Rogue.AntiVirusPro and a few others


  • This topic is locked
23 replies to this topic

#1 Jestrix

  • Members
  • 17 posts

Posted 27 December 2009 - 12:02 PM

Hi –

Boopme requested that I post my HJT/DDS log. My original post is here if you want to take a look at it; I will try to give the condensed version:

http://www.bleepingcomputer.com/forums/t/278141/rogueantiviruspro-and-others/

I am running Windows XP SP3. I have Malwarebytes Anti-Malware, Spybot S&D, and Symantec Endpoint Protection running. A while ago MBAM reported Rogue.AntiVirusPro, seres.exe, and other goodies on my machine. I tried to let MBAM clean the files, reboot, and then rescan.

Sometimes when I rescan nothing comes back. Most of the time it will find the same infections. I have scanned with AVG and spybot. Also used SuperAntiSpyware and rootrepeal per Boopme’s instructions.

Nothing has turned up except in MBAM. So I completely uninstalled MBAM and reinstalled. It scanned and found the same infections. I let it clean them, rebooted and rescanned and it found nothing. I logged in several days later and rescanned and it found those same infections again.

I also noticed that sometimes when I shut down I get an error about FileZillaServer.exe not wanting to shut down, or something like that. Not all the time, but sometimes. I did have FileZilla installed but have since uninstalled it, yet FileZillaServer.exe still shows up in the process list. Otherwise everything seems to be operating as it should.

I have attached my logs to this post per directions given.

Please advise and thanks for any and all efforts in correcting this problem! I really appreciate it!

*** DDS LOG ***


DDS (Ver_09-12-01.01) - NTFSx86
Run by scott.burcky at 22:32:41.28 on Sat 12/26/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2793 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
c:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe
C:\Documents and Settings\scott.burcky\My Documents\Web\xampp\apache\bin\httpd.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Documents and Settings\scott.burcky\My Documents\Web\xampp\filezillaftp\filezillaserver.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Documents and Settings\scott.burcky\My Documents\Web\xampp\mysql\bin\mysqld.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\StacSV.exe
C:\Documents and Settings\scott.burcky\My Documents\Web\xampp\apache\bin\httpd.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\scott.burcky\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070802
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {B24BA06E-FB7B-4757-95C2-DC01125F750E} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Kaseya Agent Service Helper] "c:\program files\kaseya\agent\KaUsrTsk.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [AgentUiRunKey] "c:\program files\iron mountain\connected backuppc\Agent.exe" -ni -sss -e http://localhost:16386/
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204223065453
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli Twmstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\scott~1.bur\applic~1\mozilla\firefox\profiles\gpcpaw88.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/scott.burcky/My%20Documents/Web/index.html
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 AgentService;AgentService;c:\program files\iron mountain\connected backuppc\AgentService.exe [2008-8-1 6600000]
R2 Apache2.2;Apache2.2;c:\documents and settings\scott.burcky\my documents\web\xampp\apache\bin\httpd.exe [2008-12-9 24636]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-9-24 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-9-24 108392]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-12-19 276816]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2008-9-24 2436536]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [2009-2-6 20792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-12-19 19160]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091226.017\NAVENG.SYS [2009-12-26 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091226.017\NAVEX15.SYS [2009-12-26 1323568]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-9-24 23888]
S3 LV_Tracker;LV_Tracker;c:\windows\system32\drivers\LV_Tracker.sys [2008-8-1 45384]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
UnknownUnknown KaseyaAgent;KaseyaAgent; [x]

=============== Created Last 30 ================

2009-12-19 19:13:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-19 19:13:46 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-19 19:13:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-13 03:31:35 0 d-----w- c:\temp\bleeping
2009-12-13 03:05:25 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-13 03:05:12 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-13 03:05:12 0 d-----w- c:\docume~1\scott~1.bur\applic~1\SUPERAntiSpyware.com
2009-12-13 03:04:07 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-09 22:09:21 0 d-----w- c:\temp\SEPFix
2009-12-08 00:13:30 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-12-08 00:04:12 1435648 ------w- c:\windows\system32\dllcache\query.dll
2009-12-07 23:53:24 657272 ----a-w- c:\temp\windowsxp-kb975025-x86-enu_a7cb9fdfedb5e7b464709910afeec4cff61c89f4.exe
2009-12-07 23:52:58 498552 ----a-w- c:\temp\windowsxp-kb973525-x86-enu_81227dc379d43ad8ac33daaffe7576ee1a942c2e.exe
2009-12-07 23:52:50 2700664 ----a-w- c:\temp\windowsxp-kb971486-x86-enu_27160a11280bf18c47f239cf813eba95be44edc5.exe
2009-12-06 18:03:42 52016047 ----a-w- c:\temp\2001192420perfstats_12_06.zip
2009-12-04 22:55:24 2297047 ----a-w- c:\temp\auditlogs.zip
2009-11-30 15:44:57 0 d-----w- c:\temp\malwarefix

==================== Find3M ====================

2009-12-04 13:56:52 149768 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2008-02-29 12:22:28 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-02-06 19:42:58 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020620090207\index.dat

============= FINISH: 22:33:34.96 ===============


*** ROOTREPEAL LOG ***

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/26 22:42
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA88B4000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5C6000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA6BB6000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "" at address 0x8ad1cd58

#: 013 Function Name: NtAlertThread
Status: Hooked by "" at address 0x8ae4ddf8

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "" at address 0x8ac56e48

#: 031 Function Name: NtConnectPort
Status: Hooked by "" at address 0x8aef36b0

#: 043 Function Name: NtCreateMutant
Status: Hooked by "" at address 0x8ac91c48

#: 053 Function Name: NtCreateThread
Status: Hooked by "" at address 0x8ac21d88

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "" at address 0x8afc0b00

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "" at address 0x8ab36b18

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "" at address 0x8ac62ca8

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "" at address 0x8abfae18

#: 114 Function Name: NtOpenEvent
Status: Hooked by "" at address 0x87a8e1a8

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "" at address 0x8aeb0d60

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "" at address 0x8ae053b0

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xba16d6a0

#: 143 Function Name: NtQueryDefaultLocale
Status: Hooked by "C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys" at address 0xa8a9c8a0

#: 206 Function Name: NtResumeThread
Status: Hooked by "" at address 0x8ac4def8

#: 213 Function Name: NtSetContextThread
Status: Hooked by "" at address 0x8af6ec40

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "" at address 0x8ac03f28

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "" at address 0x8af2b960

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "" at address 0x8aaacb48

#: 254 Function Name: NtSuspendThread
Status: Hooked by "" at address 0x8ae4ee90

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "" at address 0x8ae9b278

#: 258 Function Name: NtTerminateThread
Status: Hooked by "" at address 0x8ae04aa8

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "" at address 0x8aef38b0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "" at address 0x8ad54b88

==EOF==


#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,911 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 06 January 2010 - 06:38 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results; click No to the Optional_Scan.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, then enable your A/V and reconnect to the internet. You can find information on A/V control HERE.

Orange Blossom :(
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Jestrix
  • Topic Starter

  • Members
  • 17 posts

Posted 08 January 2010 - 10:05 PM

Hi, and I hope you had a good holiday.

Here is the log you requested from the DDS scan I just performed. Thanks.


DDS (Ver_09-12-01.01) - NTFSx86
Run by scott.burcky at 22:00:18.51 on Fri 01/08/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2709 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
c:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\scott.burcky\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070802
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {B24BA06E-FB7B-4757-95C2-DC01125F750E} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Kaseya Agent Service Helper] "c:\program files\kaseya\agent\KaUsrTsk.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [AgentUiRunKey] "c:\program files\iron mountain\connected backuppc\Agent.exe" -ni -sss -e http://localhost:16386/
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204223065453
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli Twmstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\scott~1.bur\applic~1\mozilla\firefox\profiles\gpcpaw88.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/scott.burcky/My%20Documents/Web/index.html
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 AgentService;AgentService;c:\program files\iron mountain\connected backuppc\AgentService.exe [2008-8-1 6600000]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-9-24 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-9-24 108392]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-12-19 236368]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2008-9-24 2436536]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [2009-2-6 20792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-12-19 19160]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091231.119\NAVENG.SYS [2010-1-8 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091231.119\NAVEX15.SYS [2010-1-8 1323568]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-9-24 23888]
S3 LV_Tracker;LV_Tracker;c:\windows\system32\drivers\LV_Tracker.sys [2008-8-1 45384]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
UnknownUnknown KaseyaAgent;KaseyaAgent; [x]

=============== Created Last 30 ================

2010-01-09 01:58:10 90112 ----a-w- c:\windows\system32\ccrpTmr6.dll
2010-01-09 01:58:10 0 d-----w- c:\program files\Cool Timer
2010-01-08 15:00:34 696832 ----a-w- c:\windows\isRS-000.tmp
2010-01-05 00:18:46 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2010-01-05 00:17:38 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2010-01-05 00:17:38 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2010-01-05 00:12:55 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2010-01-05 00:12:54 265728 ------w- c:\windows\system32\dllcache\http.sys
2010-01-05 00:12:54 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2010-01-05 00:12:14 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-05 00:08:36 331776 ----a-w- c:\temp\curl-nossl.exe
2010-01-02 21:05:21 0 d-----w- c:\docume~1\scott~1.bur\applic~1\HpUpdate
2010-01-02 21:05:19 0 d-----w- c:\windows\Hewlett-Packard
2009-12-28 23:52:51 290816 ----a-w- c:\temp\kPtchMgt.dll
2009-12-19 19:13:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-19 19:13:46 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-19 19:13:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-13 03:31:35 0 d-----w- c:\temp\bleeping
2009-12-13 03:05:25 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-13 03:05:12 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-13 03:05:12 0 d-----w- c:\docume~1\scott~1.bur\applic~1\SUPERAntiSpyware.com
2009-12-13 03:04:07 0 d-----w- c:\program files\common files\Wise Installation Wizard

==================== Find3M ====================

2009-12-04 13:56:52 149768 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2008-02-29 12:22:28 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-02-06 19:42:58 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020620090207\index.dat

============= FINISH: 22:01:10.31 ===============

#4 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:06:41 AM

Posted 09 January 2010 - 09:26 AM

Hello Jestrix and Welcome to BleepingComputer.

I'm DocSatan and I will be helping you with your "Malware" related computer problems. Please give me some time to research your Log and I will get back to you ASAP. :(

In the meantime:

1. Please TRACK this Topic

  • At the top-right of this thread, click on the Posted Image button.
  • In the list that drops down, click on Posted Image
  • Place a tick-mark next to Immediate E-Mail Notification
  • Then click on Posted Image
  • You will now receive an e-mail as soon as a Reply is made to this Topic. :(
2. Do Not Make Any Changes to the "Infected" Computer.
  • Once you have posted a NEW DDS Log, Do Not make any changes to the computer. I will be researching the DDS Log that you post and any changes made to the system might interfere with the FIX that I prepare for you. Examples of "Changes":
  • Deleting Files/Folders
  • Installing/Uninstalling Programs
  • Running Anti-Virus, Anti-Malware, Anti-Spyware, etc., Programs
3. Please do not seek Help with this issue at another Computer Help Forum
  • While we are working together I must insist that you do not seek help with this matter at any other Help Forum.
  • Having multiple (more than one) Forums provide help for the same computer issue will result in confusion with preparing a Fix.
  • It is also not fair to the Volunteer who is helping you, as her/his time will be wasted trying to fix a computer that someone else is also trying to fix.
  • So, if you have posted at another Computer Help Forum for this same issue I would ask that you choose which Forum that you wish to stay with and inform the other Forum(s) that you no longer require their assistance.
4. Throughout the course of us working together, I will be posting step-by-step procedures for you to follow on your computer.
  • If at any time you do not fully understand what I have said, or you are not exactly sure what you are supposed to do, then please stop there and Post back to this topic and ask your questions. That way I will be able to more clearly explain the step/procedure and we won't have to worry about any steps being done incorrectly. :)

Doc.

#5 DocSatan

Posted 10 January 2010 - 08:33 PM

Hello Jestrix,

Since this is a "work" computer you should really contact the IT Department for help with resolving your computer issue. Most Companies have a strict protocol with regards to tampering/fixing issues on their computers. You may be violating an "Agreement" or "Standard Operating Procedure" by having someone other than the IT Department attempt to fix this Work Computer of yours.

If this isn't "that kind" of work computer, i.e., it's a personal computer that you own, but use it for work, then please follow the instructions below:

1. Please download ATF Cleaner by Atribune. (This program is for Vista, XP and Windows 2000 only)
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
    • If you use Firefox browser
      • Click Firefox at the top and choose: Select All
      • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • If you use Opera browser
      • Click Opera at the top and choose: Select All
      • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
  • For Technical Support, double-click the e-mail address located at the bottom of each menu.
2. Please download GMER from one of the following locations and save it to your desktop
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

3. What I need in your next reply:
  • gmer.log
Doc.

#6 DocSatan

Posted 13 January 2010 - 05:21 AM

You still here Jestrix?

#7 Jestrix

Posted 13 January 2010 - 12:48 PM

Yes I am still here. When I try to run gmer it blue screens at some point in the scan and reboots the system. This also happened while logged in as administrator and in safe mode.

#8 DocSatan

Posted 14 January 2010 - 04:35 PM

Hello Jestrix,

Can you tell me at what stage of the scan GMER is causing the BSOD?

Let's try these 2 scanners instead:

1. Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!)
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
2. We Need a New RootRepeal Log
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
3. What I need in your next reply:
  • mbr.log
  • New RootRepeal.txt
  • Answer to my question above
Doc.

#9 Jestrix

Posted 15 January 2010 - 10:26 PM

* mbr.log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


* New RootRepeal.txt

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/15 22:09
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8889000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA658000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mbr.sys
Image Path: C:\DOCUME~1\SCOTT~1.BUR\LOCALS~1\Temp\mbr.sys
Address: 0xBA3B8000 Size: 20864 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7BFE000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8ac6ba88

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8ac70a88

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8af4c770

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8aca2a78

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x8aef28e0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8aed60b0

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a5e4c10

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8ac5aa90

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8ac65a88

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8ac99a80

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x8b00e7a8

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8acada90

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x8afbd150

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xb94706a0

#: 143 Function Name: NtQueryDefaultLocale
Status: Hooked by "C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys" at address 0xa8a718a0

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8acbea80

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8ac8ba90

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8acf4f18

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8afbe4e8

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8ae64a30

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8ac71a98

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8acbca88

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8ac86ac0

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8ac92a80

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8aef2fc0

==EOF==

* Answer to my question above

The 1st time I tried running gmer it BSOD'd right away. Thinking it was a fluke I tried it again and it ran for a while. It looked like it was checking the HDD01, if I recall correctly, then BSOD'd. The other 2 runs BSOD'd within a minute.
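
The SSDT section in the RootRepeal report above lists 25 hooked service entries: 23 attributed to "<unknown>" and two attributed by path to wpsdrvnt.sys and SysPlant.sys, drivers installed with Symantec Endpoint Protection. An "<unknown>" owner only means the hook address did not fall inside any driver image RootRepeal could name; hook stubs that a security product allocates from kernel pool look identical to a rootkit's in this view, so the useful next step is to cross-reference each address against the loaded-driver ranges and see what remains unexplained. The Python below is an added example, not RootRepeal's code or anything posted in this thread: it parses the Drivers and SSDT sections, resolves "<unknown>" hooks by address range, and separates attributed from unresolved hooks. The sample report is a constructed excerpt of the log above with one hypothetical driver (example.sys, made-up address range) added so the lookup has something to resolve.

```python
"""Triage the Drivers and SSDT sections of a RootRepeal report (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: entries copied from the RootRepeal.txt in this thread, plus one
# hypothetical driver ("example.sys", made-up address range) so the lookup can resolve.
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: mbr.sys
Image Path: C:\DOCUME~1\SCOTT~1.BUR\LOCALS~1\Temp\mbr.sys
Address: 0xBA3B8000 Size: 20864 File Visible: No Signed: -
Status: -

Name: example.sys
Image Path: C:\WINDOWS\system32\drivers\example.sys
Address: 0x8AC60000 Size: 131072 File Visible: Yes Signed: -
Status: -

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8ac6ba88

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8af4c770

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xb94706a0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8aef2fc0

==EOF==
"""

# One driver entry spans three lines: Name / Image Path / Address+Size.
DRIVER_RE = re.compile(
    r"Name: (?P<name>\S+)\s*\nImage Path: (?P<path>.*)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)")
# One SSDT entry spans two lines: index+function / status with owner and address.
HOOK_RE = re.compile(
    r"#: (?P<index>\d+) Function Name: (?P<func>\w+)\s*\n"
    r'Status: Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9A-Fa-f]+)')


@dataclass
class Driver:
    name: str
    path: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class Hook:
    index: int
    func: str
    module: str                    # as reported: a driver path or "<unknown>"
    addr: int
    resolved: Optional[str] = None  # driver name found by address-range lookup


def parse_drivers(text: str) -> List[Driver]:
    return [Driver(m["name"], m["path"].strip(), int(m["addr"], 16), int(m["size"]))
            for m in DRIVER_RE.finditer(text)]


def parse_hooks(text: str) -> List[Hook]:
    return [Hook(int(m["index"]), m["func"], m["module"], int(m["addr"], 16))
            for m in HOOK_RE.finditer(text)]


def resolve_unknown(hooks: List[Hook], drivers: List[Driver]) -> List[Hook]:
    """Attribute "<unknown>" hooks to any driver whose image range covers the address."""
    for h in hooks:
        if h.module != "<unknown>":
            continue
        for d in drivers:
            if d.contains(h.addr):
                h.resolved = d.name
                break
    return hooks


def triage(text: str) -> Dict[str, object]:
    """Split hooks into those owned by a known module and those still unexplained."""
    drivers = parse_drivers(text)
    hooks = resolve_unknown(parse_hooks(text), drivers)
    attributed: Dict[str, List[str]] = {}
    unresolved: List[tuple] = []
    for h in hooks:
        if h.resolved:
            owner = h.resolved
        elif h.module == "<unknown>":
            unresolved.append((h.func, hex(h.addr)))
            continue
        else:
            owner = h.module.rsplit("\\", 1)[-1].lower()  # basename of the driver path
        attributed.setdefault(owner, []).append(h.func)
    return {"attributed": attributed, "unresolved": unresolved}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for owner, funcs in result["attributed"].items():
        print(f"{owner}: {', '.join(funcs)}")
    for func, addr in result["unresolved"]:
        print(f"UNRESOLVED {func} at {addr}")
```

Hooks that stay unresolved after this pass are the ones worth a closer look; hooks that resolve to a driver belonging to an installed security product are expected and can be set aside.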

#10 DocSatan

Posted 19 January 2010 - 08:16 AM

So sorry for the huge delay Jestrix. Poor organizational skills on my part. I will be posting a Fix shortly.

#11 DocSatan

Posted 19 January 2010 - 03:15 PM

Hi Jestrix,

This is so strange. All of your Logs appear clean to me. A few questions:
  • Is MBAM still finding those same 60 AntiVirusPro entries?
  • Are you experiencing any Pop-ups, re-directs, or other abnormal activities on this computer?
  • I see that this computer is connected to a Network, are any of the other computers on this Network experiencing any problems?
1. Perform another Scan with MalwareByte's AntiMalware (MBAM)
  • Double-Click on the MBAM Icon
  • Click on the tab Update
  • Then click on Check For Updates button
  • When MBAM has finished updating, click OK on the window that pops-up.
    • If MBAM has to close to complete the update, then allow it.
  • Now Click on the Scanner tab
  • Put a tick-mark next to Perform Quick Scan
  • Now click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Doc.

#12 Jestrix

Posted 20 January 2010 - 08:38 PM

Hi Doc -

No worries on the delay getting back to me. I understand we are all busy, especially you helping tons of people out on this site, and I think that's awesome!

To answer some of your questions. It was a few weeks before I started posting in the forums that these alerts started to pop up. Only MBAM reported the alerts. I would let it clean and reboot and do what it needed to do. Sometimes when I scanned it would not find them but then if I scanned again it would find them. It would always find them while performing the last part of the scan, the Performing Extra and Heuristic scans. That's where my quest began and I started to look at this closer.

I downloaded and tried a few things and nothing was ever found except by MBAM. So I posted here and tried a few things over in the other section which never found anything. We even uninstalled the thing and re-installed and it still found them.

Soooo......

* Is MBAM still finding those same 60 AntiVirusPro entries?
I haven't scanned since someone asked me last. I just did one and this time it is clean. Log posted below.

* Are you experiencing any Pop-ups, re-directs, or other abnormal activities on this computer?
I never have. I was wondering why MBAM was always detecting them and nothing else was. I figured you all might confirm if they were real or not and help get rid of them if they were.


* I see that this computer is connected to a Network, are any of the other computers on this Network experiencing and problems?
No one else I know is experiencing this but I am more security conscious and I am the only one I know that runs MBAM.

- I always wondered if this might be something that MBAM had wrong in its database, like a false positive on something, and it just took them a long time to find it and weed it out. I have had clean scans before so I am not 100% sold but I will scan in the morning tomorrow and in the evening and see if it comes back and post here to let you know the results.

I also wanted to let you know that I thank you and everyone on here for taking the time to help me even if it turned out to be nothing or an MBAM DB problem! Thanks!

MBAM LOG POSTED BELOW:

Malwarebytes' Anti-Malware 1.44
Database version: 3606
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/20/2010 8:27:35 PM
mbam-log-2010-01-20 (20-27-35).txt

Scan type: Quick Scan
Objects scanned: 149810
Time elapsed: 6 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 Jestrix

Posted 21 January 2010 - 08:19 PM

Still showing up....always with the extra and heuristic scan portion at the end. So I dunno........
As always I did reboot as it asked.

Malwarebytes' Anti-Malware 1.44
Database version: 3611
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/21/2010 8:12:15 PM
mbam-log-2010-01-21 (20-12-15).txt

Scan type: Quick Scan
Objects scanned: 149908
Time elapsed: 8 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 66

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\socadmin\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\TEMP\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Default User\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\LocalService\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\socadmin\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\System\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\socadmin\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\TEMP\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\ocxlist\winupdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\Winupdate\Winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator.GLASSHOUSETECH\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Default User\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\socadmin\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
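
The list above reports the same few executables (seres.exe, svcst.exe, WinUpdate.exe/winupdate.exe, AV2010Installer.exe, sysguard.exe) under every profile in Documents and Settings, including Default User (the template copied for each newly created account) and the LocalService/NetworkService profiles, plus copies in Startup folders and under C:\WINDOWS, all with deletion deferred to reboot. When a scanner keeps reporting an identical set after cleaning, grouping the hits by file name, profile and location makes it quick to see which copies sit in autostart locations and whether the set changes between runs. The Python below is an added example, not MBAM's or the thread's code; it parses the "Files Infected" lines and summarises them that way. The sample input is a constructed subset of the lines above.

```python
"""Summarise the "Files Infected" lines of a Malwarebytes log (added example)."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: a subset of the MBAM "Files Infected" lines posted in this thread.
SAMPLE_LOG = r"""
C:\Documents and Settings\All Users\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\scott.burcky\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Temp\AV2010Installer.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
"""

# "<path> (<detection name>) -> <action>."
MBAM_LINE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>[^.]+)\.$")
# Profile name is the directory directly under "Documents and Settings" (XP layout).
PROFILE_RE = re.compile(r"^C:\\Documents and Settings\\(?P<profile>[^\\]+)\\", re.IGNORECASE)


def classify_location(path: str) -> str:
    """Coarse location class; the Startup folder is an autostart location."""
    p = path.lower()
    if "\\start menu\\programs\\startup\\" in p:
        return "startup-folder"
    if "\\temp\\" in p:
        return "temp"
    if p.startswith("c:\\windows\\"):
        return "windows-dir"
    if "\\application data\\" in p:
        return "appdata"
    return "other"


def parse_mbam(text: str) -> List[dict]:
    items = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if not m:
            continue  # headers, blank lines and counters are skipped
        path = m["path"]
        pm = PROFILE_RE.match(path)
        items.append({
            "path": path,
            "threat": m["threat"],
            "action": m["action"],
            "filename": path.rsplit("\\", 1)[-1].lower(),
            "profile": pm["profile"] if pm else None,
            "location": classify_location(path),
        })
    return items


def summarize(items: List[dict]) -> Dict[str, dict]:
    """Group hits by file name: how many copies, in which profiles, which locations and labels."""
    by_file: Dict[str, dict] = defaultdict(
        lambda: {"count": 0, "profiles": set(), "locations": set(), "threats": set()})
    for it in items:
        e = by_file[it["filename"]]
        e["count"] += 1
        e["locations"].add(it["location"])
        e["threats"].add(it["threat"])
        if it["profile"]:
            e["profiles"].add(it["profile"])
    return dict(by_file)


def autostart_entries(items: List[dict]) -> List[str]:
    """Paths that would run at logon because they live in a Startup folder."""
    return [it["path"] for it in items if it["location"] == "startup-folder"]


def deferred_deletions(items: List[dict]) -> int:
    """Hits MBAM could not remove immediately and scheduled for deletion at reboot."""
    return sum(1 for it in items if it["action"].lower() == "delete on reboot")


if __name__ == "__main__":
    hits = parse_mbam(SAMPLE_LOG)
    for name, info in summarize(hits).items():
        print(f"{name}: {info['count']} copies, profiles={sorted(info['profiles'])}, "
              f"locations={sorted(info['locations'])}, labels={sorted(info['threats'])}")
    print("autostart:", autostart_entries(hits))
    print("deferred to reboot:", deferred_deletions(hits))
```

Run against two successive logs, the per-file summary shows directly whether the same copies come back in the same profiles, which is the question this thread is circling.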

#14 DocSatan

Posted 22 January 2010 - 06:10 PM

Hi Jestrix,

My coach here at BleepingComputer says that he has witnessed MBAM detect files that were not on the computer before. Not sure if that is any comfort to you. :(

I see that the files have returned in the MBAM Scan. Are any of the other Computers on the Network experiencing problems with Pop-ups, Re-Directs, Warnings, etc.? I'm wondering if you are getting infected from another computer. :(

Let's do an Online Scan next:

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Doc.

#15 Jestrix

Posted 22 January 2010 - 10:25 PM

Hi Jestrix,

My coach here at BleepingComputer says that he has witnessed MBAM detect files that were not on the computer before. Not sure if that is any comfort to you. :)

I see that the files have returned in the MBAM Scan. Are any of the other Computers on the Network experiencing problems with Pop-ups, Re-Directs, Warnings, etc.? I'm wondering if you are getting infected from another computer. :(


Nope nothing anywhere else. I get these same alerts at home or at the office, connected to the internet or not they still appear. It is all very weird!

Ran your scan and lo and behold!!!!!!!

Nothing :( Dunno if that's good or not lol....

;***********************************************************************************************************************************************************************************
ANALYSIS: 2010-01-22 22:20:39
PROTECTIONS: 1
MALWARE: 0
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Symantec Endpoint Protection 11.0.3001.2198 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
215938 HIGH MS09-072
;===================================================================================================================================================================================



