.tmp folders being created every five minutes


5 replies to this topic

#1 jujubeeza


  • Members
  • 3 posts

Posted 02 February 2010 - 08:18 PM

Hello, this is my first topic on this site. I have read the guide to this section of the forums and have done my best to follow them. I have exhausted all the available help that I knew of, which I presume to not be much (google, yahoo answers, tech-savvy friends). I noticed that google repeatedly put a link to a topic from this forum as the top choice, so I felt that this site could help me out too ;)

In short, I've noticed that in my c:\windows\temp folder, a random folder with a name that consists of four random letters with a .tmp extension is created every five minutes. When I perform a virus scan using webroot antispyware/antivirus, it states that a virus was found that was in each of these folders, affecting the file svchost.exe in the folder. However, when I checked, each folder had nothing in it.

This might be related to random DCOM crashes I've started to get around the same time as this virus happened. I assume they're related; maybe not.

The virus to my knowledge isn't affecting system performance, but the DCOM crashes at times, forcing me to restart, and I also get bluescreens. I assume that, because all of these errors started occurring at the same time, removal of the virus should fix all of them.

My laptop is a TOSHIBA that is running Windows Vista 32-bit home premium.

Also, I'm not sure if it's relevant, but everyday, sometimes right before a problem occurs, my antivirus tells me that it has blocked the connection to "dr.areaconnect.com"

While scanning with rootrepeal, two malware and a trojan tried to access files on my computer. Webroot antivirus stopped the malware, windows defender stopped the trojan. The malware names were: Mal/Behav-010 and Mal/FakeAV-AD.

I could not complete the rootrepeal scan. The scanner stopped for over an hour at: c:\windows\winsxs\manifest. I checked the properties of that folder, and found there to be 19,802 files. I don't know if any of this information will help; I'm just trying to help as best I can.

I zipped attach.txt using winrar and tried to upload that, but the site said I did not have permission to upload that file type, so I uploaded attach.txt instead.

Now for the forum requirements: below will be dds.txt
--------------------------------------------------------------------------

DDS (Ver_09-12-01.01) - NTFSx86
Run by Dennis at 19:29:08.67 on Tue 02/02/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1013.297 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: Webroot Desktop Firewall *enabled* {AF0CFAAE-AAB5-450a-8C74-0DEEB429DF50}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Rosewill\Common\RegistryWriter.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Dwm.exe
C:\Windows\system32\TODDSrv.exe
C:\Windows\Explorer.EXE
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Rosewill\Common\RaUI.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\svchost.exe -k wcssvc
C:\Windows\system32\conime.exe
C:\Users\Dennis\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dennis\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dennis\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dennis\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dennis\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
uRun: [<NO NAME>]
uRun: [ehTray.exe] "c:\windows\ehome\ehTray.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [RtHDVCpl] "c:\windows\RtHDVCpl.exe"
mRun: [NDSTray.exe] NDSTray.exe
mRun: [HWSetup] "c:\program files\toshiba\utilities\HWSetup.exe" hwSetUP
mRun: [SVPWUTIL] "c:\program files\toshiba\utilities\SVPWUTIL.exe" SVPwUTIL
mRun: [TPwrMain] "c:\program files\toshiba\power saver\TPwrMain.EXE"
mRun: [HSON] "c:\program files\toshiba\tbs\HSON.exe"
mRun: [SmoothView] "c:\program files\toshiba\smoothview\SmoothView.exe"
mRun: [SynTPStart] "c:\program files\synaptics\syntp\SynTPStart.exe"
mRun: [<NO NAME>]
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [LtMoh] "c:\program files\ltmoh\Ltmoh.exe"
mRun: [KeNotify] "c:\program files\toshiba\utilities\KeNotify.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SpySweeper] c:\program files\webroot\spy sweeper\SpySweeperUI.exe /startintray
StartupFolder: c:\users\dennis\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\rosewi~1.lnk - c:\program files\rosewill\common\RaUI.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {1AD649C1-8B55-4033-9019-CF452DB5499E} - hxxp://comic.paran.com/tns_web2/ToonsXParan3.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader2.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {BC1B2B87-020B-41B4-B654-AA594DF17C9C} - hxxp://mgameweb.nefficient.co.kr/mgameweb/download/cab/mglaunch_vista.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\dennis\appdata\roaming\mozilla\firefox\profiles\cmi6kpqt.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\dennis\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\dennis\program files\dna\plugins\npbtdna.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-11-6 29808]
R1 pwipf6;Privacyware Filter Driver;c:\windows\system32\drivers\pwipf6.sys [2008-7-31 95624]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\rosewill\common\RegistryWriter.exe [2010-1-27 185632]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-11-6 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2009-8-9 1201640]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2007-11-21 724992]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-11-29 21504]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2008-7-9 42512]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]
S4 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-11-5 110592]
S4 WDFNet;Webroot Desktop Firewall network service;c:\program files\webroot\webroot desktop firewall\wdfsvc.exe [2008-7-31 353672]
S4 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]

=============== Created Last 30 ================

2010-02-02 21:00:14 98816 ----a-w- c:\windows\sed.exe
2010-02-02 21:00:14 77312 ----a-w- c:\windows\MBR.exe
2010-02-02 21:00:14 261632 ----a-w- c:\windows\PEV.exe
2010-02-02 21:00:14 161792 ----a-w- c:\windows\SWREG.exe
2010-02-02 20:56:30 0 d-s---w- C:\ComboFix
2010-01-31 02:21:35 0 d-----w- c:\users\dennis\appdata\roaming\Malwarebytes
2010-01-31 02:21:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-31 02:21:24 0 d-----w- c:\programdata\Malwarebytes
2010-01-31 02:21:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-31 02:21:22 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-27 23:01:46 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2010-01-27 21:07:02 0 d-----w- c:\programdata\Ralink
2010-01-27 21:06:40 1597440 ----a-w- c:\windows\system32\RaCertMgr.dll
2010-01-27 21:06:03 221184 ----a-w- c:\windows\system32\RaCoInst.dll
2010-01-27 21:06:03 13931 ----a-w- c:\windows\system32\RaCoInst.dat
2010-01-27 21:06:03 0 d-----w- c:\programdata\Rosewill Driver
2010-01-27 21:05:13 0 d-----w- c:\program files\Cisco
2010-01-27 21:05:03 97280 ----a-w- c:\windows\system32\RAEXTUI.dll
2010-01-27 21:05:03 766464 ----a-w- c:\windows\system32\RAIHV.dll
2010-01-27 21:05:03 1048576 ----a-w- c:\windows\system32\CiscoEapFast.dll
2010-01-27 21:05:03 0 d-----w- c:\program files\Rosewill
2010-01-27 13:12:34 0 d-----w- c:\users\dennis\Program Files
2010-01-25 23:58:24 0 d-----w- c:\programdata\Sun
2010-01-18 15:37:08 15749 ----a-w- c:\users\dennis\Uniblue Systems Ltd. Online Store.htm
2010-01-18 15:33:12 60813 ----a-w- c:\users\dennis\AKD-7364964176.pdf
2010-01-18 15:25:42 0 d-----w- c:\program files\Uniblue
2010-01-16 18:14:59 0 ----a-w- c:\windows\PowerReg.dat
2010-01-16 18:09:42 0 d-----w- c:\program files\Infogrames Interactive
2010-01-13 13:27:22 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 13:27:18 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-10 19:04:47 373248 ----a-w- c:\windows\system32\MSVCRTD.DLL
2010-01-10 19:04:47 174592 ----a-w- c:\windows\system32\MSPDB50.DLL
2010-01-07 19:53:13 0 d-----w- c:\users\dennis\appdata\roaming\DNA
2010-01-07 19:53:13 0 d-----w- c:\program files\DNA
2010-01-07 18:54:15 0 d-----w- c:\programdata\CCP
2010-01-07 18:54:15 0 d-----w- c:\program files\CCP
2010-01-06 13:33:29 863 ----a-w- C:\net_save.dna
2010-01-06 13:33:15 0 d-----w- c:\program files\support.com
2010-01-06 13:33:03 0 d-----w- c:\program files\common files\SupportSoft
2010-01-05 02:58:36 0 d-----w- c:\users\dennis\appdata\roaming\PeerNetworking

==================== Find3M ====================

2010-02-02 18:54:07 319984 ----a-w- c:\windows\DIFxAPI.dll
2010-01-27 21:06:24 51200 ----a-w- c:\windows\inf\infpub.dat
2010-01-27 21:06:24 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-01-27 21:06:21 143360 ----a-w- c:\windows\inf\infstor.dat
2010-01-27 17:01:30 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-14 16:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-24 00:23:06 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-24 00:22:33 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-12-23 01:33:31 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-12-12 20:07:49 39 ----a-w- c:\users\dennis\jagex_runescape_preferences.dat
2009-12-12 19:56:31 69 ----a-w- c:\users\dennis\jagex_runescape_preferences2.dat
2009-11-09 12:31:42 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30:03 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-06 20:19:42 1563008 ----a-w- c:\windows\WRSetup.dll
2008-11-29 15:14:43 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-07-07 14:17:05 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 19:32:57.81 ===============

Okay, the folders for whatever reason have stopped replicating every five minutes, but rootrepeal still "freezes" when it tries to scan manifest.
My more pertinent problem now is that the svchost.exe process that runs the services DcomLaunch and PlugPlay is using 50% of my CPU when I'm not even doing anything. This DOES affect system performance and is bothering me.

I await help as soon as possible.


===========

Merged posts. ~ OB


Edited by Orange Blossom, 19 August 2010 - 01:07 AM.
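The post describes a folder with a random four-character name and a .tmp extension appearing in C:\Windows\Temp every five minutes. Before hunting for the process responsible, it helps to confirm that the cadence really is fixed and to predict when the next folder will land, so that a capture tool (Process Monitor, file-system auditing) is running at that moment. The script below is an added example, not part of the original post or of any tool mentioned in this thread. It runs on a constructed sample built to match the description; `collect()` can be pointed at a real directory instead. The folder-name pattern, the 10% tolerance and the 80% regularity threshold are assumptions.

```python
"""Confirm the "a new folder every five minutes" symptom and time-box it.

Added example for this thread; it is not part of DDS, Webroot or the original
post. It looks at folders named like the ones described (four characters plus
".tmp"), orders them by creation time and reports whether the creation times
form a fixed period. A fixed period means a timer is driving this (a scheduled
task, a service, a process re-launching on an interval), and the predicted next
creation time tells you when to have a capture tool running.
"""
import os
import re
import statistics
from datetime import datetime, timedelta

# Folder names as described in the post: four random characters plus ".tmp".
# The character class is an assumption; widen it if the real names differ.
NAME_RE = re.compile(r"^[A-Za-z0-9]{4}\.tmp$")

# Constructed sample (not real data from the affected machine): eight matching
# folders five minutes apart, with one fifteen-minute gap as if the laptop had
# been asleep, plus one unrelated folder that the name filter must drop.
BASE_TIME = datetime(2010, 2, 2, 18, 0, 0)
SAMPLE = [
    ("Ab3k.tmp", BASE_TIME),
    ("Qz9w.tmp", BASE_TIME + timedelta(seconds=300)),
    ("Ml0p.tmp", BASE_TIME + timedelta(seconds=600)),
    ("Xc7d.tmp", BASE_TIME + timedelta(seconds=900)),
    ("Rt2n.tmp", BASE_TIME + timedelta(seconds=1800)),
    ("Hj5v.tmp", BASE_TIME + timedelta(seconds=2100)),
    ("Ws8b.tmp", BASE_TIME + timedelta(seconds=2400)),
    ("Ke1y.tmp", BASE_TIME + timedelta(seconds=2700)),
    ("Installer_cache", BASE_TIME + timedelta(seconds=2750)),
]


def matching(samples, name_re=NAME_RE):
    """Keep only (name, created) pairs whose name fits the pattern."""
    return [(n, t) for n, t in samples if name_re.match(n)]


def collect(directory, name_re=NAME_RE):
    """Scan a real directory (e.g. C:\\Windows\\Temp) for matching folders.

    On Windows, st_ctime is the creation time, which is what we want here.
    """
    found = []
    with os.scandir(directory) as it:
        for entry in it:
            if entry.is_dir(follow_symlinks=False) and name_re.match(entry.name):
                found.append((entry.name, datetime.fromtimestamp(entry.stat().st_ctime)))
    return found


def periodicity(samples, tolerance=0.10):
    """Estimate the creation period from (name, created) pairs.

    Returns None with fewer than three samples. Otherwise returns
    (period_seconds, fraction_of_gaps_within_tolerance, sample_count). The
    median gap is used as the period so a single long gap (sleep, reboot)
    cannot skew the estimate; the fraction tells you how regular the rest are.
    """
    times = sorted(t for _, t in samples)
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    period = statistics.median(gaps)
    if period <= 0:
        return None
    regular = sum(1 for g in gaps if abs(g - period) <= tolerance * period)
    return period, regular / len(gaps), len(times)


def describe(samples):
    """Summary for a responder: period, regularity, window and next expected."""
    kept = matching(samples)
    est = periodicity(kept)
    if est is None:
        return {"matched": len(kept), "periodic": False}
    period, fraction, count = est
    times = sorted(t for _, t in kept)
    return {
        "matched": count,
        "periodic": fraction >= 0.8,   # threshold is an assumption
        "period_seconds": period,
        "regular_fraction": fraction,
        "first": times[0],
        "last": times[-1],
        "next_expected": times[-1] + timedelta(seconds=period),
    }


if __name__ == "__main__":
    import sys
    data = collect(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for key, value in describe(data).items():
        print(f"{key}: {value}")
```

Run it with the temp directory as the only argument to analyse a live machine; with no argument it reports on the constructed sample. The "next_expected" value is the moment to have monitoring running, and "first" gives a lower bound on when the infection (or the timer that drives it) was installed, which narrows the window for the "Created Last 30" section of the DDS log.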



#2 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 February 2010 - 07:42 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Can you try running Gmer, another rootkit scanner?

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE
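Once GMER has written gmer.log, the first pass is to separate hooks that security software routinely installs (SSDT entries on the process and thread APIs, a process hooking its own image) from the entries that matter: kernel imports redirected into a module that GMER cannot find on disk, and a driver whose entry point has moved into its .rsrc section. The parser below is an added example for triaging that file, not part of GMER or of the procedure above. Its sample input is constructed in GMER's line format (addresses illustrative), the regular expressions are written against that format, and the severity labels are the editor's own.

```python
"""Triage a saved GMER log: pull out the hook types a responder looks at first.

Added example for this thread; it is not part of GMER or of the forum's
procedure. Input is the plain text that GMER's "Save..." button writes.
"""
import re

# Constructed sample in GMER's line format (addresses illustrative). It covers
# the entry types GMER prints: SSDT hooks, a "?" marker for a driver GMER cannot
# find on disk, a driver whose entry point lies in .rsrc, kernel IAT entries
# redirected into another module, and user-mode inline hooks.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 84866CD8 ZwAllocateVirtualMemory
SSDT 84868488 ZwCreateProcess
SSDT 84866C60 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spbq.sys The system cannot find the path specified. !
.rsrc C:\Windows\system32\drivers\atapi.sys entry point in ".rsrc" section [0x86675024]
.text USBPORT.SYS!DllUnload 8B15041B 5 Bytes JMP 8581F1D8

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3216] kernel32.dll!VirtualProtect 765A1DC3 5 Bytes JMP 000169B0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc.)
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[3348] kernel32.dll!CreateThread + 1A 765EC928 4 Bytes CALL 00450771 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 83E732D8
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [82A456D6] \SystemRoot\System32\Drivers\spbq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [82A45042] \SystemRoot\System32\Drivers\spbq.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [82A54B90] \SystemRoot\System32\Drivers\spbq.sys
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
SSDT_RE = re.compile(r"^SSDT\s+[0-9A-Fa-f]+\s+(\S+)")
MISSING_RE = re.compile(r"^\?\s+(\S+)\s+The system cannot find the path specified")
RSRC_RE = re.compile(r'^\.rsrc\s+(\S+)\s+entry point in "\.rsrc" section')
# IAT <victim>[<import>] then either "[addr] <target module>" or a bare address.
IAT_RE = re.compile(
    r"^IAT\s+(\S+?)\[(\S+?)\]\s+(?:\[[0-9A-Fa-f]+\]\s+(\S+)|[0-9A-Fa-f]+)\s*$"
)
# .text <process>[<pid>] <module>!<function>[ + off] <addr> <n> Bytes JMP|CALL <addr> <hooking module> (...)
USER_HOOK_RE = re.compile(
    r"^\.text\s+(.+?)\[(\d+)\]\s+(\S+)!(\S+)(?:\s+\+\s+[0-9A-Fa-f]+)?"
    r"\s+[0-9A-Fa-f]+\s+\d+ Bytes\s+(?:JMP|CALL)\s+[0-9A-Fa-f]+\s+(.+?)(?:\s+\(|$)"
)


def _base(path):
    """Lower-cased file name of a Windows path, whatever prefix style GMER used."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(text):
    """Parse a GMER log into the findings a responder wants grouped."""
    findings = {
        "ssdt_hooks": [],
        "missing_modules": set(),
        "entry_point_anomalies": [],
        "iat_entries": [],        # (victim driver, import, target module or None)
        "suspicious_iat": [],
        "user_hooks": {"self": [], "foreign": []},
    }
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif (m := SSDT_RE.match(line)):
            findings["ssdt_hooks"].append(m.group(1))
        elif (m := MISSING_RE.match(line)):
            findings["missing_modules"].add(_base(m.group(1)))
        elif (m := RSRC_RE.match(line)):
            findings["entry_point_anomalies"].append(_base(m.group(1)))
        elif (m := IAT_RE.match(line)):
            target = _base(m.group(3)) if m.group(3) else None
            findings["iat_entries"].append((_base(m.group(1)), m.group(2), target))
        elif section and section.startswith("User code") and (m := USER_HOOK_RE.match(line)):
            proc, pid, mod, func, hooker = m.groups()
            # A process patching APIs inside its own image is normal for security
            # software; a hook placed by some other module is worth a look.
            kind = "self" if _base(proc) == _base(hooker) else "foreign"
            findings["user_hooks"][kind].append((_base(proc), int(pid), f"{mod}!{func}", _base(hooker)))
    # An import redirected into a module GMER cannot find on disk is the strongest
    # signal in the file: something is servicing those calls from memory while
    # its file is hidden or gone.
    findings["suspicious_iat"] = [
        e for e in findings["iat_entries"] if e[2] in findings["missing_modules"]
    ]
    return findings


def summarize(findings):
    """Human-readable lines, highest priority first (labels are the editor's)."""
    out = []
    for victim, imp, target in findings["suspicious_iat"]:
        out.append(f"HIGH: {victim} import {imp} redirected into {target}, which GMER cannot find on disk")
    for drv in findings["entry_point_anomalies"]:
        out.append(f"HIGH: {drv} entry point inside .rsrc (execution starts in a resource section)")
    if findings["ssdt_hooks"]:
        out.append(f"INFO: {len(findings['ssdt_hooks'])} SSDT hooks; security software commonly "
                   "hooks process/thread APIs, confirm the owner")
    for proc, pid, api, hooker in findings["user_hooks"]["foreign"]:
        out.append(f"MEDIUM: {proc}[{pid}] {api} hooked by foreign module {hooker}")
    return out


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in summarize(triage(text)):
        print(line)
```

Pass the saved gmer.log path as the argument; with no argument it runs on the constructed sample. The output is a starting point for reading the log, not a verdict: the parser does not know which driver legitimately owns an SSDT hook, so the "INFO" line still needs a person to match the hook addresses to a loaded, signed module.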

#3 jujubeeza

  • Topic Starter

  • Members
  • 3 posts

Posted 10 February 2010 - 09:52 PM

Hello m0le, pleasure to meet you.

My laptop got better rather than worse during the waiting period. It got to the point where there were seemingly no errors, and I thought I had solved everything and it was fine. Then Windows Update stated there were eight important updates to perform. I was wary of anything at this point, and so I manually created a restore point, and updated. After doing so, my computer failed to load Windows on the restart, and I had to use System Restore to restore to the point I had made beforehand. However, a plethora of problems began occurring at that point.

Every ten to twenty minutes now, I'll get a Microsoft Windows error message stating "Host Process for Windows has Stopped." I figured that meant some random svchost.exe service has stopped, but it wasn't DCOMLaunch or Plugplay, the two that had previously given me such miserable headaches. It won't force my laptop to restart or affect system performance--but it is annoying.

Also, I use google chrome as my main browser. I have it set up on quick launch, and sometimes, especially if I have been away from my laptop for an hour or so, (example: I took a 90 minute nap while letting the laptop run GMER), when I click on it, I get the blue screen of death. Outside of having a digital camera or something, I don't know how to tell you what it says. I can't even write it down because the laptop force restarts itself in like 10 seconds without my being able to stop it.

All in all, I'm going insane and might waste three hundred or so dollars to buy RAM and windows 7 64-bit on a laptop that I was planning on replacing within the year. If you could help me save this one, I'd be so darn grateful.

Here is the result of the GMER scan.
----------------------------------------------------------------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-10 21:27:42
Windows 6.0.6002 Service Pack 2
Running: n7y3ce0x.exe; Driver: C:\Users\Dennis\AppData\Local\Temp\pxryrpow.sys


---- System - GMER 1.0.15 ----

SSDT 84866CD8 ZwAllocateVirtualMemory
SSDT 84868488 ZwCreateProcess
SSDT 84868280 ZwCreateProcessEx
SSDT 84866FA8 ZwCreateThread
SSDT 84866D50 ZwQueueApcThread
SSDT 84866BE8 ZwReadVirtualMemory
SSDT 84866E40 ZwSetContextThread
SSDT 84868190 ZwSetInformationProcess
SSDT 84866EB8 ZwSetInformationThread
SSDT 84866020 ZwSuspendProcess
SSDT 84866DC8 ZwSuspendThread
SSDT 84868208 ZwTerminateProcess
SSDT 84866F30 ZwTerminateThread
SSDT 84866C60 ZwWriteVirtualMemory
SSDT 84866AF8 ZwCreateThreadEx
SSDT 84866B70 ZwCreateUserProcess

INT 0x62 ? 8581FBF8
INT 0x72 ? 8581FBF8
INT 0x82 ? 83E74BF8
INT 0x92 ? 83E74BF8
INT 0xA2 ? 8581FBF8
INT 0xB1 ? 83E73BF8
INT 0xB1 ? 83E73BF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeInsertQueue + 321 820AD958 4 Bytes [D8, 6C, 86, 84] {FSUBR DWORD [ESI+EAX*4-0x7c]}
.text ntoskrnl.exe!KeInsertQueue + 3F9 820ADA30 8 Bytes [88, 84, 86, 84, 80, 82, 86, ...]
.text ntoskrnl.exe!KeInsertQueue + 411 820ADA48 4 Bytes [A8, 6F, 86, 84]
.text ntoskrnl.exe!KeInsertQueue + 6D5 820ADD0C 4 Bytes [50, 6D, 86, 84]
.text ntoskrnl.exe!KeInsertQueue + 6ED 820ADD24 4 Bytes CALL 9E8F6394
.text ...
? System32\Drivers\spbq.sys The system cannot find the path specified. !
.rsrc C:\Windows\system32\drivers\atapi.sys entry point in ".rsrc" section [0x86675024]
.text USBPORT.SYS!DllUnload 8B15041B 5 Bytes JMP 8581F1D8
.text a4qkj54q.SYS 8B251000 22 Bytes [82, 43, 01, 82, 6C, 42, 01, ...]
.text a4qkj54q.SYS 8B251017 81 Bytes [00, 32, 17, B4, 82, 3D, 15, ...]
.text a4qkj54q.SYS 8B251069 24 Bytes [6B, 09, 82, B0, 88, 08, 82, ...]
.text a4qkj54q.SYS 8B251082 60 Bytes [05, 82, 79, 21, 05, 82, 0C, ...]
.text a4qkj54q.SYS 8B2510BF 13 Bytes [82, 00, 00, 00, 00, 00, 00, ...] {ADD BYTE [EAX], 0x0; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text ain7a82s.SYS 8B28A000 22 Bytes [82, 43, 01, 82, 6C, 42, 01, ...]
.text ain7a82s.SYS 8B28A017 29 Bytes [00, 32, 17, B4, 82, 3D, 15, ...]
.text ain7a82s.SYS 8B28A035 129 Bytes [51, 06, 82, B4, 7E, 06, 82, ...]
.text ain7a82s.SYS 8B28A0B7 22 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ain7a82s.SYS 8B28A0CE 80 Bytes [00, 00, 26, 00, 00, 00, E0, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3216] ntdll.dll!KiUserExceptionDispatcher + A 775A5DD2 5 Bytes JMP 00017DB0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3216] kernel32.dll!VirtualProtect 765A1DC3 5 Bytes JMP 000169B0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3216] kernel32.dll!LoadLibraryExW 765C9109 5 Bytes JMP 00016000 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3216] kernel32.dll!VirtualFree 765E40AA 5 Bytes JMP 00016990 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3216] kernel32.dll!VirtualAlloc 765EAD55 5 Bytes JMP 00016960 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3216] kernel32.dll!CreateFileA 765ECE5F 5 Bytes JMP 00016000 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[3348] kernel32.dll!CreateThread + 1A 765EC928 4 Bytes CALL 00450771 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 83E732D8
IAT \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [82A6FDDC] \SystemRoot\System32\Drivers\spbq.sys
IAT \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [82A6FE30] \SystemRoot\System32\Drivers\spbq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [82A456D6] \SystemRoot\System32\Drivers\spbq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [82A45042] \SystemRoot\System32\Drivers\spbq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [82A45800] \SystemRoot\System32\Drivers\spbq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [82A450C0] \SystemRoot\System32\Drivers\spbq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [82A4513E] \SystemRoot\System32\Drivers\spbq.sys
IAT \SystemRoot\system32\drivers\ataport.SYS[ntoskrnl.exe!DbgBreakPoint] 83E742D8
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8581F2D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [82A54B90] \SystemRoot\System32\Drivers\spbq.sys
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortNotification] CC358B04
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortWritePortUchar] 838B277F
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortWritePortUlong] 458B38C6
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortGetPhysicalAddress] A5A5A514
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] [100D8BA5] \Program Files\DAEMON Tools Lite\Engine.dll (Helper library/DT Soft Ltd)
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortGetScatterGatherList] 5F8B2750
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortReadPortUchar] 30810889
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortStallExecution] 54771129
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortGetParentBusType] 10C25D5E
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortRequestCallback] 8B55CC00
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 084D8BEC
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortGetUnCachedExtension] 0CF0918B
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortCompleteRequest] 458B0000
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortMoveMemory] [8B108910] \SystemRoot\system32\DRIVERS\Rtlh86.sys (Realtek 8101E/8168/8169 NDIS6 32-bit Driver /Realtek Corporation )
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 000CF491
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 04508900
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 053C7980
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortReadPortUshort] 560C558B
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortReadPortBufferUshort] C6127557
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortInitialize] B18D0502
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortGetDeviceBase] 00000CF8
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[ataport.SYS!AtaPortDeviceStateChange] A508788D
IAT \SystemRoot\System32\Drivers\a4qkj54q.SYS[NTOSKRNL.exe!KeTickCount] [8B118920] \SystemRoot\system32\DRIVERS\usbuhci.sys (UHCI USB Miniport Driver/Microsoft Corporation)
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortNotification] F73BFF33
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortWritePortUchar] B85F0B75
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortWritePortUlong] FFFFFFFE
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 08C25D5E
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 5D8B5300
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortGetScatterGatherList] 74DF3B0C
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortReadPortUchar] 01FB8311
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortStallExecution] 5F5B0C74
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortGetParentBusType] FFFFFEB8
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortRequestCallback] C25D5EFF
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 7E390008
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortGetUnCachedExtension] C7077524
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortCompleteRequest] 81642446
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortMoveMemory] 7E398B29
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] C7077528
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 81902846
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 468B8B29
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortReadPortUshort] 244E8B2C
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7468016A
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortInitialize] 500000FA
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortGetDeviceBase] C73BD1FF
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[ataport.SYS!AtaPortDeviceStateChange] 5F5B0C75
IAT \SystemRoot\System32\Drivers\ain7a82s.SYS[NTOSKRNL.exe!KeTickCount] 56EC8B55
IAT \SystemRoot\system32\DRIVERS\storport.sys[ntoskrnl.exe!DbgBreakPoint] 8593B2D8

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[3348] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [004508C8] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)
IAT C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[3348] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [004508C8] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)
IAT C:\Windows\Explorer.EXE[3940] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73537817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3940] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7358A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3940] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7353BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3940] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7352F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3940] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [735375E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3940] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7352E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3940] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73568395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3940] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7353DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3940] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7352FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3940] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7352FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3940] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [735271CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3940] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [735BCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3940] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7355C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3940] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7352D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3940] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73526853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3940] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7352687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3940] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73532AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 848031F8

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device \Driver\netbt \Device\NetBT_Tcpip_{208ECA7A-953E-4E93-A2B0-5306BC50FC81} 85FC31F8

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\volmgr \Device\VolMgrControl 848001F8
Device \Driver\usbuhci \Device\USBPDO-0 858651F8
Device \Driver\usbuhci \Device\USBPDO-1 858651F8
Device \Driver\usbuhci \Device\USBPDO-2 858651F8
Device \Driver\usbuhci \Device\USBPDO-3 858651F8
Device \Driver\usbehci \Device\USBPDO-4 858691F8

AttachedDevice \Driver\tdx \Device\Tcp pwipf6.sys (pwipf6/Webroot Software Inc (www.webroot.com))

Device \Driver\PCI_PNP9433 \Device\00000057 spbq.sys
Device \Driver\volmgr \Device\HarddiskVolume1 848001F8
Device \Driver\PCI_PNP9433 \Device\00000058 spbq.sys
Device \Driver\volmgr \Device\HarddiskVolume2 848001F8
Device \Driver\cdrom \Device\CdRom0 859441F8
Device \Driver\cdrom \Device\CdRom1 859441F8
Device \Driver\atapi \Device\Ide\IdePort0 848021F8
Device \Driver\atapi \Device\Ide\IdePort1 848021F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 848021F8
Device \Driver\cdrom \Device\CdRom2 859441F8
Device \Driver\netbt \Device\NetBt_Wins_Export 85FC31F8
Device \Driver\Smb \Device\NetbiosSmb 85FC01F8
Device \Driver\iScsiPrt \Device\RaidPort0 859321F8
Device \Driver\netbt \Device\NetBT_Tcpip_{913B64A1-2CB8-4419-AA7D-9AFA24048303} 85FC31F8

AttachedDevice \Driver\tdx \Device\Udp pwipf6.sys (pwipf6/Webroot Software Inc (www.webroot.com))
AttachedDevice \Driver\tdx \Device\RawIp pwipf6.sys (pwipf6/Webroot Software Inc (www.webroot.com))

Device \Driver\usbuhci \Device\USBFDO-0 858651F8
Device \Driver\usbuhci \Device\USBFDO-1 858651F8
Device \Driver\usbuhci \Device\USBFDO-2 858651F8
Device \Driver\usbuhci \Device\USBFDO-3 858651F8
Device \Driver\usbehci \Device\USBFDO-4 858691F8
Device \Driver\sptd \Device\1943399448 spbq.sys
Device \Driver\sptd \Device\1943555449 spbq.sys
Device \Driver\ain7a82s \Device\Scsi\ain7a82s1Port4Path0Target0Lun0 859381F8
Device \Driver\a4qkj54q \Device\Scsi\a4qkj54q1Port3Path0Target0Lun0 858D11F8
Device \Driver\a4qkj54q \Device\Scsi\a4qkj54q1 858D11F8
Device \Driver\ain7a82s \Device\Scsi\ain7a82s1 859381F8
Device \FileSystem\cdfs \Cdfs 8621B1F8
Device -> \Driver\atapi \Device\Harddisk0\DR0 8491E856

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1C 0x63 0x36 0x52 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4D 0x9F 0xD3 0xBF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x8F 0x05 0x30 0x77 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x83 0x1E 0xB0 0x11 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC2 0x42 0x58 0x6F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5A 0xB2 0x46 0x9D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5B 0xCC 0x1E 0x6B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4D 0x9F 0xD3 0xBF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x8F 0x05 0x30 0x77 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x83 0x1E 0xB0 0x11 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC2 0x42 0x58 0x6F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5A 0xB2 0x46 0x9D ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


-------------------------------------
Note: The only program I have installed on my laptop since I first requested aid on this site is Daemon Tools Lite.

Edited by jujubeeza, 10 February 2010 - 09:54 PM.


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:47 AM

Posted 11 February 2010 - 07:36 AM

Setting the system restore may well have reinfected you. There is definitely an infection in a system file from a rootkit which is nasty called TDSS.

Let's try and stop some of the processes and allow Combofix to replace the infected file.


Please download Rkill by Grinler and save it to your desktop.
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • Paste the resulting log in your next reply.

Now

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks
m0le is a proud member of UNITE

#5 m0le

Posted 14 February 2010 - 07:26 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le

#6 m0le

Posted 15 February 2010 - 08:07 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.



