Google Reroute Virus/Malware/Trojan


  • This topic is locked
47 replies to this topic

#1 babamoskva

  • Members
  • 27 posts

Posted 19 October 2009 - 12:42 AM

Hello everyone,

I am having a problem that I saw th bytes help bamckeller with today. I am posting this because of the fact that th bytes said not to use the Avenger unless supervised and because the scripts were specific to bamckeller's problem.

My problem is that whenever I run a search on google (either in the toolbar or on the web) or any other search engine, the webpage is redirected to a spam site that has nothing to do with my search. It is very frustrating and I have tried SD Fix, Kaspersky, MalwareBytes anti-malware, etc. I installed firefox thinking that IE was the problem but the same thing happened and worse: soon after my installation, a "Windows Enterprise Defender" program popped up and tried to get me to download a file, which I didn't do. Anyway, then I tried to install Avast, but it said there was an error and closed it.

I have to mention that I know nothing about programming etc., so please consider me a complete novice here.

I tried to do the steps outlined in the Preparation Guide, but the DDS log didn't materialize for me.

I have Windows XP and a dell laptop with a wireless router. I have an external hard drive that I periodically backup with but I am afraid of copying the file where the virus is hiding.

I hate this virus or whatever it is and I beg someone to help me.

Thank you so much in advance.

I ran the RootRepeal Log and here it is:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/10/19 01:02
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF4DAA000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8CE2000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF1AE0000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\shayna\local settings\temp\~df51db.tmp
Status: Allocation size mismatch (API: 65536, Raw: 16384)

Path: c:\documents and settings\shayna\local settings\temp\~df656d.tmp
Status: Allocation size mismatch (API: 393216, Raw: 16384)

Path: c:\documents and settings\shayna\local settings\temp\~df7251.tmp
Status: Allocation size mismatch (API: 458752, Raw: 16384)

Path: c:\documents and settings\shayna\local settings\temp\~df890a.tmp
Status: Allocation size mismatch (API: 196608, Raw: 16384)

Path: c:\documents and settings\shayna\local settings\temp\~dfb7b7.tmp
Status: Allocation size mismatch (API: 131072, Raw: 16384)

Path: C:Documents and SettingsShaynaDesktopBOBOV- Songs01 Dz_ikov01 Chasidim V_anshei MasehDc16.mp3
Status: Locked to the Windows API!

Path: C:Documents and SettingsShaynaDesktopBOBOV- Songs01 Dz_ikov01 Chasidim V_anshei MasehDc19.mp3
Status: Locked to the Windows API!

Path: C:Documents and SettingsShaynaDesktopBOBOV- Songs02 H.L. Bakon01 Chasidim V_anshei MasehDc17.mp3
Status: Locked to the Windows API!

Path: C:Documents and SettingsShaynaDesktopBOBOV- Songs03 Kaminka01 Chasidei BobovDc15.mp3
Status: Locked to the Windows API!

Path: C:Documents and SettingsShaynaDesktopBOBOV- Songs04 Lipa Laish01 Chasidim V_anshei MasehDc18.mp3
Status: Locked to the Windows API!

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c71da

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c77ae

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c91ea

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c8b9c

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c6950

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51cab7c

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c75ae

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c6d92

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c6f92

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c8eac

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51cb084

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c70a8

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c7110

#: 084 Function Name: NtFsControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c8d5e

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51ca620

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c89f8

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c6ab2

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c73b2

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51caba6

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c72fe

#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c7178

#: 161 Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c6e7c

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c6c5a

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51ca888

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c65d2

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c9a74

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c6734

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51caf56

#: 207 Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c63d0

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c908c

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c76ac

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51ca71a

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51cabd0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c6b08

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51cacb4

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51cade0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51ca54c

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c747e

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c74f0

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c8938

#: 227 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c8998

#: 237 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c89c8

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c8968

#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c7e28

#: 323 Function Name: NtUserCallOneParam
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c8ff8

#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c8106

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c7d68

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c7dc8

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c7d98

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51ca49c

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51ca4f4

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51ca520

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c8fa2

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c80e0

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c7806

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xf51c79f2

==EOF==

Merged post: I have attached the hijackthis log files. Please help me.

Attached Files


Edited by The weatherman, 20 October 2009 - 07:00 PM.
Merged posts to keep the member on "0" replies.~Tw
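A RootRepeal report like the one above is long but has a regular layout, so a few lines of Python can do the first triage pass. The following is an added example (not part of the original post and not RootRepeal's own code): it splits the report into its sections, groups every SSDT and Shadow SSDT hook by the driver that installed it, flags any hooking driver that is not on an analyst-supplied list of expected modules, and lists hidden files whose API and raw allocation sizes disagree. The embedded report excerpt is constructed in RootRepeal's format from the log above; the second driver (unknown.sys) and its address are made up so that the check has something to flag.

```python
import re
from collections import defaultdict

# Constructed excerpt in RootRepeal's report layout, modelled on the log above.
# unknown.sys and its address are made up so the check below has something to flag.
SAMPLE_REPORT = """\
ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/10/19 01:02
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xF1AE0000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\\documents and settings\\user\\local settings\\temp\\~df51db.tmp
Status: Allocation size mismatch (API: 65536, Raw: 16384)

SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\\WINDOWS\\system32\\DRIVERS\\klif.sys" at address 0xf51c8b9c

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\\WINDOWS\\system32\\DRIVERS\\klif.sys" at address 0xf51c73b2

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\\WINDOWS\\system32\\DRIVERS\\unknown.sys" at address 0xf5000000

Shadow SSDT
-------------------
#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\\WINDOWS\\system32\\DRIVERS\\klif.sys" at address 0xf51c7806

==EOF==
"""

HOOK_RE = re.compile(r"^#: (\d+) Function Name: (\S+)\s*$")
HOOKED_BY_RE = re.compile(r'^Status: Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
MISMATCH_RE = re.compile(r"^Status: Allocation size mismatch \(API: (\d+), Raw: (\d+)\)")


def parse_sections(report):
    """Split a RootRepeal report into {section name: [non-blank lines]}.

    RootRepeal prints each section name on the line just above a dashed rule,
    so the rule tells us that the previous line was a heading, not content.
    """
    sections, current, prev = {}, None, None
    for line in report.splitlines():
        if line.startswith("-------------------"):
            if current is not None and sections[current] and sections[current][-1] == prev:
                sections[current].pop()  # the heading was appended to the previous section
            current = prev.strip()
            sections[current] = []
        elif current is not None and line.strip() and line.strip() != "==EOF==":
            sections[current].append(line)
        prev = line
    return sections


def hooks_by_module(report):
    """Map each hooking module to the (table, index, function, address) entries it hooks."""
    sections = parse_sections(report)
    hooks = defaultdict(list)
    for table in ("SSDT", "Shadow SSDT"):
        pending = None
        for line in sections.get(table, []):
            m = HOOK_RE.match(line)
            if m:
                pending = (table, int(m.group(1)), m.group(2))
                continue
            m = HOOKED_BY_RE.match(line)
            if m and pending is not None:
                hooks[m.group(1)].append(pending + (m.group(2),))
                pending = None
    return dict(hooks)


def unexpected_hookers(report, expected_basenames):
    """Return hooking modules whose file name is not in the expected set (case-insensitive)."""
    expected = {name.lower() for name in expected_basenames}
    return sorted(path for path in hooks_by_module(report)
                  if path.rsplit("\\", 1)[-1].lower() not in expected)


def allocation_mismatches(report):
    """Return (path, api_size, raw_size) for hidden/locked files whose two sizes disagree."""
    out, pending = [], None
    for line in parse_sections(report).get("Hidden/Locked Files", []):
        if line.startswith("Path: "):
            pending = line[len("Path: "):]
            continue
        m = MISMATCH_RE.match(line)
        if m and pending is not None:
            out.append((pending, int(m.group(1)), int(m.group(2))))
        pending = None
    return out


if __name__ == "__main__":
    for module, entries in hooks_by_module(SAMPLE_REPORT).items():
        print(f"{module}: {len(entries)} hook(s), e.g. {entries[0][2]}")
    print("modules not on the expected list:", unexpected_hookers(SAMPLE_REPORT, {"klif.sys"}))
    print("allocation size mismatches:", allocation_mismatches(SAMPLE_REPORT))
```

The expected-module set is the analyst's input, not something the report can supply. In the log above every one of the 54 hooks points at klif.sys, which is the Kaspersky Anti-Virus filter driver (Kaspersky is installed on this machine, as the ComboFix log later in the thread shows), so those entries are the product's own interception layer rather than evidence of a rootkit; a hook attributed to a driver you cannot account for is the line that deserves attention. The temp-file allocation mismatches are likewise common for files a process still has open and are a weak signal on their own.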



#2 Grinler (Lawrence Abrams)

  • Admin
  • 43,461 posts
  • Gender:Male
  • Location:USA

Posted 22 October 2009 - 09:30 AM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log as a reply to this

#3 babamoskva
  • Topic Starter

  • Members
  • 27 posts

Posted 22 October 2009 - 10:41 PM

Thank you so much; here it is:

ComboFix 09-10-21.02 - Shayna 10/22/2009 22:46.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.237 [GMT -4:00]
Running from: c:\documents and settings\Shayna\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091022-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bqefoh.exe
C:\cwxa.exe
C:\jboy.exe
C:\tfdp.exe
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\system32\drivers\fad.sys

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.

2009-10-23 03:07 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-23 03:07 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-21 06:23 . 2009-10-21 06:27 -------- d-----w- c:\program files\SpywareBlaster
2009-10-21 05:49 . 2009-10-21 06:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-21 05:49 . 2009-10-21 06:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-21 00:02 . 2009-10-21 00:02 -------- d-----w- c:\documents and settings\Shayna\Local Settings\Application Data\Deployment
2009-10-20 18:17 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-10-20 18:17 . 2009-09-15 10:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-10-20 18:17 . 2009-09-15 10:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-10-20 18:17 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-10-20 18:17 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-10-20 18:17 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-10-20 18:17 . 2009-09-15 10:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-10-20 18:17 . 2009-09-15 10:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-10-20 18:16 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-10-20 18:16 . 2009-10-20 18:16 -------- d-----w- c:\program files\Alwil Software
2009-10-20 14:13 . 2009-10-20 14:13 -------- d-----w- c:\program files\Trend Micro
2009-10-20 04:56 . 2009-10-20 04:56 2 --shatr- c:\windows\winstart.bat
2009-10-20 04:54 . 2009-10-23 02:01 -------- d-----w- c:\program files\UnHackMe
2009-10-19 03:44 . 2009-10-19 03:44 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-19 03:33 . 2009-10-19 03:33 0 ----a-w- c:\documents and settings\Shayna\settings.dat
2009-10-18 14:02 . 2009-10-23 02:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-18 14:00 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-10-18 14:00 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-10-18 14:00 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-10-18 14:00 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-10-18 14:00 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-10-18 14:00 . 2009-10-18 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-10-18 06:03 . 2009-10-18 06:03 -------- d-----w- c:\documents and settings\Shayna\Application Data\Malwarebytes
2009-10-18 06:03 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-18 06:03 . 2009-10-18 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-18 06:03 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-18 06:03 . 2009-10-18 10:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-16 17:32 . 2009-10-16 17:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-15 16:16 . 2009-10-15 16:15 411368 ----a-w- c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 03:17 . 2009-03-25 03:36 3572 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-10-23 03:17 . 2009-03-25 03:36 729120 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-10-23 03:17 . 2009-03-25 03:36 3136032 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-23 03:17 . 2009-03-25 03:36 26628 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-22 23:03 . 2007-07-26 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-10-20 01:02 . 2004-08-06 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-20 01:01 . 2004-08-06 04:11 -------- d-----w- c:\program files\Viewpoint
2009-10-15 16:15 . 2004-08-06 04:00 -------- d-----w- c:\program files\Java
2009-10-14 14:24 . 2007-07-26 02:29 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-14 14:24 . 2007-07-26 02:29 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-09-25 04:02 . 2004-09-06 02:40 952 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-11 14:18 . 2002-08-29 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-03-30 01:48 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-30 18:55 . 2007-12-25 16:37 -------- d-----w- c:\documents and settings\Shayna\Application Data\ZoomBrowser EX
2009-08-30 18:51 . 2007-12-25 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-08-29 08:08 . 2004-08-24 00:32 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2002-08-29 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 23:24 . 2004-08-23 16:37 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-23 16:37 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-23 16:37 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2002-08-29 10:00 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2002-08-29 10:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-23 16:37 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2005-10-16 00:05 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2005-05-26 08:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2002-08-29 10:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2002-12-12 05:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 23:52 . 2009-08-04 23:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 15:13 . 1980-01-01 05:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 1980-01-01 05:00 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\bcmntray" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-15 149280]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 610304]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2004-03-04 211828]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-03-05 487424]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-08-06 77824]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2005-10-28 335872]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-26 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2004-10-26 921600]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 2.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2004-8-30 94208]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLTRYSVC"=2 (0x2)
"WANMiniportService"=2 (0x2)
"SymWSC"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=2 (0x2)
"NVSvc"=2 (0x2)
"ICDSPTSV"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\SYSTEM32\DRIVERS\klbg.sys [1/29/2008 5:29 PM 33808]
R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [10/20/2009 2:17 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [10/20/2009 2:17 PM 20560]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\SYSTEM32\DRIVERS\klim5.sys [4/30/2008 5:06 PM 24592]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\SYSTEM32\DRIVERS\ICDUSB2.sys [1/14/2005 3:17 PM 39048]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\SYSTEM32\DRIVERS\WUSB54GCv3.sys [4/4/2009 9:36 PM 627072]
.
Contents of the 'Scheduled Tasks' folder

2004-08-13 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://m.www.yahoo.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-22 23:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1260)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1320)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3496)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\combofix\CF9527.exe
c:\program files\Dell\AccessDirect\DadTray.exe
c:\windows\system32\bcmntray.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-23 23:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-23 03:34

Pre-Run: 7,601,647,616 bytes free
Post-Run: 7,929,307,136 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 755B4B0CDB7C15752525281D4E9B339E

#4 babamoskva
  • Topic Starter

  • Members
  • 27 posts

Posted 22 October 2009 - 11:03 PM

I just checked and the problem has not been resolved.

I am taking the liberty of attaching the report that Kaspersky generated when I first noticed the problem. Since that report I used your uninstall list and uninstalled some programs that were malware etc related. After that I was able to install and run a bunch of antispy, malware, etc. to no avail. However, some programs said that they detected and deleted one or two things (avast was one of them; spywareblaster another) but I don't think they deleted any of the files listed in the Kaspersky report. That is why I am attaching it. Thank you so much. I have attached it as an attachment in addition to attaching it below because I see that it is a bit difficult to read because of the formatting. Thank you again. I appreciate your time and the mental and physical energy you are using to help me.

Full Scan: completed 10/18/2009 1:46:12 AM (events: 48, objects: 273108, time: 01:47:48)
10/18/2009 12:05:35 AM Task completed
10/17/2009 11:57:03 PM Task started
Full Scan: completed 10/18/2009 1:46:12 AM (events: 48, objects: 273108, time: 01:47:48)
10/18/2009 1:39:14 AM Deleted: Trojan.Win32.Vilsel.ivh C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1030\A0111524.exe
10/18/2009 12:32:10 AM Detected: Backdoor.Win32.Bredolab.ajx C:\Documents and Settings\Shayna\Local Settings\Temp\~TM1E.tmp
10/18/2009 1:38:58 AM Detected: Backdoor.Win32.Bredolab.ajx C:\WINDOWS\system32\WBEM\proquota.exe
10/18/2009 1:39:14 AM Detected: Backdoor.Win32.Bredolab.ajx C:\WINDOWS\system32\WBEM\proquota.exe
10/18/2009 12:06:33 AM Detected: Trojan-Downloader.Win32.FraudLoad.fok C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1009\A0110381.exe
10/18/2009 12:06:34 AM Detected: Trojan-Downloader.Win32.FraudLoad.fok C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1009\A0110387.exe
10/18/2009 1:13:46 AM Detected: Trojan-Downloader.Win32.FraudLoad.fok C:\SDFix\backups\backups.zip/backups/braviax.exe
10/18/2009 12:06:33 AM Detected: Trojan-Downloader.Win32.FraudLoad.fol C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1009\A0110380.exe/PE_Patch.EProt
10/18/2009 12:06:34 AM Detected: Trojan-Downloader.Win32.FraudLoad.fol C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1009\A0110388.exe/PE_Patch.EProt
10/18/2009 1:13:47 AM Detected: Trojan-Downloader.Win32.FraudLoad.fol C:\SDFix\backups\backups.zip/backups/~.exe/PE_Patch.EProt
10/18/2009 12:10:17 AM Detected: Trojan.Win32.Vilsel.ivg C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1029\A0111500.exe
10/18/2009 12:10:13 AM Detected: Trojan.Win32.Vilsel.ivh C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1029\A0111495.exe
10/18/2009 12:26:02 AM Detected: Trojan.Win32.Vilsel.ivh C:\Documents and Settings\Shayna\Application Data\seres.exe
10/18/2009 12:32:10 AM Detected: Trojan.Win32.Vilsel.ivh C:\Documents and Settings\Shayna\Local Settings\Temp\~.exe
10/18/2009 1:14:14 AM Detected: Trojan.Win32.Vilsel.ivh C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1030\A0111524.exe
10/18/2009 1:39:14 AM Detected: Trojan.Win32.Vilsel.ivh C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1030\A0111524.exe
10/18/2009 12:05:05 AM Detected: http://www.viruslist.com/en/advisories/15087 C:\program files\musicmatch\musicmatch jukebox\mmjb.exe
10/18/2009 1:06:19 AM Detected: http://www.viruslist.com/en/advisories/15087 C:\program files\musicmatch\musicmatch jukebox\mmjb.exe
10/18/2009 12:56:39 AM Detected: http://www.viruslist.com/en/advisories/26027 C:\program files\Common Files\AOL\Flasha.ocx
10/18/2009 12:54:36 AM Detected: http://www.viruslist.com/en/advisories/26201 C:\program files\Adobe\Acrobat 6.0\Reader\AcroRd32.bak
10/18/2009 12:52:26 AM Detected: http://www.viruslist.com/en/advisories/32270 C:\I386\SWFLASH.OCX
10/18/2009 1:00:26 AM Detected: http://www.viruslist.com/en/advisories/32991 C:\program files\Java\j2re1.4.2_03\bin\eula.dll
10/18/2009 1:00:41 AM Detected: http://www.viruslist.com/en/advisories/34451 C:\program files\Java\jre1.6.0_02\bin\java.exe
10/18/2009 1:01:07 AM Detected: http://www.viruslist.com/en/advisories/34451 C:\program files\Java\jre1.6.0_03\bin\java.exe
10/18/2009 1:01:26 AM Detected: http://www.viruslist.com/en/advisories/34451 C:\program files\Java\jre1.6.0_05\bin\java.exe
10/18/2009 1:01:58 AM Detected: http://www.viruslist.com/en/advisories/34451 C:\program files\Java\jre1.6.0_07\bin\java.exe
10/18/2009 12:05:12 AM Detected: http://www.viruslist.com/en/advisories/34471 C:\program files\mozilla firefox\firefox.exe
10/18/2009 1:05:32 AM Detected: http://www.viruslist.com/en/advisories/34471 C:\program files\mozilla firefox\firefox.exe
10/18/2009 12:05:07 AM Detected: http://www.viruslist.com/en/advisories/35091 C:\program files\quicktime\quicktimeplayer.exe
10/18/2009 1:09:18 AM Detected: http://www.viruslist.com/en/advisories/35091 C:\program files\quicktime\quicktimeplayer.exe
10/17/2009 11:58:46 PM Detected: http://www.viruslist.com/en/advisories/35948 C:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx
10/18/2009 1:38:30 AM Detected: http://www.viruslist.com/en/advisories/35948 C:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx
10/18/2009 12:55:10 AM Detected: http://www.viruslist.com/en/advisories/36983 C:\program files\Adobe\Reader 8.0\Reader\plug_ins\Annots.api
10/18/2009 1:46:14 AM Task completed
10/17/2009 11:58:24 PM Task started
10/18/2009 12:32:11 AM Untreated: Backdoor.Win32.Bredolab.ajx C:\Documents and Settings\Shayna\Local Settings\Temp\~TM1E.tmp Postponed
10/18/2009 1:39:03 AM Untreated: Backdoor.Win32.Bredolab.ajx C:\WINDOWS\system32\WBEM\proquota.exe Postponed
10/18/2009 12:06:33 AM Untreated: Trojan-Downloader.Win32.FraudLoad.fok C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1009\A0110381.exe Postponed
10/18/2009 12:06:34 AM Untreated: Trojan-Downloader.Win32.FraudLoad.fok C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1009\A0110387.exe Postponed
10/18/2009 1:13:46 AM Untreated: Trojan-Downloader.Win32.FraudLoad.fok C:\SDFix\backups\backups.zip/backups/braviax.exe Postponed
10/18/2009 12:06:33 AM Untreated: Trojan-Downloader.Win32.FraudLoad.fol C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1009\A0110380.exe/PE_Patch.EProt Postponed
10/18/2009 12:06:34 AM Untreated: Trojan-Downloader.Win32.FraudLoad.fol C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1009\A0110388.exe/PE_Patch.EProt Postponed
10/18/2009 1:13:47 AM Untreated: Trojan-Downloader.Win32.FraudLoad.fol C:\SDFix\backups\backups.zip/backups/~.exe/PE_Patch.EProt Postponed
10/18/2009 12:11:52 AM Untreated: Trojan.Win32.Vilsel.ivg C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1029\A0111500.exe Postponed
10/18/2009 12:10:48 AM Untreated: Trojan.Win32.Vilsel.ivh C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1029\A0111495.exe Postponed
10/18/2009 12:26:17 AM Untreated: Trojan.Win32.Vilsel.ivh C:\Documents and Settings\Shayna\Application Data\seres.exe Postponed
10/18/2009 12:32:17 AM Untreated: Trojan.Win32.Vilsel.ivh C:\Documents and Settings\Shayna\Local Settings\Temp\~.exe Postponed
10/18/2009 1:14:15 AM Untreated: Trojan.Win32.Vilsel.ivh C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1030\A0111524.exe Postponed
Full Scan: completed 10/18/2009 1:46:12 AM (events: 48, objects: 273108, time: 01:47:48)
10/18/2009 1:47:34 AM Task completed
10/18/2009 1:46:13 AM Deleted: Backdoor.Win32.Bredolab.ajx C:\WINDOWS\system32\WBEM\proquota.exe
10/18/2009 1:46:13 AM Detected: Backdoor.Win32.Bredolab.ajx C:\WINDOWS\system32\WBEM\proquota.exe
10/18/2009 1:46:12 AM Task started


#5 Grinler (Lawrence Abrams)
  • Admin
  • 43,461 posts
  • Gender:Male
  • Location:USA
  • Local time:08:39 AM

Posted 23 October 2009 - 12:40 PM

Click on start, then run, and type notepad c:\windows\winstart.bat and paste the contents of the file as a reply to this topic. Also please delete the file:

c:\documents and settings\Shayna\settings.dat


As for the kav log:

You need to do the following to remove certain vulnerabilities on your computer:

1. Update your Flash to the latest version to get rid of a vulnerability in the version you are running:

http://www.adobe.com/go/getflashplayer

2. Update Java to the latest version using these instructions:

Update Java:
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )

    It should have the following icon next to it: [image]
    Select it and click Remove.
  • The current version can be downloaded from Sun here: http://java.sun.com/javase/downloads/index.jsp Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 11' and press the 'Download' button. On the new web page, click the 'Accept License Agreement' button. Then select 'Windows Offline Installation, Multi-language' in the Windows Platform area just below the Accept button.
3. Either upgrade musicmatch to the latest version or uninstall it if you do not use it.

Last, but not least, can you confirm if these files exist?

C:\Documents and Settings\Shayna\Application Data\seres.exe
C:\Documents and Settings\Shayna\Local Settings\Temp\~.exe

#6 babamoskva
  • Topic Starter
  • Members
  • 27 posts
  • Local time:07:39 AM

Posted 23 October 2009 - 04:42 PM

I read your reply but I observe the Sabbath and I don't have enough time before it starts. I will follow your instructions and post the results Saturday evening. Thank you again.

#7 Grinler (Lawrence Abrams)
  • Admin
  • 43,461 posts
  • Gender:Male
  • Location:USA
  • Local time:08:39 AM

Posted 23 October 2009 - 04:52 PM

Understood...I will be here when you become available.

#8 babamoskva
  • Topic Starter
  • Members
  • 27 posts
  • Local time:07:39 AM

Posted 24 October 2009 - 10:57 PM

Thank you for your patience. I updated flash, java, and deleted musicmatch. (Doing that took a while because the computer is very very slow lately.)

I also deleted the .dat file. I looked for the two files (seres.exe and ~.exe) but couldn't find them (I did a search and went into the C drive). I think these may have been deleted by Avast.

A funny thing happened; when I typed "notepad c:\windows\winstart.bat " in run, the notepad came up blank. I thought maybe I didn't understand your instructions so I just typed in "c:\windows\winstart.bat " and a black screen popped up for a nanosecond and closed. If I recall I tried to do this initially before I posted and that is what happened. I am troubled by this.

The problem persists even after I deleted the file you asked me to.

May I ask you; should I be afraid that my passwords and personal info will be stolen? I read about the trojan fraudload and it sounds very scary.

Thank you again so much,

Shayna

#9 Grinler (Lawrence Abrams)
  • Admin
  • 43,461 posts
  • Gender:Male
  • Location:USA
  • Local time:08:39 AM

Posted 27 October 2009 - 10:51 AM

With what I have seen so far, I think you are ok with personal info being stolen. I can't guarantee that of course, but I think you're ok.

Where are you being redirected to?

Can you open c:\windows\system32\drivers\etc\hosts in Notepad and post the contents?

#10 babamoskva
  • Topic Starter
  • Members
  • 27 posts
  • Local time:07:39 AM

Posted 27 October 2009 - 11:28 AM

The computer is very slow. It took me about 20 minutes to just open IE, open this reply page, and to get to the file.

I don't know what program to open the etc file with. I tried Adobe but it didn't work. Please let me know.

Whenever I use google or any other search engine (yahoo etc) it redirects me to spam sites. The sites are different every time.

Thanks!

#11 babamoskva
  • Topic Starter
  • Members
  • 27 posts
  • Local time:07:39 AM

Posted 27 October 2009 - 11:33 AM

I just realized that you said to open in Notepad. My apology.

Here are the contents:

127.0.0.1 localhost


I will be by the computer for most of the day.

Thank you again.

#12 Grinler (Lawrence Abrams)
  • Admin
  • 43,461 posts
  • Gender:Male
  • Location:USA
  • Local time:08:39 AM

Posted 27 October 2009 - 11:49 AM

Download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.


#13 babamoskva
  • Topic Starter
  • Members
  • 27 posts
  • Local time:07:39 AM

Posted 27 October 2009 - 12:19 PM

I don't see a check box for "Drives/Partition other than Systemdrive (typically C:\)."

All I see in the right hand side, in descending order is as follows: system, sections, iat/eat, devices, modules, processes, threads, libraries, services, registry, files (which has a subsection for C:\ and ADS), and show all.

I unchecked the others you mentioned (sections, iat/eat, show all) but I am not sure if I should uncheck "files" or just "c:\."

Please clarify which I should uncheck.

Thank you.

#14 Grinler (Lawrence Abrams)
  • Admin
  • 43,461 posts
  • Gender:Male
  • Location:USA
  • Local time:08:39 AM

Posted 27 October 2009 - 08:32 PM

Files and C:\ should be checked.

#15 babamoskva
  • Topic Starter
  • Members
  • 27 posts
  • Local time:07:39 AM

Posted 27 October 2009 - 10:24 PM

Thank you for the clarification Grinler.

After GMER was done, it displayed a warning that read something like "there have been system modifications due to Rootkit activity."

I took the liberty of looking at other topics in the HJT forum and I saw that many people who get rootkits engage in peer to peer activities. I would like to know how I could have gotten something like this if I don't engage in such activities. I thought I got the rootkit from an attachment to an email that a co-worker sent me with a link to Youtube for a silly video but she said she opened the video and didn't get anything on her computer. I am scared to use IE and have started to use Google Chrome on my other computer and will use it on this one when it is fixed (I hope).

Here are the contents of the log (which I have uploaded as an attachment in case it is difficult to read):

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-27 23:11:16
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Shayna\LOCALS~1\Temp\axtdypob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xF5CE21DA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF58606B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xF5CE41EA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xF5CE3B9C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF5860574]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xF5CE5B7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xF5CE25AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xF5CE1D92]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF5860A52]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xF5CE3EAC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF586014C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xF5CE20A8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xF5CE2110]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xF5CE3D5E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xF5CE5620]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xF5CE39F8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF586064E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF586008C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xF5CE5BA6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF58600F0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xF5CE2178]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xF5CE1E7C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF586076E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xF5CE5888]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xF5CE15D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xF5CE4A74]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF586072E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xF5CE5F56]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xF5CE13D0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xF5CE408C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xF5CE26AC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xF5CE571A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xF5CE5BD0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF58608AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xF5CE5CB4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xF5CE5DE0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xF5CE554C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xF5CE247E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xF5CE24F0]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\atapi \Device\Ide\IdePort0 [F868AB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F868AB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort1 [F868AB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F868AB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
Device tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
---- Processes - GMER 1.0.15 ----

Library C:\Documents (*** hidden *** ) @ C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe [1880] 0x38800000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Attached Files

  • Attached File  ark.txt   11.44KB   2 downloads
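As an added example, not part of the thread and not code from GMER's authors, here is a small Python triage script for logs in the format posted above. It separates the SSDT hooks belonging to the installed security products (Kaspersky and avast!, which are expected) from the atapi.sys device hook whose code sits in an unknown section and the file GMER reports as modified; the sample log is a constructed excerpt, not the full ark.txt.

```python
import re

# Constructed excerpt in the format of the GMER log above (not the full ark.txt).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xF5CE3B9C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF586008C]
---- Devices - GMER 1.0.15 ----
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
Device \Driver\atapi \Device\Ide\IdePort0 [F868AB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
---- Processes - GMER 1.0.15 ----
Library C:\Documents (*** hidden *** ) @ C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe [1880] 0x38800000
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

# "SSDT <driver path> (<description/vendor>) <Zw function> [0x<address>]"
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+\((.*)\)\s+(Zw\w+)\s+\[0x[0-9A-Fa-f]+\]$")
# "Device <driver object> <device object> [<addr>] <module>[<section>] {<disassembly>}"
DEVHOOK_RE = re.compile(
    r"^Device\s+(\S+)\s+(\S+)\s+\[[0-9A-Fa-f]+\]\s+(\S+?)\[([^\]]+)\]\s*(\{.*\})?$")

def triage(log_text):
    """Bucket GMER lines: SSDT hooks by vendor, device hooks, hidden items, modified files."""
    out = {"ssdt": {}, "device_hooks": [], "hidden": [], "modified": []}
    for line in log_text.splitlines():
        line = line.strip()
        m = SSDT_RE.match(line)
        if m:
            _path, vendor, func = m.groups()
            # vendor is the part after the last "/" in the parenthesised description
            out["ssdt"].setdefault(vendor.split("/")[-1], []).append(func)
            continue
        m = DEVHOOK_RE.match(line)
        if m:
            drv, dev, module, section, code = m.groups()
            out["device_hooks"].append({"driver": drv, "device": dev, "module": module,
                                        "section": section, "code": code or ""})
            continue
        if "*** hidden ***" in line:
            out["hidden"].append(line)
        elif line.startswith("File ") and line.endswith(" suspicious modification"):
            out["modified"].append(line[len("File "):-len(" suspicious modification")])
    return out

def needs_attention(findings):
    """SSDT hooks from installed security products are expected; a hook whose code sits
    outside any named section of its module ('[unknown section]') and a driver GMER
    reports as modified on disk are the items to follow up on."""
    items = [f"{h['module']} hook on {h['device']}: code in {h['section']}"
             for h in findings["device_hooks"] if h["section"] == "unknown section"]
    items += [f"modified file: {p}" for p in findings["modified"]]
    return items
```

Running it on the real ark.txt (`triage(open("ark.txt").read())`) gives the same buckets for the full log.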




