Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

lsm32.sys & Security Alert Center Infection


  • This topic is locked This topic is locked
44 replies to this topic

#1 corpsesriiise

corpsesriiise

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:SoCal
  • Local time:04:55 AM

Posted 27 September 2009 - 12:38 PM

A few weeks ago a managed to get his trojan on my hands...
- Every so often a Security Alert Center message window pops up warning me of an infection.
- Every couple of minutes I get warning messages from Windows saying lsm32.sys has found a problem and needs to close.
- I sometimes return to my desktop and I find shortcuts to what seem be porn sites and a Protection System and Protection System Support.
- I can't run exe programs regularly; an 'open with' window pops up every time I try to open an exe program. Sometimes I am able to find the programs to open them manually, but certain programs like the dds.scr I cannot, thus no dds log file. I -have- found a way to run RootRepeal so here it is....





ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/27 10:12
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:WINDOWSsystem32DRIVERS1394BUS.SYS
Address: 0xF764E000 Size: 57344 File Visible: - Signed: -
Status: -

Name: aa2z7r44.SYS
Image Path: C:WINDOWSSystem32Driversaa2z7r44.SYS
Address: 0xF6792000 Size: 229376 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF74D6000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: DriverACPI_HAL
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -
Status: -

Name: ACPIEC.sys
Image Path: ACPIEC.sys
Address: 0xF7A5A000 Size: 11648 File Visible: - Signed: -
Status: -

Name: AegisP.sys
Image Path: C:WINDOWSsystem32DRIVERSAegisP.sys
Address: 0xF797E000 Size: 19232 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:WINDOWSSystem32driversafd.sys
Address: 0xAA724000 Size: 138496 File Visible: - Signed: -
Status: -

Name: AGRSM.sys
Image Path: C:WINDOWSsystem32DRIVERSAGRSM.sys
Address: 0xAAA7C000 Size: 1122592 File Visible: - Signed: -
Status: -

Name: arp1394.sys
Image Path: C:WINDOWSsystem32DRIVERSarp1394.sys
Address: 0xF6BB8000 Size: 60800 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF744A000 Size: 98304 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0x00000000 Size: 0 File Visible: - Signed: -
Status: -

Name: atksgt.sys
Image Path: C:WINDOWSsystem32DRIVERSatksgt.sys
Address: 0xA9BC7000 Size: 271360 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:WINDOWSSystem32ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:WINDOWSsystem32DRIVERSaudstub.sys
Address: 0xF7CB2000 Size: 3072 File Visible: - Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:WINDOWSsystem32DRIVERSBATTC.SYS
Address: 0xF7A56000 Size: 16384 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:WINDOWSSystem32DriversBeep.SYS
Address: 0xF7BA8000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:WINDOWSsystem32BOOTVID.dll
Address: 0xF7A4E000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:WINDOWSSystem32DriversCdfs.SYS
Address: 0xF776E000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:WINDOWSsystem32DRIVERScdrom.sys
Address: 0xF773E000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:WINDOWSsystem32DRIVERSCLASSPNP.SYS
Address: 0xF769E000 Size: 53248 File Visible: - Signed: -
Status: -

Name: CmBatt.sys
Image Path: C:WINDOWSsystem32DRIVERSCmBatt.sys
Address: 0xF72AD000 Size: 13952 File Visible: - Signed: -
Status: -

Name: compbatt.sys
Image Path: compbatt.sys
Address: 0xF7A52000 Size: 10240 File Visible: - Signed: -
Status: -

Name: csiidecoder_kern_i386.sys
Image Path: C:WINDOWSsystem32DRIVERScsiidecoder_kern_i386.sys
Address: 0xF789E000 Size: 36864 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF768E000 Size: 36352 File Visible: - Signed: -
Status: -

Name: DLABOIOM.SYS
Image Path: C:WINDOWSSystem32DLADLABOIOM.SYS
Address: 0xF795E000 Size: 25568 File Visible: - Signed: -
Status: -

Name: DLACDBHM.SYS
Image Path: C:WINDOWSSystem32DriversDLACDBHM.SYS
Address: 0xF7B86000 Size: 5568 File Visible: - Signed: -
Status: -

Name: DLADResN.SYS
Image Path: C:WINDOWSSystem32DLADLADResN.SYS
Address: 0xF7D95000 Size: 2432 File Visible: - Signed: -
Status: -

Name: DLAIFS_M.SYS
Image Path: C:WINDOWSSystem32DLADLAIFS_M.SYS
Address: 0xAA334000 Size: 86464 File Visible: - Signed: -
Status: -

Name: DLAOPIOM.SYS
Image Path: C:WINDOWSSystem32DLADLAOPIOM.SYS
Address: 0xAA533000 Size: 14624 File Visible: - Signed: -
Status: -

Name: DLAPoolM.SYS
Image Path: C:WINDOWSSystem32DLADLAPoolM.SYS
Address: 0xF7B5A000 Size: 6304 File Visible: - Signed: -
Status: -

Name: DLARTL_N.SYS
Image Path: C:WINDOWSSystem32DriversDLARTL_N.SYS
Address: 0xF7A3E000 Size: 22624 File Visible: - Signed: -
Status: -

Name: DLAUDF_M.SYS
Image Path: C:WINDOWSSystem32DLADLAUDF_M.SYS
Address: 0xAA306000 Size: 86976 File Visible: - Signed: -
Status: -

Name: DLAUDFAM.SYS
Image Path: C:WINDOWSSystem32DLADLAUDFAM.SYS
Address: 0xAA31C000 Size: 94272 File Visible: - Signed: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF7462000 Size: 153344 File Visible: - Signed: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xF7B42000 Size: 5888 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:WINDOWSsystem32driversdrmk.sys
Address: 0xF787E000 Size: 61440 File Visible: - Signed: -
Status: -

Name: DRVMCDB.SYS
Image Path: DRVMCDB.SYS
Address: 0xF73D0000 Size: 87104 File Visible: - Signed: -
Status: -

Name: DRVNDDM.SYS
Image Path: C:WINDOWSSystem32DriversDRVNDDM.SYS
Address: 0xF6BA8000 Size: 38304 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:WINDOWSSystem32Driversdump_atapi.sys
Address: 0xAA623000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:WINDOWSSystem32Driversdump_WMILIB.SYS
Address: 0xF7BFA000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:WINDOWSSystem32driversDxapi.sys
Address: 0xAA65B000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:WINDOWSSystem32driversdxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:WINDOWSSystem32driversdxgthk.sys
Address: 0xF7D0D000 Size: 4096 File Visible: - Signed: -
Status: -

Name: e100b325.sys
Image Path: C:WINDOWSsystem32DRIVERSe100b325.sys
Address: 0xF681C000 Size: 163328 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:WINDOWSSystem32DriversFips.SYS
Address: 0xF6BD8000 Size: 44544 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF73F8000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:WINDOWSSystem32DriversFs_Rec.SYS
Address: 0xF7BA6000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF7488000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:WINDOWSsystem32DRIVERSGEARAspiWDM.sys
Address: 0xF775E000 Size: 40960 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:WINDOWSsystem32hal.dll
Address: 0x806FF000 Size: 134400 File Visible: - Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:WINDOWSsystem32DRIVERSHDAudBus.sys
Address: 0xF6A01000 Size: 163840 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:WINDOWSSystem32DriversHTTP.sys
Address: 0xA9A46000 Size: 264832 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:WINDOWSsystem32DRIVERSi8042prt.sys
Address: 0xF771E000 Size: 52480 File Visible: - Signed: -
Status: -

Name: ialmdd5.DLL
Image Path: C:WINDOWSSystem32ialmdd5.DLL
Address: 0xBFA3A000 Size: 925696 File Visible: - Signed: -
Status: -

Name: ialmdev5.DLL
Image Path: C:WINDOWSSystem32ialmdev5.DLL
Address: 0xBFA05000 Size: 217088 File Visible: - Signed: -
Status: -

Name: ialmdnt5.dll
Image Path: C:WINDOWSSystem32ialmdnt5.dll
Address: 0xBF9E3000 Size: 139264 File Visible: - Signed: -
Status: -

Name: ialmnt5.sys
Image Path: C:WINDOWSsystem32DRIVERSialmnt5.sys
Address: 0xF6A3D000 Size: 1353696 File Visible: - Signed: -
Status: -

Name: ialmrnt5.dll
Image Path: C:WINDOWSSystem32ialmrnt5.dll
Address: 0xBF9D5000 Size: 57344 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:WINDOWSsystem32DRIVERSimapi.sys
Address: 0xF772E000 Size: 42112 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:WINDOWSsystem32DRIVERSintelppm.sys
Address: 0xF770E000 Size: 36352 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:WINDOWSsystem32DRIVERSipnat.sys
Address: 0xAA663000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:WINDOWSsystem32DRIVERSipsec.sys
Address: 0xAA7C7000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF765E000 Size: 37248 File Visible: - Signed: -
Status: -

Name: iviaspi.sys
Image Path: C:WINDOWSsystem32driversiviaspi.sys
Address: 0xF7A2E000 Size: 20992 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:WINDOWSsystem32DRIVERSkbdclass.sys
Address: 0xF7A1E000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:WINDOWSsystem32KDCOM.DLL
Address: 0xF7B3E000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:WINDOWSsystem32driverskmixer.sys
Address: 0xA9269000 Size: 172416 File Visible: - Signed: -
Status: -

Name: KR10N.sys
Image Path: KR10N.sys
Address: 0xF7418000 Size: 204160 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:WINDOWSsystem32DRIVERSks.sys
Address: 0xF67CA000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF73B9000 Size: 92928 File Visible: - Signed: -
Status: -

Name: lirsgt.sys
Image Path: C:WINDOWSsystem32DRIVERSlirsgt.sys
Address: 0xF7A06000 Size: 18048 File Visible: - Signed: -
Status: -

Name: mdc8021x.sys
Image Path: C:WINDOWSsystem32DRIVERSmdc8021x.sys
Address: 0xAA2E6000 Size: 14176 File Visible: - Signed: -
Status: -

Name: meiudf.sys
Image Path: C:WINDOWSSystem32Driversmeiudf.sys
Address: 0xAA8C7000 Size: 102112 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:WINDOWSSystem32Driversmnmdd.SYS
Address: 0xF7BAA000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:WINDOWSSystem32DriversModem.SYS
Address: 0xF79EE000 Size: 30080 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:WINDOWSsystem32DRIVERSmouclass.sys
Address: 0xF7A26000 Size: 23040 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF766E000 Size: 42368 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:WINDOWSsystem32DRIVERSmrxdav.sys
Address: 0xA9E51000 Size: 180608 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:WINDOWSsystem32DRIVERSmrxsmb.sys
Address: 0xAA689000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:WINDOWSSystem32DriversMsfs.SYS
Address: 0xF78D6000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:WINDOWSsystem32DRIVERSmsgpc.sys
Address: 0xF783E000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:WINDOWSsystem32DRIVERSmssmbios.sys
Address: 0xF7B02000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF72E5000 Size: 105344 File Visible: - Signed: -
Status: -

Name: NBSMI.sys
Image Path: C:WINDOWSsystem32DRIVERSNBSMI.sys
Address: 0xF7B98000 Size: 6144 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF72FF000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:WINDOWSsystem32DRIVERSndistapi.sys
Address: 0xF7270000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:WINDOWSsystem32DRIVERSndisuio.sys
Address: 0xAA202000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:WINDOWSsystem32DRIVERSndiswan.sys
Address: 0xF677B000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:WINDOWSSystem32DriversNDProxy.SYS
Address: 0xF785E000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:WINDOWSsystem32DRIVERSnetbios.sys
Address: 0xF6BF8000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:WINDOWSsystem32DRIVERSnetbt.sys
Address: 0xAA746000 Size: 162816 File Visible: - Signed: -
Status: -

Name: netdevio.sys
Image Path: C:WINDOWSsystem32DRIVERSnetdevio.sys
Address: 0xAA1FE000 Size: 12032 File Visible: - Signed: -
Status: -

Name: nic1394.sys
Image Path: C:WINDOWSsystem32DRIVERSnic1394.sys
Address: 0xF76CE000 Size: 61824 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:WINDOWSSystem32DriversNpfs.SYS
Address: 0xF78F6000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF732C000 Size: 574976 File Visible: - Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:WINDOWSsystem32ntoskrnl.exe
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:WINDOWSSystem32DriversNull.SYS
Address: 0xF7C9C000 Size: 2944 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF763E000 Size: 61696 File Visible: - Signed: -
Status: -

Name: OPRGHDLR.SYS
Image Path: C:WINDOWSsystem32DRIVERSOPRGHDLR.SYS
Address: 0xF7C07000 Size: 4096 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF78C6000 Size: 19712 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF74C5000 Size: 68224 File Visible: - Signed: -
Status: -

Name: PCI_PNP2356
Image Path: DriverPCI_PNP2356
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7C06000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:WINDOWSsystem32DRIVERSPCIIDEX.SYS
Address: 0xF78BE000 Size: 28672 File Visible: - Signed: -
Status: -

Name: pcmcia.sys
Image Path: pcmcia.sys
Address: 0xF74A7000 Size: 120192 File Visible: - Signed: -
Status: -

Name: pfc.sys
Image Path: C:WINDOWSsystem32driverspfc.sys
Address: 0xF72A9000 Size: 10368 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: DriverPnpManager
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:WINDOWSsystem32driversportcls.sys
Address: 0xAAB8F000 Size: 147456 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:WINDOWSsystem32DRIVERSpsched.sys
Address: 0xF676A000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:WINDOWSsystem32DRIVERSptilink.sys
Address: 0xF79AE000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF76AE000 Size: 36320 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:WINDOWSsystem32DRIVERSrasacd.sys
Address: 0xF7278000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:WINDOWSsystem32DRIVERSrasl2tp.sys
Address: 0xF780E000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:WINDOWSsystem32DRIVERSraspppoe.sys
Address: 0xF781E000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:WINDOWSsystem32DRIVERSraspptp.sys
Address: 0xF782E000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:WINDOWSsystem32DRIVERSraspti.sys
Address: 0xF79B6000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: FileSystemRAW
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:WINDOWSsystem32DRIVERSrdbss.sys
Address: 0xAA6F9000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:WINDOWSSystem32DRIVERSRDPCDD.sys
Address: 0xF7BAC000 Size: 4224 File Visible: - Signed: -
Status: -

Name: rdpdr.sys
Image Path: C:WINDOWSsystem32DRIVERSrdpdr.sys
Address: 0xF673A000 Size: 196224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:WINDOWSsystem32DRIVERSredbook.sys
Address: 0xF774E000 Size: 57600 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:WINDOWSsystem32driversrootrepeal.sys
Address: 0xA9EDE000 Size: 49152 File Visible: No Signed: -
Status: -

Name: RtkHDAud.sys
Image Path: C:WINDOWSsystem32driversRtkHDAud.sys
Address: 0xAABB3000 Size: 4247552 File Visible: - Signed: -
Status: -

Name: s24trans.sys
Image Path: C:WINDOWSsystem32DRIVERSs24trans.sys
Address: 0xAA2DE000 Size: 13568 File Visible: - Signed: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:WINDOWSSystem32DriversSCSIPORT.SYS
Address: 0xF7504000 Size: 98304 File Visible: - Signed: -
Status: -

Name: sdbus.sys
Image Path: C:WINDOWSsystem32DRIVERSsdbus.sys
Address: 0xF6844000 Size: 79232 File Visible: - Signed: -
Status: -

Name: SKYNETcqalhddt.sys
Image Path: C:WINDOWSsystem32driversSKYNETcqalhddt.sys
Address: 0xAA88D000 Size: 167936 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: sprl.sys
Image Path: sprl.sys
Address: 0xF751C000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: Driversptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF73E6000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:WINDOWSsystem32DRIVERSsrv.sys
Address: 0xA992C000 Size: 333952 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:WINDOWSsystem32DRIVERSswenum.sys
Address: 0xF7B8C000 Size: 4352 File Visible: - Signed: -
Status: -

Name: SynTP.sys
Image Path: C:WINDOWSsystem32DRIVERSSynTP.sys
Address: 0xF67ED000 Size: 191936 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:WINDOWSsystem32driverssysaudio.sys
Address: 0xA9EEE000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tbiosdrv.sys
Image Path: C:WINDOWSsystem32DRIVERStbiosdrv.sys
Address: 0xF7B06000 Size: 9472 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:WINDOWSsystem32DRIVERStcpip.sys
Address: 0xAA76E000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:WINDOWSsystem32DRIVERSTDI.SYS
Address: 0xF79A6000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:WINDOWSsystem32DRIVERStermdd.sys
Address: 0xF784E000 Size: 40704 File Visible: - Signed: -
Status: -

Name: tifm21.sys
Image Path: C:WINDOWSsystem32driverstifm21.sys
Address: 0xF6858000 Size: 162560 File Visible: - Signed: -
Status: -

Name: tmcomm.sys
Image Path: C:WINDOWSsystem32driverstmcomm.sys
Address: 0xA92E4000 Size: 97280 File Visible: - Signed: -
Status: -

Name: tmpreflt.sys
Image Path: C:WINDOWSsystem32DRIVERStmpreflt.sys
Address: 0xAA7DA000 Size: 53248 File Visible: - Signed: -
Status: -

Name: tmtdi.sys
Image Path: C:WINDOWSsystem32DRIVERStmtdi.sys
Address: 0xF6BE8000 Size: 59264 File Visible: - Signed: -
Status: -

Name: tmxpflt.sys
Image Path: C:WINDOWSsystem32DRIVERStmxpflt.sys
Address: 0xAA34A000 Size: 294912 File Visible: - Signed: -
Status: -

Name: tsxt_kern_i386.sys
Image Path: C:WINDOWSsystem32DRIVERStsxt_kern_i386.sys
Address: 0xF79CE000 Size: 32768 File Visible: - Signed: -
Status: -

Name: Tvs.sys
Image Path: C:WINDOWSsystem32DRIVERSTvs.sys
Address: 0xF788E000 Size: 43392 File Visible: - Signed: -
Status: -

Name: Udfs.SYS
Image Path: C:WINDOWSSystem32DriversUdfs.SYS
Address: 0xAA8B6000 Size: 66048 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:WINDOWSsystem32DRIVERSupdate.sys
Address: 0xF66B4000 Size: 384768 File Visible: - Signed: -
Status: -

Name: usbaapl.sys
Image Path: C:WINDOWSSystem32Driversusbaapl.sys
Address: 0xF6C08000 Size: 57344 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:WINDOWSsystem32DRIVERSUSBD.SYS
Address: 0xF7B84000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:WINDOWSsystem32DRIVERSusbehci.sys
Address: 0xF7A16000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:WINDOWSsystem32DRIVERSusbhub.sys
Address: 0xF76DE000 Size: 59520 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:WINDOWSsystem32DRIVERSUSBPORT.SYS
Address: 0xF6880000 Size: 147456 File Visible: - Signed: -
Status: -

Name: usbscan.sys
Image Path: C:WINDOWSsystem32DRIVERSusbscan.sys
Address: 0xF6716000 Size: 15104 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:WINDOWSsystem32DRIVERSusbuhci.sys
Address: 0xF7A0E000 Size: 20608 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:WINDOWSSystem32driversvga.sys
Address: 0xF7A46000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:WINDOWSsystem32DRIVERSVIDEOPRT.SYS
Address: 0xF6A29000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF767E000 Size: 52352 File Visible: - Signed: -
Status: -

Name: vsapint.sys
Image Path: C:WINDOWSsystem32DRIVERSvsapint.sys
Address: 0xAA3BA000 Size: 1213376 File Visible: - Signed: -
Status: -

Name: w39n51.sys
Image Path: C:WINDOWSsystem32DRIVERSw39n51.sys
Address: 0xF68A4000 Size: 1428096 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:WINDOWSsystem32DRIVERSwanarp.sys
Address: 0xF6BC8000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:WINDOWSSystem32watchdog.sys
Address: 0xF7956000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:WINDOWSsystem32driverswdmaud.sys
Address: 0xA9E3C000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: DriverWin32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:WINDOWSSystem32win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:WINDOWSSystem32DriversWMILIB.SYS
Address: 0xF7B40000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: DriverWMIxWDM
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -
Status: -

Name: wowhd_kern_i386.sys
Image Path: C:WINDOWSsystem32DRIVERSwowhd_kern_i386.sys
Address: 0xF79E6000 Size: 28672 File Visible: - Signed: -
Status: -





- Also, I have tried running regedit, but I haven't had any luck.

Any help would be greatly appreciated!

Figured out a way to run HijackThis.. :]







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:41 AM, on 9/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesIntelWirelessBinEvtEng.exe
C:Program FilesIntelWirelessBinS24EvMon.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
C:Program FilesBonjourmDNSResponder.exe
C:Program FilesTOSHIBAConfigFreeCFSvcs.exe
C:WINDOWSsystem32DVDRAMSV.exe
C:WINDOWSeHomeehRecvr.exe
C:WINDOWSeHomeehSched.exe
C:Program FilesJavajre6binjqs.exe
C:WINDOWSsystem32HPZipm12.exe
C:Program FilesIntelWirelessBinRegSrvc.exe
C:Program FilesTrend MicroInternet SecuritySfCtlCom.exe
C:Program FilesTrend MicroInternet SecurityUfSeAgnt.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32svchost.exe
c:TOSHIBAIVPswupdateswupdtmr.exe
C:Program FilesTOSHIBATOSHIBA AppletTAPPSRV.exe
C:WINDOWSehomemcrdsvc.exe
C:WINDOWSsystem32dllhost.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:WINDOWSSystem32alg.exe
C:WINDOWSsystem32wmdtc.exe
C:Program FilesTrend MicroInternet SecurityTmProxy.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32sofatnet.exe
C:WINDOWSsystem32lsm32.sys
C:Program FilesTrend MicroHijackThisHijackThis.exe
C:WINDOWSsystem32wbemwmiprvse.exe

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:WINDOWSsystem32userinit.exe,C:WINDOWSsystem32driverssmss.exe,C:WINDOWSsystem32sdra64.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesAdobeAcrobat 7.0ActiveXAcroIEHelper.dll (file missing)
O2 - BHO: MSN helper - {19EA25F0-EB8F-43B9-B9E8-0A81E9A97177} - lkod.dll (file missing)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:Program FilesAskBarDisbarbinaskBar.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:Program FilesRealRealPlayerrpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:WINDOWSSystem32DLADLASHX_W.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:Program FilesCommon FilesMicrosoft SharedWindows LiveWindowsLiveLogin.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:Program FilesViewpointViewpoint Toolbar3.8.0ViewBarBHO.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:Program FilesGoogleGoogleToolbarNotifier5.1.1309.3572swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:Program FilesJavajre6binjp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:Program FilesJavajre6libdeployjqsiejqs_plugin.dll
O4 - HKLM..Run: [TFncKy] TFncKy.exe
O4 - HKLM..Run: [TDispVol] TDispVol.exe
O4 - HKLM..Run: [SynTPEnh] C:Program FilesSynapticsSynTPSynTPEnh.exe
O4 - HKLM..Run: [igfxtray] C:WINDOWSsystem32igfxtray.exe
O4 - HKLM..Run: [igfxhkcmd] C:WINDOWSsystem32hkcmd.exe
O4 - HKLM..Run: [igfxpers] C:WINDOWSsystem32igfxpers.exe
O4 - HKLM..Run: [ehTray] C:WINDOWSehomeehtray.exe
O4 - HKLM..Run: [THotkey] C:Program FilesToshibaToshiba Appletthotkey.exe
O4 - HKLM..Run: [SynTPLpr] C:Program FilesSynapticsSynTPSynTPLpr.exe
O4 - HKLM..Run: [LtMoh] C:Program FilesltmohLtmoh.exe
O4 - HKLM..Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM..Run: [Tvs] C:Program FilesToshibaTvsTvsTray.exe
O4 - HKLM..Run: [TPSMain] TPSMain.exe
O4 - HKLM..Run: [PadTouch] C:Program FilesTOSHIBATouch and LaunchPadExe.exe
O4 - HKLM..Run: [SmoothView] C:Program FilesTOSHIBATOSHIBA Zooming UtilitySmoothView.exe
O4 - HKLM..Run: [dla] C:WINDOWSsystem32dlaDLACTRLW.exe
O4 - HKLM..Run: [Pinger] c:toshibaivpismpinger.exe /run
O4 - HKLM..Run: [IntelZeroConfig] "C:Program FilesIntelWirelessbinZCfgSvc.exe"
O4 - HKLM..Run: [IntelWireless] "C:Program FilesIntelWirelessBinifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM..Run: [MSKDetectorExe] C:Program FilesMcAfeeSpamKillerMSKDetct.exe /uninstall
O4 - HKLM..Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM..Run: [PRISMSVR.EXE] "C:WINDOWSsystem32PRISMSVR.EXE" /APPLY
O4 - HKLM..Run: [TkBellExe] "C:Program FilesCommon FilesRealUpdate_OBrealsched.exe" -osboot
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre6binjusched.exe"
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeQTTask.exe" -atboottime
O4 - HKLM..Run: [iTunesHelper] "C:Program FilesiTunesiTunesHelper.exe"
O4 - HKLM..Run: [MRT] "C:WINDOWSsystem32MRT.exe" /R
O4 - HKLM..Run: [DWQueuedReporting] "c:PROGRA~1COMMON~1MICROS~1DWdwtrig20.exe" -t
O4 - HKCU..Run: [TOSCDSPD] C:Program FilesTOSHIBATOSCDSPDtoscdspd.exe
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:Program FilesMicrosoft OfficeOFFICE11ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:Program FilesAdobeAcrobat 7.0Readerreader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOffice10OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:WINDOWSsystem32RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office10EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:WINDOWSsystem32Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: http://www.godaddy.com
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - file:///D:/win/setup/iaieplay.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:Program FilesYahoo!commonyinsthelper.dll
O16 - DPF: {8B67B37E-1AE2-4B99-B8CF-55AF4D58DF0D} (IAMCE Class) - file:///D:/win/setup/iamce.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: C:PROGRA~1GoogleGOOGLE~1GOEC62~1.DLL,C:WINDOWSTEMP111957kou.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:Program FilesCommon FilesAdobe Systems SharedServiceAdobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:Program FilesBonjourmDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:Program FilesTOSHIBAConfigFreeCFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:WINDOWSsystem32DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:Program FilesIntelWirelessBinEvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver11Intel 32IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:Program FilesiPodbiniPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:Program FilesJavajre6binjqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:WINDOWSsystem32HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:Program FilesIntelWirelessBinRegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:Program FilesIntelWirelessBinS24EvMon.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:Program FilesTrend MicroInternet SecuritySfCtlCom.exe
O23 - Service: sofatnet Service (sofatnet) - Sigma Designs In - C:WINDOWSsystem32sofatnet.exe
O23 - Service: Swupdtmr - Unknown owner - c:TOSHIBAIVPswupdateswupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:Program FilesTOSHIBATOSHIBA AppletTAPPSRV.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:Program FilesTrend MicroBMTMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:Program FilesTrend MicroInternet SecurityTmProxy.exe

--
End of file - 10394 bytes

Attached Files


Edited by The weatherman, 27 September 2009 - 05:20 PM.
Merged post to keep the member on 0 replies.~Tw


BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:02:55 PM

Posted 14 October 2009 - 05:47 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from following mirror:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 corpsesriiise

corpsesriiise
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:SoCal
  • Local time:04:55 AM

Posted 14 October 2009 - 11:22 PM

Hi, _temp_!
Thanks for replying. :]

Unfortunately, since I last posted this my computer only got worse. Currently I can't go online onto firefox. It gives me an error saying, 'Assert in LSP; original ==reinterpret_cast<proc>(instance->org_startup_) assertion failed; capture\lsp\nolsp\wsp_patches.cpp:239' and gives me the option to either abort, retry, or ignore. But none of those options will make firefox work.

I tried getting into task manager which worked fine before, now it says, Task Manager has been disabled by your administrator.

Should I download the OTL from another computer then transfer it to my infected computer through a flash disk or something? What are my options at this point?

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:02:55 PM

Posted 15 October 2009 - 04:28 AM

Hi,

if you are transferring things from the infected PC, please be extra careful, since some infections spread through flash drives.
We are going to disinfect your flash drive, so you should be safe, however to minimise the risks, I would advise to transfer as little as possible.
You can run the tool from your clean PC:
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


I would like to ask you to download a collection of tools and save them on your flash drive so that you do not have to go back and forth with it. Do not run all of those on your infected PC right away but only when I ask you to. (we may not use some of them at all.)The first thing I would like you to try on the infected PC, is LSPFix:
  • Disconnect from the Internet, go to the LSPfix file and extract (unzip) LSP-Fix into its own folder such as C:\lspfix. (Click here for information on how to do this if not sure. Win 9x/2000 users click here.
  • Open the lspfix folder and double-click on LSPFix.exe to start the program.
  • Check the "I know what I am doing" checkbox.
  • Select (highlight) all instances of 111957kou.dll in the left column under "Keep".
  • Click the arrow >> so it goes over to the right column under "Remove".
  • Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
  • Restart your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
  • Delete the following files:
    • C:\WINDOWS\TEMP\111957kou.dll[/B]
  • Restart your computer normally and try to connect to the internet
For instructions with screen shots, see the "Using LSP-Fix Tutorial".

If you can then connect to the internet please provide the OTL logs as well. If you can't let me know.

regards _temp_

Edited by _temp_, 15 October 2009 - 04:28 AM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 corpsesriiise

corpsesriiise
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:SoCal
  • Local time:04:55 AM

Posted 16 October 2009 - 10:58 AM

K, so far I've installed the flash drive cleaner on the clean computer and ran it. Then I downloaded all of the listed files on to the flash drive and I ran the lpfix program on the infected computer. The problem is that it won't find the 111957kou.dll file so I can put it on the remove list. I tried to go into safe mode and delete that dll file but it wouldn't allow me. It said, 'access denied'. Any other suggestions?

Oh, and I'm still gettin that lsm error while in safe mode too, in case it means anything.

#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:02:55 PM

Posted 18 October 2009 - 09:22 AM

Hi,

if the file 111957kou.dll is not listed by LSPFix this is actually a good thing, I think. :( It means, that the file should no longer interfere with the LSP. Could you please tell me the entries you see in LSPFix?

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 corpsesriiise

corpsesriiise
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:SoCal
  • Local time:04:55 AM

Posted 18 October 2009 - 10:59 AM

Ahh, sweet! The entries are... Mswsock.dll, winrnr.dll, mdnsNSP.dll, and rsvpsp.dll. Did you want their descriptions too?

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:02:55 PM

Posted 18 October 2009 - 12:10 PM

Hi,

those are windows files and should be left allone for now. :(

Could you please try to uninstall Google Desktop and see if this will restore your internet access.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 corpsesriiise

corpsesriiise
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:SoCal
  • Local time:04:55 AM

Posted 19 October 2009 - 03:50 AM

Okay... When I try uninstalling it traditionally through the add/remove app in the control pannel it says, c:windows\system32\rundll32.exe Application not found. Sooo, I went and searched for the google uninstall program and when I ran thaaat, it said, c:program files\google\google desktop search\googlededesktopsetup.exe is not a valid win32 application.

Andd, I tried doing these steps while in safe mode but I didn't have any luck with that either. I got the same error messages...

#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:02:55 PM

Posted 19 October 2009 - 10:32 AM

Hi,


Please copy ComboFix on your infected PC.
**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Posted Image

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


    Posted Image


  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

If Combofix does not restore your internet access please copy the file on your Flashdrive and post it to me via your clean PC. It should be safe to connect your flash drive to your PC, but, as an extra measure of safety, please hold down the shift-key on the clean PC while you connect your flash drive.


regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#11 corpsesriiise

corpsesriiise
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:SoCal
  • Local time:04:55 AM

Posted 21 October 2009 - 02:06 AM

I've hit another brick wall... I can't run combofix. It seems like it's starting to load then it does nothing. Then I tried dragging the Setup package into combofix like you said, and it gave me an error saying the application [combofix] is not found [eventhough all these tools are on my desktop].

I'm not sure if I mentioned this before, but for like a month now i've been having to do little tricks to get programs to work. Every time I try to open a program, an 'open with' window pops up and basically I've had to browse for the location of that program in that window, which works sometimes. When it doesn't I just get that lsm32 error with the options to abort, ignore or retry.


Thanks for your time, again. I know this is no easy fix.. :(

#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:02:55 PM

Posted 21 October 2009 - 09:48 AM

Hi,

ok, at this point I will need more information. This means I would like you to run OTL and post the logs here. Your flash drive should be protected from infecting your clean PC, however as an extra safety measure, I would like to ask you press the SHIFT-key whenever you connect your flash drive to your clean PC.

We need to create an OTL Report
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTListIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
I would also like to ask you to run the following two tools, which will need to be transfered:

Download and run Win32kDiag:
Please also download unhookexec.inf:
  • Download the following file: UnHookExec.inf
  • Save it to your Desktop.
  • Rightclick the file and select install.
  • Please reboot

Please post back the logs from OTL and Win32kDiag. Did running unhookexec.inf change anything about you being able to run your programs?
regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#13 corpsesriiise

corpsesriiise
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:SoCal
  • Local time:04:55 AM

Posted 23 October 2009 - 01:05 PM

Hey,

I went ahead and installed OTL on my desktop; I selected scan all users and clicked Run, and the program ran for about 10 or so seconds, then decided to disappear. Then I tried to rerun it and it said "Windows cannot find the appropriate device, path, or file. You may not have the permissions to access the item."

Thuuus, I only have the other log file, the Win32kDiag one which ran fine.

unhookexec.inf absolutely helped. I don't ge the Open With windows anymore. :] I do still get that other error message [Assert LSP] with certain programs though, like firefox.





Running from: C:\Documents and Settings\Diana Radu\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Diana Radu\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB913580\KB913580

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\APW_DATA\APW_DATA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BDATunePIA\BDATunePIA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehCIR\ehCIR

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\EhCM\EhCM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehcommon\ehcommon

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepg\ehepg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepgdat\ehepgdat

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtCOM\ehExtCOM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtHost\ehExtHost

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtCOM\ehiExtCOM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtens\ehiExtens

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiMsgr\ehiMsgr

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiPlay\ehiPlay

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiProxy\ehiProxy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiUserXp\ehiUserXp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiVidCtl\ehiVidCtl

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiwmp\ehiwmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiWUapi\ehiWUapi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehRecObj\ehRecObj

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehshell\ehshell

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.MediaCenter\Microsoft.MediaCenter

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP175.tmp\ZAP175.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP280.tmp\ZAP280.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP293.tmp\ZAP293.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP29E.tmp\ZAP29E.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2A9.tmp\ZAP2A9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP37.tmp\ZAP37.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP42E.tmp\ZAP42E.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6C.tmp\ZAP6C.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ehome\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\OfficeAssistant\Microsoft Office Tools\Microsoft Office Tools

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Options\CABS\CABS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Options\Install\Install

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-10 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^



Finished!


#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:02:55 PM

Posted 26 October 2009 - 11:06 AM

Hi,

you contracted a real nasty rootkit.
We will need some more tools, since ComboFix isn't running:
  • Download The Avenger by Swandog46 from here.
  • Please download Junction.zip and save it.
First go to Start > Run copy/paste the following lines one by one in the run box and click OK after each line.

cmd /c copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y
cmd /c dir /a C:\eventlog.dll >log.txt&log.txt&del log.txt

A log file will appear. Please post the content in your next reply.
  • Then Unzip/extract Avenger to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the avenger window, click the Paste Script from Clipboard, Posted Image button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new OTL log in your next reply.
Afterwards please run wink32diag again as followed:
please run win32kdiag.exe again, with the following command to fix some malware related changes.
Please make sure that a copy of win32kdiag.exe is located on your desktop.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK:

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Finally we need to scan the system with this special tool.
  • Unzip junction and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.
Please post back the content of the log.txt, the log from avenger, win32kdiag and junction in your next reply.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#15 corpsesriiise

corpsesriiise
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:SoCal
  • Local time:04:55 AM

Posted 27 October 2009 - 01:02 AM

A rootkit? Interesting... Well here are the logs:

log.txt
Volume in drive C is SQ004224P01
Volume Serial Number is 782D-CCD2

Directory of C:\

04/13/2008 05:11 PM 56,320 eventlog.dll
1 File(s) 56,320 bytes
0 Dir(s) 111,502,372,864 bytes free

Avenger
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "a2m0beb1" found!
Start Type: 3 (Manual)

Rootkit scan completed.

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


Junction

Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\54f3fea9dae418ae09c24a380f\36188182474c08dc875770abbddcc8: Access is denied.


...

...

...

...

...

..
Failed to open \\?\c:\\Documents and Settings\Diana Radu\Desktop\OTL.exe: Access is denied.



Failed to open \\?\c:\\Documents and Settings\Diana Radu\Desktop\OTL2.exe: Access is denied.



Failed to open \\?\c:\\Documents and Settings\Diana Radu\Desktop\OTTL.exe: Access is denied.


.

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

.
Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.


..

...

...

...

...

...

.\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

..

...

...

...

...

...

...

...

...

...

...




& I still couldn't open the OTL to get a log....




1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users