
Antimalware Doctor and other malware


  • This topic is locked
26 replies to this topic

#1 John Lindsey

John Lindsey

  • Members
  • 15 posts

Posted 30 April 2010 - 06:08 PM

Hi,
It all started when I downloaded a zip file from Rapidshare. The file was checked with Virustotal and came up clean. As soon as I downloaded it, I got what I now believe was a bogus Java update. Then this Antimalware Doctor pops up telling me I had keyloggers and God knows what else. Also, my AVG went nuts telling me I had 3 trojans.

I followed your Antimalware Doctor removal instructions and I thought that was the end of it, but a scan with MBAM came up with 6 infected files. I let it take care of those, scanned again, and found a bad registry entry. Scanned yet again, and found one more. At that point I figured I had a problem, so I went to your Do This Stuff First page, ran all the scans and here I am.

I am running Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

The last MBAM scan found this registry entry: Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

rkill log:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as john on 04/30/2010 at 17:58:40.


Processes terminated by Rkill or while it was running:


C:\Users\john\AppData\Local\Temp\RtkBtMnt.exe
C:\Users\john\AppData\Local\Temp\Xqq.exe
C:\Users\john\Desktop\rkill.com


Rkill completed on 04/30/2010 at 17:58:46.


gmer log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-30 18:37:48
Windows 6.0.6002 Service Pack 2
Running: ubzo3u5e.exe; Driver: C:\Users\john\AppData\Local\Temp\kxtcipog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8572BEE4

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


dds log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by john at 18:18:09.11 on Fri 04/30/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3000.1478 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\PLFSetI.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DAP\DAP.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\john\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1008&m=extensa_5630
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1008&m=extensa_5630
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1008&m=extensa_5630
uInternet Settings,ProxyServer = 208.78.125.19:80
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: SBCONVERT Class: {3017fb3e-9a77-4396-88c5-0ec9548fb42f} - c:\program files\speedbit video downloader\toolbar\tbcore3.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SearchPredictObj Class: {389943b0-c3a2-4e69-82cb-8596a84cb3dc} - c:\progra~1\search~1\SEARCH~1.DLL
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Partner BHO Class: {83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} - c:\programdata\partner\partner.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: DAPIELoader Class: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\dap\DAPIEL~1.DLL
BHO: GrabberObj Class: {ff7c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\speedb~1\toolbar\grabber.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: SpeedBit Video Downloader: {0329e7d6-6f54-462d-93f6-f5c3118badf2} - c:\program files\speedbit video downloader\toolbar\tbcore3.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [cdloader] "c:\users\john\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [DownloadAccelerator] "c:\program files\dap\DAP.EXE" /STARTUP
uRun: [M5T8QL3YW3] c:\users\john\appdata\local\temp\Xqq.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [PLFSetI] c:\windows\PLFSetI.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [ePower_DMC] c:\program files\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Acer Product Registration] "c:\program files\acer\acer registration\ACE1.exe" /startup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Cm106Sound] RunDll32 cm106.cpl,CMICtrlWnd
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: skillport.com
Trusted Zone: skillwsa.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL,avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\john\appdata\roaming\mozilla\firefox\profiles\07ojh1lp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\dap\dapfirefox\components\DAPFireFox.dll
FF - component: c:\program files\speedbit video downloader\spfirefox\components\Engine.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\john\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-22 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-22 29512]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-1 242896]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-15 308064]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-5-7 24576]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-7 50424]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-4 131072]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-2-25 1153368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-2-2 24652]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-10-23 112128]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-4-15 51160]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2008-4-8 43736]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-3-28 210432]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 TpChoice;Touch Pad Detection Filter driver;c:\windows\system32\drivers\TpChoice.sys [2008-5-7 17968]
S3 USBMULCD;USB Multi-Channel Audio Device Interface;c:\windows\system32\drivers\CM106.sys [2010-1-13 1501696]

=============== Created Last 30 ================

2010-04-30 15:35:06 165376 ----a-w- c:\windows\Xjekea.exe
2010-04-30 15:33:42 0 d-----w- c:\users\john\appdata\roaming\AF809818DD663984EA4B99421DC09E6B
2010-04-30 15:01:04 0 d-----w- c:\users\john\appdata\roaming\TwiPing
2010-04-30 15:00:15 0 d-----w- c:\program files\TwiPing
2010-04-30 03:55:06 0 d-----w- c:\program files\ESET
2010-04-30 03:38:22 0 d-----w- c:\users\john\appdata\roaming\Malwarebytes
2010-04-30 03:38:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-30 03:38:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-30 03:38:14 0 d-----w- c:\programdata\Malwarebytes
2010-04-30 03:38:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-30 02:17:01 140096 ----a-w- c:\windows\system32\COMDLG32.ocx
2010-04-30 02:17:01 0 d-----w- c:\program files\Hard Cash Hijack Traffic Control
2010-04-30 00:34:23 0 d-----w- c:\program files\Tweet Adder
2010-04-29 18:08:17 0 d-----w- c:\program files\Viral
2010-04-28 20:37:17 0 d-----w- c:\users\john\appdata\roaming\Tweetsbot
2010-04-26 14:07:46 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-21 01:31:49 0 d-----w- c:\program files\The Article ReWriter Company
2010-04-21 00:21:29 28 ----a-w- c:\windows\ODBC.INI
2010-04-20 04:27:33 172032 ----a-w- c:\windows\system32\AniGIF.ocx
2010-04-20 04:27:32 0 d-----w- c:\program files\DAP
2010-04-20 04:27:25 0 d-----w- c:\programdata\SpeedBit
2010-04-20 04:27:25 0 d-----w- c:\program files\SearchPredict
2010-04-20 04:27:24 0 d-----w- c:\program files\SpeedBit Video Downloader
2010-04-19 15:11:18 0 d-----w- c:\program files\DirectorySubmitter
2010-04-18 01:12:34 0 d-----w- c:\program files\Sincell
2010-04-18 00:57:35 0 d-----w- c:\users\john\appdata\roaming\Sincell
2010-04-18 00:57:18 0 d-----w- c:\programdata\Sincell
2010-04-17 05:41:34 0 d-----w- c:\program files\S3 Ripper
2010-04-15 16:02:01 0 d-----w- c:\users\john\appdata\roaming\ubot
2010-04-15 02:51:42 411480 ----a-w- c:\windows\system32\tsccvid.dll
2010-04-15 02:51:38 0 d-----w- c:\windows\system32\QuickTime
2010-04-15 02:50:48 0 d-----w- c:\program files\common files\TechSmith Shared
2010-04-15 02:50:38 0 d-----w- c:\programdata\TechSmith
2010-04-14 13:34:10 0 d-----w- c:\users\john\.freemind
2010-04-14 12:58:32 0 d-----w- c:\users\john\appdata\roaming\com.mesiablabs.Hummingbird.DD96D946B68711898AC52ED9549DF79715E23D9C.1
2010-04-14 01:11:10 0 d-----w- c:\users\john\appdata\roaming\ViralSubmitter
2010-04-13 14:35:46 0 d-----w- c:\program files\RSS Submit
2010-04-12 05:47:19 0 d-----w- c:\program files\Market Samurai
2010-04-12 05:01:34 0 d-----w- c:\users\john\appdata\roaming\Affilorama
2010-04-12 05:01:33 0 d-----w- c:\program files\Traffic Travis v3
2010-04-11 14:44:25 0 d-----w- c:\programdata\Apple Computer
2010-04-10 18:53:37 0 d-----w- c:\program files\IM Rapid Tools
2010-04-07 02:00:20 0 d-----w- c:\programdata\WinZip
2010-04-02 22:58:07 0 d-----w- c:\program files\Chris Ramsey

==================== Find3M ====================

2010-04-26 13:31:10 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-16 18:17:30 180328 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-15 12:22:50 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-15 12:22:18 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-06 00:33:19 7495757 ----a-w- C:\kwminer.zip
2010-03-05 14:01:02 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-18 14:07:05 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-18 14:07:05 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-18 13:30:03 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-01-14 02:33:27 51200 ----a-w- c:\windows\inf\infpub.dat
2010-01-14 02:33:27 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-01-14 02:33:26 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-17 04:05:26 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-01-03 05:39:10 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-10-23 08:44:36 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 18:18:57.44 ===============


and Attach.zip is attached.

Oh, and after removing the Antimalware Doctor, Google Chrome stopped working. It will load, but can't access the internet. I checked the LAN settings and they were ok.


Hope you can help me
Thanks
John
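Added example, not part of John's post and not code from DDS, BleepingComputer or the Malware Response Team: a small Python triage pass over lines in the DDS "Pseudo HJT Report" format, of the kind shown in the log above. It flags the entries a responder would look at first in a fake-AV case: a per-user `ProxyServer` setting (rogue AV commonly installs one, and a stale entry leaves a browser able to load but unable to reach the internet), a `uRun` autorun launching from a Temp directory under a machine-generated value name, `EnableLUA = 0` (UAC off), orphaned BHO/toolbar entries ("No File"), and a non-empty `AppInit_DLLs`. The sample lines are constructed (modelled on entries like those above, not the full log), and the severities and heuristics are this example's own assumptions; DDS only lists entries and rates nothing.

```python
"""Triage a DDS 'Pseudo HJT Report' for indicators a fake-AV infection leaves behind.

Added example: not part of the forum post above and not DDS or BleepingComputer code.
The severities and heuristics are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample in DDS's Pseudo HJT line format (modelled on entries of the
# kind seen in the log above; it is not the user's full log).
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 208.78.125.19:80
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [M5T8QL3YW3] c:\users\john\appdata\local\temp\Xqq.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mPolicies-system: EnableLUA = 0 (0x0)
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL,avgrsstx.dll
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info" (assumed scale, not a DDS rating)
    line: str      # the DDS line that triggered the finding
    reason: str


# DDS prefixes: u* = HKCU (per-user), m* = HKLM (machine-wide).
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<proxy>\S+)")
NOFILE_RE = re.compile(r"^(?:BHO|TB): .*- No File$")
LUA_OFF_RE = re.compile(r"^mPolicies-system: EnableLUA = 0\b")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>.+)$")
RANDOM_NAME_RE = re.compile(r"^[A-Z0-9]{8,}$")  # e.g. M5T8QL3YW3


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious indicator; clean lines produce nothing."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            findings.append(Finding("high", line,
                f"per-user HTTP proxy set to {m['proxy']}; rogue AV often installs one, "
                "and a stale entry leaves browsers unable to reach the internet"))
        m = RUN_RE.match(line)
        if m:
            # Both checks run independently: one line can yield two findings.
            if "\\temp\\" in m["cmd"].lower():
                findings.append(Finding("high", line,
                    "autorun launches an executable from a Temp directory"))
            if RANDOM_NAME_RE.match(m["name"]):
                findings.append(Finding("medium", line,
                    "autorun value name looks machine-generated"))
        if NOFILE_RE.match(line):
            findings.append(Finding("info", line,
                "orphaned browser object: CLSID still registered, file missing"))
        if LUA_OFF_RE.match(line):
            findings.append(Finding("high", line, "UAC disabled (EnableLUA = 0)"))
        m = APPINIT_RE.match(line)
        if m:
            findings.append(Finding("info", line,
                f"AppInit_DLLs loads into every user-mode process: {m['dlls']}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(results))
```

Run on the constructed sample it reports six findings: three high (the proxy, the Temp-directory autorun, UAC off), one medium (the random-looking value name on the same autorun) and two info (the orphaned BHO and the AppInit_DLLs entry, which here lists an AVG component and so needs a human to judge). The AVG and Skype entries pass untouched, which is the point of keying on location and policy rather than on product names.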


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 03 May 2010 - 08:03 PM



Hello John Lindsey, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.


When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.








Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.







Thanks,



thewall





If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 John Lindsey

John Lindsey
  • Topic Starter

  • Members
  • 15 posts

Posted 03 May 2010 - 08:31 PM

Hey thewall, thanks for taking my case. Here's the combofix log.

ComboFix 10-05-03.03 - john 05/03/2010 21:14:32.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3000.1792 [GMT -4:00]
Running from: c:\users\john\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
.

2010-05-03 06:15 . 2010-05-03 06:16 13407072 ----a-w- c:\users\john\AppData\Roaming\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-05-02 19:39 . 2010-05-02 19:58 -------- d-----w- C:\ComFix30783C
2010-05-02 00:38 . 2010-05-02 05:00 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-01 23:20 . 2010-05-01 23:25 52736 ----a-w- c:\windows\system32\drivers\rk_remover.sys
2010-05-01 17:54 . 2008-03-12 06:38 21560 ----a-w- C:\atapi.sys
2010-05-01 14:46 . 2010-05-01 15:06 -------- d-----w- C:\ComFix
2010-05-01 05:27 . 2010-05-04 01:13 -------- d-----w- c:\windows\system32\wbem\repository
2010-05-01 00:20 . 2010-05-01 00:20 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-05-01 00:12 . 2010-05-01 00:12 52224 ----a-w- c:\users\john\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-01 00:12 . 2010-05-02 00:20 117760 ----a-w- c:\users\john\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-01 00:12 . 2010-05-01 00:12 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-05-01 00:12 . 2010-05-01 00:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-01 00:12 . 2010-05-01 00:12 -------- d-----w- c:\users\john\AppData\Roaming\SUPERAntiSpyware.com
2010-05-01 00:11 . 2010-05-01 00:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-30 15:28 . 2010-04-30 15:28 -------- d-----w- c:\users\john\AppData\Local\TwiPing
2010-04-30 15:01 . 2010-04-30 15:01 -------- d-----w- c:\users\john\AppData\Roaming\TwiPing
2010-04-30 15:00 . 2010-04-30 15:00 -------- d-----w- c:\program files\TwiPing
2010-04-30 03:55 . 2010-04-30 03:55 -------- d-----w- c:\program files\ESET
2010-04-30 03:38 . 2010-04-30 03:38 -------- d-----w- c:\users\john\AppData\Roaming\Malwarebytes
2010-04-30 03:38 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-30 03:38 . 2010-04-30 03:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-30 03:38 . 2010-04-30 03:38 -------- d-----w- c:\programdata\Malwarebytes
2010-04-30 03:38 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-30 02:17 . 2010-04-30 02:17 -------- d-----w- c:\program files\Hard Cash Hijack Traffic Control
2010-04-30 00:34 . 2010-04-30 00:34 -------- d-----w- c:\program files\Tweet Adder
2010-04-29 18:08 . 2010-04-29 18:08 -------- d-----w- c:\program files\Viral
2010-04-28 20:37 . 2010-04-28 20:40 -------- d-----w- c:\users\john\AppData\Roaming\Tweetsbot
2010-04-28 12:54 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-28 12:54 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-28 12:54 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-28 12:54 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-28 12:54 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-28 12:54 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-28 12:54 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-28 12:54 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-28 12:54 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-28 12:54 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-28 12:54 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-26 14:07 . 2010-04-26 14:07 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-26 13:31 . 2010-04-26 13:31 242696 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-04-26 13:29 . 2010-04-26 13:29 1689952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-04-21 01:31 . 2010-04-21 01:31 -------- d-----w- c:\program files\The Article ReWriter Company
2010-04-21 00:23 . 2010-04-21 00:23 -------- d-----w- c:\users\john\AppData\Roaming\Apple Computer
2010-04-21 00:23 . 2010-04-21 00:23 -------- d-----w- c:\users\john\AppData\Local\Apple Computer
2010-04-20 13:28 . 2009-11-25 18:02 1230080 ----a-w- c:\programdata\AVG Security Toolbar\IEToolbar.dll
2010-04-20 04:27 . 2010-05-01 00:22 -------- d-----w- c:\program files\DAP
2010-04-20 04:27 . 2010-05-01 00:19 -------- d-----w- c:\programdata\SpeedBit
2010-04-20 04:27 . 2010-04-20 04:27 -------- d-----w- c:\program files\SearchPredict
2010-04-20 04:27 . 2010-04-20 04:27 -------- d-----w- c:\program files\SpeedBit Video Downloader
2010-04-19 15:11 . 2010-04-19 15:11 8854 ----a-r- c:\users\john\AppData\Roaming\Microsoft\Installer\{00D6FA20-0E53-4ACA-A96F-44A312E59C3C}\UNINST_Uninstall_Dir_00D6FA200E534ACAA96F44A312E59C3C.exe
2010-04-19 15:11 . 2010-04-19 15:11 126976 ----a-r- c:\users\john\AppData\Roaming\Microsoft\Installer\{00D6FA20-0E53-4ACA-A96F-44A312E59C3C}\DirectorySubmitter.e_B8C79C46F59349DBBAB4C18CF1C5AF0D.exe
2010-04-19 15:11 . 2010-04-19 15:11 10134 ----a-r- c:\users\john\AppData\Roaming\Microsoft\Installer\{00D6FA20-0E53-4ACA-A96F-44A312E59C3C}\ARPPRODUCTICON.exe
2010-04-19 15:11 . 2010-04-19 15:14 -------- d-----w- c:\program files\DirectorySubmitter
2010-04-19 03:04 . 2010-04-19 03:04 -------- d-----w- c:\users\john\AppData\Local\TechSmith
2010-04-18 01:12 . 2010-04-18 01:12 -------- d-----w- c:\program files\Sincell
2010-04-18 00:57 . 2010-04-18 00:57 -------- d-----w- c:\users\john\AppData\Roaming\Sincell
2010-04-18 00:57 . 2010-04-18 00:57 -------- d-----w- c:\programdata\Sincell
2010-04-17 05:41 . 2010-04-17 05:41 -------- d-----w- c:\users\john\AppData\Local\bhw
2010-04-17 05:41 . 2010-04-17 05:41 -------- d-----w- c:\program files\S3 Ripper
2010-04-15 16:02 . 2010-04-15 16:02 -------- d-----w- c:\users\john\AppData\Roaming\ubot
2010-04-15 16:01 . 2010-04-15 16:01 -------- d-----w- c:\users\john\AppData\Local\Xenocode
2010-04-15 02:51 . 2010-03-04 21:27 411480 ----a-w- c:\windows\system32\tsccvid.dll
2010-04-15 02:51 . 2010-04-15 02:51 -------- d-----w- c:\windows\system32\QuickTime
2010-04-15 02:50 . 2010-04-15 02:50 -------- d-----w- c:\program files\Common Files\TechSmith Shared
2010-04-15 02:50 . 2010-04-15 02:51 -------- d-----w- c:\programdata\TechSmith
2010-04-14 13:34 . 2010-04-14 13:34 -------- d-----w- c:\users\john\.freemind
2010-04-14 12:58 . 2010-04-14 12:58 -------- d-----w- c:\users\john\AppData\Roaming\com.mesiablabs.Hummingbird.DD96D946B68711898AC52ED9549DF79715E23D9C.1
2010-04-14 01:11 . 2010-04-14 01:11 -------- d-----w- c:\users\john\AppData\Local\IsolatedStorage
2010-04-14 01:11 . 2010-04-14 01:11 -------- d-----w- c:\users\john\AppData\Roaming\ViralSubmitter
2010-04-13 14:35 . 2010-04-14 01:33 -------- d-----w- c:\program files\RSS Submit
2010-04-12 05:47 . 2010-04-12 05:47 -------- d-----w- c:\program files\Market Samurai
2010-04-12 05:01 . 2010-04-12 05:01 -------- d-----w- c:\users\john\AppData\Roaming\Affilorama
2010-04-12 05:01 . 2010-04-12 05:01 -------- d-----w- c:\program files\Traffic Travis v3
2010-04-11 14:46 . 2010-04-11 14:46 -------- d-----w- c:\program files\Safari
2010-04-11 14:46 . 2010-04-11 14:46 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-04-11 14:44 . 2010-04-11 14:44 -------- d-----w- c:\program files\QuickTime
2010-04-11 14:44 . 2010-04-11 14:44 -------- d-----w- c:\programdata\Apple Computer
2010-04-10 18:53 . 2010-04-10 18:53 -------- d-----w- c:\program files\IM Rapid Tools
2010-04-08 13:32 . 2010-04-08 13:32 4255072 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-04-07 02:00 . 2010-04-17 06:04 -------- d-----w- c:\programdata\WinZip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 21:14 . 2010-03-02 15:07 0 ----a-w- c:\users\john\AppData\Local\prvlcl.dat
2010-05-02 18:59 . 2010-01-26 23:09 -------- d-----w- c:\users\john\AppData\Roaming\Skype
2010-05-02 18:53 . 2010-01-26 23:11 -------- d-----w- c:\users\john\AppData\Roaming\skypePM
2010-05-01 15:57 . 2009-10-29 21:02 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-05-01 06:51 . 2009-11-10 01:51 -------- d-----w- c:\users\john\AppData\Roaming\vlc
2010-04-30 19:12 . 2008-05-07 08:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-30 17:28 . 2008-11-19 10:26 -------- d-----w- c:\program files\Google
2010-04-30 05:08 . 2009-12-01 18:32 1 ----a-w- c:\users\john\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-29 19:22 . 2010-03-05 03:31 439816 ----a-w- c:\users\john\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-04-28 20:36 . 2010-03-11 00:03 -------- d-----w- c:\program files\Tweetsbot
2010-04-28 12:58 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-27 18:55 . 2008-05-07 08:56 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-26 14:10 . 2009-10-26 16:36 -------- d-----w- c:\program files\Common Files\Java
2010-04-26 13:31 . 2010-02-02 01:06 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-21 00:38 . 2010-03-05 05:27 -------- d-----w- c:\program files\Rapid Keyword
2010-04-20 13:28 . 2009-06-29 20:32 -------- d-----w- c:\programdata\AVG Security Toolbar
2010-04-20 04:58 . 2009-11-18 06:54 -------- d-----w- c:\users\john\AppData\Roaming\dvdcss
2010-04-15 02:50 . 2010-03-05 06:24 -------- d-----w- c:\program files\TechSmith
2010-04-06 14:31 . 2008-05-07 08:45 -------- d-----w- c:\program files\Microsoft.NET
2010-04-06 14:29 . 2008-05-07 08:50 -------- d-----w- c:\program files\Microsoft Small Business
2010-04-02 22:58 . 2010-04-02 22:58 10134 ----a-r- c:\users\john\AppData\Roaming\Microsoft\Installer\{2A666CA0-D45E-4351-A1B0-13993B75CCDC}\_588756C92B132806DAC9D2.exe
2010-04-02 22:58 . 2010-04-02 22:58 -------- d-----w- c:\program files\Chris Ramsey
2010-03-26 19:20 . 2010-03-26 19:20 20846064 ----a-w- c:\users\john\AppData\Roaming\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-26 03:06 . 2010-03-26 02:25 -------- d-----w- c:\users\john\AppData\Roaming\eBookPro6
2010-03-24 00:38 . 2010-03-24 00:32 -------- d-----w- c:\program files\Common Files\SB Solutions
2010-03-23 22:05 . 2010-03-23 22:05 -------- dc-h--w- c:\programdata\{6652b31b-3dd5-4e71-8a3c-a017a6ca321b}
2010-03-23 22:05 . 2010-03-23 22:05 -------- d-----w- c:\program files\eWriterPro
2010-03-22 02:54 . 2010-02-20 20:26 -------- d-----w- c:\users\john\AppData\Roaming\FileZilla
2010-03-22 02:39 . 2010-02-20 20:26 -------- d-----w- c:\program files\FileZilla FTP Client
2010-03-16 18:17 . 2010-03-16 18:17 180328 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-16 17:46 . 2010-03-16 17:46 -------- d-----w- c:\users\john\AppData\Roaming\MarketSamurai.6E37012E1CBD7F47B14488FCC715944F3EBDCEDC.1
2010-03-16 17:44 . 2010-03-16 17:44 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-16 17:44 . 2010-03-16 17:44 38784 ----a-w- c:\users\john\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-16 17:44 . 2010-03-16 17:44 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-15 12:22 . 2010-03-15 12:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-15 12:22 . 2008-12-22 15:52 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-15 12:22 . 2008-12-22 15:52 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-13 05:00 . 2010-03-13 05:00 -------- d-----w- c:\program files\MySQL
2010-03-13 04:59 . 2010-03-13 04:59 -------- d-----w- c:\program files\Vision Quest
2010-03-11 16:26 . 2010-03-11 14:39 -------- d-----w- c:\program files\Keyword Harvester
2010-03-11 15:22 . 2010-03-11 15:22 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-11 01:06 . 2010-03-11 01:06 -------- d-----w- c:\program files\Common Files\Apple
2010-03-11 01:06 . 2010-03-11 01:06 -------- d-----w- c:\program files\Apple Software Update
2010-03-11 01:06 . 2010-03-11 01:06 -------- d-----w- c:\programdata\Apple
2010-03-07 15:54 . 2010-02-17 21:15 -------- d-----w- c:\program files\SEO PowerSuite
2010-03-07 02:11 . 2008-12-18 16:27 -------- d-----w- c:\users\john\AppData\Roaming\mjusbsp
2010-03-06 00:33 . 2010-03-06 00:33 7495757 ----a-w- C:\kwminer.zip
2010-03-05 11:31 . 2010-03-05 11:31 8405312 ----a-w- c:\users\john\AppData\Roaming\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-05 11:31 . 2010-03-05 11:31 149000 ----a-w- c:\users\john\AppData\Roaming\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-05 11:31 . 2010-03-05 11:31 283280 ----a-w- c:\users\john\AppData\Roaming\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-05 11:31 . 2010-03-05 11:31 181768 ----a-w- c:\users\john\AppData\Roaming\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-05 11:31 . 2010-03-05 11:31 79368 ----a-w- c:\users\john\AppData\Roaming\Real\Update\setup3.10\RUP\vista.exe
2010-03-05 11:31 . 2010-03-05 11:31 64000 ----a-w- c:\users\john\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-05 11:31 . 2010-03-05 11:31 52288 ----a-w- c:\users\john\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-05 11:31 . 2010-03-05 11:31 50688 ----a-w- c:\users\john\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-05 11:31 . 2010-03-05 11:31 49152 ----a-w- c:\users\john\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-05 11:31 . 2010-03-05 11:31 118784 ----a-w- c:\users\john\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-05 06:01 . 2010-02-25 06:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-05 05:44 . 2010-03-05 05:37 -------- d-----w- c:\users\john\AppData\Roaming\Keyword Research Pro
2010-03-02 21:47 . 2008-11-19 10:29 104616 ----a-w- c:\users\john\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-26 23:51 . 2010-02-26 23:51 138584 ----a-w- c:\users\john\AppData\Roaming\mjusbsp\ug00000\magicJack.dll
2010-02-26 23:51 . 2010-03-07 02:10 6870864 ---ha-w- c:\users\john\AppData\Roaming\mjusbsp\in00000\setup.exe
2010-02-26 23:51 . 2010-03-02 05:26 6870864 ---ha-w- c:\users\john\AppData\Roaming\mjusbsp\Upgrade\setup2.exe
2010-02-26 23:51 . 2010-02-26 23:51 6870864 ----a-w- c:\users\john\AppData\Roaming\mjusbsp\ug00000\setup.exe
2010-02-26 23:51 . 2010-02-26 23:51 705936 ----a-w- c:\users\john\AppData\Roaming\mjusbsp\magicJackLoader.exe
2010-02-26 23:51 . 2010-02-26 23:51 480608 ----a-w- c:\users\john\AppData\Roaming\mjusbsp\octvqe1_apiw.dll
2010-02-26 23:51 . 2010-02-26 23:51 214360 ----a-w- c:\users\john\AppData\Roaming\mjusbsp\TjVista.dll
2010-02-26 23:50 . 2010-02-26 23:50 324952 ----a-w- c:\users\john\AppData\Roaming\mjusbsp\TjIpSys.dll
2010-02-26 23:50 . 2010-02-26 23:50 615792 ----a-w- c:\users\john\AppData\Roaming\mjusbsp\SJHandsetMagicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 87384 ----a-w- c:\users\john\AppData\Roaming\mjusbsp\st00000\mjsetup.exe
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\users\john\AppData\Roaming\mjusbsp\st00000\magicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\users\john\AppData\Roaming\mjusbsp\magicJack.dll
2010-02-26 23:46 . 2010-02-26 23:46 12526424 ----a-w- c:\users\john\AppData\Roaming\mjusbsp\magicJack.exe
2010-02-26 23:45 . 2010-03-07 02:10 743872 ---ha-w- c:\users\john\AppData\Roaming\mjusbsp\ar00000\install.exe
2010-02-26 23:45 . 2010-03-02 05:26 743872 ---ha-w- c:\users\john\AppData\Roaming\mjusbsp\Upgrade\install2.exe
2010-02-26 23:45 . 2010-02-26 23:45 743872 ----a-w- c:\users\john\AppData\Roaming\mjusbsp\ug00000\install.exe
2010-02-26 23:45 . 2010-02-26 23:45 87384 ----a-w- c:\users\john\AppData\Roaming\mjusbsp\in00000\mjsetup.exe
2010-02-26 23:45 . 2010-02-26 23:45 138584 ----a-w- c:\users\john\AppData\Roaming\mjusbsp\in00000\magicJack.dll
2010-02-26 23:44 . 2010-02-26 23:44 138584 ----a-w- c:\users\john\AppData\Roaming\mjusbsp\lr00000\magicJack.dll
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\john\AppData\Roaming\mjusbsp\ug00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\john\AppData\Roaming\mjusbsp\st00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\john\AppData\Roaming\mjusbsp\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\john\AppData\Roaming\mjusbsp\in00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 50520 ----a-w- c:\users\john\AppData\Roaming\mjusbsp\cdloader2.exe
2010-02-24 14:16 . 2009-10-16 14:28 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-04-02 12:38 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-04-02 12:38 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-04-02 12:38 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-04-02 12:38 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-04-02 12:38 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-04-02 12:38 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-04-02 12:38 411648 ----a-w- c:\windows\system32\drivers\http.sys
2008-10-23 08:44 . 2008-10-23 08:44 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3017FB3E-9A77-4396-88C5-0EC9548FB42F}]
2010-04-20 04:27 2447360 ----a-w- c:\program files\SpeedBit Video Downloader\Toolbar\tbcore3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{389943B0-C3A2-4E69-82CB-8596A84CB3DC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}]
2008-11-19 10:27 157168 ----a-w- c:\programdata\Partner\partner.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:02 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\users\john\AppData\Roaming\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-27 2020592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-05-21 6144000]
"PLFSetI"="c:\windows\PLFSetI.exe" [2008-07-30 200704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-02-22 1037608]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-07-25 875016]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-08-01 405504]
"Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-15 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):7f,08,ec,bd,f8,58,ca,01

R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-03-28 210432]
R3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [2010-05-01 52736]
R3 TpChoice;Touch Pad Detection Filter driver;c:\windows\system32\DRIVERS\TpChoice.sys [2007-12-26 17968]
R3 USBMULCD;USB Multi-Channel Audio Device Interface;c:\windows\system32\drivers\CM106.sys [2008-10-14 1501696]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-15 216200]
S1 AvgTdiX;AVG Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-04-26 242896]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-04-27 61440]
S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-15 308064]
S2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
S2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-07 50424]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-30 112128]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-04-15 51160]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2008-04-08 43736]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1008&m=extensa_5630
uInternet Settings,ProxyServer = 208.78.125.19:80
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: skillport.com
Trusted Zone: skillwsa.com
FF - ProfilePath - c:\users\john\AppData\Roaming\Mozilla\Firefox\Profiles\07ojh1lp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\SpeedBit Video Downloader\SPFireFox\components\Engine.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\john\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-ESET Online Scanner - c:\program files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-03 21:25
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x858FEEE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82f9fd24
\Driver\ACPI -> acpi.sys @ 0x8069ed68
\Driver\atapi -> ataport.SYS @ 0x807daa2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-05-03 21:28:34
ComboFix-quarantined-files.txt 2010-05-04 01:28

Pre-Run: 36,269,338,624 bytes free
Post-Run: 36,292,853,760 bytes free

- - End Of File - - F8734959CCC5C797D34C60FCC056FC64
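Two entries in the ComboFix log above deserve a closer look than the tools give them: a user-hive `ProxyServer` set to a public IP (`208.78.125.19:80`), which on its own is enough to explain search redirects and pages that fail to load, and `EnableLUA = 0`, meaning UAC is switched off. The block below is an added example, written for this page and not code from ComboFix, BleepingComputer or the poster; it parses lines modeled on the "Reg Loading Points" and "Supplementary Scan" sections and flags those indicators. The `u`/`m` hive prefixes and the registry key names are ComboFix's and Windows'; the tag names, the "public address" heuristic and the sample text are this example's own.

```python
import ipaddress
import re

# Constructed sample, modeled on the "Reg Loading Points" and "Supplementary
# Scan" sections of the ComboFix log above (trimmed to the lines of interest).
SAMPLE_COMBOFIX = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]
"AppInit_DLLs"=c:\\windows\\System32\\avgrsstx.dll

------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 208.78.125.19:80
Trusted Zone: skillport.com
"""

_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# ComboFix prefixes the Supplementary Scan lines: 'u' = HKCU, 'm' = HKLM.
_PROXY = re.compile(r"^([um])Internet Settings,ProxyServer\s*=\s*(\S+)$")

UAC_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system\enablelua"
APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows\appinit_dlls"


def parse_values(text):
    """Map 'key\\valuename' (lower-cased) -> raw value text for the REGEDIT-style blocks."""
    key, out = None, {}
    for line in text.splitlines():
        line = line.strip()
        k = _KEY.match(line)
        if k:
            key = k.group(1).lower()
            continue
        v = _VALUE.match(line)
        if v and key:
            out[f"{key}\\{v.group(1).lower()}"] = v.group(2).strip()
    return out


def proxy_targets(text):
    """(scope, host, port) for every ProxyServer line; scope 'u' is HKCU, 'm' is HKLM."""
    found = []
    for line in text.splitlines():
        m = _PROXY.match(line.strip())
        if m:
            host, _, port = m.group(2).rpartition(":")
            found.append((m.group(1), host, int(port) if port.isdigit() else None))
    return found


def is_public(host):
    """True for a globally routable IP, False for private/loopback/etc., None for a hostname."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return None


def findings(text):
    """Indicator list as (tag, detail); the tags are this example's, not ComboFix output."""
    vals = parse_values(text)
    out = []
    for scope, host, port in proxy_targets(text):
        # A browser proxy the user never configured, pointing at a public host,
        # means every request is relayed through a third party: a redirect indicator.
        if is_public(host):
            hive = "HKCU" if scope == "u" else "HKLM"
            out.append(("proxy_public", f"{hive} ProxyServer -> {host}:{port}"))
    # EnableLUA = 0 disables UAC, so anything the user runs gets full admin rights silently.
    if vals.get(UAC_KEY, "").startswith("0"):
        out.append(("uac_disabled", "EnableLUA = 0"))
    # AppInit_DLLs is loaded into every user32-linked process; here it is AVG's own
    # DLL, so this is a review item, not a malicious verdict.
    if vals.get(APPINIT_KEY):
        out.append(("appinit_dll", vals[APPINIT_KEY]))
    return out


if __name__ == "__main__":
    for tag, detail in findings(SAMPLE_COMBOFIX):
        print(f"{tag:14s} {detail}")
```

The proxy check is the one worth running first on any "random redirects" report: `208.78.125.19` is not a private or loopback address, and the poster did not mention configuring a proxy, so removing that value (and checking that it does not come back after reboot) is part of the cleanup regardless of which rootkit is found later.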


#4 thewall


  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 04 May 2010 - 04:28 PM

You're welcome

We'll run this next:

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper


Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 John Lindsey

  • Topic Starter

  • Members
  • 15 posts

Posted 04 May 2010 - 05:19 PM

Hi, thewall

I have a format of my external HD going right now. As soon as it's done I'll run the TDSS Killer.

Thanks
John

#6 thewall


  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 04 May 2010 - 05:45 PM

Alright, thanks for letting me know.

#7 John Lindsey

  • Topic Starter

  • Members
  • 15 posts

Posted 04 May 2010 - 11:46 PM

Hello thewall,

I was reading other threads about how these rootkits can block access to Windows Update, and lo and behold, I can't get to it either.
So what I'm experiencing is:

Random search redirects
New tabs popping up by themselves
Google Chrome won't load pages
Can't get to Windows Update

Here's the TDSSKiller log:

00:31:20:840 4340 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
00:31:20:840 4340 ================================================================================
00:31:20:840 4340 SystemInfo:

00:31:20:840 4340 OS Version: 6.0.6002 ServicePack: 2.0
00:31:20:840 4340 Product type: Workstation
00:31:20:840 4340 ComputerName: JOHN-ACER
00:31:20:840 4340 UserName: john
00:31:20:840 4340 Windows directory: C:\Windows
00:31:20:840 4340 Processor architecture: Intel x86
00:31:20:840 4340 Number of processors: 2
00:31:20:840 4340 Page size: 0x1000
00:31:20:840 4340 Boot type: Normal boot
00:31:20:840 4340 ================================================================================
00:31:20:840 4340 UnloadDriverW: NtUnloadDriver error 2
00:31:20:840 4340 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
00:31:20:981 4340 wfopen_ex: Trying to open file C:\Windows\system32\config\system
00:31:21:012 4340 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
00:31:21:012 4340 wfopen_ex: Trying to KLMD file open
00:31:21:012 4340 wfopen_ex: File opened ok (Flags 2)
00:31:21:012 4340 wfopen_ex: Trying to open file C:\Windows\system32\config\software
00:31:21:012 4340 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
00:31:21:012 4340 wfopen_ex: Trying to KLMD file open
00:31:21:012 4340 wfopen_ex: File opened ok (Flags 2)
00:31:21:012 4340 Initialize success
00:31:21:012 4340
00:31:21:012 4340 Scanning Services ...
00:31:21:886 4340 Raw services enum returned 436 services
00:31:21:901 4340
00:31:21:901 4340 Scanning Kernel memory ...
00:31:21:901 4340 Devices to scan: 3
00:31:21:901 4340
00:31:21:901 4340 Driver Name: USBSTOR
00:31:21:901 4340 IRP_MJ_CREATE : 8F10AFC8
00:31:21:901 4340 IRP_MJ_CREATE_NAMED_PIPE : 82077A22
00:31:21:901 4340 IRP_MJ_CLOSE : 8F10B040
00:31:21:901 4340 IRP_MJ_READ : 8F10B0B8
00:31:21:901 4340 IRP_MJ_WRITE : 8F10B0B8
00:31:21:901 4340 IRP_MJ_QUERY_INFORMATION : 82077A22
00:31:21:901 4340 IRP_MJ_SET_INFORMATION : 82077A22
00:31:21:901 4340 IRP_MJ_QUERY_EA : 82077A22
00:31:21:901 4340 IRP_MJ_SET_EA : 82077A22
00:31:21:901 4340 IRP_MJ_FLUSH_BUFFERS : 82077A22
00:31:21:901 4340 IRP_MJ_QUERY_VOLUME_INFORMATION : 82077A22
00:31:21:901 4340 IRP_MJ_SET_VOLUME_INFORMATION : 82077A22
00:31:21:901 4340 IRP_MJ_DIRECTORY_CONTROL : 82077A22
00:31:21:901 4340 IRP_MJ_FILE_SYSTEM_CONTROL : 82077A22
00:31:21:901 4340 IRP_MJ_DEVICE_CONTROL : 8F10ABC4
00:31:21:901 4340 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8F0FE7E4
00:31:21:901 4340 IRP_MJ_SHUTDOWN : 82077A22
00:31:21:901 4340 IRP_MJ_LOCK_CONTROL : 82077A22
00:31:21:901 4340 IRP_MJ_CLEANUP : 82077A22
00:31:21:901 4340 IRP_MJ_CREATE_MAILSLOT : 82077A22
00:31:21:901 4340 IRP_MJ_QUERY_SECURITY : 82077A22
00:31:21:901 4340 IRP_MJ_SET_SECURITY : 82077A22
00:31:21:901 4340 IRP_MJ_POWER : 8F10959C
00:31:21:901 4340 IRP_MJ_SYSTEM_CONTROL : 8F1067A2
00:31:21:901 4340 IRP_MJ_DEVICE_CHANGE : 82077A22
00:31:21:901 4340 IRP_MJ_QUERY_QUOTA : 82077A22
00:31:21:901 4340 IRP_MJ_SET_QUOTA : 82077A22
00:31:21:917 4340 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
00:31:21:917 4340
00:31:21:917 4340 Driver Name: USBSTOR
00:31:21:917 4340 IRP_MJ_CREATE : 8F10AFC8
00:31:21:917 4340 IRP_MJ_CREATE_NAMED_PIPE : 82077A22
00:31:21:917 4340 IRP_MJ_CLOSE : 8F10B040
00:31:21:917 4340 IRP_MJ_READ : 8F10B0B8
00:31:21:917 4340 IRP_MJ_WRITE : 8F10B0B8
00:31:21:917 4340 IRP_MJ_QUERY_INFORMATION : 82077A22
00:31:21:917 4340 IRP_MJ_SET_INFORMATION : 82077A22
00:31:21:917 4340 IRP_MJ_QUERY_EA : 82077A22
00:31:21:917 4340 IRP_MJ_SET_EA : 82077A22
00:31:21:917 4340 IRP_MJ_FLUSH_BUFFERS : 82077A22
00:31:21:917 4340 IRP_MJ_QUERY_VOLUME_INFORMATION : 82077A22
00:31:21:917 4340 IRP_MJ_SET_VOLUME_INFORMATION : 82077A22
00:31:21:917 4340 IRP_MJ_DIRECTORY_CONTROL : 82077A22
00:31:21:917 4340 IRP_MJ_FILE_SYSTEM_CONTROL : 82077A22
00:31:21:917 4340 IRP_MJ_DEVICE_CONTROL : 8F10ABC4
00:31:21:917 4340 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8F0FE7E4
00:31:21:917 4340 IRP_MJ_SHUTDOWN : 82077A22
00:31:21:917 4340 IRP_MJ_LOCK_CONTROL : 82077A22
00:31:21:917 4340 IRP_MJ_CLEANUP : 82077A22
00:31:21:917 4340 IRP_MJ_CREATE_MAILSLOT : 82077A22
00:31:21:917 4340 IRP_MJ_QUERY_SECURITY : 82077A22
00:31:21:917 4340 IRP_MJ_SET_SECURITY : 82077A22
00:31:21:917 4340 IRP_MJ_POWER : 8F10959C
00:31:21:917 4340 IRP_MJ_SYSTEM_CONTROL : 8F1067A2
00:31:21:917 4340 IRP_MJ_DEVICE_CHANGE : 82077A22
00:31:21:917 4340 IRP_MJ_QUERY_QUOTA : 82077A22
00:31:21:917 4340 IRP_MJ_SET_QUOTA : 82077A22
00:31:21:917 4340 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
00:31:21:917 4340
00:31:21:917 4340 Driver Name: atapi
00:31:21:917 4340 IRP_MJ_CREATE : 8570EEE4
00:31:21:917 4340 IRP_MJ_CREATE_NAMED_PIPE : 8570EEE4
00:31:21:917 4340 IRP_MJ_CLOSE : 8570EEE4
00:31:21:917 4340 IRP_MJ_READ : 8570EEE4
00:31:21:917 4340 IRP_MJ_WRITE : 8570EEE4
00:31:21:917 4340 IRP_MJ_QUERY_INFORMATION : 8570EEE4
00:31:21:917 4340 IRP_MJ_SET_INFORMATION : 8570EEE4
00:31:21:917 4340 IRP_MJ_QUERY_EA : 8570EEE4
00:31:21:917 4340 IRP_MJ_SET_EA : 8570EEE4
00:31:21:917 4340 IRP_MJ_FLUSH_BUFFERS : 8570EEE4
00:31:21:917 4340 IRP_MJ_QUERY_VOLUME_INFORMATION : 8570EEE4
00:31:21:917 4340 IRP_MJ_SET_VOLUME_INFORMATION : 8570EEE4
00:31:21:917 4340 IRP_MJ_DIRECTORY_CONTROL : 8570EEE4
00:31:21:917 4340 IRP_MJ_FILE_SYSTEM_CONTROL : 8570EEE4
00:31:21:917 4340 IRP_MJ_DEVICE_CONTROL : 8570EEE4
00:31:21:917 4340 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8570EEE4
00:31:21:917 4340 IRP_MJ_SHUTDOWN : 8570EEE4
00:31:21:917 4340 IRP_MJ_LOCK_CONTROL : 8570EEE4
00:31:21:917 4340 IRP_MJ_CLEANUP : 8570EEE4
00:31:21:917 4340 IRP_MJ_CREATE_MAILSLOT : 8570EEE4
00:31:21:917 4340 IRP_MJ_QUERY_SECURITY : 8570EEE4
00:31:21:917 4340 IRP_MJ_SET_SECURITY : 8570EEE4
00:31:21:917 4340 IRP_MJ_POWER : 8570EEE4
00:31:21:917 4340 IRP_MJ_SYSTEM_CONTROL : 8570EEE4
00:31:21:917 4340 IRP_MJ_DEVICE_CHANGE : 8570EEE4
00:31:21:917 4340 IRP_MJ_QUERY_QUOTA : 8570EEE4
00:31:21:917 4340 IRP_MJ_SET_QUOTA : 8570EEE4
00:31:21:917 4340 Driver "atapi" infected by TDSS rootkit!
00:31:21:932 4340 C:\Windows\system32\drivers\atapi.sys - Verdict: 1
00:31:21:932 4340 File "C:\Windows\system32\drivers\atapi.sys" infected by TDSS rootkit ...
00:31:21:932 4340 Processing driver file: C:\Windows\system32\drivers\atapi.sys
00:31:21:995 4340 vfvi6
00:31:22:088 4340 dsvbh1
00:31:22:416 4340 fdfb1
00:31:22:416 4340 Backup copy found, using it..
00:31:22:432 4340 will be cured on next reboot
00:31:22:432 4340 Reboot required for cure complete..
00:31:22:432 4340 Cure on reboot scheduled successfully
00:31:22:432 4340
00:31:22:432 4340 Completed
00:31:22:432 4340
00:31:22:432 4340 Results:
00:31:22:432 4340 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
00:31:22:432 4340 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
00:31:22:432 4340 File objects infected / cured / cured on reboot: 1 / 0 / 1
00:31:22:432 4340
00:31:22:432 4340 fclose_ex: Trying to close file C:\Windows\system32\config\system
00:31:22:432 4340 fclose_ex: Trying to close file C:\Windows\system32\config\software
00:31:22:432 4340 UnloadDriverW: NtUnloadDriver error 1
00:31:22:432 4340 KLMD(ARK) unloaded successfully


GMER, however, wasn't impressed:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-05 00:36:59
Windows 6.0.6002 Service Pack 2
Running: ubzo3u5e.exe; Driver: C:\Users\john\AppData\Local\Temp\kxtcipog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8570EEE4

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Thanks
John

#8 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 05 May 2010 - 10:25 AM

Showed right back up. We'll have to go a different route.


  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press OK
      This will launch a Command Prompt window (looks like DOS).
  • Type or Copy/Paste: c:\windows\mbr.exe -f >>"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive.
  • Copy and paste the results of the mbr.log in your next reply.

If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#9 John Lindsey
  • Topic Starter

  • Members
  • 15 posts

Posted 05 May 2010 - 11:04 AM

I'm getting an error message:

Windows cannot find c:\windows\mbr.exe. Make sure you typed the name correctly, and then try again.

I copied and pasted and also typed it in manually and got the same error both times.

#10 John Lindsey
  • Topic Starter

  • Members
  • 15 posts

Posted 05 May 2010 - 11:41 AM

I went to gmer and got it:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#11 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 05 May 2010 - 12:01 PM

I see the following file at the root of your system. Did you place it there?


C:\atapi.sys

#12 John Lindsey
  • Topic Starter

  • Members
  • 15 posts

Posted 05 May 2010 - 01:41 PM

Yes, I found it in c:\windows\system32\DriverStore\FileRepository folder. I ran it thru Virustotal, it came back clean so I copied it to c:\ to make it easier to find.

#13 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 05 May 2010 - 02:26 PM

Good, that eliminates a step for us in the next thing we want to do. Since you have already copied the file to the root of the drive we are going to use the Recovery Environment to replace the infected one.



Next we will need to boot into the Recovery Environment:

Tap F8 on startup and select Repair your computer from the list of startup options.

If Repair your computer is not an option on the Advanced Startup menu, insert your Windows Vista dvd and restart the computer, then when prompted, select Repair your computer
  • select your keyboard layout
  • enter your username and password (if you use one)
  • then the System Recovery Options menu comes up
  • select Command Prompt
It will open to an x:\sources> prompt

(this may vary depending if you boot from cd or an installed RE)


at the X:\sources prompt type the following, hitting Enter after each line:


ren c:\windows\system32\drivers\atapi.sys atapi.old
copy c:\atapi.sys c:\windows\system32\drivers\atapi.sys
exit


You should receive a message that "1 file" has been copied.

(if you do not receive a message that 1 file has been copied, the file will need to be renamed back - type
ren c:\windows\system32\drivers\atapi.old atapi.sys press enter
then type exit, reboot the system normally and report this to me.)


Reboot Normally.


Run GMER for me again and post the log back here.

#14 John Lindsey
  • Topic Starter

  • Members
  • 15 posts

Posted 05 May 2010 - 03:01 PM

Hey thewall,
I ran into a little snag. It said it couldn't find c:\atapi.sys
I had to change the name back and restart. Looked in c:\ and sure enough, it wasn't there.
I went and found another one, ran it thru virustotal and copied it back into c:\
After that, everything worked according to plan.

GMER seems a little happier this time:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-05 15:59:53
Windows 6.0.6002 Service Pack 2
Running: ubzo3u5e.exe; Driver: C:\Users\john\AppData\Local\Temp\kxtcipog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

I have the full GMER scan running now if you need that log also.

Edited by John Lindsey, 05 May 2010 - 03:02 PM.
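The TDSSKiller dispatch table above (every IRP_MJ_* entry pointing at 8570EEE4) and GMER's "Device -> \Driver\atapi \Device\Harddisk0\DR0 8570EEE4" line describe the same hook, and the GMER log after the atapi.sys swap no longer shows it. As an added example, not code from the thread or from either tool's authors, this Python check correlates the two logs and confirms the post-fix log is clean; the log excerpts are constructed from the output posted in the thread.

```python
import re
from collections import Counter

# Constructed excerpts modelled on the TDSSKiller and GMER output posted in the thread.
TDSSKILLER_LOG = """\
00:31:21:917 4340 IRP_MJ_CREATE : 8570EEE4
00:31:21:917 4340 IRP_MJ_READ : 8570EEE4
00:31:21:917 4340 IRP_MJ_WRITE : 8570EEE4
00:31:21:917 4340 IRP_MJ_DEVICE_CONTROL : 8570EEE4
00:31:21:917 4340 IRP_MJ_SET_QUOTA : 8570EEE4
00:31:21:917 4340 Driver "atapi" infected by TDSS rootkit!
"""
GMER_BEFORE = """\
Device -> \\Driver\\atapi \\Device\\Harddisk0\\DR0 8570EEE4
File C:\\Windows\\system32\\drivers\\atapi.sys suspicious modification
"""
GMER_AFTER = """\
AttachedDevice \\FileSystem\\fastfat \\Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
"""

IRP_RE = re.compile(r"(IRP_MJ_\w+) : ([0-9A-Fa-f]{8})")
DEVICE_RE = re.compile(r"^Device -> (\S+) (\S+) ([0-9A-Fa-f]{8})$", re.M)
FILE_RE = re.compile(r"^File (\S+) suspicious modification$", re.M)

def dispatch_targets(tdss_log):
    """Count IRP_MJ_* dispatch entries per target address. A healthy driver spreads
    its table over several routines; every entry landing on one address is the hook."""
    return Counter(addr.upper() for _, addr in IRP_RE.findall(tdss_log))

def gmer_findings(gmer_log):
    """Extract GMER's hooked device objects and suspicious-modification file lines."""
    return {"hooked_devices": {(d, dev, a.upper()) for d, dev, a in DEVICE_RE.findall(gmer_log)},
            "suspicious_files": set(FILE_RE.findall(gmer_log))}

def correlate(tdss_log, gmer_log):
    """Flag a single address owning the whole dispatch table that GMER also reports as a device hook."""
    targets = dispatch_targets(tdss_log)
    single = [a for a, n in targets.items() if n == sum(targets.values())]
    found = gmer_findings(gmer_log)
    matches = sorted(d for d in found["hooked_devices"] if single and d[2] == single[0])
    return {"single_target": single[0] if single else None,
            "matching_devices": matches,
            "suspicious_files": sorted(found["suspicious_files"])}

def remediation_verified(before_log, after_log):
    """True only if the pre-fix log had a hooked device and the post-fix log has neither finding."""
    before, after = gmer_findings(before_log), gmer_findings(after_log)
    return bool(before["hooked_devices"]) and not after["hooked_devices"] and not after["suspicious_files"]
```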


#15 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 05 May 2010 - 03:21 PM

You can post it when you get it, but the part you put up just now looks better. Why don't you open up your MalwareBytes, do an update and a Quick Scan now to see if it picks up anything.