Need Help, have a nasty one!


  • This topic is locked
21 replies to this topic

#1 rob miller

rob miller

  • Members
  • 15 posts
  • OFFLINE
  • Local time:04:57 PM

Posted 28 April 2010 - 11:15 PM

Hi

I have tried several removal programs: Malwarebytes, Avast, Spybot Search & Destroy. All seemed to find a ton of things and say they clean it, but after a reboot Avast finds 600 or so files infected with a trojan. Any help you can give me would be greatly appreciated. I have a GMER log and a DDS log.

Thank You
Rob




DDS (Ver_10-03-17.01) - NTFSx86
Run by Bruce at 22:41:22.13 on Wed 04/28/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.240 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Bruce\Desktop\dds.scr

============== Pseudo HJT Report ===============

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10d.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171395060831
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171395208050
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-16 162768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-16 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-16 40384]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-15 24652]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-16 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-16 40384]
S0 kl1;kl1;c:\windows\system32\drivers\kl1.sys --> c:\windows\system32\drivers\kl1.sys [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\rainfo.sys --> c:\program files\logmein\RaInfo.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-4-12 38224]

=============== Created Last 30 ================

2010-04-16 22:23:10 0 d-----w- C:\ComboFix
2010-04-16 04:14:31 0 d-sha-r- C:\cmdcons
2010-04-16 04:12:54 98816 ----a-w- c:\windows\sed.exe
2010-04-16 04:12:54 77312 ----a-w- c:\windows\MBR.exe
2010-04-16 04:12:54 261632 ----a-w- c:\windows\PEV.exe
2010-04-16 04:12:54 161792 ----a-w- c:\windows\SWREG.exe
2010-04-15 23:45:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-04-15 03:43:30 0 d-sh--w- c:\documents and settings\bruce\IECompatCache
2010-04-15 03:39:59 0 d-sh--w- c:\documents and settings\bruce\PrivacIE
2010-04-15 03:37:32 0 d-sh--w- c:\documents and settings\bruce\IETldCache
2010-04-15 03:29:57 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-15 03:29:49 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-15 03:29:36 0 d-----w- c:\windows\ie8updates
2010-04-15 03:26:39 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-15 03:20:27 0 dc-h--w- c:\windows\ie8
2010-04-14 05:22:22 3215 ----a-w- c:\windows\wininit.ini
2010-04-14 03:32:04 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-14 03:32:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-14 03:18:55 0 d-----w- c:\program files\Trend Micro
2010-04-14 03:13:31 0 d-----w- C:\2fbda1a391ddd0e568a8859bdbb6a575
2010-04-14 02:48:21 0 d-----w- C:\Downloads
2010-04-13 03:47:07 0 d-----w- c:\docume~1\bruce\applic~1\Malwarebytes
2010-04-13 03:46:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-13 03:46:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-13 03:46:01 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-13 03:46:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-16 13:19:55 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll
2007-11-27 21:39:46 13459744 --sha-w- c:\windows\system32\drivers\fidbox.dat
2007-11-27 21:39:46 386848 --sha-w- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 22:42:49.61 ===============

GMER Log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-29 00:01:33
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Bruce\LOCALS~1\Temp\afeyrpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB7CDDC08]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB7CDDAC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xB7CDE078]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB7CDDFA2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB7CDD69A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB7CDDB9E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB7CDD5DA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB7CDD63E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB7CDDCBE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xB7CDE146]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB7CDDC7E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB7CDDDFE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xB7CEA50A]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xB7CEA32E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xB7CEA468]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ObInsertObject 80564423 5 Bytes JMP B7CE797E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtCreateSection 8056469B 7 Bytes JMP B7CEA332 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 805820F6 7 Bytes JMP B7CEA50E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 805A29A4 5 Bytes JMP B7CE64AA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwLoadDriver 805A5972 7 Bytes JMP B7CEA46C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[564] USER32.dll!UnhookWindowsHookEx 7E41F21E 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[564] USER32.dll!CallNextHookEx 7E41F85B 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[564] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[564] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[564] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[564] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[564] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[564] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[564] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[564] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[564] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[564] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[564] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[564] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1152] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1152] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1152] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1152] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1152] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1152] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1152] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1152] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1152] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Edited by rob miller, 28 April 2010 - 11:18 PM.
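The GMER and DDS excerpts above (and the second pair of logs posted later in this thread) follow a fixed line format, so a small script can do the first triage pass that a helper does by eye: group every kernel hook by the driver that owns it and check that driver against the AV known to be installed, and list the service entries for which DDS printed `[?]` in place of a date and size (it does that when it cannot read the file on disk). The script below is an added example written for this page, not a tool from the thread or from GMER/DDS themselves. The sample lines are constructed in the shape of the logs above; the `xyzzy.sys` entry is invented so that the allowlist check has something to flag, and `EXPECTED_HOOKERS` is an assumption that only avast's `aswSP.SYS` should be hooking this machine's kernel.

```python
"""Triage helper for GMER kernel-hook lines and DDS service lines (added example)."""
import re
from collections import defaultdict

# Constructed sample in the shape of the GMER "System" and "Kernel code sections"
# above.  The aswSP.SYS lines mirror the thread's log; xyzzy.sys is invented.
SAMPLE_GMER = r"""
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB7CDDC08]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB7CDD5DA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
PAGE ntoskrnl.exe!ZwLoadDriver 805A5972 7 Bytes JMP B7CEA46C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
SSDT \??\C:\WINDOWS\system32\drivers\xyzzy.sys ZwQueryDirectoryFile [0xB9A1F000]
"""

# Constructed sample in the shape of the DDS "SERVICES / DRIVERS" section above.
SAMPLE_DDS = r"""
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-16 162768]
S0 kl1;kl1;c:\windows\system32\drivers\kl1.sys --> c:\windows\system32\drivers\kl1.sys [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\rainfo.sys --> c:\program files\logmein\RaInfo.sys [?]
"""

# "SSDT <module> (<description>) <function> [<address>]"; "Code" lines share the
# shape and may omit the address.  The description is absent when GMER has no
# version information to show for the file.
SSDT_RE = re.compile(
    r"^(?:SSDT|Code)\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<func>\w+)(?:\s+\[0x[0-9A-Fa-f]+\])?\s*$")
# "PAGE ntoskrnl.exe!<function> <addr> <n> Bytes JMP <target> <module> (<description>)"
PAGE_RE = re.compile(
    r"^PAGE\s+\S+!(?P<func>\w+)\s+[0-9A-Fa-f]+\s+\d+\s+Bytes\s+JMP\s+[0-9A-Fa-f]+"
    r"\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s*$")
# DDS: "<start> <name>;<display>;<path> [<date> <size>]", or "... --> <path> [?]"
SVC_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*\S)"
    r"\s+\[(?P<stat>[^\]]*)\]\s*$")

# Drivers whose kernel hooks are expected on this host (assumption: avast's
# self-protection module).  An unlisted module is not proof of a rootkit, only
# something to identify before anything else is done.
EXPECTED_HOOKERS = {"aswsp.sys"}


def module_name(path: str) -> str:
    """Bare, lower-cased file name of a driver path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def summarize_hooks(log_text: str) -> dict:
    """Group every kernel hook GMER reported by the module owning the handler.
    Returns {module: {"desc": description or "", "funcs": sorted names}}."""
    hooks = defaultdict(lambda: {"desc": "", "funcs": set()})
    for line in log_text.splitlines():
        m = SSDT_RE.match(line) or PAGE_RE.match(line)
        if not m:
            continue
        entry = hooks[module_name(m["module"])]
        entry["funcs"].add(m["func"])
        if m["desc"]:
            entry["desc"] = m["desc"]
    return {k: {"desc": v["desc"], "funcs": sorted(v["funcs"])} for k, v in hooks.items()}


def unexpected_hookers(summary: dict, expected=EXPECTED_HOOKERS) -> list:
    """Hooking modules that are not on the expected list, for manual review."""
    return sorted(name for name in summary if name not in expected)


def unreadable_services(log_text: str) -> list:
    """(start type, service name, path) for entries DDS marked with [?]."""
    found = []
    for line in log_text.splitlines():
        m = SVC_RE.match(line)
        if m and m["stat"].strip() == "?":
            path = m["rest"].split("-->")[-1].strip()
            found.append((m["start"], m["name"], path))
    return found


if __name__ == "__main__":
    summary = summarize_hooks(SAMPLE_GMER)
    for mod, info in summary.items():
        print(f"{mod:12} {info['desc'] or '(no description)':48} {', '.join(info['funcs'])}")
    print("hookers to identify:", unexpected_hookers(summary))
    print("services with unreadable files:", unreadable_services(SAMPLE_DDS))
```

Run against the full logs in this thread, every SSDT, Code and PAGE hook resolves to aswSP.SYS, which is the installed avast driver, so the kernel side of the GMER log is consistent with the AV rather than with a rootkit; the two `[?]` service entries (kl1 and LMIInfo) are the items a helper would ask about next.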



#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:04:57 PM

Posted 03 May 2010 - 10:33 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 rob miller

rob miller
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:04:57 PM

Posted 04 May 2010 - 04:37 PM

Hi

I am still having the same issues with this computer. If I scan it with Avast, it shows it cleans about 600 infected files, and after a reboot, when I scan again, there are about the same number of infected files, but they are new files. Here are the logs you asked for. Thank you for any help you can give me.

Rob


DDS (Ver_10-03-17.01) - NTFSx86
Run by Bruce at 22:33:17.18 on Mon 05/03/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.328 [GMT -4:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Bruce\Desktop\dds.scr

============== Pseudo HJT Report ===============

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171395060831
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171395208050
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-16 162768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-16 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-16 40384]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-15 24652]
S0 kl1;kl1;c:\windows\system32\drivers\kl1.sys --> c:\windows\system32\drivers\kl1.sys [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\rainfo.sys --> c:\program files\logmein\RaInfo.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-16 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-16 40384]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-4-12 38224]

=============== Created Last 30 ================

2010-04-16 22:23:10 0 d-----w- C:\ComboFix
2010-04-16 04:14:31 0 d-sha-r- C:\cmdcons
2010-04-16 04:12:54 98816 ----a-w- c:\windows\sed.exe
2010-04-16 04:12:54 77312 ----a-w- c:\windows\MBR.exe
2010-04-16 04:12:54 261632 ----a-w- c:\windows\PEV.exe
2010-04-16 04:12:54 161792 ----a-w- c:\windows\SWREG.exe
2010-04-15 23:45:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-04-15 03:43:30 0 d-sh--w- c:\documents and settings\bruce\IECompatCache
2010-04-15 03:39:59 0 d-sh--w- c:\documents and settings\bruce\PrivacIE
2010-04-15 03:37:32 0 d-sh--w- c:\documents and settings\bruce\IETldCache
2010-04-15 03:29:57 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-15 03:29:49 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-15 03:29:36 0 d-----w- c:\windows\ie8updates
2010-04-15 03:26:39 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-15 03:20:27 0 dc-h--w- c:\windows\ie8
2010-04-14 05:22:22 3215 ----a-w- c:\windows\wininit.ini
2010-04-14 03:32:04 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-14 03:32:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-14 03:18:55 0 d-----w- c:\program files\Trend Micro
2010-04-14 03:13:31 0 d-----w- C:\2fbda1a391ddd0e568a8859bdbb6a575
2010-04-14 02:48:21 0 d-----w- C:\Downloads
2010-04-13 03:47:07 0 d-----w- c:\docume~1\bruce\applic~1\Malwarebytes
2010-04-13 03:46:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-13 03:46:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-13 03:46:01 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-13 03:46:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-16 13:19:55 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll
2007-11-27 21:39:46 13459744 --sha-w- c:\windows\system32\drivers\fidbox.dat
2007-11-27 21:39:46 386848 --sha-w- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 22:35:21.43 ===============
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-04 17:32:02
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Bruce\LOCALS~1\Temp\afeyrpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xBAD89C08]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xBAD89AC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xBAD8A078]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xBAD89FA2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xBAD8969A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xBAD89B9E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xBAD895DA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xBAD8963E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xBAD89CBE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xBAD8A146]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xBAD89C7E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xBAD89DFE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xBAD9650A]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xBAD9632E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xBAD96468]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ObInsertObject 80564423 5 Bytes JMP BAD9397E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtCreateSection 8056469B 7 Bytes JMP BAD96332 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 805820F6 7 Bytes JMP BAD9650E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 805A29A4 5 Bytes JMP BAD924AA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwLoadDriver 805A5972 7 Bytes JMP BAD9646C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\internet explorer\iexplore.exe[3160] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3160] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3160] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3160] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3160] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3160] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3160] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3160] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3160] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3384] USER32.dll!UnhookWindowsHookEx 7E41F21E 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3384] USER32.dll!CallNextHookEx 7E41F85B 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3384] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3384] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3384] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3384] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3384] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3384] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3384] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3384] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3384] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3384] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3384] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3384] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3752] USER32.dll!UnhookWindowsHookEx 7E41F21E 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3752] USER32.dll!CallNextHookEx 7E41F85B 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3752] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3752] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3752] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3752] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3752] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3752] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3752] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3752] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3752] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3752] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3752] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3752] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

#4 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 05 May 2010 - 03:10 AM

Hello

I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy.

As you can see the logs we ask for are very extensive and take a lot of time to investigate. In addition, since I am still in training all of my responses have to be reviewed by our excellent expert staff so there may be a delay in response time. The advantage is that your log will be evaluated by two sets of eyes and two brains.

If you haven't already, you can keep the link to this topic in your Favorites. Alternatively, you can click the Options button at the top bar of this topic and Track this Topic, where you can choose email notifications.

Please make sure Word Wrap in Notepad is turned off. When copying and pasting logs, paste them directly in the reply box; only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.
Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system, so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7, it may be necessary to right-click any programs we use and choose Run as Administrator.

Before we begin, please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7.

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

Again, keep in mind that it may take a couple of days or more before I can reply but once we get started the process should speed up.

Thank you for your patience!!
PW

#5 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 06 May 2010 - 01:58 AM

Hello rob miller,

CODE
If I scan it with Avast it shows it cleans about 600 infected files and after a reboot when I scan again there are about the same amount of infected files but they are new files

Can you copy and post 5 or 6 of the files, including the complete path, that AVAST is finding?

Step 1.

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy
Step 2.

I don't see evidence of a firewall.

To enable Windows Firewall, follow these steps:
  • Click Start, click Run, type Firewall.cpl, and then click OK.
  • On the General tab, click On (recommended).
  • Click OK.
Step 3.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :dir
    C:\2fbda1a391ddd0e568a8859bdbb6a575

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Step 4.

I see you have previously run ComboFix. You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

Please delete the copy of Combofix from your desktop if still there.

Download a new copy of Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. <----Important
    Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.

In your next reply please post copies along with the paths of some of the files AVAST finds along with the following:

SystemLook.txt
ComboFix.txt


Thanks!!
PW

#6 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 10 May 2010 - 11:33 AM

Hello rob miller,

Do you still need help?
PW

#7 rob miller
  • Topic Starter

  • Members
  • 15 posts

Posted 10 May 2010 - 05:55 PM

Hi

Yes I do. I am sorry for the delay; I was not notified by the site with an email that you responded, for some reason. I will post what you asked for this evening.

Thank You
Rob

#8 rob miller
  • Topic Starter

  • Members
  • 15 posts

Posted 12 May 2010 - 01:24 AM

Hi

I have disabled Teatimer and SDHelper as instructed.

I have also checked to make sure the firewall was on and it is.

Here are the logs you requested:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 01:54 on 12/05/2010 by Bruce (Administrator - Elevation successful)

========== dir ==========

C:\2fbda1a391ddd0e568a8859bdbb6a575 - Parameters: "(none)"

---Files---
mrt.exe --a--- 29634504 bytes [20:17 04/01/2010] [20:17 04/01/2010]
mrtstub.exe --a--- 57800 bytes [20:17 04/01/2010] [20:17 04/01/2010]

---Folders---
None found.

-=End Of File=-

ComboFix 10-05-11.04 - Bruce 05/12/2010 2:01.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.437 [GMT -4:00]
Running from: c:\documents and settings\Bruce\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.

2010-05-12 05:49 . 2010-05-12 05:49 -------- d-----w- c:\windows\LastGood
2010-04-18 01:47 . 2010-04-18 01:47 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-17 02:46 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-17 02:46 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-17 02:46 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-17 02:46 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-17 02:46 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-17 02:46 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-17 02:46 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-17 02:45 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-17 02:45 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-15 23:47 . 2010-04-15 23:47 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-15 23:45 . 2010-04-17 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-15 23:45 . 2010-04-15 23:45 -------- d-----w- c:\program files\Alwil Software
2010-04-15 03:59 . 2010-04-15 03:59 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-04-15 03:59 . 2010-04-15 03:59 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-04-15 03:59 . 2010-04-15 03:59 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-04-15 03:59 . 2010-04-15 03:59 161800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgrkx86.sys
2010-04-15 03:43 . 2010-04-15 03:43 -------- d-sh--w- c:\documents and settings\Bruce\IECompatCache
2010-04-15 03:39 . 2010-04-15 03:39 -------- d-sh--w- c:\documents and settings\Bruce\PrivacIE
2010-04-15 03:37 . 2010-04-15 03:37 -------- d-sh--w- c:\documents and settings\Bruce\IETldCache
2010-04-15 03:29 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-15 03:29 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-15 03:29 . 2010-04-16 07:17 -------- d-----w- c:\windows\ie8updates
2010-04-15 03:26 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-15 03:20 . 2010-04-15 03:26 -------- dc-h--w- c:\windows\ie8
2010-04-15 02:54 . 2010-03-21 23:10 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-15 02:54 . 2010-03-21 23:10 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-15 02:54 . 2010-03-21 23:10 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-04-15 02:54 . 2010-03-21 23:10 798488 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-04-14 03:32 . 2010-04-14 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-14 03:32 . 2010-04-14 03:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-14 03:18 . 2010-04-14 03:18 -------- d-----w- c:\program files\Trend Micro
2010-04-14 03:13 . 2010-04-14 03:15 -------- d-----w- C:\2fbda1a391ddd0e568a8859bdbb6a575
2010-04-14 02:48 . 2010-04-17 02:44 -------- d-----w- C:\Downloads
2010-04-13 03:48 . 2010-04-13 03:51 79488 ----a-w- c:\documents and settings\Bruce\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-13 03:47 . 2010-04-13 03:47 -------- d-----w- c:\documents and settings\Bruce\Application Data\Malwarebytes
2010-04-13 03:46 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-13 03:46 . 2010-04-13 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-13 03:46 . 2010-04-13 03:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-13 03:46 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-13 03:43 . 2010-04-14 02:55 -------- d-----w- c:\documents and settings\Bruce\Application Data\Yahoo!
2010-04-13 03:43 . 2010-04-14 02:59 -------- d-----w- c:\documents and settings\Bruce\Local Settings\Application Data\Google
2010-04-13 03:43 . 2010-04-13 03:43 67480 ----a-w- c:\documents and settings\Bruce\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-13 03:42 . 2010-04-13 03:42 -------- d-----w- c:\documents and settings\Bruce\Local Settings\Application Data\Apple Computer
2010-04-13 03:42 . 2010-04-13 03:42 -------- d-----w- c:\documents and settings\Bruce\Local Settings\Application Data\ApplicationHistory
2010-04-13 03:41 . 2010-04-13 03:41 -------- d-----w- c:\documents and settings\Bruce\Local Settings\Application Data\ATI
2010-04-13 03:41 . 2010-04-13 03:41 -------- d-----w- c:\documents and settings\Bruce\Application Data\ATI
2010-04-13 03:41 . 2010-04-13 03:41 128 ----a-w- c:\documents and settings\Bruce\Local Settings\Application Data\fusioncache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-29 02:35 . 2009-01-01 16:08 -------- d-----w- c:\program files\LimeWire
2010-04-17 01:33 . 2010-03-21 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-14 03:38 . 2009-02-02 03:20 -------- d-----w- c:\program files\Google
2010-04-14 02:53 . 2008-05-02 03:57 -------- d-----w- c:\program files\Yahoo!
2010-03-24 16:20 . 2010-03-19 00:47 -------- d-sh--w- c:\documents and settings\All Users\Application Data\a2de372
2010-03-23 02:22 . 2010-03-23 02:22 -------- d-----w- c:\documents and settings\Guest\Application Data\AVG9
2010-03-21 23:10 . 2010-03-21 23:10 -------- d-----w- c:\program files\AVG
2010-03-19 00:48 . 2010-03-19 00:48 -------- d-sh--w- c:\documents and settings\All Users\Application Data\MSFTRFXFW
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 12:31 . 2006-02-28 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:19 . 2006-02-28 12:00 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2004-08-03 22:59 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2006-02-28 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2006-02-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2007-11-27 21:39 . 2007-02-14 15:44 13459744 --sha-w- c:\windows\system32\drivers\fidbox.dat
2007-11-27 21:39 . 2007-02-14 15:44 386848 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-04-16_22.33.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-12 05:39 . 2010-05-12 05:39 16384 c:\windows\Temp\Perflib_Perfdata_7ac.dat
- 2006-02-28 12:00 . 2010-04-16 20:50 71904 c:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2010-05-12 05:44 71904 c:\windows\system32\perfc009.dat
+ 2010-05-12 05:48 . 2010-05-12 05:51 3832 c:\windows\SoftwareDistribution\EventCache\{503CDA39-0536-4B48-89B0-8D2BD703460F}.bin
+ 2006-02-28 12:00 . 2010-05-12 05:44 444028 c:\windows\system32\perfh009.dat
- 2006-02-28 12:00 . 2010-04-16 20:50 444028 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-01 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/16/2010 10:46 PM 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/16/2010 10:46 PM 19024]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/15/2008 1:24 AM 24652]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\RaInfo.sys --> c:\program files\LogMeIn\RaInfo.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/12/2010 11:46 PM 38224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-12 02:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="System32\Drivers\atapi.svs"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3404)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-05-12 02:14:18
ComboFix-quarantined-files.txt 2010-05-12 06:14
ComboFix2.txt 2010-04-16 22:38
ComboFix3.txt 2010-04-16 20:57

Pre-Run: 16,453,963,776 bytes free
Post-Run: 16,472,010,752 bytes free

- - End Of File - - 54C2A320D3D08CE744BFDEA7095992D0

I am running an Avast scan now to get you the virused files you asked for. I will post them shortly. Computer is still running very slow. Thank you very much for your help!

Rob
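The ComboFix and TDSSKiller output posted in this thread both list a driver whose path ends in `.svs` rather than the usual `.sys` (the atapi entry), and ComboFix prints `[?]` where it could not read a service binary's date and size (the LMIInfo entry). As an added example, not part of the thread and not code from ComboFix, TDSSKiller or GMER, the following Python script parses those three line shapes and flags such entries for review. The sample lines are copied from the logs above; the regular expressions are assumptions derived from the line shapes seen here, not from any published format of those tools.

```python
import ntpath
import re

# Constructed sample input: lines copied from the ComboFix and TDSSKiller
# logs posted in this thread (service list, registry ImagePath, driver scan).
SAMPLE_LINES = [
    r'R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/16/2010 10:46 PM 164048]',
    r'S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\RaInfo.sys --> c:\program files\LogMeIn\RaInfo.sys [?]',
    r'"ImagePath"="System32\Drivers\atapi.svs"',
    r'22:29:01:125 2360 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\Drivers\atapi.svs',
    r'22:29:01:062 2360 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys',
]

# Assumed line shapes (derived from the logs above, not a documented format):
# ComboFix service entry: "<R|S><n> <name>;<display name>;<path> [<date size | ?>]"
COMBOFIX_SVC = re.compile(r'^([RS]\d)\s+([^;]+);[^;]*;(.+?)\s+\[([^\]]*)\]\s*$')
# Registry ImagePath as ComboFix prints it
IMAGEPATH = re.compile(r'^"ImagePath"="(.+)"\s*$')
# TDSSKiller driver line: "<hh:mm:ss:ms> <pid> <name> (<md5>) <path>"
TDSSKILLER_DRV = re.compile(
    r'^\d{2}:\d{2}:\d{2}:\d+\s+\d+\s+(\S+)\s+\(([0-9a-fA-F]{32})\)\s+(.+?)\s*$')

# Kernel drivers on XP are expected to be .sys files; anything else is a lead.
EXPECTED_DRIVER_EXT = {".sys"}


def parse_driver_entries(lines):
    """Normalise the three line shapes into dicts with source, name, path, meta, md5."""
    entries = []
    for line in lines:
        m = COMBOFIX_SVC.match(line)
        if m:
            path = m.group(3)
            # ComboFix prints "<registry value> --> <resolved path>"; keep the resolved path
            if "-->" in path:
                path = path.split("-->", 1)[1].strip()
            entries.append({"source": "combofix", "name": m.group(2),
                            "path": path, "meta": m.group(4), "md5": None})
            continue
        m = IMAGEPATH.match(line)
        if m:
            entries.append({"source": "registry", "name": None,
                            "path": m.group(1), "meta": "", "md5": None})
            continue
        m = TDSSKILLER_DRV.match(line)
        if m:
            entries.append({"source": "tdsskiller", "name": m.group(1),
                            "path": m.group(3), "meta": "", "md5": m.group(2).lower()})
    return entries


def find_anomalies(lines):
    """Return (source, path, reason) tuples for entries that deserve a second look."""
    findings = []
    for e in parse_driver_entries(lines):
        # ntpath handles backslash paths correctly even when run on Linux/macOS
        ext = ntpath.splitext(e["path"])[1].lower()
        if ext not in EXPECTED_DRIVER_EXT:
            findings.append((e["source"], e["path"], f"unexpected driver extension {ext!r}"))
        if e["meta"].strip() == "?":
            findings.append((e["source"], e["path"], "file metadata unavailable ([?])"))
    return findings


if __name__ == "__main__":
    for source, path, reason in find_anomalies(SAMPLE_LINES):
        print(f"[{source}] {path}: {reason}")
```

To use it on a real case, read a saved ComboFix.txt or TDSSKiller.txt and pass its lines to `find_anomalies()`. A flagged entry is a triage lead, not a verdict: the next step is to check the file's digital signature and hash against a known-good copy, not to delete it.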

#9 rob miller
  • Topic Starter

  • Members
  • 15 posts

Posted 13 May 2010 - 06:23 PM

Hi

I think we are getting closer. My last Avast scan only found 22 viruses, and they were all in Windows media files, .WMA or .MP3 files. I cannot find the Avast logs to post, and once it finds the files it puts them in a Virus Chest, and the folder is hidden and protected from access. I ran another scan and it did not find anything. Do you think the machine is clean now by the logs I posted?

Thanks for all your help!
Rob

#10 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 16 May 2010 - 08:00 AM

Hello rob miller,

Thought I would let you know that I'm still with you.

My Coach is unavailable till Sunday evening. I will have a fix for you then.

Thanks for your patience!!
PW

#11 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 16 May 2010 - 05:15 PM

Hello rob miller,

Step 1.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

Step 2.

Please delete the copy of Combofix on your desktop.

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs. http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

In your next reply please include the following:

TDSSKiller.txt
combofix.txt


Thanks!!
PW

#12 rob miller
  • Topic Starter

  • Members
  • 15 posts

Posted 17 May 2010 - 10:30 PM

Hi

Thanks for all your help! I have tried several times to paste the ComboFix log and IE locks up. I will attach it instead of pasting it this time. Let me know if you think this machine is clean now.


22:28:57:328 2360 TDSS rootkit removing tool 2.3.0.0 May 12 2010 18:11:17
22:28:57:328 2360 ================================================================================
22:28:57:328 2360 SystemInfo:

22:28:57:328 2360 OS Version: 5.1.2600 ServicePack: 3.0
22:28:57:328 2360 Product type: Workstation
22:28:57:328 2360 ComputerName: KATHY-4ADF8F5CE
22:28:57:328 2360 UserName: Bruce
22:28:57:328 2360 Windows directory: C:\WINDOWS
22:28:57:328 2360 Processor architecture: Intel x86
22:28:57:328 2360 Number of processors: 1
22:28:57:328 2360 Page size: 0x1000
22:28:57:328 2360 Boot type: Normal boot
22:28:57:328 2360 ================================================================================
22:28:57:375 2360 UnloadDriverW: NtUnloadDriver error 2
22:28:57:375 2360 ForceUnloadDriverW: UnloadDriverW(klmd23) error 2
22:28:57:531 2360 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
22:28:57:531 2360 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:28:57:531 2360 wfopen_ex: Trying to KLMD file open
22:28:57:531 2360 wfopen_ex: File opened ok (Flags 2)
22:28:57:531 2360 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
22:28:57:531 2360 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:28:57:531 2360 wfopen_ex: Trying to KLMD file open
22:28:57:531 2360 wfopen_ex: File opened ok (Flags 2)
22:28:57:531 2360 KLAVA engine initialized
22:28:57:890 2360 Initialize success
22:28:57:890 2360
22:28:57:890 2360 Scanning Services ...
22:28:58:453 2360 Raw services enum returned 339 services
22:28:58:484 2360
22:28:58:484 2360 Scanning Drivers ...
22:28:59:562 2360 Aavmker4 (a5246ed2586aa807af0bcf63165a71cc) C:\WINDOWS\system32\drivers\Aavmker4.sys
22:28:59:734 2360 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:29:00:078 2360 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
22:29:00:187 2360 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
22:29:00:265 2360 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\WINDOWS\system32\drivers\Afc.sys
22:29:00:328 2360 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
22:29:00:718 2360 aswFsBlk (1b6ed99291ddf5d2501554cc5757aab6) C:\WINDOWS\system32\drivers\aswFsBlk.sys
22:29:00:828 2360 aswMon2 (81432b1a4b31036c822eb967decf613c) C:\WINDOWS\system32\drivers\aswMon2.sys
22:29:00:921 2360 aswRdr (3e2b6112d2766f87eda8466fde86a986) C:\WINDOWS\system32\drivers\aswRdr.sys
22:29:00:953 2360 aswSP (d78b644816db540e103d0b0766fd9967) C:\WINDOWS\system32\drivers\aswSP.sys
22:29:01:000 2360 aswTdi (606d731008d98b6ef946730c597c1642) C:\WINDOWS\system32\drivers\aswTdi.sys
22:29:01:062 2360 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:29:01:125 2360 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\Drivers\atapi.svs
22:29:01:281 2360 ati2mtag (492bd2a5f65f218d4ede5764a3bb67e9) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
22:29:01:515 2360 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:29:01:593 2360 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
22:29:01:687 2360 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
22:29:01:890 2360 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
22:29:02:015 2360 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
22:29:02:078 2360 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
22:29:02:140 2360 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:29:02:359 2360 cmuda (297cc8a257cbd3c46bbd675ec5e35cc2) C:\WINDOWS\system32\drivers\cmuda.sys
22:29:03:171 2360 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
22:29:03:312 2360 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
22:29:03:453 2360 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
22:29:03:609 2360 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
22:29:03:687 2360 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
22:29:03:843 2360 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
22:29:03:937 2360 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
22:29:04:062 2360 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
22:29:04:125 2360 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys
22:29:04:203 2360 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
22:29:04:265 2360 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
22:29:04:343 2360 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
22:29:04:437 2360 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
22:29:04:562 2360 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
22:29:04:625 2360 GEARAspiWDM (f2f431d1573ee632975c524418655b84) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
22:29:04:671 2360 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
22:29:04:750 2360 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
22:29:04:859 2360 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
22:29:04:906 2360 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
22:29:04:984 2360 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
22:29:05:062 2360 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
22:29:05:234 2360 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
22:29:05:312 2360 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
22:29:05:750 2360 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
22:29:05:828 2360 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
22:29:05:921 2360 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
22:29:06:015 2360 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
22:29:06:109 2360 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
22:29:06:187 2360 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
22:29:06:234 2360 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
22:29:06:281 2360 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
22:29:06:421 2360 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
22:29:06:515 2360 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
22:29:06:750 2360 LMImirr (725d65bf81191264210f75a921527aeb) C:\WINDOWS\system32\DRIVERS\LMImirr.sys
22:29:06:890 2360 ltmodem5 (006df4dac09517adcc3fb329f50ff156) C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys
22:29:07:062 2360 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
22:29:07:171 2360 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
22:29:07:250 2360 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
22:29:07:312 2360 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
22:29:07:406 2360 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
22:29:07:531 2360 MREMP50 (80b2ec735495823ae5771a5f603e73bd) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
22:29:07:578 2360 MRESP50 (37d7c22f7e26da90e2d2d260e5d27846) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
22:29:07:796 2360 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
22:29:08:171 2360 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:29:08:531 2360 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
22:29:11:062 2360 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
22:29:11:640 2360 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
22:29:12:046 2360 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
22:29:12:328 2360 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
22:29:12:656 2360 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
22:29:12:781 2360 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
22:29:12:921 2360 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
22:29:13:015 2360 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
22:29:13:109 2360 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
22:29:13:218 2360 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
22:29:13:296 2360 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
22:29:13:421 2360 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
22:29:13:531 2360 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
22:29:13:671 2360 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
22:29:13:812 2360 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
22:29:13:906 2360 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
22:29:13:984 2360 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
22:29:14:109 2360 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
22:29:14:218 2360 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
22:29:14:296 2360 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
22:29:14:375 2360 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
22:29:14:593 2360 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
22:29:14:890 2360 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
22:29:14:984 2360 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
22:29:15:062 2360 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
22:29:15:171 2360 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
22:29:15:406 2360 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
22:29:15:562 2360 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
22:29:15:656 2360 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
22:29:15:796 2360 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
22:29:15:890 2360 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
22:29:16:015 2360 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
22:29:16:109 2360 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
22:29:16:218 2360 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
22:29:16:296 2360 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
22:29:16:406 2360 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
22:29:16:515 2360 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
22:29:16:640 2360 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
22:29:16:812 2360 SMBios (d72a21424ca66c7a745bd995eca6a710) C:\WINDOWS\system32\DRIVERS\SMBios.sys
22:29:16:937 2360 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
22:29:17:062 2360 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
22:29:17:171 2360 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
22:29:17:312 2360 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
22:29:17:406 2360 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
22:29:17:937 2360 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
22:29:18:062 2360 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
22:29:18:250 2360 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
22:29:18:390 2360 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
22:29:18:500 2360 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
22:29:18:625 2360 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
22:29:18:796 2360 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
22:29:18:906 2360 USBAAPL (026f7f224f088ee11e383bca448fff81) C:\WINDOWS\system32\Drivers\usbaapl.sys
22:29:18:984 2360 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
22:29:19:093 2360 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
22:29:19:203 2360 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
22:29:19:296 2360 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
22:29:19:390 2360 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
22:29:19:484 2360 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:29:19:625 2360 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
22:29:19:703 2360 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
22:29:19:796 2360 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
22:29:19:906 2360 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
22:29:19:984 2360 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
22:29:20:125 2360 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
22:29:20:281 2360 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
22:29:20:421 2360 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
22:29:20:531 2360 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
22:29:20:640 2360 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
22:29:20:781 2360 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
22:29:20:781 2360
22:29:20:781 2360 Completed
22:29:20:781 2360
22:29:20:781 2360 Results:
22:29:20:781 2360 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
22:29:20:781 2360 File objects infected / cured / cured on reboot: 0 / 0 / 0
22:29:20:781 2360
22:29:20:781 2360 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
22:29:20:781 2360 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
22:29:20:796 2360 KLMD(ARK) unloaded successfully

Attached Files
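The TDSSKiller log above ends with 0 infected registry and file objects, yet its driver listing contains the entry for the atapi service loading C:\WINDOWS\system32\Drivers\atapi.svs, the file name the helper's later "atapi.svs fix" targets. A signature count can miss that; a second pass over the listing itself does not. The Python below is an added example written for this page (it is not part of the thread and not TDSSKiller code). It parses the one-line-per-driver format TDSSKiller 2.3 printed above and flags any image path whose extension is not .sys or which sits outside the Windows driver directories. The sample input is a handful of lines copied from the log above; the directory list and the two rules are assumptions for the example, not anything TDSSKiller does.

```python
"""Triage of a TDSSKiller 2.3 'Scanning Drivers' listing.

Added example for this thread, not TDSSKiller's own logic.  Each driver
line has the shape

    HH:MM:SS:mmm PID ServiceName (md5) ImagePath

The 'Results' block only counts signature hits, so a service whose
ImagePath was redirected to a look-alike file (atapi.svs instead of
atapi.sys) can appear in the listing with no detection at all.
"""
import re
from dataclasses import dataclass

# One driver line: timestamp, PID, service name, 32-hex MD5 in parentheses, path.
DRIVER_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<pid>\d+)\s+"
    r"(?P<service>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>\S.*?)\s*$",
    re.IGNORECASE,
)
# The two summary lines at the end of the log.
RESULT_LINE = re.compile(
    r"(?P<kind>Registry|File) objects infected / cured / cured on reboot: "
    r"(?P<infected>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)"
)

# Where Windows XP normally keeps kernel drivers (assumption for this example).
EXPECTED_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\")


@dataclass
class Finding:
    service: str
    path: str
    md5: str
    reason: str


def parse_driver_lines(text):
    """Yield (service, md5, path) for every driver line; skip everything else."""
    for line in text.splitlines():
        m = DRIVER_LINE.match(line)
        if m:
            yield m["service"], m["md5"].lower(), m["path"]


def parse_results(text):
    """Return {'registry': n, 'file': n} infected counts from the Results block."""
    return {m["kind"].lower(): int(m["infected"]) for m in RESULT_LINE.finditer(text)}


def check_image_path(path):
    """Return a reason string if the image path looks wrong, else None."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    # Rule 1: kernel drivers are .sys images.  A boot-critical service
    # name loading a different extension is the atapi.svs pattern above.
    if not name.endswith(".sys"):
        return f"image extension is not .sys ({name})"
    # Rule 2: drivers outside the system driver directories are not
    # malicious per se (vendor software does this) but deserve a look.
    if not any(low.startswith(d) for d in EXPECTED_DIRS):
        return "image lives outside the Windows driver directories"
    return None


def triage(text):
    """Run the rules over a whole log and return the list of findings."""
    findings = []
    for service, md5, path in parse_driver_lines(text):
        reason = check_image_path(path)
        if reason:
            findings.append(Finding(service, path, md5, reason))
    return findings


# Sample input: lines copied from the TDSSKiller log in this thread.
SAMPLE_LOG = """\
22:28:59:562 2360 Aavmker4 (a5246ed2586aa807af0bcf63165a71cc) C:\\WINDOWS\\system32\\drivers\\Aavmker4.sys
22:28:59:734 2360 ACPI (8fd99680a539792a30e97944fdaecf17) C:\\WINDOWS\\system32\\DRIVERS\\ACPI.sys
22:29:00:328 2360 AFD (7e775010ef291da96ad17ca4b17137d7) C:\\WINDOWS\\System32\\drivers\\afd.sys
22:29:01:125 2360 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\\WINDOWS\\system32\\Drivers\\atapi.svs
22:29:07:531 2360 MREMP50 (80b2ec735495823ae5771a5f603e73bd) C:\\PROGRA~1\\COMMON~1\\Motive\\MREMP50.SYS
22:29:18:062 2360 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\\WINDOWS\\system32\\DRIVERS\\tcpip.sys
22:29:20:781 2360 Results:
22:29:20:781 2360 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
22:29:20:781 2360 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

if __name__ == "__main__":
    print("TDSSKiller infected counts:", parse_results(SAMPLE_LOG))
    for f in triage(SAMPLE_LOG):
        print(f"{f.service:10} {f.reason}: {f.path}")
```

Run on the sample, the script reports zero infected objects from TDSSKiller's own count but two findings: atapi (extension .svs) and MREMP50 (vendor driver under Program Files, review only).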



#13 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 20 May 2010 - 10:49 AM

Hello rob miller,

I notice you have two antivirus programs installed, Avast and AVG9. You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC. Please uninstall one of them now.
Instructions for AVG9 removal are here

Step 1.

You should still have SystemLook on your desktop. If not, download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    *atapi.sys*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Step 2.

We need to run a Combofix Script

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <<----Important
3. Open notepad and copy/paste the text in the codebox below into it:

CODE
DirLook::
c:\documents and settings\All Users\Application Data\a2de372
c:\documents and settings\All Users\Application Data\MSFTRFXFW

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=-


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

If Combofix prompts you to update the program please allow it to do so.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply please include the following:

SystemLook.txt
ComboFix.txt


Thanks!!
PW

#14 rob miller

rob miller
  • Topic Starter
  • Members
  • 15 posts

Posted 20 May 2010 - 06:32 PM

Hi

I have seen those AVG registry entries in the scans but it had been uninstalled before I put on the Avast so it is not running. I have run the scan you wanted and here are the logs. I do not know if this is important but every time I run ComboFix, when I go back into explorer it says it is not set to be my default browser. Thanks for your help!

Rob


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 18:40 on 20/05/2010 by Bruce (Administrator - Elevation successful)

========== filefind ==========

Searching for "*atapi.sys*"
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir --a--- 95360 bytes [04:17 16/04/2010] [12:00 28/02/2006] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [02:52 13/05/2010] [02:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [22:35 16/04/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [01:43 13/05/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SoftwareDistribution\Download.old\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys --a--- 96512 bytes [01:43 13/05/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SoftwareDistribution\Download.old\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys --a--- 96512 bytes [17:30 28/11/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [12:00 28/02/2006] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-







ComboFix 10-05-20.07 - Bruce 05/20/2010 18:57:33.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.423 [GMT -4:00]
Running from: c:\documents and settings\Bruce\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bruce\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-04-20 to 2010-05-20 )))))))))))))))))))))))))))))))
.

2010-05-13 23:11 . 2010-05-13 23:11 -------- d-----w- C:\410e697210e555f0a191
2010-05-13 23:10 . 2010-05-13 23:15 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-13 23:09 . 2010-05-13 23:09 -------- d-----w- c:\program files\Microsoft
2010-05-13 23:09 . 2010-05-13 23:09 -------- d-----w- c:\documents and settings\Bruce\Local Settings\Application Data\Identities
2010-05-13 23:09 . 2010-05-13 23:09 -------- d-----w- c:\documents and settings\Bruce\Application Data\Windows Desktop Search
2010-05-13 23:07 . 2010-05-14 07:17 -------- d-----w- c:\program files\Windows Desktop Search
2010-05-13 23:07 . 2010-05-13 23:07 -------- d-----w- c:\windows\system32\GroupPolicy
2010-05-13 23:05 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-05-13 23:05 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-05-13 23:05 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-05-13 22:52 . 2010-05-20 22:56 -------- d-----w- c:\windows\system32\CatRoot2
2010-05-13 04:44 . 2010-05-13 04:44 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-05-13 03:09 . 2010-05-13 04:44 -------- d-----w- c:\windows\system32\wbem\Repository.001
2010-05-13 03:08 . 2010-05-13 03:08 -------- d-----w- c:\windows\system32\scripting
2010-05-13 03:08 . 2010-05-13 03:08 -------- d-----w- c:\windows\l2schemas
2010-05-13 03:08 . 2010-05-13 03:08 -------- d-----w- c:\windows\system32\en
2010-05-13 03:08 . 2010-05-13 03:08 -------- d-----w- c:\windows\system32\bits
2010-05-13 02:51 . 2010-05-13 02:51 -------- d-----w- c:\windows\EHome
2010-05-13 01:45 . 2008-04-13 18:40 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2010-05-13 01:44 . 2008-04-14 00:12 33792 ------w- c:\windows\system32\mmcperf.exe
2010-05-13 01:44 . 2008-04-14 00:11 397312 ------w- c:\windows\system32\mmcex.dll
2010-05-13 01:44 . 2008-04-14 00:11 184320 ------w- c:\windows\system32\microsoft.managementconsole.dll
2010-05-13 01:44 . 2008-04-14 00:11 106496 ------w- c:\windows\system32\mmcfxcommon.dll
2010-05-13 01:44 . 2008-04-14 00:11 86016 ------w- c:\windows\system32\mdmxsdk.dll
2010-05-13 01:44 . 2004-08-04 02:41 11868 ------w- c:\windows\system32\drivers\mdmxsdk.sys
2010-05-13 01:44 . 2008-04-14 00:11 37376 ------w- c:\windows\system32\l2gpstore.dll
2010-05-13 01:44 . 2008-04-14 00:11 61440 ------w- c:\windows\system32\kmsvc.dll
2010-05-13 01:44 . 2008-04-14 00:09 6144 ------w- c:\windows\system32\kbdpash.dll
2010-05-13 01:44 . 2008-04-14 00:09 6144 ------w- c:\windows\system32\kbdnepr.dll
2010-05-13 01:44 . 2008-04-14 00:09 6144 ------w- c:\windows\system32\kbdiultn.dll
2010-05-13 01:44 . 2008-04-14 00:09 6144 ------w- c:\windows\system32\kbdbhc.dll
2010-05-13 01:44 . 2008-04-14 00:11 81920 ------w- c:\windows\system32\ieencode.dll
2010-05-13 01:42 . 2008-04-13 18:36 44928 ------w- c:\windows\system32\drivers\agpcpq.sys
2010-05-13 01:42 . 2008-04-13 18:36 42368 ------w- c:\windows\system32\drivers\agp440.sys
2010-05-13 01:42 . 2008-04-14 00:11 4255 ------w- c:\windows\system32\drivers\adv01nt5.dll
2010-05-13 01:42 . 2008-04-14 00:11 3967 ------w- c:\windows\system32\drivers\adv02nt5.dll
2010-05-13 01:42 . 2008-04-14 00:11 3775 ------w- c:\windows\system32\drivers\adv11nt5.dll
2010-05-13 01:42 . 2008-04-14 00:11 3711 ------w- c:\windows\system32\drivers\adv09nt5.dll
2010-05-13 01:42 . 2008-04-14 00:11 3647 ------w- c:\windows\system32\drivers\adv07nt5.dll
2010-05-13 01:42 . 2008-04-14 00:11 3615 ------w- c:\windows\system32\drivers\adv05nt5.dll
2010-05-13 01:42 . 2008-04-14 00:11 3135 ------w- c:\windows\system32\drivers\adv08nt5.dll
2010-05-13 01:23 . 2010-05-13 01:23 -------- d-----w- c:\program files\Common Files\Java
2010-05-13 01:23 . 2010-05-13 01:23 503808 ----a-w- c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-272c623a-n\msvcp71.dll
2010-05-13 01:23 . 2010-05-13 01:23 499712 ----a-w- c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-272c623a-n\jmc.dll
2010-05-13 01:23 . 2010-05-13 01:23 61440 ----a-w- c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1d759c74-n\decora-sse.dll
2010-05-13 01:23 . 2010-05-13 01:23 348160 ----a-w- c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-272c623a-n\msvcr71.dll
2010-05-13 01:23 . 2010-05-13 01:23 12800 ----a-w- c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1d759c74-n\decora-d3d.dll
2010-05-13 01:23 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-13 22:11 . 2010-04-13 03:43 68256 ----a-w- c:\documents and settings\Bruce\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-13 03:12 . 2007-02-13 19:16 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-13 01:23 . 2009-01-01 16:20 -------- d-----w- c:\program files\Java
2010-05-06 20:59 . 2010-04-17 02:45 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2010-04-17 02:46 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2010-04-17 02:46 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2010-04-17 02:46 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:33 . 2010-04-17 02:46 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-06 20:33 . 2010-04-17 02:46 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-06 20:33 . 2010-04-17 02:46 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-06 20:33 . 2010-04-17 02:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-29 02:35 . 2009-01-01 16:08 -------- d-----w- c:\program files\LimeWire
2010-04-17 02:45 . 2010-04-15 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-17 01:33 . 2010-03-21 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-15 23:45 . 2010-04-15 23:45 -------- d-----w- c:\program files\Alwil Software
2010-04-15 03:59 . 2010-04-15 03:59 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-04-15 03:59 . 2010-04-15 03:59 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-04-15 03:59 . 2010-04-15 03:59 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-04-15 03:59 . 2010-04-15 03:59 161800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgrkx86.sys
2010-04-14 16:47 . 2010-04-17 02:45 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-14 05:22 . 2010-04-14 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-14 03:39 . 2010-04-14 03:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-14 03:38 . 2009-02-02 03:20 -------- d-----w- c:\program files\Google
2010-04-14 03:18 . 2010-04-14 03:18 -------- d-----w- c:\program files\Trend Micro
2010-04-14 02:55 . 2010-04-13 03:43 -------- d-----w- c:\documents and settings\Bruce\Application Data\Yahoo!
2010-04-14 02:53 . 2008-05-02 03:57 -------- d-----w- c:\program files\Yahoo!
2010-04-13 03:51 . 2010-04-13 03:48 79488 ----a-w- c:\documents and settings\Bruce\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-13 03:47 . 2010-04-13 03:47 -------- d-----w- c:\documents and settings\Bruce\Application Data\Malwarebytes
2010-04-13 03:46 . 2010-04-13 03:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-13 03:46 . 2010-04-13 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-13 03:41 . 2010-04-13 03:41 -------- d-----w- c:\documents and settings\Bruce\Application Data\ATI
2010-04-13 03:41 . 2010-04-13 03:41 128 ----a-w- c:\documents and settings\Bruce\Local Settings\Application Data\fusioncache.dat
2010-03-30 04:46 . 2010-04-13 03:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-04-13 03:46 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-24 16:20 . 2010-03-19 00:47 -------- d-sh--w- c:\documents and settings\All Users\Application Data\a2de372
2010-03-23 02:22 . 2010-03-23 02:22 -------- d-----w- c:\documents and settings\Guest\Application Data\AVG9
2010-03-21 23:10 . 2010-04-15 02:54 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-03-21 23:10 . 2010-04-15 02:54 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-03-21 23:10 . 2010-04-15 02:54 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-03-21 23:10 . 2010-04-15 02:54 798488 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-03-21 23:10 . 2010-03-21 23:10 -------- d-----w- c:\program files\AVG
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2007-11-27 21:39 . 2007-02-14 15:44 13459744 --sha-w- c:\windows\system32\drivers\fidbox.dat
2007-11-27 21:39 . 2007-02-14 15:44 386848 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\a2de372 ----

2010-03-19 00:48 . 2010-03-19 00:48 4286 ----a-w- c:\documents and settings\All Users\Application Data\a2de372\MSW.ico
2010-03-19 00:48 . 2009-10-31 03:58 707 ----a-w- c:\documents and settings\All Users\Application Data\a2de372\BackUp\McAfee Security Scan.lnk
2010-03-19 00:48 . 2010-03-19 00:48 11370 ----a-w- c:\documents and settings\All Users\Application Data\a2de372\MSWSys\vd952342.bd

---- Directory of c:\documents and settings\All Users\Application Data\MSFTRFXFW ----

2010-03-19 00:48 . 2010-03-22 09:15 69459 --sha-w- c:\documents and settings\All Users\Application Data\MSFTRFXFW\MSUNULLLJW.cfg


((((((((((((((((((((((((((((( SnapShot_2010-05-18_02.45.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-20 22:07 . 2010-05-20 22:07 16384 c:\windows\Temp\Perflib_Perfdata_7a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
[BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/16/2010 10:46 PM 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/16/2010 10:46 PM 19024]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/15/2008 1:24 AM 24652]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\RaInfo.sys --> c:\program files\LogMeIn\RaInfo.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-20 19:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="System32\Drivers\atapi.svs"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3684)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-05-20 19:09:13
ComboFix-quarantined-files.txt 2010-05-20 23:09
ComboFix2.txt 2010-05-18 02:50
ComboFix3.txt 2010-05-12 06:14
ComboFix4.txt 2010-04-16 22:38
ComboFix5.txt 2010-05-20 22:55

Pre-Run: 15,123,746,816 bytes free
Post-Run: 15,089,324,032 bytes free

- - End Of File - - EEEDF513944ED0D8D9E3EADC00DA547D


#15 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country
  • Local time:03:57 PM

Posted 23 May 2010 - 05:21 AM

Hello rob miller,

Step 1.

Please go here to download and run the AVG9 Uninstall Tool for your version of Windows.


Step 2.

Please go to Start | Run, (or Windows Key + r ), and type cmd in the run box.

In the command window type the following:

cd \ (note the space between cd and \)

Copy then paste the following atapi.svs fix by noahdfear at the C:\ prompt. Do not include the word "CODE"

CODE
ren %systemroot%\system32\drivers\atapi.sys atapi.old
copy /y %systemroot%\servicepackfiles\i386\atapi.sys %systemroot%\system32\drivers
dir %systemroot%\system32\drivers\*atapi.* >log.txt
reg add HKLM\system\currentcontrolset\services\atapi /v ImagePath /t REG_EXPAND_SZ /d system32\Drivers\atapi.sys
reg query HKLM\system\currentcontrolset\services\atapi /v ImagePath >>log.txt
notepad log.txt
The fix will run and you will get the following message: "The operation completed successfully", and a log will open.

Close the command window and post the log.txt in your next reply.

Step 3.

We need to run a Combofix Script

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <<----Important
3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Folder::
c:\documents and settings\All Users\Application Data\a2de372
c:\documents and settings\All Users\Application Data\MSFTRFXFW


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

If Combofix prompts you to update the program please allow it to do so.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 4.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
In your next reply please include the following:

log.txt
ComboFix.txt
ESET report << note: If nothing is found there will be no report.

Thanks!!
PW
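The registry check that the atapi.svs fix in Step 2 above does by hand, as an added example that is not part of the thread, of ComboFix or of noahdfear's fix: it parses the [key] / "name"="value" lines of a ComboFix log like the one posted above and flags a driver service whose ImagePath does not resolve to the genuine path the reg add line writes. The "Beep" entry in the sample is constructed for comparison.

```python
"""Flag a hijacked atapi driver service in a ComboFix-style registry dump.
Added example, not code from the thread, ComboFix or noahdfear's fix."""
import re

# Constructed sample: the atapi lines from the log above plus a clean
# "Beep" control entry (constructed, not from the log).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="System32\Drivers\atapi.svs"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Beep]
"ImagePath"="System32\Drivers\Beep.sys"
'''
# Genuine ImagePath per driver service, lower-case, relative to %SystemRoot%;
# the atapi value is the one the reg add command in the reply above writes.
EXPECTED = {"atapi": r"system32\drivers\atapi.sys"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def normalize(path: str) -> str:
    """Lower-case and strip the SystemRoot prefixes a driver ImagePath may carry."""
    p = path.strip().lower()
    for prefix in ("\\systemroot\\", "%systemroot%\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    return p.lstrip("\\")


def parse_reg_dump(text: str) -> dict:
    """Return {key_path: {value_name: data}} from the [key] / "name"="data" lines."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = m.group(1)
            result.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            result[current][m.group(1)] = m.group(2)
    return result


def find_hijacked_services(text: str) -> list:
    """Return (service, actual ImagePath, expected ImagePath) for each mismatch."""
    findings = []
    for key, values in parse_reg_dump(text).items():
        service = key.rsplit("\\", 1)[-1].lower()  # last key component = service name
        if service in EXPECTED and "ImagePath" in values:
            actual = values["ImagePath"]
            if normalize(actual) != EXPECTED[service]:
                findings.append((service, actual, EXPECTED[service]))
    return findings
```

Running find_hijacked_services over a full ComboFix log reports the atapi.svs entry and stays silent once the reg query in log.txt shows the restored system32\Drivers\atapi.sys value.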