rootkit.tdds infection


11 replies to this topic

#1 kidwgm

  • Members
  • 13 posts

Posted 04 September 2009 - 10:20 AM

Out of the blue my computer started acting weird. Ran Malwarebytes and 2 rootkit.tdds infections were found. Malwarebytes removes them and asks me to restart, and upon restart and rescan they reappear. I have enclosed what I believe are the requested logs to help get rid of this problem.

DDS (Ver_09-07-30.01) - NTFSx86
Run by arodriguez at 11:08:56.39 on Fri 09/04/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.61 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\arodriguez\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msnbc.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171230473597
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174765881965
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: jkkjjHaw - jkkjjHaw.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJYrqOg

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-17 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-17 27784]
R1 SWIPsec;SonicWALL IPsec Driver;c:\windows\system32\drivers\SWIPsec.sys [2009-8-5 87064]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-17 297752]
R2 SWGVCSvc;SonicWALL Global VPN Client Service;c:\program files\sonicwall\sonicwall global vpn client\SWGVCSvc.exe [2009-3-5 227352]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-18 38160]
S2 windev-3ae7-240c;windev-3ae7-240c;\??\c:\windows\system32\windev-3ae7-240c.sys --> c:\windows\system32\windev-3ae7-240c.sys [?]
S3 SWVNIC;SonicWALL Virtual Miniport;c:\windows\system32\drivers\SWVNIC.sys [2009-3-4 21016]

=============== Created Last 30 ================


==================== Find3M ====================

2009-08-24 11:12 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-24 11:12 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 12:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 12:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2007-12-18 12:08 56 -c-shr-- c:\windows\system32\A76524F8EB.sys
2008-12-16 17:09 891,364 a--sh--- c:\windows\system32\gOqrYJlm.ini2
2007-12-18 12:08 3,350 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2008-08-19 10:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

============= FINISH: 11:09:41.34 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/11/2007 3:56:21 PM
System Uptime: 9/3/2009 2:26:35 PM (21 hours ago)

Motherboard: Intel Corporation | | D845GVSR
Processor: Intel® Celeron® CPU 2.40GHz | X1 | 2399/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 63.38 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: SonicWALL Virtual NIC
Device ID: ROOT\SWVNIC\0000
Manufacturer: SonicWALL
Name: SonicWALL Virtual NIC
PNP Device ID: ROOT\SWVNIC\0000
Service: SWVNIC

==== System Restore Points ===================

RP153: 8/30/2009 8:14:35 PM - System Checkpoint
RP154: 8/30/2009 8:14:36 PM - System Checkpoint
RP155: 8/30/2009 8:14:36 PM - System Checkpoint
RP156: 8/30/2009 8:14:37 PM - System Checkpoint
RP157: 8/30/2009 8:14:37 PM - System Checkpoint
RP158: 8/30/2009 8:14:37 PM - System Checkpoint
RP159: 8/30/2009 8:14:38 PM - System Checkpoint
RP160: 8/30/2009 8:14:38 PM - Installed Java™ 6 Update 13
RP161: 8/30/2009 8:14:38 PM - System Checkpoint
RP162: 8/30/2009 8:14:39 PM - System Checkpoint
RP163: 8/30/2009 8:14:39 PM - Software Distribution Service 3.0
RP164: 8/30/2009 8:14:39 PM - System Checkpoint
RP165: 8/30/2009 8:14:39 PM - System Checkpoint
RP166: 8/30/2009 8:14:40 PM - System Checkpoint
RP167: 8/30/2009 8:14:41 PM - System Checkpoint
RP168: 8/30/2009 8:14:41 PM - System Checkpoint
RP169: 8/30/2009 8:14:41 PM - System Checkpoint
RP170: 8/30/2009 8:14:41 PM - System Checkpoint
RP171: 8/30/2009 8:14:42 PM - System Checkpoint
RP172: 8/30/2009 8:14:42 PM - System Checkpoint
RP173: 8/30/2009 8:14:42 PM - System Checkpoint
RP174: 8/30/2009 8:14:42 PM - System Checkpoint
RP175: 8/30/2009 8:14:43 PM - System Checkpoint
RP176: 8/30/2009 8:14:43 PM - System Checkpoint
RP177: 8/30/2009 8:14:43 PM - Avg8 Update
RP178: 8/30/2009 8:14:43 PM - Avg8 Update
RP179: 8/30/2009 8:14:44 PM - System Checkpoint
RP180: 8/30/2009 8:14:44 PM - Software Distribution Service 3.0
RP181: 8/30/2009 8:14:44 PM - System Checkpoint
RP182: 8/30/2009 8:14:44 PM - System Checkpoint
RP183: 8/30/2009 8:14:44 PM - System Checkpoint
RP184: 8/30/2009 8:14:45 PM - System Checkpoint
RP185: 8/30/2009 8:14:45 PM - System Checkpoint
RP186: 8/30/2009 8:14:45 PM - System Checkpoint
RP187: 8/30/2009 8:14:45 PM - System Checkpoint
RP188: 8/30/2009 8:14:45 PM - System Checkpoint
RP189: 8/30/2009 8:14:46 PM - System Checkpoint
RP190: 8/30/2009 8:14:46 PM - System Checkpoint
RP191: 8/30/2009 8:14:46 PM - System Checkpoint
RP192: 8/30/2009 8:14:46 PM - System Checkpoint
RP193: 8/30/2009 8:14:46 PM - System Checkpoint
RP194: 8/30/2009 8:14:47 PM - Software Distribution Service 3.0
RP195: 8/30/2009 8:14:47 PM - System Checkpoint
RP196: 8/30/2009 8:14:47 PM - System Checkpoint
RP197: 8/30/2009 8:14:48 PM - System Checkpoint
RP198: 8/30/2009 8:14:48 PM - Avg8 Update
RP199: 8/30/2009 8:14:48 PM - Avg8 Update
RP200: 8/30/2009 8:14:48 PM - System Checkpoint
RP201: 8/30/2009 8:14:49 PM - System Checkpoint
RP202: 8/30/2009 8:14:49 PM - System Checkpoint
RP203: 8/30/2009 8:14:49 PM - Software Distribution Service 3.0
RP204: 8/30/2009 8:14:49 PM - System Checkpoint
RP205: 8/30/2009 8:14:49 PM - System Checkpoint
RP206: 8/30/2009 8:14:50 PM - System Checkpoint
RP207: 8/30/2009 8:14:50 PM - System Checkpoint
RP208: 8/30/2009 8:14:50 PM - Software Distribution Service 3.0
RP209: 8/30/2009 8:14:50 PM - System Checkpoint
RP210: 8/30/2009 8:14:51 PM - System Checkpoint
RP211: 8/30/2009 8:14:51 PM - Software Distribution Service 3.0
RP212: 8/30/2009 8:14:51 PM - System Checkpoint
RP213: 8/30/2009 8:14:51 PM - System Checkpoint
RP214: 8/30/2009 8:14:52 PM - System Checkpoint
RP215: 8/30/2009 8:14:52 PM - Installed SonicWALL Global VPN Client
RP216: 8/30/2009 8:14:52 PM - System Checkpoint
RP217: 8/30/2009 8:14:52 PM - System Checkpoint
RP218: 8/30/2009 8:14:53 PM - System Checkpoint
RP219: 8/30/2009 8:14:53 PM - System Checkpoint
RP220: 8/30/2009 8:14:53 PM - System Checkpoint
RP221: 8/30/2009 8:14:53 PM - Installed iTunes
RP222: 8/30/2009 8:14:54 PM - System Checkpoint
RP223: 8/30/2009 8:14:54 PM - Software Distribution Service 3.0
RP224: 8/30/2009 8:14:54 PM - Installed Java™ 6 Update 15
RP225: 8/30/2009 8:14:55 PM - System Checkpoint
RP226: 8/30/2009 8:14:55 PM - System Checkpoint
RP227: 8/30/2009 8:14:55 PM - System Checkpoint
RP228: 8/30/2009 8:14:55 PM - System Checkpoint
RP229: 8/30/2009 8:14:56 PM - System Checkpoint
RP230: 8/30/2009 8:14:56 PM - System Checkpoint
RP231: 8/30/2009 8:14:56 PM - System Checkpoint
RP232: 8/30/2009 8:14:56 PM - System Checkpoint
RP233: 8/30/2009 8:14:56 PM - System Checkpoint
RP234: 8/30/2009 8:14:56 PM - System Checkpoint
RP235: 8/30/2009 8:14:57 PM - Avg8 Update
RP236: 8/30/2009 8:14:57 PM - Avg8 Update
RP237: 8/30/2009 8:14:57 PM - System Checkpoint
RP238: 8/30/2009 8:14:57 PM - Software Distribution Service 3.0
RP239: 8/30/2009 8:14:57 PM - System Checkpoint
RP240: 8/30/2009 8:14:58 PM - System Checkpoint
RP241: 8/30/2009 8:14:58 PM - System Checkpoint
RP242: 8/30/2009 8:14:58 PM - System Checkpoint
RP243: 8/31/2009 9:02:39 PM - System Checkpoint
RP244: 9/1/2009 10:02:25 PM - System Checkpoint
RP245: 9/2/2009 10:15:55 PM - System Checkpoint
RP246: 9/3/2009 10:31:18 PM - System Checkpoint

==== Installed Programs ======================

ABBYY FineReader 6.0 Sprint
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Reader 8.1.2
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Apple Mobile Device Support
Apple Software Update
AVG Free 8.5
Bonjour
Brother BRAdmin Professional 2.41
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Dell Photo AIO Printer 924
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet
iTunes
J2SE Runtime Environment 5.0 Update 11
Java™ 6 Update 15
Malwarebytes' Anti-Malware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliType Pro 6.3
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft Office 2000 SR-1 Small Business
Microsoft Office Access 2003
Microsoft Office Standard Edition 2003
Microsoft Publisher 98
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
Motorola Driver Installation
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.5.2)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Octoshape add-in for Adobe Flash Player
PDF Settings
QuickTime
RealPlayer
Realtek AC'97 Audio
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SonicWALL Global VPN Client
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
Walgreens PhotoShow Express 4
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

8/31/2009 9:59:26 AM, error: System Error [1003] - Error code 100000d1, parameter1 8308120a, parameter2 00000002, parameter3 00000000, parameter4 8308120a.
8/31/2009 9:59:05 AM, error: Service Control Manager [7000] - The windev-3ae7-240c service failed to start due to the following error: The system cannot find the file specified.
8/31/2009 10:26:38 AM, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{8DA42983-CADC-4069-934E-CCA1FBF05ECC} because another computer on the network has the same name. The server could not start.
8/31/2009 10:26:26 AM, error: Dhcp [1002] - The IP address lease 10.0.4.1 for the Network Card with network address 0060730C0701 has been denied by the DHCP server 10.0.10.6 (The DHCP Server sent a DHCPNACK message).
8/31/2009 10:26:22 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0060730C0701. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
8/30/2009 8:13:48 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Print Spooler service to connect.
8/30/2009 8:13:48 PM, error: Service Control Manager [7000] - The Print Spooler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/04 11:12
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEF824000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8CEA000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal[1].sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal[1].sys
Address: 0xEE76B000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\arodriguez\local settings\temporary internet files\content.ie5\v3y89z0m\topic34773[1].htm
Status: Allocation size mismatch (API: 69632, Raw: 131072)

Hidden Services
-------------------
Service Name: kbiwkmobdcdvqv
Image Path: C:\WINDOWS\system32\drivers\kbiwkmqaxwhkrq.sys

Service Name: kbiwkmuuqurjkt
Image Path: C:\WINDOWS\system32\drivers\kbiwkmkvcnpkbw.sys

Service Name: TDSSserv.sys
Image Path: C:\WINDOWS\system32\drivers\TDSSmqct.sys

==EOF==

#2 kidwgm

  • Topic Starter
  • Members
  • 13 posts

Posted 14 September 2009 - 02:16 PM

I did not want to bump this post, but I'm really hoping to get this problem resolved. If there is an error in my post or some wrong formatting, please inform me and I would be happy to post correctly. I still have this problem. Seeing how it has been a while since my original post, my logs may need to be updated. I will be happy to re-post, but I will wait until instructed to do so.

#3 shelf life

  • Malware Response Team
  • 2,657 posts

Posted 19 September 2009 - 10:13 AM

hi kidwgm,

Sorry for the delay; there is no shortage of posters. Your log is several days old. If you still need help with the malware, simply reply to the post and we will begin.

How Can I Reduce My Risk to Malware?


#4 kidwgm

  • Topic Starter
  • Members
  • 13 posts

Posted 28 September 2009 - 09:40 AM

Thank you for replying. I have been on vacation; sorry for the delay. Here are the logs:

DDS (Ver_09-07-30.01) - NTFSx86
Run by arodriguez at 10:25:30.59 on Mon 09/28/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.131 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Registry Mechanic\RegMech.exe
c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\arodriguez\Desktop\removal kits\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msnbc.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171230473597
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174765881965
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: jkkjjHaw - jkkjjHaw.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJYrqOg

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-17 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-17 27784]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-4 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-4 74480]
R1 SWIPsec;SonicWALL IPsec Driver;c:\windows\system32\drivers\SWIPsec.sys [2009-8-5 87064]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-17 297752]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-4 7408]
S2 windev-3ae7-240c;windev-3ae7-240c;\??\c:\windows\system32\windev-3ae7-240c.sys --> c:\windows\system32\windev-3ae7-240c.sys [?]
S3 SWVNIC;SonicWALL Virtual Miniport;c:\windows\system32\drivers\SWVNIC.sys [2009-3-4 21016]

=============== Created Last 30 ================

2009-09-14 12:23 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-09-14 10:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-14 10:06 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-14 10:06 <DIR> --d----- c:\docume~1\arodri~1\applic~1\SUPERAntiSpyware.com
2009-09-14 10:04 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-09-09 15:39 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-24 11:12 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-24 11:12 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-09 12:16 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2007-12-18 12:08 56 -c-shr-- c:\windows\system32\A76524F8EB.sys
2008-12-16 17:09 891,364 a--sh--- c:\windows\system32\gOqrYJlm.ini2
2007-12-18 12:08 3,350 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2008-08-19 10:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

============= FINISH: 10:27:01.67 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/28 10:38
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF8729000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xEFB1A000 Size: 138496 File Visible: - Signed: -
Status: -

Name: ALCXWDM.SYS
Image Path: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Address: 0xF7E9C000 Size: 3846016 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF86BB000 Size: 96512 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF8DD5000 Size: 3072 File Visible: - Signed: -
Status: -

Name: avgldx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgldx86.sys
Address: 0xEF61B000 Size: 328576 File Visible: - Signed: -
Status: -

Name: avgmfx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Address: 0xF8B48000 Size: 21120 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF8CBC000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF8B88000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xEFCDA000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF89E8000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF87B8000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF87A8000 Size: 36352 File Visible: - Signed: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF86D3000 Size: 153344 File Visible: - Signed: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xF8C7E000 Size: 5888 File Visible: - Signed: -
Status: -

Name: dne2000.sys
Image Path: C:\WINDOWS\system32\DRIVERS\dne2000.sys
Address: 0xF7E59000 Size: 126592 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF8808000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEF353000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8CFE000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xEFA1C000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF8DB1000 Size: 4096 File Visible: - Signed: -
Status: -

Name: e100b325.sys
Image Path: C:\WINDOWS\system32\DRIVERS\e100b325.sys
Address: 0xF827E000 Size: 140800 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xEE211000 Size: 143744 File Visible: - Signed: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys
Address: 0xF8AD8000 Size: 27392 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF88E8000 Size: 44544 File Visible: - Signed: -
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys
Address: 0xF8B08000 Size: 20480 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF869B000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF8CBA000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF86F9000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
Address: 0xF87F8000 Size: 40960 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EE000 Size: 131840 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF8908000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF8B40000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xF8C38000 Size: 10368 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xEE48D000 Size: 264832 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF89D8000 Size: 52480 File Visible: - Signed: -
Status: -

Name: ialmdd5.DLL
Image Path: C:\WINDOWS\System32\ialmdd5.DLL
Address: 0xBFA21000 Size: 765952 File Visible: - Signed: -
Status: -

Name: ialmdev5.DLL
Image Path: C:\WINDOWS\System32\ialmdev5.DLL
Address: 0xBFA02000 Size: 126976 File Visible: - Signed: -
Status: -

Name: ialmdnt5.dll
Image Path: C:\WINDOWS\System32\ialmdnt5.dll
Address: 0xBF9E3000 Size: 126976 File Visible: - Signed: -
Status: -

Name: ialmnt5.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
Address: 0xF82D9000 Size: 681408 File Visible: - Signed: -
Status: -

Name: ialmrnt5.dll
Image Path: C:\WINDOWS\System32\ialmrnt5.dll
Address: 0xBF9D5000 Size: 57344 File Visible: - Signed: -
Status: -

Name: intelide.sys
Image Path: intelide.sys
Address: 0xF8C7C000 Size: 5504 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xF89B8000 Size: 36352 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xEFA34000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xEFBD5000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF8778000 Size: 37248 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF8AE0000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF8C78000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xEDAF8000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF8247000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF8672000 Size: 92288 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF8CBE000 Size: 4224 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF8B00000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xF8C60000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF8788000 Size: 42368 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xEEB91000 Size: 180608 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xEFA5A000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF8B20000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF8848000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF8C68000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF858B000 Size: 105344 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF85A5000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF8C48000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xEF29F000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF7E42000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF8868000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF88C8000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xEFB3C000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF8B28000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF85D2000 Size: 574976 File Visible: - Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF8E28000 Size: 2944 File Visible: - Signed: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xF826A000 Size: 80128 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF8A00000 Size: 19712 File Visible: - Signed: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF8D20000 Size: 6784 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF8718000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF8D40000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF89F8000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF7E78000 Size: 147456 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF7E31000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF8AF0000 Size: 17792 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF8C14000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF8818000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF8828000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF8838000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF8AF8000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xEFACA000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF8CC0000 Size: 4224 File Visible: - Signed: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xF7E01000 Size: 196224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF87E8000 Size: 57600 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEDB63000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xF8B30000 Size: 24576 File Visible: - Signed: -
Status: -

Name: SASENUM.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
Address: 0xEF433000 Size: 20480 File Visible: - Signed: -
Status: -

Name: SASKUTIL.sys
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Address: 0xEFAF5000 Size: 151552 File Visible: - Signed: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xF8C40000 Size: 15744 File Visible: - Signed: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xF89C8000 Size: 64512 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF8689000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xEE9D7000 Size: 333952 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF8CB2000 Size: 4352 File Visible: - Signed: -
Status: -

Name: SWIPsec.sys
Image Path: C:\WINDOWS\system32\Drivers\SWIPsec.sys
Address: 0xEFBBD000 Size: 98304 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xF88D8000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xEFB64000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF8AE8000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF8858000 Size: 40704 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF7DA3000 Size: 384768 File Visible: - Signed: -
Status: -

Name: usbccgp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Address: 0xF8B58000 Size: 32128 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF8CB8000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF8AD0000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF8898000 Size: 59520 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF82A1000 Size: 147456 File Visible: - Signed: -
Status: -

Name: usbprint.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbprint.sys
Address: 0xF8B70000 Size: 25856 File Visible: - Signed: -
Status: -

Name: usbscan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbscan.sys
Address: 0xF7D8E000 Size: 15104 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF8AC8000 Size: 20608 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF8B18000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF82C5000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF8798000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xF88F8000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF8B10000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xEF01E000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF8C7A000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: WudfPf.sys
Image Path: WudfPf.sys
Address: 0xF865F000 Size: 77568 File Visible: - Signed: -
Status: -
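The DDS and RootRepeal output above carries the indicators a responder picks out by eye: a winlogon Notify DLL with a random-looking name (jkkjjHaw.dll), a second entry in the LSA Authentication Packages value (XP ships with msv1_0 only), a service whose .sys is marked missing on disk (windev-3ae7-240c, the "--> ... [?]" form), hidden+system files under system32, and RootRepeal driver records with "File Visible: No". The Python below is an added example, not part of this thread and not code from the DDS, ComboFix or RootRepeal tools. It applies those checks to lines copied from the logs above; the names looks_random, triage_dds and triage_rootrepeal, the case/vowel thresholds in the random-name heuristic, and the RootRepeal record "hypothetical_hidden.sys" are this example's own assumptions.

```python
"""Triage of DDS / RootRepeal log lines for rootkit-style persistence.

Added example for this thread, not code from DDS, ComboFix or RootRepeal.
Every hit is a prompt to look closer (publisher, signature, purpose),
not a verdict; the random-name heuristic is deliberately crude.
"""
import re

# Lines copied from the DDS log posted above, used as constructed test input.
DDS_SAMPLE = r"""
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: jkkjjHaw - jkkjjHaw.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJYrqOg
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-17 335240]
S2 windev-3ae7-240c;windev-3ae7-240c;\??\c:\windows\system32\windev-3ae7-240c.sys --> c:\windows\system32\windev-3ae7-240c.sys [?]
2007-12-18 12:08 56 -c-shr-- c:\windows\system32\A76524F8EB.sys
2008-12-16 17:09 891,364 a--sh--- c:\windows\system32\gOqrYJlm.ini2
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
"""

# Two records copied from the RootRepeal log above plus one constructed record
# ("hypothetical_hidden.sys") so the hidden-driver path is exercised.
ROOTREPEAL_SAMPLE = r"""
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEF353000 Size: 98304 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEDB63000 Size: 49152 File Visible: No Signed: -
Status: -

Name: hypothetical_hidden.sys
Image Path: C:\WINDOWS\system32\drivers\hypothetical_hidden.sys
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -
"""

VOWELS = set("aeiouAEIOU")
NOTIFY_RE = re.compile(r"^Notify:\s+(\S+)\s+-\s+(.+)$")
LSA_RE = re.compile(r"^LSA:\s+Authentication Packages\s*=\s*(.+)$")
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);")
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d\s+\d\d:\d\d\s+[\d,]+\s+([a-z-]{8})\s+(.+)$")
RR_RECORD_RE = re.compile(r"Name:\s+(\S+).*?File Visible:\s+(\S+)", re.S)


def looks_random(name):
    """Hex-like blobs (A76524F8EB) or names with two or more upper/lower
    switches and few vowels (jkkjjHaw, mlJYrqOg). CamelCase vendor names such
    as SASWinLogon pass on their vowel count. Thresholds are assumptions."""
    base = re.sub(r"\.[A-Za-z0-9]+$", "", name)  # drop the extension
    if len(base) < 6:
        return False
    if re.fullmatch(r"[0-9A-Fa-f]{8,}", base) and sum(c.isdigit() for c in base) >= 3:
        return True
    letters = [c for c in base if c.isalpha()]
    if not letters:
        return False
    switches = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return switches >= 2 and vowel_ratio < 0.25


def triage_dds(text):
    """Return (reason, item) pairs for DDS-style lines worth a closer look."""
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := NOTIFY_RE.match(line):
            dll = m.group(2).rsplit("\\", 1)[-1]
            if looks_random(dll):
                findings.append(("winlogon Notify DLL with random-looking name", dll))
        elif m := LSA_RE.match(line):
            # Windows XP ships with msv1_0 as its only LSA authentication package.
            for pkg in m.group(1).split():
                if pkg.lower() != "msv1_0":
                    findings.append(("extra LSA authentication package", pkg))
        elif m := SERVICE_RE.match(line):
            # DDS prints "--> path [?]" when the service's image file is not on disk.
            if "[?]" in line or "-->" in line:
                findings.append(("service whose image file is missing on disk", m.group(1)))
        elif m := FILE_RE.match(line):
            attrs, path = m.groups()
            fname = path.rsplit("\\", 1)[-1]
            if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
                findings.append(("hidden+system file under system32", fname))
            elif looks_random(fname):
                findings.append(("file with random-looking name", fname))
    return findings


def triage_rootrepeal(text, scanner_driver="rootrepeal.sys"):
    """Loaded drivers whose backing file RootRepeal could not see. Crash-dump
    drivers (dump_*) are in-memory copies with no file of their own, and the
    scanner's own driver shows the same way in the log above; both are skipped."""
    hidden = []
    for block in re.split(r"\n\s*\n", text.strip()):
        m = RR_RECORD_RE.search(block)
        if not m or m.group(2).lower() != "no":
            continue
        name = m.group(1)
        if name.lower().startswith("dump_") or name.lower() == scanner_driver:
            continue
        hidden.append(name)
    return hidden


if __name__ == "__main__":
    for reason, item in triage_dds(DDS_SAMPLE):
        print(f"[DDS] {reason}: {item}")
    for name in triage_rootrepeal(ROOTREPEAL_SAMPLE):
        print(f"[RootRepeal] loaded driver with no visible file: {name}")
```

Run as-is it reports jkkjjHaw.dll, the extra LSA package mlJYrqOg, the missing windev-3ae7-240c image, the two hidden+system files (A76524F8EB.sys and gOqrYJlm.ini2), and the one constructed hidden driver; SASWINLO.dll, avgrsstx.dll and the dump_* drivers are not flagged. Treat the file-attribute hit the way the helper below does: as something to check, since hidden+system files under system32 include licensing and DRM artifacts as well as rootkit components.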

#5 shelf life

  • Malware Response Team
  • 2,657 posts
  • Gender:Male
  • Location:@localhost

Posted 28 September 2009 - 08:31 PM

hi kidwgm,

Don't see the files repeated in the 2nd rootrepeal log. We will get another download to use. It's called combofix. There is a guide to read first. Read through the guide, download combofix to your desktop, disable AV etc. as explained in the guide, double click the combofix icon and follow the prompts. Post the log in your reply when all done.

Guide to using Combofix

How Can I Reduce My Risk to Malware?


#6 kidwgm

  • Topic Starter
  • Members
  • 13 posts

Posted 29 September 2009 - 03:31 PM

Yeah. That's weird that it's not showing up. I rescanned my computer again with malwarebytes, avg and superspyware; everything came up clean. Is it possible that one of those programs already fixed the problem? I went ahead and did the combofix that you requested I try. Thank you again, here is my log:

ComboFix 09-09-28.01 - arodriguez 09/29/2009 16:08.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.211 [GMT -4:00]
Running from: c:\documents and settings\arodriguez\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\378857f.msp
c:\windows\Installer\3a9dc.msp
c:\windows\system32\gOqrYJlm.ini
c:\windows\system32\gOqrYJlm.ini2
c:\windows\Tasks\sffglbpf.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_windev-3ae7-240c


((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))
.

2009-09-14 16:21 . 2009-09-29 20:22 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-14 14:07 . 2009-09-14 14:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-14 14:06 . 2009-09-14 14:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-14 14:06 . 2009-09-14 14:06 -------- d-----w- c:\documents and settings\arodriguez\Application Data\SUPERAntiSpyware.com
2009-09-14 14:04 . 2009-09-14 14:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-09 19:39 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-29 19:50 . 2007-04-03 19:10 -------- d-----w- c:\program files\Dl_cats
2009-09-14 18:44 . 2008-12-17 18:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 18:54 . 2008-12-18 15:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2008-12-18 15:52 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 07:14 . 2008-11-21 21:22 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-24 15:12 . 2008-12-17 15:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-24 15:12 . 2008-12-17 15:53 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-24 15:12 . 2008-12-17 15:53 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-14 10:58 . 2009-09-14 16:23 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-13 16:00 . 2007-03-12 14:54 -------- d-----w- c:\program files\Java
2009-08-11 14:33 . 2009-08-11 14:28 -------- d-----w- c:\documents and settings\arodriguez\Application Data\Apple Computer
2009-08-11 14:28 . 2009-08-11 14:27 -------- d-----w- c:\program files\iTunes
2009-08-11 14:28 . 2009-08-11 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-11 14:27 . 2009-08-11 14:27 -------- d-----w- c:\program files\iPod
2009-08-11 14:27 . 2009-08-11 14:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-11 14:27 . 2007-11-14 20:19 -------- d-----w- c:\program files\Bonjour
2009-08-11 14:26 . 2009-08-11 14:25 -------- d-----w- c:\program files\QuickTime
2009-08-11 14:23 . 2009-08-11 14:23 -------- d-----w- c:\program files\Apple Software Update
2009-08-11 14:23 . 2007-12-19 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-11 14:22 . 2009-08-11 14:22 -------- d-----w- c:\program files\Common Files\Apple
2009-08-05 19:48 . 2009-08-05 19:48 -------- d-----w- c:\documents and settings\arodriguez\Application Data\SonicWALL
2009-08-05 19:46 . 2009-08-05 19:46 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2009-08-05 19:46 . 2009-08-05 19:46 -------- d-----w- c:\program files\SonicWALL
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 09:23 . 2008-12-15 15:59 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 16:16 . 2009-08-11 14:22 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-09 16:16 . 2009-08-11 14:22 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2007-12-18 16:08 . 2007-11-17 18:02 56 -csh--r- c:\windows\system32\A76524F8EB.sys
2007-12-18 16:08 . 2007-11-17 17:52 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-04 1994480]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-24 2007832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-01-11 577536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-24 15:12 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\arodriguez\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVC.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/17/2008 11:53 AM 335240]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]
R1 SWIPsec;SonicWALL IPsec Driver;c:\windows\system32\drivers\SWIPsec.sys [8/5/2009 3:47 PM 87064]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/17/2008 11:53 AM 297752]
R2 SWGVCSvc;SonicWALL Global VPN Client Service;c:\program files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe [3/5/2009 11:57 PM 227352]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]
S3 SWVNIC;SonicWALL Virtual Miniport;c:\windows\system32\drivers\SWVNIC.sys [3/4/2009 6:03 PM 21016]
.
Contents of the 'Scheduled Tasks' folder

2008-11-10 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2008-06-10 17:56]

2009-09-29 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msnbc.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
Notify-jkkjjHaw - jkkjjHaw.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-29 16:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1204)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dlcccoms.exe
.
**************************************************************************
.
Completion time: 2009-09-29 16:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-29 20:26

Pre-Run: 67,101,634,560 bytes free
Post-Run: 67,355,172,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

176 --- E O F --- 2009-09-10 07:07

#7 shelf life

shelf life

  • Malware Response Team
  • 2,657 posts
  • Gender:Male
  • Location:@localhost

Posted 29 September 2009 - 05:21 PM

hi,

Ok, thanks for all the info. You have rootkits on board. Rootkits can hide from traditional AV and anti-malware. A good solution would be to reformat and reinstall Windows. I will do my best to ensure they are removed from your computer, but you should consider the reformat/reinstall option. Detection and removal tools are much better than they used to be, but the rootkits also adapt and change.

Here are two somewhat old MS links. Notice the first topic, from 2004, doesn't even mention the word rootkit, but it still all applies. The second one is from 2005 and is about rootkits in Windows.

http://technet.microsoft.com/en-us/library/cc512587.aspx
http://technet.microsoft.com/en-us/library/cc512642.aspx


We will use combofix first:

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:

File::
c:\windows\system32\A76524F8EB.sys

Driver::
A76524F8EB.sys

Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
Please post the new ComboFix log.

Check Malwarebytes for updates, then repeat the full scan with MBAM as well.

How Can I Reduce My Risk to Malware?
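The responder's point above is that the rootkit components here are easy to miss by eye: a driver with a hashed-looking name (A76524F8EB.sys) dropped directly into system32, and a winlogon Notify DLL with a gibberish name (jkkjjHaw.dll). The script below is an added example, not code from BleepingComputer, the responder or ComboFix. It pulls every .sys/.dll/.exe reference out of ComboFix-style log lines and scores the names with a few heuristics of my own choosing (hex-like stem, almost no vowels, mixed-case jumble, a .sys outside a \drivers\ folder). The sample log is constructed from line formats and file names quoted in this thread; the weights and the threshold of 2 are assumptions, not anything ComboFix does.

```python
"""Triage of file names in ComboFix-style logs (added example, not ComboFix code)."""
import re
from dataclasses import dataclass, field

VOWELS = set("aeiouAEIOU")
HEX_STEM = re.compile(r"^[0-9A-F]{8,}$", re.IGNORECASE)
# One .sys/.dll/.exe reference: an optional drive-letter path plus file name,
# or a bare file name.  ';', '[', ']' and '"' delimit fields in the service,
# Run-key and firewall lines ComboFix writes, so they terminate a path.
FILE_REF = re.compile(
    r'((?:[A-Za-z]:\\[^;\[\]"]*?)?[\w\-~]+\.(?:sys|dll|exe))\b', re.IGNORECASE)

# Constructed sample: line formats seen in the thread's logs (orphan list,
# winlogon Notify entry, deletion list, Find3M report, R1/S3 service lines,
# a Run value and a firewall exception), using file names quoted there.
SAMPLE_LOG = r"""
HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
Notify-jkkjjHaw - jkkjjHaw.dll
c:\windows\system32\A76524F8EB.sys
2007-12-18 16:08 . 2007-11-17 17:52 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/17/2008 11:53 AM 335240]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
S3 SWVNIC;SonicWALL Virtual Miniport;c:\windows\system32\drivers\SWVNIC.sys [3/4/2009 6:03 PM 21016]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"%windir%\\system32\\sessmgr.exe"=
"""


@dataclass
class Finding:
    ref: str                       # path or bare name exactly as it appeared
    name: str                      # file name only
    score: int = 0
    reasons: list = field(default_factory=list)


def score_ref(ref: str) -> Finding:
    """Weigh the signals for one file reference.

    Weights and thresholds are this example's own choices (assumptions).
    A score is a reason to look, not a verdict: abbreviated vendor names
    and licensing drivers with odd names will score as well.
    """
    directory, _, name = ref.rpartition("\\")
    stem, _, ext = name.rpartition(".")
    f = Finding(ref=ref, name=name)
    if HEX_STEM.match(stem):                        # e.g. A76524F8EB
        f.score += 2
        f.reasons.append("hex-like file name")
    letters = [c for c in stem if c.isalpha()]
    if len(letters) >= 6:                           # shorter stems are not judged
        if sum(c in VOWELS for c in letters) / len(letters) < 0.15:
            f.score += 1
            f.reasons.append("almost no vowels")     # e.g. jkkjjHaw
        flips = sum(a.islower() != b.islower() for a, b in zip(letters, letters[1:]))
        if flips >= 2:
            f.score += 1
            f.reasons.append("mixed-case jumble")    # e.g. KGyGaAvL
    # Kernel drivers normally live under system32\drivers; one sitting directly
    # in system32 (as A76524F8EB.sys did) is worth a second look.
    if ext.lower() == "sys" and directory and "\\drivers\\" not in (directory + "\\").lower():
        f.score += 1
        f.reasons.append("driver outside a \\drivers\\ folder")
    return f


def triage(log_text: str, threshold: int = 2) -> list:
    """Return findings scoring >= threshold, highest first, one per unique file."""
    seen = {}
    for line in log_text.splitlines():
        for ref in FILE_REF.findall(line):
            seen.setdefault(ref.lower(), score_ref(ref))
    ranked = sorted(seen.values(), key=lambda f: -f.score)   # stable: keeps log order within a score
    return [f for f in ranked if f.score >= threshold]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.score}  {f.ref}  <- {', '.join(f.reasons)}")
```

On the sample, A76524F8EB.sys ranks first (hex name plus a .sys directly in system32), jkkjjHaw.dll second, and KGyGaAvL.sys third. That third hit is the caveat: it appears in the thread's own Find3M report and the responder did not act on it, so the output is a review list for a human to clear against vendor signatures and file properties, not a list of things to delete. Legitimate abbreviated names (avgldx86.sys, sessmgr.exe) stay at or below a score of 1 because no single weak signal is enough on its own.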


#8 kidwgm

kidwgm
  • Topic Starter

  • Members
  • 13 posts

Posted 30 September 2009 - 12:00 PM

Okay. I have done what you requested and included the ComboFix log. I wasn't sure if you needed the Malwarebytes log, but I included that also. Please let me know if this infection is critical enough where I should just reformat. I hate to do that, but understand that it may be necessary. Thanks again for your help.

2008-11-10 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2008-06-10 17:56]

2009-09-29 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msnbc.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-30 10:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-09-30 10:20
ComboFix-quarantined-files.txt 2009-09-30 14:20
ComboFix2.txt 2009-09-29 20:26

Pre-Run: 67,369,549,824 bytes free
Post-Run: 67,317,182,464 bytes free

147 --- E O F --- 2009-09-10 07:07

Malwarebytes' Anti-Malware 1.41
Database version: 2876
Windows 5.1.2600 Service Pack 3

9/30/2009 12:51:36 PM
mbam-log-2009-09-30 (12-51-36).txt

Scan type: Full Scan (C:\|)
Objects scanned: 168912
Time elapsed: 39 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 shelf life

shelf life

  • Malware Response Team
  • 2,657 posts
  • Gender:Male
  • Location:@localhost

Posted 30 September 2009 - 07:21 PM

Ok, thanks for the info. Looks like the top half of that last ComboFix log is missing. I forgot where it puts its copies (C:\combofix?); let me check and I will post back. If you look and find it, please post the entire log.

How Can I Reduce My Risk to Malware?


#10 kidwgm

kidwgm
  • Topic Starter

  • Members
  • 13 posts

Posted 01 October 2009 - 09:54 AM

ComboFix 09-09-29.04 - arodriguez 09/30/2009 10:11.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.95 [GMT -4:00]
Running from: c:\documents and settings\arodriguez\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\arodriguez\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\A76524F8EB.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\A76524F8EB.sys

.
((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))
.

2009-09-14 16:21 . 2009-09-29 20:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-14 14:07 . 2009-09-14 14:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-14 14:06 . 2009-09-14 14:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-14 14:06 . 2009-09-14 14:06 -------- d-----w- c:\documents and settings\arodriguez\Application Data\SUPERAntiSpyware.com
2009-09-14 14:04 . 2009-09-14 14:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-09 19:39 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-29 19:50 . 2007-04-03 19:10 -------- d-----w- c:\program files\Dl_cats
2009-09-14 18:44 . 2008-12-17 18:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 18:54 . 2008-12-18 15:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2008-12-18 15:52 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 07:14 . 2008-11-21 21:22 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-24 15:12 . 2008-12-17 15:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-24 15:12 . 2008-12-17 15:53 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-24 15:12 . 2008-12-17 15:53 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-14 10:58 . 2009-09-14 16:23 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-13 16:00 . 2007-03-12 14:54 -------- d-----w- c:\program files\Java
2009-08-11 14:33 . 2009-08-11 14:28 -------- d-----w- c:\documents and settings\arodriguez\Application Data\Apple Computer
2009-08-11 14:28 . 2009-08-11 14:27 -------- d-----w- c:\program files\iTunes
2009-08-11 14:28 . 2009-08-11 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-11 14:27 . 2009-08-11 14:27 -------- d-----w- c:\program files\iPod
2009-08-11 14:27 . 2009-08-11 14:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-11 14:27 . 2007-11-14 20:19 -------- d-----w- c:\program files\Bonjour
2009-08-11 14:26 . 2009-08-11 14:25 -------- d-----w- c:\program files\QuickTime
2009-08-11 14:23 . 2009-08-11 14:23 -------- d-----w- c:\program files\Apple Software Update
2009-08-11 14:23 . 2007-12-19 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-11 14:22 . 2009-08-11 14:22 -------- d-----w- c:\program files\Common Files\Apple
2009-08-05 19:48 . 2009-08-05 19:48 -------- d-----w- c:\documents and settings\arodriguez\Application Data\SonicWALL
2009-08-05 19:46 . 2009-08-05 19:46 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2009-08-05 19:46 . 2009-08-05 19:46 -------- d-----w- c:\program files\SonicWALL
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 09:23 . 2008-12-15 15:59 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 16:16 . 2009-08-11 14:22 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-09 16:16 . 2009-08-11 14:22 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2007-12-18 16:08 . 2007-11-17 17:52 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-09-29_20.22.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00 . 2009-09-21 15:08 41040 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-09-29 20:26 41040 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-09-29 20:26 314838 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-09-21 15:08 314838 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-04 1994480]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-24 2007832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-01-11 577536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-24 15:12 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\arodriguez\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVC.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/17/2008 11:53 AM 335240]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]
R1 SWIPsec;SonicWALL IPsec Driver;c:\windows\system32\drivers\SWIPsec.sys [8/5/2009 3:47 PM 87064]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/17/2008 11:53 AM 297752]
R2 SWGVCSvc;SonicWALL Global VPN Client Service;c:\program files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe [3/5/2009 11:57 PM 227352]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]
S3 SWVNIC;SonicWALL Virtual Miniport;c:\windows\system32\drivers\SWVNIC.sys [3/4/2009 6:03 PM 21016]
.
Contents of the 'Scheduled Tasks' folder

2008-11-10 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2008-06-10 17:56]

2009-09-29 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msnbc.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-30 10:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-09-30 10:20
ComboFix-quarantined-files.txt 2009-09-30 14:20
ComboFix2.txt 2009-09-29 20:26

Pre-Run: 67,369,549,824 bytes free
Post-Run: 67,317,182,464 bytes free

147 --- E O F --- 2009-09-10 07:07

#11 shelf life

shelf life

  • Malware Response Team
  • 2,657 posts
  • Gender:Male
  • Location:@localhost

Posted 02 October 2009 - 09:08 PM

hi kidwgm,

Looks good. If all is good on your end, you can remove ComboFix like this:

Start > Run and type in:
combofix /u
Click OK or press Enter.
Note: there is a space after the x and before the /.

Always check Malwarebytes for updates before a scan. The paid version has auto-updates and a real-time protection feature.

You can make a new restore point. The how and the why:

One of the features of Windows ME, XP and Vista is the System Restore option; however, if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning ok.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old, possibly infected restore points)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (creates a new restore point on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot.

Last, some info for you:

10 Tips for Reducing/Preventing Your Risk To Malware:

Simply knowing what constitutes a safe action on a computer and what may not will help you tremendously.

1) It is essential to keep your OS (Windows), browser (IE, Firefox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web-based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here.

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer, after which you're prompted to install software to remedy this. See also the signs that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits. If you frequently have malware then you should review your computer habits.

4) Refrain from clicking on links or attachments you receive via E-Mail, IM, IRC, Chat Rooms or Social Networking Sites, no matter how tempting or legitimate the message may seem.

5) Don't click on ads/pop ups or offers from websites requesting that you need to install software, media players or codecs to your computer--for any reason.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.*

8) Install and understand the limitations of a software firewall.

9) Consider using an alternate browser and e-mail client. Internet Explorer and Outlook Express are popular targets for malicious code because they are widely used. All browsers can have vulnerabilities, but statistically it is the most commonly used browser that will tend to be targeted the most. See also: Hardening or Securing Internet Explorer.

10) Warez, cracks etc are very popular for carrying malware payloads. Avoid. If you install files via p2p networks then you are much more likely to encounter malicious code. Do you trust the source of the file? Do you really need another malware source?

A longer version is in the link below.

Happy Safe Surfing.

How Can I Reduce My Risk to Malware?


#12 kidwgm

kidwgm
  • Topic Starter

  • Members
  • 13 posts

Posted 05 October 2009 - 09:14 AM

Great! Thank you so much for your time in helping resolve this. I really appreciate it and I will be using the tips you provided. Thanks again!



