
Infected computer - Rootkit (?)


  • This topic is locked
25 replies to this topic

#1 carolinek1982

carolinek1982

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:53 AM

Posted 01 September 2009 - 07:34 AM

Hi, I'm a newbie here, and I've read through several of the posts to try and sort my computer out, but to no avail. This is only the second time I've got a virus on my computer, and the first one was picked up and sorted in seconds by my AVG.

My IE keeps redirecting me to different search sites, so much that I can't use it, but I can use Firefox (which seems to run with no problems). I have AVG antivirus, which won't now run scans, and when I started my computer up this morning start-up programs such as MSN Messenger didn't start.

I think I have a rootkit that changes permissions on my internet settings (if that's possible), as I've tried to run several anti-malware programs suggested on this site (Malwarebytes etc.) and they close within a couple of seconds of running them. I've also tried running DDC, RootRepeal and RSIT, which all close after a few seconds.

When I run Win32kDiag the first thing it comes up with is WARNING: could not get backup privileges!

Thanks in advance for any help!
Caroline

Posting the Win32kDiag log:
Log file is located at: C:\Documents and Settings\Caroline\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB913580\KB913580

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP18F.tmp\ZAP18F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP271.tmp\ZAP271.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2A4.tmp\ZAP2A4.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\ZAPD8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Options\CABS\CABS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Options\Install\Install

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\7.0\Collab\Collab

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\7.0\Preferences\Preferences

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{42C6FC78-3BE9-478A-8A5E-35F264CAD89E}\{42C6FC78-3BE9-478A-8A5E-35F264CAD89E}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intel\Wireless\Wireless

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\toshiba\pcdiag\v3.0\Logs\Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 13:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 01:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 01:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-14 01:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\NtmsData\Export\Export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\ISPSoftware\BTYahoo\BTYahoo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\History\History

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\IntelChip\IntelChip

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\spss5804\spss5804

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Finished!


and PEEK:

Volume in drive C has no label.
Volume Serial Number is 9005-FC2D

Directory of C:\WINDOWS\$NtServicePackUninstall$

04/08/2004 13:00 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

04/08/2004 13:00 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

04/08/2004 13:00 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 01:12 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 01:12 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 01:11 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

14/04/2008 01:12 181,248 scecli.dll

Directory of C:\WINDOWS\system32

14/04/2008 01:12 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

14/04/2008 01:11 61,952 eventlog.dll
3 File(s) 650,240 bytes

Total Files Listed:
9 File(s) 1,937,920 bytes
0 Dir(s) 29,597,208,576 bytes free

Merged posts. ~ OB

Edited by Orange Blossom, 01 September 2009 - 10:00 PM.


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:53 AM

Posted 03 September 2009 - 09:48 PM

Hello carolinek1982,

This is a nasty Rootkit!

We will need to take this cleanup in phases. You are not clean until I tell you so - even if it appears that everything is running fine!

Let's begin....

==========

Step 1

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r

==========

Step 2

Please do this:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y
  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (step #3) won't work if the file copy was not successful.
  • Exit the Command Prompt window.
==========

Step 3

Warning to others reading this thread!: The Avenger is a VERY POWERFUL program, and can easily be misused.
Certain misuses of this program can prevent your system from ever starting again.
For this reason, it is strongly recommended to use The Avenger only as directed and under qualified supervision.
We can accept no responsibility for damage caused by misuse of the program.
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
==========

With your next post please provide:

* Win32kDiag.txt
* Avenger.txt
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
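As an added example (not code from this thread, from the Win32kDiag tool or from BleepingComputer), here is a small Python triage script for the Win32kDiag log format posted in the first post. It parses the "Found mount point" / "Mount point destination" pairs and the "Cannot access" blocks, flags junction targets that do not take the ordinary \??\ form (that rule is this example's own assumption, not something the tool states), and, for each locked file, compares the live copy with the same-named copies the log lists, marking it suspect when its publisher name is blank or its size differs from the copy with the same build timestamp. On the eventlog.dll entries from the first post that rule selects the ServicePackFiles\i386 copy, which is the one Step 2 above copies back. The sample log lines are constructed from the entries posted in this thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the line format Win32kDiag writes, assembled from entries
# posted in this thread (the real log separates lines with blanks; the parser skips them).
SAMPLE_LOG = r"""
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
[1] 2004-08-04 13:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-14 01:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-14 01:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)
Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 13:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-14 01:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-14 01:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-14 01:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Finished!
"""

# One "[n] date time size path (company)" line; company is empty when the log shows "()".
ENTRY_RE = re.compile(
    r"^\[(?P<n>\d+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<path>.+?)\s+\((?P<company>.*)\)$"
)


@dataclass
class FileEntry:
    stamp: str      # "YYYY-MM-DD HH:MM:SS" as logged
    size: int
    path: str
    company: str    # "" when Win32kDiag could not read a publisher name


@dataclass
class BlockedFile:
    path: str                                       # the file reported as "Cannot access"
    candidates: list = field(default_factory=list)  # the copies listed under it


def parse_win32kdiag(text):
    """Return (mount_points, blocked): junction/target pairs and 'Cannot access' blocks."""
    mount_points, blocked, current, junction = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Found mount point :"):
            junction, current = line.split(":", 1)[1].strip(), None
        elif line.startswith("Mount point destination :"):
            mount_points.append((junction, line.split(":", 1)[1].strip()))
        elif line.startswith("Cannot access:"):
            current = BlockedFile(line.split(":", 1)[1].strip())
            blocked.append(current)
        elif current is not None:
            m = ENTRY_RE.match(line)
            if m:
                current.candidates.append(FileEntry(
                    f"{m['date']} {m['time']}", int(m["size"]), m["path"], m["company"]))
    return mount_points, blocked


def suspicious_mount_points(mount_points):
    """Heuristic (an assumption of this example): ordinary NTFS junctions and volume
    mount points resolve to a \\??\\ path, so any other target deserves a look."""
    return [(j, t) for j, t in mount_points if not t.startswith("\\??\\")]


def triage_blocked(blocked):
    """Compare the locked live file with the same-named copies the log lists."""
    live_path = blocked.path.lower()
    name = live_path.rsplit("\\", 1)[-1]
    live = [c for c in blocked.candidates if c.path.lower() == live_path]
    refs = [c for c in blocked.candidates
            if c.path.lower() != live_path and c.path.lower().rsplit("\\", 1)[-1] == name]
    if not live:
        return {"path": blocked.path, "verdict": "no-live-entry", "reasons": [], "replacement": None}
    live = live[0]
    # Reference copies from the same build: identical timestamp and a readable publisher.
    same_build = [r for r in refs if r.stamp == live.stamp and r.company]
    reasons = []
    if not live.company:
        reasons.append("publisher name missing")
    if same_build and all(r.size != live.size for r in same_build):
        reasons.append(f"size {live.size} differs from same-build copy ({same_build[0].size})")
    verdict = "suspect" if reasons else "consistent"
    return {"path": blocked.path, "verdict": verdict, "reasons": reasons,
            "replacement": same_build[0].path if reasons and same_build else None}


def analyze(text):
    mount_points, blocked = parse_win32kdiag(text)
    return {"suspicious_mount_points": suspicious_mount_points(mount_points),
            "files": [triage_blocked(b) for b in blocked]}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for junction, target in result["suspicious_mount_points"]:
        print(f"junction {junction} -> {target}")
    for f in result["files"]:
        print(f"{f['verdict']:10} {f['path']} {f['reasons']} replacement={f['replacement']}")
```

The replacement the script proposes is only a candidate: before copying anything back, a practitioner would still confirm the reference copy's hash against a known-good source, as the script has no way to tell from the log alone whether the ServicePackFiles copy itself is intact.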

#3 carolinek1982

carolinek1982
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:53 AM

Posted 07 September 2009 - 07:35 PM

Hi SifuMike

Many thanks for taking this on!

Caroline


Win32kDiag.txt:

Log file is located at: C:\Documents and Settings\Caroline\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Found mount point : C:\WINDOWS\$hf_mig$\KB913580\KB913580

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB913580\KB913580

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP18F.tmp\ZAP18F.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP18F.tmp\ZAP18F.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP271.tmp\ZAP271.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP271.tmp\ZAP271.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2A4.tmp\ZAP2A4.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2A4.tmp\ZAP2A4.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\ZAPD8.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\ZAPD8.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\Options\CABS\CABS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Options\CABS\CABS

Found mount point : C:\WINDOWS\Options\Install\Install

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Options\Install\Install

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-04 13:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-14 01:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-14 01:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\7.0\Collab\Collab

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\7.0\Collab\Collab

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\7.0\Preferences\Preferences

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\7.0\Preferences\Preferences

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{42C6FC78-3BE9-478A-8A5E-35F264CAD89E}\{42C6FC78-3BE9-478A-8A5E-35F264CAD89E}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{42C6FC78-3BE9-478A-8A5E-35F264CAD89E}\{42C6FC78-3BE9-478A-8A5E-35F264CAD89E}

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intel\Wireless\Wireless

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intel\Wireless\Wireless

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\toshiba\pcdiag\v3.0\Logs\Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\toshiba\pcdiag\v3.0\Logs\Logs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 13:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 01:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 01:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-14 01:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\NtmsData\Export\Export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\NtmsData\Export\Export

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\ISPSoftware\BTYahoo\BTYahoo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\ISPSoftware\BTYahoo\BTYahoo

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\History\History

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\History\History

Found mount point : C:\WINDOWS\Temp\IntelChip\IntelChip

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\IntelChip\IntelChip

Found mount point : C:\WINDOWS\Temp\spss5804\spss5804

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\spss5804\spss5804

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Temporary Internet Files

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!



Avenger.txt:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.
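
For reading a Win32kDiag log like the one posted above, here is an added triage helper (my own example, not Win32kDiag's code or anything from this thread): it parses the mount-point, cannot-access and file-version lines and reports what a helper would look at first, namely junctions with an unexpected target and the copy of eventlog.dll that carries no vendor name. The `\??\Volume{` check is an assumption about what a legitimate volume mount point resolves to, and the sample log is a constructed excerpt of the output above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Line shapes taken from the Win32kDiag log posted in this thread.
MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
REMOVED_RE = re.compile(r"^Removing mount point : (.+)$")
NOACCESS_RE = re.compile(r"^Cannot access: (.+)$")
FILE_RE = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+?) \(([^()]*)\)$")
# Assumption (heuristic): a genuine NTFS volume mount point resolves to
# \??\Volume{GUID}\ ; any other object-namespace target deserves a look.
LEGIT_DEST_PREFIX = "\\??\\Volume{"


@dataclass
class MountPoint:
    path: str
    destination: str = ""
    removed: bool = False


@dataclass
class FileVersion:
    timestamp: str
    size: int
    path: str
    company: str  # empty string when the log prints "()"


@dataclass
class Report:
    warnings: List[str] = field(default_factory=list)
    mount_points: List[MountPoint] = field(default_factory=list)
    inaccessible: List[str] = field(default_factory=list)
    files: Dict[str, List[FileVersion]] = field(default_factory=dict)  # keyed by basename


def parse_win32kdiag(text: str) -> Report:
    """Walk the log line by line, pairing each mount point with its destination."""
    report, current = Report(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("WARNING:"):
            report.warnings.append(line)
        elif (m := MOUNT_RE.match(line)):
            current = MountPoint(m.group(1))
            report.mount_points.append(current)
        elif (m := DEST_RE.match(line)) and current:
            current.destination = m.group(1)
        elif (m := REMOVED_RE.match(line)) and current:
            current.removed = m.group(1) == current.path
            current = None
        elif (m := NOACCESS_RE.match(line)):
            report.inaccessible.append(m.group(1))
        elif (m := FILE_RE.match(line)):
            stamp, size, path, company = m.groups()
            key = path.rsplit("\\", 1)[-1].lower()
            report.files.setdefault(key, []).append(FileVersion(stamp, int(size), path, company))
    return report


def suspicious_mount_points(report: Report) -> List[MountPoint]:
    """Flag a junction whose target is not a volume, or whose directory name repeats
    its parent's: the pattern that kept tools out of those folders in this thread."""
    flagged = []
    for mp in report.mount_points:
        parts = mp.path.rstrip("\\").lower().split("\\")
        self_named = len(parts) > 1 and parts[-1] == parts[-2]
        if self_named or not mp.destination.startswith(LEGIT_DEST_PREFIX):
            flagged.append(mp)
    return flagged


def file_version_anomalies(report: Report) -> List[tuple]:
    """Compare each copy of a file with the copies that carry a vendor name; a copy
    with no company string, or a size no named copy has, is the one to inspect."""
    findings = []
    for versions in report.files.values():
        known_sizes = {v.size for v in versions if v.company}
        for v in versions:
            if known_sizes and (not v.company or v.size not in known_sizes):
                findings.append((v.path, v.size, sorted(known_sizes)))
    return findings


# Constructed excerpt of the Win32kDiag output posted above (same line shapes, trimmed).
SAMPLE_LOG = r"""
WARNING: could not get backup privileges!

Found mount point : C:\WINDOWS\system32\wins\wins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\wins\wins
Found mount point : C:\WINDOWS\Temp\History\History
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\History\History
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 13:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-14 01:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-14 01:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-14 01:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
"""

if __name__ == "__main__":
    rep = parse_win32kdiag(SAMPLE_LOG)
    print(rep.warnings)
    print([(m.path, m.destination, m.removed) for m in suspicious_mount_points(rep)])
    print(file_version_anomalies(rep))
```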

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:53 AM

Posted 07 September 2009 - 09:35 PM

Hi caroline,

Looks good so far. :( But we still have a ways to go.

Please tell me the antivirus you are running.
Also tell me if you are running a registry protector, like Spybot Teatimer or Windows Defender.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 carolinek1982

carolinek1982
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:53 AM

Posted 08 September 2009 - 03:30 AM

Hi,

I'm running AVG (free version), and I have "spybot SD resident" running, I don't know if this is the same as teatimer?

Caroline

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:53 AM

Posted 08 September 2009 - 10:28 AM

Hi caroline,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVG Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component (looks like this: Posted Image) -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.


To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

#7 carolinek1982

carolinek1982
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:53 AM

Posted 08 September 2009 - 01:57 PM

Hi SifuMike,


Here's the Combofix log:

ComboFix 09-09-08.01 - Caroline 08/09/2009 19:42.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1015.455 [GMT 1:00]
Running from: c:\documents and settings\Caroline\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\msa.exe
c:\windows\system32\nsprs.dll
c:\windows\system32\serauth1.dll
c:\windows\system32\serauth2.dll
c:\windows\system32\ssprs.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.

2009-09-01 12:47 . 2009-09-08 00:13 -------- d--h--w- c:\windows\PIF
2009-09-01 11:52 . 2009-09-01 11:53 -------- d-----w- c:\program files\trend micro
2009-09-01 11:52 . 2009-09-01 11:52 -------- d-----w- C:\rsit
2009-09-01 11:24 . 2009-09-01 11:24 -------- d-----w- c:\documents and settings\Caroline\Application Data\Malwarebytes
2009-09-01 11:24 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-01 11:24 . 2009-09-01 11:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-01 11:24 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-01 11:24 . 2009-09-01 11:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 20:57 . 2005-06-02 10:33 102384 ----a-w- c:\windows\system32\drivers\meiudf.sys
2009-08-29 20:57 . 2005-04-22 11:36 135168 ----a-w- c:\windows\system32\DVDMenu.dll
2009-08-29 20:57 . 2004-08-28 07:37 155648 ----a-w- c:\windows\system32\RAMASST.exe
2009-08-29 20:57 . 2004-08-28 07:33 110592 ----a-w- c:\windows\system32\DVDRAMSV.exe
2009-08-29 20:57 . 2009-08-29 20:57 -------- d-----w- c:\program files\DVD-RAM
2009-08-13 13:00 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 23:59 . 2008-06-02 21:16 -------- d-----w- c:\documents and settings\Caroline\Application Data\StumbleUpon
2009-08-29 20:57 . 2006-04-20 08:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-26 00:05 . 2009-07-07 19:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-25 19:44 . 2008-07-22 20:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-25 19:44 . 2008-07-22 20:11 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-25 19:44 . 2008-07-22 20:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-07 19:21 . 2008-12-04 08:55 54264 ------w- c:\documents and settings\Caroline\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-07 18:23 . 2009-08-07 18:23 -------- d-----w- c:\program files\MSBuild
2009-08-07 18:22 . 2009-08-07 18:22 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2006-04-19 11:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-20 22:45 . 2008-04-12 15:02 -------- d-----w- c:\documents and settings\Caroline\Application Data\Skype
2009-07-20 19:38 . 2008-04-12 15:04 -------- d-----w- c:\documents and settings\Caroline\Application Data\skypePM
2009-07-17 19:01 . 2006-04-19 11:47 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2006-04-19 11:48 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-04-19 11:47 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2006-04-19 11:47 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2006-04-19 11:47 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2006-04-19 11:47 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2006-04-19 11:47 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2006-04-19 11:47 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2006-04-19 11:47 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2006-04-19 11:47 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2006-04-19 11:47 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-04-19 11:47 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2006-04-19 11:47 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2006-04-19 11:47 76288 ----a-w- c:\windows\system32\telnet.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-03-29 253952]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2005-08-31 102400]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-21 1077330]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-03-30 262144]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-02-24 30208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-25 2007832]
"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-10-31 284184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-23 24576]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-10-15 88203]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2006-03-21 299008]
"TPSODDCtl"="TPSODDCtl.exe" - c:\windows\system32\TPSODDCtl.exe [2006-03-21 102400]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2006-03-17 593920]
"NDSTray.exe"="NDSTray.exe" [BU]
"TFncKy"="TFncKy.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006-2-2 1753088]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2009-8-29 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-25 19:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-02-24 10:49 40448 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\CambridgeSoft\\ChemOffice2005\\ChemDraw\\ChemDraw.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [27/12/2004 23:31 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [20/04/2006 10:15 6144]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [22/07/2008 21:11 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [22/07/2008 21:11 297752]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [24/02/2006 12:01 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [24/02/2006 12:01 33024]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [24/02/2006 11:34 3456]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [06/03/2006 19:28 98304]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [20/04/2006 10:14 35968]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [03/06/2009 21:52 120168]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
FF - ProfilePath - c:\documents and settings\Caroline\Application Data\Mozilla\Firefox\Profiles\fq0subw8.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCDN32.DLL
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-08 19:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1176)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\mysafe.dll
c:\program files\Protector Suite QL\crypto.dll

- - - - - - - > 'lsass.exe'(1232)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll

- - - - - - - > 'explorer.exe'(4048)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Protector Suite QL\mysafe.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\ThpSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\program files\Toshiba\TOSHIBA Direct Disc Writer\DDWMon.exe
c:\windows\system32\ThpSrv.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\program files\Apoint2K\ApntEx.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
.
**************************************************************************
.
Completion time: 2009-09-08 19:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-08 18:52

Pre-Run: 32,708,235,264 bytes free
Post-Run: 32,893,919,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /forceresetreg

231 --- E O F --- 2009-08-29 22:33

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:53 AM

Posted 08 September 2009 - 02:43 PM

Hi caroline,

You need to disable your AVG Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component (looks like this: Posted Image) -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.


To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Registry:: 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#9 carolinek1982

carolinek1982
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:53 AM

Posted 08 September 2009 - 05:42 PM

Hi SifuMike,

Disabling the AVG is no problem, and I did that before running the combofix. Spybot is slightly more tricky as I cannot run it from the desktop item, it says I do not have the permissions to run it (as with all other antivirus etc programs). It is running, and the icon is at the bottom of my screen, but I cannot access the "mode" menu from there. I "exit"'d it before and hoped that would solve it, but that obviously didn't work! Any suggestions how I can access the Spybot to disable it?

Cheers,
Caroline

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:53 AM

Posted 08 September 2009 - 06:05 PM

Hi Caroline,



Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

* Open Spybot Search & Destroy.
* In the Mode menu click "Advanced mode" if not already selected.
* Choose "Yes" at the Warning prompt.
* Expand the "Tools" menu.
* Click "Resident".
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* In the File menu click "Exit" to exit Spybot Search & Destroy.


If that does not work, then uninstall Spybot. You can reinstall it when we are done using ComboFix.

Edited by SifuMike, 08 September 2009 - 06:08 PM.
typo


#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:53 AM

Posted 08 September 2009 - 06:11 PM

Hi Caroline,

do not have the permissions to run it


This is one of the symptoms of the malware on your computer. It will affect many of your programs, and they all say "you do not have permission to run this program".

We will fix that later. :(

#12 carolinek1982

carolinek1982
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:53 AM

Posted 09 September 2009 - 04:02 AM

Hello SifuMike,

I've uninstalled Spybot, and disabled the AVG resident shield. Also followed previous instructions on the CFScript.txt. I said "yes" when it asked me if I wanted to download the most recent version of ComboFix. I hope this was right? Here is the following log.txt from the run Combofix:

ComboFix 09-09-08.06 - Caroline 09/09/2009 9:33.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1015.557 [GMT 1:00]
Running from: c:\documents and settings\Caroline\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Caroline\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))
.

2009-09-01 12:47 . 2009-09-08 00:13 -------- d--h--w- c:\windows\PIF
2009-09-01 11:52 . 2009-09-01 11:53 -------- d-----w- c:\program files\trend micro
2009-09-01 11:52 . 2009-09-01 11:52 -------- d-----w- C:\rsit
2009-09-01 11:24 . 2009-09-01 11:24 -------- d-----w- c:\documents and settings\Caroline\Application Data\Malwarebytes
2009-09-01 11:24 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-01 11:24 . 2009-09-01 11:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-01 11:24 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-01 11:24 . 2009-09-01 11:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 20:57 . 2005-06-02 10:33 102384 ----a-w- c:\windows\system32\drivers\meiudf.sys
2009-08-29 20:57 . 2005-04-22 11:36 135168 ----a-w- c:\windows\system32\DVDMenu.dll
2009-08-29 20:57 . 2004-08-28 07:37 155648 ----a-w- c:\windows\system32\RAMASST.exe
2009-08-29 20:57 . 2004-08-28 07:33 110592 ----a-w- c:\windows\system32\DVDRAMSV.exe
2009-08-29 20:57 . 2009-08-29 20:57 -------- d-----w- c:\program files\DVD-RAM
2009-08-13 13:00 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-09 08:25 . 2008-04-22 20:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-09 08:21 . 2008-04-22 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-07 23:59 . 2008-06-02 21:16 -------- d-----w- c:\documents and settings\Caroline\Application Data\StumbleUpon
2009-08-29 20:57 . 2006-04-20 08:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-26 00:05 . 2009-07-07 19:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-25 19:44 . 2008-07-22 20:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-25 19:44 . 2008-07-22 20:11 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-25 19:44 . 2008-07-22 20:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-07 19:21 . 2008-12-04 08:55 54264 ------w- c:\documents and settings\Caroline\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-07 18:23 . 2009-08-07 18:23 -------- d-----w- c:\program files\MSBuild
2009-08-07 18:22 . 2009-08-07 18:22 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2006-04-19 11:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-20 22:45 . 2008-04-12 15:02 -------- d-----w- c:\documents and settings\Caroline\Application Data\Skype
2009-07-20 19:38 . 2008-04-12 15:04 -------- d-----w- c:\documents and settings\Caroline\Application Data\skypePM
2009-07-17 19:01 . 2006-04-19 11:47 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2006-04-19 11:48 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-04-19 11:47 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2006-04-19 11:47 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2006-04-19 11:47 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2006-04-19 11:47 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2006-04-19 11:47 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2006-04-19 11:47 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2006-04-19 11:47 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2006-04-19 11:47 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2006-04-19 11:47 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-04-19 11:47 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2006-04-19 11:47 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2006-04-19 11:47 76288 ----a-w- c:\windows\system32\telnet.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-03-29 253952]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2005-08-31 102400]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-21 1077330]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-03-30 262144]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-02-24 30208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-25 2007832]
"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-10-31 284184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-23 24576]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-10-15 88203]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2006-03-21 299008]
"TPSODDCtl"="TPSODDCtl.exe" - c:\windows\system32\TPSODDCtl.exe [2006-03-21 102400]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2006-03-17 593920]
"NDSTray.exe"="NDSTray.exe" [BU]
"TFncKy"="TFncKy.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006-2-2 1753088]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2009-8-29 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-25 19:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-02-24 10:49 40448 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\CambridgeSoft\\ChemOffice2005\\ChemDraw\\ChemDraw.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [27/12/2004 23:31 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [20/04/2006 10:15 6144]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [22/07/2008 21:11 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [22/07/2008 21:11 297752]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [24/02/2006 12:01 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [24/02/2006 12:01 33024]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [24/02/2006 11:34 3456]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [06/03/2006 19:28 98304]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [20/04/2006 10:14 35968]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [03/06/2009 21:52 120168]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
FF - ProfilePath - c:\documents and settings\Caroline\Application Data\Mozilla\Firefox\Profiles\fq0subw8.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCDN32.DLL
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Power Saver - c:\windows\IsUninst.exe -fc:\program files\TOSHIBA\Power Saver\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-09 09:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\mysafe.dll
c:\program files\Protector Suite QL\crypto.dll

- - - - - - - > 'lsass.exe'(940)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll

- - - - - - - > 'explorer.exe'(2892)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
Completion time: 2009-09-09 9:40
ComboFix-quarantined-files.txt 2009-09-09 08:40
ComboFix2.txt 2009-09-08 18:52

Pre-Run: 32,938,192,896 bytes free
Post-Run: 32,891,604,992 bytes free

184 --- E O F --- 2009-08-29 22:33

#13 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:53 AM

Posted 09 September 2009 - 11:47 AM

Hi Caroline,

it asked me if I wanted to download the most recent version of ComboFix. I hope this was right?


Yes, you were right. :(

Now we will look for stragglers.

Please disable any running anti-virus program before running Kaspersky Online Scanner.
If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Close any open browsers

Please do a scan with Kaspersky Online Scanner

You can refer to this animation by sundavis.


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and selecting 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
This scanner will only scan. It does not remove any malware it finds.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 carolinek1982

carolinek1982
  • Topic Starter

  • Members
  • 13 posts
  • Local time:08:53 AM

Posted 09 September 2009 - 03:29 PM

Hi SifuMike,

I disabled the firewall to allow this to run, and report is as follows:

Caroline

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, September 9, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, September 09, 2009 19:33:27
Records in database: 2764419
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 91348
Threats found: 2
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:07:49


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\53FB586B.exe Infected: not-a-virus:Dialer.Win32.BT.g 1
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir Infected: Packed.Win32.Katusha.e 1
C:\System Volume Information\_restore{1D82E5A4-D286-403A-A26F-6489E92795F9}\RP218\A0033309.exe Infected: Packed.Win32.Katusha.e 1

Selected area has been scanned.

#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:53 AM

Posted 09 September 2009 - 04:01 PM

Hi Caroline,

Looks good. :( It found previously deleted files stored in your system restore folder and previously deleted files. We will take care of those shortly.

How is your computer running? We still need to do one more step.
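As an added example, not part of this thread and not Kaspersky's or BleepingComputer's code: the Python script below parses the Kaspersky Online Scanner report pasted above and applies the reasoning in the reply mechanically, sorting each hit into an anti-virus or ComboFix quarantine folder, a System Restore point, or a live path that still needs attention, and cross-checking the parsed rows against the report's own "Infected objects found" total so a line mangled in the paste does not go unnoticed. The three detection lines are reused from the report above as constructed sample input; the `Suspicious:` line shape and the path rules in `classify_path` are assumptions, not documented Kaspersky behaviour.

```python
"""Triage of a Kaspersky Online Scanner 7 text report (added example).

Parses the "File name / Threat / Threats count" lines, checks them against the
report's own statistics, and classifies each hit by where it sits.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the statistics block and the three detection lines as
# pasted in the thread, with the surrounding lines the parser must skip.
SAMPLE_REPORT = r"""
Scan statistics:
Objects scanned: 91348
Threats found: 2
Infected objects found: 3
Suspicious objects found: 0

File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\53FB586B.exe Infected: not-a-virus:Dialer.Win32.BT.g 1
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir Infected: Packed.Win32.Katusha.e 1
C:\System Volume Information\_restore{1D82E5A4-D286-403A-A26F-6489E92795F9}\RP218\A0033309.exe Infected: Packed.Win32.Katusha.e 1

Selected area has been scanned.
"""

# One detection line: "<path> Infected: <threat name> <count>". Paths contain
# spaces, so the path group is non-greedy and the verdict keyword anchors it.
# "Suspicious:" is assumed to share the same shape (none appear above).
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<verdict>Infected|Suspicious):\s+"
    r"(?P<name>\S+)\s+(?P<count>\d+)\s*$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    verdict: str
    name: str
    count: int
    location: str  # "quarantine", "restore_point" or "live"


def classify_path(path: str) -> str:
    """Quarantine folders (ComboFix's Qoobox, an AV product's own Quarantine)
    and System Restore snapshots hold copies of files already removed from
    their original place, so a hit there is inert. Anything else is "live".
    The folder rules are this example's assumption, not scanner output."""
    lowered = path.lower()
    if "\\system volume information\\_restore" in lowered:
        return "restore_point"
    if "\\quarantine\\" in lowered:
        return "quarantine"
    return "live"


def parse_report(report: str) -> List[Finding]:
    """One Finding per detection line; every other line is skipped."""
    findings = []
    for line in report.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["verdict"], m["name"],
                                    int(m["count"]), classify_path(m["path"])))
    return findings


def report_stat(report: str, label: str) -> Optional[int]:
    """Read an integer statistic such as 'Infected objects found: 3'."""
    m = re.search(rf"^{re.escape(label)}:\s*(\d+)\s*$", report, re.MULTILINE)
    return int(m.group(1)) if m else None


def counts_match(report: str, findings: List[Finding]) -> bool:
    """Parsed 'Infected' rows must add up to the declared total; if not, a
    line was lost or mangled in the paste and the triage is incomplete."""
    declared = report_stat(report, "Infected objects found")
    parsed = sum(f.count for f in findings if f.verdict == "Infected")
    return declared is not None and declared == parsed


def triage(report: str) -> dict:
    """Per-location counts plus the live hits that still need action."""
    findings = parse_report(report)
    return {
        "findings": findings,
        "by_location": dict(Counter(f.location for f in findings)),
        "live": [f for f in findings if f.location == "live"],
        "consistent": counts_match(report, findings),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for f in result["findings"]:
        print(f"{f.location:13} {f.name:32} {f.path}")
    print("by location:", result["by_location"])
    print("live hits:", len(result["live"]), "| consistent:", result["consistent"])
```

Run on the pasted report, all three hits land in the quarantine and restore-point buckets and the live list is empty, which is the conclusion the reply draws; the consistency check is what tells you the paste itself was complete before trusting that conclusion.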



