
krl32mainweq.dll trojan


  • This topic is locked
43 replies to this topic

#1 deathx88

deathx88

  • Members
  • 154 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:29 PM

Posted 04 January 2010 - 01:37 PM

I recently had a bad virus on my computer and now every time I start my computer it says that Windows Explorer won't load, or something along those lines, although I'm able to boot into Safe Mode. I looked in my system32 folder and the most recent file was krl32mainweq.dll. I've been looking a lot up online and I've had the same problems as other people; it seems a program called Malware Defense has been going around infecting everybody.

Anyway, right now I'm in Safe Mode and I'm trying to run RootRepeal but it's not working too well. I've literally been running it for 3 days straight now and it's scanning ridiculously slowly.
So far it's come up with:

C:\windows\explorer.e6e - invisible to windows API!
C:\windows\explorer.exe - visible to windows API, but not on disk

I don't know if I should continue scanning or not since it'll probably take another week for it to finish, but judging from other posts on the internet it seems that everyone with the same problem is infected with the "H8SRT" rootkit.

Also, Malwarebytes doesn't seem to work anymore; I keep getting an "Error 704" thing and it won't start even if I rename it. So please instruct me if I have to manually delete something to get this working.

Thank you, any help would be appreciated.

--------------------------------------------------------

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by SYSTEM at 17:00:22.06 on Fri 01/01/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.2550 [GMT -5:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\config\systemprofile\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1FD79A59-37B1-459B-9097-09F9FAB8A523} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
uRunOnce: [SpybotDeletingB8660] command.com /c del "c:\windows\system32\drivers\H8SRTrtpewenboq.sys"
uRunOnce: [SpybotDeletingD755] cmd.exe /c del "c:\windows\system32\drivers\H8SRTrtpewenboq.sys"
uRunOnce: [SpybotDeletingB6349] command.com /c del "c:\windows\system32\H8SRTacisiccxia.dll"
uRunOnce: [SpybotDeletingD853] cmd.exe /c del "c:\windows\system32\H8SRTacisiccxia.dll"
uRunOnce: [SpybotDeletingB3040] command.com /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
uRunOnce: [SpybotDeletingD7302] cmd.exe /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
uRunOnce: [SpybotDeletingB752] command.com /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
uRunOnce: [SpybotDeletingD6271] cmd.exe /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
uRunOnce: [SpybotDeletingB5894] command.com /c del "c:\windows\system32\drivers\H8SRTrtpewenboq.sys"
uRunOnce: [SpybotDeletingD3864] cmd.exe /c del "c:\windows\system32\drivers\H8SRTrtpewenboq.sys"
uRunOnce: [SpybotDeletingB1848] command.com /c del "c:\windows\system32\H8SRTacisiccxia.dll"
uRunOnce: [SpybotDeletingD3437] cmd.exe /c del "c:\windows\system32\H8SRTacisiccxia.dll"
uRunOnce: [SpybotDeletingB6933] command.com /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
uRunOnce: [SpybotDeletingD4940] cmd.exe /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
uRunOnce: [SpybotDeletingB8865] command.com /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
uRunOnce: [SpybotDeletingD5042] cmd.exe /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_01\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRunOnce: [SpybotDeletingC4796] cmd.exe /c del "c:\windows\system32\H8SRTacisiccxia.dll"
mRunOnce: [SpybotDeletingA3120] command.com /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
mRunOnce: [SpybotDeletingC9262] cmd.exe /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
mRunOnce: [SpybotDeletingA6230] command.com /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
mRunOnce: [SpybotDeletingC2494] cmd.exe /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
mRunOnce: [SpybotDeletingA2623] command.com /c del "c:\windows\system32\drivers\H8SRTrtpewenboq.sys"
mRunOnce: [SpybotDeletingC942] cmd.exe /c del "c:\windows\system32\drivers\H8SRTrtpewenboq.sys"
mRunOnce: [SpybotDeletingA416] command.com /c del "c:\windows\system32\H8SRTacisiccxia.dll"
mRunOnce: [SpybotDeletingC2068] cmd.exe /c del "c:\windows\system32\H8SRTacisiccxia.dll"
mRunOnce: [SpybotDeletingA2031] command.com /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
mRunOnce: [SpybotDeletingC5634] cmd.exe /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
mRunOnce: [SpybotDeletingA1414] command.com /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
mRunOnce: [SpybotDeletingC9278] cmd.exe /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
dRunOnce: [SpybotDeletingB8660] command.com /c del "c:\windows\system32\drivers\H8SRTrtpewenboq.sys"
dRunOnce: [SpybotDeletingD755] cmd.exe /c del "c:\windows\system32\drivers\H8SRTrtpewenboq.sys"
dRunOnce: [SpybotDeletingB6349] command.com /c del "c:\windows\system32\H8SRTacisiccxia.dll"
dRunOnce: [SpybotDeletingD853] cmd.exe /c del "c:\windows\system32\H8SRTacisiccxia.dll"
dRunOnce: [SpybotDeletingB3040] command.com /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
dRunOnce: [SpybotDeletingD7302] cmd.exe /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
dRunOnce: [SpybotDeletingB752] command.com /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
dRunOnce: [SpybotDeletingD6271] cmd.exe /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
dRunOnce: [SpybotDeletingB5894] command.com /c del "c:\windows\system32\drivers\H8SRTrtpewenboq.sys"
dRunOnce: [SpybotDeletingD3864] cmd.exe /c del "c:\windows\system32\drivers\H8SRTrtpewenboq.sys"
dRunOnce: [SpybotDeletingB1848] command.com /c del "c:\windows\system32\H8SRTacisiccxia.dll"
dRunOnce: [SpybotDeletingD3437] cmd.exe /c del "c:\windows\system32\H8SRTacisiccxia.dll"
dRunOnce: [SpybotDeletingB6933] command.com /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
dRunOnce: [SpybotDeletingD4940] cmd.exe /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
dRunOnce: [SpybotDeletingB8865] command.com /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
dRunOnce: [SpybotDeletingD5042] cmd.exe /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {26E7F314-9CD5-4DA7-857F-9AA1CE852F01} = 65.32.5.111,65.32.5.112
AppInit_DLLs: c:\windows\system32\kbdsock.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-30 207792]
R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\drivers\SCMNdisP.sys [2009-8-14 21728]
R3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v2.sys [2009-8-14 206336]
S2 SCM_Service;SCM_Service;c:\windows\system32\WinService.exe [2009-8-14 180224]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-12-30 359624]
S2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-12-30 1141712]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-7-14 239648]
S3 DBKDRVR54;DBKDRVR54;c:\program files\cheat engine\dbk32.sys [2009-9-23 36096]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2010-01-01 06:17:36 145440 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2010-01-01 00:56:11 22016 ----a-w- C:\bktdl.exe
2010-01-01 00:56:09 22016 ----a-w- C:\ryxy.exe
2009-12-31 17:23:13 0 d-----w- C:\Zombie Shooter 2
2009-12-30 23:47:06 793 ----a-w- c:\windows\wininit.ini
2009-12-30 22:40:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 22:40:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-30 22:40:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-30 20:09:39 98600 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2009-12-30 20:09:39 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-12-30 20:09:39 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-30 20:09:35 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-30 20:09:35 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-12-30 20:09:35 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-12-30 20:09:35 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-30 20:09:29 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-12-30 20:09:29 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-30 20:09:21 0 d-----w- c:\programdata\PC Tools
2009-12-30 20:09:21 0 d-----w- c:\program files\Spyware Doctor
2009-12-30 20:09:21 0 d-----w- c:\program files\common files\PC Tools
2009-12-30 19:31:03 0 d-----w- c:\programdata\IObit
2009-12-30 19:30:58 0 d-----w- c:\program files\IObit
2009-12-30 19:28:46 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-12-30 19:28:46 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2009-12-30 00:56:40 0 d-----w- c:\program files\Romcenter
2009-12-30 00:48:12 871 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-30 00:47:11 207 ----a-w- c:\windows\system32\srcr.dat
2009-12-17 01:22:26 43744 ----a-w- C:\bootsect.zip
2009-12-17 01:22:26 112640 ----a-w- C:\bootsect.exe
2009-12-14 20:19:55 43896819 ----a-w- C:\harmony.zip
2009-12-12 07:09:58 0 d-----w- c:\program files\CamStudio
2009-12-04 14:17:04 0 d-----w- C:\Fraps
2009-12-03 18:31:01 1616138 ----a-w- C:\Fraps v2.9.9.rar
2009-12-03 04:26:50 626083 ----a-w- C:\SorR_crashes.zip
2009-12-03 04:26:45 73770902 ----a-w- C:\sorrv401bfullgamepatch.rar
2009-12-03 04:03:25 0 d-----w- c:\program files\mIRC
2009-12-03 02:23:11 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

==================== Find3M ====================

2010-01-01 00:56:16 773120 ----a-w- c:\windows\system32\drivers\agp440.sys
2009-12-31 15:11:58 32974 ----a-w- c:\programdata\nvModes.dat
2009-12-26 07:41:59 1447256 ----a-w- C:\genesisplus_20090924.zip
2009-12-26 07:39:05 131586 ----a-w- C:\gb64_xboxrename_fixed_gbv3.zip
2009-11-15 16:53:52 165378 ----a-w- c:\windows\Video Cleaner Pro Uninstaller.exe
2009-10-13 23:26:49 3742538 ----a-w- C:\q4hardqore_142patch_manualinstall.zip
2009-10-08 12:23:18 5053821 ----a-w- C:\vavoom-win-1.30.zip
2009-10-06 09:19:48 135062 ----a-w- C:\mpeg_mediator_v1.5.zip
2009-09-11 03:07:26 51200 ----a-w- c:\windows\inf\infpub.dat
2009-09-11 03:07:26 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-09-11 03:07:25 86016 ----a-w- c:\windows\inf\infstor.dat
2009-08-27 22:31:53 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-08-26 04:36:27 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 17:01:24.34 ===============
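As an added example (not part of the thread, and not code from DDS, RootRepeal or any other tool named here), the following Python script shows how a responder might triage the "Created Last 30" list and the RootRepeal findings posted above. It parses each DDS file line, then flags files that are far too small to be a real DLL or driver in system32, executables dropped directly in the drive root, names carrying the H8SRT prefix seen in the Spybot RunOnce entries, and anything written within two minutes of an already-flagged file; a second function picks out RootRepeal lines that report a file hidden from, or faked to, the Windows API. The sample lines are copied from this post's log except the H8SRT line, whose timestamp and size are constructed; the 4096-byte and two-minute thresholds are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the DDS "Created Last 30" section above,
# plus one H8SRT entry whose path comes from the Spybot RunOnce lines and whose
# timestamp/size are made up for the example.
SAMPLE_CREATED = r"""
2010-01-01 00:56:11 22016 ----a-w- C:\bktdl.exe
2010-01-01 00:56:09 22016 ----a-w- C:\ryxy.exe
2009-12-30 22:40:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-30 00:48:12 871 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-30 00:47:30 28672 ----a-w- c:\windows\system32\H8SRTacisiccxia.dll
2009-12-30 00:47:11 207 ----a-w- c:\windows\system32\srcr.dat
2009-12-12 07:09:58 0 d-----w- c:\program files\CamStudio
"""

# Constructed sample: the two RootRepeal lines quoted in the first post.
SAMPLE_ROOTREPEAL = r"""
C:\windows\explorer.e6e - invisible to windows API!
C:\windows\explorer.exe - visible to windows API, but not on disk
"""

# One DDS file line: <date> <time> <size> <attrs> <path>
DDS_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)
ROOTREPEAL_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) - (?P<status>.+)$")

PE_EXT = (".dll", ".exe", ".sys", ".ocx")
SYSTEM_DIRS = ("\\windows\\system32\\",)
TINY_PE_BYTES = 4096          # assumption: well below any genuine system DLL/driver
KNOWN_PREFIXES = ("h8srt",)   # rootkit file-name prefix seen in this thread's log


def parse_dds(text):
    """Turn DDS 'Created Last 30' / 'Find3M' lines into dicts; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "size": int(m["size"]),
            "is_dir": m["attrs"].startswith("d"),
            "path": m["path"],
        })
    return entries


def triage(entries, cluster_window=timedelta(minutes=2)):
    """Return {path: [reasons]} for entries worth a closer look."""
    findings = {}
    for e in entries:
        if e["is_dir"]:
            continue
        low = e["path"].lower()
        name = low.rsplit("\\", 1)[-1]
        is_pe = name.endswith(PE_EXT)
        in_sys = any(d in low for d in SYSTEM_DIRS)
        reasons = []
        if is_pe and in_sys and e["size"] < TINY_PE_BYTES:
            reasons.append("tiny PE in system directory")
        if is_pe and re.fullmatch(r"[a-z]:\\[^\\]+", low):
            reasons.append("executable dropped in drive root")
        if any(name.startswith(p) for p in KNOWN_PREFIXES):
            reasons.append("known rootkit name prefix")
        if reasons:
            findings[e["path"]] = reasons
    # Second pass: droppers write their payload and its data files together,
    # so anything created close in time to a flagged file is pulled in too.
    flagged_times = [e["ts"] for e in entries if e["path"] in findings]
    for e in entries:
        if e["is_dir"] or e["path"] in findings:
            continue
        if any(abs(e["ts"] - t) <= cluster_window for t in flagged_times):
            findings[e["path"]] = ["written alongside a flagged file"]
    return findings


def rootrepeal_hidden(text):
    """Paths where RootRepeal says the API view and the on-disk view disagree."""
    hidden = []
    for line in text.splitlines():
        m = ROOTREPEAL_LINE.match(line.strip())
        if not m:
            continue
        status = m["status"].lower()
        if "invisible" in status or "not on disk" in status:
            hidden.append(m["path"])
    return hidden


if __name__ == "__main__":
    for path, reasons in triage(parse_dds(SAMPLE_CREATED)).items():
        print(f"{path}: {', '.join(reasons)}")
    for path in rootrepeal_hidden(SAMPLE_ROOTREPEAL):
        print(f"rootkit indicator (API/disk mismatch): {path}")
```

Run on the sample, the script singles out krl32mainweq.dll (871 bytes in system32), the two executables in C:\, the H8SRT file, and srcr.dat as a companion write, while leaving mbam.sys and the CamStudio directory alone; both RootRepeal lines are reported, since a file the API cannot see and a file the API shows but the disk lacks are two sides of the same hooking behaviour.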



#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:29 PM

Posted 06 January 2010 - 04:39 PM

Hi deathx88,

Welcome to the BC HijackThis forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If the issue is not resolved yet, please update me on the current condition of your computer. Also post a fresh DDS.txt in your reply.

#3 deathx88

deathx88
  • Topic Starter

  • Members
  • 154 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:29 PM

Posted 06 January 2010 - 08:00 PM

Thank you for replying. I'm in desperate need of help and willing to do whatever it takes to fix my computer.

As for the current condition of my computer, I'm still trying to run RootRepeal; like I said, it's very slow and I think this is the 5th day in a row it's been running. Please tell me if I should close this or if I should keep it scanning.
So my computer is the same as it was a few days ago: Windows Explorer won't load when my PC boots, so I'm still in Safe Mode.

I tried to run another DDS report but it froze a quarter of the way through. I checked my processes and there was a program called evp.exe running. I closed that and everything seemed to finish alright.


------------------------------------------------------

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by SYSTEM at 19:00:08.99 on Wed 01/06/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.2202 [GMT -5:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\config\systemprofile\Desktop\RootRepeal.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\config\systemprofile\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1FD79A59-37B1-459B-9097-09F9FAB8A523} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
uRunOnce: [SpybotDeletingB8660] command.com /c del "c:\windows\system32\drivers\H8SRTrtpewenboq.sys"
uRunOnce: [SpybotDeletingD755] cmd.exe /c del "c:\windows\system32\drivers\H8SRTrtpewenboq.sys"
uRunOnce: [SpybotDeletingB6349] command.com /c del "c:\windows\system32\H8SRTacisiccxia.dll"
uRunOnce: [SpybotDeletingD853] cmd.exe /c del "c:\windows\system32\H8SRTacisiccxia.dll"
uRunOnce: [SpybotDeletingB3040] command.com /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
uRunOnce: [SpybotDeletingD7302] cmd.exe /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
uRunOnce: [SpybotDeletingB752] command.com /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
uRunOnce: [SpybotDeletingD6271] cmd.exe /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
uRunOnce: [SpybotDeletingB5894] command.com /c del "c:\windows\system32\drivers\H8SRTrtpewenboq.sys"
uRunOnce: [SpybotDeletingD3864] cmd.exe /c del "c:\windows\system32\drivers\H8SRTrtpewenboq.sys"
uRunOnce: [SpybotDeletingB1848] command.com /c del "c:\windows\system32\H8SRTacisiccxia.dll"
uRunOnce: [SpybotDeletingD3437] cmd.exe /c del "c:\windows\system32\H8SRTacisiccxia.dll"
uRunOnce: [SpybotDeletingB6933] command.com /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
uRunOnce: [SpybotDeletingD4940] cmd.exe /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
uRunOnce: [SpybotDeletingB8865] command.com /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
uRunOnce: [SpybotDeletingD5042] cmd.exe /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_01\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRunOnce: [SpybotDeletingC4796] cmd.exe /c del "c:\windows\system32\H8SRTacisiccxia.dll"
mRunOnce: [SpybotDeletingA3120] command.com /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
mRunOnce: [SpybotDeletingC9262] cmd.exe /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
mRunOnce: [SpybotDeletingA6230] command.com /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
mRunOnce: [SpybotDeletingC2494] cmd.exe /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
mRunOnce: [SpybotDeletingA2623] command.com /c del "c:\windows\system32\drivers\H8SRTrtpewenboq.sys"
mRunOnce: [SpybotDeletingC942] cmd.exe /c del "c:\windows\system32\drivers\H8SRTrtpewenboq.sys"
mRunOnce: [SpybotDeletingA416] command.com /c del "c:\windows\system32\H8SRTacisiccxia.dll"
mRunOnce: [SpybotDeletingC2068] cmd.exe /c del "c:\windows\system32\H8SRTacisiccxia.dll"
mRunOnce: [SpybotDeletingA2031] command.com /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
mRunOnce: [SpybotDeletingC5634] cmd.exe /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
mRunOnce: [SpybotDeletingA1414] command.com /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
mRunOnce: [SpybotDeletingC9278] cmd.exe /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
mRunOnce: [<NO NAME>]
mRunOnce: [GrpConv] grpconv -o
dRunOnce: [SpybotDeletingB8660] command.com /c del "c:\windows\system32\drivers\H8SRTrtpewenboq.sys"
dRunOnce: [SpybotDeletingD755] cmd.exe /c del "c:\windows\system32\drivers\H8SRTrtpewenboq.sys"
dRunOnce: [SpybotDeletingB6349] command.com /c del "c:\windows\system32\H8SRTacisiccxia.dll"
dRunOnce: [SpybotDeletingD853] cmd.exe /c del "c:\windows\system32\H8SRTacisiccxia.dll"
dRunOnce: [SpybotDeletingB3040] command.com /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
dRunOnce: [SpybotDeletingD7302] cmd.exe /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
dRunOnce: [SpybotDeletingB752] command.com /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
dRunOnce: [SpybotDeletingD6271] cmd.exe /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
dRunOnce: [SpybotDeletingB5894] command.com /c del "c:\windows\system32\drivers\H8SRTrtpewenboq.sys"
dRunOnce: [SpybotDeletingD3864] cmd.exe /c del "c:\windows\system32\drivers\H8SRTrtpewenboq.sys"
dRunOnce: [SpybotDeletingB1848] command.com /c del "c:\windows\system32\H8SRTacisiccxia.dll"
dRunOnce: [SpybotDeletingD3437] cmd.exe /c del "c:\windows\system32\H8SRTacisiccxia.dll"
dRunOnce: [SpybotDeletingB6933] command.com /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
dRunOnce: [SpybotDeletingD4940] cmd.exe /c del "c:\windows\system32\H8SRTrvytkettxp.dll"
dRunOnce: [SpybotDeletingB8865] command.com /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
dRunOnce: [SpybotDeletingD5042] cmd.exe /c del "c:\windows\system32\H8SRTiphqmmcbed.dat"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {26E7F314-9CD5-4DA7-857F-9AA1CE852F01} = 65.32.5.111,65.32.5.112
AppInit_DLLs: c:\windows\system32\kbdsock.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-30 207792]
R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\drivers\SCMNdisP.sys [2009-8-14 21728]
R3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v2.sys [2009-8-14 206336]
S3 DBKDRVR54;DBKDRVR54;c:\program files\cheat engine\dbk32.sys [2009-9-23 36096]

=============== Created Last 30 ================

2010-01-01 06:17:36 145440 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2010-01-01 00:56:11 22016 ----a-w- C:\bktdl.exe
2010-01-01 00:56:09 22016 ----a-w- C:\ryxy.exe
2009-12-31 17:23:13 0 d-----w- C:\Zombie Shooter 2
2009-12-30 23:47:06 793 ----a-w- c:\windows\wininit.ini
2009-12-30 22:40:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 22:40:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-30 22:40:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-30 20:09:39 98600 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2009-12-30 20:09:39 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-12-30 20:09:39 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-30 20:09:35 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-30 20:09:35 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-12-30 20:09:35 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-12-30 20:09:35 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-30 20:09:29 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-12-30 20:09:29 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-30 20:09:21 0 d-----w- c:\programdata\PC Tools
2009-12-30 20:09:21 0 d-----w- c:\program files\Spyware Doctor
2009-12-30 20:09:21 0 d-----w- c:\program files\common files\PC Tools
2009-12-30 19:31:03 0 d-----w- c:\programdata\IObit
2009-12-30 19:30:58 0 d-----w- c:\program files\IObit
2009-12-30 19:28:46 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-12-30 19:28:46 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2009-12-30 00:56:40 0 d-----w- c:\program files\Romcenter
2009-12-30 00:48:12 871 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-30 00:47:11 202 ----a-w- c:\windows\system32\srcr.dat
2009-12-17 01:22:26 43744 ----a-w- C:\bootsect.zip
2009-12-17 01:22:26 112640 ----a-w- C:\bootsect.exe
2009-12-14 20:19:55 43896819 ----a-w- C:\harmony.zip
2009-12-12 07:09:58 0 d-----w- c:\program files\CamStudio

==================== Find3M ====================

2010-01-01 00:56:16 773120 ----a-w- c:\windows\system32\drivers\agp440.sys
2009-12-31 15:11:58 32974 ----a-w- c:\programdata\nvModes.dat
2009-12-26 07:41:59 1447256 ----a-w- C:\genesisplus_20090924.zip
2009-12-26 07:39:05 131586 ----a-w- C:\gb64_xboxrename_fixed_gbv3.zip
2009-12-08 01:53:21 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-03 04:26:51 626083 ----a-w- C:\SorR_crashes.zip
2009-11-15 16:53:52 165378 ----a-w- c:\windows\Video Cleaner Pro Uninstaller.exe
2009-10-13 23:26:49 3742538 ----a-w- C:\q4hardqore_142patch_manualinstall.zip
2009-09-11 03:07:26 51200 ----a-w- c:\windows\inf\infpub.dat
2009-09-11 03:07:26 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-09-11 03:07:25 86016 ----a-w- c:\windows\inf\infstor.dat
2009-08-27 22:31:53 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-08-26 04:36:27 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 19:50:35.17 ===============

Edited by deathx88, 06 January 2010 - 10:55 PM.


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:29 PM

Posted 07 January 2010 - 03:04 AM

Please stop RootRepeal from running right now and concentrate on the steps given below.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files, as the name suggests. In today's world cybercrime has grown to an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so it is suggested that they be used with great care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • I'm not surprised you are infected as I don't see any antivirus protection on the computer. We are going to install one when the system is stable.

    Important: In step 2, we would have preferred to run ComboFix in normal mode. You may run it in Safe Mode with Networking. But when ComboFix reboots the system, make sure you don't prevent it, and let it run in normal mode. I expect the computer to run in normal mode, but in case you have waited long enough to be sure it will not boot normally, you may again boot to Safe Mode with Networking.

  • Spybot S&D has tried to remove the infection but it has created a mess we have to clean up before starting to disinfect the system. Please go to Add/Remove Programs and uninstall it. When we are done and you are clean, you may install it again if you want.

  • We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
    • Go to Start > Control Panel > Windows Defender.
    • Open Windows Defender.
    • Click on Tools, Options.
    • At the bottom of Windows Defender's page, under Administrator Options, uncheck "Use Windows Defender" and then Save.
    • Click Close.
    Note: When everything is done and your log is clean again, you can enable it again.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#5 deathx88

deathx88
  • Topic Starter

  • Members
  • 154 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:29 PM

Posted 07 January 2010 - 06:20 AM

I ran ComboFix, had to rename it first, and after it rebooted several times it deleted some files. Then it actually booted Windows normally, but I couldn't get the internet to work; I tried opening Firefox and Internet Explorer but it said that I can't use files that the registry key is being deleted. So right now I'm back in safe mode again to use the internet.

Also, in step 2 Windows Defender wasn't in Control Panel, and when I tried opening it from the Start menu an error, "failed to initialize properly (0x80000003)", popped up. I was having problems with it right before my computer seriously screwed up, and when I clicked on Defender in Security Center I got a blue screen. I disabled it from starting up in CCleaner before all this happened, so hopefully there's nothing to worry about.

here's my log


ComboFix 10-01-04.01 - SYSTEM 01/07/2010 5:28.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.2602 [GMT -5:00]
Running from: c:\windows\system32\config\systemprofile\Desktop\ComboFix1.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-106703752-1790758987-2821308049-500
C:\bktdl.exe
c:\program files\Cheat Engine\dbk32.sys
C:\ryxy.exe
c:\windows\system32\drivers\agp440.sys
c:\windows\system32\drivers\H8SRTrtpewenboq.sys
c:\windows\system32\H8SRTacisiccxia.dll
c:\windows\system32\H8SRTiphqmmcbed.dat
c:\windows\system32\H8SRTixvvposqob.dll
c:\windows\system32\H8SRTrvytkettxp.dll
c:\windows\system32\kbdsock.dll
c:\windows\system32\srcr.dat
T:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_H8SRTd.sys
-------\Service_H8SRTd.sys
-------\Legacy_DBKDRVR54
-------\Service_DBKDRVR54


((((((((((((((((((((((((( Files Created from 2009-12-07 to 2010-01-07 )))))))))))))))))))))))))))))))
.

2010-01-07 10:39 . 2010-01-07 10:43 -------- d-----w- c:\users\Deathx\AppData\Local\temp
2010-01-07 10:39 . 2010-01-07 10:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-07 10:26 . 2010-01-07 10:27 -------- d-----w- C:\32788R22FWJFW
2010-01-01 06:17 . 2008-06-06 19:13 145440 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2009-12-31 17:23 . 2010-01-01 00:44 -------- d-----w- C:\Zombie Shooter 2
2009-12-30 22:40 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 22:40 . 2010-01-01 20:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-30 22:40 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-30 20:09 . 2009-10-30 16:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-30 20:09 . 2009-10-30 16:09 98600 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2009-12-30 20:09 . 2009-11-09 16:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-30 20:09 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-30 20:09 . 2009-09-03 14:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-30 20:09 . 2010-01-07 10:42 -------- d-----w- c:\program files\Spyware Doctor
2009-12-30 20:09 . 2009-12-30 20:10 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-30 20:09 . 2009-12-30 20:09 -------- d-----w- c:\users\Deathx\AppData\Roaming\PC Tools
2009-12-30 20:09 . 2009-12-30 20:09 -------- d-----w- c:\programdata\PC Tools
2009-12-30 19:31 . 2009-12-30 19:31 -------- d-----w- c:\programdata\IObit
2009-12-30 19:30 . 2009-12-30 19:30 -------- d-----w- c:\program files\IObit
2009-12-30 19:28 . 2005-08-26 00:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-12-30 19:06 . 2009-12-30 19:06 -------- d-----w- c:\users\Deathx\AppData\Local\Threat Expert
2009-12-30 18:55 . 2009-12-30 18:59 -------- d-----w- c:\users\Deathx\AppData\Roaming\QuickScan
2009-12-30 00:56 . 2009-12-30 00:56 -------- d-----w- c:\users\Deathx\AppData\Roaming\romcenter
2009-12-30 00:56 . 2009-12-30 00:56 -------- d-----w- c:\program files\Romcenter
2009-12-30 00:48 . 2010-01-01 20:44 871 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-17 01:22 . 2009-10-09 21:35 43744 ----a-w- C:\bootsect.zip
2009-12-17 01:22 . 2009-09-18 03:35 112640 ----a-w- C:\bootsect.exe
2009-12-14 20:19 . 2009-12-14 20:29 43896819 ----a-w- C:\harmony.zip
2009-12-12 07:57 . 2009-12-12 07:57 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-12 07:09 . 2009-12-12 07:34 -------- d-----w- c:\program files\CamStudio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-07 10:42 . 2009-08-15 00:48 32974 ----a-w- c:\programdata\nvModes.dat
2010-01-07 10:41 . 2008-08-26 03:54 -------- d-----w- c:\programdata\NVIDIA
2010-01-07 10:39 . 2009-09-23 06:47 -------- d-----w- c:\program files\Cheat Engine
2010-01-07 09:34 . 2009-08-16 11:32 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-01 00:56 . 2009-08-15 11:57 -------- d-----w- c:\users\Deathx\AppData\Roaming\uTorrent
2009-12-31 22:29 . 2009-08-15 02:55 -------- d-----w- c:\users\Deathx\AppData\Roaming\vlc
2009-12-27 02:14 . 2009-12-03 04:03 -------- d-----w- c:\users\Deathx\AppData\Roaming\mIRC
2009-12-26 17:50 . 2009-12-03 04:03 -------- d-----w- c:\program files\mIRC
2009-12-26 07:41 . 2009-09-24 12:19 1447256 ----a-w- C:\genesisplus_20090924.zip
2009-12-26 07:39 . 2006-09-22 05:00 131586 ----a-w- C:\gb64_xboxrename_fixed_gbv3.zip
2009-12-18 08:48 . 2009-09-17 05:50 -------- d-----w- c:\users\Deathx\AppData\Roaming\LimeWire
2009-12-08 01:53 . 2009-12-03 02:23 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-03 04:26 . 2009-12-03 04:26 626083 ----a-w- C:\SorR_crashes.zip
2009-12-03 02:21 . 2009-08-16 05:08 -------- d-----w- c:\program files\FlashFXP
2009-12-03 02:18 . 2009-08-16 13:44 -------- d-----w- c:\program files\Guitar Pro 5
2009-11-28 22:26 . 2009-08-30 07:09 -------- d-----w- c:\users\Deathx\AppData\Roaming\dvdcss
2009-11-16 04:17 . 2009-11-15 16:53 -------- d-----w- c:\programdata\River Past G5
2009-11-15 16:53 . 2009-11-15 16:53 -------- d-----w- c:\program files\WMV9_VCM
2009-11-15 16:53 . 2009-11-15 16:53 165378 ----a-w- c:\windows\Video Cleaner Pro Uninstaller.exe
2009-11-15 16:53 . 2009-11-15 16:53 -------- d-----w- c:\users\Deathx\AppData\Roaming\River Past G5
2009-11-15 16:53 . 2009-11-15 16:53 -------- d-----w- c:\program files\River Past
2009-11-15 16:53 . 2009-11-15 16:53 -------- d-----w- c:\program files\Common Files\River Past
2009-11-15 16:40 . 2009-11-15 00:16 -------- d-----w- c:\program files\AllToAVI
2009-10-27 03:36 . 2009-08-15 02:47 75928 ----a-w- c:\users\Deathx\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-14 11:34 . 2009-10-14 11:34 118 ----a-w- c:\users\Deathx\AppData\Roaming\wklnhst.dat
2009-10-13 23:26 . 2009-10-13 23:26 3742538 ----a-w- C:\q4hardqore_142patch_manualinstall.zip
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-08-26 04:36 . 2008-08-26 04:36 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-04-07 132760]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-16 198160]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingD755"="del" [X]
"SpybotDeletingD853"="del" [X]
"SpybotDeletingD7302"="del" [X]
"SpybotDeletingD6271"="del" [X]
"SpybotDeletingD3864"="del" [X]
"SpybotDeletingD3437"="del" [X]
"SpybotDeletingD4940"="del" [X]
"SpybotDeletingD5042"="del" [X]
"SpybotDeletingB8660"="command.com" [2006-11-02 50648]
"SpybotDeletingB6349"="command.com" [2006-11-02 50648]
"SpybotDeletingB3040"="command.com" [2006-11-02 50648]
"SpybotDeletingB752"="command.com" [2006-11-02 50648]
"SpybotDeletingB5894"="command.com" [2006-11-02 50648]
"SpybotDeletingB1848"="command.com" [2006-11-02 50648]
"SpybotDeletingB6933"="command.com" [2006-11-02 50648]
"SpybotDeletingB8865"="command.com" [2006-11-02 50648]

c:\users\Deathx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2009-8-15 19968]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2009-8-14 1261568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2008-06-02 22:14 75008 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPADVISOR]
2008-07-03 19:44 972080 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
2009-11-18 17:47 1243088 ----a-w- c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(:(:d7,23,54,02,67,27,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-106703752-1790758987-2821308049-1000]
"EnableNotificationsRef"=dword:00000002

R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [12/30/2009 3:09 PM 207792]
R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\System32\drivers\SCMNdisP.sys [8/14/2009 9:56 PM 21728]
R2 SCM_Service;SCM_Service;c:\windows\System32\WinService.exe [8/14/2009 9:56 PM 180224]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/30/2009 3:09 PM 359624]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [7/14/2009 2:28 PM 239648]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\System32\drivers\wg111v2.sys [8/14/2009 9:56 PM 206336]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\T]
\shell\AutoRun\command - T:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ae6dc33-b203-11de-bf61-806e6f6e6963}]
\shell\AutoRun\command - T:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f256ae5-a3c9-11de-bbb4-00219724222f}]
\shell\AutoRun\command - P:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f256ae7-a3c9-11de-bbb4-00219724222f}]
\shell\AutoRun\command - Q:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f256ae9-a3c9-11de-bbb4-00219724222f}]
\shell\AutoRun\command - R:\Zombie_Shooter2_Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7927f032-89f3-11de-8d70-00219724222f}]
\shell\AutoRun\command - n:\setup\rsrc\Autorun.exe
\shell\dinstall\command - n:\directx\dxsetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-08-14 c:\windows\Tasks\HPCeeScheduleForAdministrator.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-08-26 03:03]

2010-01-07 c:\windows\Tasks\User_Feed_Synchronization-{24138D86-F21F-439C-A61C-F237E6674B53}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.short-funny-jokes.com
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
TCP: {26E7F314-9CD5-4DA7-857F-9AA1CE852F01} = 65.32.5.111,65.32.5.112
FF - ProfilePath - c:\users\Deathx\AppData\Roaming\Mozilla\Firefox\Profiles\ycvuqqz4.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\users\Deathx\AppData\Roaming\Mozilla\Firefox\Profiles\ycvuqqz4.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AlcoholAutomount - c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-07 05:44
Windows 6.0.6002 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll >>UNKNOWN [0x851201F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8a095d24
\Driver\ACPI -> acpi.sys @ 0x82378d68
\Driver\atapi -> 0x851201f8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\mierpxxifwtpipb]
"imagepath"="\??\c:\windows\TEMP\80AE.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3596)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\program files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
c:\hp\kbd\kbd.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Java\jre1.6.0_01\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-01-07 05:54:53 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-07 10:54

Pre-Run: 34,052,943,872 bytes free
Post-Run: 33,038,757,888 bytes free

- - End Of File - - 916A34EF17557809EF1B9B3D850D3AC4

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:29 PM

Posted 07 January 2010 - 06:57 AM

You may make the CFScript.txt in Safe Mode. But this time run ComboFix in normal mode, again let it reboot in normal mode, and tell me about the internet connection too.

We might need a clean atapi.sys file to replace the current file. Tell me if you have access to another Vista installed computer. I will tell you how and from which directory to copy it.
  • Please uninstall DAEMON Tools and Alcohol 120 as they are interfering with our fixes. If you have a serious problem with that, tell me before proceeding to the next step.

  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    Driver::
    mierpxxifwtpipb
    Rootkit::
    c:\windows\TEMP\80AE.tmp
    c:\windows\system32\krl32mainweq.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\system\ControlSet002\Services\mierpxxifwtpipb]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "SpybotDeletingD755"=-
    "SpybotDeletingD853"=-
    "SpybotDeletingD7302"=-
    "SpybotDeletingD6271"=-
    "SpybotDeletingD3864"=-
    "SpybotDeletingD3437"=-
    "SpybotDeletingD4940"=-
    "SpybotDeletingD5042"=-
    "SpybotDeletingB8660"=-
    "SpybotDeletingB6349"=-
    "SpybotDeletingB3040"=-
    "SpybotDeletingB752"=-
    "SpybotDeletingB5894"=-
    "SpybotDeletingB1848"=-
    "SpybotDeletingB6933"=-
    "SpybotDeletingB8865"=-
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\T]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ae6dc33-b203-11de-bf61-806e6f6e6963}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f256ae5-a3c9-11de-bbb4-00219724222f}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7927f032-89f3-11de-8d70-00219724222f}]

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

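As an added example (not part of Farbar's post and not ComboFix's own code), the following Python script scans a ComboFix log for the kinds of indicators the CFScript above acts on: a service whose image path points into the Windows TEMP directory, leftover Spybot RunOnce entries, AutoRun commands registered under MountPoints2, and an unusually small DLL in system32. The embedded log excerpt is constructed from lines quoted earlier in this thread; the 4096-byte DLL threshold is an assumed heuristic, not a ComboFix rule.

```python
"""Audit a ComboFix log for the indicators discussed in this thread.

Added example: not part of the forum post and not ComboFix's own code.
"""
import re

# Constructed excerpt of a ComboFix log, assembled from lines quoted in this thread.
SAMPLE_LOG = r"""
2009-12-30 00:48 . 2010-01-01 20:44 871 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-30 22:40 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingD755"="del" [X]
"SpybotDeletingB8660"="command.com" [2006-11-02 50648]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\T]
\shell\AutoRun\command - T:\Info.exe folder.htt 480 480

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\mierpxxifwtpipb]
"imagepath"="\??\c:\windows\TEMP\80AE.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\Key]
VALUE_RE = re.compile(                                    # "name"="value" [extra]
    r'^"([^"]+)"=\s*"?([^"]*?)"?(?:\s+\[[^\]]*\])?\s*$')
FILE_RE = re.compile(                                     # created . modified size attrs path
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\S+) (\S+) (.+)$")

SMALL_DLL_BYTES = 4096  # assumed heuristic: genuine system DLLs are far larger than this


def parse_log(text):
    """Return (file entries as (path, size), registry key -> list of value lines)."""
    files, keys, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = []
            continue
        m = FILE_RE.match(line)
        if m:
            size = int(m.group(1)) if m.group(1).isdigit() else None  # "--------" = directory
            files.append((m.group(3), size))
            continue
        if current is not None:
            keys[current].append(line)
    return files, keys


def temp_services(keys):
    """Services whose ImagePath lives under a TEMP directory (matched case-insensitively)."""
    found = []
    for key, lines in keys.items():
        m = re.search(r"\\Services\\([^\\]+)$", key, re.IGNORECASE)
        if not m:
            continue
        for line in lines:
            v = VALUE_RE.match(line)
            if v and v.group(1).lower() == "imagepath" and "\\temp\\" in v.group(2).lower():
                found.append((m.group(1), v.group(2)))
    return found


def runonce_debris(keys):
    """Names of leftover Spybot 'SpybotDeleting*' values under any RunOnce key."""
    return [VALUE_RE.match(line).group(1)
            for key, lines in keys.items() if key.lower().endswith("\\runonce")
            for line in lines
            if VALUE_RE.match(line) and VALUE_RE.match(line).group(1).startswith("SpybotDeleting")]


def autorun_mountpoints(keys):
    """(drive or volume id, command) for every AutoRun command stored under MountPoints2."""
    found = []
    for key, lines in keys.items():
        if "mountpoints2" not in key.lower():
            continue
        for line in lines:
            if line.lower().startswith("\\shell\\autorun\\command - "):
                found.append((key.rsplit("\\", 1)[1], line.split(" - ", 1)[1]))
    return found


def small_system32_files(files, limit=SMALL_DLL_BYTES):
    """DLLs directly or indirectly under system32 that are smaller than `limit` bytes."""
    return [(path, size) for path, size in files
            if size is not None and size < limit
            and "\\system32\\" in path.lower() and path.lower().endswith(".dll")]


def audit_combofix_log(text):
    """Run all checks over one log and return the findings by category."""
    files, keys = parse_log(text)
    return {
        "temp_services": temp_services(keys),
        "runonce_debris": runonce_debris(keys),
        "autorun_mountpoints": autorun_mountpoints(keys),
        "small_system32_files": small_system32_files(files),
    }


if __name__ == "__main__":
    for category, hits in audit_combofix_log(SAMPLE_LOG).items():
        print(category, hits)
```

Each finding here maps to a line in Farbar's CFScript (the Driver::/Rootkit:: targets, the RunOnce values and the MountPoints2 keys), which is what a reviewer would cross-check before running such a script on a real machine.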

#7 deathx88

deathx88
  • Topic Starter

  • Members
  • 154 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:29 PM

Posted 07 January 2010 - 03:21 PM

I uninstalled DAEMON Tools, but I already uninstalled Alcohol right after my PC screwed up. I just deleted whatever was left in Program Files, so that program should have already been gone.

I booted up in normal mode and I noticed the internet and everything worked. I ran ComboFix and it told me again that it had to disable the CD emulation; I don't know if it should say this or not since I uninstalled DAEMON and Alcohol.
It rebooted and scanned again and rebooted again. When I got back to my desktop nothing worked again; I noticed even text files and other applications give me that error "illegal operation on registry file marked for deletion", which I'm pretty sure it was doing before too.

And yes, I do have another Vista computer and a flash drive to get the atapi.sys file if I have to.


EDIT: I just restarted my computer again in normal mode and I'm on the internet now. Running ComboFix must have done something to make everything not load up, I'm guessing, but rebooting again after it made the log file seemed to get things working as of right now.
I'm still not sure if everything is fixed though.



ComboFix 10-01-04.01 - Deathx 01/07/2010 14:41:03.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.2260 [GMT -5:00]
Running from: c:\users\Deathx\Desktop\ComboFix1.exe
Command switches used :: c:\users\Deathx\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-12-07 to 2010-01-07 )))))))))))))))))))))))))))))))
.

2010-01-07 19:49 . 2010-01-07 19:51 -------- d-----w- c:\users\Deathx\AppData\Local\temp
2010-01-07 19:49 . 2010-01-07 19:49 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-07 19:49 . 2010-01-07 19:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-01 06:17 . 2008-06-06 19:13 145440 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2009-12-31 17:23 . 2010-01-01 00:44 -------- d-----w- C:\Zombie Shooter 2
2009-12-30 22:40 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 22:40 . 2010-01-01 20:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-30 22:40 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-30 20:09 . 2009-10-30 16:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-30 20:09 . 2009-10-30 16:09 98600 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2009-12-30 20:09 . 2009-11-09 16:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-30 20:09 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-30 20:09 . 2009-09-03 14:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-30 20:09 . 2010-01-07 19:50 -------- d-----w- c:\program files\Spyware Doctor
2009-12-30 20:09 . 2009-12-30 20:10 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-30 20:09 . 2009-12-30 20:09 -------- d-----w- c:\users\Deathx\AppData\Roaming\PC Tools
2009-12-30 20:09 . 2009-12-30 20:09 -------- d-----w- c:\programdata\PC Tools
2009-12-30 19:31 . 2009-12-30 19:31 -------- d-----w- c:\programdata\IObit
2009-12-30 19:30 . 2009-12-30 19:30 -------- d-----w- c:\program files\IObit
2009-12-30 19:28 . 2005-08-26 00:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-12-30 19:06 . 2009-12-30 19:06 -------- d-----w- c:\users\Deathx\AppData\Local\Threat Expert
2009-12-30 18:55 . 2009-12-30 18:59 -------- d-----w- c:\users\Deathx\AppData\Roaming\QuickScan
2009-12-30 00:56 . 2009-12-30 00:56 -------- d-----w- c:\users\Deathx\AppData\Roaming\romcenter
2009-12-30 00:56 . 2009-12-30 00:56 -------- d-----w- c:\program files\Romcenter
2009-12-30 00:48 . 2010-01-01 20:44 871 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-17 01:22 . 2009-10-09 21:35 43744 ----a-w- C:\bootsect.zip
2009-12-17 01:22 . 2009-09-18 03:35 112640 ----a-w- C:\bootsect.exe
2009-12-14 20:19 . 2009-12-14 20:29 43896819 ----a-w- C:\harmony.zip
2009-12-12 07:57 . 2009-12-12 07:57 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-12 07:09 . 2009-12-12 07:34 -------- d-----w- c:\program files\CamStudio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-07 19:51 . 2009-08-15 00:48 32974 ----a-w- c:\programdata\nvModes.dat
2010-01-07 19:50 . 2008-08-26 03:54 -------- d-----w- c:\programdata\NVIDIA
2010-01-07 10:39 . 2009-09-23 06:47 -------- d-----w- c:\program files\Cheat Engine
2010-01-07 09:34 . 2009-08-16 11:32 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-01 00:56 . 2009-08-15 11:57 -------- d-----w- c:\users\Deathx\AppData\Roaming\uTorrent
2009-12-31 22:29 . 2009-08-15 02:55 -------- d-----w- c:\users\Deathx\AppData\Roaming\vlc
2009-12-27 02:14 . 2009-12-03 04:03 -------- d-----w- c:\users\Deathx\AppData\Roaming\mIRC
2009-12-26 17:50 . 2009-12-03 04:03 -------- d-----w- c:\program files\mIRC
2009-12-26 07:41 . 2009-09-24 12:19 1447256 ----a-w- C:\genesisplus_20090924.zip
2009-12-26 07:39 . 2006-09-22 05:00 131586 ----a-w- C:\gb64_xboxrename_fixed_gbv3.zip
2009-12-18 08:48 . 2009-09-17 05:50 -------- d-----w- c:\users\Deathx\AppData\Roaming\LimeWire
2009-12-08 01:53 . 2009-12-03 02:23 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-03 04:26 . 2009-12-03 04:26 626083 ----a-w- C:\SorR_crashes.zip
2009-12-03 02:21 . 2009-08-16 05:08 -------- d-----w- c:\program files\FlashFXP
2009-12-03 02:18 . 2009-08-16 13:44 -------- d-----w- c:\program files\Guitar Pro 5
2009-11-28 22:26 . 2009-08-30 07:09 -------- d-----w- c:\users\Deathx\AppData\Roaming\dvdcss
2009-11-16 04:17 . 2009-11-15 16:53 -------- d-----w- c:\programdata\River Past G5
2009-11-15 16:53 . 2009-11-15 16:53 -------- d-----w- c:\program files\WMV9_VCM
2009-11-15 16:53 . 2009-11-15 16:53 165378 ----a-w- c:\windows\Video Cleaner Pro Uninstaller.exe
2009-11-15 16:53 . 2009-11-15 16:53 -------- d-----w- c:\users\Deathx\AppData\Roaming\River Past G5
2009-11-15 16:53 . 2009-11-15 16:53 -------- d-----w- c:\program files\River Past
2009-11-15 16:53 . 2009-11-15 16:53 -------- d-----w- c:\program files\Common Files\River Past
2009-11-15 16:40 . 2009-11-15 00:16 -------- d-----w- c:\program files\AllToAVI
2009-10-27 03:36 . 2009-08-15 02:47 75928 ----a-w- c:\users\Deathx\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-14 11:34 . 2009-10-14 11:34 118 ----a-w- c:\users\Deathx\AppData\Roaming\wklnhst.dat
2009-10-13 23:26 . 2009-10-13 23:26 3742538 ----a-w- C:\q4hardqore_142patch_manualinstall.zip
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-08-26 04:36 . 2008-08-26 04:36 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-04-07 132760]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-16 198160]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]

c:\users\Deathx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2009-8-15 19968]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2009-8-14 1261568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2008-06-02 22:14 75008 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPADVISOR]
2008-07-03 19:44 972080 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
2009-11-18 17:47 1243088 ----a-w- c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(:(:d7,23,54,02,67,27,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-106703752-1790758987-2821308049-1000]
"EnableNotificationsRef"=dword:00000002

R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [12/30/2009 3:09 PM 207792]
R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\System32\drivers\SCMNdisP.sys [8/14/2009 9:56 PM 21728]
R2 SCM_Service;SCM_Service;c:\windows\System32\WinService.exe [8/14/2009 9:56 PM 180224]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/30/2009 3:09 PM 359624]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [7/14/2009 2:28 PM 239648]
R3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\System32\drivers\wg111v2.sys [8/14/2009 9:56 PM 206336]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-08-14 c:\windows\Tasks\HPCeeScheduleForAdministrator.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-08-26 03:03]

2010-01-07 c:\windows\Tasks\User_Feed_Synchronization-{24138D86-F21F-439C-A61C-F237E6674B53}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.short-funny-jokes.com
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
TCP: {26E7F314-9CD5-4DA7-857F-9AA1CE852F01} = 65.32.5.111,65.32.5.112
FF - ProfilePath - c:\users\Deathx\AppData\Roaming\Mozilla\Firefox\Profiles\ycvuqqz4.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\users\Deathx\AppData\Roaming\Mozilla\Firefox\Profiles\ycvuqqz4.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-DAEMON Tools Lite - c:\program files\DAEMON Tools Lite\daemon.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-07 14:53
Windows 6.0.6002 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll >>UNKNOWN [0x851201F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8a098d24
\Driver\ACPI -> acpi.sys @ 0x82371d68
\Driver\atapi -> 0x851201f8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2632)
c:\program files\Spyware Doctor\pctgmhk.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\hp\kbd\kbd.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Java\jre1.6.0_01\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-01-07 15:01:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-07 20:01
ComboFix2.txt 2010-01-07 10:54

Pre-Run: 33,224,880,128 bytes free
Post-Run: 33,182,035,968 bytes free

- - End Of File - - 14EEE0A5EC02334D567EA096BDBAB088

Edited by deathx88, 07 January 2010 - 03:42 PM.


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 January 2010 - 03:36 PM

Let's first reboot and see how the computer is doing.

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 January 2010 - 07:29 PM

We are going to replace atapi.sys now. After reboot please do the following on both computers:

To bring up the Run box you can press Windows key+R

Copy/paste the following line in the run box and click OK.

cmd /c dir /a /s /oe c:\atapi.sys* > log.txt&start log.txt

A text file (log.txt) will open. Please post its content to your reply.

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 January 2010 - 07:57 PM

Please post a new reply instead of editing the post. I get notified when you post a reply, but don't get notified when you edit the post. I accidentally read the post; otherwise I would have been assuming that you had not replied.

We are not done yet. I see also Spyware Doctor was running while Combofix ran. Is this the antivirus version with antispyware or just the antispyware version?

We need to replace atapi.sys as it is causing trouble when we attempt to remove the bad dll file. Please do the step mentioned in my previous post and post both the logs.

#11 deathx88

deathx88
  • Topic Starter

  • Members
  • 154 posts
  • Gender:Male

Posted 07 January 2010 - 10:53 PM

Sorry about the edit, I actually didn't even know you posted before I edited my post.

I didn't know Spyware Doctor was running, I thought I had it set up to not load when I boot. I'm probably just going to uninstall that program since I don't really need it. I think it's both antivirus and spyware because it's the full version.


I tried to do what you said on the other computer I have, but it said access was denied. Should I run this in administrator mode or what?

Here's the log from my computer for right now, I won't be able to get back on the other computer again until tomorrow.


Volume in drive C is HP
Volume Serial Number is D866-D75F

Directory of c:\WINDOWS\ERDNT\cache

04/11/2009 01:32 AM 19,944 atapi.sys
1 File(s) 19,944 bytes

Directory of c:\WINDOWS\System32\drivers

04/11/2009 01:32 AM 19,944 atapi.sys
1 File(s) 19,944 bytes

Directory of c:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84

04/11/2009 01:32 AM 19,944 atapi.sys
1 File(s) 19,944 bytes

Directory of c:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699

11/02/2006 04:49 AM 19,048 atapi.sys
1 File(s) 19,048 bytes

Directory of c:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_cc18792d

01/20/2008 09:23 PM 21,560 atapi.sys
1 File(s) 21,560 bytes

Directory of c:\WINDOWS\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c

01/20/2008 09:23 PM 21,560 atapi.sys
1 File(s) 21,560 bytes

Directory of c:\WINDOWS\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8

04/11/2009 01:32 AM 19,944 atapi.sys
1 File(s) 19,944 bytes

Total Files Listed:
7 File(s) 141,944 bytes
0 Dir(s) 33,229,340,672 bytes free

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands

Posted 08 January 2010 - 08:52 AM

No worries about the delay and thanks for letting me know.

On the other computer, please do the following:

Run Command Prompt as administrator:
  • Click on Start button.
  • Type Cmd in the Start Search text box.
  • Press Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator.
  • Copy and paste the following in the command prompt and press Enter.

    dir /a /s /oe c:\atapi.sys* > log.txt&start log.txt

  • Wait until a text file opens and post the content to your reply.


#13 deathx88

deathx88
  • Topic Starter

  • Members
  • 154 posts
  • Gender:Male

Posted 08 January 2010 - 01:41 PM

Alright, here's the log on the other computer.



Volume in drive C is COMPAQ
Volume Serial Number is 86C8-AEE5

Directory of c:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8

04/11/2009 01:32 AM 19,944 atapi.sys
1 File(s) 19,944 bytes

Directory of c:\Windows\System32\drivers

01/19/2008 02:41 AM 21,560 atapi.sys
1 File(s) 21,560 bytes

Directory of c:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21

08/03/2008 01:32 PM 21,560 atapi.sys
1 File(s) 21,560 bytes

Directory of c:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699

11/02/2006 04:49 AM 19,048 atapi.sys
1 File(s) 19,048 bytes

Directory of c:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d

01/19/2008 02:41 AM 21,560 atapi.sys
1 File(s) 21,560 bytes

Directory of c:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c

08/03/2008 01:32 PM 21,560 atapi.sys
1 File(s) 21,560 bytes

Directory of c:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b

08/03/2008 01:32 PM 21,560 atapi.sys
1 File(s) 21,560 bytes

Directory of c:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c

01/19/2008 02:41 AM 21,560 atapi.sys
1 File(s) 21,560 bytes

Total Files Listed:
8 File(s) 168,352 bytes
0 Dir(s) 14,812,209,152 bytes free

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands

Posted 08 January 2010 - 01:49 PM

What we need is a copy of this file:

c:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys

You may copy it to your flash drive and put it on the root of the C drive of the problem computer.

Then on the problem computer bring up the Run box and copy/paste:

cmd /c dir /a c:\atapi.sys >log.txt&start log.txt

Or bring up the Command prompt as before and copy and paste:

dir /a c:\atapi.sys >log.txt&start log.txt

Please post the log that opens to your reply.

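The `dir` listings requested above compare the live atapi.sys in System32\drivers against the staged copies in winsxs and DriverStore by size and date only; two files of the same size and date can still differ in content. The PowerShell script below is an added example of mine, not Farbar's or BleepingComputer's, and the thread never ran it. It makes the same inventory but compares the copies by SHA-256 and shows the Authenticode status of each; the driver name, the drive and the Windows folder are parameters I chose, defaulting to the environment variables. It needs an elevated prompt and PowerShell 2.0 or later. One caveat that follows from the MBR scan posted above, which reports hooks on \Driver\atapi and \Driver\Disk: a kernel-mode rootkit that hooks the disk stack can return a clean image of a file it has patched, so a clean result obtained on the infected system itself proves little; run the check from a clean boot or against the offline volume.

```powershell
# Added example (not from the thread): inventory every copy of a driver on the
# system drive, hash each copy, and report whether the live driver under
# System32\drivers is byte-identical to a staged copy in winsxs or DriverStore.
# Parameter names and defaults are my own choices.
param(
    [string]$DriverName  = 'atapi.sys',
    [string]$SystemDrive = $env:SystemDrive,
    [string]$SystemRoot  = $env:SystemRoot
)

function Get-FileSha256 {
    param([string]$Path)
    # .NET hashing so the script does not depend on Get-FileHash (PowerShell 4+).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
        $sha.Clear()
    }
}

$live = Join-Path $SystemRoot "System32\drivers\$DriverName"

# -Force includes hidden and system files; unreadable folders are skipped.
$copies = Get-ChildItem -Path "$SystemDrive\" -Filter $DriverName -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        New-Object PSObject -Property @{
            Path      = $_.FullName
            Size      = $_.Length
            Modified  = $_.LastWriteTime
            Version   = $_.VersionInfo.FileVersion
            SHA256    = Get-FileSha256 -Path $_.FullName
            Signature = $sig.Status
        }
    }

$copies | Sort-Object Size, Modified |
    Format-Table Size, Modified, Version, Signature, SHA256, Path -AutoSize | Out-Host

# Staged copies live in the servicing stores. On Windows 8 and later
# Get-AuthenticodeSignature also validates catalog signatures; on older systems
# in-box drivers report NotSigned because they are catalog-signed, so the hash
# comparison below is the primary signal and the Signature column is advisory.
$references = $copies | Where-Object {
    $_.Path -ne $live -and
    ($_.Path -like "*\winsxs\*" -or $_.Path -like "*\DriverStore\*")
}

$liveCopy = $copies | Where-Object { $_.Path -eq $live }
if (-not $liveCopy) {
    Write-Warning "No live driver found at $live"
    return
}

$identical = $references | Where-Object { $_.SHA256 -eq $liveCopy.SHA256 }
if ($identical) {
    Write-Host "Live $DriverName (version $($liveCopy.Version)) is byte-identical to:"
    $identical | ForEach-Object { Write-Host "  $($_.Path)" }
} else {
    Write-Warning "Live $DriverName matches no staged copy by SHA-256; compare it against a known-good copy before trusting it."
    # Same size and version as a staged copy but a different hash is the pattern
    # of an in-place patch, which a size/date listing cannot reveal.
    $sameSize = $references | Where-Object {
        $_.Size -eq $liveCopy.Size -and $_.Version -eq $liveCopy.Version
    }
    if ($sameSize) {
        Write-Warning "A staged copy with the same size and version exists but differs in content:"
        $sameSize | ForEach-Object { Write-Warning "  $($_.Path)" }
    }
}
```

Save it as a .ps1 file and run it from an elevated PowerShell prompt; to check another driver, pass `-DriverName`. The table it prints is the hashed equivalent of the `dir /a /s /oe` listings in this thread, and the final verdict is what those listings cannot give: whether the running driver is the same bytes as a copy Windows staged itself.
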
#15 deathx88

deathx88
  • Topic Starter

  • Members
  • 154 posts
  • Gender:Male

Posted 08 January 2010 - 02:39 PM

Volume in drive C is HP
Volume Serial Number is D866-D75F

Directory of c:\

01/08/2010 02:37 PM 19,944 atapi.sys
1 File(s) 19,944 bytes
0 Dir(s) 33,206,026,240 bytes free

