

problem with trojan pakes.ELE and google hijack and probably more


  • This topic is locked
8 replies to this topic

#1 exitsusej

exitsusej

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:31 AM

Posted 13 January 2010 - 07:24 AM

Hi to you guys, I keep being infected by Pakes.ELE in windows temp svchost.exe, my virus protection keeps picking it up then I delete.. if I leave my computer with the internet connected I'll have a list of about 10 Pakes.ELE within an hour.
Also having the google hijack problem.. tried using Spybot, Ad-Aware, Malwarebytes, AVG but not in safe mode as when I try and use safe mode I get a blue screen with an error I think with hardware but I'm not totally sure, I have the error code if it would help.. here is my HJT log, hope you can help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:37, on 13/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: sunriseradio Toolbar - {6bcb9b24-850c-4fe5-a24a-b2bfcd67448f} - C:\Program Files\sunriseradio\tbsun1.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: sunriseradio Toolbar - {6bcb9b24-850c-4fe5-a24a-b2bfcd67448f} - C:\Program Files\sunriseradio\tbsun1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD6180B1-0F2B-4EB1-9C0D-46F6353EB6B1}: NameServer = 212.139.132.56 212.139.132.57
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 5652 bytes




#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:02:31 PM

Posted 19 January 2010 - 10:23 AM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 exitsusej

exitsusej
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:31 AM

Posted 20 January 2010 - 04:37 PM

Thanks for your reply.. in the last few months I had the Internet Security 2010 problem and used rkill to stop it running, then did the scans with free AVG, Spybot, Malwarebytes, Ad-Aware but still have ongoing problems with constant alerts from AVG about trojans coming in through windows/temp/svchost, it was pakes.EXE a week or so ago.. then it was PSW.Generic7.BCBD, it seems to change at least once a week. Also have the google redirect issue and random pages appearing which tends to get an alert from AVG.
In the last day or so I've had a notice that shuts my PC down for its own safety.. seems to happen when connected to the internet.


DDS (Ver_09-12-01.01) - NTFSx86
Run by woody at 20:35:12.60 on 20/01/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.401 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\msfeedssync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\woody\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uURLSearchHooks: sunriseradio Toolbar: {6bcb9b24-850c-4fe5-a24a-b2bfcd67448f} - c:\program files\sunriseradio\tbsun1.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: sunriseradio Toolbar: {6bcb9b24-850c-4fe5-a24a-b2bfcd67448f} - c:\program files\sunriseradio\tbsun1.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {AD6180B1-0F2B-4EB1-9C0D-46F6353EB6B1} = 212.139.132.56 212.139.132.57
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\woody\applic~1\mozilla\firefox\profiles\hsvjvp7v.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-9 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-3 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-3 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-3 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-3 285392]
S0 nzyionlu;nzyionlu; [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2007-11-15 34064]

=============== Created Last 30 ================

2010-01-15 23:41:49 0 d-----w- c:\program files\CCleaner
2010-01-13 11:14:55 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-09 17:45:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-09 17:16:58 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-09 16:37:49 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-09 16:34:40 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-09 16:34:04 0 d-----w- c:\program files\Lavasoft
2010-01-03 15:18:31 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-03 15:18:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-03 15:04:27 0 d-----w- c:\program files\Trend Micro
2010-01-03 04:38:23 0 d--h--w- C:\$AVG
2010-01-03 04:38:12 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-03 04:38:11 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-03 04:38:05 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-03 04:37:58 0 d-----w- c:\windows\system32\drivers\Avg
2010-01-03 04:37:40 0 d-----w- c:\program files\AVG
2010-01-03 04:37:39 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-01-03 04:02:47 0 d-----w- c:\docume~1\woody\applic~1\Malwarebytes
2010-01-03 04:02:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-03 04:02:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 04:02:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-03 04:02:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-03 03:36:33 0 d-----w- C:\spoolerlogs
2010-01-03 02:58:40 0 ----a-w- c:\windows\system32\18467.exe
2010-01-03 02:13:21 1 ----a-w- C:\s

==================== Find3M ====================

2010-01-15 15:43:39 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-09 17:45:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-20 09:51:19 7895336 ----a-w- c:\program files\Firefox Setup 3.5.3.exe
2008-04-21 20:53:32 8155851 ----a-w- c:\program files\Photoshop_albumSE_en_us_320.zip
2008-04-21 20:18:57 7054272 ----a-w- c:\program files\SFTPMSI.exe
2008-04-21 19:46:08 18678232 ----a-w- c:\program files\setupUK.exe

============= FINISH: 20:36:57.56 ===============




#4 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:06:31 AM

Posted 21 January 2010 - 08:29 AM

Hi exitsusej,



Welcome to BleepingComputer HijackThis Logs and Malware Removal.
My name is sundavis, I will be helping you to deal with your Malware problems today.

Step 1
  1. Go to this thread and Download TDSSKiller.zip to your Desktop.
  2. Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
  3. Start > Run and copy/paste the following bolded command into run box and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  4. If TDSSKiller alerts you that the system needs to reboot, please consent.
  5. When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.


Step 2
  1. If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
  2. Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  3. Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  4. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  5. Click Yes to allow Combofix to continue scanning for malware.
  6. When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  7. Do not mouse click on Combofix while it is running. That may cause it to stall.

Step 3

Please download GMER Rootkit Scanner from Here or Here.
  1. Extract the contents of the zipped file to desktop.
  2. Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  3. If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  4. In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  5. Then click the Scan button & wait for it to finish. For more info, go to Here for your reference.
  6. Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" , and copy and paste the contents in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


In your next reply, please post back:

  1. TDSSKiller.txt
  2. ComboFix log
  3. Gmer log

Thanks.



#5 exitsusej

exitsusej
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:31 AM

Posted 24 January 2010 - 04:25 PM

Sorry for the delay but been having trouble with the Gmer scan.. the other 2 went ok and seemed to end any problems I was having but the Gmer scanned ok the 1st 2 times but when I clicked save it totally froze my PC and the only way to continue was to turn off at the mains.. I then tried it today and as soon as the program loaded it froze again.. I've included the 1st 2 scan logs.




17:15:59:921 2172 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
17:15:59:921 2172 ================================================================================
17:15:59:921 2172 SystemInfo:

17:15:59:921 2172 OS Version: 5.1.2600 ServicePack: 3.0
17:15:59:921 2172 Product type: Workstation
17:15:59:921 2172 ComputerName: WOODMAST-86BQP5
17:15:59:921 2172 UserName: woody
17:15:59:921 2172 Windows directory: C:\WINDOWS
17:15:59:921 2172 Processor architecture: Intel x86
17:15:59:921 2172 Number of processors: 2
17:15:59:921 2172 Page size: 0x1000
17:15:59:921 2172 Boot type: Normal boot
17:15:59:921 2172 ================================================================================
17:15:59:937 2172 UnloadDriverW: NtUnloadDriver error 2
17:15:59:937 2172 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
17:15:59:937 2172 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
17:15:59:968 2172 UtilityInit: KLMD drop and load success
17:15:59:968 2172 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
17:15:59:968 2172 UtilityInit: KLMD open success
17:15:59:968 2172 UtilityInit: Initialize success
17:15:59:968 2172
17:15:59:968 2172 Scanning Services ...
17:15:59:968 2172 CreateRegParser: Registry parser init started
17:15:59:968 2172 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
17:15:59:968 2172 CreateRegParser: DisableWow64Redirection error
17:15:59:968 2172 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
17:16:00:000 2172 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
17:16:00:000 2172 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:16:00:000 2172 wfopen_ex: Trying to KLMD file open
17:16:00:000 2172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
17:16:00:000 2172 wfopen_ex: File opened ok (Flags 2)
17:16:00:000 2172 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 264A90
17:16:00:000 2172 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
17:16:00:000 2172 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
17:16:00:000 2172 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:16:00:000 2172 wfopen_ex: Trying to KLMD file open
17:16:00:000 2172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
17:16:00:000 2172 wfopen_ex: File opened ok (Flags 2)
17:16:00:000 2172 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 264980
17:16:00:000 2172 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
17:16:00:000 2172 CreateRegParser: EnableWow64Redirection error
17:16:00:000 2172 CreateRegParser: RegParser init completed
17:16:00:390 2172 GetAdvancedServicesInfo: Raw services enum returned 315 services
17:16:00:390 2172 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
17:16:00:390 2172 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
17:16:00:390 2172
17:16:00:390 2172 Scanning Kernel memory ...
17:16:00:390 2172 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
17:16:00:390 2172 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 86F71A08
17:16:00:390 2172 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
17:16:00:390 2172
17:16:00:390 2172 DetectCureTDL3: DEVICE_OBJECT: 86F91C68
17:16:00:390 2172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F91C68
17:16:00:390 2172 KLMD_ReadMem: Trying to ReadMemory 0x86F91C68[0x38]
17:16:00:390 2172 DetectCureTDL3: DRIVER_OBJECT: 86F71A08
17:16:00:390 2172 KLMD_ReadMem: Trying to ReadMemory 0x86F71A08[0xA8]
17:16:00:390 2172 KLMD_ReadMem: Trying to ReadMemory 0xE10172E0[0x18]
17:16:00:390 2172 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:16:00:390 2172 DetectCureTDL3: IrpHandler (0) addr: F768BBB0
17:16:00:390 2172 DetectCureTDL3: IrpHandler (1) addr: 804F4562
17:16:00:390 2172 DetectCureTDL3: IrpHandler (2) addr: F768BBB0
17:16:00:390 2172 DetectCureTDL3: IrpHandler (3) addr: F7685D1F
17:16:00:390 2172 DetectCureTDL3: IrpHandler (4) addr: F7685D1F
17:16:00:390 2172 DetectCureTDL3: IrpHandler (5) addr: 804F4562
17:16:00:390 2172 DetectCureTDL3: IrpHandler (6) addr: 804F4562
17:16:00:390 2172 DetectCureTDL3: IrpHandler (7) addr: 804F4562
17:16:00:390 2172 DetectCureTDL3: IrpHandler (8) addr: 804F4562
17:16:00:390 2172 DetectCureTDL3: IrpHandler (9) addr: F76862E2
17:16:00:390 2172 DetectCureTDL3: IrpHandler (10) addr: 804F4562
17:16:00:390 2172 DetectCureTDL3: IrpHandler (11) addr: 804F4562
17:16:00:390 2172 DetectCureTDL3: IrpHandler (12) addr: 804F4562
17:16:00:390 2172 DetectCureTDL3: IrpHandler (13) addr: 804F4562
17:16:00:390 2172 DetectCureTDL3: IrpHandler (14) addr: F76863BB
17:16:00:390 2172 DetectCureTDL3: IrpHandler (15) addr: F7689F28
17:16:00:390 2172 DetectCureTDL3: IrpHandler (16) addr: F76862E2
17:16:00:390 2172 DetectCureTDL3: IrpHandler (17) addr: 804F4562
17:16:00:390 2172 DetectCureTDL3: IrpHandler (18) addr: 804F4562
17:16:00:390 2172 DetectCureTDL3: IrpHandler (19) addr: 804F4562
17:16:00:390 2172 DetectCureTDL3: IrpHandler (20) addr: 804F4562
17:16:00:390 2172 DetectCureTDL3: IrpHandler (21) addr: 804F4562
17:16:00:390 2172 DetectCureTDL3: IrpHandler (22) addr: F7687C82
17:16:00:390 2172 DetectCureTDL3: IrpHandler (23) addr: F768C99E
17:16:00:390 2172 DetectCureTDL3: IrpHandler (24) addr: 804F4562
17:16:00:390 2172 DetectCureTDL3: IrpHandler (25) addr: 804F4562
17:16:00:390 2172 DetectCureTDL3: IrpHandler (26) addr: 804F4562
17:16:00:390 2172 TDL3_FileDetect: Processing driver: Disk
17:16:00:390 2172 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:16:00:390 2172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:16:00:437 2172 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:16:00:437 2172
17:16:00:437 2172 DetectCureTDL3: DEVICE_OBJECT: 86F6DAB8
17:16:00:437 2172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F6DAB8
17:16:00:437 2172 DetectCureTDL3: DEVICE_OBJECT: 86F70D98
17:16:00:437 2172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F70D98
17:16:00:437 2172 KLMD_ReadMem: Trying to ReadMemory 0x86F70D98[0x38]
17:16:00:437 2172 DetectCureTDL3: DRIVER_OBJECT: 86F9BB68
17:16:00:437 2172 KLMD_ReadMem: Trying to ReadMemory 0x86F9BB68[0xA8]
17:16:00:437 2172 KLMD_ReadMem: Trying to ReadMemory 0x86EECB00[0x38]
17:16:00:437 2172 KLMD_ReadMem: Trying to ReadMemory 0x86F72C28[0xA8]
17:16:00:437 2172 KLMD_ReadMem: Trying to ReadMemory 0xE16460A0[0x1A]
17:16:00:437 2172 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
17:16:00:437 2172 DetectCureTDL3: IrpHandler (0) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (1) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (2) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (3) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (4) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (5) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (6) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (7) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (8) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (9) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (10) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (11) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (12) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (13) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (14) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (15) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (16) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (17) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (18) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (19) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (20) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (21) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (22) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (23) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (24) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (25) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: IrpHandler (26) addr: 86EF0841
17:16:00:437 2172 DetectCureTDL3: All IRP handlers pointed to one addr: 86EF0841
17:16:00:437 2172 KLMD_ReadMem: Trying to ReadMemory 0x86EF0841[0x400]
17:16:00:437 2172 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 333, 121, 3, 109
17:16:00:437 2172 Driver "atapi" Irp handler infected by TDSS rootkit ... 17:16:00:437 2172 KLMD_WriteMem: Trying to WriteMemory 0x86EF08BA[0xD]
17:16:00:437 2172 cured
17:16:00:437 2172 KLMD_ReadMem: Trying to ReadMemory 0x86EF06EC[0x400]
17:16:00:437 2172 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
17:16:00:437 2172 Driver "atapi" StartIo handler infected by TDSS rootkit ... 17:16:00:437 2172 TDL3_StartIoHookCure: Number of patches 1
17:16:00:437 2172 KLMD_WriteMem: Trying to WriteMemory 0x86EF07F5[0x6]
17:16:00:437 2172 cured
17:16:00:437 2172 TDL3_FileDetect: Processing driver: atapi
17:16:00:437 2172 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
17:16:00:437 2172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
17:16:00:437 2172 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
17:16:00:437 2172 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 17:16:00:453 2172 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
17:16:00:453 2172 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
17:16:00:468 2172 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
17:16:00:562 2172 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp1.cab
17:16:00:578 2172 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp2.cab
17:16:00:625 2172 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab
17:16:00:640 2172 CabinetCallback: Backup candidate found: atapi.sys:96512, extracting..
17:16:00:687 2172 CabinetCallback: File extracted successfully: C:\DOCUME~1\woody\LOCALS~1\Temp\bck1.tmp
17:16:00:687 2172 ValidateDriverFile: Stage 1 passed
17:16:00:687 2172 ValidateDriverFile: Stage 2 passed
17:16:00:828 2172 DigitalSignVerifyByHandle: Embedded DS result: 800B0100
17:16:02:359 2172 DigitalSignVerifyByHandle: Cat DS result: 00000000
17:16:02:359 2172 ValidateDriverFile: Stage 3 passed
17:16:02:359 2172 CabinetCallback: File validated successfully, restore information prepared
17:16:02:359 2172 FindDriverFileBackup: Backup copy found in cab-file
17:16:02:359 2172 TDL3_FileCure: Backup copy found, using it..
17:16:02:359 2172 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tsk2.tmp
17:16:02:406 2172 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk2.tmp, system32\drivers\atapi.sys)
17:16:02:421 2172 TDL3_FileCure: KLMD jobs schedule success
17:16:02:421 2172 will be cured on next reboot
17:16:02:421 2172 UtilityBootReinit: Reboot required for cure complete..
17:16:02:421 2172 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
17:16:02:421 2172 UtilityBootReinit: KLMD drop success
17:16:02:421 2172 KLMD_ApplyPendList: Pending buffer(1B12_6C50, 600) dropped successfully
17:16:02:421 2172 UtilityBootReinit: Cure on reboot scheduled successfully
17:16:02:421 2172
17:16:02:437 2172 Completed
17:16:02:437 2172
17:16:02:437 2172 Results:
17:16:02:437 2172 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
17:16:02:437 2172 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:16:02:437 2172 File objects infected / cured / cured on reboot: 1 / 0 / 1
17:16:02:437 2172
17:16:02:437 2172 UnloadDriverW: NtUnloadDriver error 1
17:16:02:437 2172 KLMD_Unload: UnloadDriverW(klmd21) error 1
17:16:02:437 2172 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
17:16:02:437 2172 UtilityDeinit: KLMD(ARK) unloaded successfully

ComboFix 10-01-21.08 - woody 22/01/2010 22:23:06.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.551 [GMT 0:00]
Running from: c:\documents and settings\woody\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
C:\s
c:\windows\system32\18467.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\sdra64.exe
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-12-22 to 2010-01-22 )))))))))))))))))))))))))))))))
.

2010-01-21 10:37 . 2010-01-21 10:37 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-20 21:16 . 2010-01-20 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-01-18 09:39 . 2010-01-03 12:26 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-01-18 09:39 . 2010-01-03 04:37 1260312 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-01-18 09:39 . 2010-01-03 12:26 3966744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-01-15 23:41 . 2010-01-15 23:41 -------- d-----w- c:\program files\CCleaner
2010-01-13 11:14 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-13 01:32 . 2010-01-13 01:32 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AdobeUM
2010-01-09 17:45 . 2010-01-09 17:45 -------- d-----w- c:\program files\Java
2010-01-09 17:44 . 2010-01-09 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-09 17:44 . 2010-01-09 17:44 152576 ----a-w- c:\documents and settings\woody\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-09 17:16 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-09 16:37 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-09 16:37 . 2010-01-09 16:37 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-09 16:37 . 2010-01-09 16:37 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-09 16:37 . 2010-01-09 16:37 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-09 16:34 . 2010-01-09 16:34 -------- d-----w- c:\program files\Lavasoft
2010-01-03 15:18 . 2010-01-22 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-03 15:18 . 2010-01-03 15:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-03 15:04 . 2010-01-03 15:04 -------- d-----w- c:\program files\Trend Micro
2010-01-03 12:42 . 2010-01-03 13:51 -------- d-----w- c:\documents and settings\woody\Local Settings\Application Data\luohma
2010-01-03 04:38 . 2010-01-03 14:20 -------- d-----w- C:\$AVG
2010-01-03 04:38 . 2010-01-03 04:38 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-03 04:38 . 2010-01-03 04:38 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-03 04:38 . 2010-01-03 04:38 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-03 04:38 . 2010-01-03 04:38 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-03 04:37 . 2010-01-22 09:54 -------- d-----w- c:\windows\system32\drivers\Avg
2010-01-03 04:37 . 2010-01-03 04:37 -------- d-----w- c:\program files\AVG
2010-01-03 04:37 . 2010-01-15 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-03 04:02 . 2010-01-03 04:02 -------- d-----w- c:\documents and settings\woody\Application Data\Malwarebytes
2010-01-03 04:02 . 2009-12-30 14:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-03 04:02 . 2010-01-03 04:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-03 04:02 . 2010-01-03 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-03 04:02 . 2009-12-30 14:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 03:36 . 2010-01-03 03:36 -------- d-----w- C:\spoolerlogs
2010-01-03 02:13 . 2010-01-03 02:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-22 17:17 . 2003-07-16 20:24 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-21 10:37 . 2010-01-09 16:37 372280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-21 10:37 . 2010-01-09 16:36 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-20 21:02 . 2008-09-04 09:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-12 02:22 . 2008-09-03 08:37 -------- d-----w- c:\program files\Roots Knotty Roots
2010-01-09 17:45 . 2009-11-04 17:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-09 17:16 . 2008-11-19 18:58 -------- d-----w- c:\program files\sunriseradio
2010-01-09 16:37 . 2010-01-09 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-09 16:37 . 2010-01-09 16:37 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-09 16:37 . 2010-01-09 16:37 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-09 16:36 . 2010-01-09 16:36 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-09 16:36 . 2010-01-09 16:36 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-09 16:36 . 2010-01-09 16:36 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-09 16:36 . 2010-01-09 16:36 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-09 16:36 . 2010-01-09 16:36 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-09 16:36 . 2010-01-09 16:36 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-09 16:34 . 2010-01-09 16:34 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-21 19:14 . 2003-07-16 20:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-07 14:10 . 2010-01-09 16:34 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2009-11-21 15:51 . 2003-07-16 20:23 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-04 17:48 . 2009-11-04 17:48 152576 ----a-w- c:\documents and settings\woody\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-20 09:51 . 2009-10-20 09:51 7895336 ----a-w- c:\program files\Firefox Setup 3.5.3.exe
2008-04-21 20:53 . 2008-04-21 20:53 8155851 ----a-w- c:\program files\Photoshop_albumSE_en_us_320.zip
2008-04-21 20:18 . 2008-04-21 20:18 7054272 ----a-w- c:\program files\SFTPMSI.exe
2008-04-21 19:46 . 2008-04-21 19:44 18678232 ----a-w- c:\program files\setupUK.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}"= "c:\program files\sunriseradio\tbsun1.dll" [2009-11-09 2166296]

[HKEY_CLASSES_ROOT\clsid\{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}"= "c:\program files\sunriseradio\tbsun1.dll" [2009-11-09 2166296]

[HKEY_CLASSES_ROOT\clsid\{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6BCB9B24-850C-4FE5-A24A-B2BFCD67448F}"= "c:\program files\sunriseradio\tbsun1.dll" [2009-11-09 2166296]

[HKEY_CLASSES_ROOT\clsid\{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-03 2033432]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-09 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-03 04:38 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDP:Promo

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [09/01/2010 16:37 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [03/01/2010 04:38 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [03/01/2010 04:38 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [03/01/2010 04:37 285392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [02/12/2009 13:19 1181328]
S0 nzyionlu;nzyionlu; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-01-22 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 10:37]

2010-01-22 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 10:37]

2010-01-22 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 10:37]

2010-01-22 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 10:37]

2010-01-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 10:37]

2010-01-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 12:42]

2010-01-22 c:\windows\Tasks\User_Feed_Synchronization-{D42E21E9-EC9B-4892-8EB7-329FF9969CE0}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {AD6180B1-0F2B-4EB1-9C0D-46F6353EB6B1} = 212.139.132.56 212.139.132.57
FF - ProfilePath - c:\documents and settings\woody\Application Data\Mozilla\Firefox\Profiles\hsvjvp7v.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-22 22:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3360)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2010-01-22 22:49:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-22 22:49

Pre-Run: 61,557,903,360 bytes free
Post-Run: 62,869,856,256 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 8846876B6CFAB9BC2DF2013D343BEFA6
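
The two logs above carry the detection logic a responder reads by eye: TDSSKiller's TDL3 check fires when every IRP dispatch slot of atapi points at one address, and the ComboFix log exposes a boot-start service with no file ("S0 nzyionlu;nzyionlu; [x]"), the Windows Firewall switched off, a globally opened UDP port, and deleted files whose names match the well-known Zeus/Zbot layout (lowsec\local.ds, lowsec\user.ds, sdra64.exe). The following Python is an added example for this page, not code from the thread, from TDSSKiller or from ComboFix: it re-derives those signals from the log text. The sample lines are copied from the logs posted above; the regular expressions, the finding tags and the indicator list are this example's own assumptions.

```python
"""Added triage helper for the TDSSKiller and ComboFix logs above.

Example code written for this page, not part of the thread and not code
from TDSSKiller or ComboFix. The sample lines are copied from the logs in
this thread; the regexes, finding tags and indicator list are assumptions
of this example.
"""
import re
from collections import Counter

# TDSSKiller line: "... DetectCureTDL3: IrpHandler (N) addr: XXXXXXXX"
IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-F]{8})")
# ComboFix service line: "<start> <name>;<display>;<image> [<date> <size>]"
# or, for a service whose file is gone, "<start> <name>;<display>; [x]"
SVC_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);([^\[]*)\[(.*)\]\s*$")
FW_OFF_RE = re.compile(r'"EnableFirewall"=\s*0\b')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')
# File names from the "Other Deletions" section that match the well-known
# Zeus/Zbot on-disk layout (lowsec\local.ds, lowsec\user.ds, sdra64.exe).
ZBOT_HINTS = ("\\lowsec\\local.ds", "\\lowsec\\user.ds", "\\sdra64.exe")


def irp_table_collapsed(lines):
    """TDL3 heuristic visible in the TDSSKiller log: every IRP_MJ_* dispatch
    slot of the scanned driver resolves to one address (the rootkit's stub).
    TDSSKiller follows this with code checks (TDL3_IrpHookDetect) before it
    reports an infection; a driver that shares one default handler for
    unsupported majors would trip this alone, so treat it as a trigger for
    closer inspection, not a verdict. Returns (collapsed, address_or_None)."""
    addrs = []
    for line in lines:
        m = IRP_RE.search(line)
        if m:
            addrs.append(m.group(2))
    if len(addrs) < 2:
        return False, None
    addr, count = Counter(addrs).most_common(1)[0]
    collapsed = count == len(addrs)
    return collapsed, (addr if collapsed else None)


def triage_combofix(lines):
    """Return (tag, detail) findings for the ComboFix log lines given."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SVC_RE.match(line)
        if m:
            start, name, _display, image, meta = m.groups()
            # A boot/system-start driver with no image path and "[x]" (file
            # not found) is the leftover of a loader whose file was already
            # removed; the thread's "S0 nzyionlu;nzyionlu; [x]" is one.
            if start in ("S0", "R0") and (meta.strip() == "x" or not image.strip()):
                findings.append(("boot_driver_no_file", name))
            continue
        if FW_OFF_RE.search(line):
            findings.append(("firewall_disabled", line))
        m = PORT_RE.match(line)
        if m:
            findings.append(("globally_open_port", f"{m.group(1)}/{m.group(2)}"))
        if any(h in line.lower() for h in ZBOT_HINTS):
            findings.append(("zbot_artifact", line))
    return findings


# Sample input: lines copied from the logs posted in this thread.
SAMPLE_TDSSKILLER = [
    "17:16:00:437 2172 DetectCureTDL3: IrpHandler (21) addr: 86EF0841",
    "17:16:00:437 2172 DetectCureTDL3: IrpHandler (22) addr: 86EF0841",
    "17:16:00:437 2172 DetectCureTDL3: IrpHandler (23) addr: 86EF0841",
    "17:16:00:437 2172 DetectCureTDL3: IrpHandler (24) addr: 86EF0841",
    "17:16:00:437 2172 DetectCureTDL3: IrpHandler (25) addr: 86EF0841",
    "17:16:00:437 2172 DetectCureTDL3: IrpHandler (26) addr: 86EF0841",
    "17:16:00:437 2172 DetectCureTDL3: All IRP handlers pointed to one addr: 86EF0841",
]
SAMPLE_COMBOFIX = [
    r"c:\windows\system32\lowsec\local.ds",
    r"c:\windows\system32\sdra64.exe",
    '"EnableFirewall"= 0 (0x0)',
    '"53:UDP"= 53:UDP:Promo',
    r"R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [09/01/2010 16:37 64288]",
    "S0 nzyionlu;nzyionlu; [x]",
]

if __name__ == "__main__":
    print("IRP table collapsed:", irp_table_collapsed(SAMPLE_TDSSKILLER))
    for tag, detail in triage_combofix(SAMPLE_COMBOFIX):
        print(f"{tag:22} {detail}")
```

Run on the sample lines it reports the collapsed IRP table at 86EF0841 and five findings; the R0 Lbd line (a real driver file with a date and size) produces none. The firewall check matches only the literal "= 0" value, so the CFScript value "dword:00000001" that sundavis sets below is not flagged.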


#6 sundavis (Malware Response Team)

Posted 24 January 2010 - 11:10 PM

Hi exitsusej,


QUOTE
the only way to continue was to turn off at the mains

That's ok. Since the culprit is gone, we may skip the Gmer part. We need to scan the remnants with Kas Online Scanner. It will take some time to run the full course. Please be patient and do the following:


Step1
  1. Close any open browsers
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  3. Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
CODE
DDS::
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Driver::
nzyionlu
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop



Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step2


Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step3


Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  1. Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  2. Click Accept button on the "Requirements and limitations".
  3. When the Java warning "The application digital signature has been verified. Do you want to run the application" appears, click on the "Run" button.
  4. It will download and install the program and update the database.
  5. When updating the database has finished, click on Settings.
  6. Make sure all boxes are checked. then click on the Save button.
  7. Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  8. Once the scan is completed, Click on View Scan Report.
  9. You may see a list of infected items over there. Click on Save Report As.
  10. Click "Desktop" , Name the file as "KAS", Change the Files of type to Text file (.txt) and Click on Save button.
  11. Please post the contents in your next reply.
  12. You can refer to this animation

Note for Internet Explorer 8 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.



Please post back the logs in your next reply.


1.ComboFix log
2.Kas Online Scan Report

Tell me how your pc is running now.

#7 exitsusej (Topic Starter)

Posted 25 January 2010 - 04:30 PM

Many thanks so far sundavis.. here's the 2 logs

ComboFix 10-01-24.05 - woody 25/01/2010 18:34:51.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.539 [GMT 0:00]
Running from: c:\documents and settings\woody\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\woody\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\MSN6
c:\documents and settings\All Users\Application Data\MSN6\au.ini
c:\documents and settings\woody\Application Data\MSN6
c:\documents and settings\woody\Application Data\MSN6\au.ini
c:\documents and settings\woody\Application Data\MSN6\msndata.dat
c:\documents and settings\woody\Application Data\MSN6\msndata001.dat
c:\documents and settings\woody\Application Data\MSN6\msndata002.dat
c:\documents and settings\woody\Application Data\MSN6\msndata003.dat
c:\documents and settings\woody\Application Data\MSN6\UserData\{36FE7572-9CA5-01C7-0200-00000D742C41}\fastsettings.dat
c:\documents and settings\woody\Application Data\MSN6\UserData\{36FE7572-9CA5-01C7-0200-00000D742C41}\favcache.xml
c:\documents and settings\woody\Application Data\MSN6\UserData\{36FE7572-9CA5-01C7-0200-00000D742C41}\favorites.xml
c:\documents and settings\woody\Application Data\MSN6\UserData\{36FE7572-9CA5-01C7-0200-00000D742C41}\favthumb.dbx
c:\documents and settings\woody\Application Data\MSN6\UserData\{36FE7572-9CA5-01C7-0200-00000D742C41}\localsettings.xml
c:\documents and settings\woody\Application Data\MSN6\UserData\{36FE7572-9CA5-01C7-0200-00000D742C41}\msnuser.dat
c:\documents and settings\woody\Application Data\MSN6\UserData\{36FE7572-9CA5-01C7-0200-00000D742C41}\settings.xml

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NZYIONLU
-------\Service_nzyionlu


((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))
.

2010-01-21 10:37 . 2010-01-21 10:37 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-20 21:16 . 2010-01-20 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-01-18 09:39 . 2010-01-03 12:26 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-01-18 09:39 . 2010-01-03 04:37 1260312 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-01-18 09:39 . 2010-01-03 12:26 3966744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-01-15 23:41 . 2010-01-15 23:41 -------- d-----w- c:\program files\CCleaner
2010-01-13 11:14 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-13 01:32 . 2010-01-13 01:32 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AdobeUM
2010-01-09 17:45 . 2010-01-09 17:45 -------- d-----w- c:\program files\Java
2010-01-09 17:44 . 2010-01-09 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-09 17:44 . 2010-01-09 17:44 152576 ----a-w- c:\documents and settings\woody\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-09 17:16 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-09 16:37 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-09 16:37 . 2010-01-09 16:37 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-09 16:37 . 2010-01-09 16:37 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-09 16:37 . 2010-01-09 16:37 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-09 16:34 . 2010-01-09 16:34 -------- d-----w- c:\program files\Lavasoft
2010-01-03 15:18 . 2010-01-22 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-03 15:18 . 2010-01-03 15:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-03 15:04 . 2010-01-03 15:04 -------- d-----w- c:\program files\Trend Micro
2010-01-03 12:42 . 2010-01-03 13:51 -------- d-----w- c:\documents and settings\woody\Local Settings\Application Data\luohma
2010-01-03 04:38 . 2010-01-03 14:20 -------- d-----w- C:\$AVG
2010-01-03 04:38 . 2010-01-03 04:38 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-03 04:38 . 2010-01-03 04:38 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-03 04:38 . 2010-01-03 04:38 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-03 04:38 . 2010-01-03 04:38 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-03 04:37 . 2010-01-25 10:13 -------- d-----w- c:\windows\system32\drivers\Avg
2010-01-03 04:37 . 2010-01-03 04:37 -------- d-----w- c:\program files\AVG
2010-01-03 04:37 . 2010-01-15 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-03 04:02 . 2010-01-03 04:02 -------- d-----w- c:\documents and settings\woody\Application Data\Malwarebytes
2010-01-03 04:02 . 2009-12-30 14:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-03 04:02 . 2010-01-03 04:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-03 04:02 . 2010-01-03 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-03 04:02 . 2009-12-30 14:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 03:36 . 2010-01-03 03:36 -------- d-----w- C:\spoolerlogs
2010-01-03 02:13 . 2010-01-03 02:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 00:34 . 2008-09-04 09:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-22 17:17 . 2003-07-16 20:24 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-21 10:37 . 2010-01-09 16:37 372280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-21 10:37 . 2010-01-09 16:36 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-12 02:22 . 2008-09-03 08:37 -------- d-----w- c:\program files\Roots Knotty Roots
2010-01-09 17:45 . 2009-11-04 17:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-09 17:16 . 2008-11-19 18:58 -------- d-----w- c:\program files\sunriseradio
2010-01-09 16:37 . 2010-01-09 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-09 16:37 . 2010-01-09 16:37 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-09 16:37 . 2010-01-09 16:37 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-09 16:36 . 2010-01-09 16:36 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-09 16:36 . 2010-01-09 16:36 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-09 16:36 . 2010-01-09 16:36 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-09 16:36 . 2010-01-09 16:36 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-09 16:36 . 2010-01-09 16:36 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-09 16:36 . 2010-01-09 16:36 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-09 16:34 . 2010-01-09 16:34 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-21 19:14 . 2003-07-16 20:51 916480 ------w- c:\windows\system32\wininet.dll
2009-12-07 14:10 . 2010-01-09 16:34 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2009-11-21 15:51 . 2003-07-16 20:23 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-04 17:48 . 2009-11-04 17:48 152576 ----a-w- c:\documents and settings\woody\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-20 09:51 . 2009-10-20 09:51 7895336 ----a-w- c:\program files\Firefox Setup 3.5.3.exe
2008-04-21 20:53 . 2008-04-21 20:53 8155851 ----a-w- c:\program files\Photoshop_albumSE_en_us_320.zip
2008-04-21 20:18 . 2008-04-21 20:18 7054272 ----a-w- c:\program files\SFTPMSI.exe
2008-04-21 19:46 . 2008-04-21 19:44 18678232 ----a-w- c:\program files\setupUK.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}"= "c:\program files\sunriseradio\tbsun1.dll" [2009-11-09 2166296]

[HKEY_CLASSES_ROOT\clsid\{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}"= "c:\program files\sunriseradio\tbsun1.dll" [2009-11-09 2166296]

[HKEY_CLASSES_ROOT\clsid\{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6BCB9B24-850C-4FE5-A24A-B2BFCD67448F}"= "c:\program files\sunriseradio\tbsun1.dll" [2009-11-09 2166296]

[HKEY_CLASSES_ROOT\clsid\{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-03 2033432]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-09 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-03 04:38 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDP:Promo

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [09/01/2010 16:37 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [03/01/2010 04:38 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [03/01/2010 04:38 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [03/01/2010 04:37 285392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [02/12/2009 13:19 1181328]
.
Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 10:37]

2010-01-25 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 10:37]

2010-01-25 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 10:37]

2010-01-25 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 10:37]

2010-01-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 10:37]

2010-01-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 12:42]

2010-01-25 c:\windows\Tasks\User_Feed_Synchronization-{D42E21E9-EC9B-4892-8EB7-329FF9969CE0}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {AD6180B1-0F2B-4EB1-9C0D-46F6353EB6B1} = 212.139.132.56 212.139.132.57
FF - ProfilePath - c:\documents and settings\woody\Application Data\Mozilla\Firefox\Profiles\hsvjvp7v.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-25 18:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2056)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-01-25 18:46:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-25 18:45
ComboFix2.txt 2010-01-22 22:49

Pre-Run: 62,514,589,696 bytes free
Post-Run: 62,817,325,056 bytes free

- - End Of File - - 6EBBD8757A3098C7F0C409DF734A545C
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, January 25, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, January 25, 2010 16:17:48
Records in database: 3369554
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 45734
Threats found: 2
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 01:11:10



File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\_sdra64_.exe.zip Infected: Trojan-Spy.Win32.Zbot.gen 1
C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\13\5754a58d-25820e38 Infected: Trojan-Downloader.Java.OpenStream.af 1
C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\19\60e1dc13-454d386c Infected: Trojan-Downloader.Java.OpenStream.af 1

Selected area has been scanned.


#8 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:06:31 AM

Posted 25 January 2010 - 11:19 PM

Hi exitsusej,

As for those infected objects listed in the Kaspersky report, those can be safely removed by clearing your Java cache as instructed in this thread and uninstalling the ComboFix quarantine folder, which we will be taking care of now. Another thing that occurred to me: you may need to reinstall your MSN if it can't run properly. It's the best way to ensure the integrity of the program.

Other than that, your logs appear clean now. If you have no remaining concerns on your PC, let's do some tidying up and you should be good to go.

Step 1

Click START then RUN.
Now copy/paste ComboFix /Uninstall in the run box and click OK.
Note the space between the x and the /Uninstall; it needs to be there.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Step 2

Download OTC by OldTimer and save it to your desktop.
  1. Double click OTC and let it run.
  2. Then click the Cleanup button.
  3. You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  4. Restart your computer when prompted.
Please delete the tools and logs we have used. Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:
  1. Update your antivirus programs

    Update your antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your PC.
    Secunia Software Inspector
    F-Secure Health Check

  2. Update your Adobe Acrobat Reader

    Old versions may contain vulnerabilities that malware can use to infect your system. Please download Adobe Reader 9 to your desktop.
    Uninstall the old Adobe Reader from Start > Control Panel > Add/Remove Programs. Install the new one.

  3. Update all programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  4. Back up your valid registry - ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Due to malware effects, a corrupt registry can prevent a system from booting. You're well advised to back up your valid registry while the system is clean now. For more info: here and here.
Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information here on how to prevent malware.


Glad to be of help. Safe surfing!!

Edited by sundavis, 26 January 2010 - 02:36 AM.


#9 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:06:31 AM

Posted 30 January 2010 - 10:30 PM

Since this issue appears resolved ... this Topic is closed.

Glad we could help.

Everyone else please begin a New Topic.