Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Strange malware issue - unable to use detection tools or virus scanners


  • This topic is locked This topic is locked
30 replies to this topic

#1 Thomas Lovie

Thomas Lovie

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:45 AM

Posted 27 August 2009 - 06:15 PM

I've got a really strange problem, that makes it really difficult to post any diagnostic information about the problem. I've tried running HiJackThis, MalwareBytes anti-malware, Trendnet housecall online scanner, GMER, ad-aware, Spybot S&D, RootRepeal and dds.scr. The results are pretty much the same for all of these programs. The scan/analysis starts, sometimes it gets partway through scanning, and then the application window gets closed. After this happens, in the case of .exe files, the resulting program is rendered useless, in that further attempts to launch it result in a "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item." and you also cannot rename, or delete the file.

Trend-net housecall is also pretty interesting, in that it runs inside the browser, and after it was terminated (part way through the scan) iexplore.exe now exhibits the same error in not being able to launch. This not being able to launch persists across reboots also. I then installed firefox.exe on the system, was using it for a brief period, tried trend-net housecall and now it too is showing the error in not being able to launch.

dds.scr is able to be to be re-launched, and it brings up the black command window type screen, but never brings up the notepad windows. It seems unaffected by the termination behaviour, and is able to be re-launched.

I was able to run A2 anti-trojan, and do have a log of what it did, it quarantined about 10 trojans, and I do have a log of what it did, if that would be useful.

I'm pretty much committed to re-installing windows after some data recovery on this system, but for interests sake, I was looking into this as an academic exercise.

Does anybody have any ideas on what I should try next?

Tom.

BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:45 PM

Posted 27 August 2009 - 07:45 PM

Hi Thomas Lovie,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

I share your academic interest. So let's have a go at it.


#3 Thomas Lovie

Thomas Lovie
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:45 AM

Posted 28 August 2009 - 12:03 AM

Thanks for looking into this issue. I have run the Win32kDiag and here are the results.

Log file is located at: C:\Documents and Settings\Admin\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A70900000002}\{AC76BA86-7AD7-1033-7B44-A70900000002}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\setup.pss\setup.pss

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{D190EE07-1887-4595-8F62-6253114299D2}\{D190EE07-1887-4595-8F62-6253114299D2}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit\Quicken\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit\Quicken\Data\Data

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Real\Msg\Msg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Symantec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\WINDOWS\system\system

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-10 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 62976 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-07-29 17:49:14 24281536 C:\WINDOWS\system32\MRT.exe ()



Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!

#4 Thomas Lovie

Thomas Lovie
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:45 AM

Posted 28 August 2009 - 12:04 AM

Here is the A2 log as requested:

a-squared Free - Version 4.5
Last update: 26/08/2009 8:15:00 PM

Scan settings:

Scan type: Deep Scan
Objects: Memory, Traces, Cookies, C:\, D:\
Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start: 26/08/2009 8:15:28 PM

c:\program files\helper detected: Trace.Directory.I-Spy!A2
c:\program files\partygaming detected: Trace.Directory.PartyPoker!A2
c:\program files\partygaming\language detected: Trace.Directory.PartyPoker!A2
c:\program files\partygaming\language\en_us detected: Trace.Directory.PartyPoker!A2
c:\program files\partygaming\partycasino detected: Trace.Directory.PartyPoker!A2
c:\program files\partygaming\partycasino\language detected: Trace.Directory.PartyPoker!A2
c:\program files\partygaming\partycasino\language\en_us detected: Trace.Directory.PartyPoker!A2
c:\program files\partygaming\partycasino\language\en_us\images detected: Trace.Directory.PartyPoker!A2
c:\program files\partygaming\partycasino\language\en_us\images\games detected: Trace.Directory.PartyPoker!A2
c:\program files\partygaming\partycasino\language\en_us\images\games\cardgames detected: Trace.Directory.PartyPoker!A2
c:\program files\pc mightymax detected: Trace.Directory.PC MightyMax!A2
c:\program files\pc mightymax\undo detected: Trace.Directory.PC MightyMax!A2
c:\windows\msa.exe detected: Trace.File.file-exe-2009.com!A2
c:\program files\pc mightymax\lic.conf detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\lic.dat detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\pcdocrx.conf detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_101.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_102.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_103.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_104.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_105.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_106.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_107.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_108.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_109.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_110.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_111.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_112.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_113.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_114.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_115.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_116.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_117.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_118.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_119.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_120.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_121.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_122.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_123.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_124.tmp detected: Trace.File.PC MightyMax!A2
c:\program files\pc mightymax\tmp_res_x_125.tmp detected: Trace.File.PC MightyMax!A2
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temp\60.tmp detected: Trojan-Downloader.Win32.Small!IK
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temp\mlntssitnc.tmp detected: Virus.Win32.Patched.KY!IK
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temp\serr.tmp detected: Trojan.Win32.Agent!IK
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temp\spool.tmp detected: Trojan.Win32.Tdss!IK
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temp\stibchqoie.tmp detected: Trojan.Win32.Tdss!IK
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temporary Internet Files\Content.IE5\OMXS7B66\load[1].php detected: Trojan-Dropper.Win32.Oficla!IK
C:\Downloads\MLBPlayballSetup-dm[1].exe detected: Riskware.AdWare.Win32.Trymedia.b!IK
C:\hp\bin\KillWind.exe detected: Riskware.RiskTool.Win32.PsKill.p!A2
C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe/PPCToolbar.dll detected: Riskware.AdWare.Win32.Agent!IK
C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\CRYPTO.DLL detected: Win32.SuspectCrc!IK
C:\Program Files\Windows Antivirus Pro\tmp\dbsinit.exe detected: Trojan.HTML.FakeScanti!IK
C:\Program Files\Windows Antivirus Pro\tmp\wispex.html detected: Trojan.HTML.FakeScanti!IK
C:\Program Files\Windows Antivirus Pro\Windows Antivirus Pro.exe detected: Riskware.FraudTool.Win32.WinAntiVirus!IK
C:\WINDOWS\svchast.exe detected: Trojan.Fakealert!IK
C:\WINDOWS\system32\dddesot.dll detected: Riskware.FraudTool.Win32.WinAntiVirus!IK
C:\WINDOWS\system32\desot.exe detected: Trojan.Win32.FakeScanti!IK
C:\WINDOWS\system32\tapi.nfo detected: Trojan-Downloader.Win32.Small!IK
C:\WINDOWS\system32\wispex.html detected: Trojan.HTML.FakeScanti!IK

Scanned

Files: 260977
Traces: 358387
Cookies: 2
Processes: 12

Found

Files: 18
Traces: 41
Cookies: 0
Processes: 0
Registry keys: 0

Scan end: 26/08/2009 9:49:20 PM
Scan time: 1:33:52

C:\WINDOWS\system32\desot.exe Quarantined Trojan.Win32.FakeScanti!IK
C:\WINDOWS\svchast.exe Quarantined Trojan.Fakealert!IK
C:\Program Files\Windows Antivirus Pro\tmp\dbsinit.exe Quarantined Trojan.HTML.FakeScanti!IK
C:\Program Files\Windows Antivirus Pro\tmp\wispex.html Quarantined Trojan.HTML.FakeScanti!IK
C:\WINDOWS\system32\wispex.html Quarantined Trojan.HTML.FakeScanti!IK
C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\CRYPTO.DLL Quarantined Win32.SuspectCrc!IK
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temporary Internet Files\Content.IE5\OMXS7B66\load[1].php Quarantined Trojan-Dropper.Win32.Oficla!IK
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temp\spool.tmp Quarantined Trojan.Win32.Tdss!IK
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temp\stibchqoie.tmp Quarantined Trojan.Win32.Tdss!IK
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temp\serr.tmp Quarantined Trojan.Win32.Agent!IK
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temp\mlntssitnc.tmp Quarantined Virus.Win32.Patched.KY!IK
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temp\60.tmp Quarantined Trojan-Downloader.Win32.Small!IK
C:\WINDOWS\system32\tapi.nfo Quarantined Trojan-Downloader.Win32.Small!IK

Quarantined

Files: 13
Traces: 0
Cookies: 0

#5 Thomas Lovie

Thomas Lovie
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:45 AM

Posted 28 August 2009 - 12:07 AM

I was also successful in getting a sophos log if that is of any assistance:

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Admin>cd "c:\Program Files\Sophos\Sophos Anti-Rootkit"


C:\Program Files\Sophos\Sophos Anti-Rootkit>sarcli

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc

Areas to be scanned:
Running processes
Registry
Local hard drives

Running process scan...
Info: Starting process scan.
Scan completed successfully.
Running registry scan...
Info: Starting registry scan.
Scan completed successfully.
Running disk scan...
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
Hidden: file C:\Documents and Settings\Admin\Desktop\pizh2vjc.exe
Hidden: file C:\Program Files\Mozilla Firefox\firefox.exe
Hidden: file C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
Hidden: file C:\Program Files\Spybot - Search & Destroy-2\SpybotSD.exe
Hidden: file C:\WINDOWS\system32\MRT.exe
Hidden: file C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Se
ttings\Temporary Internet Files\Content.IE5\7RIOQ0EN\8x32;dg=E5717-W-MS-7;dst=1;
et=1251352705593;tzo=420;a=p-28xXVjOjVJlTQ;labels=Broadband%20Enterprises%20LLC.
MediaVest.P%26G_Q3_JAS09[1].gif
Hidden: file C:\Documents and Settings\Admin\Desktop\RootRepeal.exe
Hidden: file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Hidden: file C:\Program Files\Internet Explorer\iexplore.exe
Hidden: file C:\WINDOWS\system32\eventlog.dll
Info: Starting disk scan of D: (FAT).
Scan completed successfully.

C:\Program Files\Sophos\Sophos Anti-Rootkit>

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:45 PM

Posted 28 August 2009 - 04:29 AM

Win32kDiag log shows what we wanted to see. As I thought it is a new rootkit no antivirus or antimalware can remove and needs special treatment.
  • We need to run the tool with the following command to fix some malware related changes.
    Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK:

    "%userprofile%\desktop\win32kdiag.exe" -f -r

    When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

  • Go to start > Run copy/paste the following lines one by one in the run box and click OK after each line.

    cmd /c copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y
    cmd /c dir /a C:\eventlog.dll >log.txt&log.txt&del log.txt

    A log.txt file will be opened. Please post the content to your reply.

  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the avenger window, click the Paste Script from Clipboard, Posted Image button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot.  Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please copy and paste this log in your next reply.
Please include in your next reply:
  • The win32kdiag.txt
  • The log.txt
  • The Avenger log.
  • Any comment or feedback about how it went.


#7 Thomas Lovie

Thomas Lovie
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:45 AM

Posted 28 August 2009 - 08:35 AM

Thank you again for your help with this item.

Here are the logs as you requested:

1. win32kdiag

Log file is located at: C:\Documents and Settings\Admin\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A70900000002}\{AC76BA86-7AD7-1033-7B44-A70900000002}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A70900000002}\{AC76BA86-7AD7-1033-7B44-A70900000002}

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Minidump\Minidump

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\security\logs\logs

Found mount point : C:\WINDOWS\setup.pss\setup.pss

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\setup.pss\setup.pss

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{D190EE07-1887-4595-8F62-6253114299D2}\{D190EE07-1887-4595-8F62-6253114299D2}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{D190EE07-1887-4595-8F62-6253114299D2}\{D190EE07-1887-4595-8F62-6253114299D2}

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit\Quicken\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit\Quicken\Config\Config

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit\Quicken\Data\Data

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit\Quicken\Data\Data

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Real\Msg\Msg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Real\Msg\Msg

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Symantec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Symantec

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\WINDOWS\system\system

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\WINDOWS\system\system

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-10 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 62976 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Cannot access: C:\WINDOWS\system32\MRT.exe

Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe

[1] 2009-07-29 17:49:14 24281536 C:\WINDOWS\system32\MRT.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\Temp

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!



2. log.txt file

Volume in drive C is HP_PAVILION
Volume Serial Number is DC7E-5543

Directory of c:\

13/04/2008 05:11 PM 56,320 eventlog.dll
1 File(s) 56,320 bytes
0 Dir(s) 148,492,029,952 bytes free


3. avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


4. Everything went really well, instructions were crystal clear. Where should I go from here? is there still more disinfection to be done?

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:45 PM

Posted 28 August 2009 - 08:56 AM

Well done. :thumbup2:

We just might have removed the nasty rootkit from your system. We are going to do the usual cleaning part as the scanners should be able run now. I'll inform you when we are done and it is safe.
  • We need to run win32kdiag once more just by double-clicking as you did it in the first post. Please post the log.

  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  • Download RootRepeal.exe from one of these download locations and save it to your desktop:
    http://download.bleepingcomputer.com/rootr.../RootRepeal.exe
    http://ad13.geekstogo.com/RootRepeal.exe
    http://rootrepeal.psikotick.com/RootRepeal.exe
    • Open Posted Image on your desktop.
    • Click the Posted Image tab.
    • Click the Posted Image button.
    • Check all seven boxes: Posted Image
    • Click Ok.
    • Check the box for your main system drive (Usually C:), and press Ok.
    • Allow RootRepeal to run a scan of your system. This may take some time.
    • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
  • Please run DDS and post both the logs. No need to zip or attach them.
Please include in your next reply:
  • The win32kdiag.txt
  • The log of MBAM.
  • The RootRepeal report.
  • Both logs of DDS.
  • Any comment or feedback about how it went.


#9 Thomas Lovie

Thomas Lovie
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:45 AM

Posted 28 August 2009 - 09:08 AM

I think that the win32kdiag removed the funny mount points inside of the c:\windows directory, but how do I do the same for all the files that are currently damaged? I have these mount points at iexplore.exe, firefox.exe, and a few others? -- disregard.... before I refreshed the main thread. hopefully the scanners will clean this up.

Edited by Thomas Lovie, 28 August 2009 - 09:11 AM.


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:45 PM

Posted 28 August 2009 - 02:34 PM

After restart, the scanners should run. There should be no damage to the system due to this rootkit. Other things we will take care of. I'll wait for the logs.

#11 Thomas Lovie

Thomas Lovie
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:45 AM

Posted 28 August 2009 - 04:33 PM

1. Win32kdiag came back clean:

Log file is located at: C:\Documents and Settings\Admin\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Finished!

2. MBAM - had to install another copy of it beside current copy since Rootkit modified original one to be unaccessable
Not able to use online updater - error code 732 (I think this is due to the parallel install, and damage to the original copy)

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

28/08/2009 2:11:53 PM
mbam-log-2009-08-28 (14-11-53).txt

Scan type: Quick Scan
Objects scanned: 112197
Time elapsed: 7 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 5
Files Infected: 44

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tapi.nfo beforeglav) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Start Menu\Programs\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\dddesot.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcm80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcp80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcr80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\Windows Antivirus Pro.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\pix.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\t1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\t2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\up1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\up2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w11.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w3.jpg (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Windows AntiVirus Pro\Windows Antivirus Pro.lnk (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Start Menu\Programs\Windows AntiVirus Pro\Windows Antivirus Pro.lnk (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Desktop\Windows Antivirus Pro.lnk (Rogue.WindowsAntiVirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Desktop\Windows Antivirus Pro.lnk (Rogue.WindowsAntiVirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.


3. RootRepeal

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/28 14:15
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF1DBD000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B5E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootreepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootreepeal.sys
Address: 0xEF785000 Size: 49152 File Visible: No Signed: -
Status: -

Name: wnur.sys
Image Path: wnur.sys
Address: 0xF75FC000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070820.048\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!

Path: c:\program files\updates from hp\9972322\users\default\data\d0000000.fcs
Status: Allocation size mismatch (API: 512, Raw: 0)

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x85ff1008

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x86376c80

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x85fedc78

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x85bb8cb8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf1fee7d0

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x85c02af8

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x85f04380

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf1feea40

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf1fef100

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x85dd23f0

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x85bb4e50

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x85fd9078

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x85ba3208

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x85f3f5c0

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x85dd2130

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x85e97738

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x85bc6cb8

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x85e91360

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x85e90900

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x85ed0cb8

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf1fef330

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x85f7d560

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x85ebe2f0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x85dd20d8

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x85ec94f8

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x85dd2648

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x85ea00a8

==EOF==


4. dds.scr


DDS (Ver_09-07-30.01) - NTFSx86
Run by Admin at 14:26:22.23 on 28/08/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.500 [GMT -7:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\DISC\DiscStreamHub.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.7\NppBho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy-2\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.7\UIBHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [TP CfgWiz] "c:\program files\common files\symantec shared\opc\{31011d49-d90c-4da0-878b-78d28ad507af}\SymCuw.exe" -G:{2D617065-1C52-4240-B5BC-C0AE12157777} -T:Config
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy-2\SDHelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-26 64160]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-8-26 980512]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-7-17 108904]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-7-17 108904]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-7-22 112688]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20070820.048\NAVENG.SYS [2009-7-22 81232]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20070820.048\NAVEX15.SYS [2009-7-22 865904]
S2 AntipPro2009_100;AntipyProex;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\11.tmp --> c:\windows\system32\11.tmp [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-3-21 1245064]

=============== Created Last 30 ================

2009-08-28 07:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware2
2009-08-27 16:48 <DIR> --d----- c:\program files\Sophos
2009-08-26 23:09 <DIR> --d----- c:\docume~1\admin\applic~1\Malwarebytes
2009-08-26 23:09 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-26 23:09 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-26 23:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-26 23:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-26 23:05 <DIR> --dsh--- c:\documents and settings\admin\IETldCache
2009-08-26 23:05 <DIR> --d----- c:\documents and settings\admin\WINDOWS
2009-08-26 23:05 <DIR> --d----- c:\docume~1\admin\applic~1\Symantec
2009-08-26 23:05 <DIR> --d----- c:\docume~1\admin\applic~1\Intuit
2009-08-26 23:05 <DIR> --d----- c:\docume~1\admin\applic~1\Digital Interactive Systems Corporation
2009-08-26 23:05 <DIR> --d----- c:\documents and settings\Admin
2009-08-26 22:29 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-08-26 22:05 <DIR> --d----- c:\program files\Spybot - Search & Destroy-2
2009-08-26 20:11 <DIR> --d----- c:\program files\a-squared Free
2009-08-26 19:51 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-26 19:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-26 19:49 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-26 17:17 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-08-26 15:16 <DIR> a-d----- c:\windows\system32\images
2009-08-20 13:06 5,632 a------- c:\windows\system32\ptpusb.dll
2009-08-20 13:06 159,232 a------- c:\windows\system32\ptpusd.dll
2009-08-12 08:31 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 08:31 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-05 02:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-22 21:38 92,947 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-22 21:38 45,056 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2009-07-22 21:38 341,048 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\HPBasicDetection3.dll
2009-07-22 21:38 163,840 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemcheck.dll
2009-07-22 21:38 61,440 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemutil.dll
2009-07-22 21:38 44,032 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2009-07-22 21:38 40,960 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\ScDmi.dll
2009-07-22 21:38 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\uploadHSC.dll
2009-07-22 21:38 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\Scom.dll
2009-07-22 14:01 115,000 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-07-22 14:01 48,776 a------- c:\windows\system32\S32EVNT1.DLL
2009-07-22 14:01 8,014 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-07-22 14:01 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 06:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 12:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-11 07:39 112,942 a------- c:\windows\hpoins07.dat
2009-07-11 07:36 1,871 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_EL453AA-ABA a1320n_YC_0Pavi_QCNN549_E61NAemMPC1_48_IAsterope_SHewleet-Packard_V1.0_B3.03_T051118_WXP2_L409_M960_J200_7Intel_8Pentium 4_93.06_#060705_N10EC8139_Z11C10620_G10025A61_OHP DVD Writer 740b.MRK
2009-07-03 10:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 10:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 10:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 10:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 10:09 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 10:09 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 10:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 10:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 10:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 10:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 10:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 04:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-07-01 00:08 101,376 -------- c:\windows\system32\dllcache\iecompat.dll
2009-06-25 01:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 01:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 01:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 01:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 01:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 01:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 01:25 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 01:25 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 01:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 01:25 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 01:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 01:25 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-24 04:18 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 07:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 07:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 05:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 05:31 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 05:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 05:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 07:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 07:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-09 23:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-09 23:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-03 12:09 1,291,264 -------- c:\windows\system32\quartz.dll
2009-06-03 12:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2006-01-14 10:12 32 a--sh--- c:\windows\sminst\HPCD.SYS

============= FINISH: 14:26:44.67 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 11/07/2009 11:33:42 AM
System Uptime: 28/08/2009 2:14:02 PM (0 hours ago)

Motherboard: Hewleet-Packard | | Asterope
Processor: Intel® Pentium® 4 CPU 3.06GHz | CPU 1 | 3065/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 179 GiB total, 138.315 GiB free.
D: is FIXED (FAT32) - 7 GiB total, 0.476 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

1500
1500_Help
1500Trb
5 Card Slingo from HP Media Center (remove only)
a-squared Free 4.5
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Agere Systems PCI-SV92PP Soft Modem
AiO_Scan
AiO_Scan_CDA
AiOSoftware
AiOSoftwareNPI
AppCore
AstroPop Deluxe from HP Media Center (remove only)
ATI Control Panel
ATI Display Driver
AudibleManager
AV
Barnyard Invasion from HP Media Center (remove only)
Bejeweled 2 Deluxe from HP Media Center (remove only)
Blackhawk Striker 2 from HP Media Center (remove only)
Blasterball 2 from HP Media Center (remove only)
Blasterball 2 Remix from HP Media Center (remove only)
Boggle Supreme from HP Media Center (remove only)
Bookworm Deluxe from HP Media Center (remove only)
Bounce Symphony from HP Media Center (remove only)
BufferChm
CameraDrivers
ccCommon
CCleaner (remove only)
Chuzzle Deluxe from HP Media Center (remove only)
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_LightScribePlugin
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
Crystal Maze from HP Media Center (remove only)
CueTour
Customer Experience Enhancement
Destinations
DeviceManagementQFolder
DISCover
DocProc
DocumentViewer
DocumentViewerQFolder
Easy Internet Sign-up
Family Feud
FATE from HP Media Center (remove only)
Fax
Fax_CDA
GearDrvs
GemMaster Mystic
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
HP Boot Optimizer
HP Deskjet Printer Preload
HP DigitalMedia Archive
HP Document Viewer 5.3
HP Game Console and games
HP Image Zone 5.3
HP Image Zone for Media Center PC
HP Imaging Device Functions 5.3
HP Multimedia Keyboard Software
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Photosmart Cameras 5.0
HP PSC & OfficeJet 5.3.A
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPProductAssistant
HpSdpAppCoreApp
Insaniquarium Deluxe from HP Media Center (remove only)
InstantShareDevices
InterVideo WinDVD Player
J2SE Runtime Environment 5.0 Update 5
Lemonade Tycoon 2 from HP Media Center (remove only)
Lexibox Deluxe from HP Media Center (remove only)
LightScribe 1.4.52.1
LiveUpdate 3.2 (Symantec Corporation)
Mah Jong Quest from HP Media Center (remove only)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Away Mode
Microsoft Money 2005
Microsoft Office 2003 Edition 60 Days Trial Welcome Tour
Microsoft Office Standard Edition 2003
Microsoft Works
Mozilla Firefox (3.5.2)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 4.5
muvee autoProducer unPlugged 1.2
Netscape Browser (remove only)
NewCopy
NewCopy_CDA
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 Help
Norton Confidential Browser Component
Norton Confidential Web Authentification Component
Norton Confidential Web Protection Component
Otto
PanoStandAlone
PC-Doctor 5 for Windows
PhotoGallery
Polar Bowler from HP Media Center (remove only)
Polar Golfer from HP Media Center (remove only)
ProductContext
PS2
PSPrinters08
PSTAPlugin
Puzzle Express from HP Media Center (remove only)
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2006
RandMap
Readme
RealPlayer
Realtek High Definition Audio Driver
Remove IntelliMover Demo
Ricochet Lost Worlds from HP Media Center (remove only)
Scan
ScannerCopy
SCRABBLE from HP Media Center (remove only)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Shooting Stars Pool from HP Media Center (remove only)
Shrek 2 Ogre Bowler from HP Media Center (remove only)
SkinsHP1
Slingo Deluxe from HP Media Center (remove only)
Snowboard SuperJam from HP Media Center (remove only)
SolutionCenter
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
Sophos Anti-Rootkit 1.5.0
SPBBC 32bit
Spybot - Search & Destroy
Status
Super Granny from HP Media Center (remove only)
SuppSoft
Symantec Real Time Storage Protection Component
Symantec Technical Support Controls
SymNet
Tradewinds from HP Media Center (remove only)
TrayApp
Unload
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Updates from HP (remove only)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Live OneCare safety scanner
Windows Media Format Runtime
Windows XP Media Center Edition 2005 KB908250
Windows XP Service Pack 3
Yahoo! Toolbar
Zuma Deluxe from HP Media Center (remove only)

==== Event Viewer Messages From Past Week ========

28/08/2009 6:28:20 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: iaStor IntelIde ViaIde
27/08/2009 4:48:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SPBBCDrv SRTSPX SYMTDI Tcpip
27/08/2009 4:48:01 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
27/08/2009 4:48:01 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
27/08/2009 4:48:01 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
27/08/2009 4:48:01 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
27/08/2009 4:47:59 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
26/08/2009 9:52:06 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
26/08/2009 7:49:23 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
26/08/2009 7:46:23 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
26/08/2009 7:38:57 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
26/08/2009 7:38:57 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\system32\desot.exe. Reference error message: The operation completed successfully. .
26/08/2009 7:38:57 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
26/08/2009 7:32:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm SPBBCDrv SRTSPX SYMTDI
26/08/2009 7:31:31 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
26/08/2009 5:15:35 PM, error: Dhcp [1002] - The IP address lease 99.236.147.12 for the Network Card with network address 00142AB7B673 has been denied by the DHCP server 192.168.5.254 (The DHCP Server sent a DHCPNACK message).
26/08/2009 3:17:59 PM, information: Windows File Protection [64007] - The protected system file eventlog.dll could not be verified as valid because the file was in use. Use the SFC utility to verify the integrity of the file at a later time.
26/08/2009 10:37:25 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.
26/08/2009 10:35:58 PM, error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: Access is denied.
26/08/2009 10:35:53 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
26/08/2009 10:24:28 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Norton 360\tpBTPlg.dll. Reference error message: The operation completed successfully. .
26/08/2009 10:23:24 PM, error: Service Control Manager [7000] - The AntipyProex service failed to start due to the following error: The system cannot find the file specified.

==== End Of File ===========================

5. Overall it went pretty smoothly, but wasn't able to update MBAM. Still unable to use iexplore.exe or firefox.exe, and default installs of the other scanners.
farbar, how did you know to remove that eventlog.dll after the first win32diag step?

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:45 PM

Posted 28 August 2009 - 05:02 PM

farbar, how did you know to remove that eventlog.dll after the first win32diag step?

Because I know how this rootkit acts, just needed confirmation from the log.

  • Go to start => Run => copy/paste the following line in the run box and click OK.

    sc delete AntipPro2009_100

    A window will flash, it is normal.

  • MBAM got lot a lot of them. But we need to run an updated MBAM to take all it can remove.
    Uninstall your MBAM.
    Use Windows search and give Malwarebytes as search object. Remove any remaining folder.
    Download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


Note: In case you could still not update MBAM update MBAM manually. To do that download mbam-rules.exe.
Double-click mban-rules.exe to run it.
Then run MBAM, let remove what it finds, reboot if needed and post the log.


#13 Thomas Lovie

Thomas Lovie
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:45 AM

Posted 28 August 2009 - 05:55 PM

Well, I'm a moron, the reason that MBAM wouldn't update was that the computer is/was running with network connection unplugged. :thumbup2:

I updated MBAM and here is the log:

Malwarebytes' Anti-Malware 1.40
Database version: 2710
Windows 5.1.2600 Service Pack 3

28/08/2009 3:50:32 PM
mbam-log-2009-08-28 (15-50-32).txt

Scan type: Quick Scan
Objects scanned: 114810
Time elapsed: 7 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temp\62.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temp\a.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temp\b.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:45 PM

Posted 28 August 2009 - 06:02 PM

Good you noticed it. We need to run ComboFix and internet connect is required. ComboFix disconnects internet while running and reconnects it again when it finished.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#15 Thomas Lovie

Thomas Lovie
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:45 AM

Posted 28 August 2009 - 06:45 PM

Here is the Combofix log.


ComboFix 09-08-28.01 - Admin 28/08/2009 16:32.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.589 [GMT -7:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Admin\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Admin\Local Settings\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Start Menu\Programs\Download programs.url
c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Start Menu\Programs\Translator.url
c:\program files\Helper
c:\recycler\S-1-5-21-1281440437-1569338651-1500501007-1008
c:\recycler\S-1-5-21-1397362940-3154158900-3290956665-1008
c:\windows\Installer\12b2e931.msi
c:\windows\Installer\12d7bd5.msi
c:\windows\Installer\1375ccf2.msp
c:\windows\Installer\1375cd05.msp
c:\windows\Installer\1375cd18.msp
c:\windows\Installer\1375cd2a.msp
c:\windows\Installer\13c8f6.msi
c:\windows\Installer\13c8fd.msi
c:\windows\Installer\13c903.msi
c:\windows\Installer\13c90f.msi
c:\windows\Installer\13c925.msi
c:\windows\Installer\13c934.msi
c:\windows\Installer\13c93a.msi
c:\windows\Installer\13c940.msi
c:\windows\Installer\13c94a.msi
c:\windows\Installer\13c950.msi
c:\windows\Installer\13c956.msi
c:\windows\Installer\13c961.msi
c:\windows\Installer\13c967.msi
c:\windows\Installer\13c96d.msi
c:\windows\Installer\147639ae.msi
c:\windows\Installer\14765090.msi
c:\windows\Installer\1476509a.msi
c:\windows\Installer\14812d.msi
c:\windows\Installer\155057c0.msi
c:\windows\Installer\16606cb1.msp
c:\windows\Installer\177acdb.msp
c:\windows\Installer\177ad04.msp
c:\windows\Installer\177ad18.msp
c:\windows\Installer\177ad2b.msp
c:\windows\Installer\1a87e79e.msi
c:\windows\Installer\1adbcb2b.msi
c:\windows\Installer\1ddb63a8.msp
c:\windows\Installer\1ddb63ba.msp
c:\windows\Installer\1ddf012.msi
c:\windows\Installer\203a899.msi
c:\windows\Installer\20639c62.msp
c:\windows\Installer\21f6292.msp
c:\windows\Installer\21f62a5.msp
c:\windows\Installer\21f62b8.msp
c:\windows\Installer\21f62bf.msi
c:\windows\Installer\21f62d1.msp
c:\windows\Installer\21f62e4.msp
c:\windows\Installer\24d45b4.msp
c:\windows\Installer\24d45c7.msp
c:\windows\Installer\24d45db.msp
c:\windows\Installer\24d45fe.msp
c:\windows\Installer\24d45ff.msp
c:\windows\Installer\24d4612.msp
c:\windows\Installer\24d4625.msp
c:\windows\Installer\24eac4b.msi
c:\windows\Installer\2504669f.msp
c:\windows\Installer\25886.msp
c:\windows\Installer\26bd205e.msp
c:\windows\Installer\26bd2067.msi
c:\windows\Installer\26bd2079.msp
c:\windows\Installer\2715e.msp
c:\windows\Installer\27506b.msi
c:\windows\Installer\275084.msp
c:\windows\Installer\2baa414.msi
c:\windows\Installer\2baa426.msp
c:\windows\Installer\2baa439.msp
c:\windows\Installer\2baa44c.msp
c:\windows\Installer\2d749f4.msi
c:\windows\Installer\32c38.msi
c:\windows\Installer\32c43.msi
c:\windows\Installer\32c49.msi
c:\windows\Installer\32c4f.msi
c:\windows\Installer\336f0b8e.msp
c:\windows\Installer\33bc764.msi
c:\windows\Installer\345a504.msp
c:\windows\Installer\3481230.msi
c:\windows\Installer\358f367.msi
c:\windows\Installer\3ebb08c.msp
c:\windows\Installer\3ebb09e.msp
c:\windows\Installer\3ebb0b1.msp
c:\windows\Installer\4331e1.msi
c:\windows\Installer\4331f3.msi
c:\windows\Installer\4535df.msi
c:\windows\Installer\4c543670.msp
c:\windows\Installer\521e217.msp
c:\windows\Installer\5471c29.msp
c:\windows\Installer\5471c3c.msp
c:\windows\Installer\5471c4f.msp
c:\windows\Installer\5471c63.msp
c:\windows\Installer\5471c76.msp
c:\windows\Installer\5471c89.msp
c:\windows\Installer\5471c9c.msp
c:\windows\Installer\5ad1ac.msi
c:\windows\Installer\60fb87b.msp
c:\windows\Installer\7764064.msi
c:\windows\Installer\77dde.msi
c:\windows\Installer\8b2607.msi
c:\windows\Installer\8b2616.msi
c:\windows\Installer\8b2622.msi
c:\windows\Installer\8b2628.msi
c:\windows\Installer\8b2631.msi
c:\windows\Installer\8b2637.msi
c:\windows\Installer\8b263d.msi
c:\windows\Installer\8b2643.msi
c:\windows\Installer\8b2649.msi
c:\windows\Installer\8f6b594.msi
c:\windows\Installer\924fbef.msp
c:\windows\Installer\924fc02.msp
c:\windows\Installer\924fc15.msp
c:\windows\Installer\924fc28.msp
c:\windows\Installer\924fc3b.msp
c:\windows\Installer\924fc4e.msp
c:\windows\Installer\924fc61.msp
c:\windows\Installer\adb8f.msi
c:\windows\Installer\b00ca97.msi
c:\windows\Installer\bc62d6c.msi
c:\windows\Installer\c477ce8.msp
c:\windows\Installer\c477cfb.msp
c:\windows\Installer\c477d0f.msp
c:\windows\Installer\dc2b0a.msp
c:\windows\Installer\e0aaa7.msp
c:\windows\Installer\e0aaba.msp
c:\windows\Installer\e0aad7.msp
c:\windows\Installer\e1abc.msi
c:\windows\Installer\e1ac2.msi
c:\windows\Installer\e1ac8.msi
c:\windows\Installer\e1ace.msi
c:\windows\Installer\e1ad4.msi
c:\windows\Installer\e1ada.msi
c:\windows\Installer\e1ae0.msi
c:\windows\Installer\e1ae6.msi
c:\windows\Installer\e1aec.msi
c:\windows\Installer\e1af6.msi
c:\windows\Installer\e1afc.msi
c:\windows\Installer\e1b08.msi
c:\windows\Installer\e1b0e.msi
c:\windows\Installer\e1b14.msi
c:\windows\Installer\e1b1a.msi
c:\windows\Installer\e1b20.msi
c:\windows\Installer\ea33112.msp
c:\windows\Installer\f16e89f.msi
c:\windows\Installer\f16e8a5.msi
c:\windows\kb913800.exe
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\ps2.bat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))
.

2009-08-28 23:07 . 2009-08-28 23:07 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Identities
2009-08-28 22:38 . 2009-08-28 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-28 22:34 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-28 22:34 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-28 22:34 . 2009-08-28 22:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-28 00:37 . 2009-08-28 00:37 -------- d-----w- c:\documents and settings\Admin\Application Data\AdobeUM
2009-08-27 23:48 . 2009-08-27 23:48 -------- d-----w- c:\program files\Sophos
2009-08-27 06:29 . 2009-08-28 00:37 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Adobe
2009-08-27 06:09 . 2009-08-27 06:09 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2009-08-27 05:55 . 2009-08-27 05:57 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-27 05:53 . 2008-12-04 08:25 120832 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\c8haajec.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-08-27 05:29 . 2009-08-27 05:29 -------- dc----w- c:\windows\system32\DRVSTORE
2009-08-27 02:45 . 2009-08-27 02:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-08-27 00:17 . 2009-08-27 00:16 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-27 00:16 . 2009-08-27 04:58 -------- d-----w- c:\documents and settings\Administrator\.housecall6.6
2009-08-26 23:10 . 2009-08-26 23:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-08-26 23:07 . 2009-08-26 23:07 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-26 23:07 . 2009-08-26 23:07 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-20 20:06 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-08-20 20:06 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-08-20 20:00 . 2009-08-20 20:00 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-12 15:31 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-28 23:29 . 2005-11-25 23:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-28 23:29 . 2005-11-25 23:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-27 06:12 . 2009-08-27 03:11 -------- d-----w- c:\program files\a-squared Free
2009-08-27 06:06 . 2005-11-25 22:37 51056 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-27 05:34 . 2009-07-17 20:09 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\uTorrent
2009-08-27 05:29 . 2009-08-27 05:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-27 05:29 . 2009-08-27 02:49 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-27 05:28 . 2006-11-27 00:46 -------- d-----w- c:\program files\Lavasoft
2009-08-27 05:26 . 2009-08-27 02:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-27 05:26 . 2009-08-27 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-27 05:05 . 2009-08-27 05:05 -------- d-----w- c:\program files\Spybot - Search & Destroy-2
2009-08-20 20:00 . 2005-11-25 23:09 -------- d-----w- c:\program files\Google
2009-08-05 09:01 . 2004-08-10 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-24 01:21 . 2009-07-23 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-24 01:21 . 2009-07-23 18:21 -------- d-----w- c:\program files\NOS
2009-07-23 18:21 . 2009-07-23 18:21 1914000 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-07-23 05:06 . 2009-07-11 18:35 51056 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-23 04:38 . 2005-08-31 12:01 92947 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-23 04:38 . 2009-07-23 04:38 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2009-07-23 04:38 . 2009-07-23 04:38 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2009-07-23 04:38 . 2009-07-23 04:38 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2009-07-23 04:38 . 2009-07-23 04:38 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2009-07-23 04:38 . 2009-07-23 04:38 341048 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2009-07-23 04:38 . 2009-07-23 04:38 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2009-07-23 04:38 . 2009-07-23 04:38 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2009-07-23 04:38 . 2009-07-23 04:38 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2009-07-20 13:24 . 2005-11-25 22:51 -------- d-----w- c:\program files\Common Files\L&H
2009-07-20 13:24 . 2009-07-20 13:24 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-07-20 13:23 . 2005-11-25 22:49 -------- d-----w- c:\program files\Microsoft Works
2009-07-17 19:01 . 2004-08-10 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 15:02 . 2009-07-17 15:02 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Yahoo!
2009-07-17 15:02 . 2006-07-06 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-07-13 17:08 . 2004-08-10 12:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 15:20 . 2009-07-11 18:35 155 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Application Data\fusioncache.dat
2009-07-11 14:39 . 2005-11-25 22:29 112942 ----a-w- c:\windows\hpoins07.dat
2009-07-11 14:36 . 2009-07-11 14:36 1871 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_EL453AA-ABA a1320n_YC_0Pavi_QCNN549_E61NAemMPC1_48_IAsterope_SHewleet-Packard_V1.0_B3.03_T051118_WXP2_L409_M960_J200_7Intel_8Pentium 4_93.06_#060705_N10EC8139_Z11C10620_G10025A61_OHP DVD Writer 740b.MRK
2009-07-09 01:54 . 2008-02-02 19:45 -------- d-----w- c:\program files\PokerStars
2009-07-08 17:28 . 2009-08-27 05:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-07-07 20:34 . 2009-07-03 23:10 -------- d-----w- c:\program files\PartyGaming
2009-07-03 17:09 . 2004-08-10 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-03 14:49 . 2009-08-27 05:29 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-25 08:25 . 2004-08-10 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-10 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-10 19:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-10 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-10 19:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2004-08-10 12:00 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-10 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-10 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-10 12:00 1291264 ------w- c:\windows\system32\quartz.dll
2006-01-14 17:12 . 2006-07-04 06:01 32 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-25 27136]

c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Start Menu\Programs\Startup\
MLB.TV NexDef Plug-in.lnk - c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe [2009-7-17 801032]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-25 36903]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [26/08/2009 10:29 PM 64160]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 7:49 AM 1029456]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\11.tmp --> c:\windows\system32\11.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-05 04:42]

2009-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-05 04:42]

2009-08-28 c:\windows\Tasks\WebReg psc 1500 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2005-05-12 15:21]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKLM-Run-PCDrProfiler - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-28 16:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\11.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2f,99,5b,90,12,1b,6e,44,8d,5d,8e,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2f,99,5b,90,12,1b,6e,44,8d,5d,8e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(960)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\a-squared Free\a2service.exe
c:\windows\arservice.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\DISC\DiscStreamHub.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\hp\KBD\kbd.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
c:\program files\Java\jre1.5.0_05\bin\jusched.exe
.
**************************************************************************
.
Completion time: 2009-08-28 16:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-28 23:43

Pre-Run: 148,906,274,816 bytes free
Post-Run: 149,127,692,288 bytes free

411 --- E O F --- 2009-08-27 05:37




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users