c2404

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 12:12 827,392 -------- c:\windows\system32\wininet.dll
2009-06-29 12:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 12:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll

============= FINISH: 11:15:06.14 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 9/12/2008 7:47:31 PM
System Uptime: 8/24/2009 10:52:57 AM (1 hours ago)

Motherboard: Dell Inc. | | 0UF414
Processor: Intel® Pentium® M processor 2.00GHz | Microprocessor | 1027/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 74 GiB total, 38.841 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 440x 10/100 Integrated Controller
Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01881028&REV_02\4&2FA23535&0&00F0
Manufacturer: Broadcom
Name: Broadcom 440x 10/100 Integrated Controller
PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01881028&REV_02\4&2FA23535&0&00F0
Service: bcm4sbxp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Packet Scheduler Miniport
Device ID: ROOT\MS_PSCHEDMP\0000
Manufacturer: Microsoft
Name: WAN Miniport (IP) - Packet Scheduler Miniport
PNP Device ID: ROOT\MS_PSCHEDMP\0000
Service: PSched

==== System Restore Points ===================

RP259: 8/18/2009 10:40:51 PM - System Checkpoint
RP260: 8/18/2009 10:40:52 PM - System Checkpoint
RP261: 8/18/2009 10:40:54 PM - System Checkpoint
RP262: 8/18/2009 10:40:55 PM - System Checkpoint
RP263: 8/18/2009 10:40:56 PM - System Checkpoint
RP264: 8/18/2009 10:40:57 PM - System Checkpoint
RP265: 8/18/2009 10:40:58 PM - System Checkpoint
RP266: 8/18/2009 10:40:59 PM - System Checkpoint
RP267: 8/18/2009 10:41:00 PM - System Checkpoint
RP268: 8/18/2009 10:41:01 PM - System Checkpoint
RP269: 8/18/2009 10:41:02 PM - System Checkpoint
RP270: 8/18/2009 10:41:03 PM - Software Distribution Service 3.0
RP271: 8/18/2009 10:41:04 PM - System Checkpoint
RP272: 8/18/2009 10:41:05 PM - System Checkpoint
RP273: 8/18/2009 10:41:06 PM - System Checkpoint
RP274: 8/18/2009 10:41:07 PM - System Checkpoint
RP275: 8/18/2009 10:41:08 PM - System Checkpoint
RP276: 8/18/2009 10:41:09 PM - System Checkpoint
RP277: 8/18/2009 10:41:10 PM - Avg8 Update
RP278: 8/18/2009 10:41:11 PM - Avg8 Update
RP279: 8/18/2009 10:41:12 PM - System Checkpoint
RP280: 8/18/2009 10:41:13 PM - System Checkpoint
RP281: 8/18/2009 10:41:14 PM - System Checkpoint
RP282: 8/18/2009 10:41:16 PM - System Checkpoint
RP283: 8/18/2009 10:41:18 PM - System Checkpoint
RP284: 8/18/2009 10:41:19 PM - Installed Windows Media Format 9 Series Runtime Setup
RP285: 8/18/2009 10:41:19 PM - Installed Windows Media Format Runtime
RP286: 8/18/2009 10:41:21 PM - Installed DVD Prep
RP287: 8/18/2009 10:41:22 PM - Installed Driver Detective.
RP288: 8/18/2009 10:41:24 PM - Removed Driver Detective.
RP289: 8/18/2009 10:41:25 PM - Removed Google Earth.
RP290: 8/18/2009 10:41:26 PM - Removed DVD Prep
RP291: 8/18/2009 10:41:26 PM - Removed Virtual Earth 3D (Beta)
RP292: 8/18/2009 10:41:28 PM - Removed Virtual Earth 3D (Beta)
RP293: 8/18/2009 10:41:31 PM - Removed TweetDeck
RP294: 8/18/2009 10:41:34 PM - Installed DirectX
RP295: 8/18/2009 10:41:35 PM - Installed MP3 Player Utilities
RP296: 8/18/2009 10:41:35 PM - System Checkpoint
RP297: 8/18/2009 10:41:35 PM - System Checkpoint
RP298: 8/18/2009 10:41:35 PM - System Checkpoint
RP299: 8/18/2009 10:41:36 PM - Avg8 Update
RP300: 8/18/2009 10:41:37 PM - Avg8 Update
RP301: 8/18/2009 10:41:38 PM - System Checkpoint
RP302: 8/18/2009 10:41:39 PM - Software Distribution Service 3.0
RP303: 8/18/2009 10:41:40 PM - System Checkpoint
RP304: 8/18/2009 10:41:41 PM - Avg8 Update
RP305: 8/18/2009 10:41:42 PM - System Checkpoint
RP306: 8/18/2009 10:41:42 PM - System Checkpoint
RP307: 8/18/2009 10:41:43 PM - System Checkpoint
RP308: 8/18/2009 10:41:43 PM - Software Distribution Service 3.0
RP309: 8/18/2009 10:41:43 PM - System Checkpoint
RP310: 8/18/2009 10:41:43 PM - System Checkpoint
RP311: 8/18/2009 10:41:44 PM - System Checkpoint
RP312: 8/18/2009 10:41:44 PM - System Checkpoint
RP313: 8/18/2009 10:41:44 PM - Software Distribution Service 3.0
RP314: 8/18/2009 10:41:44 PM - System Checkpoint
RP315: 8/18/2009 10:41:44 PM - Software Distribution Service 3.0
RP316: 8/18/2009 10:41:45 PM - System Checkpoint
RP317: 8/18/2009 10:41:45 PM - System Checkpoint
RP318: 8/18/2009 10:41:45 PM - System Checkpoint
RP319: 8/18/2009 10:41:45 PM - System Checkpoint
RP320: 8/18/2009 10:41:45 PM - System Checkpoint
RP321: 8/18/2009 10:41:46 PM - System Checkpoint
RP322: 8/18/2009 10:41:46 PM - System Checkpoint
RP323: 8/18/2009 10:41:46 PM - System Checkpoint
RP324: 8/18/2009 10:41:47 PM - Software Distribution Service 3.0
RP325: 8/18/2009 10:41:47 PM - Software Distribution Service 3.0
RP326: 8/18/2009 10:41:47 PM - Software Distribution Service 3.0
RP327: 8/18/2009 10:41:48 PM - Printer Driver Microsoft XPS Document Writer Installed
RP328: 8/18/2009 10:41:48 PM - Software Distribution Service 3.0
RP329: 8/18/2009 10:41:48 PM - Software Distribution Service 3.0
RP330: 8/18/2009 10:41:49 PM - System Checkpoint
RP331: 8/18/2009 10:41:49 PM - Software Distribution Service 3.0
RP332: 8/22/2009 11:00:48 PM - System Checkpoint

==== Installed Programs ======================

Ace Utilities
Adobe AIR
Adobe Audition 1.0
Adobe Audition 1.5
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Digital Editions
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Media Player
Adobe Photoshop CS2
Adobe Reader 9.1.3
Adobe Shockwave Player
Adobe Stock Photos 1.0
Apple Mobile Device Support
Apple Software Update
ATI Display Driver
Audio Flash 1.2
AutoUpdate
Bonjour
Cobian Backup 9
Compatibility Pack for the 2007 Office system
Conexant D110 MDC V.9x Modem
e-Sword
e-Sword Macros for Word 2003
ERUNT 1.1j
Flash Slideshow Maker Pro 4.87
G Data InternetSecurity
getPlus® for Adobe
Google Chrome
Google Talk (remove only)
Google Update Helper
Google Updater
Graboid Video 1.5
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
InterActual Player
InterVideo XPack (DVD Only)
iTunes
Java™ 6 Update 10
Java™ 6 Update 7
JW Desktop Player
Macromedia Dreamweaver MX
Macromedia Extension Manager
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office Small Business Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Windows XP Video Decoder Checkup Utility
Mozilla ActiveX Control v1.7.12
Mozilla Firefox (3.0.13)
Mozilla Thunderbird (2.0.0.21)
MP3 Player Utilities
MSXML 6.0 Parser (KB925673)
Nuance PDF Professional 5
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
Picasa 3
PowerPlugs: Video Backgrounds
QuickTime
Scansoft PDF Professional
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SMPlayer 0.6.7
Sophos Anti-Rootkit 1.5.0
TaxCut Premium + Efile 2008
TBS WMP Plug-in
TOSHIBA e-STUDIO3510c Series Client
Tweak UI
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VitalSource Bookshelf
VLC media player 1.0.1
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format 11 runtime
Windows Presentation Foundation
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

8/24/2009 8:22:27 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Nuance\PDF Professional 5\PDFCWordAddin.dll. Reference error message: The operation completed successfully. .
8/23/2009 9:55:45 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Nuance\PDF Professional 5\PDFCPptAddin.dll. Reference error message: The operation completed successfully. .
8/23/2009 7:22:56 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
8/23/2009 6:50:45 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
8/23/2009 6:50:45 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
8/23/2009 6:50:45 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
8/23/2009 6:50:45 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/23/2009 6:50:44 PM, error: Service Control Manager [7034] - The PDFProFiltSrv service terminated unexpectedly. It has done this 1 time(s).
8/23/2009 6:50:44 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
8/23/2009 5:31:06 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000369' while processing the file 'Combo-Fix.sys' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
8/23/2009 5:14:37 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
8/23/2009 5:11:27 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
8/23/2009 5:11:27 PM, error: PlugPlayManager [11] - The device Root\LEGACY_MCQNMQPC\0000 disappeared from the system without first being prepared for removal.
8/22/2009 8:59:23 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
8/22/2009 7:45:52 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFC. Reference error message: The referenced assembly is not installed on your system. .
8/22/2009 7:45:52 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Nuance\PDF Professional 5\RegistryController.exe. Reference error message: The operation completed successfully. .
8/22/2009 7:45:52 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFC could not be found and Last Error was The referenced assembly is not installed on your system.
8/22/2009 11:15:07 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Nuance\PDF Professional 5\ShellExt50.dll. Reference error message: The operation completed successfully. .
8/22/2009 11:01:49 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
8/22/2009 10:05:47 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
8/20/2009 2:35:27 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
8/20/2009 2:34:50 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
8/20/2009 2:34:50 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
8/20/2009 2:34:50 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/20/2009 2:34:50 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/20/2009 2:34:50 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
8/20/2009 2:34:50 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/20/2009 2:34:50 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/20/2009 2:34:19 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/20/2009 2:34:18 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
8/20/2009 12:24:56 PM, error: Service Control Manager [7000] - The adfs service failed to start due to the following error: The system cannot find the file specified.
8/20/2009 11:14:29 AM, error: PSched [14103] - QoS [Adapter {2216A99D-A8EB-4903-8463-BFB6D6645457}]: The netcard driver failed the query for OID_GEN_LINK_SPEED.
8/19/2009 9:42:15 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
8/19/2009 9:30:46 AM, error: System Error [1003] - Error code 100000d1, parameter1 e1af3000, parameter2 00000002, parameter3 00000000, parameter4 edc56225.
8/19/2009 10:57:34 PM, error: System Error [1003] - Error code 100000d1, parameter1 e1a96000, parameter2 00000002, parameter3 00000000, parameter4 edd16225.
8/19/2009 10:30:23 PM, error: System Error [1003] - Error code 100000d1, parameter1 e1a68000, parameter2 00000002, parameter3 00000000, parameter4 edd44225.
8/19/2009 10:27:19 PM, error: Service Control Manager [7034] - The AntipyProex service terminated unexpectedly. It has done this 1 time(s).
8/19/2009 10:05:39 PM, error: System Error [1003] - Error code 100000d1, parameter1 e1957000, parameter2 00000002, parameter3 00000000, parameter4 ed3d5225.

==== End Of File ===========================
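Re-reviewing a DDS log like the one just posted is mostly pattern-spotting in the SERVICES / DRIVERS section. As an added example (not code from this thread, from the DDS tool or from any vendor named in it), here is a small Python triage helper that parses lines in the format DDS emits and flags two things worth a second look: a service whose image is a *.tmp file or that DDS marked `[?]` (file not found on disk at scan time), and two or more driver/service files that share a long prefix of random-looking characters. The sample input is constructed: four lines are copied from the log above, and the two `kzvqmt...` drivers are made up so the prefix check has something to fire on. A hit is a prompt to look, not a verdict: the log above lists Sophos Anti-Rootkit 1.5.0 under Installed Programs, and MEMSWEEP2 is the name that tool uses for its scanning driver, so its `5.tmp` entry is a scanner leftover rather than a new infection.

```python
r"""Triage helper for the SERVICES / DRIVERS section of a DDS log.

Added example, not part of the thread above or of the DDS tool. It parses
lines of the form DDS prints, e.g.

    R1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [2009-8-22 68424]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]

and flags (1) images that are temp files or that DDS could not find ('[?]')
and (2) groups of files sharing a long random-looking name prefix.
"""
import re
from collections import defaultdict

# One DDS service line: "<start> <name>;<display>;<image path> [<date> <size>]"
# or "... [?]" when DDS could not stat the file on disk.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)

# Constructed sample input. The first four service lines are copied from the
# DDS log in the post above; the two 'kzvqmt...' drivers are made up for
# this example so the shared-prefix check has a group to report.
SAMPLE = r"""
============= SERVICES / DRIVERS ===============

R0 GDNdisIc;GDNdisIc;c:\windows\system32\drivers\GDNdisIc.sys [2009-8-22 22272]
R1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [2009-8-22 68424]
R2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\nuance\pdf professional 5\PDFProFiltSrv.exe [2008-2-2 144672]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
R1 kzvqmtrwpls;kzvqmtrwpls;c:\windows\system32\drivers\kzvqmtrwpls.sys [2009-8-20 45056]
S3 kzvqmtxbnhd;kzvqmtxbnhd;c:\windows\system32\kzvqmtxbnhd.sys [2009-8-20 39936]
"""


def parse_services(text):
    """Return one dict per service/driver line; all other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        # DDS prints NT-style image paths as "\??\x --> x"; keep the Win32 form.
        e["path"] = e["path"].split("-->")[-1].strip()
        # "[?]" means DDS did not find the file at scan time.
        e["file_seen"] = e["meta"] != "?"
        entries.append(e)
    return entries


def looks_random(stem):
    """Crude heuristic: letters only with few vowels reads as machine-generated."""
    if not stem.isalpha():
        return False
    vowels = sum(ch in "aeiouy" for ch in stem)
    return vowels / len(stem) < 0.3


def flag_entries(entries, prefix_len=6, min_stem=10):
    """Map a service name (or a shared file-name prefix) to the reasons it was flagged."""
    findings = defaultdict(list)
    by_prefix = defaultdict(list)
    for e in entries:
        base = e["path"].rsplit("\\", 1)[-1]
        stem = base.rsplit(".", 1)[0].lower()
        if base.lower().endswith(".tmp"):
            findings[e["name"]].append("image is a temp file: " + e["path"])
        if not e["file_seen"]:
            findings[e["name"]].append("file not present at scan time ([?])")
        # Only long, random-looking stems take part in the prefix grouping so
        # ordinary vendor names (avkservice, googleupdate) do not cluster.
        if len(stem) >= min_stem and looks_random(stem):
            by_prefix[stem[:prefix_len]].append(base)
    for prefix, files in by_prefix.items():
        if len(files) >= 2:
            findings[prefix].append(
                "shared random-looking prefix: " + ", ".join(sorted(files)))
    return dict(findings)


if __name__ == "__main__":
    for subject, reasons in flag_entries(parse_services(SAMPLE)).items():
        for reason in reasons:
            print(f"{subject:14} {reason}")
```

Run it as a script to print the findings for the sample, or call `flag_entries(parse_services(text))` on a pasted log. The vowel-ratio test is deliberately crude; on a large log, tune `prefix_len` and `min_stem` and add an allow-list for drivers you have already identified.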

#13 Maurice Naggar (Malware Response Team)

Posted 24 August 2009 - 03:33 PM

Good news from you. OK. You need to update the Java runtime (see below).
I'll make another reply later this evening, after having a chance to re-review your logs.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 16 -"
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - leave BOTH checked:
      • Applications and Applets
      • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml
When all is well, you should see Java Version: 1.6.0_16 from Sun Microsystems Inc.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#14 Brigun (Topic Starter)

Posted 24 August 2009 - 08:29 PM

Java is updated. System is operating well thanks to your guidance. I look forward to any follow-up you may have.

#15 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA
  • Local time:08:27 PM

Posted 25 August 2009 - 06:09 AM

Hello Brigun,

Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you need to un-install it. Go to Control Panel and Add-or-Remove programs.
Look for it and click the line for it. Select Change/Remove to de-install it.
OK & Exit out of Control Panel

I see that you are clear of your original issues.
If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combo-fix), put that name in the RUN box stated just below.
The "/u" in the Run line below is to start Combofix for its cleanup & removal function.
Note the space after x and before the slash mark.
The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.
  • Click Start, then click Run. In the command box that opens, type or copy/paste combo-fix /u and then click OK.
  • Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe
  • Please double-click OTL.exe to run it.
  • Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.
Delete the RootRepeal download and RootRepeal.exe, if still present.
We are finished here. Best regards.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
