
Win32/Patched.CG


  • This topic is locked
38 replies to this topic

#1 fulham

  • Members
  • 23 posts

Posted 02 April 2010 - 11:10 AM

This virus appears every time I start the PC and when the infected file is accessed. I have tried cleaning with AVG and Malwarebytes full scan, but it's still appearing. The PC has started crashing (blue screen). The infected file is: C:\Windows\System32\drivers\nvata.sys. Logs attached.

DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Roger at 10:08:50.25 on Thu 04/01/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.305 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAPPActiveProtection.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Roger\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070607
uInternet Settings,ProxyOverride = localhost
mSearchAssistant = hxxp://www.google.com
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {291f88f3-cf26-46b2-90ee-ee77b403bc6f} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [<NO NAME>]
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [QOELOADER] "c:\program files\ca\etrust ez armor\etrust anti-spam\qsp-5.1.18.0\QOELoader.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\roger\startm~1\programs\startup\filmon~1.lnk - c:\program files\filmon hdi player\launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: Download All By FlashGet3 - c:\documents and settings\roger\application data\flashgetbho\GetAllUrl.htm
IE: Download By FlashGet3 - c:\documents and settings\roger\application data\flashgetbho\GetUrl.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4B6E3013-6E45-11D0-9309-0020AFE05CC8} - hxxp://concept.gamberjohnson.com/core/ext/blah/Install-Vrml3DPlayer.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL ,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 91.212.65.122 browser-security.microsoft.com
Hosts: 91.212.65.122 spyware-protector-2009.com
Hosts: 91.212.65.122 www.spyware-protector-2009.com
Hosts: 91.212.65.122 secure.spyware-protector-2009.com
Hosts: 91.212.65.122 knocker

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\roger\applic~1\mozilla\firefox\profiles\37eog2w0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\roger\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\roger\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-17 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-17 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-17 242696]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-3-5 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-3-5 21104]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2009-10-13 739696]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-3-5 21488]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-3-5 32240]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-16 308064]
R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\etrust ez armor\etrust pestpatrol\PPCtlPriv.exe [2007-8-16 189704]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-10-13 133520]
S2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2009-3-5 144960]
S2 gupdate1c9c36526a00cca;Google Update Service (gupdate1c9c36526a00cca);c:\program files\google\update\GoogleUpdate.exe [2009-4-22 133104]
S2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2009-3-5 238832]

=============== Created Last 30 ================

2010-03-23 19:22:37 0 d-----w- c:\docume~1\roger\applic~1\111 Pix Ltd
2010-03-23 19:18:56 0 d-----w- c:\program files\FilmOn HDi Player
2010-03-19 16:04:46 0 d-----w- c:\docume~1\roger\applic~1\SkypeMate
2010-03-16 13:23:51 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-10 23:11:23 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-03-16 13:23:54 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-16 13:22:56 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-25 15:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-22 21:33:57 19837 ------w- c:\program files\common files\ezovemik.ban
2008-10-22 21:33:57 18975 ------w- c:\program files\common files\xojyjacis.lib
2008-10-22 21:33:57 15543 ------w- c:\program files\common files\laraqu.bin
2008-10-22 21:33:57 12426 ------w- c:\program files\common files\izaxuguh.bat
2002-07-31 23:55:12 324 --sh--w- c:\windows\WSYS049.SYS
2008-10-01 02:34:24 168 --sh--r- c:\windows\system32\D50D164753.sys
2008-10-01 02:34:29 5174 --sh--w- c:\windows\system32\KGyGaAvL.sys
2009-08-06 02:27:11 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-10-22 21:01:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102220081023\index.dat
2008-10-23 12:55:13 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102320081024\index.dat

============= FINISH: 10:12:25.34 ===============

Attached Files
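The DDS "Pseudo HJT Report" above already carries most of the evidence the helper reacts to in the next post: a non-zero SFCDisable (Windows File Protection switched off), BHO/toolbar entries that point at no file, an AppInit_DLLs value, and a block of hosts-file entries that send several names (including one under microsoft.com) to the same non-loopback address. The following script is an added example for this thread, not part of DDS or of any post; it triages those indicator lines. The sample lines are copied from the posted log, except the `127.0.0.1 localhost` control line, which is constructed.

```python
"""Triage a DDS 'Pseudo HJT Report' for hijack indicators.

Added example for this thread; it is not part of DDS or of any post above.
Sample lines are copied from the DDS log posted above, except the
'127.0.0.1 localhost' control line, which is constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

SAMPLE_DDS = r"""
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {291f88f3-cf26-46b2-90ee-ee77b403bc6f} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL ,
Trusted Zone: ameritrade.com
Hosts: 91.212.65.122 browser-security.microsoft.com
Hosts: 91.212.65.122 spyware-protector-2009.com
Hosts: 91.212.65.122 knocker
Hosts: 127.0.0.1 localhost
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # high / medium / low / info
    kind: str
    detail: str


_SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
SFC_RE = re.compile(r"^mWinlogon:\s+SFCDisable=(-?\d+)")
ORPHAN_RE = re.compile(r"^(BHO|TB):\s+(\{[0-9A-Fa-f-]+\})\s+-\s+No File$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.*?)\s*$")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s+(\S+)")


def _is_local(ip_text: str) -> bool:
    """True for loopback/unspecified targets, the only benign hosts-file destinations."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def triage_dds(text: str) -> list[Finding]:
    findings: list[Finding] = []
    redirects: dict[str, list[str]] = {}  # target IP -> hijacked host names
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if not _is_local(ip):
                redirects.setdefault(ip, []).append(host)
        elif m := SFC_RE.match(line):
            # Any non-zero SFCDisable turns Windows File Protection off, so a
            # patched protected file is no longer restored from dllcache.
            if int(m.group(1)) != 0:
                findings.append(Finding("high", "wfp-disabled",
                    f"SFCDisable={m.group(1)}: Windows File Protection is off"))
        elif m := ORPHAN_RE.match(line):
            findings.append(Finding("low", "orphaned-entry",
                f"{m.group(1)} {m.group(2)} points at a missing file"))
        elif m := APPINIT_RE.match(line):
            value = m.group(1).rstrip(" ,")
            if value:
                findings.append(Finding("medium", "appinit-dll",
                    f"AppInit_DLLs loads {value} into every process that links user32.dll"))
        elif m := TRUSTED_RE.match(line):
            findings.append(Finding("info", "trusted-zone",
                f"{m.group(1)} runs in IE's Trusted Sites zone with relaxed security"))
    # Many names mapped to one non-local IP is the fake-AV / sinkhole pattern.
    for ip, hosts in redirects.items():
        findings.append(Finding("high", "hosts-redirect",
            f"{len(hosts)} host name(s) resolve to {ip} via the hosts file: {', '.join(hosts)}"))
    findings.sort(key=lambda f: _SEVERITY_RANK[f.severity])
    return findings


def severity_counts(findings) -> dict[str, int]:
    counts = {s: 0 for s in _SEVERITY_RANK}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.kind}: {f.detail}")
```

Run against the posted log, the two high findings are the disabled file protection and the block of names pointing at 91.212.65.122; the "No File" BHO and toolbar entries are leftovers worth cleaning but are not by themselves evidence of an active infection.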




#2 syler

  • Malware Response Team
  • 8,150 posts
  • Location:Warrington, UK

Posted 02 April 2010 - 11:27 AM

Hi fulham,

From what you have said and after having a quick look at your logs, it doesn't look good. I can see you have a rootkit and you may also have a file infector; let's do a check to see what is there.


Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program.
  • Cancel any prompts to download the latest CureIt version and click Start.
  • At the prompt to "Start scan now", click Ok. Allow the setup.exe/driver to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Thanks



#3 fulham

  • Topic Starter
  • Members
  • 23 posts

Posted 02 April 2010 - 04:22 PM

I have a problem. I've downloaded Dr.Web CureIt.exe, but I can't reboot my computer in Safe Mode. When I tried I got the blue screen with the message: "Windows has shut down to prevent damage to your computer." I can load Windows in normal mode without a problem.

#4 syler

  • Malware Response Team
  • 8,150 posts
  • Location:Warrington, UK

Posted 03 April 2010 - 04:52 AM

Please run it in normal mode then.



#5 fulham

  • Topic Starter
  • Members
  • 23 posts

Posted 04 April 2010 - 06:13 PM

I ran Dr.Web and the Express Scan found 2 infections. I did the Cure > Move Incurable. I then ran the Complete Scan and after about 4 hours it crashed. I tried it again and it did the same thing. I then ran a Custom Scan selecting just the C:\Windows folder as that's where it previously found the viruses. After it finished I did the Move > Move Incurable, but when I tried to exit the application I got a warning box that said that 3 infections were found, but no action was taken. When I looked under "Statistics" it showed that no files had been moved. Here is the log report:

nvata.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2213 - write error - write error;;
nvata.sys;c:\windows\system32\drivers;BackDoor.Tdss.2213 - write error - write error;;
nvata.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2213 - write error;;
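The three report lines above are the same driver reported on three attempts, and every action ends in "write error": the scanner, running inside the infected system, could not modify the file at all. That is the signal that something kernel-side is protecting the file and is why the helper escalates to a different tool in the next post. The following script is an added example for this thread, not part of Dr.Web or of any post; it parses Dr.Web's semicolon-separated report, groups repeated detections of one file (note the report varies the path casing), and lists files that no attempt managed to cure, move or delete. The nvata.sys lines are copied from the posted report; the eicar line is a constructed control, and the exact words Dr.Web uses for a successful action are assumed.

```python
"""Parse a Dr.Web CureIt report and list files the scanner could not act on.

Added example for this thread; it is not part of Dr.Web or of any post above.
The three nvata.sys lines are copied from the report posted above; the eicar
line is a constructed control, and the action words that count as success
('cured', 'moved', 'deleted', 'renamed') are an assumption about Dr.Web's wording.
"""
from __future__ import annotations

from dataclasses import dataclass

SAMPLE_DRWEB = r"""
nvata.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2213 - write error - write error;;
nvata.sys;c:\windows\system32\drivers;BackDoor.Tdss.2213 - write error - write error;;
nvata.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2213 - write error;;
eicar.com;C:\Documents and Settings\Roger\Desktop;EICAR Test File (NOT a Virus!) - moved;;
"""

# Assumed action words that mean the scanner actually changed the file on disk.
SUCCESS_ACTIONS = {"cured", "moved", "deleted", "renamed"}


@dataclass(frozen=True)
class Detection:
    path: str                 # full path as reported
    threat: str
    actions: tuple[str, ...]  # one entry per action Dr.Web attempted

    @property
    def path_key(self) -> str:
        # Windows paths are case-insensitive and the report repeats the same
        # file with different casing, so group on a lower-cased key.
        return self.path.lower()


def parse_drweb(text: str) -> list[Detection]:
    """Each record is 'name;directory;threat - action [- action ...];;'."""
    detections: list[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 3:
            continue  # not a detection record
        name, directory, result = fields[0], fields[1], fields[2]
        parts = [p.strip() for p in result.split(" - ")]
        threat, actions = parts[0], tuple(parts[1:])
        detections.append(Detection(directory.rstrip("\\") + "\\" + name, threat, actions))
    return detections


def unresolved_files(detections) -> dict[str, dict]:
    """Files with at least one detection and no successful action in any attempt."""
    by_path: dict[str, dict] = {}
    for d in detections:
        entry = by_path.setdefault(d.path_key, {
            "path": d.path, "threat": d.threat, "attempts": 0,
            "resolved": False, "last_actions": (),
        })
        entry["attempts"] += 1
        entry["last_actions"] = d.actions
        if any(a.lower() in SUCCESS_ACTIONS for a in d.actions):
            entry["resolved"] = True
    return {k: v for k, v in by_path.items() if not v["resolved"]}


if __name__ == "__main__":
    for key, info in unresolved_files(parse_drweb(SAMPLE_DRWEB)).items():
        print(f"{info['path']}: {info['threat']} survived {info['attempts']} attempt(s); "
              f"last result: {', '.join(info['last_actions'])}")
```

A file that a scanner detects but cannot write to, repeatedly, from within the running OS is not going to be fixed by running the same scanner again; the next step is a tool that removes the protecting driver or an offline scan from outside the infected system.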

#6 syler

  • Malware Response Team
  • 8,150 posts
  • Location:Warrington, UK

Posted 05 April 2010 - 06:59 AM

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#7 fulham

  • Topic Starter
  • Members
  • 23 posts

Posted 05 April 2010 - 07:49 PM

ComboFix log:
ComboFix 10-04-04.01 - Roger 04/05/2010 19:42:56.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.697 [GMT -4:00]
Running from: c:\documents and settings\Roger\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\avoza.inf
c:\documents and settings\Roger\Application Data\BITS
c:\documents and settings\Roger\Application Data\BITS\BITS.ini
c:\documents and settings\Roger\Application Data\BITS\DHTTable.dat
c:\documents and settings\Roger\Application Data\BITS\ProxyList.ini
c:\documents and settings\Roger\Application Data\BITS\UPnP.ini
c:\documents and settings\Roger\Application Data\FlashGetBHO
c:\documents and settings\Roger\Application Data\FlashGetBHO\FlashGetBHO3.dll
c:\documents and settings\Roger\Application Data\FlashGetBHO\FlashGetHook.dll
c:\documents and settings\Roger\Application Data\FlashGetBHO\GetAllUrl.htm
c:\documents and settings\Roger\Application Data\FlashGetBHO\GetUrl.htm
c:\documents and settings\Roger\Cookies\ukefi.pif
c:\documents and settings\Roger\Local Settings\Application Data\femuh.bat
c:\program files\Common Files\izaxuguh.bat
c:\program files\FlashGet Network
c:\program files\FlashGet Network\FlashGet 3\dat\Appsetting.cfg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\1.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\1.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\2.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\3.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\btn1.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\btn2.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\cig.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\cig1.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_1_2.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_2_2.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_3.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_3_1.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_4.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_icon01.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_icon02.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_icon03.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_icon04.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_WuBiaoTi-3.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_WuBiaoTi-4_1.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\dian.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\directui_new_1257390906.zip
c:\program files\FlashGet Network\FlashGet 3\dat\directui\down.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\game.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\game.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\game1.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\gameall.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\gametop.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\ico01.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\ico02.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\line.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\movie.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\movie1.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\new_rescenter.txt
c:\program files\FlashGet Network\FlashGet 3\dat\directui\newgame.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\newmovie.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\p1.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\p2.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\p3.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\p4.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\p5.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\p6.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\p7.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\p8.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\pic_bg.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\preview.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\reom.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\reom.jpg1
c:\program files\FlashGet Network\FlashGet 3\dat\directui\rescenter.txt
c:\program files\FlashGet Network\FlashGet 3\dat\directui\soft.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\soft_zhan.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\tab.gif
c:\program files\FlashGet Network\FlashGet 3\dat\FlashGet3db.bak
c:\program files\FlashGet Network\FlashGet 3\dat\FlashGet3db.db
c:\program files\FlashGet Network\FlashGet 3\dat\stat\advertisement\0E35CB25_7C40_7050_26F7_11F7E92C480D.swf
c:\program files\FlashGet Network\FlashGet 3\dat\stat\advertisement\149d17ba900edabf7985be0c6922a96e.zip
c:\program files\FlashGet Network\FlashGet 3\dat\stat\advertisement\17D45098_EABC_4DAE_14D4_74C4DE118B59.swf
c:\program files\FlashGet Network\FlashGet 3\dat\stat\advertisement\183EADA2_4B8B_FD2E_7AA3_9F2D7E75BD3C.gif
c:\program files\FlashGet Network\FlashGet 3\dat\stat\advertisement\1FA77883_6647_F73B_D7AF_B8F1DA2A50BB.swf
c:\program files\FlashGet Network\FlashGet 3\dat\stat\advertisement\1FACB51E_A68C_BED5_D515_F55CEA907866.swf
c:\program files\FlashGet Network\FlashGet 3\dat\stat\advertisement\35EF75B0_D86A_47C1_0900_0D59C3A48AD1.gif
c:\program files\FlashGet Network\FlashGet 3\dat\stat\advertisement\6E486BE5_C8C3_5BE7_2429_C7594748E6B7.swf
c:\program files\FlashGet Network\FlashGet 3\dat\stat\advertisement\84991BD7_0CF6_DE57_3633_C6CF5C60550C.swf
c:\program files\FlashGet Network\FlashGet 3\dat\stat\advertisement\907E5DB2_C627_1EC7_867C_3448B18D5879.swf
c:\program files\FlashGet Network\FlashGet 3\dat\stat\advertisement\adconfig.ini
c:\program files\FlashGet Network\FlashGet 3\dat\stat\advertisement\D360EFA6_1BBE_00C7_1F10_F9DE27C927D8.swf
c:\program files\FlashGet Network\FlashGet 3\dat\stat\advertisement\D5927DB1_C13D_99F3_44D1_005BA32FD9F4.gif
c:\program files\FlashGet Network\FlashGet 3\dat\stat\advertisement\D703429A_686B_B1A2_E673_9C4D01EC4771.swf
c:\program files\FlashGet Network\FlashGet 3\dat\stat\advertisement\domain_url_list.ini
c:\program files\FlashGet Network\FlashGet 3\dat\stat\advertisement\E04396B7_2122_F313_6367_4B9173D495A3.swf
c:\program files\FlashGet Network\FlashGet 3\dat\stat\advertisement\EEF3972C_1225_7716_C282_138741DFB1D6.swf
c:\program files\FlashGet Network\FlashGet 3\dat\stat\advertisement\FDA78D5E_3A7E_2A03_0F65_6612553BDF9D.gif
c:\program files\FlashGet Network\FlashGet 3\dat\stat\advertisement\port.ini
c:\program files\FlashGet Network\FlashGet 3\dat\stat\skinpreview\preview_blue3.png
c:\program files\FlashGet Network\FlashGet 3\dat\stat\skinpreview\preview_red3.png
c:\program files\FlashGet Network\FlashGet 3\dat\stat\skinpreview\preview_white.png
c:\program files\FlashGet Network\FlashGet 3\dat\stat\statdata\statinfo.dat
c:\program files\FlashGet Network\FlashGet 3\P2PCfg.ini
c:\windows\ejikik.inf
c:\windows\run.log
c:\windows\system32\secustat.dat
c:\windows\wyrozari.bat
c:\windows\xofexyzip.bat
E:\Autorun.inf
E:\install.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSserv.sys)
-------\Service_TDSSserv.sys)


((((((((((((((((((((((((( Files Created from 2010-03-05 to 2010-04-05 )))))))))))))))))))))))))))))))
.

2010-04-03 16:31 . 2010-04-03 17:29 -------- d-----w- c:\documents and settings\Roger\DoctorWeb
2010-04-02 00:20 . 2010-04-02 00:20 -------- d-----w- c:\documents and settings\Roger\Local Settings\Application Data\FilmOn.com
2010-03-23 19:57 . 2010-03-23 19:57 -------- d-----w- c:\documents and settings\Roger\Application Data\vlc
2010-03-23 19:22 . 2010-04-01 16:37 -------- d-----w- c:\documents and settings\Roger\Application Data\111 Pix Ltd
2010-03-23 19:18 . 2010-04-01 02:02 -------- d-----w- c:\program files\FilmOn HDi Player
2010-03-20 01:12 . 2010-03-20 01:12 -------- d-----w- c:\program files\Common Files\Skype
2010-03-19 16:04 . 2010-03-19 16:04 -------- d-----w- c:\documents and settings\Roger\Application Data\SkypeMate
2010-03-16 13:23 . 2010-03-16 13:23 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-10 23:11 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-04 22:48 . 2010-04-04 22:48 0 ----a-w- c:\windows\system32\drivers\drw11.tmp
2010-04-04 22:48 . 2010-04-04 22:48 0 ----a-w- c:\windows\system32\drivers\drw10.tmp
2010-04-04 22:47 . 2010-04-04 22:47 0 ----a-w- c:\windows\system32\drivers\drwF.tmp
2010-04-04 22:47 . 2010-04-04 22:47 0 ----a-w- c:\windows\system32\drivers\drwE.tmp
2010-04-04 22:41 . 2010-04-04 22:41 0 ----a-w- c:\windows\system32\drivers\drwD.tmp
2010-04-04 22:41 . 2010-04-04 22:41 0 ----a-w- c:\windows\system32\drivers\drwC.tmp
2010-04-04 22:40 . 2010-04-04 22:40 0 ----a-w- c:\windows\system32\drivers\drwB.tmp
2010-04-04 22:27 . 2010-04-04 22:27 0 ----a-w- c:\windows\system32\drivers\drwA.tmp
2010-04-04 21:21 . 2010-04-04 21:21 0 ----a-w- c:\windows\system32\drivers\drw9.tmp
2010-04-04 21:21 . 2010-04-04 21:21 0 ----a-w- c:\windows\system32\drivers\drw8.tmp
2010-04-04 21:04 . 2010-04-04 21:04 0 ----a-w- c:\windows\system32\drivers\drw7.tmp
2010-04-04 20:15 . 2010-04-04 20:15 0 ----a-w- c:\windows\system32\drivers\drw6.tmp
2010-04-04 17:06 . 2010-04-04 17:06 0 ----a-w- c:\windows\system32\drivers\drw11B.tmp
2010-04-04 17:05 . 2010-04-04 17:05 0 ----a-w- c:\windows\system32\drivers\drw11A.tmp
2010-04-04 17:05 . 2010-04-04 17:05 0 ----a-w- c:\windows\system32\drivers\drw119.tmp
2010-04-04 17:02 . 2010-04-04 17:02 0 ----a-w- c:\windows\system32\drivers\drw118.tmp
2010-04-04 16:16 . 2010-04-04 16:16 0 ----a-w- c:\windows\system32\drivers\drw117.tmp
2010-04-04 15:15 . 2009-11-17 02:29 0 ----a-w- c:\documents and settings\Roger\Local Settings\Application Data\prvlcl.dat
2010-04-03 17:29 . 2010-04-03 17:29 0 ----a-w- c:\windows\system32\drivers\drw97.tmp
2010-04-03 17:29 . 2010-04-03 17:29 0 ----a-w- c:\windows\system32\drivers\drw96.tmp
2010-04-03 17:26 . 2010-04-03 17:26 0 ----a-w- c:\windows\system32\drivers\drw95.tmp
2010-04-03 16:38 . 2010-04-03 16:38 0 ----a-w- c:\windows\system32\drivers\drw94.tmp
2010-04-02 14:17 . 2010-01-27 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2010-04-02 13:33 . 2010-04-02 13:33 4076824 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-04-02 13:33 . 2010-04-02 13:33 2059544 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-04-02 13:33 . 2010-04-02 13:33 598296 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-04-02 13:33 . 2010-04-02 13:33 313112 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
2010-04-02 13:33 . 2010-04-02 13:33 1598744 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-04-02 13:33 . 2010-04-02 13:33 1515224 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2010-04-02 13:33 . 2010-04-02 13:33 1274136 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-04-02 13:33 . 2010-04-02 13:33 4250976 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-02 13:33 . 2010-04-02 13:33 341272 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxch32.dll
2010-04-02 13:32 . 2010-04-02 13:32 556824 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-02 13:32 . 2010-04-02 13:32 459544 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-02 13:32 . 2010-04-02 13:32 1086744 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-02 13:32 . 2010-04-02 13:32 301336 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-02 13:31 . 2010-04-02 13:31 1685784 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-02 13:31 . 2010-04-02 13:31 1035032 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-01 18:12 . 2007-06-13 12:39 -------- d-----w- c:\program files\Quicken
2010-03-27 14:29 . 2007-06-13 12:38 -------- d-----w- c:\documents and settings\Roger\Application Data\OpenOffice.org2
2010-03-21 18:01 . 2007-06-15 13:43 -------- d-----w- c:\documents and settings\Roger\Application Data\Skype
2010-03-21 17:59 . 2008-11-26 14:21 -------- d-----w- c:\documents and settings\Roger\Application Data\skypePM
2010-03-20 01:12 . 2009-02-06 16:37 -------- d-----r- c:\program files\Skype
2010-03-19 15:58 . 2007-07-04 03:01 -------- d-----w- c:\program files\SkypeMate
2010-03-16 13:24 . 2010-03-16 13:24 360584 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-16 13:24 . 2010-03-16 13:24 333192 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-16 13:24 . 2010-03-16 13:24 28424 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-16 13:23 . 2010-02-17 17:41 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-16 13:23 . 2010-02-17 17:41 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-16 13:22 . 2010-02-17 17:41 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-10 15:45 . 2007-06-27 21:09 59 ----a-w- c:\windows\wpd99.drv
2010-03-10 15:45 . 2007-06-27 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-03-09 20:58 . 2010-03-09 20:58 1956808 ------w- c:\documents and settings\Roger\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-03-09 20:54 . 2010-03-09 20:54 827290 ------w- c:\documents and settings\Roger\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2010-03-09 20:54 . 2009-02-13 14:30 -------- d-----w- c:\documents and settings\Roger\Application Data\Move Networks
2010-03-06 15:50 . 2009-02-14 13:07 -------- d-----w- c:\program files\Veetle
2010-02-25 06:24 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-17 17:40 . 2009-11-13 23:16 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-09 17:30 . 2007-08-13 23:53 -------- d-----w- c:\program files\FTP Commander
2010-01-16 21:11 . 2008-12-27 22:53 5115824 ------w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 21:07 . 2008-10-22 22:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2008-10-22 22:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-10-22 21:33 . 2008-10-22 21:33 19837 ------w- c:\program files\Common Files\ezovemik.ban
2008-10-22 21:33 . 2008-10-22 21:33 18975 ------w- c:\program files\Common Files\xojyjacis.lib
2008-10-22 21:33 . 2008-10-22 21:33 15543 ------w- c:\program files\Common Files\laraqu.bin
2002-07-31 23:55 . 2007-06-15 21:10 324 --sh--w- c:\windows\WSYS049.SYS
2008-10-01 02:34 . 2007-07-05 15:02 168 --sh--r- c:\windows\system32\D50D164753.sys
2008-10-01 02:34 . 2007-07-05 15:02 5174 --sh--w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------


[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917953$\tcpip.sys

c:\windows\System32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"nwiz"="nwiz.exe" [2006-08-23 1617920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-06-08 169984]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-07-30 177392]
"QOELOADER"="c:\program files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2009-03-05 14088]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-12-01 230664]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-04 198160]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-19 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-16 13:23 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Roger^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=c:\documents and settings\Roger\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\basicsmssmenu]
2007-10-09 20:21 169328 ------w- c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2008-08-13 22:32 206064 ------w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 08:12 94208 ------w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-10-09 23:57 16384 ------w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2003-07-01 00:56 188416 ------w- c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2003-07-01 01:00 65536 ------w- c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-03-04 15:51 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\sopvod.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"$INSTDIR\\FlvDetector.exe"= c:\\Program Files\\FlashGet Network\\FlashGet 3\\FlvDetector.exe
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/17/2010 1:41 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/17/2010 1:41 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/16/2010 9:23 AM 308064]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe [8/16/2007 10:10 PM 189704]
S2 gupdate1c9c36526a00cca;Google Update Service (gupdate1c9c36526a00cca);c:\program files\Google\Update\GoogleUpdate.exe [4/22/2009 12:12 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-03-30 c:\windows\Tasks\CAAntiSpywareScan_Daily as Roger at 10 26 AM.job
- c:\program files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe [2007-08-17 02:10]

2010-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-22 16:12]

2010-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-22 16:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = localhost
IE: Download All By FlashGet3 - c:\documents and settings\Roger\Application Data\FlashGetBHO\GetAllUrl.htm
IE: Download By FlashGet3 - c:\documents and settings\Roger\Application Data\FlashGetBHO\GetUrl.htm
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {4B6E3013-6E45-11D0-9309-0020AFE05CC8} - hxxp://concept.gamberjohnson.com/core/ext/blah/Install-Vrml3DPlayer.exe
FF - ProfilePath - c:\documents and settings\Roger\Application Data\Mozilla\Firefox\Profiles\37eog2w0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Roger\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Roger\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

BHO-{291f88f3-cf26-46b2-90ee-ee77b403bc6f} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-FlashGet 3 - c:\program files\FlashGet Network\FlashGet 3\FlashGet3.exe
MSConfigStartUp-FlashGetBHO - c:\program files\FlashGet Network\FlashGet 3\mxhelper.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-05 19:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1976)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(368)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(2204)
c:\windows\system32\WININET.dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\program files\Google\Google Desktop Search\GoogleDesktopHyper.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\stsystra.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\CA\eTrust EZ Armor\eTrust PestPatrol\CAPPActiveProtection.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2010-04-05 20:13:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-06 00:12

Pre-Run: 33,323,388,928 bytes free
Post-Run: 33,914,834,944 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 468906AD853CD21148BB1ACDDF39C260
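In the Sigcheck section of the ComboFix log above, the in-use c:\windows\system32\drivers\tcpip.sys is marked [-] and carries a different MD5 from the [7] copies in dllcache and the $hf_mig$ folders, even though version (5.1.2600.5625) and size (361600 bytes) are identical; that combination is what distinguishes an in-place patched system file from a merely outdated one. The parser below is an added example, not part of the thread or of ComboFix: it reads Sigcheck lines in the layout shown on this page and reports unaccepted copies whose version and byte size match an accepted copy of the same file while the hash does not. The sample input is the page's own tcpip.sys lines; the meaning attached to the [7] marker (a copy ComboFix accepted) is taken from how the log above uses it.

```python
"""Flag in-use system files in a ComboFix 'Sigcheck' section whose MD5
disagrees with the accepted copies of the same version elsewhere on disk.

Added example for this thread, not a ComboFix component. Each Sigcheck line
has the layout:  [marker] date . MD5 . size . . [version] . . path
"""
import re
from collections import defaultdict, namedtuple

SIGCHECK_RE = re.compile(
    r"^\[(?P<marker>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]"
    r"\s+\.\s+\.\s+(?P<path>\S.*)$"
)

Entry = namedtuple("Entry", "marker date md5 size version path")

# Constructed sample: the tcpip.sys lines of the Sigcheck section posted above,
# reproduced verbatim (raw string, so the backslashes are literal).
SAMPLE_SIGCHECK = r"""
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
"""


def parse_sigcheck(text):
    """Parse Sigcheck lines into Entry records; lines in any other format are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            d = m.groupdict()
            entries.append(Entry(d["marker"], d["date"], d["md5"].upper(),
                                 int(d["size"]), d["version"], d["path"]))
    return entries


def basename(path):
    """Case-folded file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_patched(entries, accepted_marker="7"):
    """Return {suspect_path: [reference_paths]}.

    A suspect is a copy ComboFix did not accept whose version AND byte size
    equal those of an accepted copy of the same file while its MD5 differs:
    the fingerprint of a patch applied in place, which leaves the version
    resource and the file length untouched. Groups with no accepted copy
    (e.g. old uninstall backups) give nothing to compare against and are skipped.
    """
    groups = defaultdict(list)
    for e in entries:
        groups[(basename(e.path), e.version)].append(e)

    findings = {}
    for group in groups.values():
        accepted = [e for e in group if e.marker == accepted_marker]
        if not accepted:
            continue
        good_hashes = {e.md5 for e in accepted}
        for e in group:
            if e.marker == accepted_marker or e.md5 in good_hashes:
                continue
            refs = [a.path for a in accepted if a.size == e.size]
            if refs:
                findings[e.path] = refs
    return findings


def report(findings):
    """Human-readable summary, one suspect per block."""
    lines = []
    for path, refs in findings.items():
        lines.append(f"SUSPECT {path}")
        lines.append("  same version and size as accepted copies, different MD5:")
        lines.extend(f"    {r}" for r in refs)
    return "\n".join(lines) or "no mismatching in-use copies found"


if __name__ == "__main__":
    print(report(find_patched(parse_sigcheck(SAMPLE_SIGCHECK))))
```

On the sample, only the in-use drivers\tcpip.sys is reported; the older [-] copies under the $NtUninstall folders are ignored because no accepted copy of their version exists to compare against.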


#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:44 PM

Posted 06 April 2010 - 08:46 AM

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove in the Control Panel and remove either CA or AVG.



Before you do any of the next steps you need to temporarily disable the TeaTimer protection in Spybot, as it may stop the tools we use from doing their job. Please keep it disabled whilst I am helping you; then you can enable it again when you're clean.

To disable TeaTimer, open Spybot and click on the Mode tab and select Advanced mode.
It will ask you if you're sure you want to go into advanced mode; select yes.
Now go to Tools and click on the Resident tab.
Uncheck the box that says "Resident "TeaTimer" (Protection of over-all system settings) active".
Then close Spybot and reboot your computer.


  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
    cmd /c mbr -t& start mbr.log
  • A file called mbr.log will pop up; please post the contents in your reply.



Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy the content of the following codebox into the main text field:
    CODE
    :filefind
    beep.*
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


Then please post back here with the following logs:
  • mbr.log
  • SystemLook.txt

Thanks



#9 fulham

fulham
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male
  • Local time:09:44 AM

Posted 06 April 2010 - 09:51 AM

I did have the two anti-virus programs scheduled to scan at different times, but I have uninstalled AVG. I have disabled TeaTimer and run the programs as requested.



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
kernel: MBR read successfully
user & kernel MBR OK



SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 10:44 on 06/04/2010 by Roger (Administrator - Elevation successful)

========== filefind ==========

Searching for "beep.*"
C:\i386\beep.sys ------ 4224 bytes [13:58 19/06/2007] [10:00 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9
C:\Program Files\HotRecorder\Emo\beep.wav ------ 17524 bytes [23:54 25/06/2007] [16:49 18/03/2005] 2BA0155E506416A551566C92B0A199ED

-=End Of File=-

#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:44 PM

Posted 06 April 2010 - 10:52 AM

Can you tell me how the computer is running now and if you are having any more problems?


TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/306650/win32patchedcg/

Collect::
c:\program files\Common Files\ezovemik.ban
c:\program files\Common Files\xojyjacis.lib
c:\program files\Common Files\laraqu.bin
FCopy::
C:\i386\beep.sys | c:\windows\System32\drivers\beep.sys


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Please click this link --> Virustotal
When the Virustotal page has finished loading, click the Browse button, navigate to the following file and click Submit.

c:\windows\system32\drivers\tcpip.sys

Please post back with the link to the scan results in your next post.
If Virustotal is busy, try the same at Jotti: http://virusscan.jotti.org/


Then please post back here with the following logs:
  • Combofix.txt
  • Virustotal link

Thanks



#11 fulham

fulham
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male
  • Local time:09:44 AM

Posted 06 April 2010 - 12:14 PM

ComboFix 10-04-04.01 - Roger 04/06/2010 12:32:40.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.585 [GMT -4:00]
Running from: c:\documents and settings\Roger\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Roger\Desktop\CFScript.txt
AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

file zipped: c:\program files\Common Files\ezovemik.ban
file zipped: c:\program files\Common Files\laraqu.bin
file zipped: c:\program files\Common Files\xojyjacis.lib
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\ezovemik.ban
c:\program files\Common Files\laraqu.bin
c:\program files\Common Files\xojyjacis.lib

.
--------------- FCopy ---------------

c:\i386\beep.sys --> c:\windows\System32\drivers\beep.sys
.
((((((((((((((((((((((((( Files Created from 2010-03-06 to 2010-04-06 )))))))))))))))))))))))))))))))
.

2010-04-06 16:32 . 2004-08-04 10:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2010-04-06 16:32 . 2004-08-04 10:00 4224 ----a-w- c:\windows\system32\dllcache\beep.sys
2010-04-03 16:31 . 2010-04-03 17:29 -------- d-----w- c:\documents and settings\Roger\DoctorWeb
2010-04-02 13:33 . 2010-04-02 13:33 4076824 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-04-02 13:33 . 2010-04-02 13:33 2059544 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-04-02 13:33 . 2010-04-02 13:33 598296 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-04-02 13:33 . 2010-04-02 13:33 313112 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
2010-04-02 13:33 . 2010-04-02 13:33 1598744 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-04-02 13:33 . 2010-04-02 13:33 1515224 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2010-04-02 13:33 . 2010-04-02 13:33 1274136 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-04-02 13:33 . 2010-04-02 13:33 4250976 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-02 13:33 . 2010-04-02 13:33 341272 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxch32.dll
2010-04-02 13:32 . 2010-04-02 13:32 556824 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-02 13:32 . 2010-04-02 13:32 459544 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-02 13:32 . 2010-04-02 13:32 1086744 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-02 13:32 . 2010-04-02 13:32 301336 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-02 13:31 . 2010-04-02 13:31 1685784 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-02 13:31 . 2010-04-02 13:31 1035032 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-02 00:20 . 2010-04-02 00:20 -------- d-----w- c:\documents and settings\Roger\Local Settings\Application Data\FilmOn.com
2010-03-23 19:57 . 2010-03-23 19:57 -------- d-----w- c:\documents and settings\Roger\Application Data\vlc
2010-03-23 19:22 . 2010-04-01 16:37 -------- d-----w- c:\documents and settings\Roger\Application Data\111 Pix Ltd
2010-03-23 19:18 . 2010-04-01 02:02 -------- d-----w- c:\program files\FilmOn HDi Player
2010-03-20 01:12 . 2010-03-20 01:12 -------- d-----w- c:\program files\Common Files\Skype
2010-03-19 16:04 . 2010-03-19 16:04 -------- d-----w- c:\documents and settings\Roger\Application Data\SkypeMate
2010-03-16 13:24 . 2010-03-16 13:24 360584 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-16 13:24 . 2010-03-16 13:24 333192 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-16 13:24 . 2010-03-16 13:24 28424 ------w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-10 23:11 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 20:54 . 2010-03-09 20:54 827290 ------w- c:\documents and settings\Roger\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-06 14:23 . 2007-06-13 12:39 -------- d-----w- c:\program files\Quicken
2010-04-06 14:10 . 2009-11-13 23:16 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-04 15:15 . 2009-11-17 02:29 0 ----a-w- c:\documents and settings\Roger\Local Settings\Application Data\prvlcl.dat
2010-04-02 14:17 . 2010-01-27 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2010-03-27 14:29 . 2007-06-13 12:38 -------- d-----w- c:\documents and settings\Roger\Application Data\OpenOffice.org2
2010-03-21 18:01 . 2007-06-15 13:43 -------- d-----w- c:\documents and settings\Roger\Application Data\Skype
2010-03-21 17:59 . 2008-11-26 14:21 -------- d-----w- c:\documents and settings\Roger\Application Data\skypePM
2010-03-20 01:12 . 2009-02-06 16:37 -------- d-----r- c:\program files\Skype
2010-03-19 15:58 . 2007-07-04 03:01 -------- d-----w- c:\program files\SkypeMate
2010-03-10 15:45 . 2007-06-27 21:09 59 ----a-w- c:\windows\wpd99.drv
2010-03-10 15:45 . 2007-06-27 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-03-09 20:54 . 2009-02-13 14:30 -------- d-----w- c:\documents and settings\Roger\Application Data\Move Networks
2010-03-06 15:50 . 2009-02-14 13:07 -------- d-----w- c:\program files\Veetle
2010-02-25 06:24 . 2004-08-10 17:51 916480 ------w- c:\windows\system32\wininet.dll
2010-02-09 17:30 . 2007-08-13 23:53 -------- d-----w- c:\program files\FTP Commander
2010-01-16 21:11 . 2008-12-27 22:53 5115824 ------w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 21:07 . 2008-10-22 22:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2008-10-22 22:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2002-07-31 23:55 . 2007-06-15 21:10 324 --sh--w- c:\windows\WSYS049.SYS
2008-10-01 02:34 . 2007-07-05 15:02 168 --sh--r- c:\windows\system32\D50D164753.sys
2008-10-01 02:34 . 2007-07-05 15:02 5174 --sh--w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"nwiz"="nwiz.exe" [2006-08-23 1617920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-06-08 169984]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-07-30 177392]
"QOELOADER"="c:\program files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2009-03-05 14088]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-12-01 230664]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-04 198160]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-19 113664]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Roger^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=c:\documents and settings\Roger\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\basicsmssmenu]
2007-10-09 20:21 169328 ------w- c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2008-08-13 22:32 206064 ------w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 08:12 94208 ------w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-10-09 23:57 16384 ------w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2003-07-01 00:56 188416 ------w- c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2003-07-01 01:00 65536 ------w- c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-03-04 15:51 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\sopvod.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"$INSTDIR\\FlvDetector.exe"= c:\\Program Files\\FlashGet Network\\FlashGet 3\\FlvDetector.exe
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe [8/16/2007 10:10 PM 189704]
S2 gupdate1c9c36526a00cca;Google Update Service (gupdate1c9c36526a00cca);c:\program files\Google\Update\GoogleUpdate.exe [4/22/2009 12:12 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-22 16:12]

2010-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-22 16:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = localhost
IE: Download All By FlashGet3 - c:\documents and settings\Roger\Application Data\FlashGetBHO\GetAllUrl.htm
IE: Download By FlashGet3 - c:\documents and settings\Roger\Application Data\FlashGetBHO\GetUrl.htm
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {4B6E3013-6E45-11D0-9309-0020AFE05CC8} - hxxp://concept.gamberjohnson.com/core/ext/blah/Install-Vrml3DPlayer.exe
FF - ProfilePath - c:\documents and settings\Roger\Application Data\Mozilla\Firefox\Profiles\37eog2w0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\documents and settings\Roger\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Roger\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

BHO-{291f88f3-cf26-46b2-90ee-ee77b403bc6f} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-06 12:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1568)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(1816)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
Completion time: 2010-04-06 12:41:47
ComboFix-quarantined-files.txt 2010-04-06 16:41

Pre-Run: 34,104,434,688 bytes free
Post-Run: 34,067,226,624 bytes free

- - End Of File - - DC9EA52D930C43733BB88C65188E8919
Upload was successful


Link for Virus Total log: http://www.virustotal.com/reanalisis.html?...f6e9-1270572619

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:44 PM

Posted 06 April 2010 - 12:28 PM

That's looking better, how is the computer running?



#13 fulham

fulham
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male
  • Local time:09:44 AM

Posted 06 April 2010 - 12:58 PM

I still have a virus in the original file that was detected by AVG: C:\windows\system32\drivers\nvata.sys

Check out the Virus Total log for that file:

http://www.virustotal.com/reanalisis.html?...5e1d-1270576460

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:44 PM

Posted 06 April 2010 - 01:06 PM

That's strange; your other logs aren't showing it, so I assumed DrWeb had taken care of it. That is why I asked twice how the computer is running.

  • Go to Kaspersky and Download TDSSKiller.zip.
  • Extract the contents of TDSSKiller.zip to your Desktop.
  • Double click on TDSSKiller.exe to run it.
  • If it finds something and asks you what to do, follow the instructions to type in "delete".
  • When done, a log file should be created on your C: drive called TDSSKiller.txt (with time and date appended); please post this log in your next reply.



#15 fulham

fulham
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male
  • Local time:09:44 AM

Posted 06 April 2010 - 03:55 PM

My computer appears to be running fine.

I ran the TDSSKiller.exe and it took less than a second. Is that normal?

Anyway, here's the log:

16:49:32:000 4064 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
16:49:32:000 4064 ================================================================================
16:49:32:000 4064 SystemInfo:

16:49:32:000 4064 OS Version: 5.1.2600 ServicePack: 3.0
16:49:32:000 4064 Product type: Workstation
16:49:32:000 4064 ComputerName: D85R82D1
16:49:32:000 4064 UserName: Roger
16:49:32:000 4064 Windows directory: C:\WINDOWS
16:49:32:000 4064 Processor architecture: Intel x86
16:49:32:000 4064 Number of processors: 2
16:49:32:000 4064 Page size: 0x1000
16:49:32:015 4064 Boot type: Normal boot
16:49:32:015 4064 ================================================================================
16:49:32:015 4064 UnloadDriverW: NtUnloadDriver error 1
16:49:32:015 4064 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1
16:49:32:015 4064 LoadDriverW: Driver already loaded
16:49:32:015 4064 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
16:49:32:015 4064 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:49:32:015 4064 wfopen_ex: Trying to KLMD file open
16:49:32:015 4064 wfopen_ex: File opened ok (Flags 2)
16:49:32:015 4064 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
16:49:32:015 4064 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:49:32:015 4064 wfopen_ex: Trying to KLMD file open
16:49:32:015 4064 wfopen_ex: File opened ok (Flags 2)
16:49:32:015 4064 Initialize success
16:49:32:015 4064
16:49:32:015 4064 Scanning Services ...
16:49:32:093 4064 Raw services enum returned 345 services
16:49:32:109 4064
16:49:32:109 4064 Scanning Kernel memory ...
16:49:32:109 4064 Devices to scan: 6
16:49:32:109 4064
16:49:32:109 4064 Driver Name: Disk
16:49:32:109 4064 IRP_MJ_CREATE : F74ADBB0
16:49:32:109 4064 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
16:49:32:109 4064 IRP_MJ_CLOSE : F74ADBB0
16:49:32:109 4064 IRP_MJ_READ : F74A7D1F
16:49:32:109 4064 IRP_MJ_WRITE : F74A7D1F
16:49:32:109 4064 IRP_MJ_QUERY_INFORMATION : 804F4562
16:49:32:109 4064 IRP_MJ_SET_INFORMATION : 804F4562
16:49:32:109 4064 IRP_MJ_QUERY_EA : 804F4562
16:49:32:109 4064 IRP_MJ_SET_EA : 804F4562
16:49:32:109 4064 IRP_MJ_FLUSH_BUFFERS : F74A82E2
16:49:32:109 4064 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
16:49:32:109 4064 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
16:49:32:109 4064 IRP_MJ_DIRECTORY_CONTROL : 804F4562
16:49:32:109 4064 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
16:49:32:109 4064 IRP_MJ_DEVICE_CONTROL : F74A83BB
16:49:32:109 4064 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74ABF28
16:49:32:109 4064 IRP_MJ_SHUTDOWN : F74A82E2
16:49:32:109 4064 IRP_MJ_LOCK_CONTROL : 804F4562
16:49:32:109 4064 IRP_MJ_CLEANUP : 804F4562
16:49:32:109 4064 IRP_MJ_CREATE_MAILSLOT : 804F4562
16:49:32:109 4064 IRP_MJ_QUERY_SECURITY : 804F4562
16:49:32:109 4064 IRP_MJ_SET_SECURITY : 804F4562
16:49:32:109 4064 IRP_MJ_POWER : F74A9C82
16:49:32:109 4064 IRP_MJ_SYSTEM_CONTROL : F74AE99E
16:49:32:109 4064 IRP_MJ_DEVICE_CHANGE : 804F4562
16:49:32:109 4064 IRP_MJ_QUERY_QUOTA : 804F4562
16:49:32:109 4064 IRP_MJ_SET_QUOTA : 804F4562
16:49:32:140 4064 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
16:49:32:140 4064
16:49:32:140 4064 Driver Name: USBSTOR
16:49:32:140 4064 IRP_MJ_CREATE : F77DC218
16:49:32:140 4064 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
16:49:32:140 4064 IRP_MJ_CLOSE : F77DC218
16:49:32:140 4064 IRP_MJ_READ : F77DC23C
16:49:32:140 4064 IRP_MJ_WRITE : F77DC23C
16:49:32:140 4064 IRP_MJ_QUERY_INFORMATION : 804F4562
16:49:32:140 4064 IRP_MJ_SET_INFORMATION : 804F4562
16:49:32:140 4064 IRP_MJ_QUERY_EA : 804F4562
16:49:32:140 4064 IRP_MJ_SET_EA : 804F4562
16:49:32:140 4064 IRP_MJ_FLUSH_BUFFERS : 804F4562
16:49:32:140 4064 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
16:49:32:140 4064 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
16:49:32:140 4064 IRP_MJ_DIRECTORY_CONTROL : 804F4562
16:49:32:140 4064 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
16:49:32:140 4064 IRP_MJ_DEVICE_CONTROL : F77DC180
16:49:32:140 4064 IRP_MJ_INTERNAL_DEVICE_CONTROL : F77D79E6
16:49:32:140 4064 IRP_MJ_SHUTDOWN : 804F4562
16:49:32:140 4064 IRP_MJ_LOCK_CONTROL : 804F4562
16:49:32:140 4064 IRP_MJ_CLEANUP : 804F4562
16:49:32:140 4064 IRP_MJ_CREATE_MAILSLOT : 804F4562
16:49:32:140 4064 IRP_MJ_QUERY_SECURITY : 804F4562
16:49:32:140 4064 IRP_MJ_SET_SECURITY : 804F4562
16:49:32:140 4064 IRP_MJ_POWER : F77DB5F0
16:49:32:140 4064 IRP_MJ_SYSTEM_CONTROL : F77D9A6E
16:49:32:140 4064 IRP_MJ_DEVICE_CHANGE : 804F4562
16:49:32:140 4064 IRP_MJ_QUERY_QUOTA : 804F4562
16:49:32:140 4064 IRP_MJ_SET_QUOTA : 804F4562
16:49:32:156 4064 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
16:49:32:156 4064
16:49:32:156 4064 Driver Name: Disk
16:49:32:156 4064 IRP_MJ_CREATE : F74ADBB0
16:49:32:156 4064 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
16:49:32:156 4064 IRP_MJ_CLOSE : F74ADBB0
16:49:32:156 4064 IRP_MJ_READ : F74A7D1F
16:49:32:156 4064 IRP_MJ_WRITE : F74A7D1F
16:49:32:156 4064 IRP_MJ_QUERY_INFORMATION : 804F4562
16:49:32:156 4064 IRP_MJ_SET_INFORMATION : 804F4562
16:49:32:156 4064 IRP_MJ_QUERY_EA : 804F4562
16:49:32:156 4064 IRP_MJ_SET_EA : 804F4562
16:49:32:156 4064 IRP_MJ_FLUSH_BUFFERS : F74A82E2
16:49:32:156 4064 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
16:49:32:156 4064 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
16:49:32:156 4064 IRP_MJ_DIRECTORY_CONTROL : 804F4562
16:49:32:156 4064 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
16:49:32:156 4064 IRP_MJ_DEVICE_CONTROL : F74A83BB
16:49:32:156 4064 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74ABF28
16:49:32:156 4064 IRP_MJ_SHUTDOWN : F74A82E2
16:49:32:156 4064 IRP_MJ_LOCK_CONTROL : 804F4562
16:49:32:156 4064 IRP_MJ_CLEANUP : 804F4562
16:49:32:156 4064 IRP_MJ_CREATE_MAILSLOT : 804F4562
16:49:32:156 4064 IRP_MJ_QUERY_SECURITY : 804F4562
16:49:32:156 4064 IRP_MJ_SET_SECURITY : 804F4562
16:49:32:156 4064 IRP_MJ_POWER : F74A9C82
16:49:32:156 4064 IRP_MJ_SYSTEM_CONTROL : F74AE99E
16:49:32:156 4064 IRP_MJ_DEVICE_CHANGE : 804F4562
16:49:32:156 4064 IRP_MJ_QUERY_QUOTA : 804F4562
16:49:32:156 4064 IRP_MJ_SET_QUOTA : 804F4562
16:49:32:156 4064 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
16:49:32:156 4064
16:49:32:156 4064 Driver Name: Disk
16:49:32:156 4064 IRP_MJ_CREATE : F74ADBB0
16:49:32:156 4064 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
16:49:32:156 4064 IRP_MJ_CLOSE : F74ADBB0
16:49:32:156 4064 IRP_MJ_READ : F74A7D1F
16:49:32:156 4064 IRP_MJ_WRITE : F74A7D1F
16:49:32:156 4064 IRP_MJ_QUERY_INFORMATION : 804F4562
16:49:32:156 4064 IRP_MJ_SET_INFORMATION : 804F4562
16:49:32:156 4064 IRP_MJ_QUERY_EA : 804F4562
16:49:32:156 4064 IRP_MJ_SET_EA : 804F4562
16:49:32:156 4064 IRP_MJ_FLUSH_BUFFERS : F74A82E2
16:49:32:156 4064 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
16:49:32:156 4064 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
16:49:32:156 4064 IRP_MJ_DIRECTORY_CONTROL : 804F4562
16:49:32:156 4064 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
16:49:32:156 4064 IRP_MJ_DEVICE_CONTROL : F74A83BB
16:49:32:156 4064 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74ABF28
16:49:32:156 4064 IRP_MJ_SHUTDOWN : F74A82E2
16:49:32:156 4064 IRP_MJ_LOCK_CONTROL : 804F4562
16:49:32:156 4064 IRP_MJ_CLEANUP : 804F4562
16:49:32:156 4064 IRP_MJ_CREATE_MAILSLOT : 804F4562
16:49:32:156 4064 IRP_MJ_QUERY_SECURITY : 804F4562
16:49:32:156 4064 IRP_MJ_SET_SECURITY : 804F4562
16:49:32:156 4064 IRP_MJ_POWER : F74A9C82
16:49:32:156 4064 IRP_MJ_SYSTEM_CONTROL : F74AE99E
16:49:32:156 4064 IRP_MJ_DEVICE_CHANGE : 804F4562
16:49:32:156 4064 IRP_MJ_QUERY_QUOTA : 804F4562
16:49:32:156 4064 IRP_MJ_SET_QUOTA : 804F4562
16:49:32:156 4064 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
16:49:32:156 4064
16:49:32:156 4064 Driver Name: Disk
16:49:32:156 4064 IRP_MJ_CREATE : F74ADBB0
16:49:32:156 4064 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
16:49:32:156 4064 IRP_MJ_CLOSE : F74ADBB0
16:49:32:156 4064 IRP_MJ_READ : F74A7D1F
16:49:32:156 4064 IRP_MJ_WRITE : F74A7D1F
16:49:32:156 4064 IRP_MJ_QUERY_INFORMATION : 804F4562
16:49:32:156 4064 IRP_MJ_SET_INFORMATION : 804F4562
16:49:32:156 4064 IRP_MJ_QUERY_EA : 804F4562
16:49:32:156 4064 IRP_MJ_SET_EA : 804F4562
16:49:32:156 4064 IRP_MJ_FLUSH_BUFFERS : F74A82E2
16:49:32:156 4064 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
16:49:32:156 4064 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
16:49:32:156 4064 IRP_MJ_DIRECTORY_CONTROL : 804F4562
16:49:32:156 4064 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
16:49:32:156 4064 IRP_MJ_DEVICE_CONTROL : F74A83BB
16:49:32:156 4064 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74ABF28
16:49:32:156 4064 IRP_MJ_SHUTDOWN : F74A82E2
16:49:32:156 4064 IRP_MJ_LOCK_CONTROL : 804F4562
16:49:32:156 4064 IRP_MJ_CLEANUP : 804F4562
16:49:32:156 4064 IRP_MJ_CREATE_MAILSLOT : 804F4562
16:49:32:156 4064 IRP_MJ_QUERY_SECURITY : 804F4562
16:49:32:156 4064 IRP_MJ_SET_SECURITY : 804F4562
16:49:32:156 4064 IRP_MJ_POWER : F74A9C82
16:49:32:156 4064 IRP_MJ_SYSTEM_CONTROL : F74AE99E
16:49:32:156 4064 IRP_MJ_DEVICE_CHANGE : 804F4562
16:49:32:156 4064 IRP_MJ_QUERY_QUOTA : 804F4562
16:49:32:156 4064 IRP_MJ_SET_QUOTA : 804F4562
16:49:32:156 4064 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
16:49:32:156 4064
16:49:32:156 4064 Driver Name: nvata
16:49:32:156 4064 IRP_MJ_CREATE : F72C6894
16:49:32:156 4064 IRP_MJ_CREATE_NAMED_PIPE : F72C6874
16:49:32:156 4064 IRP_MJ_CLOSE : F72C6894
16:49:32:156 4064 IRP_MJ_READ : F72C6874
16:49:32:156 4064 IRP_MJ_WRITE : F72C6874
16:49:32:156 4064 IRP_MJ_QUERY_INFORMATION : F72C6874
16:49:32:156 4064 IRP_MJ_SET_INFORMATION : F72C6874
16:49:32:156 4064 IRP_MJ_QUERY_EA : F72C6874
16:49:32:156 4064 IRP_MJ_SET_EA : F72C6874
16:49:32:156 4064 IRP_MJ_FLUSH_BUFFERS : F72C6874
16:49:32:156 4064 IRP_MJ_QUERY_VOLUME_INFORMATION : F72C6874
16:49:32:156 4064 IRP_MJ_SET_VOLUME_INFORMATION : F72C6874
16:49:32:156 4064 IRP_MJ_DIRECTORY_CONTROL : F72C6874
16:49:32:156 4064 IRP_MJ_FILE_SYSTEM_CONTROL : F72C6874
16:49:32:156 4064 IRP_MJ_DEVICE_CONTROL : 85E9B90A
16:49:32:156 4064 IRP_MJ_INTERNAL_DEVICE_CONTROL : F72C6D6E
16:49:32:156 4064 IRP_MJ_SHUTDOWN : F72C6874
16:49:32:156 4064 IRP_MJ_LOCK_CONTROL : F72C6874
16:49:32:156 4064 IRP_MJ_CLEANUP : F72C6874
16:49:32:156 4064 IRP_MJ_CREATE_MAILSLOT : F72C6874
16:49:32:156 4064 IRP_MJ_QUERY_SECURITY : F72C6874
16:49:32:156 4064 IRP_MJ_SET_SECURITY : F72C6874
16:49:32:156 4064 IRP_MJ_POWER : F72C6D0E
16:49:32:156 4064 IRP_MJ_SYSTEM_CONTROL : F72C6A9C
16:49:32:156 4064 IRP_MJ_DEVICE_CHANGE : F72C6874
16:49:32:156 4064 IRP_MJ_QUERY_QUOTA : F72C6874
16:49:32:156 4064 IRP_MJ_SET_QUOTA : F72C6874
16:49:32:156 4064 C:\WINDOWS\system32\drivers\tsk13D.tmp - Verdict: 3
16:49:32:156 4064
16:49:32:156 4064 Completed
16:49:32:156 4064
16:49:32:156 4064 Results:
16:49:32:156 4064 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
16:49:32:156 4064 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:49:32:156 4064 File objects infected / cured / cured on reboot: 0 / 0 / 0
16:49:32:156 4064
16:49:32:156 4064 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
16:49:32:156 4064 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
16:49:32:156 4064 UnloadDriverW: NtUnloadDriver error 1
16:49:32:156 4064 KLMD(ARK) unloaded successfully



