TDSS rootkit infection

#31 kikaman

Posted 10 April 2010 - 02:28 PM

Here's the combo fix log with the MBAM log further below:

ComboFix 10-04-10.01 - Patrick 04/10/2010 12:34:52.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.183 [GMT -7:00]
Running from: c:\documents and settings\Patrick\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Patrick\.COMMgr

.
((((((((((((((((((((((((( Files Created from 2010-03-10 to 2010-04-10 )))))))))))))))))))))))))))))))
.

2010-04-09 01:19 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-09 01:19 . 2008-04-13 18:40 96512 ----a-w- C:\atapi.sys
2010-04-04 00:55 . 2010-04-04 00:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-03 20:49 . 2010-04-03 20:27 -------- d-----w- C:\RECYCLER(2)
2010-04-03 20:27 . 2010-04-03 20:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-03 01:51 . 2010-04-03 01:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware3
2010-04-02 22:43 . 2010-04-03 00:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 20:32 . 2010-04-02 22:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2
2010-04-02 20:24 . 2010-04-02 20:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-02 19:16 . 2010-04-02 19:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-18 22:53 . 2010-03-18 22:53 -------- d-----w- c:\program files\MSECache
2010-03-15 15:30 . 2010-03-15 15:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-10 19:29 . 2009-08-30 16:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-10 13:26 . 2008-01-19 15:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-10 03:37 . 2004-09-02 04:57 7304 ----a-w- c:\windows\TMP0001.TMP
2010-04-07 15:39 . 2010-04-07 15:39 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-07 00:09 . 2003-07-16 20:37 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-04-05 23:35 . 2004-09-01 21:00 9313 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-04-04 19:06 . 2003-07-16 20:24 96512 ----a-w- c:\windows\system32\drivers\atapi.old
2010-04-04 00:56 . 2010-04-04 00:56 503808 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d1d9207-n\msvcp71.dll
2010-04-04 00:56 . 2010-04-04 00:56 499712 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d1d9207-n\jmc.dll
2010-04-04 00:56 . 2010-04-04 00:56 348160 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d1d9207-n\msvcr71.dll
2010-04-04 00:56 . 2010-04-04 00:56 61440 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-117f5675-n\decora-sse.dll
2010-04-04 00:56 . 2010-04-04 00:56 12800 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-117f5675-n\decora-d3d.dll
2010-04-04 00:56 . 2004-08-26 23:50 -------- d-----w- c:\program files\Common Files\Java
2010-04-04 00:54 . 2004-08-26 23:50 -------- d-----w- c:\program files\Java
2010-04-04 00:28 . 2006-09-09 19:51 -------- d-----w- c:\program files\BitComet
2010-04-04 00:00 . 2008-10-05 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-03 20:26 . 1601-01-01 07:00 96512 ----a-w- c:\windows\system32\drivers\tsk7.tmp
2010-04-03 20:17 . 2010-04-03 20:23 155254 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2010-04-03 19:58 . 2009-08-29 15:11 -------- d-----w- c:\documents and settings\Patrick\Application Data\Logs
2010-04-03 17:28 . 2009-08-31 02:03 117760 ----a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-02 20:18 . 2010-04-02 20:18 699904 ----a-w- c:\windows\isRS-000.tmp
2010-04-02 18:30 . 2009-11-21 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-02 16:05 . 2009-08-29 19:49 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-30 20:12 . 2004-09-21 23:40 36200 ----a-w- c:\documents and settings\Patrick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-15 15:30 . 2009-08-29 16:38 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-15 15:30 . 2009-08-29 16:38 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-15 15:21 . 2009-08-29 16:38 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-25 06:24 . 2003-07-16 20:51 916480 ------w- c:\windows\system32\wininet.dll
2010-01-29 23:59 . 2009-12-29 23:12 52224 ----a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48d7245f-8c27-453b-86bd-a20119a3801f}]
monelare.dll [BU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 21:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-15 15:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
c:\progra~1\AVG\AVG8\avgtray.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-08-05 23:06 1830128 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"UPS"=3 (0x3)
"TermService"=3 (0x3)
"TapiSrv"=2 (0x2)
"SCardSvr"=3 (0x3)
"Netlogon"=3 (0x3)
"mnmsrvc"=3 (0x3)
"iPod Service"=3 (0x3)
"FastUserSwitchingCompatibility"=2 (0x2)
"Browser"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:RSP
"8536:TCP"= 8536:TCP:BitComet 8536 TCP
"8536:UDP"= 8536:UDP:BitComet 8536 UDP
"18163:TCP"= 18163:TCP:BitComet 18163 TCP
"18163:UDP"= 18163:UDP:BitComet 18163 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/29/2009 9:38 AM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/29/2009 9:38 AM 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [2/10/2003 2:52 AM 114688]
R2 AsfAlrt;AsfAlrt;c:\windows\system32\drivers\Asfalrt.sys [12/18/2002 2:31 AM 36064]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/15/2010 8:30 AM 308064]
S0 abqhsqdg;abqhsqdg; [x]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 srenum;srenum;c:\windows\system32\DRIVERS\srenum.sys --> c:\windows\system32\DRIVERS\srenum.sys [?]
S3 ATWPKT;ATWPKT;c:\windows\system32\drivers\atwpkt.sys [8/31/2004 8:04 PM 19140]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S3 VVBETHERNET;Actiontec USB Ethernet Home DSL;c:\windows\system32\drivers\VVBETH.SYS [8/31/2004 7:54 PM 34560]
S3 vvbususb;Virata USB VvBus driver;c:\windows\system32\drivers\VVBUSUSB.SYS [8/31/2004 7:54 PM 50236]

--- Other Services/Drivers In Memory ---

*Deregistered* - pwtdapog
.
Contents of the 'Scheduled Tasks' folder

2010-04-10 c:\windows\Tasks\User_Feed_Synchronization-{4BDEC742-8D60-4785-9545-0346260D481C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

2010-04-03 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-11-20 08:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} - hxxps://streaming.endeavors.com/microsoft/streets/clientdownloads/OTAI.CAB
FF - ProfilePath - c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\uy9pr074.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-10 12:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x819CEAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf857af28
\Driver\ACPI -> ACPI.sys @ 0xf84edcb8
\Driver\atapi -> atapi.sys @ 0xf84a5852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel® PRO/1000 MT Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf83b1bb0
PacketIndicateHandler -> NDIS.sys @ 0xf83bea21
SendHandler -> NDIS.sys @ 0xf839c87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(504)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(564)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1612)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-10 12:58:50
ComboFix-quarantined-files.txt 2010-04-10 19:58
ComboFix2.txt 2010-04-08 23:56
ComboFix3.txt 2010-04-06 23:47
ComboFix4.txt 2010-04-06 02:36
ComboFix5.txt 2010-04-10 19:31

Pre-Run: 33,858,404,352 bytes free
Post-Run: 33,875,034,112 bytes free

- - End Of File - - 5607875DD5A899AB986EC68612B65881



Here's the MBAM log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3975

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/10/2010 1:25:56 PM
mbam-log-2010-04-10 (13-25-56).txt

Scan type: Quick scan
Objects scanned: 123672
Time elapsed: 12 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "firefox.exe -safe-mode") Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#32 kikaman

Posted 10 April 2010 - 02:38 PM

I am entering this info from my laptop: MBAM found two problems on the PC which it removed. It said it had to reboot to complete the removal process. I clicked yes. The computer has been hung up with a blue screen and mouse pointer arrow for about ten minutes.

Oh wait a second, it now shows the Windows XP "logging off..." screen, although it has been like this for quite some time as well.

Please let me know if I should just continue to wait -- and if so, for how long -- before taking other measures.

Thank you.

Edited by kikaman, 10 April 2010 - 02:43 PM.


#33 extremeboy

Posted 10 April 2010 - 04:19 PM

Hmm...

Can you please shut down the infected computer and restart it. First try starting up normally and then try Safe Mode, and let me know if the same thing happens.

If you can't get into Windows properly, could you please boot into the OTLPE boot CD you created and run OTL and post that log so I can take a look.

Thanks.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#34 extremeboy

Posted 10 April 2010 - 04:37 PM

The driver appears to still be infected. In addition, in the previous GMER log you seem to have had the Show All box checked, causing the large GMER log.

If you are able to get into Windows properly, then could you please run GMER with the instructions that follow...

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror This version will download a randomly named file (Recommended)
  • Zipped Mirror This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

If you can't get into Windows, then just run the OTLPE CD we created earlier.

Thanks.

#35 kikaman

Posted 10 April 2010 - 05:06 PM

Sorry about checking the show all box -- I misread the instructions (my fault).

After rebooting, got into Windows normally. Am running GMER. It crashed the first time I tried. To confirm, the Show All box is not checked but the Registry box is checked (the most recent instructions did not say to uncheck it).

Thanks

#36 extremeboy

Posted 10 April 2010 - 06:04 PM

Go ahead and UNCHECK ONLY the following:

Registry

Leave the rest as it is. Make sure Show All box is Unchecked too.

Now run a scan again. If GMER doesn't work try Safe Mode. If it still does not work after that, just let me know please.

Thanks.

#37 kikaman

Posted 10 April 2010 - 11:49 PM

Sorry for the delay. Stepped out for a while. The GMER log is below.

Please note, my PC is giving me more problems. Couldn't connect to the internet through either IE or Firefox (edit: although after rebooting this morning I was able to connect).

Here's the GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-10 22:33:43
Windows 5.1.2600 Service Pack 3
Running: 8t5m4js0.exe; Driver: C:\DOCUME~1\Patrick\LOCALS~1\Temp\pwtdapog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF80FE340, 0xFD9EF, 0xF8000020]
.rsrc C:\WINDOWS\System32\DRIVERS\netbt.sys entry point in ".rsrc" section [0xF19E1A14]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF9D6300, 0x2342C0, 0xF8000020]
init C:\WINDOWS\System32\drivers\AsfAlrt.sys entry point in "init" section [0xF88362A0]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[872] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[872] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[872] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[872] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:\WINDOWS\System32\svchost.exe[872] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 028B000A
.text C:\WINDOWS\System32\svchost.exe[872] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 028A000A
.text C:\WINDOWS\Explorer.EXE[2880] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[2880] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\Explorer.EXE[2880] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\Program Files\internet explorer\iexplore.exe[3756] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\internet explorer\iexplore.exe[3756] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\Program Files\internet explorer\iexplore.exe[3756] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\Program Files\internet explorer\iexplore.exe[3756] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3756] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3756] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3756] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3756] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3756] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3756] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3756] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3756] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3836] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\internet explorer\iexplore.exe[3836] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\Program Files\internet explorer\iexplore.exe[3836] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\Program Files\internet explorer\iexplore.exe[3836] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3836] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3836] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3836] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3836] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3836] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3836] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3836] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3836] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3836] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3836] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3836] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3836] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3836] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[2040] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [00EE2BC8] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
IAT C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[2040] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!UnhandledExceptionFilter] [00EE2CE9] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
IAT C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[2040] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!TerminateProcess] [00EE2CB8] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
IAT C:\Program Files\internet explorer\iexplore.exe[3836] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\internet explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 818D3AC8

---- Files - GMER 1.0.15 ----

File C:\windows\ERDNT\Hiv-backup\Users\00000001\ntuser.dat 0 bytes
File C:\WINDOWS\System32\DRIVERS\netbt.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by kikaman, 11 April 2010 - 09:26 AM.


#38 extremeboy

Posted 11 April 2010 - 10:08 AM

Hello again.

Let's try this once more. From the previous OTLPE and the recent GMER log file, we need to deal with another file here...

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select run as administrator)
  • A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    CODE
    :filefind
    netbt.sys
  • Please confirm everything is copied and pasted exactly as provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#39 kikaman

kikaman
  • Topic Starter

  • Members
  • 57 posts

Posted 11 April 2010 - 10:36 AM

Good morning.

Here's the requested log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 09:28 on 11/04/2010 by Patrick (Administrator - Elevation successful)

========== filefind ==========

Searching for "netbt.sys"
C:\i386\netbt.sys --a--- 157056 bytes [20:13 01/09/2004] [15:00 29/08/2002] D96F3BC5A6E7452B0E3275B560DC8528
C:\windows\$NtServicePackUninstall$\netbt.sys -----c 162816 bytes [04:22 17/10/2009] [06:14 04/08/2004] 0C80E410CD2F47134407EE7DD19CC86B
C:\windows\ServicePackFiles\i386\netbt.sys ------ 162816 bytes [12:40 16/10/2009] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\windows\system32\DllCache\netbt.sys --a--c 162816 bytes [20:37 16/07/2003] [00:09 07/04/2010] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\windows\system32\drivers\netbt.sys --a--- 162816 bytes [20:37 16/07/2003] [05:32 11/04/2010] 74B2B2F5BEA5E9A3DC021D685551BD3D

-=End Of File=-
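The filefind result above is what the next reply acts on: the copy under ServicePackFiles\i386 is the service-pack master, and the in-use driver under system32\drivers has the same size and MD5 but a modified time of 05:32 on 11/04/2010, the morning of the post, against the master's 13/04/2008; GMER had already reported that same file as "suspicious modification". Below is an added example, not code from this thread or from SystemLook, of the same comparison done by script: it parses SystemLook filefind lines, pairs the live driver with its master, and flags a hash or size mismatch as a replacement case and a hash match with a later modified time as a suspect case. The sample lines are the five above, copied verbatim; reading the two bracketed dates as [created] [modified] is an assumption, and the live_dir and master_dir defaults are the paths from this log.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample input: the five "filefind" result lines for netbt.sys,
# copied from the SystemLook log posted above (backslashes doubled for Python).
SYSTEMLOOK_FILEFIND = """\
Searching for "netbt.sys"
C:\\i386\\netbt.sys --a--- 157056 bytes [20:13 01/09/2004] [15:00 29/08/2002] D96F3BC5A6E7452B0E3275B560DC8528
C:\\windows\\$NtServicePackUninstall$\\netbt.sys -----c 162816 bytes [04:22 17/10/2009] [06:14 04/08/2004] 0C80E410CD2F47134407EE7DD19CC86B
C:\\windows\\ServicePackFiles\\i386\\netbt.sys ------ 162816 bytes [12:40 16/10/2009] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\\windows\\system32\\DllCache\\netbt.sys --a--c 162816 bytes [20:37 16/07/2003] [00:09 07/04/2010] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\\windows\\system32\\drivers\\netbt.sys --a--- 162816 bytes [20:37 16/07/2003] [05:32 11/04/2010] 74B2B2F5BEA5E9A3DC021D685551BD3D
"""

# Layout of one result line: path, six attribute flags, size, two bracketed
# timestamps and an MD5. Reading the brackets as [created] [modified] is an
# assumption; it agrees with the ComboFix dates for the same files in this thread.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def _stamp(text: str) -> datetime:
    return datetime.strptime(text, "%H:%M %d/%m/%Y")


def parse_filefind(text: str) -> List[Dict]:
    """One record per result line; the 'Searching for' header and blanks are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({
                "path": m["path"],
                "attrs": m["attrs"],
                "size": int(m["size"]),
                "created": _stamp(m["created"]),
                "modified": _stamp(m["modified"]),
                "md5": m["md5"].upper(),
            })
    return records


def _in_dir(path: str, directory: str) -> bool:
    return path.lower().rpartition("\\")[0] == directory.lower()


def assess_driver(records: List[Dict],
                  live_dir: str = r"C:\windows\system32\drivers",
                  master_dir: str = r"C:\windows\ServicePackFiles\i386") -> Optional[Dict]:
    """Compare the in-use driver with the service-pack master copy.

    A different size or MD5 means the live file must be replaced. An identical
    hash is only weak evidence on a live system, because a kernel rootkit that
    sits in the disk read path can hand back the clean bytes; a live copy whose
    modified time is later than the master's was rewritten by something and is
    therefore treated as suspect.
    """
    live = next((r for r in records if _in_dir(r["path"], live_dir)), None)
    master = next((r for r in records if _in_dir(r["path"], master_dir)), None)
    if live is None or master is None:
        return None
    md5_match = live["md5"] == master["md5"]
    size_match = live["size"] == master["size"]
    mtime_newer = live["modified"] > master["modified"]
    if not (md5_match and size_match):
        verdict = "REPLACE: live driver differs from the service-pack master"
    elif mtime_newer:
        verdict = "SUSPECT: hash matches the master but the file was rewritten after it"
    else:
        verdict = "OK: live driver matches the master and is no newer than it"
    return {
        "live": live["path"],
        "master": master["path"],
        "md5_match": md5_match,
        "size_match": size_match,
        "mtime_newer": mtime_newer,
        "live_modified": live["modified"],
        "master_modified": master["modified"],
        "verdict": verdict,
        # The restore step used in this thread: copy the master over the live file.
        "restore_cmd": f'copy /y "{master["path"]}" "{live["path"]}"',
    }


if __name__ == "__main__":
    result = assess_driver(parse_filefind(SYSTEMLOOK_FILEFIND))
    for key, value in result.items():
        print(f"{key:16} {value}")
```

A matching hash is weaker evidence than it looks when it is computed on the infected machine itself, because a rootkit that intercepts disk reads can return the clean bytes to any tool that asks; that is why the GMER result and the modified timestamp carry the weight here, and why the actual replacement is done from the Recovery Console rather than from the running system.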

#40 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 11 April 2010 - 11:35 AM

Good afternoon.

For the meantime, it would be best if you don't use the infected machine too much or allow it to connect to the internet unless you need to reply to me or post the logs. Thanks.

Create and Run batch script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".
    CODE
    @Echo Off
    copy /y C:\windows\ServicePackFiles\i386\netbt.sys c:\
    del %0
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input Copy.bat.
  • Hit OK.
When done properly, the icon should look like for XP machines and for Vista machines.

Double click on Copy.bat to run it. If you are using Windows Vista, please right-click and Run As Administrator...

A black DOS window will appear and then disappear. This is normal, please do not panic. The .bat file will delete itself once the file has been copied.

Please confirm there is now a file called: netbt.sys in the root of your C:\ drive. If so, please continue with the instructions below, if not -let me know.

Please now boot into the Windows Recovery Console like before, by pressing F8 when you reboot the machine.

At the C:\Windows prompt, type the following bolded entries, and press 'Enter' (note the spaces) upon completion of each line:

cd c:\windows\system32\drivers
ren netbt.sys netbt.old
copy c:\netbt.sys c:\windows\system32\drivers


You should see the message '1 file copied.' after entering the last line. If you did not see that message, try again and ensure there is a space after the word copy and another space between the file paths. If asked to overwrite the file, please allow it.

Type exit and press 'Enter'. Your computer should reboot.

Then run Combofix again.

Thanks.

Edited by extremeboy, 11 April 2010 - 11:42 AM.


#41 kikaman

kikaman
  • Topic Starter

  • Members
  • 57 posts

Posted 11 April 2010 - 11:50 AM

Understood. What's the best way of disconnecting from the internet? Sorry if I am dense. The computer is wireless; I don't want to disconnect the other ones that connect through the router.

#42 kikaman

kikaman
  • Topic Starter

  • Members
  • 57 posts

Posted 11 April 2010 - 12:28 PM

Batch script successfully run.

Here's the combofix log:

ComboFix 10-04-10.02 - Patrick 04/11/2010 11:12:41.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.347 [GMT -7:00]
Running from: c:\documents and settings\Patrick\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.

2010-04-11 17:52 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-04-11 17:52 . 2008-04-13 19:21 162816 ----a-w- C:\netbt.sys
2010-04-11 15:32 . 2010-04-11 15:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-11 15:32 . 2010-04-11 15:32 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-04-10 20:10 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-10 20:10 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-09 01:19 . 2008-04-13 18:40 96512 ----a-w- C:\atapi.sys
2010-04-09 01:19 . 2008-04-13 18:40 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-04-07 15:39 . 2010-04-07 15:39 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-04 00:56 . 2010-04-04 00:56 503808 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d1d9207-n\msvcp71.dll
2010-04-04 00:56 . 2010-04-04 00:56 499712 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d1d9207-n\jmc.dll
2010-04-04 00:56 . 2010-04-04 00:56 348160 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d1d9207-n\msvcr71.dll
2010-04-04 00:56 . 2010-04-04 00:56 61440 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-117f5675-n\decora-sse.dll
2010-04-04 00:56 . 2010-04-04 00:56 12800 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-117f5675-n\decora-d3d.dll
2010-04-04 00:55 . 2010-04-04 00:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-03 20:49 . 2010-04-03 20:27 -------- d-----w- C:\RECYCLER(2)
2010-04-03 20:27 . 2010-04-03 20:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-03 01:51 . 2010-04-03 01:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware3
2010-04-02 22:43 . 2010-04-10 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 20:32 . 2010-04-02 22:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2
2010-04-02 20:24 . 2010-04-02 20:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-02 19:16 . 2010-04-02 19:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-18 22:53 . 2010-03-18 22:53 -------- d-----w- c:\program files\MSECache
2010-03-15 15:30 . 2010-03-15 15:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 18:00 . 2004-09-02 04:57 7304 ----a-w- c:\windows\TMP0001.TMP
2010-04-11 05:32 . 2003-07-16 20:37 162816 ----a-w- c:\windows\system32\drivers\netbt.old
2010-04-10 22:55 . 2009-08-30 16:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-10 13:26 . 2008-01-19 15:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-05 23:35 . 2004-09-01 21:00 9313 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-04-04 19:06 . 2003-07-16 20:24 96512 ----a-w- c:\windows\system32\drivers\atapi.old
2010-04-04 00:56 . 2004-08-26 23:50 -------- d-----w- c:\program files\Common Files\Java
2010-04-04 00:54 . 2004-08-26 23:50 -------- d-----w- c:\program files\Java
2010-04-04 00:28 . 2006-09-09 19:51 -------- d-----w- c:\program files\BitComet
2010-04-04 00:00 . 2008-10-05 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-03 20:26 . 1601-01-01 07:00 96512 ----a-w- c:\windows\system32\drivers\tsk7.tmp
2010-04-03 20:17 . 2010-04-03 20:23 155254 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2010-04-03 19:58 . 2009-08-29 15:11 -------- d-----w- c:\documents and settings\Patrick\Application Data\Logs
2010-04-03 17:28 . 2009-08-31 02:03 117760 ----a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-02 20:18 . 2010-04-02 20:18 699904 ----a-w- c:\windows\isRS-000.tmp
2010-04-02 18:30 . 2009-11-21 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-02 16:05 . 2009-08-29 19:49 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-30 20:12 . 2004-09-21 23:40 36200 ----a-w- c:\documents and settings\Patrick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-15 15:30 . 2009-08-29 16:38 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-15 15:30 . 2009-08-29 16:38 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-15 15:21 . 2009-08-29 16:38 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-25 06:24 . 2003-07-16 20:51 916480 ------w- c:\windows\system32\wininet.dll
2010-01-29 23:59 . 2009-12-29 23:12 52224 ----a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-04-06_23.41.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-11 18:01 . 2010-04-11 18:01 16384 c:\windows\temp\Perflib_Perfdata_2b8.dat
+ 2003-07-16 20:37 . 2010-04-07 00:09 162816 c:\windows\system32\DllCache\netbt.sys
- 2003-07-16 20:37 . 2010-04-03 04:33 162816 c:\windows\system32\DllCache\netbt.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48d7245f-8c27-453b-86bd-a20119a3801f}]
monelare.dll [BU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 21:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-15 15:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
c:\progra~1\AVG\AVG8\avgtray.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-08-05 23:06 1830128 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"UPS"=3 (0x3)
"TermService"=3 (0x3)
"TapiSrv"=2 (0x2)
"SCardSvr"=3 (0x3)
"Netlogon"=3 (0x3)
"mnmsrvc"=3 (0x3)
"iPod Service"=3 (0x3)
"FastUserSwitchingCompatibility"=2 (0x2)
"Browser"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:RSP
"8536:TCP"= 8536:TCP:BitComet 8536 TCP
"8536:UDP"= 8536:UDP:BitComet 8536 UDP
"18163:TCP"= 18163:TCP:BitComet 18163 TCP
"18163:UDP"= 18163:UDP:BitComet 18163 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/29/2009 9:38 AM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/29/2009 9:38 AM 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [2/10/2003 2:52 AM 114688]
R2 AsfAlrt;AsfAlrt;c:\windows\system32\drivers\Asfalrt.sys [12/18/2002 2:31 AM 36064]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/15/2010 8:30 AM 308064]
S0 abqhsqdg;abqhsqdg; [x]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 srenum;srenum;c:\windows\system32\DRIVERS\srenum.sys --> c:\windows\system32\DRIVERS\srenum.sys [?]
S3 ATWPKT;ATWPKT;c:\windows\system32\drivers\atwpkt.sys [8/31/2004 8:04 PM 19140]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S3 VVBETHERNET;Actiontec USB Ethernet Home DSL;c:\windows\system32\drivers\VVBETH.SYS [8/31/2004 7:54 PM 34560]
S3 vvbususb;Virata USB VvBus driver;c:\windows\system32\drivers\VVBUSUSB.SYS [8/31/2004 7:54 PM 50236]
.
Contents of the 'Scheduled Tasks' folder

2010-04-11 c:\windows\Tasks\User_Feed_Synchronization-{4BDEC742-8D60-4785-9545-0346260D481C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

2010-04-03 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-11-20 08:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} - hxxps://streaming.endeavors.com/microsoft/streets/clientdownloads/OTAI.CAB
FF - ProfilePath - c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\uy9pr074.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 11:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(504)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3792)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-11 11:25:14
ComboFix-quarantined-files.txt 2010-04-11 18:25
ComboFix2.txt 2010-04-10 19:58
ComboFix3.txt 2010-04-08 23:56
ComboFix4.txt 2010-04-06 23:47
ComboFix5.txt 2010-04-11 18:11

Pre-Run: 33,825,390,592 bytes free
Post-Run: 33,833,635,840 bytes free

- - End Of File - - CBD17F9FE6A942B87C07542A31BCD8FA


#43 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 11 April 2010 - 12:39 PM

Hello.

QUOTE
Understood. What's the best way of disconnecting from the internet. Sorry if I am dense. The computer is wireless - I don't want to disconnect the other ones that connect through the router.

It can be done by disabling the wireless adapter through Control Panel, Network Connections. However, leave it be for now; the main infection is removed.

Thanks for that log.

It seems we dealt with the main infection successfully. Looking good, just some leftover stuff we need to clear up here...

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    CODE
    http://www.bleepingcomputer.com/forums/topic307032-40.html
    Collect::[68]
    c:\windows\system32\drivers\netbt.old
    c:\windows\system32\drivers\atapi.old
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48d7245f-8c27-453b-86bd-a20119a3801f}]
    [-HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    "FirewallOverride"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    Driver::
    abqhsqdg
    srenum
    File::
    c:\windows\system32\DRIVERS\srenum.sys
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
  • Please post the contents of the Combofix log in your next reply.

Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue screen will appear, auto-uploading the zipped file I requested.
  • After the upload is done you should see a message near the bottom saying "Upload was Successful".

**NOTE**
=================
  • IF for some reason Combofix fails to upload anything please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.

Let me know how it goes and if the upload went successfully or not in your next reply.

How's your computer feeling now? Better? Any other problems?
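The CFScript in the post above clears the leftovers that the ComboFix log shows: the Security Center override values and the Monitoring value, which leave a disabled antivirus and firewall unreported, plus two services with nothing behind them (S0 abqhsqdg, a boot-start driver with no image file, and S2 srenum, whose listed image path is missing). As an added example, not part of this thread and not a ComboFix feature, here is a Python script that parses an excerpt of that log, applies those checks, and renders the matching Registry:: and Driver:: lines in the CFScript syntax the post uses. The excerpt is copied from the log; reading ComboFix's [x] and [?] markers as "no image on disk" and "image path not verifiable" is an assumption; the firewall-policy values are reported but not scripted, because the log abbreviates that key and the right fix is to turn the firewall back on rather than delete the value.

```python
import re
from typing import Dict, List

# Constructed sample input: registry and service lines copied verbatim from the
# ComboFix log posted above (backslashes doubled for Python).
COMBOFIX_EXCERPT = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

R1 AvgTdiX;AVG Free8 Network Redirector;c:\\windows\\system32\\drivers\\avgtdix.sys [8/29/2009 9:38 AM 242696]
S0 abqhsqdg;abqhsqdg; [x]
S2 srenum;srenum;c:\\windows\\system32\\DRIVERS\\srenum.sys --> c:\\windows\\system32\\DRIVERS\\srenum.sys [?]
S3 ATWPKT;ATWPKT;c:\\windows\\system32\\drivers\\atwpkt.sys [8/31/2004 8:04 PM 19140]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.+)$')
# "R1 name;display;image [details]" or "S0 name;display; [x]" service lines.
SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")

# (key suffix, value name, tampered value, meaning, safe to script as a deletion).
# These are the checks a responder applies by hand; none is a ComboFix feature.
TAMPER_RULES = [
    ("\\security center", "AntiVirusOverride", 1, "Security Center told to ignore a missing antivirus", True),
    ("\\security center", "FirewallOverride", 1, "Security Center told to ignore a missing firewall", True),
    ("\\security center\\monitoring", "DisableMonitoring", 1, "Security Center monitoring switched off", True),
    ("\\firewallpolicy\\standardprofile", "EnableFirewall", 0, "Windows Firewall disabled (re-enable it)", False),
    ("\\firewallpolicy\\standardprofile", "DisableNotifications", 1, "Firewall notifications suppressed", False),
]


def _value(raw: str):
    """Normalise ComboFix renderings: 'dword:00000001', '1 (0x1)', or plain text."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+) \(0x[0-9a-fA-F]+\)$", raw)
    return int(m.group(1)) if m else raw.strip('"')


def parse_registry(text: str) -> Dict[str, Dict[str, object]]:
    """Map each [key] block to its "name"=value entries."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        km = KEY_RE.match(line)
        if km:
            current = km["key"]
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm["name"]] = _value(vm["value"])
    return keys


def parse_services(text: str) -> List[Dict]:
    """One record per R*/S* service line. Assumed marker meanings: [x] = no image
    file on disk, [?] = listed image path could not be verified."""
    out = []
    for line in text.splitlines():
        sm = SERVICE_RE.match(line)
        if sm:
            rest = sm["rest"].strip()
            out.append({"name": sm["name"], "start": int(sm["start"]),
                        "boot_start": sm["start"] == "0",
                        "no_image": rest.endswith("[x]"),
                        "missing_image": rest.endswith("[?]")})
    return out


def find_tampering(keys: Dict[str, Dict[str, object]]) -> List[Dict]:
    hits = []
    for key, values in keys.items():
        for suffix, name, bad, meaning, scriptable in TAMPER_RULES:
            if key.lower().endswith(suffix) and values.get(name) == bad:
                hits.append({"key": key, "name": name, "meaning": meaning, "scriptable": scriptable})
    return hits


def find_orphan_services(services: List[Dict]) -> List[Dict]:
    return [s for s in services if s["no_image"] or s["missing_image"]]


def cfscript(keys: Dict[str, Dict[str, object]], services: List[Dict]) -> str:
    """Render Registry::/Driver:: sections in the CFScript syntax used in the thread."""
    by_key: Dict[str, List[str]] = {}
    for hit in find_tampering(keys):
        if hit["scriptable"]:
            by_key.setdefault(hit["key"], []).append(hit["name"])
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines += [f'"{n}"=-' for n in names]
    orphans = find_orphan_services(services)
    if orphans:
        lines.append("Driver::")
        lines += [s["name"] for s in orphans]
    return "\n".join(lines)


if __name__ == "__main__":
    reg = parse_registry(COMBOFIX_EXCERPT)
    svc = parse_services(COMBOFIX_EXCERPT)
    for hit in find_tampering(reg):
        print(f"{hit['name']:22} {hit['meaning']}")
    for s in find_orphan_services(svc):
        print(f"{s['name']:22} orphan service, boot start: {s['boot_start']}")
    print(cfscript(reg, svc))
```

The per-product keys under Monitoring (SymantecAntiVirus, SymantecFirewall) are deliberately not matched: they record an uninstalled product and are not what switches Security Center alerts off, which is why the post's script leaves them alone too.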

#44 kikaman

kikaman
  • Topic Starter

  • Members
  • 57 posts

Posted 11 April 2010 - 01:12 PM

The computer rebooted before creating the ComboFix log. I assume this is normal. I did not get the message box regarding submitting files for analysis; I will follow the additional instructions you provided to do this.

Got a Windows security warning that my firewall and AVG were turned off; I turned them both back on. This hadn't happened before. Seems like a good sign. Seems like the computer is doing well, although perhaps a little too early to tell for sure.

Log is below:

ComboFix 10-04-10.02 - Patrick 04/11/2010 11:46:36.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.248 [GMT -7:00]
Running from: c:\documents and settings\Patrick\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Patrick\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\DRIVERS\srenum.sys"

file zipped: c:\windows\system32\drivers\atapi.old
file zipped: c:\windows\system32\drivers\netbt.old
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\atapi.old
c:\windows\system32\drivers\netbt.old

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SRENUM
-------\Service_abqhsqdg
-------\Service_srenum


((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.

2010-04-11 17:52 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-04-11 17:52 . 2008-04-13 19:21 162816 ----a-w- C:\netbt.sys
2010-04-11 15:32 . 2010-04-11 15:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-11 15:32 . 2010-04-11 15:32 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-04-10 20:10 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-10 20:10 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-09 01:19 . 2008-04-13 18:40 96512 ----a-w- C:\atapi.sys
2010-04-09 01:19 . 2008-04-13 18:40 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-04-07 15:39 . 2010-04-07 15:39 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-04 00:56 . 2010-04-04 00:56 503808 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d1d9207-n\msvcp71.dll
2010-04-04 00:56 . 2010-04-04 00:56 499712 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d1d9207-n\jmc.dll
2010-04-04 00:56 . 2010-04-04 00:56 348160 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d1d9207-n\msvcr71.dll
2010-04-04 00:56 . 2010-04-04 00:56 61440 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-117f5675-n\decora-sse.dll
2010-04-04 00:56 . 2010-04-04 00:56 12800 ----a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-117f5675-n\decora-d3d.dll
2010-04-04 00:55 . 2010-04-04 00:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-03 20:49 . 2010-04-03 20:27 -------- d-----w- C:\RECYCLER(2)
2010-04-03 20:27 . 2010-04-03 20:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-03 01:51 . 2010-04-03 01:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware3
2010-04-02 22:43 . 2010-04-10 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 20:32 . 2010-04-02 22:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2
2010-04-02 20:24 . 2010-04-02 20:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-02 19:16 . 2010-04-02 19:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-18 22:53 . 2010-03-18 22:53 -------- d-----w- c:\program files\MSECache
2010-03-15 15:30 . 2010-03-15 15:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 18:57 . 2004-09-02 04:57 7304 ----a-w- c:\windows\TMP0001.TMP
2010-04-10 22:55 . 2009-08-30 16:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-10 13:26 . 2008-01-19 15:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-05 23:35 . 2004-09-01 21:00 9313 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-04-04 00:56 . 2004-08-26 23:50 -------- d-----w- c:\program files\Common Files\Java
2010-04-04 00:54 . 2004-08-26 23:50 -------- d-----w- c:\program files\Java
2010-04-04 00:28 . 2006-09-09 19:51 -------- d-----w- c:\program files\BitComet
2010-04-04 00:00 . 2008-10-05 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-03 20:26 . 1601-01-01 07:00 96512 ----a-w- c:\windows\system32\drivers\tsk7.tmp
2010-04-03 20:17 . 2010-04-03 20:23 155254 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2010-04-03 19:58 . 2009-08-29 15:11 -------- d-----w- c:\documents and settings\Patrick\Application Data\Logs
2010-04-03 17:28 . 2009-08-31 02:03 117760 ----a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-02 20:18 . 2010-04-02 20:18 699904 ----a-w- c:\windows\isRS-000.tmp
2010-04-02 18:30 . 2009-11-21 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-02 16:05 . 2009-08-29 19:49 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-30 20:12 . 2004-09-21 23:40 36200 ----a-w- c:\documents and settings\Patrick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-15 15:30 . 2009-08-29 16:38 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-15 15:30 . 2009-08-29 16:38 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-15 15:21 . 2009-08-29 16:38 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-25 06:24 . 2003-07-16 20:51 916480 ------w- c:\windows\system32\wininet.dll
2010-01-29 23:59 . 2009-12-29 23:12 52224 ----a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-15 15:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
c:\progra~1\AVG\AVG8\avgtray.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-08-05 23:06 1830128 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"UPS"=3 (0x3)
"TermService"=3 (0x3)
"TapiSrv"=2 (0x2)
"SCardSvr"=3 (0x3)
"Netlogon"=3 (0x3)
"mnmsrvc"=3 (0x3)
"iPod Service"=3 (0x3)
"FastUserSwitchingCompatibility"=2 (0x2)
"Browser"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:RSP
"8536:TCP"= 8536:TCP:BitComet 8536 TCP
"8536:UDP"= 8536:UDP:BitComet 8536 UDP
"18163:TCP"= 18163:TCP:BitComet 18163 TCP
"18163:UDP"= 18163:UDP:BitComet 18163 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/29/2009 9:38 AM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/29/2009 9:38 AM 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [2/10/2003 2:52 AM 114688]
R2 AsfAlrt;AsfAlrt;c:\windows\system32\drivers\Asfalrt.sys [12/18/2002 2:31 AM 36064]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/15/2010 8:30 AM 308064]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S3 ATWPKT;ATWPKT;c:\windows\system32\drivers\atwpkt.sys [8/31/2004 8:04 PM 19140]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S3 VVBETHERNET;Actiontec USB Ethernet Home DSL;c:\windows\system32\drivers\VVBETH.SYS [8/31/2004 7:54 PM 34560]
S3 vvbususb;Virata USB VvBus driver;c:\windows\system32\drivers\VVBUSUSB.SYS [8/31/2004 7:54 PM 50236]
.
Contents of the 'Scheduled Tasks' folder

2010-04-11 c:\windows\Tasks\User_Feed_Synchronization-{4BDEC742-8D60-4785-9545-0346260D481C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

2010-04-03 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-11-20 08:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} - hxxps://streaming.endeavors.com/microsoft/streets/clientdownloads/OTAI.CAB
FF - ProfilePath - c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\uy9pr074.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 11:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(504)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(916)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-11 12:04:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-11 19:04
ComboFix2.txt 2010-04-11 18:25
ComboFix3.txt 2010-04-10 19:58
ComboFix4.txt 2010-04-08 23:56
ComboFix5.txt 2010-04-11 18:45

Pre-Run: 33,841,295,360 bytes free
Post-Run: 33,816,186,880 bytes free

- - End Of File - - E165992487CA5A0EA53283239D762AA1

Edited by kikaman, 11 April 2010 - 01:15 PM.


#45 kikaman
  • Topic Starter
  • Members
  • 57 posts

Posted 11 April 2010 - 01:21 PM

Manual submission was successful -- I used the same topic heading as you suggested in post 28: http://www.bleepingcomputer.com/forums/topic307032-20.html

Thanks!



