
MBR Rootkit Detected: HelpAssistant Folder Reappears on Reboot


This topic is locked
20 replies to this topic

#1 modle

modle

  • Members
  • 13 posts
  • OFFLINE
  • Local time:07:20 AM

Posted 25 October 2009 - 08:51 AM

Referred from here: http://www.bleepingcomputer.com/forums/t/265796/helpassistant-folder-creates-on-reboot;-taking-up-all-hard-drive-space/ ~ OB

Was infected with a virus/something that installed a program on my computer with a name similar to "SystemProtect," "SystemProtector," "ProtectSystem," etc.

Three or four icons for pornographic websites would appear on my desktop every few reboots; I don't know if clicking on them opened anything, as I never bothered to try. I would get frequent pop-ups begging me to download fake anti-virus/anti-malware software. I could not install or run anti-malware software without altering the names of the .exe files. Eventually, I ran many anti-malware programs and thought I got rid of the problem. The virus would cause my computer to lock up on reboot unless I booted in safe mode; it would also create, upon reboot, a folder in my Documents and Settings folder called "HelpAssistant" which was loaded with copies of files from my user profile. This folder takes up quite a bit of my remaining hard drive space. The reappearing folder is, I think, the only problem "left over" from the original infection.

-------

DDS.txt:


DDS (Ver_09-10-24.04) - NTFSx86
Run by NAME at 8:44:12.17 on Sun 10/25/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.165 [GMT -5:00]

AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\NAME\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://www.yahoo.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\AIM.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
Trusted Zone: aol.com\free
Trusted Zone: musicmatch.com\online
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: cbXQjiiF - cbXQjiiF.dll
AppInit_DLLs: puqvfc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michae~1\applic~1\mozilla\firefox\profiles\oh634g1o.NAME\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-23 64160]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2009-1-20 13360]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-1-20 68912]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2008-5-22 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2008-5-22 545088]
S3 BCASPROT;Advanced System Protector;\??\c:\program files\systweak\advanced system protector\sasprot32.sys --> c:\program files\systweak\advanced system protector\sasprot32.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1028432]
S3 vtdg46xx;vtdg46xx;c:\progra~1\turtle~1\santac~1\contro~1\vtdg46xx.sys [2008-5-22 19232]
S4 iWinGamesInstaller;iWinGamesInstaller;c:\documents and settings\NAME\desktop\michael's briefcase\games\jewel quest\iwin games\iwingamesinstaller.exe --> c:\documents and settings\NAME\desktop\michael's briefcase\games\jewel quest\iwin games\iWinGamesInstaller.exe [?]

=============== Created Last 30 ================

2009-10-20 21:25:02 0 d-----w- c:\docume~1\michae~1\applic~1\TweakNow RegCleaner
2009-10-09 14:32:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 14:28:59 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-07 14:14:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Avg8
2009-10-01 05:26:22 56832 ------w- c:\windows\system32\iyvu9_32.dll
2009-10-01 05:26:22 143872 ------w- c:\windows\system32\iacenc.dll

==================== Find3M ====================

2009-08-08 12:56:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2008-05-21 19:08:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052120080522\index.dat

============= FINISH: 8:44:36.74 ===============

Attached Files


Edited by Orange Blossom, 25 October 2009 - 10:09 AM.
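For readers following why the later fix in this thread targets the Notify and AppInit_DLLs entries above: an added example, not part of this thread and not DDS's own code, that pulls the "Pseudo HJT Report" section out of a DDS log and flags the persistence entries a responder would look at first. The sample log lines are constructed in the format shown above, and the severity labels and heuristics are the example's own, not DDS's.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the DDS "Pseudo HJT Report" above
# (a handful of entries, not a copy of the poster's full log).
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\WINDOWS\Explorer.EXE
============== Pseudo HJT Report ===============
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
Notify: cbXQjiiF - cbXQjiiF.dll
AppInit_DLLs: puqvfc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
"""

# DDS section headers look like "====== Pseudo HJT Report ======".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")


def hjt_section(text: str) -> List[str]:
    """Return the non-empty lines of the 'Pseudo HJT Report' section only."""
    lines, inside = [], False
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            inside = header.group(1).lower() == "pseudo hjt report"
            continue
        if inside and line:
            lines.append(line)
    return lines


def triage_dds(text: str) -> List[Dict[str, str]]:
    """Flag persistence entries worth a responder's attention, in log order."""
    findings: List[Dict[str, str]] = []

    def flag(severity: str, entry: str, reason: str) -> None:
        findings.append({"severity": severity, "entry": entry, "reason": reason})

    for line in hjt_section(text):
        key, _, rest = line.partition(":")
        key, rest = key.strip(), rest.strip()
        if key == "AppInit_DLLs" and rest:
            # AppInit_DLLs injects the named DLL into every process that loads
            # user32.dll; on a home PC a bare, unbranded DLL here is a red flag.
            flag("high", line, "AppInit_DLLs injection into every GUI process")
        elif key == "Notify":
            # Winlogon notification packages run inside winlogon.exe at logon;
            # a DLL named without a path is resolved through the search path.
            _name, _, dll = rest.partition(" - ")
            if "\\" not in dll:
                flag("high", line, "Winlogon Notify package registered without a path")
        elif key == "BHO" and rest.endswith("No File"):
            flag("low", line, "orphaned BHO: CLSID registered but DLL missing; "
                              "cleanup only, not an active threat")
        elif key.endswith("Run"):
            # Autorun target is the text after the [name] bracket.
            target = rest.partition("]")[2].strip().strip('"').lower()
            if "\\temp\\" in target or ("\\drivers\\" in target and target.endswith(".exe")):
                flag("medium", line, "autorun executable in a temp or drivers folder")
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f['severity']:6}] {f['entry']}\n         {f['reason']}")
```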




#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:20 PM

Posted 01 November 2009 - 03:14 PM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • log.txt
  • info.txt
Thanks



#3 modle

modle
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:07:20 AM

Posted 01 November 2009 - 09:17 PM

Syler,

The reply came faster than I expected; you take as much time as you need. I'm quite patient. :-)

Here are the RSIT logs... Thank you for the reply!


P.S.: I ran it with "Show files/folders created within the past 3 months" selected.

Attached Files

  • Attached File  info.txt   13.23KB   9 downloads
  • Attached File  log.txt   28.29KB   4 downloads

Edited by modle, 01 November 2009 - 09:18 PM.


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:20 PM

Posted 02 November 2009 - 05:44 PM

Hi modle,

I don't see an antivirus program running on your machine.
  • Download and install an antivirus program, and make sure that you keep it updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Two good antivirus programs free for non-commercial home use are Avast! and Antivir
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.



Download and run the McAfee Consumer Products Removal tool (MCPR.exe).
Running the McAfee Consumer Product Removal tool (MCPR.exe) removes all 2005, 2006, and 2007 and newer versions of McAfee consumer products.
  • McAfee Security Center
  • McAfee VirusScan
  • McAfee Personal Firewall Plus
  • McAfee Privacy Service
  • McAfee SpamKiller
  • McAfee Wireless Network Security
  • McAfee SiteAdvisor
  • McAfee Data Backup
  • McAfee Network Manager
  • McAfee Easy Network
  • McAfee AntiSpyware
  • Click Save and save the file to any folder on the computer.
  • Navigate to the folder where the file is saved.
  • Double-click MCPR.exe.
  • Click Run. A Command Line window will be displayed, and then close automatically. Wait for a second Command Line window to be displayed.
    Note: Do not double-click MCPR.exe again, you may have to wait up to 1 minute for the next window to appear.
    After the second window appears, the program will begin the cleanup.
  • Observe the installation, which could take several minutes. The following message will be displayed in the Command Line window:
    The machine must reboot to complete the un-installation. Reboot now? [y.n]
  • Press Y on the keyboard.
  • Wait for the computer to restart.
All McAfee products are now removed from your computer.
These McAfee removal instructions can be found at http://ts.mcafeehelp.com/faq3.asp?docid=408302



Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Please post back here with the following logs:
  • MBAM log
  • New Rsit log
Thanks



#5 modle

modle
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:07:20 AM

Posted 03 November 2009 - 10:41 AM

Syler,

May I have MBAM installed at the same time as Avast?

Here are the logs from MBAM and RSIT. Thank you again for your help.

Attached Files



#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:20 PM

Posted 03 November 2009 - 12:20 PM

May I have MBAM installed at the same time as Avast?


Yes you can; MBAM is not an antivirus. Please install an antivirus, then post a new RSIT log.



#7 modle

modle
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:07:20 AM

Posted 03 November 2009 - 01:58 PM

Syler,

I have installed Avast, but have not run it. Here is the RSIT Log

Attached Files

  • Attached File  log3.txt   29.88KB   4 downloads


#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:20 PM

Posted 03 November 2009 - 06:54 PM

modle,

Please run a full scan with Avast and post the results in the next reply, if it finds anything.


Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.


We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Works Update Detection"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\99139015283640472128940181043825]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced System Protector]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GaruYacUpdate_ENG]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GaruYac_ENG]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MultiCoreAVAS]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "MpfService"=-
    "McSysmon"=-
    "McShield"=-
    "McProxy"=-
    "McODS"=-
    "McNASvc"=-
    "mcmscsvc"=-
    "avg8wd"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"=""
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbXQjiiF]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\drivers\svchost.exe"=-
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\drivers\svchost.exe"=-
    :Files
    c:\windows\system32\drivers\svchost.exe
    :Commands
    [EmptyTemp]
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window. If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



Please post back here with the following logs:
  • OTM results
  • Gmer log
  • Avast results
Thanks



#9 modle

modle
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:07:20 AM

Posted 05 November 2009 - 12:04 PM

Syler,

Here it is


AVAST LOG

*
* avast! Report
* This file is generated automatically
*
* Task 'Simple user interface' used
* Started on Wednesday, November 04, 2009 5:40:30 PM
* VPS: 091104-0, 11/04/2009
*

C:\Program Files\Alwil Software\Avast4\DATA\moved\A0049522.exe.vir [L] Win32:Trojan-gen (0)
During the file repair, error occurred: The file was not repaired.
C:\Program Files\Alwil Software\Avast4\DATA\moved\A0075363.exe.vir [L] Win32:MalOb-M [Cryp] (0)
During the file repair, error occurred: The file was not repaired.
C:\Program Files\Alwil Software\Avast4\DATA\moved\A0075364.dll.vir [L] Win32:Hilot [Trj] (0)
During the file repair, error occurred: The file was not repaired.
C:\Program Files\Alwil Software\Avast4\DATA\moved\A0075365.exe.vir [L] Win32:Trojan-gen (0)
During the file repair, error occurred: The file was not repaired.
C:\Program Files\Alwil Software\Avast4\DATA\moved\A0075366.exe.vir [L] Win32:Trojan-gen (0)
During the file repair, error occurred: The file was not repaired.
C:\Program Files\Alwil Software\Avast4\DATA\moved\A0075367.exe.vir [L] Win32:Trojan-gen (0)
During the file repair, error occurred: The file was not repaired.
Infected files: 6
Total files: 179269
Total folders: 10263
Total size: 43.0 GB

*
* Task stopped: Wednesday, November 04, 2009 6:30:15 PM
* Run-time was 49 minute(s), 45 second(s)
*

================================

OTM LOG

All processes killed
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Microsoft Works Update Detection deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\99139015283640472128940181043825\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced System Protector\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GaruYacUpdate_ENG\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GaruYac_ENG\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MultiCoreAVAS\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\MpfService deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\McSysmon deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\McShield deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\McProxy deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\McODS deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\McNASvc deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\mcmscsvc deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\avg8wd deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLS"|"" /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbXQjiiF\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list\\%windir%\system32\drivers\svchost.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list\\%windir%\system32\drivers\svchost.exe not found.
========== FILES ==========
File/Folder c:\windows\system32\drivers\svchost.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: HelpAssistant
->Temp folder emptied: 2420608 bytes
->Temporary Internet Files folder emptied: 21891549 bytes
->Java cache emptied: 300610 bytes
->FireFox cache emptied: 7883040 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NAME
->Temp folder emptied: 42078914 bytes
File delete failed. C:\Documents and Settings\NAME\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 46222985 bytes
->Java cache emptied: 300610 bytes
->FireFox cache emptied: 78158233 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 1199254 bytes
->Temporary Internet Files folder emptied: 108129985 bytes
->Java cache emptied: 23000986 bytes
->FireFox cache emptied: 12194932 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\$$$dq3e scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\$67we.$ scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_558.dat scheduled to be deleted on reboot.
Windows Temp folder emptied: 2208005 bytes
RecycleBin emptied: 29696 bytes

Total Files Cleaned = 330.12 mb


OTM by OldTimer - Version 3.0.0.6 log created on 11042009_183804

Files moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\$$$dq3e scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\$67we.$ scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_558.dat not found!

Registry entries deleted on Reboot...

================================

GMER LOG

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-05 10:51:34
Windows 5.1.2600 Service Pack 3
Running: ql8teo22.exe; Driver: C:\DOCUME~1\NAME~1\LOCALS~1\Temp\awqoqpoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF5EAB6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF5EAB574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF5EABA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF5EAB14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF5EAB64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF5EAB08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF5EAB0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF5EAB76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF5EAB72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF5EAB8AE]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1800] ADVAPI32.dll!CryptDestroyKey 77DE9E9C 7 Bytes JMP 00BD28E0
.text C:\WINDOWS\Explorer.EXE[1800] ADVAPI32.dll!CryptDecrypt 77DEA109 7 Bytes JMP 00BD2890
.text C:\WINDOWS\Explorer.EXE[1800] ADVAPI32.dll!CryptEncrypt 77DEE340 7 Bytes JMP 00BD2854
.text C:\WINDOWS\Explorer.EXE[1800] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00BD2839
.text C:\WINDOWS\Explorer.EXE[1800] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00BD26C5
.text C:\WINDOWS\Explorer.EXE[1800] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00BD27B7
.text C:\WINDOWS\Explorer.EXE[1800] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00BD26FD
.text C:\WINDOWS\Explorer.EXE[1800] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00BD2735
.text C:\WINDOWS\System32\alg.exe[2260] ADVAPI32.dll!CryptDestroyKey 77DE9E9C 7 Bytes JMP 00B228E0
.text C:\WINDOWS\System32\alg.exe[2260] ADVAPI32.dll!CryptDecrypt 77DEA109 7 Bytes JMP 00B22890
.text C:\WINDOWS\System32\alg.exe[2260] ADVAPI32.dll!CryptEncrypt 77DEE340 7 Bytes JMP 00B22854
.text C:\WINDOWS\System32\alg.exe[2260] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B22839
.text C:\WINDOWS\System32\alg.exe[2260] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B226C5
.text C:\WINDOWS\System32\alg.exe[2260] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00B227B7
.text C:\WINDOWS\System32\alg.exe[2260] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B226FD
.text C:\WINDOWS\System32\alg.exe[2260] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B22735

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 FFA1FE40
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 FFA1FE40
Device \Driver\atapi \Device\Ide\IdePort0 FFA1FE40
Device \Driver\atapi \Device\Ide\IdePort1 FFA1FE40
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f FFA1FE40

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1659004503-1788223648-725345543-1004 7831552 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\ComDb.Dat 23124 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\domain.txt 50 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\Repository 0 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\Repository\$WinMgmt.CFG 20 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\Repository\FS 0 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\Repository\FS\INDEX.BTR 1048576 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\Repository\FS\INDEX.MAP 556 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\Repository\FS\MAPPING.VER 4 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\Repository\FS\MAPPING1.MAP 3292 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\Repository\FS\MAPPING2.MAP 3292 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\Repository\FS\OBJECTS.DATA 5554176 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\Repository\FS\OBJECTS.MAP 2748 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\_REGISTRY_MACHINE_SAM 24576 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\_REGISTRY_MACHINE_SECURITY 49152 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\_REGISTRY_MACHINE_SOFTWARE 30244864 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\_REGISTRY_MACHINE_SYSTEM 5550080 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\_REGISTRY_USER_.DEFAULT 3297280 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18 3297280 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19 229376 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20 229376 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1659004503-1788223648-725345543-1000 7798784 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1659004503-1788223648-725345543-1003 6811648 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1659004503-1788223648-725345543-500 3407872 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19 8192 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20 8192 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-1659004503-1788223648-725345543-1000 262144 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-1659004503-1788223648-725345543-1003 262144 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-1659004503-1788223648-725345543-1004 233472 bytes
File C:\System Volume Information\_restore{CDEF33A1-FBA8-4E26-A648-99175B928D1B}\RP337\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-1659004503-1788223648-725345543-500 262144 bytes

---- EOF - GMER 1.0.15 ----

#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:20 PM

Posted 05 November 2009 - 04:25 PM

Hi modle,

The files found by Avast are nothing to worry about; however, the results of OTM and Gmer show that you may have a possible Mebroot infection.


Download and Run MBR Rootkit Scan
  • Please download MBR Rootkit Detector and save it on your desktop.
  • Double click on mbr.exe to run it.
  • Select Run when you receive a Security Warning
  • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created on your desktop where you ran mbr.exe
  • Copy and paste the contents of mbr.log on your next reply.



#11 modle

modle
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:07:20 AM

Posted 06 November 2009 - 09:39 AM

Syler,

Whenever I try to run MBR.exe, I get the following message in a dialog box:

C:\DOCUME~1\NAME~1\Desktop\mbr.exe
The NTVDM CPU has encountered an illegal instruction.
CS:00cf IP:0656 OP:fe f8 06 db 02 Choose "Close" to terminate the application.
[CLOSE] [IGNORE]


If I click "Ignore," the same message reappears, with the string of characters (i.e. "fe f8 06 db...") being sometimes slightly different.

I cannot get the program to work to the point of giving me a log file.

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:20 PM

Posted 06 November 2009 - 03:14 PM

Ok let's try this.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#13 modle

modle
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:07:20 AM

Posted 06 November 2009 - 08:04 PM

Syler,

Here is the ComboFix log:


ComboFix 09-11-05.05 - NAME 11/06/2009 18:32.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.284 [GMT -6:00]
Running from: c:\documents and settings\NAME\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091106-2] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\My Documents\ZbThumbnail.info
c:\windows\system32\ymmnepoq.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IWINGAMESINSTALLER
-------\Service_iWinGamesInstaller


((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-05 00:38 . 2009-11-05 00:38 -------- d-----w- C:\_OTM
2009-11-03 18:44 . 2009-09-15 11:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-03 18:44 . 2009-09-15 11:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-03 18:44 . 2009-09-15 11:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-03 18:44 . 2009-09-15 11:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-03 18:44 . 2009-09-15 11:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-03 18:44 . 2009-09-15 11:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-03 18:44 . 2009-09-15 11:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-03 18:44 . 2009-09-15 11:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-03 18:44 . 2009-09-15 11:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-03 18:44 . 2009-11-03 18:44 -------- d-----w- c:\program files\Alwil Software
2009-11-02 02:14 . 2009-11-02 02:15 -------- d-----w- C:\rsit
2009-10-23 11:07 . 2009-10-23 11:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-10-20 23:27 . 2009-10-20 23:27 -------- d-----w- c:\documents and settings\HelpAssistant\Contacts
2009-10-20 23:27 . 2009-10-20 23:27 -------- d-----w- c:\documents and settings\HelpAssistant\.thumbnails
2009-10-20 21:25 . 2009-10-20 21:25 -------- d-----w- c:\documents and settings\NAME\Application Data\TweakNow RegCleaner
2009-10-09 14:32 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 14:28 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-20 21:25 . 2008-05-28 03:08 58480 ----a-w- c:\documents and settings\NAME\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 19:02 . 2009-09-21 19:02 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2009-10-16 19:02 . 2009-07-17 19:03 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-10-10 00:12 . 2008-06-01 05:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-10 00:01 . 2008-05-23 02:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-09 14:54 . 2008-12-11 04:55 -------- d-----w- c:\documents and settings\NAME\Application Data\Buddi
2009-10-09 14:53 . 2008-05-28 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2009-10-09 14:53 . 2009-08-30 20:55 -------- d-----w- c:\documents and settings\Owner\Application Data\YouSendIt
2009-10-09 14:53 . 2008-06-12 04:54 -------- d-----w- c:\program files\LAME Mp3 Encoder
2009-10-09 14:53 . 2008-06-12 04:44 -------- d-----w- c:\program files\WAV to MP3 Encoder
2009-10-09 14:53 . 2008-05-31 18:27 -------- d-----w- c:\program files\HP
2009-10-09 14:53 . 2008-05-28 18:55 -------- d-----w- c:\program files\AIM95
2009-10-09 14:32 . 2009-01-21 00:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-09 14:20 . 2009-02-27 17:00 -------- d-----w- c:\documents and settings\NAME\Application Data\SUPERAntiSpyware.com
2009-10-09 14:16 . 2008-12-18 07:24 -------- d-----w- c:\documents and settings\NAME\Application Data\Systweak
2009-10-09 14:16 . 2008-12-18 07:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Systweak
2009-10-09 14:10 . 2008-12-01 03:31 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-10-07 14:19 . 2008-08-18 23:47 -------- d-----w- c:\program files\VideoLAN
2009-10-07 14:14 . 2009-10-07 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-10-07 14:13 . 2009-10-06 14:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-06 14:22 . 2008-07-15 18:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-25 11:42 . 2009-09-25 11:42 17204720 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup\rp\.exe
2009-09-25 11:42 . 2009-09-25 11:42 8406648 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2009-09-25 11:42 . 2009-09-25 11:42 10309448 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup\chr\ChromeInstaller.exe
2009-09-25 11:41 . 2009-09-25 11:41 52288 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll
2009-09-25 11:41 . 2009-09-25 11:41 64000 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll
2009-09-25 11:41 . 2009-09-25 11:41 50688 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll
2009-09-25 11:41 . 2009-09-25 11:41 114688 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup\RUP\inst_config\compat.dll
2009-09-18 14:15 . 2009-09-18 14:13 -------- d-----w- c:\documents and settings\NAME\Application Data\gtk-2.0
2009-09-03 11:27 . 2009-09-03 11:27 488968 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup\setup.exe
2009-01-04 14:34 . 2008-12-07 19:38 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-01-04 14:34 . 2008-12-07 19:38 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-04 14:34 . 2008-12-07 19:38 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-01-04 14:34 . 2008-12-07 19:38 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-01-04 14:34 . 2008-12-07 19:38 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-01 185896]
"combofix"="c:\combofix\CF25604.exe" [2009-11-07 389120]

c:\documents and settings\NAME\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\documents and settings\NAME\Desktop\fix me\erunt\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Device Detector 2.lnk
backup=c:\windows\pss\Device Detector 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TuneUp.ProgramStatisticsSvc"=2 (0x2)
"UxTuneUp"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"nwsyspsrv"=2 (0x2)
"nwscheduler"=2 (0x2)
"nwdbtools"=2 (0x2)
"aspnet_state"=3 (0x3)
"aawservice"=2 (0x2)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"Lavasoft Ad-Aware Service"=3 (0x3)
"iWinGamesInstaller"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Documents and Settings\\NAME\\Desktop\\NAME's Briefcase\\Games\\Jewel Quest\\iWin Games\\WebUpdater.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/23/2009 2:02 PM 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/3/2009 12:44 PM 114768]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [1/20/2009 10:20 AM 13360]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/3/2009 12:44 PM 20560]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [1/20/2009 10:20 AM 68912]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [5/22/2008 8:21 PM 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [5/22/2008 8:21 PM 545088]
S3 BCASPROT;Advanced System Protector;\??\c:\program files\Systweak\Advanced System Protector\sasprot32.sys --> c:\program files\Systweak\Advanced System Protector\sasprot32.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 3:34 PM 1028432]
S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [5/22/2008 8:21 PM 19232]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 19:02]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://www.yahoo.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
Trusted Zone: aol.com\free
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\NAME\Application Data\Mozilla\Firefox\Profiles\oh634g1o.NAME\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Jewel Quest - c:\documents and settings\NAME\Desktop\NAME's Briefcase\Games\Jewel Quest\iWin.com
AddRemove-TweakNow RegCleaner_is1 - c:\documents and settings\NAME\Desktop\RegCleaner\TweakNow RegCleaner\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 18:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xFF9D0E40]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0xff9d0e40
NDIS: Realtek RTL8139 Family PCI Fast Ethernet NIC -> SendCompleteHandler -> 0xffa0d800
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-11-07 19:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-07 01:01

Pre-Run: 34,914,193,408 bytes free
Post-Run: 34,743,201,792 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 37C8107FEBE153AA88AB4BB8249209F0
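The mbr.exe section of the log above reports three things: a copy of the MBR in a later sector, malicious code in the sectors after it, and a PE file stored in raw sectors. The following Python script is an added example for this thread (it is not part of the thread and not code from Gmer's tool); it performs the offline-image counterpart of those checks on a dd-style disk image. It parses the partition table from sector 0, then walks every sector that lies outside all partitions looking for a second copy of sector 0's partition table and signature (a stashed original MBR) and for sectors that begin with an MZ header. The 64-sector image, the single partition at LBA 8, and the sector numbers 48 and 50 are all constructed for the demonstration. The live tool's comparison of a user-mode read against a kernel read of sector 0, which is what exposes the atapi hook, cannot be reproduced from an image and is not attempted here.

```python
import struct
from typing import Callable, Dict, List

SECTOR = 512
PT_OFFSET = 446      # four 16-byte partition entries start here
SIG_OFFSET = 510     # 0x55 0xAA boot signature


def parse_mbr(sector: bytes) -> Dict:
    """Split one 512-byte MBR into boot code, partition table, signature check and parsed entries."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions: List[Dict] = []
    for i in range(4):
        entry = sector[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:
            continue                                  # empty slot
        lba_start, count = struct.unpack_from("<II", entry, 8)
        partitions.append({"index": i, "bootable": entry[0] == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": count})
    return {"code": sector[:PT_OFFSET],
            "table": sector[PT_OFFSET:SIG_OFFSET],
            "signature_ok": sector[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xaa",
            "partitions": partitions}


def scan_image(image: bytes) -> Dict:
    """Offline counterpart of the 'copy of MBR found' / 'PE file found in sector' checks.

    Every sector outside all partitions is compared with sector 0: a sector carrying the same
    partition table and boot signature is reported as a stashed MBR copy (flagging whether its
    boot code differs from the live one), and a sector starting with an MZ header is reported as
    a PE image kept in raw sectors. Sectors inside partitions are skipped because any file
    system holds plenty of legitimate executables.
    """
    mbr = parse_mbr(image[:SECTOR])
    ranges = [(p["lba_start"], p["lba_start"] + p["sectors"]) for p in mbr["partitions"]]
    unallocated: Callable[[int], bool] = lambda n: not any(s <= n < e for s, e in ranges)
    findings: Dict = {"signature_ok": mbr["signature_ok"], "partitions": mbr["partitions"],
                      "mbr_copies": [], "pe_sectors": []}
    for n in range(1, len(image) // SECTOR):
        if not unallocated(n):
            continue
        s = image[n * SECTOR:(n + 1) * SECTOR]
        if s[PT_OFFSET:] == image[PT_OFFSET:SECTOR]:
            findings["mbr_copies"].append({"sector": n, "code_differs": s[:PT_OFFSET] != mbr["code"]})
        if s[:2] == b"MZ":
            findings["pe_sectors"].append(n)
    return findings


# ---- constructed sample data (not a real disk capture) ----------------------------------

def _synthetic_mbr(code_fill: int) -> bytes:
    """MBR whose boot code is one repeated byte, with one bootable NTFS partition at LBA 8 (32 sectors)."""
    code = bytes([code_fill]) * PT_OFFSET
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 8, 32)
    return code + entry + bytes(48) + b"\x55\xaa"


def build_sample_image(infected: bool) -> bytes:
    """64-sector image. Infected variant: sector 0 carries replacement boot code (0xCC fill), the
    original MBR (0x90 fill) is stashed in sector 48 and sector 50 begins a PE image. Sectors 48
    and 50 are assumed positions outside the partition (sectors 8..39), chosen for the demo."""
    sectors = [bytes(SECTOR)] * 64
    if infected:
        sectors[0] = _synthetic_mbr(0xCC)
        sectors[48] = _synthetic_mbr(0x90)
        sectors[50] = b"MZ" + bytes(SECTOR - 2)
    else:
        sectors[0] = _synthetic_mbr(0x90)
    return b"".join(sectors)


if __name__ == "__main__":
    for label, img in (("clean", build_sample_image(False)), ("infected", build_sample_image(True))):
        print(label, scan_image(img))
```

On a real image the same `scan_image` call works on the raw bytes of `\\.\PhysicalDrive0` captured with a dd-style tool; the MBR copy and PE checks are heuristics, so a hit on a disk that has been handled by a legitimate backup or boot-manager tool needs manual review of the sector contents before any conclusion is drawn.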

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:20 PM

Posted 07 November 2009 - 05:14 PM

Hi,

Your last log was formatted with word wrap, which makes the logs difficult to read. Please make sure word wrap is off.

Open notepad, click on Format and untick word wrap.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

MBR::
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iWinGamesInstaller"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

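Two of the entries the CFScript above removes are worth understanding as detection rules rather than as one-off edits: Security Center `*DisableNotify` values set to 1 suppress the "firewall is off / updates are off" warnings, and a firewall exception for a well-known Windows binary at the wrong path (here `svchost.exe` under `system32\drivers`, while the genuine copy lives in `system32`) marks an executable that was planted where a casual look would not notice it. The following Python script is an added example, not part of the thread and not ComboFix code: it parses the REGEDIT4-style "Reg Loading Points" text that ComboFix prints, flags those two classes of entry, and emits the matching `Registry::` lines in the CFScript syntax used above. The sample dump is a constructed excerpt built from values in the log above; the expected-location table assumes `%windir%` is `c:\windows`, and the `MBR::` and msconfig portions of the real script are out of scope.

```python
import re
from typing import Dict, List

# Constructed excerpt in the REGEDIT4 style ComboFix uses for its "Reg Loading Points" section.
# Value names and data are taken from the log posted above; "HKLM\~" is ComboFix's shorthand.
SAMPLE_DUMP = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
'''

# Where the genuine copies of these Windows binaries live (assumption: %windir% is c:\windows).
EXPECTED_LOCATION = {
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "sessmgr.exe": r"c:\windows\system32\sessmgr.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
    "explorer.exe": r"c:\windows\explorer.exe",
}

# Security Center values that, when set to 1, silence the "protection is off" balloons.
NOTIFY_FLAGS = {"firewalldisablenotify", "updatesdisablenotify", "antivirusdisablenotify"}


def parse_reg_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REGEDIT4-style text into {key_path: {value_name: raw_data}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            name = m.group(1).replace("\\\\", "\\")   # undo REGEDIT4 backslash escaping
            sections[current][name] = m.group(2)
    return sections


def normalize_path(p: str) -> str:
    return p.lower().replace("%windir%", r"c:\windows").replace("%systemroot%", r"c:\windows")


def find_suspicious(sections: Dict[str, Dict[str, str]]) -> List[Dict]:
    """Flag disabled Security Center notifications and firewall exceptions for misplaced system binaries."""
    findings: List[Dict] = []
    for key, values in sections.items():
        k = key.lower()
        if k.endswith(r"\security center"):
            for name, data in values.items():
                if name.lower() in NOTIFY_FLAGS and data.lower() == "dword:00000001":
                    findings.append({"kind": "notify_disabled", "key": key, "name": name})
        elif k.endswith(r"\authorizedapplications\list"):
            for name in values:
                path = normalize_path(name)
                base = path.rsplit("\\", 1)[-1]
                expected = EXPECTED_LOCATION.get(base)
                if expected and path != expected:
                    findings.append({"kind": "firewall_exception_wrong_location",
                                     "key": key, "name": name, "expected": expected})
    return findings


def to_cfscript(findings: List[Dict]) -> str:
    """Emit the Registry:: section of a CFScript that undoes the findings (syntax as in the fix above)."""
    by_key: Dict[str, List[Dict]] = {}
    for f in findings:
        by_key.setdefault(f["key"], []).append(f)
    lines = ["Registry::"]
    for key, fs in by_key.items():
        lines.append(f"[{key}]")
        for f in fs:
            name = f["name"].replace("\\", "\\\\")   # re-escape for REGEDIT4 syntax
            if f["kind"] == "notify_disabled":
                lines.append(f'"{name}"=dword:00000000')   # restore the warning balloon
            else:
                lines.append(f'"{name}"=-')                 # delete the firewall exception
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_cfscript(find_suspicious(parse_reg_dump(SAMPLE_DUMP))))
```

The location check deliberately compares full normalized paths rather than just file names, so the legitimate `sessmgr.exe` and the unknown `msmsgs.exe` entries pass while only the misplaced `svchost.exe` is reported.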


#15 modle

modle
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:07:20 AM

Posted 08 November 2009 - 10:10 AM

Syler,

I have re-attached the above ComboFix log to this message, with word wrap turned off, just in case you still need to read it. Below is pasted the ComboFix log resulting from the dragging and dropping of CFScript.txt onto the ComboFix icon.

===========


ComboFix 09-11-07.02 - NAME 11/08/2009 8:48.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.267 [GMT -6:00]
Running from: c:\documents and settings\NAME\Desktop\fix me\ComboFix.exe
Command switches used :: c:\documents and settings\NAME\Desktop\fix me\CFScript.txt
AV: avast! antivirus 4.8.1356 [VPS 091108-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IWINGAMESINSTALLER
-------\Legacy_IWINGAMESINSTALLER


((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 )))))))))))))))))))))))))))))))
.

2009-11-05 00:38 . 2009-11-05 00:38 -------- d-----w- C:\_OTM
2009-11-03 18:44 . 2009-09-15 11:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-03 18:44 . 2009-09-15 11:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-03 18:44 . 2009-09-15 11:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-03 18:44 . 2009-09-15 11:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-03 18:44 . 2009-09-15 11:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-03 18:44 . 2009-09-15 11:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-03 18:44 . 2009-09-15 11:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-03 18:44 . 2009-09-15 11:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-03 18:44 . 2009-09-15 11:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-03 18:44 . 2009-11-03 18:44 -------- d-----w- c:\program files\Alwil Software
2009-11-02 02:14 . 2009-11-02 02:15 -------- d-----w- C:\rsit
2009-10-23 11:07 . 2009-10-23 11:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-10-20 23:27 . 2009-10-20 23:27 -------- d-----w- c:\documents and settings\HelpAssistant\Contacts
2009-10-20 23:27 . 2009-10-20 23:27 -------- d-----w- c:\documents and settings\HelpAssistant\.thumbnails
2009-10-20 21:25 . 2009-10-20 21:25 -------- d-----w- c:\documents and settings\NAME\Application Data\TweakNow RegCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-20 21:25 . 2008-05-28 03:08 58480 ----a-w- c:\documents and settings\NAME\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 19:02 . 2009-09-21 19:02 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2009-10-16 19:02 . 2009-07-17 19:03 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-10-10 00:12 . 2008-06-01 05:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-10 00:01 . 2008-05-23 02:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-09 14:54 . 2008-12-11 04:55 -------- d-----w- c:\documents and settings\NAME\Application Data\Buddi
2009-10-09 14:53 . 2008-05-28 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2009-10-09 14:53 . 2009-08-30 20:55 -------- d-----w- c:\documents and settings\Owner\Application Data\YouSendIt
2009-10-09 14:53 . 2008-06-12 04:54 -------- d-----w- c:\program files\LAME Mp3 Encoder
2009-10-09 14:53 . 2008-06-12 04:44 -------- d-----w- c:\program files\WAV to MP3 Encoder
2009-10-09 14:53 . 2008-05-31 18:27 -------- d-----w- c:\program files\HP
2009-10-09 14:53 . 2008-05-28 18:55 -------- d-----w- c:\program files\AIM95
2009-10-09 14:32 . 2009-01-21 00:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-09 14:20 . 2009-02-27 17:00 -------- d-----w- c:\documents and settings\NAME\Application Data\SUPERAntiSpyware.com
2009-10-09 14:16 . 2008-12-18 07:24 -------- d-----w- c:\documents and settings\NAME\Application Data\Systweak
2009-10-09 14:16 . 2008-12-18 07:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Systweak
2009-10-09 14:10 . 2008-12-01 03:31 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-10-07 14:19 . 2008-08-18 23:47 -------- d-----w- c:\program files\VideoLAN
2009-10-07 14:14 . 2009-10-07 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-10-07 14:13 . 2009-10-06 14:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-06 14:22 . 2008-07-15 18:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-25 11:42 . 2009-09-25 11:42 17204720 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup\rp\.exe
2009-09-25 11:42 . 2009-09-25 11:42 8406648 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2009-09-25 11:42 . 2009-09-25 11:42 10309448 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup\chr\ChromeInstaller.exe
2009-09-25 11:41 . 2009-09-25 11:41 52288 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll
2009-09-25 11:41 . 2009-09-25 11:41 64000 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll
2009-09-25 11:41 . 2009-09-25 11:41 50688 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll
2009-09-25 11:41 . 2009-09-25 11:41 114688 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup\RUP\inst_config\compat.dll
2009-09-18 14:15 . 2009-09-18 14:13 -------- d-----w- c:\documents and settings\NAME\Application Data\gtk-2.0
2009-09-10 19:54 . 2009-10-09 14:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-10-09 14:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 11:27 . 2009-09-03 11:27 488968 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup\setup.exe
2009-01-04 14:34 . 2008-12-07 19:38 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-01-04 14:34 . 2008-12-07 19:38 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-04 14:34 . 2008-12-07 19:38 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-01-04 14:34 . 2008-12-07 19:38 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-01-04 14:34 . 2008-12-07 19:38 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-07_00.43.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-08 14:56 . 2009-11-08 14:56 16384 c:\windows\Temp\Perflib_Perfdata_7a8.dat
+ 2009-11-08 14:56 . 2009-11-08 14:56 16384 c:\windows\Temp\Perflib_Perfdata_4ac.dat
+ 2009-11-08 14:38 . 2009-11-08 14:38 233472 c:\windows\ERDNT\AutoBackup\11-8-2009\Users\00000002\UsrClass.dat
+ 2009-11-08 14:38 . 2005-10-20 18:02 163328 c:\windows\ERDNT\AutoBackup\11-8-2009\ERDNT.EXE
+ 2009-11-08 14:38 . 2009-11-08 14:38 7974912 c:\windows\ERDNT\AutoBackup\11-8-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-01 185896]

c:\documents and settings\NAME\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\documents and settings\NAME\Desktop\fix me\erunt\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Device Detector 2.lnk
backup=c:\windows\pss\Device Detector 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TuneUp.ProgramStatisticsSvc"=2 (0x2)
"UxTuneUp"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"nwsyspsrv"=2 (0x2)
"nwscheduler"=2 (0x2)
"nwdbtools"=2 (0x2)
"aspnet_state"=3 (0x3)
"aawservice"=2 (0x2)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"Lavasoft Ad-Aware Service"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\NAME\\Desktop\\NAME's Briefcase\\Games\\Jewel Quest\\iWin Games\\WebUpdater.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/23/2009 2:02 PM 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/3/2009 12:44 PM 114768]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [1/20/2009 10:20 AM 13360]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/3/2009 12:44 PM 20560]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [1/20/2009 10:20 AM 68912]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [5/22/2008 8:21 PM 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [5/22/2008 8:21 PM 545088]
S3 BCASPROT;Advanced System Protector;\??\c:\program files\Systweak\Advanced System Protector\sasprot32.sys --> c:\program files\Systweak\Advanced System Protector\sasprot32.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 3:34 PM 1028432]
S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [5/22/2008 8:21 PM 19232]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 19:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
Trusted Zone: aol.com\free
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\NAME\Application Data\Mozilla\Firefox\Profiles\oh634g1o.NAME\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-08 08:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1576)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-08 9:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-08 15:04
ComboFix2.txt 2009-11-07 01:02

Pre-Run: 34,665,918,464 bytes free
Post-Run: 34,631,348,224 bytes free

- - End Of File - - BDA71C0FB956623941F28A4F111B66F5

Edited by modle, 08 November 2009 - 10:11 AM.
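The sections of the log above that a helper reads first are the "Reg Loading Points" (Run keys, startup-folder links, the Session Manager BootExecute value, the firewall's globally open ports) and the R/S service and driver lines, where ComboFix appends `[?]` when it cannot find a service's image on disk. The following is an added example, not part of modle's post and not a ComboFix feature: a small Python triage script that reads those lines and lists the entries an analyst would want to check by hand. The sample input is a handful of lines copied from the log above; the regexes, the "trusted prefix" list and the finding names are this example's own assumptions, not anything ComboFix defines.

```python
"""Triage the autostart sections of a ComboFix log (added example).

Assumptions (not from ComboFix): the line formats below are taken from the
log as pasted on the page; the TRUSTED_PREFIXES list and the finding kinds
are this script's own conventions.
"""
import re

# Default Windows XP BootExecute value. Anything appended runs as a native
# application before logon, which is why ComboFix prints the whole value.
DEFAULT_BOOTEXECUTE = {"autocheck autochk *"}

# Locations an autostart binary is normally expected to live in (assumption).
TRUSTED_PREFIXES = (r"c:\windows", r"c:\program files", r"c:\progra~1")

BOOTEXEC_RE = re.compile(r"^BootExecute\s+REG_MULTI_SZ\s+(?P<value>.+)$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[')
LNK_RE = re.compile(r"^(?P<name>.+\.lnk) - (?P<path>.+?) \[")
SVC_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.+)$")
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')

# Constructed sample: lines copied from the log above, nothing else.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]

c:\documents and settings\NAME\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\documents and settings\NAME\Desktop\fix me\erunt\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32\0lsdelete

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/23/2009 2:02 PM 64160]
S3 BCASPROT;Advanced System Protector;\??\c:\program files\Systweak\Advanced System Protector\sasprot32.sys --> c:\program files\Systweak\Advanced System Protector\sasprot32.sys [?]
"""


def bootexecute_extras(value):
    """Split a REG_MULTI_SZ as ComboFix prints it (entries joined by a literal
    backslash-zero) and drop the default autochk entry."""
    return [e for e in value.split(r"\0") if e and e not in DEFAULT_BOOTEXECUTE]


def is_trusted_path(path):
    """True when the binary lives under one of the expected directories."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def triage(lines):
    """Return (kind, detail) findings for autostart lines worth a second look.

    A finding means "check this by hand", not "this is malware".
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        m = BOOTEXEC_RE.match(line)
        if m:
            for extra in bootexecute_extras(m.group("value")):
                findings.append(("bootexecute", extra))
            continue
        m = SVC_RE.match(line)
        if m:
            # "[?]" is how ComboFix marks a service whose image is not on disk:
            # an orphan from an uninstalled product, or a file hidden/removed
            # from under a registry entry that still points at it.
            if m.group("rest").endswith("[?]"):
                findings.append(("missing-service-image", m.group("name")))
            continue
        m = PORT_RE.match(line)
        if m:
            findings.append(("open-port", f"{m.group('port')}/{m.group('proto')}"))
            continue
        m = RUN_RE.match(line) or LNK_RE.match(line)
        if m and not is_trusted_path(m.group("path")):
            findings.append(("untrusted-autostart", m.group("name")))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG.splitlines()):
        print(f"{kind:24} {detail}")
```

Run against the sample it reports the ERUNT startup link (a user-profile path), the two non-default BootExecute entries, the globally open 3389/TCP Remote Desktop port, and the BCASPROT driver whose sasprot32.sys is missing. Every one of those is a "look here" rather than a verdict: the ERUNT link is the helper's own registry-backup tool, the BootExecute names have to be matched against the security products the log shows installed, and a `[?]` service is as often an uninstall leftover as it is something hiding.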