trojan and/or possible rootkit


  • This topic is locked
3 replies to this topic

#1 jopa66

  • Members
  • 10 posts
  • Gender:Male
  • Location:Windsor CANADA

Posted 23 November 2009 - 09:33 PM

I did a dumb thing yesterday. Downloaded a movie and WMP said it needed a codec for DRM restrictions or something. The message asked me to download a file called "Free Codec v.2.1.5.exe". Downloaded the file and scanned it with Avira AntiVir - nothing found! Ran the file but the movie still doesn't play, asking me again to download the codec. Now I'm suspicious and immediately do a registry restore from a saved backup and re-boot. At bootup I'm treated to the BSOD, even in the Safe Mode option. BSOD culprit was sptd.sys (from Daemon Tools). Skipping the load for sptd.sys gets me to Safe Mode, where I uninstall Daemon Tools. Now I can get to the Desktop but strange things are happening.

I am running Windows XP SP-3 and patches are up-to-date. System has two hard drives - a small 10Gig drive C: with barebones Windows XP (system partition) (not updated and no Internet access - used mainly for the Internet Explorer cache and the pagefile). Drive D: is the main OS (boot partition) and has a small pagefile (128KB) to accommodate any crash dumps (64KB). After reboot, the Event Log showed an error saying it could not find the pagefile for the crash dump after the BSOD... but the file is still there. Further checking reveals that my 250 GB hard drive is not visible in either Device Manager or Disk Manager. I have no trouble booting up or accessing D: and E: from Windows Explorer. (E: is the second partition of the 250 GB drive.)

Around this time Avira did its daily update and - you guessed it - "Free Codec v.2.1.5.exe" is now identified as a virus in the Temporary Internet Files. It is now quarantined and labeled TR/PCK.Tdss.Z.298 Trojan. I have tried various tools to get rid of this thing: Spybot, Malwarebytes, Avira AntiVir, ComboFix, and a couple of older rootkit eliminators from AVG and BitDefender. TrendMicro online scanner craps out halfway through the scan.

The reason I'm thinking rootkit is that periodically a hidden IExplore instance will start up which will then traverse to many different sites in the background. Sysinternals Process Explorer can see (and kill) the process. Checking properties of the process - under the Image tab - shows Path: "D:\Program Files\Internet Explorer\IEXPLORE.EXE" (normal)
Command Line: "D:\Program Files\Internet Explorer\IEXPLORE.EXE" h??p://top-name.cn/in.cgi?5 (not normal). Hitting the "Bring to Front" button says "no visible windows found". This process will then go to many different sites, some of which play music or talking as if on a radio. The thing apparently wants to come and go at intervals but I am also running Process Guard from Diamond CS, which blocks Windows Explorer from terminating the rogue IExplore. If necessary I could provide a list of sites that it goes to.

Have tried a registry search for "top-name.cn". Have replaced both Explorer.exe and IExplore.exe from the uninfected drive C: install. I don't know what else to try. The logs you ask for are attached below. I also have the ComboFix log from this morning if you want it.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:16:55 PM, on 11/23/09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir Desktop\sched.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
D:\Program Files\CachemanXP\CachemanXP.exe
D:\Program Files\ProcessGuard\dcsuserprot.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\NetLimiter 2 Pro\nlsvc.exe
D:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
D:\Program Files\UPHClean\uphclean.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\TuneUp Utilities 2010\TuneUpSystemStatusCheck.exe
D:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\NetLimiter 2 Pro\NLClient.exe
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\Program Files\ProcessGuard\pgaccount.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\NetWorx\networx.exe
C:\_no-inst (Apps)\Everything 1.2.1.371\Everything-1.2.1.371.exe
D:\Program Files\OpenDNS Updater\OpenDNS Updater.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Desksware\Calendar.exe
D:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
D:\Program Files\ProcessGuard\procguard.exe
D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\_no-inst (Apps)\CacheSentry\CacheSentry.exe
D:\Program Files\WordWeb\wweb32.exe
D:\Program Files\AWC\AWC.exe
D:\Program Files\ClipCache\clipc.exe
C:\_no-inst (Apps)\dm2-1.23.1\DM2.exe
C:\tools\procexp.exe
C:\_no-inst (Apps)\TitleTime v2.11\TiTime.exe
C:\_no-inst (Apps)\TitleTime v2.11\TiTimeDC.exe
C:\_no-inst (Apps)\TitleTime v2.11\TiTimeDD.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\_no-inst (Apps)\HijackThis v2.0.0.2\HijackThis.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: jopa66 Toolbar - {fb228b45-6686-4e19-990d-af10901d4a24} - D:\Program Files\jopa66\tbjop0.dll
O3 - Toolbar: jopa66 Toolbar - {fb228b45-6686-4e19-990d-af10901d4a24} - D:\Program Files\jopa66\tbjop0.dll
O3 - Toolbar: &NetWorx Desk Band - {FEEA54B4-D80F-41C7-87B9-DC08E6D3255F} - D:\PROGRA~1\NetWorx\deskband.dll
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [!1_pgaccount] "D:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [NetWorx] "D:\Program Files\NetWorx\networx.exe" /auto
O4 - HKLM\..\Run: [Everything] "C:\_no-inst (Apps)\Everything 1.2.1.371\Everything-1.2.1.371.exe" -startup
O4 - HKLM\..\Run: [OpenDNS Update] "D:\Program Files\OpenDNS Updater\OpenDNS Updater.exe"
O4 - HKLM\..\Run: [Calendar] D:\Program Files\Desksware\Calendar.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SRS Audio Sandbox] "D:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "D:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [WeatherEye] D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - Startup: AWC (lower priority).lnk = D:\WINDOWS\system32\cmd.exe
O4 - Startup: bitdefender Anti-Rootkit.lnk = D:\Program Files\bitdefender_antirootkit\bitdefender_antirootkit-BETA2.exe
O4 - Startup: ClipCache Pro.lnk = D:\Program Files\ClipCache\clipc.exe
O4 - Startup: DM2.lnk = C:\_no-inst (Apps)\dm2-1.23.1\DM2.exe
O4 - Startup: Process Explorer.lnk = C:\tools\procexp.exe
O4 - Startup: TiTime.lnk = C:\_no-inst (Apps)\TitleTime v2.11\TiTime.exe
O4 - Startup: WeatherEye.lnk = ?
O4 - Global Startup: CacheSentry.lnk = C:\_no-inst (Apps)\CacheSentry\CacheSentry.exe
O4 - Global Startup: WordWeb Pro.lnk = D:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: CacheSentry - {B72455AE-D3DE-492a-8FE0-0EA053B85277} - C:\_no-inst (Apps)\CacheSentry\CacheSentry.exe
O9 - Extra 'Tools' menuitem: CacheSentry - {B72455AE-D3DE-492a-8FE0-0EA053B85277} - C:\_no-inst (Apps)\CacheSentry\CacheSentry.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1254831484046
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - D:\Program Files\CachemanXP\CachemanXP.exe
O23 - Service: DiamondCS ProcessGuard Service v3.500 (DCSPGSRV) - DiamondCS - D:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - D:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - D:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - D:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

--
End of file - 7708 bytes



DDS (Ver_09-11-23.01) - NTFSx86
Run by jopa at 19:32:41.48 on 11/23/09
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.508 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
D:\WINDOWS\system32\svchost -k rpcss
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\WINDOWS\system32\svchost.exe -k NetworkService
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir Desktop\sched.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
D:\Program Files\CachemanXP\CachemanXP.exe
D:\Program Files\ProcessGuard\dcsuserprot.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\NetLimiter 2 Pro\nlsvc.exe
D:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
D:\Program Files\UPHClean\uphclean.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\TuneUp Utilities 2010\TuneUpSystemStatusCheck.exe
D:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\NetLimiter 2 Pro\NLClient.exe
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\Program Files\ProcessGuard\pgaccount.exe
D:\WINDOWS\system32\svchost.exe -k LocalService
D:\Program Files\NetWorx\networx.exe
C:\_no-inst (Apps)\Everything 1.2.1.371\Everything-1.2.1.371.exe
D:\Program Files\OpenDNS Updater\OpenDNS Updater.exe
D:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\Program Files\Desksware\Calendar.exe
D:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
D:\Program Files\ProcessGuard\procguard.exe
D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\_no-inst (Apps)\CacheSentry\CacheSentry.exe
D:\Program Files\WordWeb\wweb32.exe
D:\Program Files\AWC\AWC.exe
D:\Program Files\ClipCache\clipc.exe
C:\_no-inst (Apps)\dm2-1.23.1\DM2.exe
C:\tools\procexp.exe
C:\_no-inst (Apps)\TitleTime v2.11\TiTime.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe
C:\_no-inst (Apps)\TitleTime v2.11\TiTimeDC.exe
C:\_no-inst (Apps)\TitleTime v2.11\TiTimeDD.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\explorer.exe
E:\My Downloads\dds.scr
D:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.msn.com
mLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.msn.com
mWindow Title = ~
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - d:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: jopa66 Toolbar: {fb228b45-6686-4e19-990d-af10901d4a24} - d:\program files\jopa66\tbjop0.dll
TB: jopa66 Toolbar: {fb228b45-6686-4e19-990d-af10901d4a24} - d:\program files\jopa66\tbjop0.dll
TB: &NetWorx Desk Band: {feea54b4-d80f-41c7-87b9-dc08e6d3255f} - d:\progra~1\networx\deskband.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} -
uRun: [SRS Audio Sandbox] "d:\program files\srs labs\audio sandbox\SRSSSC.exe" /hideme
uRun: [!1_ProcessGuard_Startup] "d:\program files\processguard\procguard.exe" -minimize
uRun: [WeatherEye] d:\program files\theweathernetwork\weathereye\WeatherEye.exe
mRun: [avgnt] "d:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [!1_pgaccount] "d:\program files\processguard\pgaccount.exe"
mRun: [NetWorx] "d:\program files\networx\networx.exe" /auto
mRun: [Everything] "c:\_no-inst (apps)\everything 1.2.1.371\Everything-1.2.1.371.exe" -startup
mRun: [OpenDNS Update] "d:\program files\opendns updater\OpenDNS Updater.exe"
mRun: [Calendar] d:\program files\desksware\Calendar.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "d:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: d:\docume~1\jopa\startm~1\programs\startup\awc(lo~1.lnk - d:\windows\system32\cmd.exe
StartupFolder: d:\docume~1\jopa\startm~1\programs\startup\bitdef~1.lnk - d:\program files\bitdefender_antirootkit\bitdefender_antirootkit-BETA2.exe
StartupFolder: d:\docume~1\jopa\startm~1\programs\startup\clipca~1.lnk - d:\program files\clipcache\clipc.exe
StartupFolder: d:\docume~1\jopa\startm~1\programs\startup\dm2.lnk - c:\_no-inst (apps)\dm2-1.23.1\DM2.exe
StartupFolder: d:\docume~1\jopa\startm~1\programs\startup\proces~1.lnk - c:\tools\procexp.exe
StartupFolder: d:\docume~1\jopa\startm~1\programs\startup\titime.lnk - c:\_no-inst (apps)\titletime v2.11\TiTime.exe
StartupFolder: d:\docume~1\jopa\startm~1\programs\startup\weathe~1.lnk - d:\program files\theweathernetwork\weathereye\WeatherEye.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\caches~1.lnk - c:\_no-inst (apps)\cachesentry\CacheSentry.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\wordwe~1.lnk - d:\program files\wordweb\wweb32.exe
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: ForceCopyACLWithFile = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - d:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {B72455AE-D3DE-492a-8FE0-0EA053B85277} - c:\_no-inst (apps)\cachesentry\CacheSentry.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1254831484046
DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} - hxxp://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\jopa\applic~1\mozilla\firefox\profiles\rrahp7i9.default\
FF - component: d:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 600000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 600000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 nltdi;nltdi;d:\windows\system32\drivers\nltdi.sys [2007-4-23 82200]
R1 PSSDK42;PSSDK42;d:\windows\system32\drivers\pssdk42.sys [2009-10-18 38976]
R1 UltDefrag;UDefrag Driver;d:\windows\system32\uddriver.sys [2008-11-29 15040]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\avira\antivir desktop\sched.exe [2009-7-31 108289]
R2 CachemanXPService;CachemanXP;d:\program files\cachemanxp\CachemanXP.exe [2009-7-24 316416]
R2 DCSPGSRV;DiamondCS ProcessGuard Service v3.500;d:\program files\processguard\DCSUserProt.exe [2009-8-5 31744]
R2 procguard;procguard;d:\windows\system32\drivers\procguard.sys [2009-8-5 26688]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;d:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2009-10-30 1021256]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;d:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]

=============== Created Last 30 ================

2009-11-23 18:07:32 1033728 ----a-w- d:\windows\explorer.exe
2009-11-23 11:43:09 98816 ----a-w- d:\windows\sed.exe
2009-11-23 11:43:09 77312 ----a-w- d:\windows\MBR.exe
2009-11-23 11:43:09 260608 ----a-w- d:\windows\PEV.exe
2009-11-23 11:43:09 161792 ----a-w- d:\windows\SWREG.exe
2009-11-23 05:39:46 157712 ----a-w- d:\windows\system32\drivers\tmcomm.sys
2009-11-23 04:42:03 10361462 ----a-w- d:\windows\registry.daz
2009-11-21 23:45:08 47360 ------w- d:\docume~1\jopa\applic~1\pcouffin.sys
2009-11-21 14:09:40 167 ----a-w- d:\windows\ShellPicture.INI
2009-11-20 20:23:02 0 d-----w- d:\docume~1\jopa\applic~1\X-Setup Pro
2009-11-20 11:52:32 0 d-----w- d:\docume~1\jopa\applic~1\AnBSoft
2009-11-19 22:47:39 0 d-----w- d:\docume~1\jopa\applic~1\Foxit Software
2009-11-16 18:53:45 0 d-----w- d:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-11-12 22:03:30 111616 ----a-w- d:\windows\system32\ActualEarth.scr
2009-11-12 22:03:30 0 d-----w- d:\program files\Actual Earth 3D
2009-11-12 21:47:26 102400 ----a-w- d:\windows\system32\ActualMoon.scr
2009-11-12 21:47:26 0 d-----w- d:\program files\Actual Moon 3D
2009-11-12 21:38:19 794624 ----a-w- d:\windows\system32\Experience Engine.dll
2009-11-12 21:38:19 65536 ----a-w- d:\windows\system32\GameAquariumPlugin.dll
2009-11-12 21:38:19 110592 ----a-w- d:\windows\system32\Amazing 3D Aquarium.scr
2009-11-12 21:38:18 0 d-----w- d:\program files\Amazing 3D Aquarium
2009-11-12 14:18:24 200704 ----a-w- d:\windows\Autumn Sunset.scr
2009-11-12 14:14:55 0 d-----w- d:\program files\AnBSoft
2009-11-11 21:07:10 3249 ----a-w- d:\windows\system32\wbem\Outlook_01ca6312eecf9c68.mof
2009-11-11 18:55:52 0 d-----w- d:\program files\Microsoft ActiveSync
2009-11-11 18:54:49 0 d-----w- d:\windows\SHELLNEW
2009-11-11 16:39:13 0 d-----w- d:\windows\system32\CatRoot2
2009-11-11 13:32:20 29512 ----a-w- d:\windows\system32\TURegOpt.exe
2009-11-11 13:32:19 30024 ----a-w- d:\windows\system32\uxtuneup.dll
2009-11-11 13:32:01 0 d-----w- d:\docume~1\jopa\applic~1\TuneUp Software
2009-11-11 13:31:53 0 d-----w- d:\program files\TuneUp Utilities 2010
2009-11-11 13:31:30 0 d-----w- d:\docume~1\alluse~1\applic~1\TuneUp Software
2009-11-09 01:37:55 0 d-----w- d:\program files\Disk Investigator
2009-11-05 16:10:54 0 d-----w- d:\program files\DiskTrix
2009-11-05 00:02:04 0 d-----w- d:\docume~1\alluse~1\applic~1\X-Setup Pro
2009-11-03 11:25:54 0 d-----w- d:\program files\AceReader Pro (Server)
2009-11-01 12:23:43 0 d-----w- d:\docume~1\jopa\applic~1\VistaCodecs
2009-11-01 12:23:37 0 d-----w- d:\program files\VistaCodecPack
2009-11-01 12:22:48 0 d-----w- d:\docume~1\alluse~1\applic~1\VistaCodecs
2009-10-31 12:35:13 8823673 ----a-w- d:\windows\registry.zzz
2009-10-29 23:43:57 73728 ----a-w- d:\windows\system32\javacpl.cpl
2009-10-28 14:35:38 0 d-----w- d:\docume~1\jopa\applic~1\IObit
2009-10-28 14:35:37 0 d-----w- d:\program files\IObit
2009-10-27 13:23:46 1092096 ----a-w- d:\windows\system32\Cyber Waves.scr
2009-10-27 13:23:46 0 d-----w- d:\program files\Cyber Waves
2009-10-26 18:23:28 0 d-----w- d:\docume~1\jopa\applic~1\KC Softwares
2009-10-26 16:16:04 0 d-----w- d:\program files\Stellarium
2009-10-26 16:14:21 0 d-----w- d:\program files\Planetarium0220
2009-10-26 16:11:44 0 d-----w- d:\program files\Celestia
2009-10-26 16:07:51 0 d-----w- d:\program files\Alice Law
2009-10-25 23:43:24 0 d-----w- d:\program files\3Deep Space

==================== Find3M ====================

2009-11-24 00:33:16 240660 ----a-w- d:\windows\system32\pghash.dat
2009-11-23 23:56:21 237644 ----a-w- d:\windows\system32\pguard.dat
2009-10-29 23:43:45 411368 ----a-w- d:\windows\system32\deploytk.dll
2009-10-25 23:44:27 4038656 ----a-w- d:\windows\system32\3D Interstellar Voyager.scr
2009-10-20 23:11:02 38976 ----a-w- d:\windows\system32\drivers\pssdk42.sys
2009-10-08 19:57:02 611328 ----a-w- d:\windows\system32\uiautomationcore.dll
2009-10-08 19:57:00 220160 ----a-w- d:\windows\system32\oleacc.dll
2009-10-08 19:56:56 20480 ----a-w- d:\windows\system32\oleaccrc.dll
2009-09-28 16:08:48 69824 ----a-w- d:\windows\system32\drivers\LxrJD31d.sys
2009-09-28 16:08:48 61440 ----a-w- d:\windows\system32\LxrJD20Sat.dll
2009-09-28 16:08:48 53248 ----a-w- d:\windows\system32\LxrJD31s.exe
2009-09-28 16:08:48 249856 ----a-w- d:\windows\system32\LxrJD31.dll
2009-09-28 16:08:48 167936 ----a-w- d:\windows\system32\LxrJD31c.exe
2009-09-28 16:08:48 146432 ----a-w- d:\windows\system32\LxrJD31p.exe
2009-09-24 05:46:04 85504 ----a-w- d:\windows\system32\ff_vfw.dll
2009-09-11 14:13:26 136704 ----a-w- d:\windows\system32\msv1_0.dll
2009-09-07 08:13:04 69382 ----a-w- d:\windows\system32\pthreadGC2.dll
2009-09-04 21:44:40 69464 ----a-w- d:\windows\system32\XAPOFX1_3.dll
2009-09-04 21:44:40 515416 ----a-w- d:\windows\system32\XAudio2_5.dll
2009-09-04 21:44:40 238936 ----a-w- d:\windows\system32\xactengine3_5.dll
2009-09-04 21:29:34 453456 ----a-w- d:\windows\system32\d3dx10_42.dll
2009-09-04 21:29:34 235344 ----a-w- d:\windows\system32\d3dx11_42.dll
2009-09-04 21:29:32 5501792 ----a-w- d:\windows\system32\d3dcsx_42.dll
2009-09-04 21:29:32 1974616 ----a-w- d:\windows\system32\D3DCompiler_42.dll
2009-09-04 21:29:30 1892184 ----a-w- d:\windows\system32\D3DX9_42.dll
2009-09-04 21:03:36 58880 ----a-w- d:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ------w- d:\windows\system32\wininet.dll
2009-08-26 08:03:23 247326 ----a-w- d:\windows\system32\strmdll.dll
2009-07-24 00:07:46 32768 --sha-w- d:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009072320090724\index.dat

============= FINISH: 19:35:56.23 ===============


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/23 19:39
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: PROCEXP113.SYS
Image Path: D:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF7DCF000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: D:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB472E000 Size: 49152 File Visible: No Signed: -
Status: -

Name: uphcleanhlp.sys
Image Path: D:\WINDOWS\system32\Drivers\uphcleanhlp.sys
Address: 0xB4995000 Size: 8960 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: d:\program files\processguard\logs\pglog_2009'11'23_mon.txt
Status: Size mismatch (API: 651210, Raw: 650782)

Path: d:\documents and settings\jopa\local settings\temp\fla8.tmp
Status: Size mismatch (API: 13685316, Raw: 11774692)

Path: d:\documents and settings\jopa\local settings\temp\~df2400.tmp
Status: Allocation size mismatch (API: 32768, Raw: 16384)

Path: D:\Documents and Settings\jopa\Local Settings\Temp\~DFCE9C.tmp
Status: Locked to the Windows API!

Path: d:\documents and settings\jopa\local settings\temp\~dfeaef.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: D:\Documents and Settings\jopa\Local Settings\Temp\~DFF05E.tmp
Status: Locked to the Windows API!

SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bd753c

#: 041 Function Name: NtCreateKey
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bd9678

#: 053 Function Name: NtCreateThread
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bda534

#: 063 Function Name: NtDeleteKey
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bd9d71

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bd9c6f

#: 084 Function Name: NtFsControlFile
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bd755e

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xb79fa35a

#: 116 Function Name: NtOpenFile
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bd751e

#: 119 Function Name: NtOpenKey
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bd9644

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xb79fa328

#: 125 Function Name: NtOpenSection
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bd90b3

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xb79fa32d

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bd9452

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bd942f

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xb79fa364

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bd87c8

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xb79fa35f

#: 213 Function Name: NtSetContextThread
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bda9b4

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bda1f7

#: 247 Function Name: NtSetValueKey
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bd9816

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bd9475

#: 254 Function Name: NtSuspendThread
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bda9f2

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bd9410

#: 258 Function Name: NtTerminateThread
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bda9d3

#: 263 Function Name: NtUnloadKey
Status: Hooked by "D:\WINDOWS\system32\Drivers\uphcleanhlp.sys" at address 0xb49956d0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bd93ed

Shadow SSDT
-------------------
#: 421 Function Name: NtUserGetMessage
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bda1d3

#: 474 Function Name: NtUserPeekMessage
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bda1ac

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bd9f58

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "D:\WINDOWS\system32\drivers\procguard.sys" at address 0xf7bd9dd9

==EOF==
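
One way to triage a hook listing like the one above is to parse it rather than read it by eye. The block below is an added example, not part of the original post or of the scanner that produced the log; the sample records are a constructed excerpt in the same `#: N Function Name: … / Status: Hooked by "…" at address …` layout, with module paths and addresses copied from this thread, and the top-level `SSDT` header line is assumed from the tool's usual layout (only the `Shadow SSDT` header is visible here). It groups hooks by the module that installed them, flags entries the scanner reported as `<unknown>`, and clusters nearby handler addresses, since hooks whose handlers sit within one small address window were most likely installed by the same loaded image.

```python
"""Parse and triage an SSDT / Shadow SSDT hook listing.

Added example (not the scanner's own code). Reads records of the form
    #: 193 Function Name: NtReplaceKey
    Status: Hooked by "<unknown>" at address 0xb79fa364
groups them by hooking module, lists unresolved owners and clusters
addresses so that hooks from one image stand out.
"""
import re
from collections import defaultdict

# Constructed sample in the same layout as the thread's log; the "SSDT"
# header line is assumed, the records are copied from the listing above.
SAMPLE_LOG = """\
SSDT
-------------------
#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xb79fa364

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xb79fa35f

#: 247 Function Name: NtSetValueKey
Status: Hooked by "D:\\WINDOWS\\system32\\drivers\\procguard.sys" at address 0xf7bd9816

#: 263 Function Name: NtUnloadKey
Status: Hooked by "D:\\WINDOWS\\system32\\Drivers\\uphcleanhlp.sys" at address 0xb49956d0

Shadow SSDT
-------------------
#: 421 Function Name: NtUserGetMessage
Status: Hooked by "D:\\WINDOWS\\system32\\drivers\\procguard.sys" at address 0xf7bda1d3

==EOF==
"""

ENTRY_RE = re.compile(r'^#:\s*(\d+)\s+Function Name:\s*(\S+)\s*$')
STATUS_RE = re.compile(
    r'^Status:\s*Hooked by\s+"([^"]*)"\s+at address\s+(0x[0-9a-fA-F]+)\s*$')


def parse_hooks(text):
    """Return one dict per hooked entry: table, index, function, module, address."""
    hooks, table, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("SSDT", "Shadow SSDT"):
            table = line          # section header: remember which table follows
            continue
        m = ENTRY_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            idx, func = pending
            hooks.append({"table": table, "index": idx, "function": func,
                          "module": m.group(1), "address": int(m.group(2), 16)})
            pending = None
    return hooks


def group_by_module(hooks):
    """Map case-folded module path -> sorted list of hooked function names."""
    groups = defaultdict(list)
    for h in hooks:
        groups[h["module"].lower()].append(h["function"])
    return {mod: sorted(funcs) for mod, funcs in groups.items()}


def unresolved_hooks(hooks):
    """Hooks whose owning module the scanner could not identify."""
    return [h for h in hooks if h["module"] == "<unknown>"]


def cluster_addresses(hooks, span=0x10000):
    """Group hooks whose handler addresses lie within `span` bytes of each other.

    Handlers that land in one small window almost always belong to the same
    loaded image, which helps attribute entries reported as "<unknown>".
    """
    clusters = []
    for h in sorted(hooks, key=lambda h: h["address"]):
        if clusters and h["address"] - clusters[-1][-1]["address"] <= span:
            clusters[-1].append(h)
        else:
            clusters.append([h])
    return clusters


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for mod, funcs in group_by_module(hooks).items():
        print(f"{mod}: {', '.join(funcs)}")
    for h in unresolved_hooks(hooks):
        print(f"unresolved owner: {h['function']} at {h['address']:#x}")
    for c in cluster_addresses(hooks):
        print("cluster:", [(h["function"], hex(h["address"])) for h in c])
```

Running it on the sample shows the two `<unknown>` hooks (NtRestoreKey, NtReplaceKey) sitting five bytes apart in one cluster, separate from the procguard.sys and uphcleanhlp.sys clusters; that is the kind of grouping a helper checks before deciding which driver to look at next.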


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:08 PM

Posted 29 November 2009 - 08:42 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient, and I'd be grateful if you would note the following:
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new DDS log
  • GMER log


Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks, and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 jopa66

jopa66
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Windsor CANADA
  • Local time:01:08 PM

Posted 30 November 2009 - 06:32 PM

hello elise025...

Thank you for your response, but I have since resolved the original problem; just getting back to let you know. Further to my original description of the problem, I noticed that my searches (even with Firefox) were getting hijacked. I cannot give any details of the infection as I chose to format the drive and re-install. All is now as it should be.

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:08 PM

Posted 01 December 2009 - 04:06 AM

Glad you got it fixed.

This topic is now closed.

regards, Elise
