Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I believe I have a RootKit infection?!?


  • This topic is locked This topic is locked
3 replies to this topic

#1 pelkins555

pelkins555

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:33 AM

Posted 14 September 2009 - 11:50 PM

Hello,

I'm searching for help in removing malware from my computer. I've been working on it for days with various tools and I've also performed a system image restore, but I still am having problems. Prior to the infection I was running AVG Free 8.5 and Spybot. A couple weeks ago I was hit with a virus that came up and presented itself as Windows Security Pro. I thought I removed it by killing the tasks, updating AVG and Spybot, running scans in both and removing all found entries. I also downloaded MalwareBytes Free and removed all items it found.

The same virus came back a few days later and after about 3 of these occurences I got another similar virus called Windows Police Pro. I was following a similar removal strategy. During the process I damaged my computer and had to restore from an image backup that is a month old.

After running clean for about a week I was infected with something else. It disabled and damaged Malwarebytes, Winpatrol, HiJackThis, AVG, SuperAntiSpyware, ComboFix, and wouldn't removed my desktop. This was similar to the symptoms I had in some of the previous infections.

I created a Kaspersky Rescue Disk on another uninfected computer. I ran it for 15hours and it removed hundreds of items (Trojans, SKYNET, and others I don't recall). I removed AVG since it wasn't helping and installed Avast free. I ran ComboFix (although after joining this forum it looks like I shouldn't have run it without first asking for assistance).

I ran Avira Rescue CD and MalwareBytes and both detected a root kit. MalwareBytes said it removed it successfully but Avira said it couldn't remove it. I'm worried the root kit is still present. I don't seem to be having any symptoms at the moment. However, I feel like trouble is lurking just around the corner. I ran Avira's root kit remover but it failed to run with the following error:

“This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.”

I ran Rootkit Revealer. It found 36 entries but I couldn't interpret the results. See below for output:

HKU\S-1-5-21-4099357967-3461364728-3670412518-1003\Console 9/14/2009 6:40 AM 0 bytes Security mismatch.
HKU\S-1-5-21-4099357967-3461364728-3670412518-1003\RemoteAccess\InternetProfile 4/18/2005 1:58 PM 9 bytes Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 4/1/2004 6:16 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 4/1/2004 6:16 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\swearware\backup\winsock2 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019 9/14/2009 6:08 AM 0 bytes Security mismatch.
HKLM\SYSTEM\ControlSet001\Control\StillImage\Events\STIProxyEvent\{C666EA40-DE91-4AD5-B4EA-2C2195C13BBA}\Icon 5/17/2009 2:48 PM 45 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Control\StillImage\Events\STIProxyEvent\{C666EA40-DE91-4AD5-B4EA-2C2195C13BBA}\Icon 5/17/2009 2:48 PM 45 bytes Data mismatch between Windows API and raw hive data.
D: 0 bytes Error mounting volume

I'm reaching out for assistance since this thing seems to have my number. Any help would be greatly appreciated!!

Below is my DDS:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 20:59:21.01 on Mon 09/14/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.989 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! antivirus 4.8.1351 [VPS 090914-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - hxxp://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpySubtract Shell Extension: {fa010552-4a27-4cb1-a1bb-3e2d697f1639} - c:\program files\intermute\spysubtract\sshook.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\9kvji0lz.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://movies.yahoo.com/showtimes/changeloc?p=sho&date=20080529
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\9kvji0lz.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-9-12 114768]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-24 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-25 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-24 108552]
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2008-5-13 101528]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-9-12 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-9-12 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-9-12 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-9-12 352920]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2008-5-13 24876]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe --> c:\progra~1\avg\avg8\avgemc.exe [?]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]
S4 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]
S4 salive;Servers Alive;c:\progra~1\salive\serversalive.exe [2006-5-24 581120]

=============== Created Last 30 ================

2009-09-14 06:45 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-14 06:45 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-14 06:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-14 06:23 229,888 a------- c:\windows\PEV.exe
2009-09-14 06:23 161,792 a------- c:\windows\SWREG.exe
2009-09-14 06:23 98,816 a------- c:\windows\sed.exe
2009-09-14 06:01 <DIR> --d----- c:\docume~1\owner\applic~1\Desktopicon
2009-09-14 06:01 <DIR> --d----- c:\program files\Unlocker
2009-09-14 05:49 <DIR> --d----- c:\docume~1\owner\applic~1\AVG8
2009-09-14 05:12 <DIR> --d----- c:\program files\msn gaming zone
2009-09-12 20:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-12 20:02 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-12 20:02 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-09-12 19:31 <DIR> --d----- c:\program files\Trend Micro
2009-09-12 19:29 <DIR> --d----- c:\program files\cleaner
2009-09-12 18:50 1,033,728 a------- c:\windows\explorer.exe
2009-09-12 18:30 <DIR> --d-h--- c:\windows\PIF
2009-09-12 14:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-09-11 05:49 <DIR> --d----- c:\docume~1\owner\applic~1\WinPatrol
2009-09-11 05:49 <DIR> --d----- c:\program files\BillP Studios
2009-09-11 05:46 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-09-11 05:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-11 00:59 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-11 00:57 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-09-11 00:57 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 02:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-20 22:11 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-17 11:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 09:12 827,392 -------- c:\windows\system32\wininet.dll
2009-06-29 09:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 09:12 17,408 a------- c:\windows\system32\corpol.dll
2007-09-27 15:55 473 a------- c:\documents and settings\owner\layout.bin
2007-04-05 14:36 492,032 a------- c:\documents and settings\owner\ISSetup.dll
2007-01-20 05:46 455,600 a------- c:\documents and settings\owner\setup.exe
2006-05-17 09:21 152,496 a------- c:\documents and settings\owner\_setup.dll

============= FINISH: 20:59:44.07 ===============

BC AdBot (Login to Remove)

 


#2 pelkins555

pelkins555
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:33 AM

Posted 17 September 2009 - 02:35 AM

I wanted to post an update on my situation. I believe the infection is resolved. At least all the symptoms that I had prior are resolved. However, I now have horribly slow Internet speed. On a cable modem I'm only running at 10KB/sec download rate. I have a router and two computers. The computer that isn't impacted is still getting around 2000KB/sec. I've tried to remove everything that's been installed related to the infection: Avast, Unlocker, Online Armor FW, and others. I ran LSPfix and it found an issue and resolved it but it didn't help my speed. I downloaded the NIC driver and reloaded it. I removed my SonicWall VPN client (working for years) just in case.

Nothing has helped my Internet speeds. I'm getting ready to resort to reloading the system which I really don't want to do. Attached below is my HJT logfile. As you'll see the system is pretty bare bones for software right now.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:56 AM, on 9/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\Virus Removal Tools\HiJackThis.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 968 bytes

Any assistance would be greatly appreciated!!!

Thank you.

Paul

#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:09:33 AM

Posted 30 September 2009 - 09:01 AM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate if you
would let me no so I can close this topic, if you still need help please let me no what issues you are still having, in your next reply.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • log.txt
  • info.txt
Thanks

unite.jpg


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:09:33 AM

Posted 04 October 2009 - 09:52 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

unite.jpg





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users