Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown Malware causing havoc


  • This topic is locked This topic is locked
2 replies to this topic

#1 pleverr

pleverr

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:57 PM

Posted 18 April 2010 - 08:56 PM

Hi, thank you in advance for your help. I can't find the name of the malware infection and cannot finish gmer although I have a partial log that may shed some light.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Paul at 10:36:19.19 on Sun 04/18/2010
Internet Explorer: 7.0.6000.17037 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1918.999 [GMT -4:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\Fhujeb.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\Paul\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Paul\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\Paul\AppData\Local\Temp\Fp2.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Paul\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=PRESARIO&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=PRESARIO&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe
uRun: [Aim6]
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SansaDispatch] c:\users\paul\appdata\roaming\sandisk\sansa updater\SansaDispatch.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Google Update] "c:\users\paul\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Microsoft Corp] c:\users\paul\appdata\roaming\svchosts.exe
uRun: [StartServiceRDHDLLET] c:\users\paul\appdata\local\rdhdllet\StartService.exe
uRun: [YVIBBBHA8C] c:\users\paul\appdata\local\temp\Fp2.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [<NO NAME>]
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ALUAlert] "c:\program files\symantec\liveupdate\ALuNotify.exe" "/LOWDISKSPACE C"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Microsoft Corp] c:\users\paul\appdata\roaming\svchosts.exe
mRun: [StartServiceRDHDLLET] c:\users\paul\appdata\local\rdhdllet\StartService.exe
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: NameServer = 93.188.165.25,93.188.161.125
TCP: {83A55A9C-A5CD-45DD-9404-95B9E5314381} = 93.188.165.25,93.188.161.125
TCP: {DC30459A-C137-4E42-946F-F2C4940F004F} = 93.188.165.25,93.188.161.125
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\paul\appdata\roaming\mozilla\firefox\profiles\g32jlz9c.default\
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\users\paul\appdata\roaming\mozilla\firefox\profiles\g32jlz9c.default\extensions\{73c7d5b0-7b03-444a-84c7-ce1ba03b5573}\components\FFExternalAlert.dll
FF - component: c:\users\paul\appdata\roaming\mozilla\firefox\profiles\g32jlz9c.default\extensions\{73c7d5b0-7b03-444a-84c7-ce1ba03b5573}\components\RadioWMPCore.dll
FF - component: c:\users\paul\appdata\roaming\mozilla\firefox\profiles\g32jlz9c.default\extensions\{e0b8c461-f8fb-49b4-8373-fe32e9252800}\platform\winnt_x86-msvc\components\enbar3.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\paul\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\paul\appdata\roaming\mozilla\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-9-15 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 66632]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-3-19 607576]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-29 24652]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-9-29 38224]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 12872]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-17 135664]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-7-28 29744]
SUnknown dsload;dsload; [x]

=============== Created Last 30 ================

2010-04-18 06:08:19 69 ----a-w- c:\windows\system32\abcdefg.bat
2010-04-18 06:08:19 43008 ---ha-w- c:\windows\system32\consinit.dll
2010-04-18 06:08:13 104448 ---ha-w- c:\windows\system32\a.exe
2010-04-18 03:28:54 77312 ----a-w- c:\windows\MBR.exe
2010-04-18 03:28:53 98816 ----a-w- c:\windows\sed.exe
2010-04-18 03:28:53 261632 ----a-w- c:\windows\PEV.exe
2010-04-18 03:28:53 161792 ----a-w- c:\windows\SWREG.exe
2010-04-18 03:25:18 0 d-s---w- C:\ComboFix
2010-04-17 19:16:08 163328 ----a-w- c:\windows\Fhujeb.exe
2010-04-17 15:55:02 163328 ----a-w- c:\windows\Fhujea.exe
2010-04-17 15:54:59 75776 --sha-r- c:\windows\system32\d3dx9_317.dll
2010-04-14 00:00:04 58368 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 00:00:04 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 00:00:03 102400 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-13 23:59:56 3502480 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-13 23:59:55 3468168 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-13 23:59:48 434176 ----a-w- c:\windows\system32\vbscript.dll
2010-04-13 23:59:38 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-13 23:59:38 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-13 23:59:32 815104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-13 23:59:31 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-13 23:59:31 22016 ----a-w- c:\windows\system32\netiougc.exe
2010-04-13 23:59:31 179712 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-13 23:59:31 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2010-04-13 23:59:31 15360 ----a-w- c:\windows\system32\drivers\TUNMP.SYS
2010-04-13 23:58:18 97792 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 23:58:12 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-03-30 23:00:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-30 23:00:04 389120 ----a-w- c:\windows\system32\html.iec

==================== Find3M ====================

2010-04-18 13:56:00 42062 ----a-w- c:\users\paul\appdata\roaming\nvModes.dat
2010-03-13 00:25:34 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-03-13 00:25:34 86016 ----a-w- c:\windows\inf\infstor.dat
2010-03-13 00:25:34 51200 ----a-w- c:\windows\inf\infpub.dat
2010-03-09 16:50:34 56320 ----a-w- c:\windows\system32\iesetup.dll
2010-03-09 16:50:25 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 16:48:34 72704 ----a-w- c:\windows\system32\admparse.dll
2010-03-09 14:17:48 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-09 12:43:52 48128 ----a-w- c:\windows\system32\mshtmler.dll
2010-02-24 23:43:00 93360 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 23:54:40 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:51:43 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:30:16 396800 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-12 00:41:37 18499623 ----a-w- C:\vlc-1.0.5-win32.exe
2010-01-25 12:58:44 473088 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:58:44 154624 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:58:44 154112 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:58:29 472576 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 12:56:33 312320 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:36:22 435712 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-25 08:36:19 515584 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:36:05 431104 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:35:58 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-23 08:05:07 2048 ----a-w- c:\windows\system32\tzres.dll
2008-12-13 08:22:12 174 --sha-w- c:\program files\desktop.ini
2008-12-02 18:08:42 226960 ------w- c:\program files\cnsload_1228241322945.tmp
2008-06-11 07:09:28 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 10:42:04.25 ===============




Here is the partial GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-18 19:54:11
Windows 6.0.6000
Running: gmer.exe; Driver: C:\Users\Paul\AppData\Local\Temp\kxtdapod.sys


---- System - GMER 1.0.15 ----

INT 0x52 ? 858CFBF8
INT 0x62 ? 858CFBF8
INT 0x82 ? 84576BF8
INT 0x92 ? 84577BF8
INT 0xA2 ? 84577BF8

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spos.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 88E58ACF 5 Bytes JMP 858CF1D8
.text al8xzkaw.SYS 8B78A000 22 Bytes [8E, 71, BA, 82, 78, 70, BA, ...]
.text al8xzkaw.SYS 8B78A017 74 Bytes [00, 99, 07, 24, 80, A4, 05, ...]
.text al8xzkaw.SYS 8B78A062 84 Bytes [88, 82, 5C, 68, 85, 82, 8C, ...]
.text al8xzkaw.SYS 8B78A0B7 22 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text al8xzkaw.SYS 8B78A0CE 80 Bytes [00, 00, 26, 00, 00, 00, E0, ...]
.text ...

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8533F1F8

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\volmgr \Device\VolMgrControl 8533B1F8
Device \Driver\usbohci \Device\USBPDO-0 858E61F8
Device \Driver\PCI_PNP6388 \Device\00000051 spos.sys
Device \Driver\usbehci \Device\USBPDO-1 858E71F8
Device \Driver\volmgr \Device\HarddiskVolume1 8533B1F8
Device \Driver\volmgr \Device\HarddiskVolume2 8533B1F8
Device \Driver\cdrom \Device\CdRom0 858F01F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8533D1F8
Device \Driver\atapi \Device\Ide\IdePort0 8533D1F8
Device \Driver\atapi \Device\Ide\IdePort1 8533D1F8
Device \Driver\cdrom \Device\CdRom1 858F01F8
Device \Driver\iScsiPrt \Device\RaidPort1 8594D1F8
Device \Driver\usbohci \Device\USBFDO-0 858E61F8
Device \Driver\usbehci \Device\USBFDO-1 858E71F8
Device \Driver\sptd \Device\1860530397 spos.sys
Device \Driver\al8xzkaw \Device\Scsi\al8xzkaw1Port4Path0Target0Lun0 859041F8
Device \Driver\al8xzkaw \Device\Scsi\al8xzkaw1 859041F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -985843727
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 1179352772
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x14 0xB1 0x10 0xB4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x4D 0xD2 0x32 0xE8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDF 0xDA 0x87 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x14 0xB1 0x10 0xB4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x4D 0xD2 0x32 0xE8 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDF 0xDA 0x87 0x00 ...




I also read a similar thread and ran rkill

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Paul on 04/18/2010 at 20:03:28.


Processes terminated by Rkill or while it was running:


C:\Users\Paul\AppData\Local\Temp\Fp2.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Users\Paul\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Users\Paul\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Users\Paul\Desktop\rkill.pif


Rkill completed on 04/18/2010 at 20:04:43.




GMER is still running but I think it restarts at the end or possibly before so I can't save the log file once its done.

Attached Files


Edited by pleverr, 18 April 2010 - 08:57 PM.


BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:57 PM

Posted 23 April 2010 - 04:05 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please try running Gmer with only SECTIONS checked
Posted Image
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:57 PM

Posted 27 April 2010 - 06:28 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users