Unknown malware wreaking havoc


  • This topic is locked
18 replies to this topic

#1 JFores
  • Members
  • 10 posts

Posted 17 February 2010 - 12:04 PM

Hello all,

I used this page to great success when dealing with a Windows Defender malware in the past and I'm back again... This one seems a lot more nasty.

When the problem arose (2 days ago) it was initially caught by my expired Spysweeper and I then tried to get it with Malwarebytes. When I hit "finish" on the Malwarebytes scan it blue screened me. Upon restarting my desktop wouldn't display (completely black as was everything else) and only the My Documents folder remained open. I fixed this by undoing the corruptions it caused in my registry, but I still have no internet and I can't get Malwarebytes to run without blue screening. Spysweeper can run and detects a "App/NirSoft-Gen" but that's the only overtly malicious thing it's picking up. It's also expired and therefore useless. I've tried Spyware Doctor and AdAware but both were stopped or corrupted by the malware as I tried to either install them or open them from safe mode and normal Windows. I've been running rkill before everything but that even seems as if it's being stopped. When I run it in Safe Mode it opens and quickly disappears (in the past it took much longer.) This entire infection seems a tad useless to anyone. They're not trying to extort me, there's no internet, etc. All rather annoying.

Thanks,

Justin


#2 JFores
  • Topic Starter
  • Members
  • 10 posts

Posted 18 February 2010 - 01:21 PM

Bump?

#3 JFores
  • Topic Starter
  • Members
  • 10 posts

Posted 19 February 2010 - 05:44 AM

Ok seeing as I've gone without a response I attempted a few things myself...

I haven't been able to get Superantispyware to even install properly. I just found the safe run version at the bottom of the guide and will try it ASAP though. The only luck that I had was with SmitFraudFix which did remove a number of files, but since then my Windows Explorer crashes constantly when not in safe mode. It's OK in safe mode, but upon normal startup it will crash when any folder is opened. I'm still unable to connect to the internet, I can't run Malwarebytes without blue screening about 30 seconds in and I'm running out of options. I'm a poor student so I'm really trying to hold off taking this thing into a shop.

Justin

#4 Elise
  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,107 posts
  • Location:Romania

Posted 19 February 2010 - 06:34 AM

Hello there :)

First of all, since you bumped your topic, it will show up in the forum page as "replied to". This will reduce your chance at getting a reply.

Since today's malware tends to use advanced hiding techniques, let's start with a rootkit scan. Note: if GMER bluescreens, try to run it with the "devices" box unchecked.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#5 JFores
  • Topic Starter
  • Members
  • 10 posts

Posted 19 February 2010 - 09:57 AM

Thank you for the response,

I'm going to run GMER shortly. I ended up getting Superantispyware to run by using the saferun package at the bottom of the guide on here. It ended up removing something like 168 files and a bunch of registry changes. Most seemed harmless but two chunks looked like trojans. My Windows Explorer still doesn't seem right so I'll try this, though I think the issue might be with my Windows install. Whether it's from the trojans, their removal or my earlier use of SmitFraudFix, something seems off (I can open folders now which is an improvement but attempting to open my Control Panel crashes Windows Explorer all the same.)

Is there any simple way that I can repair my Windows folder?

Rkill consistently terminates a process called \\?\C:\Windows\System32\wbem\WMIADAP.EXE

The main things found by superantispyware were Rootkit.Agent/Gen-4DW4R3 and Trojan.Agent/Gen-Alureon though more came up later in the search (I took my picture early on and forgot to take another later...)

I can now run Malwarebytes in Safe Mode! Improvement! Though my computer is useless out of Safe Mode. Malwarebytes detects nothing on a quick scan. Will try full soon.

Justin

And the GMER results are here...

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-19 15:28:31
Windows 6.0.6002 Service Pack 2
Running: cyi1kok0.exe; Driver: C:\Users\Justin\AppData\Local\Temp\uxldapow.sys


---- System - GMER 1.0.15 ----

INT 0x62 ? 86C6CF00
INT 0x72 ? 86C6CF00
INT 0x72 ? 86C6CF00
INT 0x72 ? 86C6CF00
INT 0x82 ? 86C6CF00
INT 0x82 ? 86C6CF00
INT 0x82 ? 86C6CF00
INT 0x82 ? 86C6CF00
INT 0xA2 ? 860B1BF8
INT 0xA2 ? 860B1BF8

Code 90108EB5 ZwCallbackReturn
Code 90108979 ZwEnumerateKey
Code 9010896F ZwSaveKey
Code 90108974 ZwSaveKeyEx
Code 90108BD2 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 8265A9CF 5 Bytes JMP 90108BD7
.text ntkrnlpa.exe!ZwCallbackReturn 826C32FC 5 Bytes JMP 90108EB9
PAGE ntkrnlpa.exe!ZwEnumerateKey 828130C0 5 Bytes JMP 9010897D
PAGE ntkrnlpa.exe!ZwSaveKey 82868969 5 Bytes JMP 90108973
PAGE ntkrnlpa.exe!ZwSaveKeyEx 82868B07 5 Bytes JMP 90108978
? System32\Drivers\spht.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8FD9541B 5 Bytes JMP 86C6C4E0
.text av2yl4nw.SYS 8FF2A000 22 Bytes [82, 63, 9D, 82, 6C, 62, 9D, ...]
.text av2yl4nw.SYS 8FF2A017 181 Bytes [00, 32, 77, 79, 80, 3D, 75, ...]
.text av2yl4nw.SYS 8FF2A0CE 10 Bytes [00, 00, 00, 00, 00, 00, 66, ...]
.text av2yl4nw.SYS 8FF2A0DA 12 Bytes [00, 00, 02, 00, 00, 00, 25, ...]
.text av2yl4nw.SYS 8FF2A0E7 714 Bytes [00, F0, 0E, 00, 00, 00, 00, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[1492] WS2_32.dll!recv 7740343A 5 Bytes JMP 10002FB0
.text C:\Windows\Explorer.EXE[1492] WS2_32.dll!WSASend 77404496 5 Bytes JMP 10002F7E
.text C:\Windows\Explorer.EXE[1492] WS2_32.dll!send 7740659B 5 Bytes JMP 10002FD0
.text C:\Windows\Explorer.EXE[1492] WS2_32.dll!WSARecv 77408400 5 Bytes JMP 10002F3D

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [8069E048] \SystemRoot\System32\Drivers\spht.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 860B21F8
Device \FileSystem\fastfat \FatCdrom 86FF81F8
Device \Driver\volmgr \Device\VolMgrControl 860AF1F8
Device \Driver\usbuhci \Device\USBPDO-0 86C9E1F8
Device \Driver\usbuhci \Device\USBPDO-1 86C9E1F8
Device \Driver\usbehci \Device\USBPDO-2 86C9F1F8
Device \Driver\usbuhci \Device\USBPDO-3 86C9E1F8
Device \Driver\PCI_PNP9426 \Device\00000060 spht.sys
Device \Driver\usbuhci \Device\USBPDO-4 86C9E1F8
Device \Driver\usbuhci \Device\USBPDO-5 86C9E1F8
Device \Driver\usbehci \Device\USBPDO-6 86C9F1F8
Device \Driver\volmgr \Device\HarddiskVolume1 860AF1F8
Device \Driver\volmgr \Device\HarddiskVolume2 860AF1F8
Device \Driver\cdrom \Device\CdRom0 86D031F8
Device \Driver\sptd \Device\2408925452 spht.sys
Device \Driver\volmgr \Device\HarddiskVolume3 860AF1F8
Device \Driver\cdrom \Device\CdRom1 86D031F8
Device \Driver\iaStor \Device\Ide\iaStor0 [831748E0] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [831748E0] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [831748E0] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\volmgr \Device\HarddiskVolume4 860AF1F8
Device \Driver\cdrom \Device\CdRom2 86D031F8
Device \Driver\cdrom \Device\CdRom3 86D031F8
Device \Driver\cdrom \Device\CdRom4 86D031F8
Device \Driver\iScsiPrt \Device\RaidPort0 86D0B1F8
Device \Driver\usbuhci \Device\USBFDO-0 86C9E1F8
Device \Driver\usbuhci \Device\USBFDO-1 86C9E1F8
Device \Driver\usbehci \Device\USBFDO-2 86C9F1F8
Device \Driver\usbuhci \Device\USBFDO-3 86C9E1F8
Device \Driver\USBSTOR \Device\0000007d 86F8B1F8
Device \Driver\usbuhci \Device\USBFDO-4 86C9E1F8
Device \Driver\usbuhci \Device\USBFDO-5 86C9E1F8
Device \Driver\USBSTOR \Device\0000007f 86F8B1F8
Device \Driver\usbehci \Device\USBFDO-6 86C9F1F8
Device \Driver\av2yl4nw \Device\Scsi\av2yl4nw1Port3Path0Target0Lun0 86D071F8
Device \Driver\av2yl4nw \Device\Scsi\av2yl4nw1 86D071F8
Device \FileSystem\fastfat \Fat 86FF81F8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\cdfs \Cdfs 86FF41F8

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\4DW4R3hYvnbOQxen.sys (*** hidden *** ) [SYSTEM] 4DW4R3 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BthPort\Parameters\Keys\001fe1bdbe31 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\BthPort\Parameters\Keys\001fe1bdbe31@001edc7a1e4c 0x9E 0x23 0x3D 0x2E ...
Reg HKLM\SYSTEM\ControlSet001\Services\BthPort\Parameters\Keys\001fe1bdbe31@000761c1d194 0x63 0x4A 0x47 0x10 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x71 0x51 0xA7 0x4B ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC7 0x9A 0xC7 0x68 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xF4 0xFF 0x2E 0x02 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xB4 0x9C 0x96 0xD4 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xB4 0x9C 0x96 0xD4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@imagepath \systemroot\system32\drivers\4DW4R3hYvnbOQxen.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\injector@* 4DW4R3c
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules@4DW4R3 \\?\globalroot\systemroot\system32\drivers\4DW4R3hYvnbOQxen.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules@4DW4R3c \\?\globalroot\systemroot\system32\4DW4R3WWydmNEbPx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\BthPort\Parameters\Keys\001fe1bdbe31
Reg HKLM\SYSTEM\CurrentControlSet\Services\BthPort\Parameters\Keys\001fe1bdbe31@001edc7a1e4c 0x9E 0x23 0x3D 0x2E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BthPort\Parameters\Keys\001fe1bdbe31@000761c1d194 0x63 0x4A 0x47 0x10 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x71 0x51 0xA7 0x4B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC7 0x9A 0xC7 0x68 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xF4 0xFF 0x2E 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xB4 0x9C 0x96 0xD4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xB4 0x9C 0x96 0xD4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3@imagepath \systemroot\system32\drivers\4DW4R3hYvnbOQxen.sys
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3\injector@* 4DW4R3c
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3\modules@4DW4R3 \\?\globalroot\systemroot\system32\drivers\4DW4R3hYvnbOQxen.sys
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3\modules@4DW4R3c \\?\globalroot\systemroot\system32\4DW4R3WWydmNEbPx.dll
Reg HKLM\SYSTEM\ControlSet003\Services\BthPort\Parameters\Keys\001fe1bdbe31 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BthPort\Parameters\Keys\001fe1bdbe31@001edc7a1e4c 0x9E 0x23 0x3D 0x2E ...
Reg HKLM\SYSTEM\ControlSet003\Services\BthPort\Parameters\Keys\001fe1bdbe31@000761c1d194 0x63 0x4A 0x47 0x10 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x71 0x51 0xA7 0x4B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC7 0x9A 0xC7 0x68 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xF4 0xFF 0x2E 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xB4 0x9C 0x96 0xD4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xB4 0x9C 0x96 0xD4 ...

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\4DW4R3AgwXJxHwpV.dll 28160 bytes executable
File C:\Windows\System32\4DW4R3sv.dat 53 bytes
File C:\Windows\System32\4DW4R3WWydmNEbPx.dll 28160 bytes executable
File C:\Windows\System32\drivers\4DW4R3hYvnbOQxen.sys 46592 bytes executable <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

Edited by JFores, 19 February 2010 - 10:36 AM.
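The GMER log above is the decisive evidence in this thread: inline detours on ntkrnlpa.exe exports (ZwEnumerateKey among them, which is how registry keys get hidden), WS2_32 send/recv hooks inside Explorer.EXE, and a service GMER marks as hidden whose driver, DLL and registry keys all share the 4DW4R3 prefix. Reading a log like this by hand is error-prone, so here is an added example (not part of the original post and not GMER code) that parses an excerpt of the log and correlates those three signals. The sample lines are copied from the log above; the section names and line layouts it expects are those GMER 1.0.15 printed there, and grouping kernel detours by the 4 KiB page they jump into is a heuristic of this example, not something GMER itself reports.

```python
import re
from collections import defaultdict

# Excerpt copied from the GMER 1.0.15 log posted above (not the full log).
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCompleteRequest 8265A9CF 5 Bytes JMP 90108BD7
.text ntkrnlpa.exe!ZwCallbackReturn 826C32FC 5 Bytes JMP 90108EB9
PAGE ntkrnlpa.exe!ZwEnumerateKey 828130C0 5 Bytes JMP 9010897D
PAGE ntkrnlpa.exe!ZwSaveKey 82868969 5 Bytes JMP 90108973
? System32\Drivers\spht.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8FD9541B 5 Bytes JMP 86C6C4E0
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\Explorer.EXE[1492] WS2_32.dll!recv 7740343A 5 Bytes JMP 10002FB0
.text C:\Windows\Explorer.EXE[1492] WS2_32.dll!send 7740659B 5 Bytes JMP 10002FD0
---- Services - GMER 1.0.15 ----
Service C:\Windows\system32\drivers\4DW4R3hYvnbOQxen.sys (*** hidden *** ) [SYSTEM] 4DW4R3 <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@imagepath \systemroot\system32\drivers\4DW4R3hYvnbOQxen.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules@4DW4R3c \\?\globalroot\systemroot\system32\4DW4R3WWydmNEbPx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
---- Files - GMER 1.0.15 ----
File C:\Windows\System32\4DW4R3WWydmNEbPx.dll 28160 bytes executable
File C:\Windows\System32\drivers\4DW4R3hYvnbOQxen.sys 46592 bytes executable <-- ROOTKIT !!!
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER ")
HOOK_TAIL = r"\s+[0-9A-F]{8}\s+\d+ Bytes\s+JMP\s+(?P<target>[0-9A-F]{8})"
KERNEL_HOOK_RE = re.compile(r"^\S+\s+(?P<module>[\w.]+)!(?P<func>\w+)" + HOOK_TAIL)
USER_HOOK_RE = re.compile(r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>[\w.]+)!(?P<func>\w+)" + HOOK_TAIL)
HIDDEN_SVC_RE = re.compile(r"^Service\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)")
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+?)(?:@(?P<value>\S+))?(?:\s+(?P<data>.*))?$")
SERVICES_KEY_RE = re.compile(r"\\Services\\(?P<svc>[^\\]+)(?P<sub>(?:\\[^\\]+)*)")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+) bytes(?P<rest>.*)$")


def parse_gmer(log_text):
    """Walk the log section by section and collect the indicators worth correlating."""
    section = None
    f = {"kernel_hooks": [], "user_hooks": [], "hidden_services": [],
         "service_registry": defaultdict(dict), "files": []}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif section == "Kernel code sections" and (m := KERNEL_HOOK_RE.match(line)):
            f["kernel_hooks"].append((m["module"], m["func"], int(m["target"], 16)))
        elif section == "User code sections" and (m := USER_HOOK_RE.match(line)):
            f["user_hooks"].append((m["proc"], int(m["pid"]), m["dll"], m["func"], int(m["target"], 16)))
        elif section == "Services" and (m := HIDDEN_SVC_RE.match(line)):
            f["hidden_services"].append((m["name"], m["path"], m["start"]))
        elif section == "Registry" and (m := REG_RE.match(line)) and (sk := SERVICES_KEY_RE.search(m["key"])):
            # Store values relative to the service key, e.g. "imagepath" or "modules@4DW4R3c".
            name = "@".join(p for p in (sk["sub"].lstrip("\\"), m["value"] or "") if p)
            f["service_registry"][sk["svc"]][name] = m["data"] or ""
        elif section == "Files" and (m := FILE_RE.match(line)):
            f["files"].append((m["path"], int(m["size"]), "ROOTKIT" in m["rest"]))
    return f


def summarize(f):
    """Turn parsed findings into the lines a responder would read first."""
    report = []
    # Kernel detours grouped by the 4 KiB page they jump into (heuristic of this example):
    # several hooks landing in one page suggests one hooking module, not unrelated drivers.
    by_page = defaultdict(list)
    for module, func, target in f["kernel_hooks"]:
        by_page[target >> 12].append(f"{module}!{func}")
    for page, funcs in by_page.items():
        if len(funcs) > 1:
            report.append(f"{len(funcs)} kernel detours land in page 0x{page << 12:08X}: {', '.join(funcs)}")
    # Inline hooks on socket APIs inside Explorer, a shell process with no reason to proxy traffic.
    for proc, pid, dll, func, target in f["user_hooks"]:
        report.append(f"{proc}[{pid}] {dll}!{func} detoured to 0x{target:08X}")
    # Hidden services, tied to their registry image path, extra modules and files on disk.
    for name, path, start in f["hidden_services"]:
        reg = f["service_registry"].get(name, {})
        modules = [v for k, v in reg.items() if k.startswith("modules@")]
        files = [p for p, _, _ in f["files"] if name.lower() in p.lower()]
        report.append(f"hidden service {name} ({start} start) image={reg.get('imagepath', path)} "
                      f"modules={modules} files={files}")
    return report


if __name__ == "__main__":
    for line in summarize(parse_gmer(SAMPLE_LOG)):
        print(line)
```

Run against the excerpt, the report shows all four ntkrnlpa.exe detours landing in the same page, both WS2_32 hooks in Explorer.EXE, and the hidden 4DW4R3 service tied to its .sys image, its injected 4DW4R3c DLL and the two files GMER listed. The `sptd` registry data resolves to C:\Program Files\DAEMON Tools Lite\, i.e. a CD-emulation driver rather than the infection, which is why such drivers are disabled before further scanning.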


#6 Elise
  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,107 posts
  • Location:Romania

Posted 19 February 2010 - 11:13 AM

Oh, we definitely have rootkits here.

Which means, I am going to move this topic to the Malware Removal forum...

Please proceed with the steps below.


Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


#7 JFores
  • Topic Starter
  • Members
  • 10 posts

Posted 20 February 2010 - 08:51 AM

I blue screen whenever I hit disable on DeFogger... :(

I managed to disable them by using ComboFix though. Or at least I think ComboFix disabled them. At any rate, ComboFix is running as we speak and I will edit this post to include the log. This is my last ditch all day effort at repair so that I can get an essay done tonight and still be ready to watch tomorrow's Serie A matches...

And now ComboFix is saying it's expired because it's the 20th and is therefore running in a reduced mode?

ComboFix 10-02-12.01 - Justin 02/20/2010 13:57:02.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3581.2643 [GMT 0:00]
Running from: c:\users\Justin\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
.
---- Previous Run -------
.
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))
.

2010-02-20 13:59 . 2010-02-20 14:00 -------- d-----w- c:\users\Justin\AppData\Local\temp
2010-02-20 13:59 . 2010-02-20 13:59 -------- d-----w- c:\users\Guest2\AppData\Local\temp
2010-02-20 13:59 . 2010-02-20 13:59 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-02-20 13:59 . 2010-02-20 13:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-19 15:04 . 2010-02-19 15:04 93056 ----a-w- C:\uxldapow.sys
2010-02-19 12:02 . 2010-02-19 12:02 -------- d-----w- c:\users\Justin\AppData\Roaming\SUPERAntiSpyware.com
2010-02-19 12:02 . 2010-02-19 12:02 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-02-18 22:04 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-18 22:04 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-18 19:30 . 2008-11-06 02:03 -------- d-----w- C:\SDFix
2010-02-18 19:14 . 2010-02-18 19:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-17 17:43 . 2010-02-19 15:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-17 16:20 . 2010-02-17 16:20 -------- d-----w- c:\users\Justin\AppData\Local\MicroVision Applications
2010-02-17 15:13 . 2010-02-17 15:13 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-17 02:28 . 2010-02-17 12:14 -------- d-----w- c:\program files\yawn
2010-02-17 02:26 . 2010-02-17 02:26 -------- d--h--w- c:\windows\PIF
2010-02-17 01:57 . 2010-02-17 01:58 -------- d-----w- c:\program files\CCleaner
2010-02-14 15:27 . 2010-02-14 15:27 -------- d-----w- c:\users\Justin\AppData\Roaming\Trusteer
2010-02-14 15:27 . 2010-02-14 15:27 -------- d-----w- c:\program files\Trusteer
2010-02-14 15:25 . 2010-02-14 15:25 -------- d-----w- c:\programdata\Trusteer
2010-02-10 16:14 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 16:14 . 2009-12-11 11:43 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-10 16:14 . 2009-12-08 20:01 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-10 16:14 . 2009-12-08 20:01 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-01-29 11:14 . 2010-01-29 11:14 -------- d-----w- c:\programdata\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-18 21:24 . 2008-09-01 20:24 3204 ----a-w- c:\windows\bthservsdp.dat
2010-02-18 19:20 . 2008-09-01 20:33 -------- d-----w- c:\program files\Dell Video Chat
2010-02-18 19:11 . 2010-02-18 19:03 691 ----a-w- c:\users\Justin\AppData\Roaming\GetValue.vbs
2010-02-18 19:11 . 2010-02-18 19:03 35 ----a-w- c:\users\Justin\AppData\Roaming\SetValue.bat
2010-02-18 19:11 . 2010-02-18 19:03 35 ----a-w- c:\users\Justin\AppData\Roaming\SetValue.bat
2010-02-17 16:20 . 2008-09-01 20:34 -------- d-----w- c:\program files\Roxio
2010-02-17 01:59 . 2008-10-10 01:14 -------- d-----w- c:\users\Justin\AppData\Roaming\Azureus
2010-02-15 18:19 . 2009-05-01 23:30 -------- d-----w- c:\programdata\Google Updater
2010-02-13 10:42 . 2008-11-09 00:40 -------- d-----w- c:\users\Justin\AppData\Roaming\vlc
2010-02-13 06:06 . 2008-10-10 01:14 -------- d-----w- c:\program files\Vuze
2010-02-13 06:02 . 2010-02-13 06:02 348160 ----a-w- c:\users\Justin\AppData\Roaming\Azureus\updates\inst_1\msvcr71.dll
2010-02-13 06:02 . 2010-02-13 06:02 199616 ----a-w- c:\users\Justin\AppData\Roaming\Azureus\updates\inst_1\AzureusUpdater.exe
2010-02-13 06:02 . 2010-02-13 06:02 72704 ----a-w- c:\users\Justin\AppData\Roaming\Azureus\updates\inst_1\aereg.dll
2010-02-13 06:02 . 2010-02-13 06:02 227328 ----a-w- c:\users\Justin\AppData\Roaming\Azureus\updates\inst_1\Azureus.exe
2010-02-11 03:21 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-08 21:47 . 2008-09-01 20:28 -------- d-----w- c:\program files\Google
2010-01-21 21:51 . 2009-01-20 08:02 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 11:12 . 2009-10-02 18:07 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-04 23:28 . 2010-01-04 18:11 -------- d-----w- c:\program files\AVG
2010-01-04 23:28 . 2010-01-04 18:11 -------- d-----w- c:\programdata\avg8
2010-01-04 23:18 . 2010-01-04 22:57 -------- d-----w- c:\users\Justin\AppData\Roaming\U3
2010-01-04 23:03 . 2010-01-04 23:03 -------- d-----w- c:\users\Justin\AppData\Roaming\Malwarebytes
2010-01-04 23:00 . 2010-01-04 23:00 -------- d-----w- c:\programdata\Malwarebytes
2010-01-04 21:23 . 2009-01-07 01:23 1356 ----a-w- c:\users\Justin\AppData\Local\d3d9caps.dat
2010-01-04 17:52 . 2010-01-04 17:52 -------- d-----w- c:\users\Justin\AppData\Roaming\AVG8
2010-01-02 06:38 . 2010-01-21 22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 22:03 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-21 22:03 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-21 22:03 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-14 04:49 . 2008-09-18 15:31 58896 ----a-w- c:\users\Justin\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-13 13:31 . 2009-02-08 11:26 58896 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-08 20:01 . 2010-02-10 16:13 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-08 17:26 . 2010-02-10 16:13 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-12-04 18:30 . 2010-02-10 16:13 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-04 18:29 . 2010-02-10 16:13 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-04 18:28 . 2010-02-10 16:13 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-04 18:28 . 2010-02-10 16:13 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-04 18:28 . 2010-02-10 16:13 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-04 18:28 . 2010-02-10 16:13 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-04 18:28 . 2010-02-10 16:13 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-04 18:28 . 2010-02-10 16:13 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-04 18:27 . 2010-02-10 16:13 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-04 15:56 . 2010-02-10 16:13 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-04 15:56 . 2010-02-10 16:13 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-30 18:02 . 2009-11-30 18:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 18:02 . 2009-11-30 18:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-24 02:55 . 2009-11-24 02:55 79368 ----a-w- c:\users\Justin\AppData\Roaming\Real\Update\setup3.09\RUP\vista.exe
2009-11-23 18:55 . 2009-11-23 18:55 439816 ----a-w- c:\users\Justin\AppData\Roaming\Real\Update\setup3.09\setup.exe
2009-12-12 11:15 . 2009-12-12 11:15 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-09-01 20:33 . 2008-09-01 20:33 74 --sh--r- c:\windows\CT4CET.bin
2008-09-01 22:53 . 2008-09-01 22:53 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-02-09 14:06 764296 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-04-06 12:26 238968 ----a-w- c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-01 68856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SightSpeed"="c:\program files\Dell Video Chat\DellVideoChat.exe" [2008-06-13 4758904]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-06-30 196608]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-10-09 100888]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-03-11 3563520]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-12 30192]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2008-06-09 814144]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2008-01-14 132392]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Kernel and Hardware Abstraction Layer"="c:\windows\KHALMNPR.EXE" [2007-10-09 100888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-02-19 438403]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-06-25 442467]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-01 198160]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-05-13 6345840]

c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]

c:\users\Guest2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]

c:\users\Justin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-5-2 1211472]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2008-9-1 679936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-01 20:36 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:08,b7,50,d4,2f,2f,ca,01

R0 ssfs0bbc;ssfs0bbc;c:\windows\System32\drivers\ssfs0bbc.sys [4/21/2009 17:27 29808]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2/10/2010 19:12 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2/10/2010 19:12 108648]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\AEstSrv.exe [9/1/2008 22:56 73728]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [5/5/2008 22:46 1168632]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [4/28/2008 21:56 161048]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2/10/2010 19:12 779496]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/28/2008 22:43 24652]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [4/10/2009 15:39 1205760]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\System32\drivers\ATSwpWDF.sys [9/1/2008 22:56 475136]
R3 itecir;ITECIR Infrared Receiver;c:\windows\System32\drivers\itecir.sys [9/1/2008 22:56 54784]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\k57nd60x.sys [9/1/2008 22:56 203264]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\System32\drivers\OA001Ufd.sys [11/26/2008 06:02 133472]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\System32\drivers\OA001Vid.sys [12/26/2008 17:05 279488]
S2 gupdate1c9cab5461f630;Google Update Service (gupdate1c9cab5461f630);c:\program files\Google\Update\GoogleUpdate.exe [5/1/2009 23:31 133104]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [9/1/2008 20:23 29736]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/1/2008 20:28 30192]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [2/18/2010 22:04 38224]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [10/10/2008 01:35 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-02-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-01 23:30]

2010-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-01 23:31]

2010-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-01 23:31]

2009-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 11:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 11:22]

2010-02-12 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-09-29 14:40]

2010-02-12 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-09-29 14:40]
.
.
------- Supplementary Scan -------
.
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\4ww7vt49.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.londonfightfactory.com/timetable/timetable.html|http://www.sherdog.net/forums/f2/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\4ww7vt49.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-20 14:00
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\4DW4R3.sys 46592 bytes executable
c:\windows\system32\drivers\4DW4R3hYvnbOQxen.sys 46592 bytes executable
c:\windows\system32\4DW4R3AgwXJxHwpV.dll 28160 bytes executable
c:\windows\system32\4DW4R3c.dll 28160 bytes executable
c:\windows\system32\4DW4R3sv.dat 53 bytes
c:\windows\system32\4DW4R3WWydmNEbPx.dll 28160 bytes executable
c:\users\Justin\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 7

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll >>UNKNOWN [0x90164BD7]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8bd9ed24
\Driver\ACPI -> acpi.sys @ 0x80699d68
\Driver\iaStor -> iastor.sys @ 0x83241bb8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(628)
c:\windows\system32\DPPWDFLT.dll
.
Completion time: 2010-02-20 14:05:53
ComboFix-quarantined-files.txt 2010-02-20 14:05

Pre-Run: 47,976,509,440 bytes free
Post-Run: 48,316,641,280 bytes free

- - End Of File - - 3F464E54D1771A61DAC59521DA179AD7

I'm now rerunning it with one I downloaded now rather than last night. Upon startup it notified me that it detected rootkit activity and told me to write down

C:\Windows\system32\drivers\4DW4R3hYvnbOQxen

C:\Windows\system32\4DW4R3WWydmNEbPx.dll

C:\Windows\system32\drivers\4DW4R3.sys

Edited by JFores, 20 February 2010 - 09:14 AM.


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,107 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:29 AM

Posted 20 February 2010 - 09:40 AM

Thanks for mentioning that, I was just about to suggest to redownload and run it :) And I wondered also why that rootkit went undetected!

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#9 JFores

JFores
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:29 AM

Posted 20 February 2010 - 09:42 AM

Got the log! Never mind! Posting! One sec...

ComboFix 10-02-19.04 - Justin 02/20/2010 14:19:17.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3581.2646 [GMT 0:00]
Running from: c:\users\Justin\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\4DW4R3AgwXJxHwpV.dll
c:\windows\system32\4DW4R3c.dll
c:\windows\system32\4DW4R3sv.dat
c:\windows\system32\4DW4R3tVvbSiQytf.dll
c:\windows\system32\4DW4R3WWydmNEbPx.dll
c:\windows\system32\drivers\4DW4R3.sys
c:\windows\system32\drivers\4DW4R3BiCXEXIRyw.sys
c:\windows\system32\drivers\4DW4R3hYvnbOQxen.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_4DW4R3
-------\Legacy_4DW4R3


((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))
.

2010-02-20 14:30 . 2010-02-20 14:34 -------- d-----w- c:\users\Justin\AppData\Local\temp
2010-02-20 14:30 . 2010-02-20 14:30 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-20 14:30 . 2010-02-20 14:30 -------- d-----w- c:\users\Guest2\AppData\Local\temp
2010-02-20 14:30 . 2010-02-20 14:30 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-02-20 14:30 . 2010-02-20 14:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-19 15:04 . 2010-02-19 15:04 93056 ----a-w- C:\uxldapow.sys
2010-02-19 12:02 . 2010-02-19 12:02 -------- d-----w- c:\users\Justin\AppData\Roaming\SUPERAntiSpyware.com
2010-02-19 12:02 . 2010-02-19 12:02 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-02-18 22:04 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-18 22:04 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-18 19:30 . 2008-11-06 02:03 -------- d-----w- C:\SDFix
2010-02-18 19:14 . 2010-02-18 19:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-17 17:43 . 2010-02-19 15:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-17 16:20 . 2010-02-17 16:20 -------- d-----w- c:\users\Justin\AppData\Local\MicroVision Applications
2010-02-17 15:13 . 2010-02-17 15:13 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-17 02:28 . 2010-02-17 12:14 -------- d-----w- c:\program files\yawn
2010-02-17 02:26 . 2010-02-17 02:26 -------- d--h--w- c:\windows\PIF
2010-02-17 01:57 . 2010-02-17 01:58 -------- d-----w- c:\program files\CCleaner
2010-02-14 15:27 . 2010-02-14 15:27 -------- d-----w- c:\users\Justin\AppData\Roaming\Trusteer
2010-02-14 15:27 . 2010-02-14 15:27 -------- d-----w- c:\program files\Trusteer
2010-02-14 15:25 . 2010-02-14 15:25 -------- d-----w- c:\programdata\Trusteer
2010-02-10 16:14 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 16:14 . 2009-12-11 11:43 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-10 16:14 . 2009-12-08 20:01 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-10 16:14 . 2009-12-08 20:01 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-01-29 11:14 . 2010-01-29 11:14 -------- d-----w- c:\programdata\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 14:30 . 2008-09-01 20:24 12 ----a-w- c:\windows\bthservsdp.dat
2010-02-18 19:20 . 2008-09-01 20:33 -------- d-----w- c:\program files\Dell Video Chat
2010-02-18 19:11 . 2010-02-18 19:03 691 ----a-w- c:\users\Justin\AppData\Roaming\GetValue.vbs
2010-02-18 19:11 . 2010-02-18 19:03 35 ----a-w- c:\users\Justin\AppData\Roaming\SetValue.bat
2010-02-18 19:11 . 2010-02-18 19:03 35 ----a-w- c:\users\Justin\AppData\Roaming\SetValue.bat
2010-02-17 16:20 . 2008-09-01 20:34 -------- d-----w- c:\program files\Roxio
2010-02-17 01:59 . 2008-10-10 01:14 -------- d-----w- c:\users\Justin\AppData\Roaming\Azureus
2010-02-15 18:19 . 2009-05-01 23:30 -------- d-----w- c:\programdata\Google Updater
2010-02-13 10:42 . 2008-11-09 00:40 -------- d-----w- c:\users\Justin\AppData\Roaming\vlc
2010-02-13 06:06 . 2008-10-10 01:14 -------- d-----w- c:\program files\Vuze
2010-02-13 06:02 . 2010-02-13 06:02 348160 ----a-w- c:\users\Justin\AppData\Roaming\Azureus\updates\inst_1\msvcr71.dll
2010-02-13 06:02 . 2010-02-13 06:02 199616 ----a-w- c:\users\Justin\AppData\Roaming\Azureus\updates\inst_1\AzureusUpdater.exe
2010-02-13 06:02 . 2010-02-13 06:02 72704 ----a-w- c:\users\Justin\AppData\Roaming\Azureus\updates\inst_1\aereg.dll
2010-02-13 06:02 . 2010-02-13 06:02 227328 ----a-w- c:\users\Justin\AppData\Roaming\Azureus\updates\inst_1\Azureus.exe
2010-02-11 03:21 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-08 21:47 . 2008-09-01 20:28 -------- d-----w- c:\program files\Google
2010-01-21 21:51 . 2009-01-20 08:02 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 11:12 . 2009-10-02 18:07 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-04 23:28 . 2010-01-04 18:11 -------- d-----w- c:\program files\AVG
2010-01-04 23:28 . 2010-01-04 18:11 -------- d-----w- c:\programdata\avg8
2010-01-04 23:18 . 2010-01-04 22:57 -------- d-----w- c:\users\Justin\AppData\Roaming\U3
2010-01-04 23:03 . 2010-01-04 23:03 -------- d-----w- c:\users\Justin\AppData\Roaming\Malwarebytes
2010-01-04 23:00 . 2010-01-04 23:00 -------- d-----w- c:\programdata\Malwarebytes
2010-01-04 21:23 . 2009-01-07 01:23 1356 ----a-w- c:\users\Justin\AppData\Local\d3d9caps.dat
2010-01-04 17:52 . 2010-01-04 17:52 -------- d-----w- c:\users\Justin\AppData\Roaming\AVG8
2010-01-02 06:38 . 2010-01-21 22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 22:03 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-21 22:03 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-21 22:03 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-14 04:49 . 2008-09-18 15:31 58896 ----a-w- c:\users\Justin\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-13 13:31 . 2009-02-08 11:26 58896 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-08 20:01 . 2010-02-10 16:13 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-08 17:26 . 2010-02-10 16:13 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-12-04 18:30 . 2010-02-10 16:13 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-04 18:29 . 2010-02-10 16:13 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-04 18:28 . 2010-02-10 16:13 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-04 18:28 . 2010-02-10 16:13 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-04 18:28 . 2010-02-10 16:13 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-04 18:28 . 2010-02-10 16:13 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-04 18:28 . 2010-02-10 16:13 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-04 18:28 . 2010-02-10 16:13 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-04 18:27 . 2010-02-10 16:13 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-04 15:56 . 2010-02-10 16:13 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-04 15:56 . 2010-02-10 16:13 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-30 18:02 . 2009-11-30 18:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 18:02 . 2009-11-30 18:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-24 02:55 . 2009-11-24 02:55 79368 ----a-w- c:\users\Justin\AppData\Roaming\Real\Update\setup3.09\RUP\vista.exe
2009-11-23 18:55 . 2009-11-23 18:55 439816 ----a-w- c:\users\Justin\AppData\Roaming\Real\Update\setup3.09\setup.exe
2009-12-12 11:15 . 2009-12-12 11:15 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-09-01 20:33 . 2008-09-01 20:33 74 --sh--r- c:\windows\CT4CET.bin
2008-09-01 22:53 . 2008-09-01 22:53 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-02-09 14:06 764296 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-04-06 12:26 238968 ----a-w- c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-01 68856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SightSpeed"="c:\program files\Dell Video Chat\DellVideoChat.exe" [2008-06-13 4758904]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-06-30 196608]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-10-09 100888]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-03-11 3563520]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-12 30192]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2008-06-09 814144]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2008-01-14 132392]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Kernel and Hardware Abstraction Layer"="c:\windows\KHALMNPR.EXE" [2007-10-09 100888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-02-19 438403]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-06-25 442467]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-01 198160]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-05-13 6345840]

c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]

c:\users\Guest2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]

c:\users\Justin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-5-2 1211472]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2008-9-1 679936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-01 20:36 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:08,b7,50,d4,2f,2f,ca,01

R0 ssfs0bbc;ssfs0bbc;c:\windows\System32\drivers\ssfs0bbc.sys [4/21/2009 17:27 29808]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2/10/2010 19:12 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2/10/2010 19:12 108648]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\AEstSrv.exe [9/1/2008 22:56 73728]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [5/5/2008 22:46 1168632]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [4/28/2008 21:56 161048]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2/10/2010 19:12 779496]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/28/2008 22:43 24652]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [4/10/2009 15:39 1205760]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\System32\drivers\ATSwpWDF.sys [9/1/2008 22:56 475136]
R3 itecir;ITECIR Infrared Receiver;c:\windows\System32\drivers\itecir.sys [9/1/2008 22:56 54784]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\k57nd60x.sys [9/1/2008 22:56 203264]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\System32\drivers\OA001Ufd.sys [11/26/2008 06:02 133472]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\System32\drivers\OA001Vid.sys [12/26/2008 17:05 279488]
S2 gupdate1c9cab5461f630;Google Update Service (gupdate1c9cab5461f630);c:\program files\Google\Update\GoogleUpdate.exe [5/1/2009 23:31 133104]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [9/1/2008 20:23 29736]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/1/2008 20:28 30192]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [2/18/2010 22:04 38224]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [10/10/2008 01:35 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-02-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-01 23:30]

2010-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-01 23:31]

2010-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-01 23:31]

2009-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 11:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 11:22]
.
.
------- Supplementary Scan -------
.
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\4ww7vt49.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.londonfightfactory.com/timetable/timetable.html|http://www.sherdog.net/forums/f2/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\4ww7vt49.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-20 14:33
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(624)
c:\windows\system32\DPPWDFLT.dll

- - - - - - - > 'Explorer.exe'(7988)
c:\program files\DigitalPersona\Bin\DpoFeedb.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll
c:\program files\DigitalPersona\Bin\DpoSet.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\STacSV.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\system32\WLANExt.exe
c:\windows\System32\bcmwltry.exe
c:\program files\DigitalPersona\Bin\DpHostW.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\system32\conime.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-02-20 14:42:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-20 14:42
ComboFix2.txt 2010-02-20 14:05

Pre-Run: 48,205,033,472 bytes free
Post-Run: 47,882,743,808 bytes free

- - End Of File - - 005BAC7C46DB7D4F530DF99C927B0C99

Edited by JFores, 20 February 2010 - 09:44 AM.


#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,107 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:29 AM

Posted 20 February 2010 - 09:51 AM

Hello JFores,

That got rid of the rootkit, however, please consider the following first...

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


P2P WARNING
-------------------
Going over your logs I noticed that you have Vuze installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall Vuze, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.



CF-SCRIPT
-------------
Open notepad and copy/paste the text in the quotebox below into it:

CODE

Collect::    
C:\uxldapow.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

Folder::
c:\program files\Ask.com


Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

In your next reply, please include the following:
  • Combofix.txt



regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
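A read-only check, added here and not part of Elise's instructions or of ComboFix itself, that confirms after the run that every item named in the CFScript above is actually gone. It assumes that ComboFix's `~` in the Registry:: section stands for SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer and that Ask.com was installed under the standard Program Files folder.

```powershell
# Added example: verify that the targets of the CFScript posted above no longer
# exist. It only reads the registry and file system; it deletes nothing.
# CLSIDs, keys and paths are copied from the CFScript in this thread.

$bhoClsid = '{D4027C7F-154A-4066-A1AD-4243D8127440}'
$typeLib  = '{2996F0E7-292B-4CAE-893F-47B8B1C05B56}'

# Keys the script deletes whole (the [-KEY] lines). Assumption: ComboFix's "~"
# abbreviates SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer.
$keysToBeGone = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid",
    "Registry::HKEY_CLASSES_ROOT\CLSID\$bhoClsid",
    "Registry::HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd",
    "Registry::HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1",
    "Registry::HKEY_CLASSES_ROOT\TypeLib\$typeLib"
)

# Values the script removes from keys that remain (the "name"=- lines).
$valuesToBeGone = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar';            Name = $bhoClsid },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser'; Name = $bhoClsid }
)

# File-system items: the Folder:: entry and the Collect:: driver file.
$pathsToBeGone = @(
    (Join-Path $env:ProgramFiles 'Ask.com'),   # assumption: default install location
    'C:\uxldapow.sys'
)

$leftovers = @()

foreach ($key in $keysToBeGone) {
    if (Test-Path -LiteralPath $key) { $leftovers += "key still present:    $key" }
}

foreach ($entry in $valuesToBeGone) {
    if (Test-Path -LiteralPath $entry.Key) {
        $names = (Get-Item -LiteralPath $entry.Key).GetValueNames()
        if ($names -contains $entry.Name) {
            $leftovers += "value still present:  $($entry.Key)\$($entry.Name)"
        }
    }
}

foreach ($path in $pathsToBeGone) {
    if (Test-Path -LiteralPath $path) { $leftovers += "file/folder present:  $path" }
}

if ($leftovers.Count -eq 0) {
    Write-Output 'All CFScript targets are gone.'
} else {
    Write-Output 'CFScript targets still present (re-check the ComboFix log):'
    $leftovers | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell prompt after ComboFix has rebooted the machine; anything it lists should be compared against the "Other Deletions" section of the new ComboFix.txt.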


#11 JFores

JFores
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:29 AM

Posted 20 February 2010 - 10:00 AM

Hello there,

Yeah, P2P related sites are the cause of this, but it comes with the territory and I just have to accept that. Similarly, nothing of great importance has been done on the laptop lately and the worst thing that could get out there is a Facebook or an email password so I'll just change those. My internet banking has an immense number of security procedures and I haven't been able to do anything with this computer since the infection began. In fact, I don't know if my internet is back on as I can't access a connection where I am, but it was completely inaccessible for the entire process thus far. I've had to use a university library computer and a mate's laptop in order to get this done.

At any rate, I will probably attempt a reformat and reinstall once I am able to back everything up and once I figure out how to go about reinstalling Windows without the CD (which I'm 99.9% sure Dell doesn't physically give you.)

Regarding CFScript.txt. When I attempt to drag it onto it I get the warning

Illegal operation attempted on a registry key that has been marked for deletion.

Should I try again in Safe Mode?

Edited by JFores, 20 February 2010 - 10:02 AM.


#12 JFores

JFores
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:29 AM

Posted 20 February 2010 - 10:07 AM

Worked in safe mode. Waiting for it to run through... Will edit this post when it finishes.

It's finished, but I can't actually access my desktop and what not to connect to the internet (not to mention I'm in Safe Mode) so how do I go about submitting these files for analysis?

Ok it's at C:\CF-Submit.htm so I'll have to do it later when I have net.

Mulţumesc! Mmm... Apparently this forum doesn't like the Romanian alphabet...

Justin

At any rate here's my third log...

Combofix.txt

ComboFix 10-02-19.04 - Justin 02/20/2010 15:07:16.5.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3581.3092 [GMT 0:00]
Running from: c:\users\Justin\Desktop\ComboFix.exe
Command switches used :: c:\users\Justin\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

file zipped: C:\uxldapow.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Ask.com
c:\program files\Ask.com\config.xml
c:\program files\Ask.com\GenericAskToolbar.dll
c:\program files\Ask.com\mupcfg.xml
c:\program files\Ask.com\UpdateTask.exe
C:\uxldapow.sys

.
((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))
.

2010-02-20 15:14 . 2010-02-20 15:14 -------- d-----w- c:\users\Justin\AppData\Local\temp
2010-02-20 15:14 . 2010-02-20 15:14 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-20 15:14 . 2010-02-20 15:14 -------- d-----w- c:\users\Guest2\AppData\Local\temp
2010-02-20 15:14 . 2010-02-20 15:14 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-02-20 15:14 . 2010-02-20 15:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-20 15:06 . 2010-02-20 15:06 -------- d-----w- C:\32788R22FWJFW
2010-02-19 12:02 . 2010-02-19 12:02 -------- d-----w- c:\users\Justin\AppData\Roaming\SUPERAntiSpyware.com
2010-02-19 12:02 . 2010-02-19 12:02 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-02-18 22:04 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-18 22:04 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-18 19:30 . 2008-11-06 02:03 -------- d-----w- C:\SDFix
2010-02-18 19:14 . 2010-02-18 19:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-18 19:03 . 2010-02-18 19:11 35 ----a-w- c:\users\Justin\AppData\Roaming\SetValue.bat
2010-02-17 17:43 . 2010-02-19 15:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-17 16:20 . 2010-02-17 16:20 -------- d-----w- c:\users\Justin\AppData\Local\MicroVision Applications
2010-02-17 15:13 . 2010-02-17 15:13 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-17 02:28 . 2010-02-17 12:14 -------- d-----w- c:\program files\yawn
2010-02-17 02:26 . 2010-02-17 02:26 -------- d--h--w- c:\windows\PIF
2010-02-17 01:57 . 2010-02-17 01:58 -------- d-----w- c:\program files\CCleaner
2010-02-14 15:27 . 2010-02-14 15:27 -------- d-----w- c:\users\Justin\AppData\Roaming\Trusteer
2010-02-14 15:27 . 2010-02-14 15:27 -------- d-----w- c:\program files\Trusteer
2010-02-14 15:25 . 2010-02-14 15:25 -------- d-----w- c:\programdata\Trusteer
2010-02-13 06:02 . 2010-02-13 06:02 348160 ----a-w- c:\users\Justin\AppData\Roaming\Azureus\updates\inst_1\msvcr71.dll
2010-02-13 06:02 . 2010-02-13 06:02 199616 ----a-w- c:\users\Justin\AppData\Roaming\Azureus\updates\inst_1\AzureusUpdater.exe
2010-02-13 06:02 . 2010-02-13 06:02 72704 ----a-w- c:\users\Justin\AppData\Roaming\Azureus\updates\inst_1\aereg.dll
2010-02-13 06:02 . 2010-02-13 06:02 227328 ----a-w- c:\users\Justin\AppData\Roaming\Azureus\updates\inst_1\Azureus.exe
2010-02-10 16:14 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 16:14 . 2009-12-11 11:43 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-10 16:14 . 2009-12-08 20:01 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-10 16:14 . 2009-12-08 20:01 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-01-29 11:14 . 2010-01-29 11:14 -------- d-----w- c:\programdata\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 14:30 . 2008-09-01 20:24 12 ----a-w- c:\windows\bthservsdp.dat
2010-02-18 19:20 . 2008-09-01 20:33 -------- d-----w- c:\program files\Dell Video Chat
2010-02-18 19:11 . 2010-02-18 19:03 691 ----a-w- c:\users\Justin\AppData\Roaming\GetValue.vbs
2010-02-17 16:20 . 2008-09-01 20:34 -------- d-----w- c:\program files\Roxio
2010-02-17 01:59 . 2008-10-10 01:14 -------- d-----w- c:\users\Justin\AppData\Roaming\Azureus
2010-02-15 18:19 . 2009-05-01 23:30 -------- d-----w- c:\programdata\Google Updater
2010-02-13 10:42 . 2008-11-09 00:40 -------- d-----w- c:\users\Justin\AppData\Roaming\vlc
2010-02-13 06:06 . 2008-10-10 01:14 -------- d-----w- c:\program files\Vuze
2010-02-11 03:21 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-08 21:47 . 2008-09-01 20:28 -------- d-----w- c:\program files\Google
2010-01-21 21:51 . 2009-01-20 08:02 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 11:12 . 2009-10-02 18:07 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-04 23:28 . 2010-01-04 18:11 -------- d-----w- c:\program files\AVG
2010-01-04 23:28 . 2010-01-04 18:11 -------- d-----w- c:\programdata\avg8
2010-01-04 23:18 . 2010-01-04 22:57 -------- d-----w- c:\users\Justin\AppData\Roaming\U3
2010-01-04 23:03 . 2010-01-04 23:03 -------- d-----w- c:\users\Justin\AppData\Roaming\Malwarebytes
2010-01-04 23:00 . 2010-01-04 23:00 -------- d-----w- c:\programdata\Malwarebytes
2010-01-04 21:23 . 2009-01-07 01:23 1356 ----a-w- c:\users\Justin\AppData\Local\d3d9caps.dat
2010-01-04 17:52 . 2010-01-04 17:52 -------- d-----w- c:\users\Justin\AppData\Roaming\AVG8
2010-01-02 06:38 . 2010-01-21 22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 22:03 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-21 22:03 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-21 22:03 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-14 04:49 . 2008-09-18 15:31 58896 ----a-w- c:\users\Justin\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-13 13:31 . 2009-02-08 11:26 58896 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-08 20:01 . 2010-02-10 16:13 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-08 17:26 . 2010-02-10 16:13 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-12-04 18:30 . 2010-02-10 16:13 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-04 18:29 . 2010-02-10 16:13 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-04 18:28 . 2010-02-10 16:13 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-04 18:28 . 2010-02-10 16:13 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-04 18:28 . 2010-02-10 16:13 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-04 18:28 . 2010-02-10 16:13 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-04 18:28 . 2010-02-10 16:13 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-04 18:28 . 2010-02-10 16:13 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-04 18:27 . 2010-02-10 16:13 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-04 15:56 . 2010-02-10 16:13 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-04 15:56 . 2010-02-10 16:13 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-30 18:02 . 2009-11-30 18:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 18:02 . 2009-11-30 18:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-24 02:55 . 2009-11-24 02:55 79368 ----a-w- c:\users\Justin\AppData\Roaming\Real\Update\setup3.09\RUP\vista.exe
2009-11-23 18:55 . 2009-11-23 18:55 439816 ----a-w- c:\users\Justin\AppData\Roaming\Real\Update\setup3.09\setup.exe
2009-12-12 11:15 . 2009-12-12 11:15 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-09-01 20:33 . 2008-09-01 20:33 74 --sh--r- c:\windows\CT4CET.bin
2008-09-01 22:53 . 2008-09-01 22:53 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-04-06 12:26 238968 ----a-w- c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-01 68856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SightSpeed"="c:\program files\Dell Video Chat\DellVideoChat.exe" [2008-06-13 4758904]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-06-30 196608]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-10-09 100888]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-03-11 3563520]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-12 30192]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2008-06-09 814144]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2008-01-14 132392]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Kernel and Hardware Abstraction Layer"="c:\windows\KHALMNPR.EXE" [2007-10-09 100888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-02-19 438403]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-06-25 442467]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-01 198160]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-05-13 6345840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]

c:\users\Guest2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]

c:\users\Justin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-5-2 1211472]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2008-9-1 679936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-01 20:36 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):08,b7,50,d4,2f,2f,ca,01

R0 ssfs0bbc;ssfs0bbc;c:\windows\System32\drivers\ssfs0bbc.sys [4/21/2009 17:27 29808]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [4/10/2009 15:39 1205760]
R3 itecir;ITECIR Infrared Receiver;c:\windows\System32\drivers\itecir.sys [9/1/2008 22:56 54784]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2/10/2010 19:12 58984]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2/10/2010 19:12 108648]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\AEstSrv.exe [9/1/2008 22:56 73728]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [5/5/2008 22:46 1168632]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [4/28/2008 21:56 161048]
S2 gupdate1c9cab5461f630;Google Update Service (gupdate1c9cab5461f630);c:\program files\Google\Update\GoogleUpdate.exe [5/1/2009 23:31 133104]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2/10/2010 19:12 779496]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/28/2008 22:43 24652]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\System32\drivers\ATSwpWDF.sys [9/1/2008 22:56 475136]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [9/1/2008 20:23 29736]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/1/2008 20:28 30192]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\k57nd60x.sys [9/1/2008 22:56 203264]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [2/18/2010 22:04 38224]
S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\System32\drivers\OA001Ufd.sys [11/26/2008 06:02 133472]
S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\System32\drivers\OA001Vid.sys [12/26/2008 17:05 279488]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [10/10/2008 01:35 717296]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-02-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-01 23:30]

2010-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-01 23:31]

2010-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-01 23:31]

2009-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 11:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-22 11:22]
.
.
------- Supplementary Scan -------
.
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\4ww7vt49.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.londonfightfactory.com/timetable/timetable.html|http://www.sherdog.net/forums/f2/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\4ww7vt49.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-20 15:14
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(468)
c:\windows\system32\DPPWDFLT.dll
.
Completion time: 2010-02-20 15:15:45
ComboFix-quarantined-files.txt 2010-02-20 15:15
ComboFix2.txt 2010-02-20 14:42
ComboFix3.txt 2010-02-20 14:05

Pre-Run: 51,772,960,768 bytes free
Post-Run: 51,637,157,888 bytes free

- - End Of File - - E6E1294A7A96FA9F2F534BD01287C223

Edited by JFores, 20 February 2010 - 10:22 AM.


#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,107 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:29 AM

Posted 20 February 2010 - 11:05 AM

QUOTE
Mulţumesc! Mmm... Apparently this forum doesn't like the Romanian alphabet...
Apparently it doesn't indeed. But anyway, you are welcome (are you Romanian or did you peek at my profile?)

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#14 JFores

JFores
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:29 AM

Posted 20 February 2010 - 11:16 AM

I'll run that and submit the report as soon as I get to an internet connection.

In other news, I'm running Malwarebytes Full Scan to make sure it would run because that was a big issue in the past and it is BUT McAfee keeps finding PRCViewer.exe or something of the sort in many of my antispyware programs. Could this have been deposited to have prevented them from running? I've removed each one as it was detected just in case.

Justin

P.S. I learned it a few years ago and I was very fluent (with an insanely heavy Transylvanian accent somehow picked up off my Sasi tutor) but I'm a bit bleep now. And yeah, got it off the profile. I can still read newspapers and books though.



#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,107 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:29 AM

Posted 20 February 2010 - 12:07 PM

Hello again
QUOTE
BUT McAfee keeps finding PRCViewer.exe or something of the sort in many of my antispyware programs.
First of all, McAfee is known for its false positives. It detects many of the tools we are using as "bad". Next time it detects this, please note down the filename and path and post it here.

Please post also the MBAM scan results.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
