Trojan Horse Generic14.ADMQ & virus identified Packed.Protector.C, Ca


  • This topic is locked
31 replies to this topic

#1 suwzy
  • Members
  • 22 posts

Posted 15 September 2009 - 03:35 PM

Attached File: DDS.txt (16.62KB, 3 downloads)

Hi, after posting an initial log:

"Hi - my son's laptop (Toshiba Sat Pro running Win XP) has been infected with the 2 viruses above - located in C:\Windows\system32\drivers\agp440.sys and C:\Windows\system32\drivers\ntfs.sys. I have run Spybot, AVG Free and Malwarebytes and none will remove it - AVG states 'Object is white-listed (critical/system file that should not be removed)'.
Really don't know what to do to shift it, can anyone help?"

and following the instructions kindly offered by Garmanma - the brief history is that my son's laptop appears to be infected with the above trojans - I have run Dr.Web CureIt in safe mode - the log is attached:

vjocx.dll;c:\windows\system32\nagasoft;Probably DLOADER.Trojan;Incurable.Moved.;
DivXBundle.exe/data015\data055;C:\Documents and Settings\Administrator\My Documents\DivXBundle.exe/data015;DDoS.Nitecafe.6;;
data015;C:\Documents and Settings\Administrator\My Documents;Archive contains infected objects;;
DivXBundle.exe;C:\Documents and Settings\Administrator\My Documents;Archive contains infected objects;;
RegUBP2b-Administrator.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/13 19:59
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 0000099C
Image Path: 0000099C
Address: 0x85CCC000 Size: 41216 File Visible: No Signed: -
Status: -

Name: 0000099C
Image Path: 0000099C
Address: 0xA9566000 Size: 77440 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9A0E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BA9000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA833A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\dmwibk.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\str.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\administrator\local settings\temp\~dfc6ba.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
ServiceTable Hooked [0x86b96e88]!

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x85b26000

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x85b26005

#: 037 Function Name: NtCreateFile
Status: Hooked by "<unknown>" at address 0x85b2600a

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x85b2600f

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x85b26014

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x85b26019

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x85b2601e

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x85b26023

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x85b26028

#: 119 Function Name: NtOpenKey
Status: Hooked by "<unknown>" at address 0x85b2602d

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x85b26032

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x85b26037

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x85b26041

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x85b2603c

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "<unknown>" at address 0x85b26046

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x85b2604b

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x85b26050

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x85b26055

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x85b2605a

Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x85cabda8, TID: 816]
Process: svchost.exe (PID: 856) Address: 0x006c1f3c Size: -

Hidden Services
-------------------
Service Name: dhnafqpae
Image Path: C:\WINDOWS\system32\drivers\dmwibk.sys

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x85b2605f

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x85b26064

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x85b26069

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x85b26073

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x85b2606e

==EOF==



This was run successfully - followed instructions and did the other scans (logs attached).

Didn't know how to disable any script-blocking programs, hope the log was OK?

Would appreciate any further help.
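The RootRepeal report in the post above is easier to reason about once it is parsed rather than read by eye. The Python below is an added example written for this page; it is not RootRepeal's code and not from the thread. It splits the report into its sections and flags two things a responder would act on: every SSDT and Shadow SSDT hook that RootRepeal attributes to "<unknown>" resolving into one 4 KiB page (in the posted report all 24 hooks land in 0x85b26000-0x85b26073, exactly 5 bytes apart, which is what a table of short jump stubs looks like), and a hidden service (dhnafqpae) whose image file (dmwibk.sys) is itself invisible to the Windows API. SAMPLE_REPORT is a constructed excerpt modelled on the posted report; the function names are mine.

```python
"""Summarise rootkit indicators in a RootRepeal report.

Added example for this thread, not RootRepeal's own code. SAMPLE_REPORT is a
constructed excerpt modelled on the report posted above.
"""
import re
from collections import defaultdict

SAMPLE_REPORT = r"""
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\dmwibk.sys
Status: Invisible to the Windows API!

SSDT
-------------------
ServiceTable Hooked [0x86b96e88]!

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x85b26000

#: 037 Function Name: NtCreateFile
Status: Hooked by "<unknown>" at address 0x85b2600a

Hidden Services
-------------------
Service Name: dhnafqpae
Image Path: C:\WINDOWS\system32\drivers\dmwibk.sys

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x85b2605f

==EOF==
"""

KEYS = "Service Name|Image Path|File Visible|Name|Address|Size|Signed|Status|Path"
KV_RE = re.compile(rf"({KEYS}): ?(.*?)(?=\s+(?:{KEYS}): |$)")
HOOK_RE = re.compile(r'#: (\d+) Function Name: (\w+).*?Hooked by "([^"]*)"'
                     r" at address (0x[0-9a-fA-F]+)", re.S)


def sections(text):
    """Map section title -> its entries (blank-line-separated blocks). A title
    is any non-blank line sitting directly above a dashed rule."""
    out, lines, title, block = defaultdict(list), text.splitlines(), None, []
    for i, line in enumerate(lines + [""]):
        if i + 1 < len(lines) and lines[i + 1].startswith("---") and line.strip():
            title = line.strip()
        elif line.strip() and not line.startswith("---") and title:
            block.append(line.strip())
        elif block:
            out[title].append("\n".join(block))
            block = []
    return out


def parse_kv(block):
    """'Key: value' pairs, several of which may share one line, as a dict."""
    return dict(p for line in block.splitlines() for p in KV_RE.findall(line))


def parse_report(text):
    s = sections(text)
    hooks = []
    for table in ("SSDT", "Shadow SSDT"):
        for m in filter(None, map(HOOK_RE.search, s[table])):
            hooks.append({"table": table, "index": int(m[1]), "function": m[2],
                          "owner": m[3], "address": int(m[4], 16)})
    return {"hooks": hooks,
            "files": [parse_kv(b) for b in s["Hidden/Locked Files"]],
            "services": [parse_kv(b) for b in s["Hidden Services"]]}


def summarize(report):
    """Two patterns worth flagging: every hook of one owner resolving into a
    single 4 KiB page, and a hidden service whose image file is itself
    invisible to the Windows API."""
    pages = defaultdict(list)
    for h in report["hooks"]:
        pages[(h["owner"], f"0x{h['address'] & ~0xFFF:08x}")].append(h["function"])
    invisible = {f["Path"].lower() for f in report["files"]
                 if "Invisible" in f.get("Status", "")}
    return {"hook_pages": dict(pages),
            "hidden_service_images": [(x["Service Name"], x["Image Path"])
                                      for x in report["services"]
                                      if x.get("Image Path", "").lower() in invisible]}


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(key, value)
```

Run it as a script to print the summary, or pass the text of a saved RootRepeal.txt to parse_report(); the section parser only relies on the title-above-dashes layout RootRepeal uses, so the full report from the post parses the same way.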



#2 sempai (noypi)
  • Malware Response Team
  • 5,288 posts

Posted 30 September 2009 - 05:07 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)


#3 suwzy (Topic Starter)
  • Members
  • 22 posts

Posted 04 October 2009 - 04:29 PM

Attached Files: Attach.txt (8.58KB, 6 downloads), DDS.txt (15.75KB, 26 downloads)

Many thanks for the response - I have done as requested and attached the logs - I appreciate the time being taken to try and resolve this issue which is still causing a problem on this laptop - logs attached below.

#4 sempai (noypi)
  • Malware Response Team
  • 5,288 posts

Posted 05 October 2009 - 06:44 AM

Hello my name is Sempai and welcome to Bleeping Computer.

*We apologize for the delay. The forum has been busy.

*I want you to understand that I'm still a trainee here. I will be working with my Coach who will approve all my instructions before posting them to you, so there's a possibility to have some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*You must reply within 5 days otherwise this topic will be closed.


Your log will be analyzed and you will be instructed on what to do next as soon as possible.


~Semp



#5 sempai (noypi)
  • Malware Response Team
  • 5,288 posts

Posted 06 October 2009 - 07:35 AM

Hello suwzy,

Sorry for the delay, the forum has been really busy.


1. Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case µTorrent / LimeWire).

These programmes allow files to be shared between users, as the name suggests. In today's world cyber crime has reached an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should be used with great care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world, and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.


Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "OpenOffice."



2. Download ComboFix from any of the links below but rename it to CFscan before saving it to your desktop. (Make sure to disable your anti-virus/anti-malware programs - see HERE.)

Link 1
Link 2


==================================


Double click on the renamed ComboFix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.



~Semp


#6 sempai (noypi)
  • Malware Response Team
  • 5,288 posts

Posted 09 October 2009 - 01:04 PM

Hi,

Are you still with us?

~Semp



#7 suwzy (Topic Starter)
  • Members
  • 22 posts

Posted 09 October 2009 - 04:56 PM

Hi, yes still here - my son takes his laptop back to uni during the week, returning Fridays. I have downloaded the item mentioned but can't find out how to disable the realtime scanner in ThreatFire? Can you tell me how to do this please, don't want to damage the laptop as it mentions it needs to be done. (Followed instructions to disable PC Tools Firewall) but don't have the ThreatFire icon near the clock so can't select Suspend?
Please let me know.

#8 sempai (noypi)
  • Malware Response Team
  • 5,288 posts

Posted 10 October 2009 - 07:36 AM

Hi suwzy,

We can temporarily remove ThreatFire. Go to Start > Control Panel > Add/Remove Programs and uninstall ThreatFire. You can always install it back after we clean the computer. Thanks.


~Semp


#9 suwzy (Topic Starter)
  • Members
  • 22 posts

Posted 10 October 2009 - 05:02 PM

Hi - have looked for ThreatFire in Add and Remove Programs but it doesn't exist - there was a folder in Programs but there was nothing much in there so deleted it (I think it's been removed previously), restarted machine - however when I start to run ComboFix I receive a message saying: "ComboFix has detected the following real time scanner(s) to be active: antivirus: ThreatFire" but can't find the programme at all on the laptop - it does say that running ComboFix may lead to unpredictable results or possible machine damage - can I still run it with this message? Should I remove PC Tools Firewall Plus (seem to recall ThreatFire was part of the install? maybe) - sorry for the hassle.

#10 sempai (noypi)
  • Malware Response Team
  • 5,288 posts

Posted 11 October 2009 - 05:21 PM

Hi suwzy,

"sorry for the hassle."

Don't be sorry, this is what we are here for.

If ThreatFire is no longer installed, you can ignore the message and proceed with ComboFix.


~Semp


#11 suwzy (Topic Starter)
  • Members
  • 22 posts

Posted 12 October 2009 - 02:44 PM

Hi Sempai - please find attached the log as requested, many thanks for your assistance. Suwzy


#12 sempai (noypi)
  • Malware Response Team
  • 5,288 posts

Posted 13 October 2009 - 08:23 AM

Hi suwzy,


You are welcome. Please do not attach logs, because it will be easier for me to analyze them if you post them directly into this thread.


1. Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case uTorrent, LimeWire and Vuze).





2. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

KillAll::

Rootkit::
c:\windows\system32\drivers\dmwibk.sys
c:\docume~1\ADMINI~1\LOCALS~1\Temp\pohci13F.sys
C:\WINDOWS\system32\drivers\str.sys
c:\documents and settings\administrator\local settings\temp\~dfc6ba.tmp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"vvdsvc"=-

Driver::
cjdzsoa
dhnafqpae
oskxxtlj
pohci13F

NetSvc::
cjdzsoa
oskxxtlj

Save this as CFScript.txt, in the same location as ComboFix.exe


Drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




3. We need to check for rootkits with RootRepeal
  • Open RootRepeal on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply.

4. Please go to C:\Qoobox, then look for Add-Remove Programs.txt and post its contents for me please.



Post the following when you reply:
  • ComboFix.txt
  • RootRepeal.txt
  • Contents of C:\Qoobox\Add-Remove Programs.txt

~Semp
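After a script like the one above has run, the ComboFix log should be checked against it rather than just posted. The Python below is an added example written for this page, not ComboFix's own code and not from the thread. It parses the CFScript directives (the script text is the one posted above) and a constructed ComboFix log excerpt laid out like the "Other Deletions" and "Drivers/Services" sections of the log posted in the next reply, then reports which Driver:: entries the log confirms removed (a Service_<name> line, and for most also a Legacy_<NAME> line, as in that log) and which Rootkit:: paths appear under Other Deletions; that deleted files are listed there is my assumption. On this excerpt, as in the posted log, all four drivers are confirmed but none of the four Rootkit:: files is, which is the kind of gap to raise before calling the machine clean. The function names are mine.

```python
"""Check a ComboFix run against the CFScript that drove it.
Added example, not ComboFix's code and not part of the thread: CFSCRIPT is the
script posted above; COMBOFIX_LOG is a constructed excerpt in ComboFix's layout.
"""
import re

CFSCRIPT = r"""
KillAll::

Rootkit::
c:\windows\system32\drivers\dmwibk.sys
c:\docume~1\ADMINI~1\LOCALS~1\Temp\pohci13F.sys
C:\WINDOWS\system32\drivers\str.sys
c:\documents and settings\administrator\local settings\temp\~dfc6ba.tmp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"vvdsvc"=-

Driver::
cjdzsoa
dhnafqpae
oskxxtlj
pohci13F

NetSvc::
cjdzsoa
oskxxtlj
"""

COMBOFIX_LOG = r"""
(((((((((((((((((((( Other Deletions ))))))))))))))))))))
.
(((((((((((((((((((( Drivers/Services ))))))))))))))))))))
.

-------\Legacy_CJDZSOA
-------\Legacy_OSKXXTLJ
-------\Legacy_POHCI13F
-------\Service_cjdzsoa
-------\Service_dhnafqpae
-------\Service_oskxxtlj
-------\Service_pohci13F

(((((((((((( Files Created from 2009-09-16 to 2009-10-16 ))))))))))))
.
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")


def parse_cfscript(text):
    """Map each 'Directive::' to the non-blank lines that follow it."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Map each '((( Title )))' section to its lines other than '' and '.'."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line not in ("", "."):
            sections[current].append(line)
    return sections


def verify(script, log):
    """Driver:: items should show as Service_<name> (often also Legacy_<NAME>);
    Rootkit:: paths should show under Other Deletions (assumed). Registry::,
    NetSvc:: and KillAll:: leave no line in either section: reported, not passed."""
    removed = {"service": set(), "legacy": set()}
    for item in log.get("Drivers/Services", []):
        kind, _, name = item.lstrip("-\\").partition("_")
        removed.setdefault(kind.lower(), set()).add(name.lower())
    deleted = {p.lower() for p in log.get("Other Deletions", [])}
    drivers, files = script.get("Driver", []), script.get("Rootkit", [])
    return {
        "driver_confirmed": [d for d in drivers if d.lower() in removed["service"]],
        "driver_unconfirmed": [d for d in drivers if d.lower() not in removed["service"]],
        "legacy_key_removed": [d for d in drivers if d.lower() in removed["legacy"]],
        "file_confirmed": [f for f in files if f.lower() in deleted],
        "file_unconfirmed": [f for f in files if f.lower() not in deleted],
        "not_checked": [k for k in script if k not in ("Driver", "Rootkit")],
    }


if __name__ == "__main__":
    for key, value in verify(parse_cfscript(CFSCRIPT), parse_combofix_log(COMBOFIX_LOG)).items():
        print(f"{key}: {value}")
```

To use it on a real run, read CFScript.txt and C:\ComboFix.txt into the two parsers; anything in driver_unconfirmed or file_unconfirmed is what to ask about in the next reply, and not_checked lists the directives this comparison cannot speak to.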


#13 suwzy (Topic Starter)
  • Members
  • 22 posts

Posted 16 October 2009 - 04:22 PM

Hello Sempai - I have followed the instructions carefully and will post the requested information below - hope to be able to clean my son's laptop, and thanks very much for all the assistance you are giving.

COMBOFIX LOG

ComboFix 09-10-16.02 - Administrator 16/10/2009 21:55.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.272 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\CFscan.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ThreatFire *On-access scanning enabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CJDZSOA
-------\Legacy_OSKXXTLJ
-------\Legacy_POHCI13F
-------\Service_cjdzsoa
-------\Service_dhnafqpae
-------\Service_oskxxtlj
-------\Service_pohci13F


((((((((((((((((((((((((( Files Created from 2009-09-16 to 2009-10-16 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-16 21:03 . 2008-10-16 11:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-15 23:55 . 2008-11-19 14:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-10-12 19:17 . 2009-07-29 15:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Logs
2009-10-11 18:49 . 2008-11-04 11:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2009-10-10 21:44 . 2008-10-16 11:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-04 21:19 . 2009-01-26 21:39 -------- d-----w- c:\program files\Acoustica CD Label Maker
2009-10-04 21:19 . 2008-10-27 02:59 -------- d-----w- c:\program files\DivX
2009-10-04 21:19 . 2008-11-04 11:53 -------- d-----w- c:\program files\LimeWire
2009-10-04 21:19 . 2008-10-29 22:45 -------- d-----w- c:\program files\Xvid
2009-10-04 21:19 . 2008-10-27 12:24 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-03 11:24 . 2008-12-04 23:26 -------- d-----w- c:\program files\Lx_cats
2009-09-27 17:29 . 2009-02-14 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-27 16:42 . 2009-02-14 11:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-17 21:15 . 2009-04-17 22:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 13:54 . 2009-04-17 22:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2009-04-17 22:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 09:36 . 2009-05-16 07:27 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 22:51 . 2008-10-17 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-25 16:52 . 2008-10-17 19:23 -------- d-----w- c:\program files\Vuze
2009-08-25 16:51 . 2008-10-18 16:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Paltalk
2009-08-25 16:51 . 2008-10-18 16:05 -------- d-----w- c:\program files\Paltalk Messenger
2009-08-25 15:16 . 2009-08-25 15:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-25 15:16 . 2006-05-22 10:35 -------- d-----w- c:\program files\Java
2009-08-23 09:29 . 2008-10-17 19:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-23 09:29 . 2008-10-17 19:07 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-23 09:29 . 2008-10-17 19:07 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-20 10:00 . 2009-08-20 10:00 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks
2009-08-12 13:38 . 2009-08-12 13:38 262144 ----a-w- C:\ntuser.dat
2009-08-06 12:06 . 2009-08-06 12:06 59904 ----a-w- c:\windows\system32\zlib1.dll
2009-08-06 12:02 . 2009-08-06 12:02 286720 ----a-w- c:\windows\system32\libcurl.dll
2009-08-06 12:02 . 2009-08-06 12:02 196608 ----a-w- c:\windows\system32\ssleay32.dll
2009-08-06 12:02 . 2009-08-06 12:02 1028096 ----a-w- c:\windows\system32\libeay32.dll
2009-08-06 12:02 . 2009-08-06 12:02 143360 ----a-w- c:\windows\system32\libexpatw.dll
2009-08-05 09:01 . 2006-05-22 08:58 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-12_19.37.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-16 21:01 . 2009-10-16 21:01 16384 c:\windows\temp\Perflib_Perfdata_2a0.dat
+ 2006-05-22 08:58 . 2009-10-16 20:14 54010 c:\windows\system32\perfc009.dat
- 2006-05-22 08:58 . 2009-10-12 19:30 54010 c:\windows\system32\perfc009.dat
+ 2006-05-22 08:58 . 2009-10-16 20:14 383822 c:\windows\system32\perfh009.dat
- 2006-05-22 08:58 . 2009-10-12 19:30 383822 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 15:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-08 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="thpsrv" [X]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-05-18 253952]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2005-08-31 102400]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-01 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-01 696320]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2008-08-05 2611096]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-08 2023704]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-04-24 1448960]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-23 24576]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2006-03-04 88204]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2006-05-19 299008]
"TPSODDCtl"="TPSODDCtl.exe" - c:\windows\system32\TPSODDCtl.exe [2006-05-19 102400]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2006-04-11 622592]
"TOSDCR"="TOSDCR.EXE" - c:\windows\system32\TOSDCR.exe [2005-12-12 57344]
"NDSTray.exe"="NDSTray.exe" [BU]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-09 16207360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Update Agent.lnk - c:\program files\3\3Connect\AutoUpdateSrv.exe [2008-10-17 670256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AtiExtEvent]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-23 09:29 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-991696779-180514507-7473742-14332\Scripts\Logon\0\0]
"Script"=\\hullcc.gov.uk\SysVol\hullcc.gov.uk\scripts\hcc183 IBS.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-991696779-180514507-7473742-14332\Scripts\Logon\1\0]
"Script"=\\hullcc.gov.uk\SysVol\hullcc.gov.uk\scripts\hcc162.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-991696779-180514507-7473742-18130\Scripts\Logon\0\0]
"Script"=\\hullcc.gov.uk\SysVol\hullcc.gov.uk\scripts\AllowWindowReuse.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-991696779-180514507-7473742-18130\Scripts\Logon\0\1]
"Script"=\\hullcc.gov.uk\SysVol\hullcc.gov.uk\scripts\hcc165.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-991696779-180514507-7473742-22946\Scripts\Logon\0\0]
"Script"=\\hullcc.gov.uk\SysVol\hullcc.gov.uk\scripts\hcc183 IBS.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-991696779-180514507-7473742-22946\Scripts\Logon\1\0]
"Script"=\\hullcc.gov.uk\SysVol\hullcc.gov.uk\scripts\AllowWindowReuse.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-991696779-180514507-7473742-22946\Scripts\Logon\1\1]
"Script"=\\hullcc.gov.uk\SysVol\hullcc.gov.uk\scripts\Housing.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-991696779-180514507-7473742-2576\Scripts\Logon\0\0]
"Script"=\\hullcc.gov.uk\SysVol\hullcc.gov.uk\scripts\AllowWindowReuse.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-991696779-180514507-7473742-2576\Scripts\Logon\0\1]
"Script"=\\hullcc.gov.uk\SysVol\hullcc.gov.uk\scripts\hcc165.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-991696779-180514507-7473742-7099\Scripts\Logon\0\0]
"Script"=\\hullcc.gov.uk\SysVol\hullcc.gov.uk\scripts\AllowWindowReuse.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-991696779-180514507-7473742-7099\Scripts\Logon\0\1]
"Script"=\\hullcc.gov.uk\SysVol\hullcc.gov.uk\scripts\hcc165.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-991696779-180514507-7473742-8260\Scripts\Logon\0\0]
"Script"=\\hullcc.gov.uk\sysvol\hullcc.gov.uk\scripts\AllowWindowReuse.vbs

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\TunnelServer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5507:TCP"= 5507:TCP:WWW

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [27/12/2004 23:31 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [24/05/2006 09:38 6144]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [17/10/2008 20:07 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [17/10/2008 20:07 108552]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [15/02/2007 18:00 26624]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [17/10/2008 19:39 160792]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [02/07/2009 00:02 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [02/07/2009 00:02 297752]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [14/02/2009 13:55 603904]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [17/10/2008 20:37 388936]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [07/02/2007 18:00 2944]
R3 FWAuth;FWAuth Driver;c:\windows\system32\drivers\FWAuthdriver.sys [17/10/2008 19:39 58136]
S3 CdProbe;CdProbe;c:\windows\system32\drivers\CDProbe.SYS [09/05/2007 15:31 11904]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [24/05/2006 11:33 35968]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-10-16 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 20:36]

2008-11-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-10-16 c:\windows\Tasks\User_Feed_Synchronization-{12673888-80C6-403B-9CD5-711D3AA57E91}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.bbc.co.uk/sport
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://hcc-930:7777/dev60cgi/f60cgi?config=houlive
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: leedstrinity.ac.uk\remote
TCP: {716E7D86-E5B2-49FA-9609-C9D0C58E4985} = 212.50.160.100 213.249.130.100
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} - hxxp://hull-connect:18231/jinitiator/oajinit.exe
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as5el5ts.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.wwe.com/
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-16 22:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-489560314-3103030024-1390383519-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ba,f3,26,71,e2,a3,f4,4b,bd,b3,bb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ba,f3,26,71,e2,a3,f4,4b,bd,b3,bb,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3848)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Super_DVD_Creator_9.8\NMSAccessU.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\ThpSrv.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\ThpSrv.exe
c:\windows\system32\igfxext.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-16 22:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-16 21:06

Pre-Run: 48,536,698,880 bytes free
Post-Run: 48,697,905,152 bytes free

278 --- E O F --- 2009-09-09 22:56


ROOTREPEAL TXT LOG

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/16 22:07
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\CFscan\catchme.sys
Address: 0xF78EF000 Size: 31744 File Visible: No Signed: -
Status: -

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xF7697000 Size: 60416 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA64E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B4B000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xF7BD9000 Size: 6464 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9C67000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x85c16000

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x85c16005

#: 037 Function Name: NtCreateFile
Status: Hooked by "<unknown>" at address 0x85c1600a

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x85c1600f

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x85c16014

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x85c16019

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x85c1601e

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x85c16023

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x85c16028

#: 119 Function Name: NtOpenKey
Status: Hooked by "<unknown>" at address 0x85c1602d

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x85c16032

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x85c16037

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x85c16041

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x85c1603c

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "<unknown>" at address 0x85c16046

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x85c1604b

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x85c16050

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x85c16055

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x85c1605a

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x85c1605f

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x85c16064

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x85c16069

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x85c16073

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x85c1606e

==EOF==

C:\QOOBOX\ADD-REMOVE PROGRAMS TXT

µTorrent
2007 Microsoft Office Suite Service Pack 1 (SP1)
3Connect
Acoustica CD/DVD Label Maker
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.8
Adobe Shockwave Player 11.5
ALPS Touch Pad Driver
Apple Software Update
AVG Free 8.5
Bluetooth Stack for Windows by Toshiba
CD/DVD Drive Acoustic Silencer
DivX Codec
DivX Converter
DivX Player
DivX Web Player
F1 Manager
ffdshow [rev 2488] [2008-12-13]
Football Manager 2009
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Huawei Modems
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 15
Lexmark 730 Series
LimeWire 4.18.8
Macromedia Flash Player
Malwarebytes' Anti-Malware
mCore
mDrWiFi
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C Runtime
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
mIWA
mLogView
mMHouse
Mozilla Firefox (3.0.14)
mPfMgr
mPfWiz
mProSafe
MSN Toolbar
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mXML
mZConfig
Nero 7 Essentials
neroxml
PC Tools Firewall Plus 4.0
QuickTime
Realtek High Definition Audio Driver
SD Secure Module
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Sonic DLA
Sonic RecordNow!
SpeedTouch USB Software
Spybot - Search & Destroy
Super DVD Creator 9.8 Full Version
Sx3Jinitiator
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Display Devices Change Utility
TOSHIBA HDD Protection
TOSHIBA Hotkey Utility for Display Devices
TOSHIBA Manuals
TOSHIBA Password Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA SD Memory Boot Utility
TOSHIBA SD Memory Card Format
TOSHIBA Security Assist
TOSHIBA Software Modem
TOSHIBA TouchPad On/Off Utility V2.05.01
TOSHIBA Utilities
TOSHIBA Zooming Utility
TuneUp Utilities 2009
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Outlook 2007 Junk Email Filter (kb973514)
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WebFldrs XP
Window Washer
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live installer
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
WinZip8.1
Wireless Hotkey
World Championship Snooker 2004
Xvid 1.1.3 final uninstall

#14 sempai (Malware Response Team)

Posted 17 October 2009 - 10:31 AM

Hello suwzy,

Good job :( , your logs are good, so how's your computer running now? Let's do a few more steps to make sure that you're clean. Please stay with me until I declare that you are good to go. :(


1. Please open your Malwarebytes' Anti-Malware, click on the Update tab and apply all updates available. Then perform a full scan. Post the scan result for me when done.



2. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 16...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.


3. Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


4. Please create a fresh DDS log for me, post the log DDS.txt when you reply.



Please post the following logs when you reply:
  • Result of MBAM.
  • Kaspersky scan report.
  • A fresh DDS log.


~Semp :)

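Step 2 above is done by eye in Add/Remove Programs. As an added example (not code from the thread or from any of the tools it mentions), the script below does the same triage against the plain-text program list that ComboFix saves as Add-Remove Programs.txt: it picks out every JRE/J2SE entry and reports those older than a target release, here 6 Update 16 as sempai's post specifies. The sample listing is constructed from entries visible in the log posted above; the regular expressions assume the two naming schemes Sun used for the consumer JRE ("J2SE Runtime Environment 5.0 Update 6" and "Java(TM) 6 Update 15"), which is an assumption, not something the page states.

```python
"""Flag outdated Java runtimes in a ComboFix 'Add-Remove Programs' listing.

Added example for this thread, not part of the original post. It mirrors the
manual 'remove all older versions of Java' step: every JRE/J2SE entry in the
listing is parsed to (major, update) and compared against a target release.
"""
import re

# Constructed sample: a subset of the listing posted earlier in the thread.
SAMPLE_LISTING = """\
Adobe Reader 7.0.8
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 15
Malwarebytes' Anti-Malware
Mozilla Firefox (3.0.14)
"""

# Assumed naming schemes for the consumer JRE in Add/Remove Programs:
#   "J2SE Runtime Environment 5.0 Update 6"          -> (5, 6)
#   "Java(TM) 6 Update 15" / "Java™ 6 Update 15"     -> (6, 15)
_J2SE = re.compile(r"^J2SE Runtime Environment (\d+)\.\d+(?: Update (\d+))?", re.I)
_JAVA = re.compile(r"^Java(?:\(TM\)|™)? (\d+) Update (\d+)", re.I)


def parse_java_version(entry):
    """Return (major, update) for a Java entry, or None for any other program."""
    m = _J2SE.match(entry) or _JAVA.match(entry)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0  # base release has no Update number
    return (major, update)


def outdated_java(listing, target=(6, 16)):
    """Return [(entry, (major, update)), ...] for every Java install older than target.

    Tuples compare element-wise, so (5, 6) < (6, 16) and (6, 15) < (6, 16)
    both count as outdated, while (6, 16) itself does not.
    """
    found = []
    for line in listing.splitlines():
        entry = line.strip()
        ver = parse_java_version(entry)
        if ver is not None and ver < target:
            found.append((entry, ver))
    return found


if __name__ == "__main__":
    for entry, (major, update) in outdated_java(SAMPLE_LISTING):
        print(f"outdated: {entry!r} -> Java {major} Update {update}")
```

Run it against the real file (`python check_java.py < "C:\Qoobox\Add-Remove Programs.txt"` after swapping SAMPLE_LISTING for `sys.stdin.read()`) and every reported entry is one to remove in Add/Remove Programs before installing the current JRE. An entry that the uninstaller cannot remove, as the next post describes, still shows up here, which is the point: the listing reflects the registry's Uninstall keys, not what is actually on disk.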


#15 suwzy (Topic Starter)

Posted 17 October 2009 - 04:51 PM

Hello Sempai - please find below the log for the Malwarebytes scan - tried to uninstall Java but hit a problem - there is an entry in Add and Remove still for Java 6 Update 15 which I cannot remove - there is also a Java control panel in the Control Panel which, when clicked on, says the file does not exist - I have tried to install the Java 16 as mentioned in your earlier post, but after that's been downloaded to my desktop it goes so far then says "Installation failed, please run setup again". I have tried to do the online scan but this won't run; when I try and click on the link to install Java from the window on the left I get the same message.

Was looking good up to that point :( :(

Malwarebytes' Anti-Malware 1.41
Database version: 2976
Windows 5.1.2600 Service Pack 3

17/10/2009 21:23:31
mbam-log-2009-10-17 (21-23-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 160277
Time elapsed: 49 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by suwzy, 18 October 2009 - 07:23 AM.
