
Infected with either a rootkit or a hefty Trojan


16 replies to this topic

#1 Ryano1 (Members, 17 posts)

Posted 29 December 2009 - 07:13 PM

I'm new, our computer got infected with something which is redirecting some searches and has wiped out our anti virus. I ran through a few previous similar threads and did a DDS, attempting a RootRepeal scan and scanned the file which you told people in a similar situation to scan.

DDS:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Claire Pike at 23:25:36.54 on 29/12/2009
Internet Explorer: 8.0.6001.18865 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1121 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer3\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Claire Pike\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Active Desktop Calendar] c:\program files\xemicomputers\active desktop calendar\ADC.exe
uRun: [settdebugx.exe] c:\users\claire~1\appdata\local\temp\settdebugx.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~3.EXE -Update -1103470 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -"http://www.habbo.com/shockwave_client"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\claire~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\users\claire~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {ACF3FB60-D57B-4886-8BC6-F995D4C37C14} = 192.168.1.1
TCP: {B760BE55-F4B6-4761-849D-18C5F04085A6} = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\claire~1\appdata\roaming\mozilla\firefox\profiles\sq6tajm3.default\
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\claire pike\appdata\local\microsoft\internet explorer\downloaded program files\npsoe.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-29 335240]
R1 AvgMfx86;AVG Minifilter x86 Resident Driver;c:\windows\system32\drivers\avgmfx86.sys [2008-5-12 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-20 108552]
R2 TeamViewer;TeamViewer 3;c:\program files\teamviewer3\TeamViewer_Service.exe [2008-8-6 181544]
R3 ZY202_VS;ZyXEL 802.11g XG202 1211 Vista Driver;c:\windows\system32\drivers\WlanUZG.sys [2009-4-6 449536]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-29 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-29 297752]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-3-23 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]

=============== Created Last 30 ================

2009-12-29 17:44:11 0 d-----w- c:\program files\Trend Micro
2009-12-29 16:16:09 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-12-29 10:12:15 671 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-29 10:11:13 202 ----a-w- c:\windows\system32\srcr.dat
2009-12-24 11:16:17 0 d-----w- c:\users\claire~1\appdata\roaming\TS3Client
2009-12-24 11:14:53 121071 ----a-w- c:\program files\Uninstall.exe
2009-12-24 11:14:52 0 d-----w- c:\program files\translations
2009-12-24 11:14:52 0 d-----w- c:\program files\styles
2009-12-24 11:14:52 0 d-----w- c:\program files\sound
2009-12-24 11:14:52 0 d-----w- c:\program files\scripts
2009-12-24 11:14:51 0 d-----w- c:\program files\plugins
2009-12-24 11:14:51 0 d-----w- c:\program files\imageformats
2009-12-24 11:14:51 0 d-----w- c:\program files\gfx
2009-12-23 19:48:38 5797064 ----a-w- c:\program files\ts3client_win32.exe
2009-12-23 19:48:20 348360 ----a-w- c:\program files\update.exe
2009-12-19 08:28:25 0 d-----w- c:\program files\GIMP-2.0
2009-12-18 17:36:23 0 d-----w- c:\programdata\WindowsSearch
2009-12-18 17:17:03 0 d-----w- c:\programdata\Trymedia
2009-12-18 16:58:36 0 d-----w- c:\program files\rFactor
2009-12-12 13:01:11 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-12 13:01:07 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-12 13:01:07 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-12 11:03:47 0 d-----w- C:\DF
2009-12-10 19:06:53 281600 ----a-w- c:\windows\system32\raschap.dll
2009-12-10 19:06:53 244224 ----a-w- c:\windows\system32\rastls.dll
2009-12-02 13:48:04 398336 ----a-w- c:\program files\fmodex.dll

==================== Find3M ====================

2009-12-29 11:17:05 69 ----a-w- c:\users\claire pike\jagex_runescape_preferences2.dat
2009-12-29 10:30:43 39 ----a-w- c:\users\claire pike\jagex_runescape_preferences.dat
2009-12-23 19:48:38 6468 ----a-w- c:\program files\changelog.txt
2009-12-23 19:48:18 17068 ----a-w- c:\program files\apps.ini
2009-12-23 19:48:16 539 ----a-w- c:\program files\mirrors.ini
2009-12-02 18:09:47 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-02 18:09:46 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-02 20:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:41:23 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-13 13:41:34 7096320 ----a-w- c:\program files\QtGui4.dll
2009-10-13 13:41:34 634880 ----a-w- c:\program files\QtNetwork4.dll
2009-10-13 13:41:34 1959936 ----a-w- c:\program files\QtCore4.dll
2009-10-11 04:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-06-03 15:25:39 51200 ----a-w- c:\windows\inf\infpub.dat
2009-06-03 15:25:38 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-06-03 15:25:38 86016 ----a-w- c:\windows\inf\infstor.dat
2009-06-01 20:36:46 1734 ----a-w- c:\program files\server.log
2009-06-01 20:36:45 20480 ----a-w- c:\program files\server.dbs
2009-06-01 20:28:07 561 ----a-w- c:\program files\server.ini
2009-06-01 20:28:07 0 ----a-w- c:\program files\whitelist.txt
2009-06-01 20:28:06 8 ----a-w- c:\program files\bad_names.txt
2009-06-01 20:28:02 21281 ----a-w- c:\program files\unins000.dat
2009-06-01 20:27:28 685849 ----a-w- c:\program files\unins000.exe
2008-06-12 05:21:11 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2007-08-02 12:49:42 3964 ----a-w- c:\program files\readme.txt
2007-08-02 06:00:20 20505 ----a-w- c:\program files\slicense.txt
2007-08-02 05:52:48 439808 ----a-w- c:\program files\server_windows.exe
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2006-03-13 15:00:02 2657 ----a-w- c:\program files\INSTALL.mysql
2006-03-13 15:00:00 95744 ----a-w- c:\program files\dbexpmysql.dll
2006-03-13 15:00:00 362 ----a-w- c:\program files\manual.html

============= FINISH: 23:29:12.17 ===============


I tried the RootRepeal scan but it didn't work in the end and restarted our computer, losing some of the stuff I had ready to post. The file came back as a LookLike.Trojan.H with a bit more than what I posted. I'll add the RootRepeal log if it works in a bit. *EDIT* It's getting stuck on Windows\winsxs\Manifests\. Attached the attach.txt :( (Been 10 mins and it hasn't scanned a thing from the Manifests folder...)
*Final Edit*: The RootRepeal one didn't work and our computer restarted itself again. Oh, and AVG doesn't have any components in it when I open it up, it just says it's working.

Hopefully you can be of some help, as it's frustrating and we have spent most of today trying to fix it.

Attached Files


Edited by Ryano1, 29 December 2009 - 07:47 PM.




#2 Ryano1 (Topic Starter, Members, 17 posts)

Posted 31 December 2009 - 01:58 PM

I scanned 2 of the atapi.sys files on VirusTotal (like others in this situation) and they came back with these results. RootRepeal doesn't want to work and I'm stuck, any chance of some help please.

Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.30 -
AhnLab-V3 5.0.0.2 2009.12.29 -
AntiVir 7.9.1.122 2009.12.29 -
Antiy-AVL 2.0.3.7 2009.12.30 -
Authentium 5.2.0.5 2009.12.30 -
Avast 4.8.1351.0 2009.12.29 -
AVG 8.5.0.430 2009.12.30 -
BitDefender 7.2 2009.12.30 -
CAT-QuickHeal 10.00 2009.12.30 -
ClamAV 0.94.1 2009.12.30 -
Comodo 3412 2009.12.30 -
DrWeb 5.0.1.12222 2009.12.30 -
eSafe 7.0.17.0 2009.12.29 -
eTrust-Vet 35.1.7206 2009.12.30 -
F-Prot 4.5.1.85 2009.12.30 -
F-Secure 9.0.15370.0 2009.12.30 -
Fortinet 4.0.14.0 2009.12.30 -
GData 19 2009.12.30 -
Ikarus T3.1.1.79.0 2009.12.30 -
Jiangmin 13.0.900 2009.12.30 -
K7AntiVirus 7.10.932 2009.12.28 -
Kaspersky 7.0.0.125 2009.12.30 -
McAfee 5846 2009.12.29 -
McAfee+Artemis 5846 2009.12.29 -
McAfee-GW-Edition 6.8.5 2009.12.29 Heuristic.BehavesLike.Win32.Rootkit.H
Microsoft 1.5302 2009.12.30 -
NOD32 4727 2009.12.30 -
Norman 6.04.03 2009.12.29 -
nProtect 2009.1.8.0 2009.12.30 -
Panda 10.0.2.2 2009.12.15 -
PCTools 7.0.3.5 2009.12.30 -
Prevx 3.0 2009.12.30 -
Rising 22.28.02.03 2009.12.30 -
Sophos 4.49.0 2009.12.30 -
Sunbelt 3.2.1858.2 2009.12.30 -
Symantec 1.4.4.12 2009.12.30 -
TheHacker 6.5.0.3.121 2009.12.30 -
TrendMicro 9.120.0.1004 2009.12.30 -
VBA32 3.12.12.1 2009.12.30 -
ViRobot 2009.12.30.2115 2009.12.30 -
VirusBuster 5.0.21.0 2009.12.29 -


Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.30 -
AhnLab-V3 5.0.0.2 2009.12.29 -
AntiVir 7.9.1.122 2009.12.29 -
Antiy-AVL 2.0.3.7 2009.12.30 -
Authentium 5.2.0.5 2009.12.30 -
Avast 4.8.1351.0 2009.12.29 -
AVG 8.5.0.430 2009.12.30 -
BitDefender 7.2 2009.12.30 -
CAT-QuickHeal 10.00 2009.12.30 -
ClamAV 0.94.1 2009.12.30 -
Comodo 3412 2009.12.30 -
DrWeb 5.0.1.12222 2009.12.30 -
eSafe 7.0.17.0 2009.12.29 -
eTrust-Vet 35.1.7206 2009.12.30 -
F-Prot 4.5.1.85 2009.12.30 -
F-Secure 9.0.15370.0 2009.12.30 -
Fortinet 4.0.14.0 2009.12.30 -
GData 19 2009.12.30 -
Ikarus T3.1.1.79.0 2009.12.30 -
Jiangmin 13.0.900 2009.12.30 -
K7AntiVirus 7.10.932 2009.12.28 -
Kaspersky 7.0.0.125 2009.12.30 -
McAfee 5846 2009.12.29 -
McAfee+Artemis 5846 2009.12.29 -
McAfee-GW-Edition 6.8.5 2009.12.29 Heuristic.BehavesLike.Win32.Rootkit.H
Microsoft 1.5302 2009.12.30 -
NOD32 4727 2009.12.30 -
Norman 6.04.03 2009.12.29 -
nProtect 2009.1.8.0 2009.12.30 -
Panda 10.0.2.2 2009.12.15 -
PCTools 7.0.3.5 2009.12.30 -
Prevx 3.0 2009.12.30 -
Rising 22.28.02.03 2009.12.30 -
Sophos 4.49.0 2009.12.30 -
Sunbelt 3.2.1858.2 2009.12.30 -
Symantec 1.4.4.12 2009.12.30 -
TheHacker 6.5.0.3.121 2009.12.30 -
TrendMicro 9.120.0.1004 2009.12.30 -
VBA32 3.12.12.1 2009.12.30 -
ViRobot 2009.12.30.2115 2009.12.30 -
VirusBuster 5.0.21.0 2009.12.29 -


Looks like I have the rootkit that many others have.
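The "Created Last 30" listing in the DDS log of the first post and the VirusTotal vendor table above are both plain-text formats that a helper can parse when triaging a log like this. The Python below is an added example and is not code from the thread, from DDS or from VirusTotal: it splits a DDS log into its banner-delimited sections, turns each "timestamp size flags path" line into a record, lists the non-directory files created under system32 newest first (a triage aid for deciding what to look at, not a malware verdict), and counts detections in a pasted VirusTotal table. The sample lines are constructed to mirror the shape of the lines posted in this thread; the section-banner layout and the eight-character attribute column are assumptions taken from that posted log.

```python
"""Triage helpers for DDS log sections and pasted VirusTotal vendor tables.

Added example, not part of the BleepingComputer thread, the DDS tool, or
VirusTotal. Sample input below is constructed to match the shape of the
lines posted in the thread; inclusion in any list here is not a verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# One DDS "Created Last 30" / "Find3M" line: timestamp, byte size,
# eight-character attribute column (e.g. d-----w-, ----a-w-), then the path.
DDS_ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<flags>[-a-z]{8})\s+(?P<path>.+)$"
)


@dataclass
class DdsEntry:
    created: datetime
    size: int
    flags: str
    path: str

    @property
    def is_dir(self) -> bool:
        # DDS marks directories with 'd' in the first attribute position.
        return self.flags[0] == "d"


def parse_dds_section(text: str, header: str) -> list[DdsEntry]:
    """Return the entries of the DDS section whose banner contains `header`.

    DDS separates sections with banner lines padded by '=' characters
    (assumed from the posted log); a banner ends the previous section.
    """
    entries: list[DdsEntry] = []
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("=") and stripped.endswith("="):
            in_section = header in stripped
            continue
        if not in_section:
            continue
        m = DDS_ENTRY.match(stripped)
        if m:
            entries.append(DdsEntry(
                datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                int(m["size"]), m["flags"], m["path"],
            ))
    return entries


def recent_system_files(entries: list[DdsEntry],
                        root: str = r"c:\windows\system32",
                        max_size: int | None = None) -> list[DdsEntry]:
    """Non-directory entries created under `root`, newest first.

    Optionally keep only files of at most `max_size` bytes; small, freshly
    written files in a system directory are worth a closer look, but this
    filter only orders the review, it does not classify anything.
    """
    hits = [e for e in entries
            if not e.is_dir and e.path.lower().startswith(root.lower())
            and (max_size is None or e.size <= max_size)]
    return sorted(hits, key=lambda e: e.created, reverse=True)


def parse_vt_table(text: str) -> dict[str, str | None]:
    """Parse a pasted 'Antivirus Version Last Update Result' table.

    One vendor per line; a result of '-' means the vendor had no detection
    and is stored as None.
    """
    results: dict[str, str | None] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Antivirus":  # skip header/blank
            continue
        vendor, result = parts[0], " ".join(parts[3:])
        results[vendor] = None if result == "-" else result
    return results


def detection_ratio(results: dict[str, str | None]):
    """Return (flagged, total, {vendor: label}) for a parsed VT table."""
    flagged = {v: r for v, r in results.items() if r}
    return len(flagged), len(results), flagged


# Constructed sample input, shaped like the lines posted in the thread.
SAMPLE_DDS = r"""
=============== Created Last 30 ================

2009-12-29 17:44:11 0 d-----w- c:\program files\Trend Micro
2009-12-29 16:16:09 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-12-29 10:12:15 671 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-29 10:11:13 202 ----a-w- c:\windows\system32\srcr.dat
2009-12-12 13:01:07 411136 ----a-w- c:\windows\system32\drivers\http.sys

==================== Find3M ====================

2009-12-02 18:09:47 11952 ----a-w- c:\windows\system32\avgrsstx.dll
"""

SAMPLE_VT = """Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.30 -
AVG 8.5.0.430 2009.12.30 -
McAfee-GW-Edition 6.8.5 2009.12.29 Heuristic.BehavesLike.Win32.Rootkit.H
Microsoft 1.5302 2009.12.30 -
Symantec 1.4.4.12 2009.12.30 -
"""

if __name__ == "__main__":
    created = parse_dds_section(SAMPLE_DDS, "Created Last 30")
    for e in recent_system_files(created, max_size=1024):
        print(f"{e.created:%Y-%m-%d %H:%M} {e.size:>8} {e.path}")
    flagged, total, detail = detection_ratio(parse_vt_table(SAMPLE_VT))
    print(f"VirusTotal: {flagged}/{total} vendors flagged -> {detail}")
```

Feed `parse_dds_section` the whole pasted log and the section title you want ("Created Last 30", "Find3M"); the second DDS log in this thread uses the same banner layout, so the same call works on it unchanged.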

#3 Orange Blossom (OBleepin Investigator, Moderator, 37,011 posts, Bloomington, IN)

Posted 08 January 2010 - 11:17 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results; click No to the Optional_Scan.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom :(
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 Ryano1 (Topic Starter, Members, 17 posts)

Posted 09 January 2010 - 07:31 PM

Yeah, the virus/rootkit has turned AVG into a shell with no components in it that says it's still running despite not being, so we uninstalled it and installed a different antivirus. It's not allowing us to scan our computer with regular antivirus programs and is redirecting Google searches and telling us to download certain things which look malicious. Think that's all of it. Here's the new DDS log, and thanks for replying.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Claire Pike at 14:46:54.53 on 09/01/2010
Internet Explorer: 8.0.6001.18865 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1142 [GMT 0:00]

SP: COMODO Defense+ *enabled* (Updated) {043803A4-4F86-4ef7-AFC5-F6E02A79969B}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer3\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Lavasoft\Ad-Aware\AAWWSC.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Users\Claire Pike\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Active Desktop Calendar] c:\program files\xemicomputers\active desktop calendar\ADC.exe
uRun: [settdebugx.exe] c:\users\claire~1\appdata\local\temp\settdebugx.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~3.EXE -Update -1103470 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -"http://www.habbo.com/shockwave_client"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [COMODO SafeSurf] "c:\program files\comodo\safesurf\cssurf.exe" -s
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\users\claire~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\users\claire~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {ACF3FB60-D57B-4886-8BC6-F995D4C37C14} = 192.168.1.1
TCP: {B760BE55-F4B6-4761-849D-18C5F04085A6} = 192.168.1.1
AppInit_DLLs: c:\windows\system32\guard32.dll c:\windows\system32\cssdll32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\claire~1\appdata\roaming\mozilla\firefox\profiles\sq6tajm3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\claire pike\appdata\local\microsoft\internet explorer\downloaded program files\npsoe.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-30 64288]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-12-30 98320]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-12-30 25104]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
R2 TeamViewer;TeamViewer 3;c:\program files\teamviewer3\TeamViewer_Service.exe [2008-8-6 181544]
R3 ZY202_VS;ZyXEL 802.11g XG202 1211 Vista Driver;c:\windows\system32\drivers\WlanUZG.sys [2009-4-6 449536]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-3-23 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]

=============== Created Last 30 ================

2010-01-06 19:48:12 1553 ----a-w- c:\users\claire pike\.recently-used.xbel
2010-01-02 11:18:41 0 d-----w- c:\programdata\McAfee
2009-12-31 21:07:39 0 d-----w- c:\users\claire pike\.thumbnails
2009-12-30 18:52:08 0 d-----w- c:\users\claire~1\appdata\roaming\Comodo
2009-12-30 18:32:05 249592 ----a-w- c:\windows\system32\cssdll32.dll
2009-12-30 18:31:53 0 d-----w- c:\program files\AskBarDis
2009-12-30 18:29:38 98320 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-12-30 18:29:38 25104 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-12-30 18:29:38 143096 ----a-w- c:\windows\system32\guard32.dll
2009-12-30 18:29:38 0 d-----w- c:\programdata\comodo
2009-12-30 18:29:38 0 d-----w- c:\program files\COMODO
2009-12-30 17:33:46 0 d-----w- c:\programdata\avg8
2009-12-30 17:29:03 0 d-----w- c:\programdata\AVG Security Toolbar
2009-12-30 17:18:49 0 ----a-w- c:\windows\system32\commonpriv.log.lock
2009-12-30 14:46:36 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-12-30 14:18:57 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-30 14:18:29 0 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-30 13:49:16 0 d--h--w- C:\$AVG
2009-12-30 13:48:28 0 d-----w- c:\programdata\avg9
2009-12-29 17:44:11 0 d-----w- c:\program files\Trend Micro
2009-12-29 16:16:09 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-12-29 10:12:15 853 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-29 10:11:13 246 ----a-w- c:\windows\system32\srcr.dat
2009-12-24 11:16:17 0 d-----w- c:\users\claire~1\appdata\roaming\TS3Client
2009-12-24 11:14:53 121071 ----a-w- c:\program files\Uninstall.exe
2009-12-24 11:14:52 0 d-----w- c:\program files\translations
2009-12-24 11:14:52 0 d-----w- c:\program files\styles
2009-12-24 11:14:52 0 d-----w- c:\program files\sound
2009-12-24 11:14:52 0 d-----w- c:\program files\scripts
2009-12-24 11:14:51 0 d-----w- c:\program files\plugins
2009-12-24 11:14:51 0 d-----w- c:\program files\imageformats
2009-12-24 11:14:51 0 d-----w- c:\program files\gfx
2009-12-23 19:48:38 5797064 ----a-w- c:\program files\ts3client_win32.exe
2009-12-23 19:48:20 348360 ----a-w- c:\program files\update.exe
2009-12-19 08:28:25 0 d-----w- c:\program files\GIMP-2.0
2009-12-18 17:36:23 0 d-----w- c:\programdata\WindowsSearch
2009-12-18 17:17:03 0 d-----w- c:\programdata\Trymedia
2009-12-18 16:58:36 0 d-----w- c:\program files\rFactor
2009-12-12 13:01:11 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-12 13:01:07 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-12 13:01:07 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-12 11:03:47 0 d-----w- C:\DF
2009-12-10 19:06:53 281600 ----a-w- c:\windows\system32\raschap.dll
2009-12-10 19:06:53 244224 ----a-w- c:\windows\system32\rastls.dll

==================== Find3M ====================

2009-12-30 18:31:21 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-12-30 18:31:21 86016 ----a-w- c:\windows\inf\infstor.dat
2009-12-30 18:31:21 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-29 11:17:05 69 ----a-w- c:\users\claire pike\jagex_runescape_preferences2.dat
2009-12-29 10:30:43 39 ----a-w- c:\users\claire pike\jagex_runescape_preferences.dat
2009-12-23 19:48:38 6468 ----a-w- c:\program files\changelog.txt
2009-12-23 19:48:18 17068 ----a-w- c:\program files\apps.ini
2009-12-23 19:48:16 539 ----a-w- c:\program files\mirrors.ini
2009-12-02 13:48:04 398336 ----a-w- c:\program files\fmodex.dll
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-02 20:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:41:23 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-13 13:41:34 7096320 ----a-w- c:\program files\QtGui4.dll
2009-10-13 13:41:34 634880 ----a-w- c:\program files\QtNetwork4.dll
2009-10-13 13:41:34 1959936 ----a-w- c:\program files\QtCore4.dll
2009-06-01 20:36:46 1734 ----a-w- c:\program files\server.log
2009-06-01 20:36:45 20480 ----a-w- c:\program files\server.dbs
2009-06-01 20:28:07 561 ----a-w- c:\program files\server.ini
2009-06-01 20:28:07 0 ----a-w- c:\program files\whitelist.txt
2009-06-01 20:28:06 8 ----a-w- c:\program files\bad_names.txt
2009-06-01 20:28:02 21281 ----a-w- c:\program files\unins000.dat
2009-06-01 20:27:28 685849 ----a-w- c:\program files\unins000.exe
2008-06-12 05:21:11 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2007-08-02 12:49:42 3964 ----a-w- c:\program files\readme.txt
2007-08-02 06:00:20 20505 ----a-w- c:\program files\slicense.txt
2007-08-02 05:52:48 439808 ----a-w- c:\program files\server_windows.exe
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2006-03-13 15:00:02 2657 ----a-w- c:\program files\INSTALL.mysql
2006-03-13 15:00:00 95744 ----a-w- c:\program files\dbexpmysql.dll
2006-03-13 15:00:00 362 ----a-w- c:\program files\manual.html

============= FINISH: 14:49:34.42 ===============

#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:01:59 AM

Posted 10 January 2010 - 07:15 PM

Hello and Welcome to BleepingComputer! :(

Please provide a log from Gmer:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#6 Ryano1

Ryano1
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:59 AM

Posted 11 January 2010 - 09:33 AM

Hopefully I did this correctly. It did come up with the rootkit alteration warning box thing, so it looks to be a rootkit.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-11 14:17:23
Windows 6.0.6001 Service Pack 1
Running: 468bvxst.exe; Driver: C:\Users\CLAIRE~1\AppData\Local\Temp\kwliiaow.sys


---- System - GMER 1.0.15 ----

Code 85744398 ZwEnumerateKey
Code 855CE0F0 ZwFlushInstructionCache
Code 85618CF5 IofCallDriver
Code 857382CE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 82A8AFE2 5 Bytes JMP 857382D3
.text ntkrnlpa.exe!IofCallDriver 82B0CF6F 5 Bytes JMP 85618CFA
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 82C0330B 5 Bytes JMP 855CE0F4
PAGE ntkrnlpa.exe!ZwEnumerateKey 82C58BAC 5 Bytes JMP 8574439C

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\Iexplore.exe[1452] USER32.dll!DialogBoxParamW 76C91FD5 5 Bytes JMP 7318541D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1452] WININET.dll!HttpAddRequestHeadersA 76F6CF46 5 Bytes JMP 0096000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1452] WININET.dll!HttpAddRequestHeadersW 76F6FE49 5 Bytes JMP 00A0000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1080] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73EF88B4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1080] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73F398A5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1080] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73EFB9D4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1080] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73EEFB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1080] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73EF7A79] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1080] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73EEEA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1080] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73F2B17D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1080] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73EFBC9A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1080] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73EF074E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1080] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73EF06B5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1080] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73EE71B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1080] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73F7D848] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1080] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73F17379] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1080] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73EEE109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1080] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73EE697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1080] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73EE69A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1080] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73EF2465] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\H8SRTxcnfsvtrii.sys (*** hidden *** ) 8C8C6000-8C8E2000 (114688 bytes)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\H8SRTievplpoimn.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [688] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTievplpoimn.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [820] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTievplpoimn.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [844] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTievplpoimn.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [936] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTievplpoimn.dll (*** hidden *** ) @ C:\Windows\Explorer.EXE [1080] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTievplpoimn.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [1452] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\H8SRTxcnfsvtrii.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTxcnfsvtrii.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTxcnfsvtrii.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTtdtcwteygo.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTwtqiufedid.dat
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTievplpoimn.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTbbuusormxi.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTxcnfsvtrii.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTxcnfsvtrii.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTtdtcwteygo.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTwtqiufedid.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTievplpoimn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTbbuusormxi.dll
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTxcnfsvtrii.sys
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTxcnfsvtrii.sys
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTtdtcwteygo.dll
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTwtqiufedid.dat
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTievplpoimn.dll
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTbbuusormxi.dll
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTxcnfsvtrii.sys
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTxcnfsvtrii.sys
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTtdtcwteygo.dll
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTwtqiufedid.dat
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTievplpoimn.dll
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTbbuusormxi.dll
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTxcnfsvtrii.sys
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTxcnfsvtrii.sys
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTtdtcwteygo.dll
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTwtqiufedid.dat
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTievplpoimn.dll
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTbbuusormxi.dll

---- Files - GMER 1.0.15 ----

File C:\Users\Claire Pike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1FRVWD4\favcenter[1] 0 bytes
File C:\Users\Claire Pike\AppData\Local\Temp\Low\h8srtmainqt.dll 16152 bytes
File C:\Users\Claire Pike\AppData\Local\Temp\~DFD98A.tmp 32768 bytes
File C:\Users\Claire Pike\AppData\Local\Temp\~DFD98F.tmp 512 bytes
File C:\Users\Claire Pike\AppData\Local\Temp\~DFD9D7.tmp 16384 bytes
File C:\Users\Claire Pike\AppData\Local\Temp\~DFD9DC.tmp 512 bytes
File C:\Users\Claire Pike\AppData\Local\Temp\~DFDA01.tmp 32768 bytes
File C:\Users\Claire Pike\AppData\Local\Temp\~DFDA07.tmp 512 bytes
File C:\Users\Claire Pike\AppData\Local\Temp\H8SRT6292.tmp 17408 bytes executable
File C:\Users\Claire Pike\AppData\Local\Temp\H8SRT667a.tmp 680448 bytes executable
File C:\Users\Claire Pike\AppData\Local\Temp\h8srtmainqt.dll 16528 bytes
File C:\Users\Claire Pike\AppData\Local\Temp\~DF244A.tmp 0 bytes
File C:\Users\Claire Pike\AppData\Local\Temp\~DF2458.tmp 0 bytes
File C:\Windows\System32\drivers\H8SRTxcnfsvtrii.sys 40448 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\H8SRTbbuusormxi.dll 40960 bytes executable
File C:\Windows\System32\H8SRTievplpoimn.dll 36864 bytes executable
File C:\Windows\System32\H8SRTtdtcwteygo.dll 23040 bytes executable
File C:\Windows\System32\H8SRTwtqiufedid.dat 246 bytes

---- EOF - GMER 1.0.15 ----
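To make a log like the one above quicker to read, here is an added example (my own code, written for this thread; it is not part of GMER and not something the forum helper posted). It parses GMER's saved text format and pulls out what a responder reads first: inline hooks on kernel and user-mode code, objects GMER marks as hidden, lines GMER itself tags "<-- ROOTKIT", and the per-ControlSet service keys that load the driver, then correlates the hidden driver with the service that persists it. The sample log is a constructed, shortened excerpt modelled on the posted one. The `attributed` flag relies on GMER's convention of appending the resolved module's path and vendor after a hook it can attribute (as on the `DialogBoxParamW` line, which lands in `IEFRAME.dll`); hooks with no such attribution, like the `ntkrnlpa.exe` and `WININET.dll` ones here, are the ones to look at.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not GMER's code
and not from this thread). Parses the plain-text log GMER saves and
correlates hidden drivers with the service keys that load them."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the log posted in the thread; not the full log.
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCompleteRequest 82A8AFE2 5 Bytes JMP 857382D3
PAGE ntkrnlpa.exe!ZwEnumerateKey 82C58BAC 5 Bytes JMP 8574439C
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\Iexplore.exe[1452] USER32.dll!DialogBoxParamW 76C91FD5 5 Bytes JMP 7318541D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1452] WININET.dll!HttpAddRequestHeadersA 76F6CF46 5 Bytes JMP 0096000A
---- Modules - GMER 1.0.15 ----
Module \systemroot\system32\drivers\H8SRTxcnfsvtrii.sys (*** hidden *** ) 8C8C6000-8C8E2000 (114688 bytes)
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\H8SRTievplpoimn.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [688] 0x10000000
---- Services - GMER 1.0.15 ----
Service C:\Windows\system32\drivers\H8SRTxcnfsvtrii.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTxcnfsvtrii.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTxcnfsvtrii.sys
---- Files - GMER 1.0.15 ----
File C:\Windows\System32\drivers\H8SRTxcnfsvtrii.sys 40448 bytes executable <-- ROOTKIT !!!
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
# Inline hook line: <segment> <target> <addr> <n> Bytes JMP <dest> [resolved module (vendor)]
HOOK_RE = re.compile(
    r"^(?P<seg>\.text|PAGE|INIT)\s+(?P<target>.+?)\s+(?P<addr>[0-9A-F]{8})\s+"
    r"(?P<nbytes>\d+) Bytes\s+(?P<kind>JMP|CALL)\s+(?P<dest>[0-9A-F]{8})(?P<rest>.*)$"
)
HIDDEN_RE = re.compile(
    r"^(?P<kind>Module|Library|Service|File|Process)\s+(?P<path>.+?) \(\*\*\* hidden \*\*\* \)"
)
IMAGEPATH_RE = re.compile(
    r"^Reg HKLM\\SYSTEM\\(?P<cs>\w+)\\Services\\(?P<svc>[^\\@]+)@imagepath\s+(?P<path>\S+)",
    re.IGNORECASE,
)


def basename(path):
    """Last path component, lower-cased, so NT and Win32 spellings compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer_log(text):
    """Return hooks, hidden objects, ROOTKIT-tagged lines and service image paths."""
    section, hooks, hidden, flagged = None, [], [], []
    services = defaultdict(dict)  # service name -> {ControlSet name: image path}
    for line in (l.rstrip() for l in text.splitlines() if l.strip()):
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if "<-- ROOTKIT" in line:  # GMER's own verdict; keep the whole line
            flagged.append(line)
        if m := HOOK_RE.match(line):
            rest = m.group("rest").strip()
            hooks.append({
                "section": section,
                "target": m.group("target"),
                "addr": int(m.group("addr"), 16),
                "dest": int(m.group("dest"), 16),
                # GMER appends "<module path> (<vendor>)" when it resolved the jump target
                "attributed": rest.endswith(")") and " (" in rest,
            })
        elif m := HIDDEN_RE.match(line):
            hidden.append((m.group("kind"), m.group("path")))
        elif m := IMAGEPATH_RE.match(line):
            services[m.group("svc")][m.group("cs")] = m.group("path")
    return {"hooks": hooks, "hidden": hidden, "flagged": flagged, "services": dict(services)}


def triage(report):
    """Reduce the raw findings to the short list a responder acts on."""
    findings = []
    for h in report["hooks"]:
        if not h["attributed"]:
            findings.append(
                f"unattributed hook ({h['section']}): {h['target']} -> {h['dest']:08X}"
            )
    hidden_names = {basename(p) for _, p in report["hidden"]}
    for svc, by_cs in report["services"].items():
        for cs, path in by_cs.items():
            if basename(path) in hidden_names:
                findings.append(f"service {svc} in {cs} loads hidden driver {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_gmer_log(SAMPLE_LOG)):
        print(finding)
```

Run against the excerpt, `triage` reports the three unattributed hooks and, separately for `ControlSet002` and `CurrentControlSet`, that service `H8SRTd.sys` loads the hidden `H8SRTxcnfsvtrii.sys`; the second point is why a cleanup that removes the file alone, without the service keys in every ControlSet, leaves the machine able to reload the driver on a later boot.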

#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:01:59 AM

Posted 11 January 2010 - 10:54 AM

Hi,


It's indeed a rootkit and a rather nasty one at that: it is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to clean your PC please run Combofix and post back the logs in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#8 Ryano1

Ryano1
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:59 AM

Posted 11 January 2010 - 11:04 AM

Thanks for the reply. We do do online banking on that PC, so we will change passwords and that ASAP. Dad's a banker, so he will notice any incorrect transactions, and the only funny thing on the PC so far is the antivirus situation. Running ComboFix on it as we speak and will post the logs as soon as. We've been thinking about getting a new PC, so that's what we'll do, as well as wiping the current one and reinstalling stuff.

#9 Ryano1

Ryano1
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:12:59 AM

Posted 11 January 2010 - 12:38 PM

ComboFix log:

ComboFix 10-01-04.01 - Claire Pike 11/01/2010 16:33:48.1.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1129 [GMT 0:00]
Running from: c:\users\Claire Pike\Desktop\ComboFix1.exe
SP: COMODO Defense+ *enabled* (Updated) {043803A4-4F86-4ef7-AFC5-F6E02A79969B}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\update.exe
c:\users\Claire Pike\AppData\Roaming\.#
c:\users\Claire Pike\AppData\Roaming\.#\MBX@F78@1F628B8.###
c:\users\Claire Pike\AppData\Roaming\.#\MBX@F78@1F628E8.###
c:\users\Claire Pike\AppData\Roaming\.#\MBX@F78@1F62918.###
c:\users\CLAIRE~1\AppData\Local\Temp\wscsvc32.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\H8SRTbbuusormxi.dll
c:\windows\system32\H8SRTievplpoimn.dll
c:\windows\system32\H8SRTtdtcwteygo.dll
c:\windows\system32\H8SRTwtqiufedid.dat
c:\windows\system32\intel64.exe
c:\windows\system32\ntos.exe
c:\windows\system32\oembios.exe
c:\windows\system32\sdra64.exe
c:\windows\system32\srcr.dat
c:\windows\system32\twex.exe
c:\windows\system32\twext.exe
c:\windows\system32\wsnpoema.exe
c:\windows\system32\drivers\H8SRTxcnfsvtrii.sys . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 )))))))))))))))))))))))))))))))
.

2010-01-11 17:07 . 2010-01-11 17:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-11 14:35 . 2010-01-11 17:11 1184144 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-01-11 14:30 . 2010-01-11 14:36 -------- d-----w- c:\programdata\Comodo
2010-01-11 14:30 . 2010-01-11 14:30 74328 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-01-11 14:30 . 2010-01-11 14:30 29520 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-01-11 14:30 . 2010-01-11 14:30 171552 ----a-w- c:\windows\system32\guard32.dll
2010-01-11 14:30 . 2010-01-11 14:30 128376 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-01-11 12:37 . 2010-01-11 12:37 -------- d-----w- c:\users\Claire Pike\AppData\Local\AVG Security Toolbar
2010-01-02 11:18 . 2010-01-02 11:18 -------- d-----w- c:\programdata\McAfee
2009-12-31 21:07 . 2010-01-06 19:34 -------- d-----w- c:\users\Claire Pike\AppData\Roaming\gtk-2.0
2009-12-31 21:07 . 2009-12-31 21:07 -------- d-----w- c:\users\Claire Pike\.thumbnails
2009-12-30 18:52 . 2010-01-11 11:13 -------- d-----w- c:\users\Claire Pike\AppData\Roaming\Comodo
2009-12-30 18:32 . 2009-12-30 18:32 249592 ----a-w- c:\windows\system32\cssdll32.dll
2009-12-30 18:29 . 2010-01-11 14:30 -------- d-----w- c:\program files\COMODO
2009-12-30 17:33 . 2010-01-11 12:38 -------- d-----w- c:\programdata\avg8
2009-12-30 17:29 . 2010-01-10 19:46 -------- d-----w- c:\programdata\AVG Security Toolbar
2009-12-30 14:46 . 2003-03-18 20:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-12-30 14:46 . 2009-12-30 14:46 -------- d-----w- c:\program files\Alwil Software
2009-12-30 13:49 . 2009-12-30 13:51 -------- d-----w- C:\$AVG
2009-12-30 13:48 . 2010-01-11 12:40 -------- d-----w- c:\programdata\avg9
2009-12-29 17:44 . 2009-12-29 17:44 -------- d-----w- c:\program files\Trend Micro
2009-12-29 10:12 . 2010-01-11 08:44 847 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-29 10:11 . 2010-01-11 17:14 40448 ----a-w- c:\windows\system32\drivers\H8SRTxcnfsvtrii.sys
2009-12-24 11:16 . 2009-12-24 11:22 -------- d-----w- c:\users\Claire Pike\AppData\Roaming\TS3Client
2009-12-24 11:14 . 2009-12-24 11:14 121071 ----a-w- c:\program files\Uninstall.exe
2009-12-24 11:14 . 2009-12-24 11:14 -------- d-----w- c:\program files\translations
2009-12-24 11:14 . 2009-12-24 11:14 -------- d-----w- c:\program files\styles
2009-12-24 11:14 . 2009-12-24 11:14 -------- d-----w- c:\program files\sound
2009-12-24 11:14 . 2009-12-24 11:14 -------- d-----w- c:\program files\scripts
2009-12-24 11:14 . 2009-12-24 11:14 -------- d-----w- c:\program files\plugins
2009-12-24 11:14 . 2009-12-24 11:14 -------- d-----w- c:\program files\imageformats
2009-12-24 11:14 . 2009-12-24 11:14 -------- d-----w- c:\program files\gfx
2009-12-23 19:48 . 2009-12-23 19:48 5797064 ----a-w- c:\program files\ts3client_win32.exe
2009-12-19 08:28 . 2009-12-19 08:28 -------- d-----w- c:\program files\GIMP-2.0
2009-12-18 17:36 . 2009-12-18 17:36 -------- d-----w- c:\programdata\WindowsSearch
2009-12-18 17:17 . 2009-12-18 17:17 -------- d-----w- c:\programdata\Trymedia
2009-12-18 16:58 . 2009-12-18 17:34 -------- d-----w- c:\program files\rFactor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-11 11:57 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-01-11 11:57 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-01-11 11:57 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-01-11 11:57 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-01-11 11:57 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-01-11 11:57 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-11 11:57 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-01-11 11:37 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-11 11:09 . 2008-08-29 14:11 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-11 11:08 . 2009-08-29 19:03 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-11 11:02 . 2009-04-18 06:51 -------- d-----w- c:\programdata\Lavasoft
2010-01-10 21:28 . 2009-08-12 09:33 -------- d-----w- c:\program files\Championship Manager 01-02
2010-01-04 18:50 . 2009-09-26 13:46 -------- d-----w- c:\users\Claire Pike\AppData\Roaming\mIRC
2010-01-02 13:37 . 2009-04-14 11:50 -------- d-----w- c:\users\Claire Pike\AppData\Roaming\teamspeak2
2009-12-30 14:18 . 2009-04-18 06:51 -------- d-----w- c:\program files\Lavasoft
2009-12-30 13:48 . 2008-07-29 17:07 -------- d-----w- c:\program files\AVG
2009-12-29 16:16 . 2008-05-13 15:35 -------- d-----w- c:\program files\Java
2009-12-29 11:17 . 2009-09-02 13:44 69 ----a-w- c:\users\Claire Pike\jagex_runescape_preferences2.dat
2009-12-29 10:30 . 2008-07-02 14:54 39 ----a-w- c:\users\Claire Pike\jagex_runescape_preferences.dat
2009-12-23 19:48 . 2009-12-23 19:48 6468 ----a-w- c:\program files\changelog.txt
2009-12-23 19:48 . 2009-12-23 19:48 17068 ----a-w- c:\program files\apps.ini
2009-12-23 19:48 . 2009-12-23 19:48 539 ----a-w- c:\program files\mirrors.ini
2009-12-19 11:09 . 2009-08-06 08:51 -------- d-----w- c:\program files\Paint.NET
2009-12-17 20:35 . 2009-10-23 21:46 1 ----a-w- c:\users\Claire Pike\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-02 13:48 . 2009-12-02 13:48 398336 ----a-w- c:\program files\fmodex.dll
2009-11-29 15:11 . 2009-11-29 15:08 -------- d-----w- c:\program files\Quick Screen Recorder
2009-11-21 06:40 . 2009-12-10 19:07 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-10 19:07 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-10 19:07 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-10 19:07 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-09 13:22 . 2009-12-12 13:01 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 13:20 . 2009-12-12 13:01 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 11:04 . 2009-12-12 13:01 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-02 20:42 . 2009-10-03 07:19 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-30 07:43 . 2009-05-05 19:13 38208 ----a-w- c:\users\Claire Pike\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-29 09:41 . 2009-11-26 13:01 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-29 09:10 . 2008-05-12 13:20 82224 ----a-w- c:\users\Claire Pike\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-13 13:41 . 2009-10-13 13:41 7096320 ----a-w- c:\program files\QtGui4.dll
2009-10-13 13:41 . 2009-10-13 13:41 634880 ----a-w- c:\program files\QtNetwork4.dll
2009-10-13 13:41 . 2009-10-13 13:41 1959936 ----a-w- c:\program files\QtCore4.dll
2009-06-01 20:36 . 2009-06-01 20:28 1734 ----a-w- c:\program files\server.log
2009-06-01 20:36 . 2009-06-01 20:28 20480 ----a-w- c:\program files\server.dbs
2009-06-01 20:28 . 2009-06-01 20:28 0 ----a-w- c:\program files\whitelist.txt
2009-06-01 20:28 . 2009-06-01 20:28 561 ----a-w- c:\program files\server.ini
2009-06-01 20:28 . 2009-06-01 20:28 8 ----a-w- c:\program files\bad_names.txt
2009-06-01 20:28 . 2009-06-01 20:27 21281 ----a-w- c:\program files\unins000.dat
2009-06-01 20:27 . 2009-06-01 20:27 685849 ----a-w- c:\program files\unins000.exe
2007-08-02 12:49 . 2009-06-01 20:27 3964 ----a-w- c:\program files\readme.txt
2007-08-02 06:00 . 2009-06-01 20:27 20505 ----a-w- c:\program files\slicense.txt
2007-08-02 05:52 . 2009-06-01 20:27 439808 ----a-w- c:\program files\server_windows.exe
2006-03-13 15:00 . 2009-06-01 20:27 2657 ----a-w- c:\program files\INSTALL.mysql
2006-03-13 15:00 . 2009-06-01 20:27 95744 ----a-w- c:\program files\dbexpmysql.dll
2006-03-13 15:00 . 2009-06-01 20:27 362 ----a-w- c:\program files\manual.html
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-09 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-11 4702208]
"Skytel"="Skytel.exe" [2007-10-11 1826816]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-11 185632]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13683232]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 92704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-29 149280]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-01-11 1800464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:aba98a5e1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R3 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr.sys [2009-02-06 55280]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2010-01-11 128376]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2010-01-11 29520]
S2 TeamViewer;TeamViewer 3;c:\program files\TeamViewer3\TeamViewer_Service.exe [2008-08-06 181544]
S3 ZY202_VS;ZyXEL 802.11g XG202 1211 Vista Driver;c:\windows\system32\DRIVERS\WlanUZG.sys [2007-04-03 449536]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {ACF3FB60-D57B-4886-8BC6-F995D4C37C14} = 192.168.1.1
TCP: {B760BE55-F4B6-4761-849D-18C5F04085A6} = 192.168.1.1
FF - ProfilePath - c:\users\Claire Pike\AppData\Roaming\Mozilla\Firefox\Profiles\sq6tajm3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Claire Pike\AppData\Local\Microsoft\Internet Explorer\Downloaded Program Files\npsoe.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Active Desktop Calendar - c:\program files\XemiComputers\Active Desktop Calendar\ADC.exe
AddRemove-82A44D22-9452-49FB-00FB-CEC7DCAF7E23 - c:\program files\EA SPORTS\EA SPORTS online\EASOUNInstaller.exe
AddRemove-Football Manager 2008 - c:\program files\Sports Interactive\Football Manager 2008\Uninstall_Football Manager 2008\Uninstall Football Manager 2008.exe
AddRemove-Fraps - c:\users\Claire Pike\Desktop\Craigy Crubble\msn\uninstall.exe
AddRemove-{9BE8E9B7-A286-44BF-0080-C947C6C1FC21} - c:\program files\EA SPORTS\FIFA 07\EAUninstall.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\H8SRTd.sys]
"imagepath"="\systemroot\system32\drivers\H8SRTxoqiepvdej.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\H8SRTd.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\H8SRTxoqiepvdej.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\RtHDVCpl.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-01-11 17:31:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-11 17:29

Pre-Run: 8,924,254,208 bytes free
Post-Run: 10,861,457,408 bytes free

- - End Of File - - 598F9330207C9A633C88549EDC74E7C7

#10 Ryano1 (Topic Starter, Members, 17 posts)

Posted 11 January 2010 - 01:37 PM

Another question: would the rootkit save itself onto a USB stick? We copied over the files that we needed a couple of days ago and don't know whether to try opening them on the computer in case it is on the memory stick.

#11 myrti (Sillyberry, Malware Study Hall Admin, 33,779 posts)

Posted 11 January 2010 - 04:24 PM

Hi,

there is a low but present chance that malware is going to be present on the flash drive. To prevent infection, please do the following:

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

You can do this on your clean computer. Holding down the Shift key should prevent any malware from automatically infecting you. After having run this tool with your flash drive plugged in, the flash drive will be vaccinated and no longer able to automatically infect you. If you only copy over documents then you should be safe from infecting the other PC.

There are a couple of items left on your infected PC we need to remove, please run the following script:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\krl32mainweq.dll
c:\windows\system32\drivers\H8SRTxcnfsvtrii.sys


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+
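The blocking-directory idea behind the autorun.inf folder that myrti describes, as an added example that is not code from the thread or from Flash_Disinfector (whose own implementation is not shown on this page): Windows AutoRun looks for a file named autorun.inf in a drive's root, so a directory already occupying that name stops malware from dropping the file. The script classifies a drive root's autorun.inf state, lists the launch entries (open=, shellexecute=, shell\open\command) of an existing autorun.inf file so a helper can see what it would have started, and vaccinates a clean root. The drive roots are constructed in a temporary directory; the function names and the sample autorun.inf contents are this example's own.

```python
"""
Added example: autorun.inf vaccination check, not taken from the thread
or from Flash_Disinfector. Uses temporary directories in place of real
drive roots so it runs offline on any platform.
"""
import os
import tempfile

AUTORUN_NAME = "autorun.inf"
# Keys in the [autorun] section that cause something to be executed.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.
    Other sections and comment lines are ignored."""
    section = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def inspect_drive(root):
    """Classify the autorun.inf state of a drive root.

    Returns (state, launch_entries) where state is one of:
      'vaccinated' - a directory named autorun.inf blocks the file
      'launches'   - an autorun.inf file names something to execute
      'benign'     - an autorun.inf file with no launch keys (icon/label only)
      'absent'     - nothing named autorun.inf in the root
    """
    path = os.path.join(root, AUTORUN_NAME)
    if os.path.isdir(path):
        return "vaccinated", {}
    if not os.path.isfile(path):
        return "absent", {}
    with open(path, "r", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    launches = {k: v for k, v in entries.items() if k in LAUNCH_KEYS}
    return ("launches" if launches else "benign"), launches


def vaccinate_drive(root):
    """Create the blocking directory. Returns True if it was created,
    False if the root was already vaccinated. Refuses to replace an
    existing autorun.inf FILE so an infected drive is reviewed, not
    silently papered over."""
    path = os.path.join(root, AUTORUN_NAME)
    if os.path.isdir(path):
        return False
    if os.path.isfile(path):
        raise RuntimeError("autorun.inf file present; review it before vaccinating")
    os.mkdir(path)
    return True


def demo():
    """Exercise the checks on two constructed drive roots in a temp dir."""
    base = tempfile.mkdtemp()
    results = {}

    # Constructed sample: a root carrying an autorun.inf that launches a binary.
    infected = os.path.join(base, "infected")
    os.mkdir(infected)
    with open(os.path.join(infected, AUTORUN_NAME), "w") as fh:
        fh.write("[autorun]\nopen=RECYCLER\\example.exe\nicon=example.ico\n")
    state, launches = inspect_drive(infected)
    results["infected"] = state
    results["infected_launch_keys"] = sorted(launches)

    # Constructed sample: a clean root, inspected before and after vaccination.
    clean = os.path.join(base, "clean")
    os.mkdir(clean)
    results["clean_before"] = inspect_drive(clean)[0]
    results["created"] = vaccinate_drive(clean)
    results["clean_after"] = inspect_drive(clean)[0]
    results["created_again"] = vaccinate_drive(clean)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vaccination matters mostly for the Vista-era systems in this thread; Microsoft later disabled AutoRun for non-optical removable media, but an autorun.inf that names an executable remains a useful indicator that a drive has been plugged into an infected machine, which is why inspect_drive reports the launch entries rather than just deleting the file.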


#12 Ryano1 (Topic Starter, Members, 17 posts)

Posted 11 January 2010 - 06:01 PM

Cheers for that, ran both as instructed, hopefully the USB is fine :(

ComboFix 10-01-04.01 - Claire Pike 11/01/2010 22:36:48.2.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1347 [GMT 0:00]
Running from: c:\users\Claire Pike\Desktop\ComboFix1.exe
Command switches used :: c:\users\Claire Pike\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\drivers\H8SRTxcnfsvtrii.sys"
"c:\windows\system32\krl32mainweq.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\H8SRTxcnfsvtrii.sys
c:\windows\system32\krl32mainweq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_H8SRTd.sys
-------\Service_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 )))))))))))))))))))))))))))))))
.

2010-01-11 22:47 . 2010-01-11 22:50 -------- d-----w- c:\users\Claire Pike\AppData\Local\temp
2010-01-11 22:47 . 2010-01-11 22:47 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-11 22:47 . 2010-01-11 22:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-11 17:49 . 2010-01-11 17:49 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-11 17:49 . 2010-01-11 17:49 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-11 17:49 . 2010-01-11 17:49 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-11 17:49 . 2010-01-11 17:49 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-11 17:49 . 2010-01-11 17:53 -------- d-----w- c:\windows\system32\drivers\Avg
2010-01-11 14:35 . 2010-01-11 22:00 1272944 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-01-11 14:30 . 2010-01-11 14:30 74328 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-01-11 12:37 . 2010-01-11 12:37 -------- d-----w- c:\users\Claire Pike\AppData\Local\AVG Security Toolbar
2010-01-02 11:18 . 2010-01-02 11:18 -------- d-----w- c:\programdata\McAfee
2009-12-31 21:07 . 2010-01-06 19:34 -------- d-----w- c:\users\Claire Pike\AppData\Roaming\gtk-2.0
2009-12-31 21:07 . 2009-12-31 21:07 -------- d-----w- c:\users\Claire Pike\.thumbnails
2009-12-30 18:52 . 2010-01-11 11:13 -------- d-----w- c:\users\Claire Pike\AppData\Roaming\Comodo
2009-12-30 18:32 . 2009-12-30 18:32 249592 ----a-w- c:\windows\system32\cssdll32.dll
2009-12-30 18:29 . 2010-01-11 22:16 -------- d-----w- c:\program files\COMODO
2009-12-30 17:29 . 2010-01-10 19:46 -------- d-----w- c:\programdata\AVG Security Toolbar
2009-12-30 14:46 . 2003-03-18 20:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-12-30 14:46 . 2009-12-30 14:46 -------- d-----w- c:\program files\Alwil Software
2009-12-30 13:49 . 2009-12-30 13:51 -------- d-----w- C:\$AVG
2009-12-30 13:48 . 2010-01-11 17:48 -------- d-----w- c:\programdata\avg9
2009-12-29 17:44 . 2009-12-29 17:44 -------- d-----w- c:\program files\Trend Micro
2009-12-24 11:16 . 2009-12-24 11:22 -------- d-----w- c:\users\Claire Pike\AppData\Roaming\TS3Client
2009-12-24 11:14 . 2009-12-24 11:14 121071 ----a-w- c:\program files\Uninstall.exe
2009-12-24 11:14 . 2009-12-24 11:14 -------- d-----w- c:\program files\translations
2009-12-24 11:14 . 2009-12-24 11:14 -------- d-----w- c:\program files\styles
2009-12-24 11:14 . 2009-12-24 11:14 -------- d-----w- c:\program files\sound
2009-12-24 11:14 . 2009-12-24 11:14 -------- d-----w- c:\program files\scripts
2009-12-24 11:14 . 2009-12-24 11:14 -------- d-----w- c:\program files\plugins
2009-12-24 11:14 . 2009-12-24 11:14 -------- d-----w- c:\program files\imageformats
2009-12-24 11:14 . 2009-12-24 11:14 -------- d-----w- c:\program files\gfx
2009-12-23 19:48 . 2009-12-23 19:48 5797064 ----a-w- c:\program files\ts3client_win32.exe
2009-12-19 08:28 . 2009-12-19 08:28 -------- d-----w- c:\program files\GIMP-2.0
2009-12-18 17:36 . 2009-12-18 17:36 -------- d-----w- c:\programdata\WindowsSearch
2009-12-18 17:17 . 2009-12-18 17:17 -------- d-----w- c:\programdata\Trymedia
2009-12-18 16:58 . 2009-12-18 17:34 -------- d-----w- c:\program files\rFactor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-11 11:57 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-01-11 11:57 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-01-11 11:57 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-01-11 11:57 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-01-11 11:57 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-01-11 11:57 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-11 11:57 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-01-11 11:37 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-11 11:09 . 2008-08-29 14:11 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-11 11:08 . 2009-08-29 19:03 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-11 11:02 . 2009-04-18 06:51 -------- d-----w- c:\programdata\Lavasoft
2010-01-10 21:28 . 2009-08-12 09:33 -------- d-----w- c:\program files\Championship Manager 01-02
2010-01-04 18:50 . 2009-09-26 13:46 -------- d-----w- c:\users\Claire Pike\AppData\Roaming\mIRC
2010-01-02 13:37 . 2009-04-14 11:50 -------- d-----w- c:\users\Claire Pike\AppData\Roaming\teamspeak2
2009-12-30 14:18 . 2009-04-18 06:51 -------- d-----w- c:\program files\Lavasoft
2009-12-30 13:48 . 2008-07-29 17:07 -------- d-----w- c:\program files\AVG
2009-12-29 16:16 . 2008-05-13 15:35 -------- d-----w- c:\program files\Java
2009-12-29 11:17 . 2009-09-02 13:44 69 ----a-w- c:\users\Claire Pike\jagex_runescape_preferences2.dat
2009-12-29 10:30 . 2008-07-02 14:54 39 ----a-w- c:\users\Claire Pike\jagex_runescape_preferences.dat
2009-12-23 19:48 . 2009-12-23 19:48 6468 ----a-w- c:\program files\changelog.txt
2009-12-23 19:48 . 2009-12-23 19:48 17068 ----a-w- c:\program files\apps.ini
2009-12-23 19:48 . 2009-12-23 19:48 539 ----a-w- c:\program files\mirrors.ini
2009-12-19 11:09 . 2009-08-06 08:51 -------- d-----w- c:\program files\Paint.NET
2009-12-17 20:35 . 2009-10-23 21:46 1 ----a-w- c:\users\Claire Pike\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-02 13:48 . 2009-12-02 13:48 398336 ----a-w- c:\program files\fmodex.dll
2009-11-29 15:11 . 2009-11-29 15:08 -------- d-----w- c:\program files\Quick Screen Recorder
2009-11-21 06:40 . 2009-12-10 19:07 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-10 19:07 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-10 19:07 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-10 19:07 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-09 13:22 . 2009-12-12 13:01 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 13:20 . 2009-12-12 13:01 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 11:04 . 2009-12-12 13:01 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-02 20:42 . 2009-10-03 07:19 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-30 07:43 . 2009-05-05 19:13 38208 ----a-w- c:\users\Claire Pike\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-29 09:41 . 2009-11-26 13:01 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-29 09:10 . 2008-05-12 13:20 82224 ----a-w- c:\users\Claire Pike\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-13 13:41 . 2009-10-13 13:41 7096320 ----a-w- c:\program files\QtGui4.dll
2009-10-13 13:41 . 2009-10-13 13:41 634880 ----a-w- c:\program files\QtNetwork4.dll
2009-10-13 13:41 . 2009-10-13 13:41 1959936 ----a-w- c:\program files\QtCore4.dll
2009-06-01 20:36 . 2009-06-01 20:28 1734 ----a-w- c:\program files\server.log
2009-06-01 20:36 . 2009-06-01 20:28 20480 ----a-w- c:\program files\server.dbs
2009-06-01 20:28 . 2009-06-01 20:28 0 ----a-w- c:\program files\whitelist.txt
2009-06-01 20:28 . 2009-06-01 20:28 561 ----a-w- c:\program files\server.ini
2009-06-01 20:28 . 2009-06-01 20:28 8 ----a-w- c:\program files\bad_names.txt
2009-06-01 20:28 . 2009-06-01 20:27 21281 ----a-w- c:\program files\unins000.dat
2009-06-01 20:27 . 2009-06-01 20:27 685849 ----a-w- c:\program files\unins000.exe
2007-08-02 12:49 . 2009-06-01 20:27 3964 ----a-w- c:\program files\readme.txt
2007-08-02 06:00 . 2009-06-01 20:27 20505 ----a-w- c:\program files\slicense.txt
2007-08-02 05:52 . 2009-06-01 20:27 439808 ----a-w- c:\program files\server_windows.exe
2006-03-13 15:00 . 2009-06-01 20:27 2657 ----a-w- c:\program files\INSTALL.mysql
2006-03-13 15:00 . 2009-06-01 20:27 95744 ----a-w- c:\program files\dbexpmysql.dll
2006-03-13 15:00 . 2009-06-01 20:27 362 ----a-w- c:\program files\manual.html
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-09 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-11 4702208]
"Skytel"="Skytel.exe" [2007-10-11 1826816]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-11 185632]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13683232]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 92704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-29 149280]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-11 2033432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:aba98a5e1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [11/01/2010 17:49 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [11/01/2010 17:49 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/01/2010 17:48 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/01/2010 17:48 285392]
R2 TeamViewer;TeamViewer 3;c:\program files\TeamViewer3\TeamViewer_Service.exe [06/08/2008 06:42 181544]
R3 ZY202_VS;ZyXEL 802.11g XG202 1211 Vista Driver;c:\windows\System32\drivers\WlanUZG.sys [06/04/2009 14:19 449536]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [23/03/2009 20:24 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 18:08 533360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {ACF3FB60-D57B-4886-8BC6-F995D4C37C14} = 192.168.1.1
TCP: {B760BE55-F4B6-4761-849D-18C5F04085A6} = 192.168.1.1
FF - ProfilePath - c:\users\Claire Pike\AppData\Roaming\Mozilla\Firefox\Profiles\sq6tajm3.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Claire Pike\AppData\Local\Microsoft\Internet Explorer\Downloaded Program Files\npsoe.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-11 22:50
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\RtHDVCpl.exe
c:\windows\System32\rundll32.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-01-11 22:59:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-11 22:59
ComboFix2.txt 2010-01-11 17:31

Pre-Run: 13,508,767,744 bytes free
Post-Run: 13,043,793,920 bytes free

- - End Of File - - 9469FA0EC32EEB0E9BB12480E55DFA2F

#13 myrti (Sillyberry, Malware Study Hall Admin, 33,779 posts)

Posted 11 January 2010 - 06:37 PM

Hi,

that is looking good. How is your PC doing?

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
regards myrti



#14 Ryano1 (Topic Starter, Members, 17 posts)

Posted 12 January 2010 - 06:50 PM

PC seems to be running fine, but that's probably due to the parents being rather efficient and doing a reformat and reinstall. Do you want me to run the ESET scan anyway?

#15 myrti (Sillyberry, Malware Study Hall Admin, 33,779 posts)

Posted 12 January 2010 - 07:03 PM

Hi,

your parents reformatted after running ComboFix?

If so, there is no need for the Esetscan.

regards myrti





