
Browser Redirection and Other Problems


This topic is locked
12 replies to this topic

#1 TeriBash
  • Members
  • 29 posts

Posted 10 March 2010 - 04:21 PM

boopme has suggested that I make a new post here with my recent logs. If you need back information on the problem, here is the original post.

http://www.bleepingcomputer.com/forums/t/301209/recent-virus-removed-browser-redirection-and-other-problems-persist/


DDS (Ver_09-12-01.01) - NTFSx86
Run by Beth at 13:31:31.45 on Wed 03/10/2010
Internet Explorer: 6.0.2900.3311
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.168 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Beth\Desktop\AV_FIles\dds\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [LXSUPMON] c:\windows\system32\LXSUPMON.EXE RUN
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\beth\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-explorer: =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\beth\applic~1\mozilla\firefox\profiles\sf6asebp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.seamonkey-project.org/start/
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-25 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-25 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-25 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-25 56816]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-6 24652]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-03-10 18:30:36 20 ----a-w- c:\documents and settings\beth\defogger_reenable
2010-03-08 17:45:54 0 d-----w- c:\docume~1\beth\applic~1\Malwarebytes
2010-03-08 17:45:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-08 17:45:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-08 17:45:42 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-08 17:45:42 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-08 02:19:18 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-08 02:19:05 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-08 02:19:05 0 d-----w- c:\docume~1\beth\applic~1\SUPERAntiSpyware.com
2010-03-08 02:18:44 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-08 01:52:16 2852 ----a-w- c:\windows\system32\tmp.reg
2010-03-07 19:54:02 0 d-----w- C:\ProcessExplorer
2010-02-28 23:14:11 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-28 23:14:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2010-01-04 02:51:14 58296 ---ha-w- c:\windows\system32\mlfcache.dat

============= FINISH: 13:32:36.23 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 3/6/2009 6:38:26 PM
System Uptime: 3/10/2010 12:38:16 PM (1 hours ago)

Motherboard: Dell Computer Corp. | |
Processor: Intel® Pentium® 4 CPU 2.00GHz | Microprocessor | 1993/400mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 10 GiB total, 1.305 GiB free.
D: is FIXED (NTFS) - 19 GiB total, 6.221 GiB free.
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP303: 2/8/2010 7:37:00 PM - System Checkpoint
RP304: 2/9/2010 7:42:58 PM - System Checkpoint
RP305: 2/10/2010 7:44:30 PM - System Checkpoint
RP306: 2/11/2010 10:51:48 PM - System Checkpoint
RP307: 2/13/2010 12:08:13 AM - System Checkpoint
RP308: 2/14/2010 12:44:12 AM - System Checkpoint
RP309: 2/15/2010 1:44:12 AM - System Checkpoint
RP310: 2/16/2010 2:30:33 AM - System Checkpoint
RP311: 2/17/2010 3:30:32 AM - System Checkpoint
RP312: 2/18/2010 4:30:32 AM - System Checkpoint
RP313: 2/19/2010 5:30:32 AM - System Checkpoint
RP314: 2/20/2010 6:30:10 AM - System Checkpoint
RP315: 2/21/2010 7:30:10 AM - System Checkpoint
RP316: 2/22/2010 7:31:15 AM - System Checkpoint
RP317: 2/23/2010 8:30:10 AM - System Checkpoint
RP318: 2/24/2010 9:30:10 AM - System Checkpoint
RP319: 2/25/2010 10:30:10 AM - System Checkpoint
RP320: 2/26/2010 10:42:10 AM - System Checkpoint
RP321: 2/27/2010 1:55:15 PM - System Checkpoint
RP322: 2/28/2010 10:29:49 PM - System Checkpoint
RP323: 3/6/2010 11:07:02 AM - System Checkpoint
RP324: 3/7/2010 12:35:36 PM - System Checkpoint
RP325: 3/7/2010 9:19:03 PM - Installed SUPERAntiSpyware Free Edition
RP326: 3/9/2010 5:26:37 PM - System Checkpoint

==== Installed Programs ======================


Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
AIM 6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
Bonjour
Dell ResourceCD
FlashFXP v3
FrostWire 4.17.2
Intel® PRO Ethernet Adapter and Software
iTunes
Java™ 6 Update 15
Lexmark Supplies Monitor
Lexmark Z23-Z33
Malwarebytes' Anti-Malware
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6)
NVIDIA Windows 2000/XP Display Drivers
PowerArchiver 2004 v9.26
QuickTime
SeaMonkey (1.1.15)
Sound Blaster Live!
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Viewpoint Media Player
WebFldrs XP
Winamp
Windows Media Format Runtime
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

3/9/2010 5:04:18 PM, error: Dhcp [1002] - The IP address lease 192.168.1.20 for the Network Card with network address 0007E9CF3B4E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
3/8/2010 11:48:57 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: Access is denied.
3/7/2010 9:25:19 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT OMCI RasAcd Rdbss SASDIFSV SASKUTIL sptd ssmdrv Tcpip
3/7/2010 9:03:04 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT OMCI RasAcd Rdbss sptd ssmdrv Tcpip
3/7/2010 9:03:04 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
3/7/2010 9:03:04 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/7/2010 9:03:04 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/7/2010 9:03:04 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
3/7/2010 9:03:04 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/7/2010 9:03:04 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/7/2010 9:02:06 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/7/2010 9:02:03 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
3/7/2010 8:55:50 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Viewpoint Manager Service service to connect.
3/7/2010 8:55:50 PM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/7/2010 7:52:10 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: sptd
3/7/2010 7:51:37 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
3/7/2010 7:51:37 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
3/7/2010 7:51:14 AM, error: DCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
3/7/2010 11:16:05 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
3/7/2010 11:16:02 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
3/7/2010 11:15:39 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
3/7/2010 11:15:36 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
3/7/2010 11:15:34 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/6/2010 12:11:10 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
3/6/2010 11:54:55 AM, error: Service Control Manager [7034] - The Windows Audio service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-10 15:35:32
Windows 5.1.2600 Service Pack 3, v.3311
Running: gmer.exe; Driver: C:\DOCUME~1\Beth\LOCALS~1\Temp\aglcrfog.sys


---- System - GMER 1.0.15 ----

SSDT EC36D106 ZwCreateKey
SSDT EC36D0FC ZwCreateThread
SSDT EC36D10B ZwDeleteKey
SSDT EC36D115 ZwDeleteValueKey
SSDT EC36D11A ZwLoadKey
SSDT EC36D0E8 ZwOpenProcess
SSDT EC36D0ED ZwOpenThread
SSDT EC36D124 ZwReplaceKey
SSDT EC36D11F ZwRestoreKey
SSDT EC36D110 ZwSetValueKey
SSDT EC36D0F7 ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 822E8B4C

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB3 0xCE 0x65 0xFB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x69 0xD9 0x1F 0xCE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x34 0x78 0x88 0x8F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB3 0xCE 0x65 0xFB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x69 0xD9 0x1F 0xCE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x34 0x78 0x88 0x8F ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
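As an added example (not part of the original thread, and not code from DDS, HijackThis or GMER), here is a small Python triage pass over lines in the three log formats posted above. The rule set, the category names and the severity labels are my own assumptions about how a helper would prioritise entries for review; the sample lines are constructed from the formats in these logs and are not a complete log.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high" or "review"
    category: str
    line: str


# Triage rules: (pattern, severity, category). Patterns cover both the DDS
# "pseudo HJT" prefixes (EB:, uURLSearchHooks:) and HijackThis O-numbers, plus
# the GMER rootkit-scan lines, so one pass handles all three log types.
RULES = [
    # GMER reports a system driver whose on-disk image does not match what it
    # expects; on XP this is a strong rootkit indicator and goes to the top.
    (re.compile(r"^File .+ suspicious modification$"), "high", "gmer-file-tamper"),
    # Service registered but binary gone: leftover from an uninstall or a
    # removed payload; either way an orphan that should be cleaned up.
    (re.compile(r"^O23 - Service: .+\(file missing\)$"), "review", "orphaned-service"),
    # Explorer bar / BHO CLSID with no DLL behind it.
    (re.compile(r"^(EB|O2 - BHO): .+ - No File$"), "review", "orphaned-bho-or-bar"),
    # URL search hooks redirect typed-in searches; toolbars use them, so do hijackers.
    (re.compile(r"^(R3 - URLSearchHook|uURLSearchHooks):"), "review", "url-search-hook"),
    # SSDT hooks: kernel call-table entries pointing outside ntoskrnl. Security
    # software hooks the same calls, so these stay "review", not "high", until
    # the hook address has been resolved to its owning module.
    (re.compile(r"^SSDT [0-9A-F]{8} Zw\w+$"), "review", "ssdt-hook"),
]


def triage(lines):
    """Return one Finding per log line that matches a rule (first match wins)."""
    findings = []
    for raw in lines:
        line = raw.strip()
        for pattern, severity, category in RULES:
            if pattern.search(line):
                findings.append(Finding(severity, category, line))
                break
    return findings


def summarize(findings):
    """Count findings per category, for a quick overview of a long log."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def worst_severity(findings):
    """'high' if any high finding, 'review' if only review items, else 'clean'."""
    if any(f.severity == "high" for f in findings):
        return "high"
    return "review" if findings else "clean"


# Constructed sample, modelled on the line formats in the logs above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
SSDT EC36D106 ZwCreateKey
SSDT EC36D0E8 ZwOpenProcess
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"[{f.severity:6}] {f.category:22} {f.line}")
    print(summarize(found), worst_severity(found))
```

To run it over a saved log, pass `open(path).readlines()` to `triage`. The SSDT entries are deliberately only "review": on-access scanners and HIPS products hook the same Zw* calls, so the hook address has to be matched against the loaded modules before anything is concluded from it, whereas a driver-tamper line from GMER is worth escalating on its own.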


#2 aommaster
    I !<3 malware
  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 11 March 2010 - 12:25 AM

Hello, TeriBash.
My name is aommaster and I will be helping you with your log.


If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for :)
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
(This step may produce a blank log. Let me know if that is the case)
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.txt

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 TeriBash
  • Topic Starter
  • Members
  • 29 posts

Posted 11 March 2010 - 01:17 PM

Thank you for your help. Here are the requested logs:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Beth at 2010-03-11 12:29:14
Microsoft Windows XP Home Edition Service Pack 3, v.3311
System drive C: has 1 GB (12%) free of 10 GB
Total RAM: 511 MB (37% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:27 PM, on 3/11/2010
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3311)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Beth\Desktop\AV_FIles\RSIT.exe
C:\Program Files\trend micro\Beth.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6282 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-25 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=NvQTwk,NvCplDaemon initialize []
"diagent"=C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe [2002-04-03 135264]
"UpdReg"=C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"LXSUPMON"=C:\WINDOWS\system32\LXSUPMON.EXE [2002-05-06 900096]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe []
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 935288]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-11-10 417792]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-11-12 141600]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

C:\Documents and Settings\Beth\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
""=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84cf6e30-c8eb-11de-a785-0007e9cf3b4e}]
shell\AutoRun\command - G:\CA_EdgeLitemobile.exe


======List of files/folders created in the last 1 months======

2010-03-11 12:29:14 ----D---- C:\rsit
2010-03-11 07:00:03 ----D---- C:\Program Files\trend micro
2010-03-08 12:45:54 ----D---- C:\Documents and Settings\Beth\Application Data\Malwarebytes
2010-03-08 12:45:43 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-03-08 12:45:42 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-03-07 21:19:18 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-07 21:19:05 ----D---- C:\Program Files\SUPERAntiSpyware
2010-03-07 21:19:05 ----D---- C:\Documents and Settings\Beth\Application Data\SUPERAntiSpyware.com
2010-03-07 21:18:44 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-03-07 20:52:16 ----A---- C:\WINDOWS\system32\tmp.txt
2010-03-07 20:51:53 ----A---- C:\rapport.txt
2010-03-07 15:11:33 ----A---- C:\New Text Document.txt
2010-03-07 14:54:02 ----D---- C:\ProcessExplorer
2010-02-28 18:14:11 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-02-28 18:14:11 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-26 17:45:09 ----A---- C:\WINDOWS\ntbtlog.txt

======List of files/folders modified in the last 1 months======

2010-03-11 09:46:27 ----D---- C:\WINDOWS\Temp
2010-03-11 07:00:03 ----D---- C:\Program Files
2010-03-11 00:52:44 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-10 21:31:32 ----D---- C:\WINDOWS\Prefetch
2010-03-10 21:26:02 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-08 15:00:55 ----D---- C:\WINDOWS\Registration
2010-03-08 12:46:55 ----D---- C:\WINDOWS\system32\drivers
2010-03-07 21:19:15 ----SHD---- C:\WINDOWS\Installer
2010-03-07 21:18:44 ----D---- C:\Program Files\Common Files
2010-03-07 21:11:29 ----D---- C:\WINDOWS\system32
2010-03-07 14:29:06 ----D---- C:\Program Files\Bonjour
2010-03-06 12:02:06 ----D---- C:\Documents and Settings\Beth\Application Data\Mozilla
2010-03-06 12:01:36 ----D---- C:\Program Files\Mozilla Firefox
2010-02-26 17:45:09 ----D---- C:\WINDOWS
2010-02-21 09:37:35 ----D---- C:\Documents and Settings\Beth\Application Data\FrostWire

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-02-12 36352]
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-12-25 56816]
R2 PfModNT;PfModNT; \??\C:\WINDOWS\System32\PfModNT.sys []
R3 BCMModem;BCM V.90 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMDM.sys [2001-08-17 871388]
R3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2002-09-19 139776]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-02-12 10368]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2002-09-03 12160]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2002-04-18 909837]
R3 P16X;Creative SB Live! Series (WDM); C:\WINDOWS\system32\drivers\P16X.sys [2002-08-30 1293440]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-02-12 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-02-12 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-02-12 25856]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-02-12 20608]
S3 aglcrfog;aglcrfog; \??\C:\DOCUME~1\Beth\LOCALS~1\Temp\aglcrfog.sys []
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-02-12 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-02-12 26368]
S4 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\System32\CTsvcCDA.exe [1999-12-13 44032]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-25 153376]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2002-05-06 300544]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2002-04-18 61440]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\System32\MsPMSPSv.exe [2000-06-26 53520]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-11-12 545568]
S2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2010-03-11 12:29:28

======Uninstall list======

-->"C:\Program Files\Creative\SBLive\Program\Ctzapxx.EXE" /X /U /S /R
-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {926CC8AE-8414-43DF-8EB4-CF26D9C3C663}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51F5239C-197B-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51F5239C-197B-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A92000000001}
AIM 6-->C:\Program Files\AIM6\uninst.exe
Apple Application Support-->MsiExec.exe /I{3FA365DF-2D68-45ED-8F83-8C8A33E65143}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
FlashFXP v3-->"C:\Program Files\FlashFXP\unins000.exe"
FrostWire 4.17.2-->C:\Program Files\FrostWire\Uninstall.exe
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Intel® PRO Ethernet Adapter and Software-->Prounstl.exe
iTunes-->MsiExec.exe /I{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}
Java™ 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
Lexmark Supplies Monitor-->C:\WINDOWS\system32\LXSMUNIN.EXE
Lexmark Z23-Z33-->C:\WINDOWS\system32\spool\drivers\w32x86\3\lxaiUN5C.EXE -dLexmark Z23-Z33
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Mozilla Firefox (3.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Windows 2000/XP Display Drivers-->rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvdd.inf
PowerArchiver 2004 v9.26-->"C:\Program Files\PowerArchiver\unins000.exe"
QuickTime-->MsiExec.exe /I{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}
SeaMonkey (1.1.15)-->C:\WINDOWS\SeaMonkeyUninstall.exe /ua "1.1.15 (en)"
Sound Blaster Live!-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{96E16100-A77F-4B31-B9AD-FFBA040EE1BD}\SETUP.EXE" -l0x9
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

======Hosts File======

127.0.0.1 localhost

======Security center information======

AV: AntiVir Desktop

======System event log======

Computer Name: HOME-VA41CK1FIM
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 30389
Source Name: Service Control Manager
Time Written: 20091225213928.000000-300
Event Type: error
User:

Edited by TeriBash, 11 March 2010 - 01:25 PM.
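
The RSIT and HijackThis sections above list every driver, service and AutoRun command and leave the reader to pick out the odd ones by eye. The Python script below is an added example written for this page (not a BleepingComputer tool and not part of TeriBash's logs); it applies the checks a helper would run over such a log: services whose binary HijackThis reports missing, drivers that load from a Temp directory, drivers RSIT printed without date/size, and AutoRun commands recorded under mountpoints2. The sample lines are excerpted verbatim from the log above, except the last one, which is constructed and labelled as such.

```python
"""Triage pass over RSIT / HijackThis log lines like the ones posted above.

Added example written for this page; not a BleepingComputer tool and not
part of TeriBash's logs.  SAMPLE_LINES are excerpted verbatim from the
log above, except the last line, which is constructed.
"""
import re

SAMPLE_LINES = r"""
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
shell\AutoRun\command - G:\CA_EdgeLitemobile.exe
R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2002-04-18 909837]
S3 aglcrfog;aglcrfog; \??\C:\DOCUME~1\Beth\LOCALS~1\Temp\aglcrfog.sys []
S4 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys []
R2 madeup;Constructed example, not from the log; C:\Documents and Settings\Beth\Local Settings\Temp\madeup.sys []
""".strip().splitlines()

# RSIT driver/service line: "<R|S><start> <name>;<description>; <path> [<date size>]"
DRIVER_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<desc>[^;]*); '
    r'(?P<path>.*?) \[(?P<stamp>[^\]]*)\]$')
# HijackThis O23 line: "O23 - Service: <desc> - <owner> - <path>"
O23_RE = re.compile(r'^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# mountpoints2 AutoRun command recorded for a removable volume
AUTORUN_RE = re.compile(r'^shell\\AutoRun\\command - (?P<cmd>.+)$')
TEMP_RE = re.compile(r'\\temp\\', re.I)


def parse_driver(line):
    """Dict of the driver fields, with the NT '\\??\\' prefix stripped from the path."""
    m = DRIVER_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    if d['path'].startswith('\\??\\'):
        d['path'] = d['path'][4:]
    return d


def temp_drivers(lines):
    """Drivers whose image lives under a Temp directory: unusual for anything
    except scanners that drop a transient driver (GMER does exactly this)."""
    return [d['name'] for d in map(parse_driver, lines) if d and TEMP_RE.search(d['path'])]


def no_file_info(lines):
    """Drivers RSIT printed with an empty [] (no date/size): the file could not
    be stat'ed.  On this system that also happens for \\??\\-prefixed paths of
    legitimate drivers, so treat it as a prompt to check the file by hand."""
    return [d['name'] for d in map(parse_driver, lines) if d and d['stamp'] == '']


def missing_services(lines):
    """O23 services whose binary HijackThis reports as '(file missing)'."""
    return [(m['desc'], m['owner']) for m in map(O23_RE.match, lines)
            if m and m['path'].endswith('(file missing)')]


def autorun_commands(lines):
    """Commands Explorer recorded for AutoRun on a removable drive."""
    return [m['cmd'] for m in map(AUTORUN_RE.match, lines) if m]


def triage(lines):
    """All four checks over one log, keyed by check name."""
    return {
        'temp_drivers': temp_drivers(lines),
        'no_file_info': no_file_info(lines),
        'missing_services': missing_services(lines),
        'autorun_commands': autorun_commands(lines),
    }


if __name__ == '__main__':
    for key, hits in triage(SAMPLE_LINES).items():
        print(f'{key}: {hits}')
```

Hits are leads, not verdicts. aglcrfog.sys is flagged because it sits in Temp, and the GMER header later in the thread names that same file as GMER's own scan driver; the `\??\`-prefixed Avira driver shows up with no file info just like sptd does, so that check only says "look at the file", not "this is bad". The `(file missing)` Symantec service and the AutoRun command left over from a G: drive are the kind of entries a helper asks about next.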


#4 TeriBash (Topic Starter)

Posted 11 March 2010 - 01:17 PM

Computer Name: HOME-VA41CK1FIM
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 30386
Source Name: Service Control Manager
Time Written: 20091225213928.000000-300
Event Type: error
User:

Computer Name: HOME-VA41CK1FIM
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 30383
Source Name: Service Control Manager
Time Written: 20091225213928.000000-300
Event Type: error
User:

Computer Name: HOME-VA41CK1FIM
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 30380
Source Name: Service Control Manager
Time Written: 20091225213928.000000-300
Event Type: error
User:

Computer Name: HOME-VA41CK1FIM
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 30377
Source Name: Service Control Manager
Time Written: 20091225213928.000000-300
Event Type: error
User:

=====Application event log=====

Computer Name: HOME-VA

Edited by TeriBash, 11 March 2010 - 01:27 PM.


#5 TeriBash (Topic Starter)

Posted 11 March 2010 - 01:21 PM

Event Code: 4113
Message: AntiVir has detected 'TR/Crypt.ULPM.Gen'
in the file
D:\System Volume Information\_restore{070E7079-D2AB-4F87-AEFF-D08171744F92}\RP263\A0014884.exe

Record Number: 14811
Source Name: Avira AntiVir
Time Written: 20091227004537.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: HOME-VA41CK1FIM
Event Code: 4113
Message: AntiVir has detected 'TR/Crypt.ULPM.Gen'
in the file
D:\System Volume Information\_restore{070E7079-D2AB-4F87-AEFF-D08171744F92}\RP263\A0014884.exe

Record Number: 14810
Source Name: Avira AntiVir
Time Written: 20091226234537.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: HOME-VA41CK1FIM
Event Code: 4113
Message: AntiVir has detected 'TR/Crypt.ULPM.Gen'
in the file
D:\System Volume Information\_restore{070E7079-D2AB-4F87-AEFF-D08171744F92}\RP263\A0014884.exe

Record Number: 14809
Source Name: Avira AntiVir
Time Written: 20091226224549.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: HOME-VA41CK1FIM
Event Code: 1000
Message: Faulting application avnotify.exe, version 9.0.10.0, faulting module urlmon.dll, version 6.0.2900.3311, fault address 0x0003b5e6.

Record Number: 14807
Source Name: Application Error
Time

Edited by TeriBash, 11 March 2010 - 01:29 PM.


#6 TeriBash (Topic Starter)

Posted 11 March 2010 - 01:29 PM

Time Written: 20091225214448.000000-300
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0207
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-11 13:14:46
Windows 5.1.2600 Service Pack 3, v.3311
Running: gmer.exe; Driver: C:\DOCUME~1\Beth\LOCALS~1\Temp\aglcrfog.sys


---- System - GMER 1.0.15 ----

SSDT EC3E0EEE ZwCreateKey
SSDT EC3E0EE4 ZwCreateThread
SSDT EC3E0EF3 ZwDeleteKey
SSDT EC3E0EFD ZwDeleteValueKey
SSDT EC3E0F02 ZwLoadKey
SSDT EC3E0ED0 ZwOpenProcess
SSDT EC3E0ED5 ZwOpenThread
SSDT EC3E0F0C ZwReplaceKey
SSDT EC3E0F07 ZwRestoreKey
SSDT EC3E0EF8 ZwSetValueKey
SSDT EC3E0EDF ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 822E8B4C

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB3 0xCE 0x65 0xFB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x69 0xD9 0x1F 0xCE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x34 0x78 0x88 0x8F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB3 0xCE 0x65 0xFB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x69 0xD9 0x1F 0xCE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x34 0x78 0x88 0x8F ...

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8BQ0HE5B\google[2].htm 0 bytes
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#7 aommaster (Malware Response Team)

Posted 11 March 2010 - 04:50 PM

Hello, TeriBash.
Viewpoint Warning!

The logs also show Viewpoint Manager installed. Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

Viewpoint to Plunge Into Adware

I suggest you remove the program now. Go to Start > Control Panel > Add or Remove Programs. From within Add or Remove Programs uninstall the following if they exist:
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
We need to run ATF Cleaner
  1. Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)
  2. Double-click ATF-Cleaner.exe to run the program.
  3. Under Main "Select Files to Delete" choose: Select All.
  4. Click the Empty Selected button
  5. If you use Firefox browser Click Firefox at the top and choose: Select All
  6. Click the Empty Selected button.

    Note: If you would like to keep your saved passwords, please click No at the prompt.

  7. If you use Opera browser Click Opera at the top and choose: Select All
  8. Click the Empty Selected button.

    Note: If you would like to keep your saved passwords, please click No at the prompt.

  9. Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

NEXT:

We need to run TDSSKiller
  1. Download TDSSKiller and save it to your Desktop.
  2. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  3. Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks and do not include the word "Code"). Then press OK.
    CODE
    "%userprofile%\Desktop\TDSSKiller.exe" -l "%userprofile%\Desktop\TDSSKiller.txt" -v

    **Note: If it says "Hidden service detected" DO NOT type anything in. Just press Enter.
  4. When it is done, a log file should be created on your desktop called "TDSSKiller.txt". Please copy and paste the contents of that file here.

In your next reply, please include the following:
  • TDSSKiller.txt



#8 TeriBash (Topic Starter)

Posted 11 March 2010 - 05:07 PM

Here is the TDSSKiller log:

17:00:42:906 3900 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
17:00:42:906 3900 ================================================================================
17:00:42:906 3900 SystemInfo:

17:00:42:906 3900 OS Version: 5.1.2600 ServicePack: 3.0
17:00:42:906 3900 Product type: Workstation
17:00:42:906 3900 ComputerName: HOME-VA41CK1FIM
17:00:42:906 3900 UserName: Beth
17:00:42:906 3900 Windows directory: C:\WINDOWS
17:00:42:906 3900 Processor architecture: Intel x86
17:00:42:906 3900 Number of processors: 1
17:00:42:906 3900 Page size: 0x1000
17:00:42:906 3900 Boot type: Normal boot
17:00:42:906 3900 ================================================================================
17:00:42:921 3900 UnloadDriverW: NtUnloadDriver error 2
17:00:42:921 3900 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
17:00:43:078 3900 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
17:00:43:078 3900 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:00:43:078 3900 wfopen_ex: Trying to KLMD file open
17:00:43:078 3900 wfopen_ex: File opened ok (Flags 2)
17:00:43:078 3900 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
17:00:43:078 3900 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:00:43:078 3900 wfopen_ex: Trying to KLMD file open
17:00:43:078 3900 wfopen_ex: File opened ok (Flags 2)
17:00:43:078 3900 Initialize success
17:00:43:078 3900
17:00:43:078 3900 Scanning Services ...
17:00:43:593 3900 GetAdvancedServicesInfo: Raw services enum returned 301 services
17:00:43:609 3900
17:00:43:609 3900 Scanning Kernel memory ...
17:00:43:609 3900 Devices to scan: 3
17:00:43:609 3900
17:00:43:609 3900 Driver Name: Disk
17:00:43:609 3900 IRP_MJ_CREATE : F857CBB0
17:00:43:609 3900 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
17:00:43:609 3900 IRP_MJ_CLOSE : F857CBB0
17:00:43:609 3900 IRP_MJ_READ : F8576D1F
17:00:43:609 3900 IRP_MJ_WRITE : F8576D1F
17:00:43:609 3900 IRP_MJ_QUERY_INFORMATION : 804FA87E
17:00:43:609 3900 IRP_MJ_SET_INFORMATION : 804FA87E
17:00:43:609 3900 IRP_MJ_QUERY_EA : 804FA87E
17:00:43:609 3900 IRP_MJ_SET_EA : 804FA87E
17:00:43:609 3900 IRP_MJ_FLUSH_BUFFERS : F85772E2
17:00:43:609 3900 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
17:00:43:609 3900 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
17:00:43:609 3900 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
17:00:43:609 3900 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
17:00:43:609 3900 IRP_MJ_DEVICE_CONTROL : F85773BB
17:00:43:609 3900 IRP_MJ_INTERNAL_DEVICE_CONTROL : F857AF28
17:00:43:609 3900 IRP_MJ_SHUTDOWN : F85772E2
17:00:43:609 3900 IRP_MJ_LOCK_CONTROL : 804FA87E
17:00:43:609 3900 IRP_MJ_CLEANUP : 804FA87E
17:00:43:609 3900 IRP_MJ_CREATE_MAILSLOT : 804FA87E
17:00:43:609 3900 IRP_MJ_QUERY_SECURITY : 804FA87E
17:00:43:609 3900 IRP_MJ_SET_SECURITY : 804FA87E
17:00:43:609 3900 IRP_MJ_POWER : F8578C82
17:00:43:609 3900 IRP_MJ_SYSTEM_CONTROL : F857D99E
17:00:43:609 3900 IRP_MJ_DEVICE_CHANGE : 804FA87E
17:00:43:609 3900 IRP_MJ_QUERY_QUOTA : 804FA87E
17:00:43:609 3900 IRP_MJ_SET_QUOTA : 804FA87E
17:00:43:640 3900 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
17:00:43:640 3900
17:00:43:640 3900 Driver Name: Disk
17:00:43:640 3900 IRP_MJ_CREATE : F857CBB0
17:00:43:640 3900 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
17:00:43:640 3900 IRP_MJ_CLOSE : F857CBB0
17:00:43:640 3900 IRP_MJ_READ : F8576D1F
17:00:43:640 3900 IRP_MJ_WRITE : F8576D1F
17:00:43:640 3900 IRP_MJ_QUERY_INFORMATION : 804FA87E
17:00:43:640 3900 IRP_MJ_SET_INFORMATION : 804FA87E
17:00:43:640 3900 IRP_MJ_QUERY_EA : 804FA87E
17:00:43:640 3900 IRP_MJ_SET_EA : 804FA87E
17:00:43:640 3900 IRP_MJ_FLUSH_BUFFERS : F85772E2
17:00:43:640 3900 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
17:00:43:640 3900 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
17:00:43:640 3900 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
17:00:43:640 3900 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
17:00:43:640 3900 IRP_MJ_DEVICE_CONTROL : F85773BB
17:00:43:640 3900 IRP_MJ_INTERNAL_DEVICE_CONTROL : F857AF28
17:00:43:640 3900 IRP_MJ_SHUTDOWN : F85772E2
17:00:43:640 3900 IRP_MJ_LOCK_CONTROL : 804FA87E
17:00:43:640 3900 IRP_MJ_CLEANUP : 804FA87E
17:00:43:640 3900 IRP_MJ_CREATE_MAILSLOT : 804FA87E
17:00:43:640 3900 IRP_MJ_QUERY_SECURITY : 804FA87E
17:00:43:640 3900 IRP_MJ_SET_SECURITY : 804FA87E
17:00:43:640 3900 IRP_MJ_POWER : F8578C82
17:00:43:640 3900 IRP_MJ_SYSTEM_CONTROL : F857D99E
17:00:43:640 3900 IRP_MJ_DEVICE_CHANGE : 804FA87E
17:00:43:640 3900 IRP_MJ_QUERY_QUOTA : 804FA87E
17:00:43:640 3900 IRP_MJ_SET_QUOTA : 804FA87E
17:00:43:640 3900 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
17:00:43:640 3900
17:00:43:640 3900 Driver Name: atapi
17:00:43:640 3900 IRP_MJ_CREATE : 822E8B4C
17:00:43:640 3900 IRP_MJ_CREATE_NAMED_PIPE : 822E8B4C
17:00:43:640 3900 IRP_MJ_CLOSE : 822E8B4C
17:00:43:640 3900 IRP_MJ_READ : 822E8B4C
17:00:43:640 3900 IRP_MJ_WRITE : 822E8B4C
17:00:43:640 3900 IRP_MJ_QUERY_INFORMATION : 822E8B4C
17:00:43:640 3900 IRP_MJ_SET_INFORMATION : 822E8B4C
17:00:43:640 3900 IRP_MJ_QUERY_EA : 822E8B4C
17:00:43:640 3900 IRP_MJ_SET_EA : 822E8B4C
17:00:43:640 3900 IRP_MJ_FLUSH_BUFFERS : 822E8B4C
17:00:43:640 3900 IRP_MJ_QUERY_VOLUME_INFORMATION : 822E8B4C
17:00:43:640 3900 IRP_MJ_SET_VOLUME_INFORMATION : 822E8B4C
17:00:43:640 3900 IRP_MJ_DIRECTORY_CONTROL : 822E8B4C
17:00:43:640 3900 IRP_MJ_FILE_SYSTEM_CONTROL : 822E8B4C
17:00:43:640 3900 IRP_MJ_DEVICE_CONTROL : 822E8B4C
17:00:43:640 3900 IRP_MJ_INTERNAL_DEVICE_CONTROL : 822E8B4C
17:00:43:640 3900 IRP_MJ_SHUTDOWN : 822E8B4C
17:00:43:640 3900 IRP_MJ_LOCK_CONTROL : 822E8B4C
17:00:43:640 3900 IRP_MJ_CLEANUP : 822E8B4C
17:00:43:640 3900 IRP_MJ_CREATE_MAILSLOT : 822E8B4C
17:00:43:640 3900 IRP_MJ_QUERY_SECURITY : 822E8B4C
17:00:43:640 3900 IRP_MJ_SET_SECURITY : 822E8B4C
17:00:43:640 3900 IRP_MJ_POWER : 822E8B4C
17:00:43:640 3900 IRP_MJ_SYSTEM_CONTROL : 822E8B4C
17:00:43:640 3900 IRP_MJ_DEVICE_CHANGE : 822E8B4C
17:00:43:640 3900 IRP_MJ_QUERY_QUOTA : 822E8B4C
17:00:43:640 3900 IRP_MJ_SET_QUOTA : 822E8B4C
17:00:43:640 3900 Driver "atapi" infected by TDSS rootkit!
17:00:43:640 3900 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
17:00:43:640 3900 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
17:00:43:640 3900 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
17:00:43:640 3900 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
17:00:44:046 3900 vfvi6
17:00:44:250 3900 !dsvbh1
17:00:51:609 3900 dsvbh2
17:00:51:609 3900 fdfb2
17:00:51:609 3900 Backup copy found, using it..
17:00:51:734 3900 will be cured on next reboot
17:00:51:734 3900 Reboot required for cure complete..
17:00:51:765 3900 Cure on reboot scheduled successfully
17:00:51:765 3900
17:00:51:765 3900 Completed
17:00:51:765 3900
17:00:51:765 3900 Results:
17:00:51:765 3900 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
17:00:51:765 3900 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:00:51:765 3900 File objects infected / cured / cured on reboot: 1 / 0 / 1
17:00:51:765 3900
17:00:51:765 3900 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
17:00:51:765 3900 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
17:00:51:765 3900 UnloadDriverW: NtUnloadDriver error 1
17:00:51:765 3900 KLMD_Unload: UnloadDriverW(klmd21) error 1
17:00:51:765 3900 KLMD(ARK) unloaded successfully
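Added example, not from the thread and not part of Kaspersky's TDSSKiller: a parser for the log format above that re-derives the one signal a reader can see in the text itself, a driver whose entire IRP dispatch table resolves to a single address (the "atapi" block, versus the "Disk" block whose handlers are spread over several addresses), and reads the Results block to confirm that a cure is still pending a reboot. The log text embedded in the block is a constructed, abridged copy of the one posted, not the poster's full log.

```python
import re
from collections import Counter

# Constructed, abridged excerpt in the same format as the TDSSKiller 2.2.8
# log posted above; it is not the poster's complete log.
SAMPLE_LOG = """\
17:00:43:609 3900 Scanning Kernel memory ...
17:00:43:609 3900 Devices to scan: 2
17:00:43:609 3900
17:00:43:609 3900 Driver Name: Disk
17:00:43:609 3900 IRP_MJ_CREATE : F857CBB0
17:00:43:609 3900 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
17:00:43:609 3900 IRP_MJ_CLOSE : F857CBB0
17:00:43:609 3900 IRP_MJ_READ : F8576D1F
17:00:43:609 3900 IRP_MJ_WRITE : F8576D1F
17:00:43:609 3900 IRP_MJ_QUERY_EA : 804FA87E
17:00:43:609 3900 IRP_MJ_DEVICE_CONTROL : F85773BB
17:00:43:640 3900 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
17:00:43:640 3900
17:00:43:640 3900 Driver Name: atapi
17:00:43:640 3900 IRP_MJ_CREATE : 822E8B4C
17:00:43:640 3900 IRP_MJ_CREATE_NAMED_PIPE : 822E8B4C
17:00:43:640 3900 IRP_MJ_CLOSE : 822E8B4C
17:00:43:640 3900 IRP_MJ_READ : 822E8B4C
17:00:43:640 3900 IRP_MJ_WRITE : 822E8B4C
17:00:43:640 3900 IRP_MJ_QUERY_EA : 822E8B4C
17:00:43:640 3900 IRP_MJ_DEVICE_CONTROL : 822E8B4C
17:00:43:640 3900 Driver "atapi" infected by TDSS rootkit!
17:00:43:640 3900 C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: 1
17:00:51:765 3900 Results:
17:00:51:765 3900 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
17:00:51:765 3900 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:00:51:765 3900 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Every line carries a "HH:MM:SS:mmm PID" prefix; some carry no message at all.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s?(.*)$")
DRIVER_RE = re.compile(r"^Driver Name: (\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+) : ([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(.+?) - Verdict: (\d+)$")
RESULT_RE = re.compile(
    r"^(Memory|Registry|File) objects infected / cured / cured on reboot: "
    r"(\d+) / (\d+) / (\d+)$")


def parse_tdsskiller_log(text):
    """Return (drivers, results).

    drivers: one dict per "Driver Name:" block, with its IRP_MJ_* handler
             addresses, the file the tool attributed it to, the tool's own
             verdict and whether the tool printed an infection line for it.
    results: {"memory"|"registry"|"file": (infected, cured, cured_on_reboot)}
    """
    drivers, results, current = [], {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(1).strip()
        if d := DRIVER_RE.match(msg):
            current = {"name": d.group(1), "irp": {}, "file": None,
                       "verdict": None, "flagged_by_tool": False}
            drivers.append(current)
        elif current and (i := IRP_RE.match(msg)):
            current["irp"][i.group(1)] = int(i.group(2), 16)
        elif current and (v := VERDICT_RE.match(msg)):
            current["file"], current["verdict"] = v.group(1), int(v.group(2))
        elif current and "infected by TDSS rootkit" in msg:
            current["flagged_by_tool"] = True
        elif r := RESULT_RE.match(msg):
            results[r.group(1).lower()] = tuple(int(x) for x in r.group(2, 3, 4))
    return drivers, results


def uniform_dispatch_tables(drivers, min_entries=4):
    """Drivers whose every IRP_MJ_* entry resolves to one address.

    A legitimate driver implements a few majors itself and leaves the rest on
    the kernel's shared default handler, so its table shows several distinct
    addresses ("Disk" above). A table in which every major, including ones a
    storage driver never implements, points to one address is the pattern the
    tool reported for "atapi".
    """
    flagged = []
    for d in drivers:
        addrs = Counter(d["irp"].values())
        if len(d["irp"]) >= min_entries and len(addrs) == 1:
            flagged.append((d["name"], "%08X" % next(iter(addrs))))
    return flagged


def reboot_pending(results):
    """True when a cure was scheduled for the next reboot: the machine is not
    clean until it has been restarted and rescanned."""
    return any(on_reboot > 0 for _, _, on_reboot in results.values())


if __name__ == "__main__":
    found, summary = parse_tdsskiller_log(SAMPLE_LOG)
    for name, addr in uniform_dispatch_tables(found):
        print(f"{name}: all IRP handlers -> {addr} (dispatch table hooked)")
    print("reboot pending:", reboot_pending(summary))
```

The uniform-table check is a heuristic, not proof: it will also fire on a driver that legitimately routes every major through one stub, so treat a hit as "look at this driver" and let the tool's own verdict and the on-disk file comparison decide.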


#9 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:07:04 PM

Posted 11 March 2010 - 05:27 PM

Hello, TeriBash.
Looks good. How's your PC doing?
We need to update your version of Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  1. Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  2. Look for "JDK 6 Update 18 (JDK or JRE)".
  3. Click the Download JRE button to the right.
  4. Select your Platform: "Windows".
  5. Select your Language: "Multi-language".
  6. Read the License Agreement, and then check the box that says: "Accept License Agreement".
  7. Click Continue and the page will refresh.
  8. Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  9. Close any programs you may have running - especially your web browser.
  10. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  11. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  12. Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  13. Repeat as many times as necessary to remove each Java version.
  14. Reboot your computer once all Java components are removed.
  15. Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Please make sure you turn on the Java Automatic Update Feature

Then you will not have to remember to update it when Java introduces a new version.
Java is updated very frequently, and the old versions are malware magnets.

Note: This feature is available only on Windows XP, 2003, 2000 (SP2 or higher) and set by default for these operating systems.

NEXT:

We need to run a Panda Active Scan
  1. Please go here to run Panda's ActiveScan
  2. Once you are on the Panda site click the Scan your PC button
  3. Click the big Scan Now button
  4. If it wants to install an ActiveX component allow it
  5. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  6. When download is complete, click on My Computer to start the scan
  7. When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

NEXT:

Please post up a fresh GMER log

In your next reply, please include the following:
  • ActiveScan Report



#10 TeriBash

TeriBash
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:11:04 AM

Posted 11 March 2010 - 08:28 PM

OK, so everything "seems" to be back to normal. I have not had any of the previous issues since following the previous steps. There were a few more detections when using Panda Active Scan. Here are the requested logs:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2010-03-11 19:46:49
PROTECTIONS: 1
MALWARE: 4
SUSPECTS: 2
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AntiVir Desktop 9.0.1.32 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00167642 Cookie/Com.com TrackingCookie No 0 Yes No c:\documents and settings\beth\application data\mozilla\profiles\default\i60hzgpj.slt\cookies.txt[.com.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No c:\documents and settings\beth\application data\mozilla\profiles\default\i60hzgpj.slt\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No c:\documents and settings\beth\application data\mozilla\profiles\default\i60hzgpj.slt\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No c:\documents and settings\beth\application data\mozilla\profiles\default\i60hzgpj.slt\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No c:\documents and settings\beth\application data\mozilla\profiles\default\i60hzgpj.slt\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No c:\documents and settings\beth\application data\mozilla\profiles\default\i60hzgpj.slt\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No c:\documents and settings\beth\application data\mozilla\profiles\default\i60hzgpj.slt\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No c:\documents and settings\beth\application data\mozilla\profiles\default\i60hzgpj.slt\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No c:\documents and settings\beth\application data\mozilla\profiles\default\i60hzgpj.slt\cookies.txt[.go.com/]
00484705 Application/IEDefender HackTools No 0 Yes No c:\system volume information\_restore{070e7079-d2ab-4f87-aeff-d08171744f92}\rp325\a0019096.exe
00921467 Generic Malware Virus/Trojan No 0 Yes No c:\system volume information\_restore{070e7079-d2ab-4f87-aeff-d08171744f92}\rp325\a0019088.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No c:\documents and settings\beth\desktop\av_files\smitfraudfix.exe
No c:\program files\daemon tools lite\uninst.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
217842 HIGH MS10-015
217839 HIGH MS10-012
217838 HIGH MS10-011
217834 HIGH MS10-008
217833 HIGH MS10-007
217832 HIGH MS10-006
217831 HIGH MS10-005
217169 HIGH MS10-002
216839 HIGH MS10-001
215938 HIGH MS09-072
215935 HIGH MS09-069
215048 HIGH MS09-065
214076 HIGH MS09-059
971486 HIGH MS09-058
214074 HIGH MS09-057
214073 HIGH MS09-056
214072 HIGH MS09-055
214071 HIGH MS09-054
213109 HIGH MS09-046
212494 HIGH MS09-042
212493 HIGH MS09-041
212530 HIGH MS09-034
211784 HIGH MS09-032
211781 HIGH MS09-029
210625 HIGH MS09-026
210624 HIGH MS09-025
210621 HIGH MS09-022
210618 HIGH MS09-019
208380 HIGH MS09-015
208379 HIGH MS09-014
208378 HIGH MS09-013
208377 HIGH MS09-012
206981 HIGH MS09-007
206980 HIGH MS09-006
204670 HIGH MS09-001
203806 HIGH MS08-078
203508 HIGH MS08-073
203505 HIGH MS08-071
202465 HIGH MS08-068
201683 HIGH MS08-067
201258 HIGH MS08-066
201256 HIGH MS08-064
201255 HIGH MS08-063
201253 HIGH MS08-061
201250 HIGH MS08-058
209275 HIGH MS08-049
209273 HIGH MS08-045
196455 MEDIUM MS08-037
194862 HIGH MS08-032
194861 HIGH MS08-031
194860 HIGH MS08-030
;===================================================================================================================================================================================


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-11 20:23:47
Windows 5.1.2600 Service Pack 3, v.3311
Running: gmer.exe; Driver: C:\DOCUME~1\Beth\LOCALS~1\Temp\aglcrfog.sys


---- System - GMER 1.0.15 ----

SSDT F8B40106 ZwCreateKey
SSDT F8B400FC ZwCreateThread
SSDT F8B4010B ZwDeleteKey
SSDT F8B40115 ZwDeleteValueKey
SSDT F8B4011A ZwLoadKey
SSDT F8B400E8 ZwOpenProcess
SSDT F8B400ED ZwOpenThread
SSDT F8B40124 ZwReplaceKey
SSDT F8B4011F ZwRestoreKey
SSDT F8B40110 ZwSetValueKey
SSDT F8B400F7 ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB3 0xCE 0x65 0xFB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x69 0xD9 0x1F 0xCE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x34 0x78 0x88 0x8F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB3 0xCE 0x65 0xFB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x69 0xD9 0x1F 0xCE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x34 0x78 0x88 0x8F ...

---- EOF - GMER 1.0.15 ----
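Added example, not from the thread and not Panda's own code: a triage script for the ActiveScan report format above. It separates detections that live in System Restore snapshots or in the browser's cookie store from anything on the live file system, and orders the missing Microsoft bulletins by severity so the patching step can be prioritized. The report embedded in the block is a constructed, abridged version of the posted one with the separator rows shortened.

```python
import re

# Constructed, abridged report in the same layout as the Panda ActiveScan
# output posted above; separator rows are shortened.
SAMPLE_REPORT = """\
;****
ANALYSIS: 2010-03-11 19:46:49
PROTECTIONS: 1
MALWARE: 4
SUSPECTS: 2
;****
PROTECTIONS
Description Version Active Updated
;====
AntiVir Desktop 9.0.1.32 Yes Yes
;====
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;====
00167642 Cookie/Com.com TrackingCookie No 0 Yes No c:\\documents and settings\\beth\\application data\\mozilla\\profiles\\default\\i60hzgpj.slt\\cookies.txt[.com.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No c:\\documents and settings\\beth\\application data\\mozilla\\profiles\\default\\i60hzgpj.slt\\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No c:\\documents and settings\\beth\\application data\\mozilla\\profiles\\default\\i60hzgpj.slt\\cookies.txt[.go.com/]
00484705 Application/IEDefender HackTools No 0 Yes No c:\\system volume information\\_restore{070e7079-d2ab-4f87-aeff-d08171744f92}\\rp325\\a0019096.exe
00921467 Generic Malware Virus/Trojan No 0 Yes No c:\\system volume information\\_restore{070e7079-d2ab-4f87-aeff-d08171744f92}\\rp325\\a0019088.exe
;====
SUSPECTS
Sent Location
;====
No c:\\documents and settings\\beth\\desktop\\av_files\\smitfraudfix.exe
;====
VULNERABILITIES
Id Severity Description
;====
217842 HIGH MS10-015
201683 HIGH MS08-067
196455 MEDIUM MS08-037
;====
"""

SECTIONS = {"PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES"}
# Id, free-text description, one-word type, Active, Severity, Disinfectable,
# Disinfected, then a location that may itself contain spaces. The fixed
# Yes/No, digits, Yes/No, Yes/No run anchors the non-greedy description.
MALWARE_RE = re.compile(r"^(\d{8}) (.+?) (\S+) (Yes|No) (\d+) (Yes|No) (Yes|No) (.+)$")
VULN_RE = re.compile(r"^(\d+) (HIGH|MEDIUM|LOW) (MS\d{2}-\d{3})$")
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def parse_activescan(text):
    """Return (malware rows, vulnerability rows) from an ActiveScan report."""
    section, malware, vulns = None, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # banner and separator rows
        if line in SECTIONS:
            section = line
            continue
        if section == "MALWARE" and (m := MALWARE_RE.match(line)):
            malware.append({"id": m.group(1), "description": m.group(2),
                            "type": m.group(3), "active": m.group(4) == "Yes",
                            "location": m.group(8)})
        elif section == "VULNERABILITIES" and (v := VULN_RE.match(line)):
            vulns.append({"id": v.group(1), "severity": v.group(2),
                          "bulletin": v.group(3)})
    return malware, vulns


def classify_location(path):
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system restore point"    # gone once old restore points are purged
    if "cookies.txt[" in p or "\\cookies\\" in p:
        return "browser cookie"          # gone once browser cookies are cleared
    return "on disk"                     # the only bucket that needs a real look


def triage(malware):
    """Unique detection locations, grouped by where they live."""
    buckets = {"system restore point": set(), "browser cookie": set(), "on disk": set()}
    for m in malware:
        buckets[classify_location(m["location"])].add(m["location"])
    return {k: sorted(v) for k, v in buckets.items()}


def missing_bulletins(vulns):
    """(severity, bulletin) pairs, most severe first, then by bulletin id."""
    return sorted(((v["severity"], v["bulletin"]) for v in vulns),
                  key=lambda sv: (SEVERITY_RANK[sv[0]], sv[1]))


if __name__ == "__main__":
    rows, holes = parse_activescan(SAMPLE_REPORT)
    for bucket, paths in triage(rows).items():
        print(f"{bucket}: {len(paths)} unique location(s)")
    for severity, bulletin in missing_bulletins(holes):
        print(f"{severity:6} {bulletin}")
```

The repeated Cookie/Go rows in the real report collapse to a single location here, which is why `triage` works on sets rather than counting rows; the "on disk" bucket being empty is the condition under which the helper's "clear restore points and move on" advice applies.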

#11 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:07:04 PM

Posted 11 March 2010 - 09:19 PM

Hello, TeriBash.
The files that Panda ActiveScan found are cookies and system restore points. The cookies help websites know who you are so they can keep you logged in.

We clear system restore points at the end of the fix, which is what we'll do now.

Your log looks clean. Please take the time to read below to secure your machine and take the necessary steps to keep it clean.
Hiding Hidden Files
Please set your system to hide all hidden files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Purging System Restore Points
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
  2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  3. Then go to Start > Run and type: Cleanmgr
  4. Click "OK".
  5. Click the "More Options" Tab.
  6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
There are many ways to reduce the chance of getting infected in the future. Below, I have listed a few:
  1. Practice Safe Internet
    • Be wary of attachments in emails. Avoid opening .exe, .com, .bat, or .pif files.
    • Watch out for Foistware. More info can be found on Foistware, And how to avoid it.
    • Do not fall for Rogue/Suspect Anti-Spyware Products & Web Sites
    • Do not go to adult sites.
    • When using an Instant Messaging program be cautious about clicking on links people send to you.
    • Stay away from Warez and Crack sites. In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
    • Use McAfee Siteadvisor to look up info on a site if you are not sure whether it is legitimate
    • Do not install any software without first reading the End User License Agreement, otherwise known as the EULA.
  2. Make Internet Explorer more secure
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt

        When all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Keep Windows updated
    Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer. Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install.
  4. Install and update the following programs frequently
    1. An outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here
    2. An antivirus software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats. Three good antivirus programs free for non-commercial home use are Avast!, Antivir and AVG Antivirus
    3. An antispyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates. SUPERAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    4. SpywareBlaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    5. MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file
  5. Keep your other software updated too
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
Some more links you might find of interest:

Edited by aommaster, 11 March 2010 - 09:20 PM.

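Added example, not from the thread: a way to verify that the Internet-zone changes listed under "Make Internet Explorer more secure" actually took, by auditing a `reg export` of the zone key instead of re-reading the dialog. The value names are Internet Explorer's documented URL-action identifiers for those six settings (zone 3 is the Internet zone; 0 = Enable, 1 = Prompt, 3 = Disable); the export text inside the block is constructed, not taken from the poster's machine.

```python
import re

# Internet Explorer stores per-zone security settings as DWORD values named by
# URL-action id under the zone key; 3 is the Internet zone. The six ids below
# are the documented ids for the settings the post asks the reader to change.
INTERNET_ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ACTION_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}

# Constructed sample of what `reg export` of that key produces; 1001 and 1800
# are still on Enable and 1607 was never written, so three findings result.
SAMPLE_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1800"=dword:00000000
"1804"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"(\d{4})"=dword:([0-9A-Fa-f]{8})$')


def parse_zone_export(text, key=INTERNET_ZONE_KEY):
    """Return {action_id: value} for DWORD values under the given zone key,
    ignoring any other keys that happen to be in the same export."""
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if k := KEY_RE.match(line):
            in_key = k.group(1).lower() == key.lower()
            continue
        if in_key and (d := DWORD_RE.match(line)):
            values[d.group(1)] = int(d.group(2), 16)
    return values


def audit_internet_zone(values):
    """List each recommended setting whose current value differs.

    A value that is absent from the export falls back to the zone template's
    default, which the export alone cannot show, so it is reported as
    "not set" rather than assumed safe.
    """
    findings = []
    for action_id, (name, want) in RECOMMENDED.items():
        have = values.get(action_id)
        if have == want:
            continue
        if have is None:
            current = "not set"
        else:
            current = ACTION_NAMES.get(have, f"0x{have:X}")
        findings.append({"id": action_id, "setting": name,
                         "current": current, "recommended": ACTION_NAMES[want]})
    return findings


if __name__ == "__main__":
    for f in audit_internet_zone(parse_zone_export(SAMPLE_EXPORT)):
        print(f'{f["id"]} {f["setting"]}: {f["current"]} -> {f["recommended"]}')
```

To run it against a real profile, export the key with `reg export` on the machine and pass the file's text to `parse_zone_export`. If the machine is set to use the machine-wide zone settings instead of the per-user ones (the `Security_HKLM_only` value under Internet Settings), export the same `Zones\3` key from HKEY_LOCAL_MACHINE and pass that key path as the `key` argument.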


#12 TeriBash

TeriBash
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:11:04 AM

Posted 11 March 2010 - 09:32 PM

OK, I have followed your advice and thank you greatly for all of your help.

#13 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:07:04 PM

Posted 11 March 2010 - 09:37 PM

No problem. Glad to be of help.

Since this problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please send me a PM with the address of this thread. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.





