TDSS rootkit infection


This topic is locked
52 replies to this topic

#1 kikaman

kikaman

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:11:26 AM

Posted 03 April 2010 - 10:12 PM

First off, I want to thank you for this great service you provide.

Here's my problem. My PC got infected with the Virtumonde trojan. After quite a bit of work (and many nasty pop-ups) I thought I got it cleaned up, mainly using Malwarebytes' Anti-Malware. However, it appears that my driver atapi is infected by the TDSS rootkit even after Malwarebytes, AVG, SpyBot and SUPERAntiSpyware show no infections. I have run TDSSKiller several times. Each time it notes the driver is infected, which will be cured on next reboot. However, it keeps coming back. Also, when I use IE or Firefox I typically get redirected.

Any help you can provide would be much appreciated.

My logs are below:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Patrick at 18:22:52.51 on Sat 04/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.168 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Your Protection *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Patrick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {48d7245f-8c27-453b-86bd-a20119a3801f} - monelare.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: turbotax.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1118953582000
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://mail.devinegong.com/Remote/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} - hxxps://streaming.endeavors.com/microsoft/streets/clientdownloads/OTAI.CAB
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: batufezab - {1710c2ed-e463-4ead-86bc-fae8e4caefec} - No File
STS: {1710c2ed-e463-4ead-86bc-fae8e4caefec} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\patrick\applic~1\mozilla\firefox\profiles\uy9pr074.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-29 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-29 29512]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-29 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2003-2-10 114688]
R2 AsfAlrt;AsfAlrt;c:\windows\system32\drivers\Asfalrt.sys [2002-12-18 36064]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-15 308064]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-8-31 1245064]
S0 abqhsqdg;abqhsqdg; [x]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]
S2 Ias;Network Security;c:\windows\system32\svchost.exe -k netsvcs [2003-7-16 14336]
S2 Iprip;Windows Protected Services;c:\windows\system32\svchost.exe -k netsvcs [2003-7-16 14336]
S2 srenum;srenum;c:\windows\system32\drivers\srenum.sys --> c:\windows\system32\drivers\srenum.sys [?]
S3 ATWPKT;ATWPKT;c:\windows\system32\drivers\atwpkt.sys [2004-8-31 19140]
S3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys --> c:\windows\system32\drivers\ndisrd.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S3 VVBETHERNET;Actiontec USB Ethernet Home DSL;c:\windows\system32\drivers\VVBETH.SYS [2004-8-31 34560]
S3 vvbususb;Virata USB VvBus driver;c:\windows\system32\drivers\VVBUSUSB.SYS [2004-8-31 50236]

=============== Created Last 30 ================

2010-04-04 01:20:22 0 ----a-w- c:\documents and settings\patrick\defogger_reenable
2010-04-04 00:55:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-04 00:55:31 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-03 20:49:04 0 d-----w- C:\RECYCLER(2)
2010-04-03 20:27:58 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-03 20:27:12 0 d-s---w- C:\ComboFix
2010-04-03 20:01:25 60416 ----a-w- c:\windows\system32\drivers\Combo-Fix.sys
2010-04-03 19:36:17 0 d-sha-r- C:\cmdcons
2010-04-03 19:33:34 98816 ----a-w- c:\windows\sed.exe
2010-04-03 19:33:34 77312 ----a-w- c:\windows\MBR.exe
2010-04-03 19:33:34 261632 ----a-w- c:\windows\PEV.exe
2010-04-03 19:33:34 161792 ----a-w- c:\windows\SWREG.exe
2010-04-03 01:51:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware3
2010-04-02 22:43:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-02 22:43:22 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-02 22:43:22 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 20:32:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware2
2010-04-02 20:18:12 699904 ----a-w- c:\windows\isRS-000.tmp
2010-04-02 15:18:51 0 d-sh--w- c:\documents and settings\patrick\.COMMgr
2010-03-18 22:53:12 0 d-----w- c:\program files\MSECache
2010-03-15 15:30:54 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-10 23:54:18 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-04-04 00:27:28 7304 ----a-w- c:\windows\TMP0001.TMP
2010-04-04 00:27:22 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-03 20:26:23 96512 ----a-w- c:\windows\system32\drivers\tsk7.tmp
2010-04-03 04:33:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-03-31 01:43:09 9313 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-15 15:30:57 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-15 15:21:22 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 18:25:13.89 ===============

#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:26 AM

Posted 05 April 2010 - 06:27 PM

Hello.

Yes, you seem to be infected with the newer TDSS variant. More information here: http://rootbiez.blogspot.com/2009/11/rootk...s-lets-put.html

Let's see what we can do here. I see a few things that we need to do other than the infected drive.

Do you have your Windows XP disk still with you? We may need that if we can't do it through Windows normally.

Let's start off with Combofix.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.



Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 kikaman

kikaman
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:11:26 AM

Posted 05 April 2010 - 08:43 PM

Thanks for your response.

I located the Windows XP disk (service pack 1a).

Here is the ComboFix log:

ComboFix 10-04-05.01 - Patrick 04/05/2010 18:54:03.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.185 [GMT -7:00]
Running from: c:\documents and settings\Patrick\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Legacy_IPRIP
-------\Legacy_NPF
-------\Service_Ias
-------\Service_Iprip
-------\Service_ndisrd


((((((((((((((((((((((((( Files Created from 2010-03-06 to 2010-04-06 )))))))))))))))))))))))))))))))
.

2010-04-04 00:55 . 2010-04-04 00:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-03 20:49 . 2010-04-03 20:27 -------- d-----w- C:\RECYCLER(2)
2010-04-03 20:27 . 2010-04-03 20:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-03 01:51 . 2010-04-03 01:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware3
2010-04-02 22:43 . 2010-03-29 22:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-02 22:43 . 2010-04-03 00:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 22:43 . 2010-03-29 22:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-02 20:32 . 2010-04-02 22:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2
2010-04-02 20:24 . 2010-04-02 20:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-02 19:16 . 2010-04-02 19:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-02 15:18 . 2010-04-02 18:46 -------- d-sh--w- c:\documents and settings\Patrick\.COMMgr
2010-03-18 22:53 . 2010-03-18 22:53 -------- d-----w- c:\program files\MSECache
2010-03-15 15:30 . 2010-03-15 15:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-10 23:54 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-06 02:12 . 2004-09-02 04:57 7304 ----a-w- c:\windows\TMP0001.TMP
2010-04-05 23:35 . 2004-09-01 21:00 9313 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-04-04 21:48 . 2008-01-19 15:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-04 19:06 . 2003-07-16 20:24 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-04 00:56 . 2010-04-04 00:56 503808 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d1d9207-n\msvcp71.dll
2010-04-04 00:56 . 2010-04-04 00:56 499712 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d1d9207-n\jmc.dll
2010-04-04 00:56 . 2010-04-04 00:56 348160 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d1d9207-n\msvcr71.dll
2010-04-04 00:56 . 2010-04-04 00:56 61440 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-117f5675-n\decora-sse.dll
2010-04-04 00:56 . 2010-04-04 00:56 12800 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-117f5675-n\decora-d3d.dll
2010-04-04 00:56 . 2004-08-26 23:50 -------- d-----w- c:\program files\Common Files\Java
2010-04-04 00:54 . 2004-08-26 23:50 -------- d-----w- c:\program files\Java
2010-04-04 00:28 . 2006-09-09 19:51 -------- d-----w- c:\program files\BitComet
2010-04-04 00:00 . 2008-10-05 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-03 22:58 . 2009-08-30 16:04 -------- d-----w- c:\program files\Malhelpwarebytes' Anti-Malware
2010-04-03 20:26 . 1601-01-01 07:00 96512 ----a-w- c:\windows\system32\drivers\tsk7.tmp
2010-04-03 20:17 . 2010-04-03 20:23 155254 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2010-04-03 19:58 . 2009-08-29 15:11 -------- d-----w- c:\documents and settings\Patrick\Application Data\Logs
2010-04-03 17:28 . 2009-08-31 02:03 117760 ----a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-03 04:33 . 2003-07-16 20:37 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-04-02 20:18 . 2010-04-02 20:18 699904 ----a-w- c:\windows\isRS-000.tmp
2010-04-02 18:30 . 2009-11-21 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-02 16:05 . 2009-08-29 19:49 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-30 20:12 . 2004-09-21 23:40 36200 ----a-w- c:\documents and settings\Patrick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-15 15:30 . 2009-08-29 16:38 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-15 15:30 . 2009-08-29 16:38 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-15 15:21 . 2009-08-29 16:38 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-25 06:24 . 2003-07-16 20:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-29 23:59 . 2009-12-29 23:12 52224 ----a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48d7245f-8c27-453b-86bd-a20119a3801f}]
monelare.dll [BU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 21:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-15 15:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
c:\progra~1\AVG\AVG8\avgtray.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-08-05 23:06 1830128 ----a-w- c:\program files\SUPERAntiSpyware\SUPERhelpAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"UPS"=3 (0x3)
"TermService"=3 (0x3)
"TapiSrv"=2 (0x2)
"SCardSvr"=3 (0x3)
"Netlogon"=3 (0x3)
"mnmsrvc"=3 (0x3)
"iPod Service"=3 (0x3)
"FastUserSwitchingCompatibility"=2 (0x2)
"Browser"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:RSP
"8536:TCP"= 8536:TCP:BitComet 8536 TCP
"8536:UDP"= 8536:UDP:BitComet 8536 UDP
"18163:TCP"= 18163:TCP:BitComet 18163 TCP
"18163:UDP"= 18163:UDP:BitComet 18163 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/29/2009 9:38 AM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/29/2009 9:38 AM 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [2/10/2003 2:52 AM 114688]
R2 AsfAlrt;AsfAlrt;c:\windows\system32\drivers\Asfalrt.sys [12/18/2002 2:31 AM 36064]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/15/2010 8:30 AM 308064]
S0 abqhsqdg;abqhsqdg; [x]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 srenum;srenum;c:\windows\system32\DRIVERS\srenum.sys --> c:\windows\system32\DRIVERS\srenum.sys [?]
S3 ATWPKT;ATWPKT;c:\windows\system32\drivers\atwpkt.sys [8/31/2004 8:04 PM 19140]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S3 VVBETHERNET;Actiontec USB Ethernet Home DSL;c:\windows\system32\drivers\VVBETH.SYS [8/31/2004 7:54 PM 34560]
S3 vvbususb;Virata USB VvBus driver;c:\windows\system32\drivers\VVBUSUSB.SYS [8/31/2004 7:54 PM 50236]
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\User_Feed_Synchronization-{4BDEC742-8D60-4785-9545-0346260D481C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

2010-04-03 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-11-20 08:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} - hxxps://streaming.endeavors.com/microsoft/streets/clientdownloads/OTAI.CAB
FF - ProfilePath - c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\uy9pr074.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{1710c2ed-e463-4ead-86bc-fae8e4caefec} - (no file)
SSODL-batufezab-{1710c2ed-e463-4ead-86bc-fae8e4caefec} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-05 19:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x818A9AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf857af28
\Driver\ACPI -> ACPI.sys @ 0xf84edcb8
\Driver\atapi -> atapi.sys @ 0xf84a5852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel® PRO/1000 MT Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf83b1bb0
PacketIndicateHandler -> NDIS.sys @ 0xf83bea21
SendHandler -> NDIS.sys @ 0xf839c87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(516)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(576)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1568)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-05 19:36:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-06 02:36
ComboFix2.txt 2010-04-03 20:21

Pre-Run: 33,844,867,072 bytes free
Post-Run: 34,147,901,440 bytes free

- - End Of File - - EB5230A4896AEDECCC2C67B5F019BA44


#4 kikaman

kikaman
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:11:26 AM

Posted 06 April 2010 - 08:58 AM

FYI, after using ComboFix I re-enabled my anti-virus program (AVG) -- I hope that was the right thing to do.

I just took a look at my PC this morning and I have a few pop-ups from XP Security: a security alert warning of a system integrity threat and another alert stating that it had detected 27 critical system objects. I assume these are bogus and just wanted to give you a heads up of what was happening on this end.

Thanks for your help.

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:26 AM

Posted 06 April 2010 - 04:34 PM

Hello.

The infection is still there. Since you have your Windows XP disk with you we will use that to our advantage here.

First...

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator.)
  • A blank window will open with the title "SystemLook v1.0 by jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    CODE
    :filefind
    atapi.sys
  • Please confirm everything is copied and pasted exactly as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


--
Update and Scan with Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Edited by extremeboy, 06 April 2010 - 04:34 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image link].

#6 kikaman

  • Topic Starter

  • Members
  • 57 posts

Posted 06 April 2010 - 05:08 PM

Here's the SystemLook Log (I'm working on Anti-Malware update, etc and will post shortly).

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 14:58 on 06/04/2010 by Patrick (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\i386\atapi.sys --a--- 87296 bytes [20:11 01/09/2004] [14:29 23/04/2003] E52B3B3F78C9AE85806CE49DCDD80C18
C:\windows\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [04:23 17/10/2009] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\windows\ERDNT\cache\atapi.sys --a--- 96512 bytes [02:33 06/04/2010] [19:06 04/04/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\windows\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [12:44 16/10/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\windows\system32\drivers\atapi.sys ------ 96512 bytes [20:24 16/07/2003] [19:06 04/04/2010] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-

#7 kikaman

  • Topic Starter

  • Members
  • 57 posts

Posted 06 April 2010 - 05:45 PM

Here's the MBAM log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3961

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/6/2010 3:35:56 PM
mbam-log-2010-04-06 (15-35-56).txt

Scan type: Quick scan
Objects scanned: 124556
Time elapsed: 15 minute(s), 49 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\IEXPLORE.EXE") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Delete on reboot.


#8 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 06 April 2010 - 06:11 PM

Print out these instructions to use while in the Recovery Console: (This is for XP only)
  1. Restart your computer.
  2. Before Windows loads, you will be prompted to choose which Operating System to start.
  3. Use the up and down arrow key to select Microsoft Windows Recovery Console
  4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
  5. At the C:\Windows prompt, type the following bolded entries, and press 'Enter' (note the spaces):

    cd c:\windows\system32\drivers
    ren atapi.sys atapi.old
    copy C:\windows\ServicePackFiles\i386\atapi.sys c:\windows\system32\drivers
    exit


    You should see a message '1 file copied'. If you did not see that message, try again and ensure there is a space after the word copy and another space between the file paths.
    (If you do not see '1 file copied' on the screen, even after ensuring the commands are correct, rename the file back to its original name by typing the following command and then hitting Enter:
    ren atapi.old atapi.sys
    You should NOT be prompted to overwrite an existing file, but if you are, select No, then type exit to restart and notify me of your results.)

  6. Type exit and press 'Enter'. Your computer should reboot.

After that, please re-run Combofix for me and post the log upon completion.

#9 kikaman

  • Topic Starter

  • Members
  • 57 posts

Posted 06 April 2010 - 06:51 PM

I followed your instructions and got the "1 file copied" message. Reran Combofix, the log is below:

ComboFix 10-04-05.06 - Patrick 04/06/2010 16:28:20.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.353 [GMT -7:00]
Running from: c:\documents and settings\Patrick\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-03-06 to 2010-04-06 )))))))))))))))))))))))))))))))
.

2010-04-04 00:56 . 2010-04-04 00:56 503808 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d1d9207-n\msvcp71.dll
2010-04-04 00:56 . 2010-04-04 00:56 499712 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d1d9207-n\jmc.dll
2010-04-04 00:56 . 2010-04-04 00:56 348160 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d1d9207-n\msvcr71.dll
2010-04-04 00:56 . 2010-04-04 00:56 61440 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-117f5675-n\decora-sse.dll
2010-04-04 00:56 . 2010-04-04 00:56 12800 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-117f5675-n\decora-d3d.dll
2010-04-04 00:55 . 2010-04-04 00:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-03 20:49 . 2010-04-03 20:27 -------- d-----w- C:\RECYCLER(2)
2010-04-03 20:27 . 2010-04-03 20:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-03 01:51 . 2010-04-03 01:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware3
2010-04-02 22:43 . 2010-03-29 22:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-02 22:43 . 2010-04-03 00:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 22:43 . 2010-03-29 22:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-02 20:32 . 2010-04-02 22:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2
2010-04-02 20:24 . 2010-04-02 20:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-02 19:16 . 2010-04-02 19:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-02 15:18 . 2010-04-02 18:46 -------- d-sh--w- c:\documents and settings\Patrick\.COMMgr
2010-03-18 22:53 . 2010-03-18 22:53 -------- d-----w- c:\program files\MSECache
2010-03-15 15:30 . 2010-03-15 15:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-10 23:54 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-06 23:18 . 2004-09-02 04:57 7304 ----a-w- c:\windows\TMP0001.TMP
2010-04-06 13:13 . 2008-01-19 15:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-05 23:35 . 2004-09-01 21:00 9313 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-04-04 19:06 . 2003-07-16 20:24 96512 ----a-w- c:\windows\system32\drivers\atapi.old
2010-04-04 00:56 . 2004-08-26 23:50 -------- d-----w- c:\program files\Common Files\Java
2010-04-04 00:54 . 2004-08-26 23:50 -------- d-----w- c:\program files\Java
2010-04-04 00:28 . 2006-09-09 19:51 -------- d-----w- c:\program files\BitComet
2010-04-04 00:00 . 2008-10-05 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-03 22:58 . 2009-08-30 16:04 -------- d-----w- c:\program files\Malhelpwarebytes' Anti-Malware
2010-04-03 20:26 . 1601-01-01 07:00 96512 ----a-w- c:\windows\system32\drivers\tsk7.tmp
2010-04-03 20:17 . 2010-04-03 20:23 155254 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2010-04-03 19:58 . 2009-08-29 15:11 -------- d-----w- c:\documents and settings\Patrick\Application Data\Logs
2010-04-03 17:28 . 2009-08-31 02:03 117760 ----a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-03 04:33 . 2003-07-16 20:37 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-04-02 20:18 . 2010-04-02 20:18 699904 ----a-w- c:\windows\isRS-000.tmp
2010-04-02 18:30 . 2009-11-21 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-02 16:05 . 2009-08-29 19:49 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-30 20:12 . 2004-09-21 23:40 36200 ----a-w- c:\documents and settings\Patrick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-15 15:30 . 2009-08-29 16:38 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-15 15:30 . 2009-08-29 16:38 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-15 15:21 . 2009-08-29 16:38 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-25 06:24 . 2003-07-16 20:51 916480 ------w- c:\windows\system32\wininet.dll
2010-01-29 23:59 . 2009-12-29 23:12 52224 ----a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48d7245f-8c27-453b-86bd-a20119a3801f}]
monelare.dll [BU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 21:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-15 15:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
c:\progra~1\AVG\AVG8\avgtray.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-08-05 23:06 1830128 ----a-w- c:\program files\SUPERAntiSpyware\SUPERhelpAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"UPS"=3 (0x3)
"TermService"=3 (0x3)
"TapiSrv"=2 (0x2)
"SCardSvr"=3 (0x3)
"Netlogon"=3 (0x3)
"mnmsrvc"=3 (0x3)
"iPod Service"=3 (0x3)
"FastUserSwitchingCompatibility"=2 (0x2)
"Browser"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:RSP
"8536:TCP"= 8536:TCP:BitComet 8536 TCP
"8536:UDP"= 8536:UDP:BitComet 8536 UDP
"18163:TCP"= 18163:TCP:BitComet 18163 TCP
"18163:UDP"= 18163:UDP:BitComet 18163 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/29/2009 9:38 AM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/29/2009 9:38 AM 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [2/10/2003 2:52 AM 114688]
R2 AsfAlrt;AsfAlrt;c:\windows\system32\drivers\Asfalrt.sys [12/18/2002 2:31 AM 36064]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/15/2010 8:30 AM 308064]
S0 abqhsqdg;abqhsqdg; [x]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 srenum;srenum;c:\windows\system32\DRIVERS\srenum.sys --> c:\windows\system32\DRIVERS\srenum.sys [?]
S3 ATWPKT;ATWPKT;c:\windows\system32\drivers\atwpkt.sys [8/31/2004 8:04 PM 19140]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S3 VVBETHERNET;Actiontec USB Ethernet Home DSL;c:\windows\system32\drivers\VVBETH.SYS [8/31/2004 7:54 PM 34560]
S3 vvbususb;Virata USB VvBus driver;c:\windows\system32\drivers\VVBUSUSB.SYS [8/31/2004 7:54 PM 50236]
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\User_Feed_Synchronization-{4BDEC742-8D60-4785-9545-0346260D481C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

2010-04-03 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-11-20 08:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} - hxxps://streaming.endeavors.com/microsoft/streets/clientdownloads/OTAI.CAB
FF - ProfilePath - c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\uy9pr074.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-06 16:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x818EEAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf857af28
\Driver\ACPI -> ACPI.sys @ 0xf84edcb8
\Driver\atapi -> atapi.sys @ 0xf84a5852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel® PRO/1000 MT Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf83b1bb0
PacketIndicateHandler -> NDIS.sys @ 0xf83bea21
SendHandler -> NDIS.sys @ 0xf839c87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(512)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(580)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3816)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-06 16:47:33
ComboFix-quarantined-files.txt 2010-04-06 23:47
ComboFix2.txt 2010-04-06 02:36
ComboFix3.txt 2010-04-03 20:21

Pre-Run: 34,021,761,024 bytes free
Post-Run: 34,064,846,848 bytes free

- - End Of File - - 7E2F0969D7E616F360749E6786BBDC2F

#10 kikaman

  • Topic Starter

  • Members
  • 57 posts

Posted 07 April 2010 - 09:31 AM

Hello.

Took a look at my computer this morning and it showed a svchost.exe application error. It read as follows:

The instruction at "0x0b597cd7" referenced memory at "0x100a6024". The memory could not be "written"
Click on OK to terminate
Click on cancel to debug

I clicked on OK and logged in as I had to access some files on the computer. Good news is no pop ups like yesterday.

Thanks again for your continued help.

#11 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 07 April 2010 - 09:07 PM

Download and Run Kaspersky TDSSKiller
  • Go to Kaspersky and download TDSSKiller.zip.
  • Extract the contents of TDSSKiller.zip to your Desktop.
  • Click Start >> Run then copy and paste the following bold command line into the Run box and click OK.
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
  • When done, a log file should be created on your C: drive called TDSSKiller.txt; please post this log in your next reply.

Then please re-run GMER for me and post the log.

#12 kikaman

  • Topic Starter

  • Members
  • 57 posts

Posted 08 April 2010 - 09:07 AM

I think I may have screwed this up slightly -- started working on this before having my coffee. Sorry.

I had a copy of TDSS Killer already installed; instead of following your directions, I double-clicked on it and it did its thing. After re-reading your instructions I copied the command but did not get instructions to delete anything.

Also, I've got those XP defender pop ups back and there is a svchost.exe and winlogon.exe using up a lot of my CPU memory.

Here is the log. I will post the GMER log shortly.

06:52:49:093 3460 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
06:52:49:093 3460 ================================================================================
06:52:49:093 3460 SystemInfo:

06:52:49:093 3460 OS Version: 5.1.2600 ServicePack: 3.0
06:52:49:093 3460 Product type: Workstation
06:52:49:093 3460 ComputerName: OFFICE
06:52:49:093 3460 UserName: Patrick
06:52:49:093 3460 Windows directory: C:\WINDOWS
06:52:49:093 3460 Processor architecture: Intel x86
06:52:49:093 3460 Number of processors: 1
06:52:49:093 3460 Page size: 0x1000
06:52:49:093 3460 Boot type: Normal boot
06:52:49:093 3460 ================================================================================
06:52:49:093 3460 UnloadDriverW: NtUnloadDriver error 1
06:52:49:093 3460 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1
06:52:49:093 3460 LoadDriverW: Driver already loaded
06:52:49:093 3460 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
06:52:49:093 3460 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
06:52:49:093 3460 wfopen_ex: Trying to KLMD file open
06:52:49:093 3460 wfopen_ex: File opened ok (Flags 2)
06:52:49:093 3460 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
06:52:49:093 3460 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
06:52:49:093 3460 wfopen_ex: Trying to KLMD file open
06:52:49:093 3460 wfopen_ex: File opened ok (Flags 2)
06:52:49:093 3460 Initialize success
06:52:49:093 3460
06:52:49:093 3460 Scanning Services ...
06:52:49:515 3460 Raw services enum returned 371 services
06:52:49:531 3460
06:52:49:531 3460 Scanning Kernel memory ...
06:52:49:531 3460 Devices to scan: 5
06:52:49:531 3460
06:52:49:531 3460 Driver Name: Disk
06:52:49:531 3460 IRP_MJ_CREATE : F857CBB0
06:52:49:531 3460 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
06:52:49:531 3460 IRP_MJ_CLOSE : F857CBB0
06:52:49:531 3460 IRP_MJ_READ : F8576D1F
06:52:49:531 3460 IRP_MJ_WRITE : F8576D1F
06:52:49:531 3460 IRP_MJ_QUERY_INFORMATION : 804FA88E
06:52:49:531 3460 IRP_MJ_SET_INFORMATION : 804FA88E
06:52:49:531 3460 IRP_MJ_QUERY_EA : 804FA88E
06:52:49:531 3460 IRP_MJ_SET_EA : 804FA88E
06:52:49:531 3460 IRP_MJ_FLUSH_BUFFERS : F85772E2
06:52:49:531 3460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
06:52:49:531 3460 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
06:52:49:531 3460 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
06:52:49:531 3460 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
06:52:49:531 3460 IRP_MJ_DEVICE_CONTROL : F85773BB
06:52:49:531 3460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F857AF28
06:52:49:531 3460 IRP_MJ_SHUTDOWN : F85772E2
06:52:49:531 3460 IRP_MJ_LOCK_CONTROL : 804FA88E
06:52:49:531 3460 IRP_MJ_CLEANUP : 804FA88E
06:52:49:531 3460 IRP_MJ_CREATE_MAILSLOT : 804FA88E
06:52:49:531 3460 IRP_MJ_QUERY_SECURITY : 804FA88E
06:52:49:531 3460 IRP_MJ_SET_SECURITY : 804FA88E
06:52:49:531 3460 IRP_MJ_POWER : F8578C82
06:52:49:531 3460 IRP_MJ_SYSTEM_CONTROL : F857D99E
06:52:49:531 3460 IRP_MJ_DEVICE_CHANGE : 804FA88E
06:52:49:531 3460 IRP_MJ_QUERY_QUOTA : 804FA88E
06:52:49:531 3460 IRP_MJ_SET_QUOTA : 804FA88E
06:52:49:546 3460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
06:52:49:546 3460
06:52:49:546 3460 Driver Name: USBSTOR
06:52:49:546 3460 IRP_MJ_CREATE : F88B3218
06:52:49:546 3460 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
06:52:49:546 3460 IRP_MJ_CLOSE : F88B3218
06:52:49:546 3460 IRP_MJ_READ : F88B323C
06:52:49:546 3460 IRP_MJ_WRITE : F88B323C
06:52:49:546 3460 IRP_MJ_QUERY_INFORMATION : 804FA88E
06:52:49:546 3460 IRP_MJ_SET_INFORMATION : 804FA88E
06:52:49:546 3460 IRP_MJ_QUERY_EA : 804FA88E
06:52:49:546 3460 IRP_MJ_SET_EA : 804FA88E
06:52:49:546 3460 IRP_MJ_FLUSH_BUFFERS : 804FA88E
06:52:49:546 3460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
06:52:49:546 3460 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
06:52:49:546 3460 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
06:52:49:546 3460 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
06:52:49:546 3460 IRP_MJ_DEVICE_CONTROL : F88B3180
06:52:49:546 3460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F88AE9E6
06:52:49:546 3460 IRP_MJ_SHUTDOWN : 804FA88E
06:52:49:546 3460 IRP_MJ_LOCK_CONTROL : 804FA88E
06:52:49:546 3460 IRP_MJ_CLEANUP : 804FA88E
06:52:49:546 3460 IRP_MJ_CREATE_MAILSLOT : 804FA88E
06:52:49:546 3460 IRP_MJ_QUERY_SECURITY : 804FA88E
06:52:49:546 3460 IRP_MJ_SET_SECURITY : 804FA88E
06:52:49:546 3460 IRP_MJ_POWER : F88B25F0
06:52:49:546 3460 IRP_MJ_SYSTEM_CONTROL : F88B0A6E
06:52:49:546 3460 IRP_MJ_DEVICE_CHANGE : 804FA88E
06:52:49:546 3460 IRP_MJ_QUERY_QUOTA : 804FA88E
06:52:49:546 3460 IRP_MJ_SET_QUOTA : 804FA88E
06:52:49:546 3460 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
06:52:49:546 3460
06:52:49:546 3460 Driver Name: Disk
06:52:49:546 3460 IRP_MJ_CREATE : F857CBB0
06:52:49:546 3460 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
06:52:49:546 3460 IRP_MJ_CLOSE : F857CBB0
06:52:49:546 3460 IRP_MJ_READ : F8576D1F
06:52:49:546 3460 IRP_MJ_WRITE : F8576D1F
06:52:49:546 3460 IRP_MJ_QUERY_INFORMATION : 804FA88E
06:52:49:546 3460 IRP_MJ_SET_INFORMATION : 804FA88E
06:52:49:546 3460 IRP_MJ_QUERY_EA : 804FA88E
06:52:49:546 3460 IRP_MJ_SET_EA : 804FA88E
06:52:49:546 3460 IRP_MJ_FLUSH_BUFFERS : F85772E2
06:52:49:546 3460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
06:52:49:546 3460 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
06:52:49:546 3460 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
06:52:49:546 3460 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
06:52:49:546 3460 IRP_MJ_DEVICE_CONTROL : F85773BB
06:52:49:546 3460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F857AF28
06:52:49:546 3460 IRP_MJ_SHUTDOWN : F85772E2
06:52:49:546 3460 IRP_MJ_LOCK_CONTROL : 804FA88E
06:52:49:546 3460 IRP_MJ_CLEANUP : 804FA88E
06:52:49:546 3460 IRP_MJ_CREATE_MAILSLOT : 804FA88E
06:52:49:546 3460 IRP_MJ_QUERY_SECURITY : 804FA88E
06:52:49:546 3460 IRP_MJ_SET_SECURITY : 804FA88E
06:52:49:546 3460 IRP_MJ_POWER : F8578C82
06:52:49:546 3460 IRP_MJ_SYSTEM_CONTROL : F857D99E
06:52:49:546 3460 IRP_MJ_DEVICE_CHANGE : 804FA88E
06:52:49:546 3460 IRP_MJ_QUERY_QUOTA : 804FA88E
06:52:49:546 3460 IRP_MJ_SET_QUOTA : 804FA88E
06:52:49:546 3460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
06:52:49:546 3460
06:52:49:546 3460 Driver Name: Disk
06:52:49:546 3460 IRP_MJ_CREATE : F857CBB0
06:52:49:546 3460 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
06:52:49:546 3460 IRP_MJ_CLOSE : F857CBB0
06:52:49:546 3460 IRP_MJ_READ : F8576D1F
06:52:49:546 3460 IRP_MJ_WRITE : F8576D1F
06:52:49:546 3460 IRP_MJ_QUERY_INFORMATION : 804FA88E
06:52:49:546 3460 IRP_MJ_SET_INFORMATION : 804FA88E
06:52:49:546 3460 IRP_MJ_QUERY_EA : 804FA88E
06:52:49:546 3460 IRP_MJ_SET_EA : 804FA88E
06:52:49:546 3460 IRP_MJ_FLUSH_BUFFERS : F85772E2
06:52:49:546 3460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
06:52:49:562 3460 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
06:52:49:562 3460 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
06:52:49:562 3460 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
06:52:49:562 3460 IRP_MJ_DEVICE_CONTROL : F85773BB
06:52:49:562 3460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F857AF28
06:52:49:562 3460 IRP_MJ_SHUTDOWN : F85772E2
06:52:49:562 3460 IRP_MJ_LOCK_CONTROL : 804FA88E
06:52:49:562 3460 IRP_MJ_CLEANUP : 804FA88E
06:52:49:562 3460 IRP_MJ_CREATE_MAILSLOT : 804FA88E
06:52:49:562 3460 IRP_MJ_QUERY_SECURITY : 804FA88E
06:52:49:562 3460 IRP_MJ_SET_SECURITY : 804FA88E
06:52:49:562 3460 IRP_MJ_POWER : F8578C82
06:52:49:562 3460 IRP_MJ_SYSTEM_CONTROL : F857D99E
06:52:49:562 3460 IRP_MJ_DEVICE_CHANGE : 804FA88E
06:52:49:562 3460 IRP_MJ_QUERY_QUOTA : 804FA88E
06:52:49:562 3460 IRP_MJ_SET_QUOTA : 804FA88E
06:52:49:562 3460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
06:52:49:562 3460
06:52:49:562 3460 Driver Name: atapi
06:52:49:562 3460 IRP_MJ_CREATE : 8191BAC8
06:52:49:562 3460 IRP_MJ_CREATE_NAMED_PIPE : 8191BAC8
06:52:49:562 3460 IRP_MJ_CLOSE : 8191BAC8
06:52:49:562 3460 IRP_MJ_READ : 8191BAC8
06:52:49:562 3460 IRP_MJ_WRITE : 8191BAC8
06:52:49:562 3460 IRP_MJ_QUERY_INFORMATION : 8191BAC8
06:52:49:562 3460 IRP_MJ_SET_INFORMATION : 8191BAC8
06:52:49:562 3460 IRP_MJ_QUERY_EA : 8191BAC8
06:52:49:562 3460 IRP_MJ_SET_EA : 8191BAC8
06:52:49:562 3460 IRP_MJ_FLUSH_BUFFERS : 8191BAC8
06:52:49:562 3460 IRP_MJ_QUERY_VOLUME_INFORMATION : 8191BAC8
06:52:49:562 3460 IRP_MJ_SET_VOLUME_INFORMATION : 8191BAC8
06:52:49:562 3460 IRP_MJ_DIRECTORY_CONTROL : 8191BAC8
06:52:49:562 3460 IRP_MJ_FILE_SYSTEM_CONTROL : 8191BAC8
06:52:49:562 3460 IRP_MJ_DEVICE_CONTROL : 8191BAC8
06:52:49:562 3460 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8191BAC8
06:52:49:562 3460 IRP_MJ_SHUTDOWN : 8191BAC8
06:52:49:562 3460 IRP_MJ_LOCK_CONTROL : 8191BAC8
06:52:49:562 3460 IRP_MJ_CLEANUP : 8191BAC8
06:52:49:562 3460 IRP_MJ_CREATE_MAILSLOT : 8191BAC8
06:52:49:562 3460 IRP_MJ_QUERY_SECURITY : 8191BAC8
06:52:49:562 3460 IRP_MJ_SET_SECURITY : 8191BAC8
06:52:49:562 3460 IRP_MJ_POWER : 8191BAC8
06:52:49:562 3460 IRP_MJ_SYSTEM_CONTROL : 8191BAC8
06:52:49:562 3460 IRP_MJ_DEVICE_CHANGE : 8191BAC8
06:52:49:562 3460 IRP_MJ_QUERY_QUOTA : 8191BAC8
06:52:49:562 3460 IRP_MJ_SET_QUOTA : 8191BAC8
06:52:49:562 3460 Driver "atapi" infected by TDSS rootkit!
06:52:49:562 3460 C:\WINDOWS\system32\drivers\tsk2E.tmp - Verdict: 3
06:52:49:562 3460
06:52:49:562 3460 Completed
06:52:49:562 3460
06:52:49:562 3460 Results:
06:52:49:562 3460 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
06:52:49:562 3460 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
06:52:49:562 3460 File objects infected / cured / cured on reboot: 0 / 0 / 0
06:52:49:562 3460
06:52:49:562 3460 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
06:52:49:562 3460 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
06:52:49:562 3460 UnloadDriverW: NtUnloadDriver error 1
06:52:49:562 3460 KLMD(ARK) unloaded successfully

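What the TDSSKiller dump above actually shows is the difference between a normal dispatch table and a hooked one: disk.sys splits its IRP_MJ_* entries between its own image (F857xxxx) and one shared kernel address (804FA88E) used for every major it does not implement, while every entry of atapi points at a single address (8191BAC8) that is neither of those. The script below is an added example written for this thread; it is not code from the original post, from TDSSKiller or from Kaspersky. It parses the `Driver Name:` / `IRP_MJ_* : <addr>` blocks and flags any driver whose whole table collapses to one non-fallback address. It assumes that the most common address in non-uniform tables is the kernel's shared fallback handler (804FA88E here; the log never names the symbol), and since the log gives no module address ranges the check rests on table uniformity alone. The sample input is a trimmed excerpt of the log above, embedded so the script runs offline.

```python
"""Flag kernel drivers whose whole IRP dispatch table points at one foreign
address, the pattern TDSSKiller reports for atapi in the log above.

Added example for this thread; not part of the original post and not
TDSSKiller's own code. It only reads the 'Driver Name:' / 'IRP_MJ_* : <addr>'
blocks that TDSSKiller prints.
"""
import re
from collections import Counter

# Constructed input: an excerpt of the TDSSKiller output posted above,
# trimmed to a few majors per driver. Clean disk.sys splits its table between
# its own image (F857xxxx) and one shared kernel handler (804FA88E) used for
# every major it does not implement; hooked atapi sends everything to 8191BAC8.
SAMPLE_LOG = r"""
06:52:49:546 3460 Driver Name: Disk
06:52:49:546 3460 IRP_MJ_CREATE : F857CBB0
06:52:49:546 3460 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
06:52:49:546 3460 IRP_MJ_CLOSE : F857CBB0
06:52:49:546 3460 IRP_MJ_READ : F8576D1F
06:52:49:546 3460 IRP_MJ_WRITE : F8576D1F
06:52:49:546 3460 IRP_MJ_QUERY_INFORMATION : 804FA88E
06:52:49:546 3460 IRP_MJ_SET_INFORMATION : 804FA88E
06:52:49:546 3460 IRP_MJ_QUERY_EA : 804FA88E
06:52:49:546 3460 IRP_MJ_SET_EA : 804FA88E
06:52:49:546 3460 IRP_MJ_POWER : F8578C82
06:52:49:546 3460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
06:52:49:546 3460
06:52:49:562 3460 Driver Name: atapi
06:52:49:562 3460 IRP_MJ_CREATE : 8191BAC8
06:52:49:562 3460 IRP_MJ_CREATE_NAMED_PIPE : 8191BAC8
06:52:49:562 3460 IRP_MJ_CLOSE : 8191BAC8
06:52:49:562 3460 IRP_MJ_READ : 8191BAC8
06:52:49:562 3460 IRP_MJ_WRITE : 8191BAC8
06:52:49:562 3460 IRP_MJ_POWER : 8191BAC8
06:52:49:562 3460 Driver "atapi" infected by TDSS rootkit!
"""

DRIVER_RE = re.compile(r"Driver Name:\s*(\S+)")
IRP_RE = re.compile(r"(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})\b")
VERDICT_RE = re.compile(r"\s(\S+\.sys) - Verdict:\s*(\d+)")


def parse_dispatch_tables(log_text):
    """Return {driver: {"irp": {IRP_MJ_x: int addr}, "image": path or None}}."""
    tables = {}
    current = None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            tables[current] = {"irp": {}, "image": None}
            continue
        if current is None:
            continue
        m = IRP_RE.search(line)
        if m:
            tables[current]["irp"][m.group(1)] = int(m.group(2), 16)
            continue
        m = VERDICT_RE.search(line)
        if m:
            tables[current]["image"] = m.group(1)
    return tables


def kernel_fallback_handler(tables):
    """Infer the kernel's shared 'unsupported request' handler: the address
    that occurs most often in tables that still contain more than one distinct
    target (a uniform table is exactly what we want to flag, so it is ignored).
    In the posted log this comes out as 0x804FA88E; treating that address as
    the kernel fallback is an assumption of this example, not a log statement."""
    counts = Counter()
    for entry in tables.values():
        targets = list(entry["irp"].values())
        if len(set(targets)) > 1:
            counts.update(targets)
    return counts.most_common(1)[0][0] if counts else None


def suspicious_drivers(tables, min_entries=2):
    """Heuristic: every parsed IRP major of a driver resolves to one address,
    and that address is not the shared kernel fallback. A legitimate driver
    never collapses its whole table like that; a single hook stub does.
    Returns {driver: hook_address}."""
    fallback = kernel_fallback_handler(tables)
    flagged = {}
    for drv, entry in tables.items():
        targets = set(entry["irp"].values())
        if len(entry["irp"]) >= min_entries and len(targets) == 1:
            addr = next(iter(targets))
            if addr != fallback:
                flagged[drv] = addr
    return flagged


if __name__ == "__main__":
    parsed = parse_dispatch_tables(SAMPLE_LOG)
    for drv, addr in suspicious_drivers(parsed).items():
        print(f"{drv}: all IRP majors -> {addr:08X} (image: {parsed[drv]['image']})")
```

Run against the full log instead of the excerpt, the same check flags only atapi: the 28 disk.sys entries keep at least four distinct targets, while the 28 atapi entries all read 8191BAC8. The GMER line further down in the thread (`Device -> \Driver\atapi \Device\Harddisk0\DR0 8191BAC8`) reports the same address from an independent tool, which is the corroboration a responder wants before trusting a single scanner's verdict.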

#13 kikaman (Topic Starter)

Posted 08 April 2010 - 09:41 AM

Here's the GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-08 07:28:44
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Patrick\LOCALS~1\Temp\pwtdapog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8191BAC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#14 extremeboy (Malware Response Team)

Posted 08 April 2010 - 06:20 PM

Hello.

Could you please delete the copy of Combofix you currently have, re-download it and run Combofix again, post the log once done. Then please run Systemlook again as mentioned in this post over here: http://www.bleepingcomputer.com/forums/ind...t&p=1703263

Thanks.

#15 kikaman (Topic Starter)

Posted 08 April 2010 - 07:01 PM

Combofix deleted, reinstalled and rerun. The log is below. I'll do Systemlook next.

ComboFix 10-04-07.04 - Patrick 04/08/2010 16:33:41.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.202 [GMT -7:00]
Running from: c:\documents and settings\Patrick\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Local Settings\Application Data\ave.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-08 to 2010-04-08 )))))))))))))))))))))))))))))))
.

2010-04-07 15:39 . 2010-04-07 15:39 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-04 00:56 . 2010-04-04 00:56 503808 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d1d9207-n\msvcp71.dll
2010-04-04 00:56 . 2010-04-04 00:56 499712 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d1d9207-n\jmc.dll
2010-04-04 00:56 . 2010-04-04 00:56 348160 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d1d9207-n\msvcr71.dll
2010-04-04 00:56 . 2010-04-04 00:56 61440 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-117f5675-n\decora-sse.dll
2010-04-04 00:56 . 2010-04-04 00:56 12800 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-117f5675-n\decora-d3d.dll
2010-04-04 00:55 . 2010-04-04 00:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-03 20:49 . 2010-04-03 20:27 -------- d-----w- C:\RECYCLER(2)
2010-04-03 20:27 . 2010-04-03 20:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-03 01:51 . 2010-04-03 01:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware3
2010-04-02 22:43 . 2010-03-29 22:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-02 22:43 . 2010-04-03 00:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 22:43 . 2010-03-29 22:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-02 20:32 . 2010-04-02 22:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2
2010-04-02 20:24 . 2010-04-02 20:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-02 19:16 . 2010-04-02 19:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-02 15:18 . 2010-04-02 18:46 -------- d-sh--w- c:\documents and settings\Patrick\.COMMgr
2010-03-18 22:53 . 2010-03-18 22:53 -------- d-----w- c:\program files\MSECache
2010-03-15 15:30 . 2010-03-15 15:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-10 23:54 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-08 16:48 . 2008-01-19 15:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-08 14:29 . 2004-09-02 04:57 7304 ----a-w- c:\windows\TMP0001.TMP
2010-04-08 14:29 . 2009-10-16 12:44 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-07 00:09 . 2003-07-16 20:37 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-04-05 23:35 . 2004-09-01 21:00 9313 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-04-04 19:06 . 2003-07-16 20:24 96512 ----a-w- c:\windows\system32\drivers\atapi.old
2010-04-04 00:56 . 2004-08-26 23:50 -------- d-----w- c:\program files\Common Files\Java
2010-04-04 00:54 . 2004-08-26 23:50 -------- d-----w- c:\program files\Java
2010-04-04 00:28 . 2006-09-09 19:51 -------- d-----w- c:\program files\BitComet
2010-04-04 00:00 . 2008-10-05 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-03 22:58 . 2009-08-30 16:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-03 20:26 . 1601-01-01 07:00 96512 ----a-w- c:\windows\system32\drivers\tsk7.tmp
2010-04-03 20:17 . 2010-04-03 20:23 155254 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2010-04-03 19:58 . 2009-08-29 15:11 -------- d-----w- c:\documents and settings\Patrick\Application Data\Logs
2010-04-03 17:28 . 2009-08-31 02:03 117760 ----a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-02 20:18 . 2010-04-02 20:18 699904 ----a-w- c:\windows\isRS-000.tmp
2010-04-02 18:30 . 2009-11-21 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-02 16:05 . 2009-08-29 19:49 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-30 20:12 . 2004-09-21 23:40 36200 ----a-w- c:\documents and settings\Patrick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-15 15:30 . 2009-08-29 16:38 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-15 15:30 . 2009-08-29 16:38 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-15 15:21 . 2009-08-29 16:38 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-25 06:24 . 2003-07-16 20:51 916480 ------w- c:\windows\system32\wininet.dll
2010-01-29 23:59 . 2009-12-29 23:12 52224 ----a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48d7245f-8c27-453b-86bd-a20119a3801f}]
monelare.dll [BU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 21:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-15 15:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
c:\progra~1\AVG\AVG8\avgtray.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-08-05 23:06 1830128 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"UPS"=3 (0x3)
"TermService"=3 (0x3)
"TapiSrv"=2 (0x2)
"SCardSvr"=3 (0x3)
"Netlogon"=3 (0x3)
"mnmsrvc"=3 (0x3)
"iPod Service"=3 (0x3)
"FastUserSwitchingCompatibility"=2 (0x2)
"Browser"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:RSP
"8536:TCP"= 8536:TCP:BitComet 8536 TCP
"8536:UDP"= 8536:UDP:BitComet 8536 UDP
"18163:TCP"= 18163:TCP:BitComet 18163 TCP
"18163:UDP"= 18163:UDP:BitComet 18163 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/29/2009 9:38 AM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/29/2009 9:38 AM 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [2/10/2003 2:52 AM 114688]
R2 AsfAlrt;AsfAlrt;c:\windows\system32\drivers\Asfalrt.sys [12/18/2002 2:31 AM 36064]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/15/2010 8:30 AM 308064]
S0 abqhsqdg;abqhsqdg; [x]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 srenum;srenum;c:\windows\system32\DRIVERS\srenum.sys --> c:\windows\system32\DRIVERS\srenum.sys [?]
S3 ATWPKT;ATWPKT;c:\windows\system32\drivers\atwpkt.sys [8/31/2004 8:04 PM 19140]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S3 VVBETHERNET;Actiontec USB Ethernet Home DSL;c:\windows\system32\drivers\VVBETH.SYS [8/31/2004 7:54 PM 34560]
S3 vvbususb;Virata USB VvBus driver;c:\windows\system32\drivers\VVBUSUSB.SYS [8/31/2004 7:54 PM 50236]

--- Other Services/Drivers In Memory ---

*Deregistered* - klmdb
.
Contents of the 'Scheduled Tasks' folder

2010-04-08 c:\windows\Tasks\User_Feed_Synchronization-{4BDEC742-8D60-4785-9545-0346260D481C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

2010-04-03 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-11-20 08:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} - hxxps://streaming.endeavors.com/microsoft/streets/clientdownloads/OTAI.CAB
FF - ProfilePath - c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\uy9pr074.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-08 16:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8192CAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf857af28
\Driver\ACPI -> ACPI.sys @ 0xf84edcb8
\Driver\atapi -> tsk2E.tmp @ 0xf84a5852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel® PRO/1000 MT Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf83b1bb0
PacketIndicateHandler -> NDIS.sys @ 0xf83bea21
SendHandler -> NDIS.sys @ 0xf839c87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(508)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(568)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-08 16:56:50
ComboFix-quarantined-files.txt 2010-04-08 23:56
ComboFix2.txt 2010-04-06 23:47
ComboFix3.txt 2010-04-06 02:36
ComboFix4.txt 2010-04-03 20:21

Pre-Run: 33,793,703,936 bytes free
Post-Run: 33,909,243,904 bytes free

- - End Of File - - 4FDFB87333D79016EA440103FC543AB5




