Infected with trojan.patched.u


This topic is locked
35 replies to this topic

#1 bomni

  • Members
  • 56 posts

Posted 27 January 2010 - 08:05 PM

As requested, here is the DDS log.
I do get an error box saying: "Could not read boot sector. Try adjusting disk access levels in the options dialog." I also get another error box stating: "Could not read system registry! Please contact author!"

DDS (Ver_09-12-01.01) - NTFSx86
Run by Matt at 16:36:47.95 on 27/01/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.170 [GMT -8:00]

AV: TELUS security services Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: TELUS security services Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\TELUS\TELUS security services\Fws.exe
C:\WINDOWS\explorer.exe
svchost.exe
C:\Program Files\TELUS\TELUS security services\rps.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TELUS\TELUS security services\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
c:\program files\idt\wdm\STacSV.exe
svchost.exe
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\TELUS\TELUS security services\RpsSecurityAwareR.exe
C:\Program Files\TELUS\TELUS security advisor\ServicepointService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TELUS\TELUS security advisor\TsaComHandler.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\program files\telus\telus security advisor\tsa .exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Matt\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb
uSearch Page = hxxp://www.live.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uWinlogon: Shell=explorer.exe "
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0560.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0560.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Tsa.exe] "c:\program files\telus\telus security advisor\Tsa.exe" /AUTORUN
mRun: [xrq] c:\windows\system32\xrq.exe \u
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Conime] %windir%\system32\conime.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\matt\startm~1\programs\startup\teluss~1.lnk - c:\program files\telus\telus security services\RPS.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\0023.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\qku1cxql.default\
FF - plugin: c:\program files\telus\telus security advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2009-12-28 25608]
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2009-8-24 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2009-8-24 15856]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [2009-7-1 103792]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2009-8-24 25584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [2009-6-2 457200]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-1-11 1858144]
R2 BOTService;BOTService;c:\program files\roxio\backontrack\instant restore\BOTService.exe [2009-7-9 199152]
R2 Radialpoint Security Services;TELUS security services;c:\program files\telus\telus security services\RpsSecurityAwareR.exe [2009-12-14 165408]
R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\telus\telus security services\avg\identity protection\agent\bin\AVGIDSAgent.exe [2009-12-28 5832712]
R2 ServicepointService;ServicepointService;c:\program files\telus\telus security advisor\ServicepointService.exe [2009-12-28 668912]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-8-24 113664]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2009-5-11 56480]
R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\telus\telus security services\avg\identity protection\agent\drivers\AVGIDSDriver.sys [2009-12-28 122376]
R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\telus\telus security services\avg\identity protection\agent\drivers\AVGIDSfilter.sys [2009-12-28 30216]
R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\telus\telus security services\avg\identity protection\agent\drivers\AVGIDSShim.sys [2009-12-28 25736]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-24 165888]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

=============== Created Last 30 ================

2010-01-27 03:06:04 0 d-----w- C:\autoruns
2010-01-26 03:33:05 800824 ----a-w- c:\docume~1\matt\applic~1\DPInst.exe
2010-01-26 03:33:05 106496 ----a-w- c:\docume~1\matt\applic~1\gacutil.exe
2010-01-26 01:33:19 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-26 01:31:33 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-26 01:31:33 0 d-----w- c:\docume~1\matt\applic~1\SUPERAntiSpyware.com
2010-01-26 01:30:13 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-26 01:25:24 110592 ------w- c:\windows\system32\dllcache\services.exe
2010-01-26 01:03:30 0 d-----w- c:\docume~1\matt\applic~1\Malwarebytes
2010-01-26 01:03:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-26 01:03:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-26 01:03:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-26 01:03:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-21 18:31:59 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-17 22:30:43 0 d-----w- c:\program files\Kodak
2010-01-17 22:29:21 0 d-----w- c:\program files\Bonjour
2010-01-17 22:27:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Kodak
2010-01-17 22:25:51 0 d-----w- c:\docume~1\matt\applic~1\Temp
2010-01-13 16:44:57 4 ----a-w- c:\program files\41544718.dat
2010-01-13 05:12:51 4 ----a-w- c:\program files\10451234.dat
2010-01-13 04:42:35 15360 ----a-w- c:\windows\system32\ctfmon.exe
2010-01-13 04:42:23 6435 ----a-w- c:\windows\system32\WORK.DAT
2010-01-13 00:58:32 1206508 ------w- c:\windows\system32\dllcache\sysmain.sdb
2010-01-13 00:58:31 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-13 00:58:22 81920 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 00:58:22 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-01-13 00:58:22 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 00:58:22 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-01-11 23:56:58 0 d-----w- c:\program files\a-squared Free
2010-01-10 18:26:51 0 d-sh--w- c:\documents and settings\matt\IECompatCache
2009-12-29 05:54:11 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2009-12-29 05:53:05 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2009-12-29 05:52:52 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
2009-12-29 05:52:40 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
2009-12-29 05:52:23 0 d-----w- c:\program files\Raxco
2009-12-29 05:47:56 0 d-----w- c:\docume~1\matt\applic~1\TELUS
2009-12-29 05:47:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Radialpoint
2009-12-29 05:47:41 0 d-----w- c:\docume~1\alluse~1\applic~1\TELUS
2009-12-29 05:47:40 0 d-----w- c:\program files\TELUS

==================== Find3M ====================

2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-25 06:15:22 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-10-27 19:26:46 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009102720091028\index.dat

============= FINISH: 16:38:28.51 ===============

For some reason the forum webpage looks funny and I cannot add the attach.txt file.




#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,115 posts
  • Gender:Female
  • Location:Romania

Posted 04 February 2010 - 09:29 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log

Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#3 bomni
  • Topic Starter
  • Members
  • 56 posts

Posted 04 February 2010 - 07:22 PM

Hello

Thank you for taking the time to help me. I really appreciate it!

Here are the requested logs.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Matt at 12:50:07.64 on 04/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.140 [GMT -8:00]

AV: TELUS security services Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: TELUS security services Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\TELUS\TELUS security services\Fws.exe
C:\WINDOWS\explorer.exe
svchost.exe
C:\Program Files\TELUS\TELUS security services\rps.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TELUS\TELUS security services\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
c:\program files\idt\wdm\STacSV.exe
svchost.exe
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\TELUS\TELUS security services\RpsSecurityAwareR.exe
C:\Program Files\TELUS\TELUS security advisor\ServicepointService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\TELUS\TELUS security advisor\TsaComHandler.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\telus\telus security advisor\tsa .exe
C:\Documents and Settings\Matt\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb
uSearch Page = hxxp://www.live.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uWinlogon: Shell=explorer.exe "
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0560.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0560.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Tsa.exe] "c:\program files\telus\telus security advisor\Tsa.exe" /AUTORUN
mRun: [xrq] c:\windows\system32\xrq.exe \u
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Conime] %windir%\system32\conime.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\matt\startm~1\programs\startup\teluss~1.lnk - c:\program files\telus\telus security services\RPS.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\0023.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\qku1cxql.default\
FF - plugin: c:\program files\telus\telus security advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2009-12-28 25608]
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2009-8-24 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2009-8-24 15856]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [2009-7-1 103792]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2009-8-24 25584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [2009-6-2 457200]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-1-11 1858144]
R2 BOTService;BOTService;c:\program files\roxio\backontrack\instant restore\BOTService.exe [2009-7-9 199152]
R2 Radialpoint Security Services;TELUS security services;c:\program files\telus\telus security services\RpsSecurityAwareR.exe [2009-12-14 165408]
R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\telus\telus security services\avg\identity protection\agent\bin\AVGIDSAgent.exe [2009-12-28 5832712]
R2 ServicepointService;ServicepointService;c:\program files\telus\telus security advisor\ServicepointService.exe [2009-12-28 668912]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-8-24 113664]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2009-5-11 56480]
R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\telus\telus security services\avg\identity protection\agent\drivers\AVGIDSDriver.sys [2009-12-28 122376]
R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\telus\telus security services\avg\identity protection\agent\drivers\AVGIDSfilter.sys [2009-12-28 30216]
R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\telus\telus security services\avg\identity protection\agent\drivers\AVGIDSShim.sys [2009-12-28 25736]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-24 165888]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

=============== Created Last 30 ================

2010-01-28 00:41:50 0 ----a-w- c:\documents and settings\matt\settings.dat
2010-01-27 03:06:04 0 d-----w- C:\autoruns
2010-01-26 03:33:05 800824 ----a-w- c:\docume~1\matt\applic~1\DPInst.exe
2010-01-26 03:33:05 106496 ----a-w- c:\docume~1\matt\applic~1\gacutil.exe
2010-01-26 01:33:19 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-26 01:31:33 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-26 01:31:33 0 d-----w- c:\docume~1\matt\applic~1\SUPERAntiSpyware.com
2010-01-26 01:30:13 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-26 01:25:24 110592 ------w- c:\windows\system32\dllcache\services.exe
2010-01-26 01:03:30 0 d-----w- c:\docume~1\matt\applic~1\Malwarebytes
2010-01-26 01:03:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-26 01:03:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-26 01:03:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-26 01:03:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-21 18:31:59 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-17 22:30:43 0 d-----w- c:\program files\Kodak
2010-01-17 22:29:21 0 d-----w- c:\program files\Bonjour
2010-01-17 22:27:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Kodak
2010-01-17 22:25:51 0 d-----w- c:\docume~1\matt\applic~1\Temp
2010-01-13 16:44:57 4 ----a-w- c:\program files\41544718.dat
2010-01-13 05:12:51 4 ----a-w- c:\program files\10451234.dat
2010-01-13 04:42:35 15360 ----a-w- c:\windows\system32\ctfmon.exe
2010-01-13 04:42:23 6435 ----a-w- c:\windows\system32\WORK.DAT
2010-01-13 00:58:32 1206508 ------w- c:\windows\system32\dllcache\sysmain.sdb
2010-01-13 00:58:31 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-13 00:58:22 81920 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 00:58:22 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-01-13 00:58:22 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 00:58:22 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-01-11 23:56:58 0 d-----w- c:\program files\a-squared Free
2010-01-10 18:26:51 0 d-sh--w- c:\documents and settings\matt\IECompatCache

==================== Find3M ====================

2009-12-29 05:52:52 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
2009-12-29 05:52:38 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-25 06:15:22 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-10-27 19:26:46 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009102720091028\index.dat

============= FINISH: 12:51:26.28 ===============

And the second one


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 27/10/2009 12:36:56 PM
System Uptime: 02/04/2010 12:21:16 PM (-1368 hours ago)

Motherboard: Quanta | | 3651
Processor: Intel® Atom™ CPU N270 @ 1.60GHz | CPU | 1599/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 129.562 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

a-squared Free 4.5
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2 MUI
ALPS Touch Pad Driver
Bonjour
Broadcom 802.11 Wireless LAN Adapter
Compatibility Pack for the 2007 Office system
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP BatteryCheck 2.10 A2
HP Games
HP Help and Support
HP QuickSync
HP User Guides 0150
HP Wireless Assistant
HpSdpAppCoreApp
IDT Audio
Java™ 6 Update 17
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Live Search Toolbar
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Project 2007 Service Pack 2 (SP2)
Microsoft Office Project MUI (English) 2007
Microsoft Office Project Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.5.7)
MSXML 6.0 Parser
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
PerfectDisk 10 Professional
Roxio BackOnTrack
Roxio Disaster Recovery
Roxio Instant Restore
Roxio Instant Restore Recovery Disk
Roxio Update Manager
RPS CRT
RPS PerfectDiskStub
RPS RpsCore
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SUPERAntiSpyware Free Edition
TELUS security advisor 3.5.12
TELUS security services
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB Webcam
USB2.0 Card Reader Software
WebFldrs XP
Windows Backup Utility
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11

==== Event Viewer Messages From Past Week ========

04/02/2010 12:23:19 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the BOTService service.
04/02/2010 10:14:17 AM, error: Dhcp [1002] - The IP address lease 192.168.0.103 for the Network Card with network address 0C607629F42E has been denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================

And the GMER report

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-04 13:37:02
Windows 5.1.2600 Service Pack 3
Running: zfsgtegx.exe; Driver: C:\DOCUME~1\Matt\LOCALS~1\Temp\axtdipog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\TELUS\TELUS security services\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwOpenProcess [0xF7738470]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xED1030B0]
SSDT \??\C:\Program Files\TELUS\TELUS security services\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateThread [0xF77385C0]
SSDT \??\C:\Program Files\TELUS\TELUS security services\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwWriteVirtualMemory [0xF7738660]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF5EC2360, 0x3CD435, 0xE8000020]
? System32\Drivers\c44a0b11.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\svchost.exe[280] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[280] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01006000]
.rsrc C:\WINDOWS\system32\svchost.exe[340] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[340] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01006000]
.rsrc C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01006000]
.text C:\Program Files\a-squared Free\a2service.exe[1012] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0045495D C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
.rsrc C:\WINDOWS\system32\winlogon.exe[1240] C:\WINDOWS\system32\winlogon.exe section is executable [0x01077000, 0xB000, 0x60000060]
.rsrc C:\WINDOWS\system32\winlogon.exe[1240] C:\WINDOWS\system32\winlogon.exe entry point in ".rsrc" section [0x01081000]
.rsrc C:\WINDOWS\system32\svchost.exe[1476] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1476] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01006000]
.rsrc C:\WINDOWS\system32\svchost.exe[1540] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1540] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01006000]
.rsrc C:\WINDOWS\System32\svchost.exe[1628] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\System32\svchost.exe[1628] C:\WINDOWS\System32\svchost.exe entry point in ".rsrc" section [0x01006000]
.reloc C:\WINDOWS\explorer.exe[1844] C:\WINDOWS\explorer.exe section is executable [0x010FB000, 0x5000, 0x62000060]
.reloc C:\WINDOWS\explorer.exe[1844] C:\WINDOWS\explorer.exe entry point in ".reloc" section [0x010FF000]
.rsrc C:\WINDOWS\system32\svchost.exe[2040] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[2040] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01006000]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
AttachedDevice \FileSystem\Ntfs \Ntfs trufos.sys (Trufos Kernel Module/BitDefender S.R.L.)
AttachedDevice \Driver\Tcpip \Device\Ip rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SaibIa32.sys (Disk Filter Driver/Sonic Solutions)
AttachedDevice \Driver\Tcpip \Device\Udp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)

---- EOF - GMER 1.0.15 ----




#4 Elise (Malware Study Hall Admin)

Posted 05 February 2010 - 08:25 AM

Hello bomni,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#5 bomni (Topic Starter)

Posted 05 February 2010 - 06:15 PM


Here is the file.


ComboFix 10-02-05.02 - Matt 05/02/2010 14:46:57.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.412 [GMT -8:00]
Running from: c:\documents and settings\Matt\My Documents\Downloads\ComboFix.exe
AV: TELUS security services Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: TELUS security services Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1261457544-1985019686-3703074159-1003
c:\windows\system32\aestfltr .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\oem10.inf
c:\windows\system32\stacsv.exe
c:\windows\system32\WORK.DAT
c:\windows\vsnp2uvc .exe

c:\windows\system32\lsass.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-01-05 to 2010-02-05 )))))))))))))))))))))))))))))))
.

2010-01-28 00:41 . 2010-01-28 00:41 0 ----a-w- c:\documents and settings\Matt\settings.dat
2010-01-27 03:06 . 2010-01-27 03:06 -------- d-----w- C:\autoruns
2010-01-26 03:33 . 2010-01-26 04:50 800824 ----a-w- c:\documents and settings\Matt\Application Data\DPInst.exe
2010-01-26 03:33 . 2010-01-26 04:50 106496 ----a-w- c:\documents and settings\Matt\Application Data\gacutil.exe
2010-01-26 01:34 . 2010-01-26 01:34 52224 ----a-w- c:\documents and settings\Matt\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-26 01:34 . 2010-01-26 01:34 117760 ----a-w- c:\documents and settings\Matt\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-26 01:33 . 2010-01-26 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-26 01:31 . 2010-01-26 01:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-26 01:31 . 2010-01-26 01:31 -------- d-----w- c:\documents and settings\Matt\Application Data\SUPERAntiSpyware.com
2010-01-26 01:30 . 2010-01-26 01:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-26 01:25 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2010-01-26 01:03 . 2010-01-26 01:03 -------- d-----w- c:\documents and settings\Matt\Application Data\Malwarebytes
2010-01-26 01:03 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-26 01:03 . 2010-01-26 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-26 01:03 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-26 01:03 . 2010-01-26 01:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-21 18:31 . 2009-12-21 19:14 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-21 18:31 . 2009-12-21 19:14 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2010-01-21 18:31 . 2009-12-21 19:14 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-01-21 18:31 . 2009-12-21 19:14 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-01-21 18:31 . 2009-12-21 13:19 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-01-21 18:31 . 2009-12-21 19:14 5942784 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-01-21 18:31 . 2009-12-21 19:14 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-01-20 18:21 . 2010-01-20 18:21 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-01-17 22:30 . 2010-01-17 22:30 -------- d-----w- c:\program files\Kodak
2010-01-17 22:29 . 2010-01-17 22:29 -------- d-----w- c:\program files\Bonjour
2010-01-17 22:29 . 2010-01-17 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-17 22:27 . 2010-01-17 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-01-17 22:25 . 2010-01-26 04:50 -------- d-----w- c:\documents and settings\Matt\Application Data\Temp
2010-01-13 16:44 . 2010-01-13 16:44 4 ----a-w- c:\program files\41544718.dat
2010-01-13 05:12 . 2010-01-13 05:12 4 ----a-w- c:\program files\10451234.dat
2010-01-13 04:42 . 2008-04-15 04:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
2010-01-13 00:58 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-13 00:58 . 2009-10-15 16:28 81920 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 00:58 . 2009-10-15 16:28 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-01-13 00:58 . 2009-10-15 16:28 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 00:58 . 2009-10-15 16:28 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-01-11 23:56 . 2010-01-13 07:14 -------- d-----w- c:\program files\a-squared Free
2010-01-10 18:26 . 2010-01-10 18:26 -------- d-sh--w- c:\documents and settings\Matt\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-21 20:13 . 2009-10-27 19:19 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-17 00:22 . 2009-10-27 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-01-17 00:18 . 2009-10-29 10:26 -------- d-----w- c:\program files\Symantec
2010-01-13 16:45 . 2009-10-27 19:18 -------- d-----w- c:\program files\Apoint2K
2010-01-10 21:28 . 2009-10-27 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-29 06:07 . 2009-12-29 05:47 -------- d-----w- c:\documents and settings\Matt\Application Data\TELUS
2009-12-29 05:52 . 2009-12-29 05:52 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
2009-12-29 05:52 . 2009-12-29 05:52 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
2009-12-29 05:52 . 2009-12-29 05:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Raxco
2009-12-29 05:52 . 2009-12-29 05:52 -------- d-----w- c:\program files\Raxco
2009-12-29 05:51 . 2009-12-29 05:47 -------- d-----w- c:\program files\TELUS
2009-12-29 05:49 . 2009-12-29 05:47 -------- d-----w- c:\documents and settings\All Users\Application Data\TELUS
2009-12-29 05:47 . 2009-12-29 05:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Radialpoint
2009-12-29 05:47 . 2009-10-27 19:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-21 15:51 . 2010-01-13 00:58 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-15 18:39 . 2009-10-27 19:43 40576 ----a-w- c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-11 22:30 . 2009-11-11 22:30 152576 ----a-w- c:\documents and settings\Matt\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-11 22:29 . 2009-11-11 22:29 79488 ----a-w- c:\documents and settings\Matt\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
.
CODE
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Apoint2K\apoint .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Hewlett-Packard\HP QuickSync\quicksync .exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\hpwamain .exe
c:\program files\IDT\WDM\sttray .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\TELUS\TELUS security advisor\tsa .exe


------- Sigcheck -------

[-] 2008-04-15 . B5EAE45F051C7C52F6BD5519AEE46D40 . 14848 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe

[-] 2008-04-15 . ED01A2F446C5B788817C44D28E10F346 . 58880 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe

[-] 2008-04-15 . B0CA57559B588A2FBFAB22BC89C8ED2C . 512000 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-15 . 6F63C7EA78149DF6AC39D788E00802F9 . 17408 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe

[-] 2008-04-15 . 0670F46B0680D5C2AF34AE3D6695D37E . 1036288 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xrq"="c:\windows\system32\xrq.exe \u" [X]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [N/A]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [N/A]
"nwiz"="nwiz.exe" [2009-06-26 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-26 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-26 13762560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [N/A]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [N/A]
"Tsa.exe"="c:\program files\TELUS\TELUS security advisor\Tsa.exe" [N/A]
"Conime"="c:\windows\system32\conime.exe" [2008-04-15 27648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

c:\documents and settings\Matt\Start Menu\Programs\Startup\
Telus Security.lnk - c:\program files\TELUS\TELUS security services\RPS.exe [2009-12-14 649496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Hewlett-Packard\\HP QuickSync\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\TELUS\\TELUS security advisor\\ServicepointService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [28/12/2009 9:54 PM 25608]
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [24/08/2009 9:33 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [24/08/2009 9:33 PM 15856]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [01/07/2009 10:10 PM 103792]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [24/08/2009 9:33 PM 25584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 7:56 AM 74480]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [02/06/2009 6:05 PM 457200]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [11/01/2010 3:56 PM 1858144]
R2 BOTService;BOTService;c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [09/07/2009 3:08 AM 199152]
R2 Radialpoint Security Services;TELUS security services;c:\program files\TELUS\TELUS security services\RpsSecurityAwareR.exe [14/12/2009 10:26 PM 165408]
R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\TELUS\TELUS security services\AVG\Identity Protection\agent\bin\AVGIDSAgent.exe [28/12/2009 9:54 PM 5832712]
R2 ServicepointService;ServicepointService;c:\program files\TELUS\TELUS security advisor\ServicepointService.exe [28/12/2009 9:47 PM 668912]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [24/08/2009 8:59 PM 113664]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [11/05/2009 10:49 AM 56480]
R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\TELUS\TELUS security services\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [28/12/2009 9:54 PM 122376]
R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\TELUS\TELUS security services\AVG\Identity Protection\agent\drivers\AVGIDSfilter.sys [28/12/2009 9:54 PM 30216]
R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\TELUS\TELUS security services\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [28/12/2009 9:54 PM 25736]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 7:56 AM 7408]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [24/08/2009 9:11 PM 165888]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 8520B13A
*NewlyCreated* - 96FD5893
*Deregistered* - 8520b13a
*Deregistered* - 96fd5893

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan sysagent
.
Contents of the 'Scheduled Tasks' folder

2010-02-05 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job
- c:\program files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2009-07-09 11:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvLsp.dll
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\qku1cxql.default\
FF - plugin: c:\program files\TELUS\TELUS security advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-05 15:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1240)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1296)
c:\windows\system32\nvLsp.dll
.
Completion time: 2010-02-05 15:07:15
ComboFix-quarantined-files.txt 2010-02-05 23:07

Pre-Run: 138,958,106,624 bytes free
Post-Run: 138,932,301,824 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 048BF0BFEF057DC863ED7CAB469B576C



#6 Elise (Malware Study Hall Admin)

Posted 06 February 2010 - 06:36 AM

Hello bomni,

We have quite some cleanup to do here. Please let me know if you have your XP CD at hand (or if you don't have one, maybe you can borrow one from a friend/family member), because we need to replace some files.


SHOW HIDDEN FILES AND FOLDERS
-------------------------------------------------
Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK


UPLOAD A FILE
--------------------
We need to check a file. Please click this link VirusTotal

When the page has finished loading, click the Choose file button and navigate to the following file and click Send file.

c:\windows\system32\winlogon.exe
c:\windows\system32\svchost.exe

If you get the message that the file has already been scanned before, please click Reanalyse file now.
Please post back the results of the scan in your next post.


CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
RenV::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Apoint2K\apoint .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Hewlett-Packard\HP QuickSync\quicksync .exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\hpwamain .exe
c:\program files\IDT\WDM\sttray .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\TELUS\TELUS security advisor\tsa .exe

Driver::
8520B13A
96FD5893

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xrq"=-

File::
c:\windows\system32\xrq.exe

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • Combofix.txt
  • VirusTotal results
  • Let me know if you have an XP CD

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft

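As an added example (not a ComboFix or BleepingComputer tool), here is a small Python triage script that pulls the two indicators the CF-script above acts on out of a ComboFix-style log: the renamed "name .exe" originals that the infection left behind, which RenV:: renames back, and the random hex-named *NewlyCreated* drivers that Driver:: removes. The log excerpt is constructed from this thread's log, the regexes are mine, and the generated script is a draft for a helper to review, not something to run unattended.

```python
"""
Triage helper for ComboFix-style logs (added example; not part of ComboFix).

It extracts three things a malware helper looks for in a "patched" infection:
  1. executables whose name has a space before the extension ("apoint .exe"),
     which are the renamed legitimate files; ComboFix's RenV:: directive
     renames them back;
  2. "*NewlyCreated*" entries with 8-hex-digit names in the "Other
     Services/Drivers In Memory" section, which Driver:: removes;
  3. files ComboFix flags as "is infected!!", which cannot be repaired by
     renaming and need replacing from clean install media.
"""
import re

# Constructed excerpt modelled on the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
CODE
c:\program files\Apoint2K\apoint .exe
c:\program files\IDT\WDM\sttray .exe
c:\windows\system32\ctfmon.exe
*NewlyCreated* - 8520B13A
*NewlyCreated* - 96FD5893
*Deregistered* - 8520b13a
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [11/01/2010 3:56 PM 1858144]
"""

# A drive-letter path whose basename ends in " .exe" / " .dll" / " .sys".
RENAMED_EXE = re.compile(r"^(?P<path>[a-z]:\\.*?) \.(?P<ext>exe|dll|sys)$",
                         re.IGNORECASE)
# ComboFix lists freshly registered drivers as "*NewlyCreated* - <8 hex>".
NEW_DRIVER = re.compile(r"^\*NewlyCreated\* - (?P<name>[0-9A-Fa-f]{8})$")
# ComboFix marks patched system binaries with ". . . is infected!!".
INFECTED = re.compile(r"^(?P<path>[a-z]:\\.*?) \. \. \. is infected!!$",
                      re.IGNORECASE)


def _lines(log):
    """Yield non-empty, whitespace-trimmed lines of the log."""
    for line in log.splitlines():
        line = line.strip()
        if line:
            yield line


def find_renamed_executables(log):
    """Return the 'name .ext' lines, in log order, exactly as RenV:: wants them."""
    return [line for line in _lines(log) if RENAMED_EXE.match(line)]


def find_new_drivers(log):
    """Return the hex names of *NewlyCreated* drivers, de-duplicated, upper-cased."""
    seen, names = set(), []
    for line in _lines(log):
        m = NEW_DRIVER.match(line)
        if m and m.group("name").upper() not in seen:
            seen.add(m.group("name").upper())
            names.append(m.group("name").upper())
    return names


def find_infected(log):
    """Return the paths ComboFix reports as infected (these need clean copies)."""
    return [INFECTED.match(line).group("path")
            for line in _lines(log) if INFECTED.match(line)]


def build_cfscript(log):
    """Draft the RenV:: and Driver:: sections of a CFScript from the log."""
    sections = []
    renamed = find_renamed_executables(log)
    if renamed:
        sections.append("RenV::\n" + "\n".join(renamed))
    drivers = find_new_drivers(log)
    if drivers:
        sections.append("Driver::\n" + "\n".join(drivers))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
    for path in find_infected(SAMPLE_LOG):
        print("needs replacement from install media:", path)
```

The infected system binaries (lsass.exe, explorer.exe and the rest) are deliberately left out of the generated script, since ComboFix cannot rename a patched file back to health; that is why the helper asks for an XP CD.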

#7 bomni (Topic Starter)

Posted 06 February 2010 - 02:01 PM

Hello, I am having some issues with your last reply. I am not sure that uploading the executable files to VirusTotal did anything (0 bytes received for each file).


Also, the computer that is infected is a netbook, so I do not have a CD drive, and since I have recently purchased it and there is little information I have on it, I think that maybe we should just format it. I am not sure of the procedure for how to format it, but I searched around and you need a flash drive, which I have 2 of (1 GB and 8 GB).

I know when I got the virus too: my trial of Norton AV expired, so I tried to download a keygen (I know, very bad; I am a student so I am not made of money). Needless to say, I have learned my lesson. This netbook is strictly for school, so no P2P downloading or questionable site browsing. Since my ISP AV failed to stop this trojan, is there a good free AV program you can recommend? Can this virus spread through file transfer by flash drive? The reason for asking is that I have been transferring Excel and Word documents between the netbook and desktop.

If this is possible I really only need my product keys for Microsoft Office and probably XP(not sure where to find them) and everything else I can download all appropriate files. Is there any other files I should store prior to format?

I have the CD for XP for my desktop computer but no way to transfer unless I can copy and paste from my desktop/cd to flash drive?
Here is the the combofix file

ComboFix 10-02-05.04 - Matt 06/02/2010 9:59.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.229 [GMT -8:00]
Running from: c:\documents and settings\Matt\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Matt\My Documents\Downloads\CFscript.txt
AV: TELUS security services Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: TELUS security services Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

FILE ::
"c:\windows\system32\xrq.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lsass.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_8520B13A
-------\Legacy_96FD5893


((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.

2010-01-28 00:41 . 2010-01-28 00:41 0 ----a-w- c:\documents and settings\Matt\settings.dat
2010-01-27 03:06 . 2010-01-27 03:06 -------- d-----w- C:\autoruns
2010-01-26 03:33 . 2010-01-26 04:50 800824 ----a-w- c:\documents and settings\Matt\Application Data\DPInst.exe
2010-01-26 03:33 . 2010-01-26 04:50 106496 ----a-w- c:\documents and settings\Matt\Application Data\gacutil.exe
2010-01-26 01:34 . 2010-01-26 01:34 52224 ----a-w- c:\documents and settings\Matt\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-26 01:34 . 2010-01-26 01:34 117760 ----a-w- c:\documents and settings\Matt\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-26 01:33 . 2010-01-26 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-26 01:31 . 2010-01-26 01:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-26 01:31 . 2010-01-26 01:31 -------- d-----w- c:\documents and settings\Matt\Application Data\SUPERAntiSpyware.com
2010-01-26 01:30 . 2010-01-26 01:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-26 01:25 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2010-01-26 01:03 . 2010-01-26 01:03 -------- d-----w- c:\documents and settings\Matt\Application Data\Malwarebytes
2010-01-26 01:03 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-26 01:03 . 2010-01-26 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-26 01:03 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-26 01:03 . 2010-01-26 01:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-21 18:31 . 2009-12-21 19:14 916480 ------w- c:\windows\system32\wininet.dll
2010-01-21 18:31 . 2009-12-21 19:14 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2010-01-21 18:31 . 2009-12-21 19:14 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-01-21 18:31 . 2009-12-21 19:14 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-01-21 18:31 . 2009-12-21 13:19 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-01-21 18:31 . 2009-12-21 19:14 5942784 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-01-21 18:31 . 2009-12-21 19:14 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-01-20 18:21 . 2010-01-20 18:21 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-01-17 22:30 . 2010-01-17 22:30 -------- d-----w- c:\program files\Kodak
2010-01-17 22:29 . 2010-01-17 22:29 -------- d-----w- c:\program files\Bonjour
2010-01-17 22:29 . 2010-01-17 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-17 22:27 . 2010-01-17 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-01-17 22:25 . 2010-01-26 04:50 -------- d-----w- c:\documents and settings\Matt\Application Data\Temp
2010-01-13 16:44 . 2010-01-13 16:44 4 ----a-w- c:\program files\41544718.dat
2010-01-13 05:12 . 2010-01-13 05:12 4 ----a-w- c:\program files\10451234.dat
2010-01-13 04:42 . 2008-04-15 04:00 15360 ------w- c:\windows\system32\ctfmon.exe
2010-01-13 00:58 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-13 00:58 . 2009-10-15 16:28 81920 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 00:58 . 2009-10-15 16:28 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-01-13 00:58 . 2009-10-15 16:28 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 00:58 . 2009-10-15 16:28 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-01-11 23:56 . 2010-01-13 07:14 -------- d-----w- c:\program files\a-squared Free
2010-01-10 18:26 . 2010-01-10 18:26 -------- d-sh--w- c:\documents and settings\Matt\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-06 17:58 . 2009-10-27 19:18 -------- d-----w- c:\program files\Apoint2K
2010-01-21 20:13 . 2009-10-27 19:19 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-17 00:22 . 2009-10-27 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-01-17 00:18 . 2009-10-29 10:26 -------- d-----w- c:\program files\Symantec
2010-01-10 21:28 . 2009-10-27 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-29 06:07 . 2009-12-29 05:47 -------- d-----w- c:\documents and settings\Matt\Application Data\TELUS
2009-12-29 05:52 . 2009-12-29 05:52 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
2009-12-29 05:52 . 2009-12-29 05:52 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
2009-12-29 05:52 . 2009-12-29 05:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Raxco
2009-12-29 05:52 . 2009-12-29 05:52 -------- d-----w- c:\program files\Raxco
2009-12-29 05:51 . 2009-12-29 05:47 -------- d-----w- c:\program files\TELUS
2009-12-29 05:49 . 2009-12-29 05:47 -------- d-----w- c:\documents and settings\All Users\Application Data\TELUS
2009-12-29 05:47 . 2009-12-29 05:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Radialpoint
2009-12-29 05:47 . 2009-10-27 19:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-21 15:51 . 2010-01-13 00:58 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-15 18:39 . 2009-10-27 19:43 40576 ----a-w- c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-11 22:30 . 2009-11-11 22:30 152576 ----a-w- c:\documents and settings\Matt\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-11 22:29 . 2009-11-11 22:29 79488 ----a-w- c:\documents and settings\Matt\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
.

------- Sigcheck -------

[-] 2008-04-15 . B5EAE45F051C7C52F6BD5519AEE46D40 . 14848 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe

[-] 2008-04-15 . ED01A2F446C5B788817C44D28E10F346 . 58880 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe

[-] 2008-04-15 . B0CA57559B588A2FBFAB22BC89C8ED2C . 512000 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-15 . 6F63C7EA78149DF6AC39D788E00802F9 . 17408 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe

[-] 2008-04-15 . 0670F46B0680D5C2AF34AE3D6695D37E . 1036288 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-07-13 458844]
"nwiz"="nwiz.exe" [2009-06-26 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-26 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-26 13762560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Tsa.exe"="c:\program files\TELUS\TELUS security advisor\Tsa.exe" [2009-12-15 4277488]
"Conime"="c:\windows\system32\conime.exe" [2008-04-15 27648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

c:\documents and settings\Matt\Start Menu\Programs\Startup\
Telus Security.lnk - c:\program files\TELUS\TELUS security services\RPS.exe [2009-12-14 649496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Hewlett-Packard\\HP QuickSync\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\TELUS\\TELUS security advisor\\ServicepointService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [28/12/2009 9:54 PM 25608]
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [24/08/2009 9:33 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [24/08/2009 9:33 PM 15856]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [01/07/2009 10:10 PM 103792]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [24/08/2009 9:33 PM 25584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 7:56 AM 74480]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [02/06/2009 6:05 PM 457200]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [11/01/2010 3:56 PM 1858144]
R2 BOTService;BOTService;c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [09/07/2009 3:08 AM 199152]
R2 Radialpoint Security Services;TELUS security services;c:\program files\TELUS\TELUS security services\RpsSecurityAwareR.exe [14/12/2009 10:26 PM 165408]
R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\TELUS\TELUS security services\AVG\Identity Protection\agent\bin\AVGIDSAgent.exe [28/12/2009 9:54 PM 5832712]
R2 ServicepointService;ServicepointService;c:\program files\TELUS\TELUS security advisor\ServicepointService.exe [28/12/2009 9:47 PM 668912]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [24/08/2009 8:59 PM 113664]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [11/05/2009 10:49 AM 56480]
R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\TELUS\TELUS security services\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [28/12/2009 9:54 PM 122376]
R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\TELUS\TELUS security services\AVG\Identity Protection\agent\drivers\AVGIDSfilter.sys [28/12/2009 9:54 PM 30216]
R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\TELUS\TELUS security services\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [28/12/2009 9:54 PM 25736]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 7:56 AM 7408]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [24/08/2009 9:11 PM 165888]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 12AFE078
*Deregistered* - 12afe078

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan sysagent
.
Contents of the 'Scheduled Tasks' folder

2010-02-06 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job
- c:\program files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2009-07-09 11:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvLsp.dll
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\qku1cxql.default\
FF - plugin: c:\program files\TELUS\TELUS security advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AESTFltr - c:\windows\system32\AESTFltr.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-06 10:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1240)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1296)
c:\windows\system32\nvLsp.dll

- - - - - - - > 'explorer.exe'(2656)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\TELUS\TELUS security services\Fws.exe
c:\program files\idt\wdm\STacSV.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\program files\TELUS\TELUS security advisor\TsaComHandler.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-02-06 10:24:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-06 18:24
ComboFix2.txt 2010-02-05 23:07

Pre-Run: 138,957,234,176 bytes free
Post-Run: 138,853,572,608 bytes free

- - End Of File - - 1E86D4A75C406735D6DB5911431239C4

Edited by bomni, 06 February 2010 - 02:01 PM.


#8 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,115 posts, Gender: Female, Location: Romania, Local time: 03:32 PM)

Posted 06 February 2010 - 02:50 PM

At this point we have 5 Windows core files infected. Those files need to be replaced in order to get your computer cleaned up.

At this point a reformat is the best thing you can do, given the fact that you know how to do this with a flash drive.

The alternative is to copy the infected files from your XP CD to a flash drive on a clean computer with CD drive and then transfer them to your Netbook.

I don't see evidence of a flash drive infection, but to make sure this will not happen, please use Flash Disinfector.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


Download and install an antivirus program, and make sure that you keep it updated.
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Two good antivirus programs free for non-commercial home use are Avast! and Antivir.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

regards, Elise


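The note above explains the trick Flash_Disinfector relies on: a folder named autorun.inf on the root of a drive occupies the name a worm would need for its autorun.inf file. The batch script below is an added example for this thread, not Flash_Disinfector itself and not code posted by anyone here; it reproduces that one protective step by hand so the mechanism is visible. The drive letter and the script name block_autorun.cmd are assumptions; it also refuses to overwrite an autorun.inf that already exists as a file, since on an infected flash drive that file is evidence worth reading before it is removed.

```batch
@echo off
rem Added example, not Flash_Disinfector and not code from this thread.
rem Creates a hidden, system, read-only FOLDER named autorun.inf on the root
rem of a drive, so malware that tries to drop an autorun.inf FILE there
rem fails because the name is already taken by a directory.
rem Assumed usage (drive letter is an assumption): block_autorun.cmd E:
setlocal

set "DRIVE=%~1"
if "%DRIVE%"=="" (
    echo Usage: %~nx0 ^<drive^>    example: %~nx0 E:
    exit /b 1
)

rem Already protected: a folder of that name exists. The trailing backslash
rem makes "if exist" match only a directory, not a file.
if exist "%DRIVE%\autorun.inf\" (
    echo %DRIVE%\autorun.inf is already a folder. Nothing to do.
    exit /b 0
)

rem A FILE called autorun.inf is exactly what a worm would have dropped.
rem Report it and show it rather than silently overwrite it: the [autorun]
rem section names the executable it launches, which is useful for triage.
if exist "%DRIVE%\autorun.inf" (
    echo WARNING: %DRIVE%\autorun.inf exists as a file. Inspect it first:
    type "%DRIVE%\autorun.inf"
    exit /b 2
)

mkdir "%DRIVE%\autorun.inf" || (
    echo Could not create %DRIVE%\autorun.inf
    exit /b 3
)
rem +s +h +r: system, hidden, read-only, so the folder is not shown by
rem default and a plain create, overwrite or delete of that name fails.
attrib +s +h +r "%DRIVE%\autorun.inf"
echo Created protected folder %DRIVE%\autorun.inf
endlocal
exit /b 0
```

The folder only defeats malware that performs a simple "create autorun.inf" write; code running with sufficient rights can remove the folder first, so this is a supplement to keeping AutoRun disabled, not a replacement for it. Later Windows versions stopped running autorun.inf from USB drives at all, so the trick matters mainly for XP-era systems like the one in this thread.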


#9 bomni (Topic Starter, Members, 56 posts, Local time: 07:32 AM)

Posted 06 February 2010 - 04:08 PM

Honestly I'm not entirely sure how to format a netbook. Do you know of a trusted site that has a step by step procedure for that?

If I copy those 5 core files and transfer them to my netbook I am basically replacing those files with new ones?

#10 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,115 posts, Gender: Female, Location: Romania, Local time: 03:32 PM)

Posted 06 February 2010 - 04:15 PM

Well, it's not quite that simple. First we will have to expand the files from the CD to the clean computer (I can instruct you to make a short batch file for that). Then you will need to copy those files to your flash drive.

The files on your flash drive will need to be copied into your Windows folder, and after that a run of ComboFix should get them where they belong.

I don't know of a way to reformat a Netbook, but I will look into that and let you know what I find.

regards, Elise


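The first step Elise describes above, expanding the core files from the XP CD on a clean computer and putting them on a flash drive, is what the batch file below does. It is an added example for this thread, not the batch file Elise offered to write and not code from anyone in the thread. It assumes the XP CD is in drive D: and the flash drive is E:, and it names a folder E:\xp_core_files; all three are assumptions to adjust. It handles only the five files the ComboFix log reported as infected; copying them into the Windows folder and letting ComboFix put them in place is the later step Elise describes.

```batch
@echo off
rem Added example, not the thread's own batch file. On a clean PC with a CD
rem drive, decompress the five XP core files from the CD's i386 folder onto
rem a flash drive. Files on the CD are stored compressed with the last
rem character of the extension replaced by "_" (LSASS.EX_); expand.exe,
rem which ships with Windows, decompresses them.
rem Assumptions: the CD is drive D: and the flash drive is E:.
setlocal
set "CDDRIVE=D:"
set "DEST=E:\xp_core_files"

if not exist "%CDDRIVE%\i386\LSASS.EX_" (
    echo %CDDRIVE%\i386\LSASS.EX_ not found. Is the XP CD in drive %CDDRIVE%?
    exit /b 1
)
if not exist "%DEST%" mkdir "%DEST%"

rem The five files ComboFix reported as infected, taken from the Sigcheck
rem section of the log in this thread.
set "ERRORS=0"
for %%F in (lsass.exe spoolsv.exe winlogon.exe svchost.exe explorer.exe) do (
    rem %%~nF is the file name without extension; the CD copy is NAME.ex_
    expand "%CDDRIVE%\i386\%%~nF.ex_" "%DEST%\%%F" >nul
    if errorlevel 1 (
        echo FAILED: %%F
        set /a ERRORS+=1
    ) else (
        echo expanded %%F
    )
)

rem List the results so the sizes can be compared with the Sigcheck lines in
rem the ComboFix log. A CD without Service Pack 3 yields older 5.1.2600.xxxx
rem builds than the 5.1.2600.5512 versions the log lists, and those would
rem not match the rest of the installed system.
dir "%DEST%"
endlocal & exit /b %ERRORS%
```

The exit code is the number of files that failed to expand, so a wrapper or the person running it can tell at a glance whether all five came out. The service-pack caveat is the important check: the Sigcheck lines in the log carry the version of each infected file, and the replacement taken from the CD should report the same version in its file properties before it is copied over.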


#11 bomni (Topic Starter, Members, 56 posts, Local time: 07:32 AM)

Posted 06 February 2010 - 04:51 PM

Hi,

I have been doing some searching and have found some instructions on how to format, but I am hesitant about doing this.

This is the link for netbook formatting:

http://www.tomshardware.com/forum/53882-35...t-netbook-drive


I just do not want to try something and not have it work, or have my computer not work.

But I am prepared to do whatever you find best or easiest for you, as you are the one helping me!



Thanks in advance.

#12 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,115 posts, Gender: Female, Location: Romania, Local time: 03:32 PM)

Posted 07 February 2010 - 05:17 AM

Let's first check if you somehow have a recovery partition.

Please restart and tap F12 repeatedly until the boot menu comes up. Let me know if it has a recovery option listed there. If so, you can reset your laptop to factory settings using that option.

regards, Elise




#13 bomni (Topic Starter, Members, 56 posts, Local time: 07:32 AM)

Posted 07 February 2010 - 12:31 PM

Yes, I have a few options:

1) System Info
2) System Diagnostics
3) Boot Device Options
4) BIOS Setup
5) System Recovery

Also, another screen gives me the option of the Windows Recovery Console.

For reference, my netbook is an HP Mini 311-1000CA if you need to do some research or anything.



#14 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,115 posts, Gender: Female, Location: Romania, Local time: 03:32 PM)

Posted 07 February 2010 - 01:03 PM

Try Option 5 there. This should restore your laptop to factory settings.

regards, Elise




#15 bomni (Topic Starter, Members, 56 posts, Local time: 07:32 AM)

Posted 07 February 2010 - 02:16 PM

I tried option 2 and it took me to another screen that listed 2 options:
1) Microsoft Windows Recovery Console
2) Windows XP Home Edition

So I tried 1 and a disk read error occurred.

**EDIT** I tried again, no disk read error; however, it just took me to the options listed above and automatically took me to the same screen again with these two options, but gave me time to pick one.

Edited by bomni, 07 February 2010 - 02:21 PM.




