Malware infection?


22 replies to this topic

#1 bwolb

Posted 06 May 2010 - 01:22 PM

Hi ~ I was referred to this forum from Blind_Faith of Am I Infected for further help. Link to that thread: Link to previous thread

This is a PC running Win XP SP3. A HelpAssist folder keeps appearing with duplicate Documents and Settings files. I delete the folder and turn off the user account (My Computer/Manage/Local Users and Groups/Users, then deactivate the HelpAssist account via Properties). I suspect malware and am seeking help.

DDS Logs and GMER scan log below

Thanks ~ bwolb

DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86
Run by Barry Wolborsky at 8:54:11.06 on Thu 05/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.453 [GMT -7:00]

AV: avast! antivirus 4.8.1368 [VPS 100506-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Iomega\REV System Software\RevUDF.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Iomega\REV System Software\imiconxp.exe
C:\Program Files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Barry Wolborsky\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ResChanger2004] c:\program files\evga\reschanger2004\ResChanger2004.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimageechoworkstation\TrueImageMonitor.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [Iomega ImIconXP] c:\program files\iomega\rev system software\imiconxp.exe
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimageechoworkstation\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\viarai~1.lnk - c:\program files\via\raid\raid_tool.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxps://www.officeally.com/XUpload.ocx
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - No File
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 relog_ap

============= SERVICES / DRIVERS ===============

R0 imdrvfsf;Iomega File System Filter Driver;c:\windows\system32\drivers\imdrvfsf.sys [2004-7-13 16006]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-8-11 77312]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-10-19 114768]
R1 SASDIFSV;SASDIFSV;c:\docume~1\barryw~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-5-3 9968]
R1 SASKUTIL;SASKUTIL;c:\docume~1\barryw~1\locals~1\temp\sas_selfextract\SASKUTIL.sys [2010-5-3 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-30 486280]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-10-19 20560]
S3 SASENUM;SASENUM;\??\c:\docume~1\barryw~1\locals~1\temp\sas_selfextract\sasenum.sys --> c:\docume~1\barryw~1\locals~1\temp\sas_selfextract\SASENUM.SYS [?]

=============== Created Last 30 ================

2010-05-06 15:52:19 0 ----a-w- c:\documents and settings\barry wolborsky\defogger_reenable
2010-05-03 16:50:13 0 d-----w- c:\docume~1\barryw~1\applic~1\SUPERAntiSpyware.com
2010-05-03 16:50:13 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-28 16:47:21 0 d-----w- c:\program files\ESET
2010-04-27 18:26:22 0 d-----w- c:\docume~1\barryw~1\applic~1\Windows Search
2010-04-27 18:01:07 0 d-----w- c:\docume~1\barryw~1\applic~1\Windows Desktop Search
2010-04-26 19:01:54 0 d-----w- c:\program files\Netsmart
2010-04-26 19:01:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Netsmart
2010-04-26 18:39:11 68096 ----a-w- c:\windows\system32\WBTRV32.DLL
2010-04-26 18:39:11 5824 ----a-w- c:\windows\system32\WBTRTHNK.DLL
2010-04-26 18:39:11 43472 ----a-w- c:\windows\system32\WBTRCALL.DLL
2010-04-26 18:39:11 4192 ----a-w- c:\windows\system32\WBTRVRES.DLL
2010-04-26 18:39:11 320512 ----a-w- c:\windows\system32\W32MKDE.EXE
2010-04-26 18:39:11 110080 ----a-w- c:\windows\system32\W32MKRC.DLL
2010-04-26 16:00:20 0 d-sha-r- C:\cmdcons
2010-04-26 15:56:14 98816 ----a-w- c:\windows\sed.exe
2010-04-26 15:56:14 77312 ----a-w- c:\windows\MBR.exe
2010-04-26 15:56:14 261632 ----a-w- c:\windows\PEV.exe
2010-04-26 15:56:14 161792 ----a-w- c:\windows\SWREG.exe
2010-04-19 16:31:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-19 16:30:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-19 16:30:54 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-19 16:30:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-05-05 20:35:33 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 16:42:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-17 16:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2008-12-09 19:19:05 0 -c--a-w- c:\program files\error.dat
2009-12-29 17:59:34 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-07-15 18:50:11 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071520080716\index.dat

============= FINISH: 8:57:48.01 ===============

Attach

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/9/2005 12:41:37 AM
System Uptime: 5/6/2010 8:38:43 AM (0 hours ago)

Motherboard: http://www.abit.com.tw/ | | KW7(VIA KT880-8237)
Processor: AMD Athlon™ XP 3000+ | Socket A | 2158/166mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 77 GiB total, 57.381 GiB free.
D: is Removable
E: is CDROM ()
F: is CDROM ()
G: is CDROM ()
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1167: 4/2/2010 11:56:30 AM - System Checkpoint
RP1168: 4/5/2010 4:02:15 PM - System Checkpoint
RP1169: 4/6/2010 4:03:36 PM - System Checkpoint
RP1170: 4/7/2010 4:35:06 PM - System Checkpoint
RP1171: 4/9/2010 9:12:08 AM - System Checkpoint
RP1172: 4/12/2010 10:31:52 AM - System Checkpoint
RP1173: 4/13/2010 12:57:11 PM - System Checkpoint
RP1174: 4/14/2010 12:00:37 PM - Software Distribution Service 3.0
RP1175: 4/15/2010 2:12:28 PM - System Checkpoint
RP1176: 4/16/2010 2:54:18 PM - System Checkpoint
RP1177: 4/19/2010 2:43:47 PM - System Checkpoint
RP1178: 4/20/2010 3:08:47 PM - System Checkpoint
RP1179: 4/21/2010 4:00:23 PM - System Checkpoint
RP1180: 4/22/2010 4:08:56 PM - System Checkpoint
RP1181: 4/26/2010 8:56:54 AM - ComboFix created restore point
RP1182: 4/27/2010 11:00:04 AM - Installed Windows XP KB915800-v4.
RP1183: 4/27/2010 11:00:21 AM - Installed Windows XP Windows Search 4.0.
RP1184: 4/28/2010 12:01:11 PM - Software Distribution Service 3.0
RP1185: 4/29/2010 1:11:15 PM - System Checkpoint
RP1186: 4/30/2010 1:18:50 PM - System Checkpoint
RP1187: 5/3/2010 4:07:17 PM - System Checkpoint
RP1188: 5/4/2010 4:42:14 PM - System Checkpoint

==== Installed Programs ======================

ABITEQ
Acronis True Image Echo Workstation
Acronis Universal Restore for Acronis True Image Echo Workstation
Ad-Aware SE Personal
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.1
APC PowerChute Personal Edition
avast! Antivirus
Brother BRAdmin Light 1.12
Brother MFC-7440N
Brother MFL-Pro Suite
Critical Update for Windows Media Player 11 (KB959772)
ESET Online Scanner v3
Helper 7.6.0 (2)
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Iomega Product Registration
Iomega REV System Software
Java DB 10.5.3.0
Java™ 6 Update 18
Java™ SE Development Kit 6 Update 18
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Easy Assist v2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Ultimate 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Media Content
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
NVIDIA Drivers
NVIDIA nView Desktop Manager
OGA Notifier 2.0.0048.0
PaperPort Image Printer
Platform
PrintFile
Qwest eChat Support Tools
Realtek AC'97 Audio
ResChanger2004
ScanSoft PaperPort 11
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB980470)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Spelling Dictionaries Support For Adobe Reader 9
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb981433)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC 9.0 Runtime
VIA Platform Device Manager
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinZip
ZoneAlarm Pro

==== Event Viewer Messages From Past Week ========

5/6/2010 8:54:33 AM, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
5/5/2010 8:08:54 AM, error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.101. The machine with the IP address 192.168.1.105 did not allow the name to be claimed by this machine.
5/4/2010 8:39:28 AM, error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.101. The machine with the IP address 192.168.1.100 did not allow the name to be claimed by this machine.
5/3/2010 10:45:20 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD AmdK7 aswSP aswTdi Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip vsdatant
5/3/2010 10:39:19 AM, error: Service Control Manager [7000] - The SASENUM service failed to start due to the following error: The system cannot find the file specified.
4/30/2010 9:09:50 AM, error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.101. The machine with the IP address 192.168.1.104 did not allow the name to be claimed by this machine.
4/30/2010 9:09:21 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.
4/30/2010 9:09:21 AM, error: Service Control Manager [7000] - The TrueVector Internet Monitor service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/29/2010 8:56:29 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD AmdK7 aswSP aswTdi Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip vsdatant
4/29/2010 8:56:29 AM, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: A device attached to the system is not functioning.
4/29/2010 8:56:29 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
4/29/2010 8:56:29 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/29/2010 8:56:29 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/29/2010 8:56:29 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
4/29/2010 8:55:10 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/29/2010 8:55:07 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

==== End Of File ===========================

GMER
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-06 11:06:32
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\BARRYW~1\LOCALS~1\Temp\uxtiiaoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEC6E16B8]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xEC810600]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xEC809D50]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEC6E1574]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xEC810E10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xEC827D00]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xEC828120]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xEC832210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xEC810F80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xEC80AC30]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xEC82F750]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEC6E1A52]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xEC826E40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadDriver [0xEC8038E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xEC830050]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xEC830280]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwMapViewOfSection [0xEC8325C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xEC80A720]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEC6E164E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xEC82A420]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xEC829FF0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwProtectVirtualMemory [0xEC82C470]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEC6E176E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xEC831400]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xEC830A10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xEC810150]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEC6E172E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xEC8108E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xEC80B050]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationObject [0xEC82C340]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xEC8318B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetSystemInformation [0xEC803010]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEC6E18AE]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xEC828CF0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xEC828A20]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwUnloadDriver [0xEC803D30]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [10, 0E, 81, EC, 00, 7D, 82, ...]
.text ntoskrnl.exe!_abnormal_termination + 1D0 804E283C 12 Bytes [E0, 38, 80, EC, 50, 00, 83, ...] {LOOPNZ 0x3a; SUB AH, 0x50; ADD [EBX-0x7cfd7f14], AL; IN AL, DX }
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF65DA380, 0x550AF5, 0xE8000020]
init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF64BC900]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\nvsvc32.exe[1196] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 014C2862
.text C:\WINDOWS\system32\nvsvc32.exe[1196] WS2_32.dll!send 71AB4C27 5 Bytes JMP 014C26EE
.text C:\WINDOWS\system32\nvsvc32.exe[1196] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 014C27E0
.text C:\WINDOWS\system32\nvsvc32.exe[1196] WS2_32.dll!recv 71AB676F 5 Bytes JMP 014C2726
.text C:\WINDOWS\system32\nvsvc32.exe[1196] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 014C275E
.text C:\WINDOWS\system32\SearchIndexer.exe[1516] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[1516] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01562862
.text C:\WINDOWS\system32\SearchIndexer.exe[1516] WS2_32.dll!send 71AB4C27 5 Bytes JMP 015626EE
.text C:\WINDOWS\system32\SearchIndexer.exe[1516] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 015627E0
.text C:\WINDOWS\system32\SearchIndexer.exe[1516] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01562726
.text C:\WINDOWS\system32\SearchIndexer.exe[1516] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0156275E
.text C:\WINDOWS\system32\RUNDLL32.EXE[1924] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EE2862
.text C:\WINDOWS\system32\RUNDLL32.EXE[1924] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EE26EE
.text C:\WINDOWS\system32\RUNDLL32.EXE[1924] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00EE27E0
.text C:\WINDOWS\system32\RUNDLL32.EXE[1924] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EE2726
.text C:\WINDOWS\system32\RUNDLL32.EXE[1924] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00EE275E
.text C:\Program Files\internet explorer\iexplore.exe[2256] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2256] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2256] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2256] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2256] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2256] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2256] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2256] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2256] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2256] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2256] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2256] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2256] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2256] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[2784] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F72862
.text C:\WINDOWS\Explorer.EXE[2784] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F726EE
.text C:\WINDOWS\Explorer.EXE[2784] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F727E0
.text C:\WINDOWS\Explorer.EXE[2784] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F72726
.text C:\WINDOWS\Explorer.EXE[2784] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F7275E
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[3088] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01B82862
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[3088] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01B826EE
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[3088] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01B827E0
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[3088] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01B82726
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[3088] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01B8275E
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[3228] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 07B72862
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[3228] WS2_32.dll!send 71AB4C27 5 Bytes JMP 07B726EE
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[3228] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 07B727E0
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[3228] WS2_32.dll!recv 71AB676F 5 Bytes JMP 07B72726
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[3228] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 07B7275E
.text C:\WINDOWS\System32\alg.exe[3328] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C22862
.text C:\WINDOWS\System32\alg.exe[3328] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C226EE
.text C:\WINDOWS\System32\alg.exe[3328] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C227E0
.text C:\WINDOWS\System32\alg.exe[3328] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C22726
.text C:\WINDOWS\System32\alg.exe[3328] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C2275E
.text C:\Program Files\internet explorer\iexplore.exe[3616] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3616] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3616] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3616] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3616] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3616] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3616] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3616] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3616] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3616] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3616] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3616] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3616] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3616] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3708] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3708] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3708] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3708] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3708] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3708] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3708] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3708] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3708] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snman380.sys (Acronis Snapshot API/Acronis)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\viamraid \Device\Scsi\viamraid1 868BFEE0
Device \Driver\viamraid \Device\Scsi\viamraid1Port2Path0Target0Lun0 868BFEE0

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS05439.log 131072 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0543A.log 131072 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0543B.log 131072 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0543C.log 131072 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0543E.log 131072 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0543F.log 131072 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS05440.log 131072 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS05441.log 131072 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0543D.log 0 bytes

---- EOF - GMER 1.0.15 ----

#2 bwolb

bwolb
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:12:21 AM

Posted 06 May 2010 - 04:09 PM

Hi ~ this is just to say that I'm leaving for the weekend. I'll be back Monday morning. Looking forward to solving this.

Thanks ~ bwolb

#3 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:10:21 AM

Posted 09 May 2010 - 04:38 AM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro?



If I haven't replied in 48 hours, please feel free to send me a PM.


#4 bwolb

bwolb
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:12:21 AM

Posted 10 May 2010 - 02:31 PM

Good Morning ~ Symptoms I'm experiencing with this computer: 1) a folder titled HelpAssistant (with duplicates of all Documents and Settings folders & files) keeps reappearing despite repeated attempts to delete it and disable the HelpAssist account; 2) Boot up of computer takes up to 10 minutes; 3) initialization of Zone Alarm (firewall) takes several minutes.

DDS Log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Barry Wolborsky at 9:36:51.50 on Mon 05/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.353 [GMT -7:00]

AV: avast! antivirus 4.8.1368 [VPS 100510-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Iomega\REV System Software\RevUDF.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Iomega\REV System Software\imiconxp.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Barry Wolborsky\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ResChanger2004] c:\program files\evga\reschanger2004\ResChanger2004.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimageechoworkstation\TrueImageMonitor.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [Iomega ImIconXP] c:\program files\iomega\rev system software\imiconxp.exe
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimageechoworkstation\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\viarai~1.lnk - c:\program files\via\raid\raid_tool.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxps://www.officeally.com/XUpload.ocx
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - No File
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 relog_ap

============= SERVICES / DRIVERS ===============

R0 imdrvfsf;Iomega File System Filter Driver;c:\windows\system32\drivers\imdrvfsf.sys [2004-7-13 16006]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-8-11 77312]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-10-19 114768]
R1 SASDIFSV;SASDIFSV;c:\docume~1\barryw~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-5-3 9968]
R1 SASKUTIL;SASKUTIL;c:\docume~1\barryw~1\locals~1\temp\sas_selfextract\SASKUTIL.sys [2010-5-3 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-30 486280]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-10-19 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-10-19 138680]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-10-19 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-10-19 352920]
S3 SASENUM;SASENUM;\??\c:\docume~1\barryw~1\locals~1\temp\sas_selfextract\sasenum.sys --> c:\docume~1\barryw~1\locals~1\temp\sas_selfextract\SASENUM.SYS [?]

=============== Created Last 30 ================

2010-05-06 15:52:19 0 ----a-w- c:\documents and settings\barry wolborsky\defogger_reenable
2010-05-03 16:50:13 0 d-----w- c:\docume~1\barryw~1\applic~1\SUPERAntiSpyware.com
2010-05-03 16:50:13 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-28 16:47:21 0 d-----w- c:\program files\ESET
2010-04-27 18:26:22 0 d-----w- c:\docume~1\barryw~1\applic~1\Windows Search
2010-04-27 18:01:07 0 d-----w- c:\docume~1\barryw~1\applic~1\Windows Desktop Search
2010-04-26 19:01:54 0 d-----w- c:\program files\Netsmart
2010-04-26 19:01:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Netsmart
2010-04-26 18:39:11 68096 ----a-w- c:\windows\system32\WBTRV32.DLL
2010-04-26 18:39:11 5824 ----a-w- c:\windows\system32\WBTRTHNK.DLL
2010-04-26 18:39:11 43472 ----a-w- c:\windows\system32\WBTRCALL.DLL
2010-04-26 18:39:11 4192 ----a-w- c:\windows\system32\WBTRVRES.DLL
2010-04-26 18:39:11 320512 ----a-w- c:\windows\system32\W32MKDE.EXE
2010-04-26 18:39:11 110080 ----a-w- c:\windows\system32\W32MKRC.DLL
2010-04-26 16:00:20 0 d-sha-r- C:\cmdcons
2010-04-26 15:56:14 98816 ----a-w- c:\windows\sed.exe
2010-04-26 15:56:14 77312 ----a-w- c:\windows\MBR.exe
2010-04-26 15:56:14 261632 ----a-w- c:\windows\PEV.exe
2010-04-26 15:56:14 161792 ----a-w- c:\windows\SWREG.exe
2010-04-19 16:31:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-19 16:30:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-19 16:30:54 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-19 16:30:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-05-07 16:15:59 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 16:42:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-17 16:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2008-12-09 19:19:05 0 -c--a-w- c:\program files\error.dat
2009-12-29 17:59:34 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-07-15 18:50:11 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071520080716\index.dat

============= FINISH: 9:38:13.90 ===============

GMER Scan Log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-10 12:30:22
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\BARRYW~1\LOCALS~1\Temp\uxtiiaoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEFAC06B8]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xEFCD1600]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xEFCCAD50]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEFAC0574]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xEFCD1E10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xEFCE8D00]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xEFCE9120]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xEFCF3210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xEFCD1F80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xEFCCBC30]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xEFCF0750]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEFAC0A52]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xEFCE7E40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadDriver [0xEFCC48E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xEFCF1050]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xEFCF1280]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwMapViewOfSection [0xEFCF35C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xEFCCB720]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEFAC064E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xEFCEB420]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xEFCEAFF0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwProtectVirtualMemory [0xEFCED470]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEFAC076E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xEFCF2400]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xEFCF1A10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xEFCD1150]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEFAC072E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xEFCD18E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xEFCCC050]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationObject [0xEFCED340]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xEFCF28B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetSystemInformation [0xEFCC4010]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEFAC08AE]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xEFCE9CF0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xEFCE9A20]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwUnloadDriver [0xEFCC4D30]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [10, 1E, CD, EF, 00, 8D, CE, ...] {ADC [ESI], BL; INT 0xef; ADD [EBP-0x6edf1032], CL; INTO ; OUT DX, EAX}
.text ntoskrnl.exe!_abnormal_termination + 1D0 804E283C 12 Bytes [E0, 48, CC, EF, 50, 10, CF, ...] {LOOPNZ 0x4a; INT 3 ; OUT DX, EAX; PUSH EAX; ADC BH, CL; OUT DX, EAX; ADC BYTE [EDX], 0xcf; OUT DX, EAX}
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF658F380, 0x550AF5, 0xE8000020]
init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF6471900]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\nvsvc32.exe[1136] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 014C2862
.text C:\WINDOWS\system32\nvsvc32.exe[1136] WS2_32.dll!send 71AB4C27 5 Bytes JMP 014C26EE
.text C:\WINDOWS\system32\nvsvc32.exe[1136] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 014C27E0
.text C:\WINDOWS\system32\nvsvc32.exe[1136] WS2_32.dll!recv 71AB676F 5 Bytes JMP 014C2726
.text C:\WINDOWS\system32\nvsvc32.exe[1136] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 014C275E
.text C:\WINDOWS\system32\SearchIndexer.exe[1644] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2628] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2628] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2628] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2628] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2628] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2628] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2628] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2628] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2628] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2628] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2628] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2628] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2628] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2628] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[2804] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 32605335 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3844] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3844] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3844] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3844] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3844] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3844] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3844] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3844] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3844] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3844] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3844] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3844] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3844] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3844] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3996] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3996] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3996] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3996] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3996] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3996] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3996] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3996] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3996] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snman380.sys (Acronis Snapshot API/Acronis)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\viamraid \Device\Scsi\viamraid1 865AB468
Device \Driver\viamraid \Device\Scsi\viamraid1Port2Path0Target0Lun0 865AB468

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----

Attached Files



#5 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:21 AM

Posted 11 May 2010 - 03:31 PM

Hello, bwolb
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

Please go here and have a look at how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#6 bwolb

bwolb
  • Topic Starter

  • Members
  • 20 posts
  • Local time:12:21 AM

Posted 12 May 2010 - 11:23 AM

Good Morning ~ Here is the ComboFix log:

ComboFix 10-05-11.06 - Barry Wolborsky 05/12/2010 9:10.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.511 [GMT -7:00]
Running from: c:\documents and settings\Barry Wolborsky\Desktop\schrauber.exe
AV: avast! antivirus 4.8.1368 [VPS 100512-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Vb40032.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.

2010-05-12 16:00 . 2010-05-12 16:00 -------- d-----w- c:\windows\LastGood
2010-05-05 17:34 . 2010-05-05 17:34 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-05-05 17:34 . 2010-05-07 16:04 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-05-05 17:32 . 2010-05-06 15:48 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2010-05-03 16:50 . 2010-05-03 16:50 -------- d-----w- c:\documents and settings\Barry Wolborsky\Application Data\SUPERAntiSpyware.com
2010-05-03 16:50 . 2010-05-03 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-28 16:47 . 2010-04-28 16:47 -------- d-----w- c:\program files\ESET
2010-04-27 18:26 . 2010-04-27 18:26 -------- d-----w- c:\documents and settings\Barry Wolborsky\Application Data\Windows Search
2010-04-27 18:01 . 2010-04-27 18:01 -------- d-----w- c:\documents and settings\Barry Wolborsky\Application Data\Windows Desktop Search
2010-04-26 19:01 . 2010-04-26 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Netsmart
2010-04-26 19:01 . 2010-04-26 19:01 -------- d-----w- c:\program files\Netsmart
2010-04-26 18:39 . 1997-02-12 17:27 68096 ----a-w- c:\windows\system32\WBTRV32.DLL
2010-04-26 18:39 . 1997-02-04 19:59 43472 ----a-w- c:\windows\system32\WBTRCALL.DLL
2010-04-26 18:39 . 1996-10-08 02:22 320512 ----a-w- c:\windows\system32\W32MKDE.EXE
2010-04-26 18:39 . 1996-09-24 23:40 110080 ----a-w- c:\windows\system32\W32MKRC.DLL
2010-04-26 18:39 . 1996-07-15 16:43 5824 ----a-w- c:\windows\system32\WBTRTHNK.DLL
2010-04-26 18:39 . 1995-04-19 21:16 4192 ----a-w- c:\windows\system32\WBTRVRES.DLL
2010-04-19 16:31 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-19 16:30 . 2010-04-19 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-19 16:30 . 2010-04-19 17:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-19 16:30 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 15:54 . 2006-02-08 22:28 2665194 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-05-12 00:01 . 2010-05-12 15:55 2167296 ----a-w- c:\windows\Internet Logs\xDBC2.tmp
2010-05-12 00:01 . 2010-05-12 15:55 46592 ----a-w- c:\windows\Internet Logs\xDBC1.tmp
2010-05-11 16:03 . 2008-12-30 17:22 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-05-10 23:38 . 2010-05-11 15:48 50688 ----a-w- c:\windows\Internet Logs\xDBC0.tmp
2010-05-07 22:28 . 2010-05-10 16:28 2162176 ----a-w- c:\windows\Internet Logs\xDBBF.tmp
2010-05-07 22:28 . 2010-05-10 16:28 35840 ----a-w- c:\windows\Internet Logs\xDBBE.tmp
2010-05-06 23:58 . 2010-05-07 16:01 2161664 ----a-w- c:\windows\Internet Logs\xDBBD.tmp
2010-05-06 23:58 . 2010-05-07 16:01 60416 ----a-w- c:\windows\Internet Logs\xDBBC.tmp
2010-05-05 17:29 . 2010-05-06 15:45 8704 ----a-w- c:\windows\Internet Logs\xDBBB.tmp
2010-05-05 17:22 . 2010-05-05 17:29 2147328 ----a-w- c:\windows\Internet Logs\xDBBA.tmp
2010-05-05 17:22 . 2010-05-05 17:29 49664 ----a-w- c:\windows\Internet Logs\xDBB9.tmp
2010-05-05 00:00 . 2010-05-05 15:18 2145792 ----a-w- c:\windows\Internet Logs\xDBB8.tmp
2010-05-05 00:00 . 2010-05-05 15:18 53248 ----a-w- c:\windows\Internet Logs\xDBB7.tmp
2010-05-03 23:46 . 2010-05-04 15:51 2145280 ----a-w- c:\windows\Internet Logs\xDBB6.tmp
2010-05-03 23:46 . 2010-05-04 15:50 52224 ----a-w- c:\windows\Internet Logs\xDBB5.tmp
2010-05-03 17:42 . 2010-05-03 18:05 41984 ----a-w- c:\windows\Internet Logs\xDBB3.tmp
2010-05-03 17:42 . 2010-05-03 18:05 2144768 ----a-w- c:\windows\Internet Logs\xDBB4.tmp
2010-05-03 16:41 . 2010-05-03 17:35 30720 ----a-w- c:\windows\Internet Logs\xDBB1.tmp
2010-05-03 16:41 . 2010-05-03 17:35 2140672 ----a-w- c:\windows\Internet Logs\xDBB2.tmp
2010-04-30 22:10 . 2010-05-03 16:20 38912 ----a-w- c:\windows\Internet Logs\xDBAF.tmp
2010-04-30 22:10 . 2010-05-03 16:20 2140160 ----a-w- c:\windows\Internet Logs\xDBB0.tmp
2010-04-30 00:00 . 2010-04-30 16:18 60928 ----a-w- c:\windows\Internet Logs\xDBAD.tmp
2010-04-30 00:00 . 2010-04-30 16:19 2139648 ----a-w- c:\windows\Internet Logs\xDBAE.tmp
2010-04-29 00:00 . 2010-04-29 15:51 2137088 ----a-w- c:\windows\Internet Logs\xDBAC.tmp
2010-04-29 00:00 . 2010-04-29 15:51 43008 ----a-w- c:\windows\Internet Logs\xDBAB.tmp
2010-04-28 19:53 . 2010-04-28 19:53 34304 ----a-w- c:\windows\Internet Logs\xDBA9.tmp
2010-04-28 19:53 . 2010-04-28 19:53 2136576 ----a-w- c:\windows\Internet Logs\xDBAA.tmp
2010-04-28 19:33 . 2008-07-23 17:49 -------- d-----w- c:\program files\Windows Desktop Search
2010-04-28 19:32 . 2010-04-28 19:40 371712 ----a-w- c:\windows\Internet Logs\xDBA7.tmp
2010-04-28 19:32 . 2010-04-28 19:40 2136064 ----a-w- c:\windows\Internet Logs\xDBA8.tmp
2010-04-27 17:52 . 2010-04-27 17:52 50688 ----a-w- c:\windows\Internet Logs\xDBA6.tmp
2010-04-27 17:32 . 2010-04-27 17:33 383488 ----a-w- c:\windows\Internet Logs\xDBA4.tmp
2010-04-27 17:32 . 2010-04-27 17:33 2105856 ----a-w- c:\windows\Internet Logs\xDBA5.tmp
2010-04-23 22:03 . 2010-04-26 15:54 2068992 ----a-w- c:\windows\Internet Logs\xDBA3.tmp
2010-04-23 22:03 . 2010-04-26 15:54 47616 ----a-w- c:\windows\Internet Logs\xDBA2.tmp
2010-04-22 23:59 . 2010-04-23 16:12 60416 ----a-w- c:\windows\Internet Logs\xDBA1.tmp
2010-04-21 23:54 . 2010-04-22 15:52 47616 ----a-w- c:\windows\Internet Logs\xDB9F.tmp
2010-04-21 23:54 . 2010-04-22 15:52 2067968 ----a-w- c:\windows\Internet Logs\xDBA0.tmp
2010-04-21 16:39 . 2010-04-21 16:44 2067456 ----a-w- c:\windows\Internet Logs\xDB9E.tmp
2010-04-21 16:00 . 2010-04-21 16:44 8704 ----a-w- c:\windows\Internet Logs\xDB9D.tmp
2010-04-20 23:59 . 2010-04-21 16:00 2066944 ----a-w- c:\windows\Internet Logs\xDB9C.tmp
2010-04-20 23:59 . 2010-04-21 16:00 52736 ----a-w- c:\windows\Internet Logs\xDB9B.tmp
2010-04-19 23:43 . 2010-04-20 16:23 2065408 ----a-w- c:\windows\Internet Logs\xDB9A.tmp
2010-04-19 23:43 . 2010-04-20 16:23 54784 ----a-w- c:\windows\Internet Logs\xDB99.tmp
2010-04-16 23:47 . 2010-04-19 16:09 37376 ----a-w- c:\windows\Internet Logs\xDB98.tmp
2010-04-15 23:59 . 2010-04-16 17:56 2054656 ----a-w- c:\windows\Internet Logs\xDB97.tmp
2010-04-15 23:59 . 2010-04-16 17:56 53760 ----a-w- c:\windows\Internet Logs\xDB96.tmp
2010-04-15 17:15 . 2010-04-15 17:16 42496 ----a-w- c:\windows\Internet Logs\xDB95.tmp
2010-04-15 00:04 . 2010-04-15 16:07 67072 ----a-w- c:\windows\Internet Logs\xDB93.tmp
2010-04-15 00:04 . 2010-04-15 16:07 2053632 ----a-w- c:\windows\Internet Logs\xDB94.tmp
2010-04-14 19:07 . 2008-07-22 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-13 23:58 . 2010-04-14 15:55 63488 ----a-w- c:\windows\Internet Logs\xDB92.tmp
2010-04-09 22:05 . 2010-04-12 16:26 31232 ----a-w- c:\windows\Internet Logs\xDB90.tmp
2010-04-09 22:05 . 2010-04-12 16:26 2035712 ----a-w- c:\windows\Internet Logs\xDB91.tmp
2010-04-09 00:00 . 2010-04-09 15:53 2035200 ----a-w- c:\windows\Internet Logs\xDB8F.tmp
2010-04-09 00:00 . 2010-04-09 15:53 48128 ----a-w- c:\windows\Internet Logs\xDB8E.tmp
2010-04-07 23:58 . 2010-04-08 15:19 2034688 ----a-w- c:\windows\Internet Logs\xDB8D.tmp
2010-04-07 23:58 . 2010-04-08 15:19 45056 ----a-w- c:\windows\Internet Logs\xDB8C.tmp
2010-04-07 18:30 . 2010-04-07 18:33 2034176 ----a-w- c:\windows\Internet Logs\xDB8B.tmp
2010-04-07 16:22 . 2010-04-07 18:33 8704 ----a-w- c:\windows\Internet Logs\xDB8A.tmp
2010-04-07 16:21 . 2010-04-07 16:22 54272 ----a-w- c:\windows\Internet Logs\xDB89.tmp
2010-04-06 23:59 . 2010-04-07 15:35 2033152 ----a-w- c:\windows\Internet Logs\xDB88.tmp
2010-04-06 23:59 . 2010-04-07 15:35 54272 ----a-w- c:\windows\Internet Logs\xDB87.tmp
2010-04-06 17:34 . 2010-04-06 17:35 2032640 ----a-w- c:\windows\Internet Logs\xDB86.tmp
2010-04-06 17:34 . 2010-04-06 17:35 51200 ----a-w- c:\windows\Internet Logs\xDB85.tmp
2010-04-06 14:30 . 2010-04-06 16:00 38400 ----a-w- c:\windows\Internet Logs\xDB83.tmp
2010-04-06 14:30 . 2010-04-06 16:00 2032128 ----a-w- c:\windows\Internet Logs\xDB84.tmp
2010-04-06 14:20 . 2010-04-06 14:22 28160 ----a-w- c:\windows\Internet Logs\xDB81.tmp
2010-04-06 14:20 . 2010-04-06 14:22 2031616 ----a-w- c:\windows\Internet Logs\xDB82.tmp
2010-04-05 23:43 . 2010-04-06 14:13 2031104 ----a-w- c:\windows\Internet Logs\xDB80.tmp
2010-04-05 23:43 . 2010-04-06 14:13 51200 ----a-w- c:\windows\Internet Logs\xDB7F.tmp
2010-04-05 17:20 . 2010-04-05 17:21 45056 ----a-w- c:\windows\Internet Logs\xDB7D.tmp
2010-04-05 17:20 . 2010-04-05 17:21 2029056 ----a-w- c:\windows\Internet Logs\xDB7E.tmp
2010-04-01 23:58 . 2010-04-02 15:54 2028032 ----a-w- c:\windows\Internet Logs\xDB7C.tmp
2010-04-01 23:58 . 2010-04-02 15:54 56832 ----a-w- c:\windows\Internet Logs\xDB7B.tmp
2010-04-01 17:56 . 2010-04-01 17:56 -------- d-----w- c:\program files\Microsoft Easy Assist
2010-04-01 17:56 . 2010-04-01 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications
2010-04-01 00:01 . 2010-04-01 15:56 30208 ----a-w- c:\windows\Internet Logs\xDB79.tmp
2010-04-01 00:01 . 2010-04-01 15:56 2024448 ----a-w- c:\windows\Internet Logs\xDB7A.tmp
2010-03-31 14:52 . 2010-03-31 20:01 8704 ----a-w- c:\windows\Internet Logs\xDB78.tmp
2010-03-31 00:00 . 2010-03-31 14:52 2021888 ----a-w- c:\windows\Internet Logs\xDB77.tmp
2010-03-31 00:00 . 2010-03-31 14:52 55296 ----a-w- c:\windows\Internet Logs\xDB76.tmp
2010-03-30 16:26 . 2005-10-09 07:59 69760 -c--a-w- c:\documents and settings\Barry Wolborsky\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-29 23:49 . 2010-03-30 16:16 2019840 ----a-w- c:\windows\Internet Logs\xDB75.tmp
2010-03-29 23:49 . 2010-03-30 16:16 56832 ----a-w- c:\windows\Internet Logs\xDB74.tmp
2010-03-29 19:06 . 2010-03-29 19:07 2015232 ----a-w- c:\windows\Internet Logs\xDB73.tmp
2010-03-29 19:06 . 2010-03-29 19:07 47616 ----a-w- c:\windows\Internet Logs\xDB72.tmp
2010-03-29 18:14 . 2010-03-29 18:15 2014720 ----a-w- c:\windows\Internet Logs\xDB71.tmp
2010-03-29 18:14 . 2010-03-29 18:15 79360 ----a-w- c:\windows\Internet Logs\xDB70.tmp
2010-03-26 21:49 . 2010-03-29 16:28 55296 ----a-w- c:\windows\Internet Logs\xDB6F.tmp
2010-03-26 19:19 . 2010-03-26 19:21 57344 ----a-w- c:\windows\Internet Logs\xDB6E.tmp
2010-03-26 16:53 . 2010-03-26 16:54 77824 ----a-w- c:\windows\Internet Logs\xDB6C.tmp
2010-03-26 16:53 . 2010-03-26 16:54 2003968 ----a-w- c:\windows\Internet Logs\xDB6D.tmp
2010-03-24 21:10 . 2010-03-25 17:02 2000384 ----a-w- c:\windows\Internet Logs\xDB6B.tmp
2010-03-24 21:09 . 2010-03-25 17:02 49664 ----a-w- c:\windows\Internet Logs\xDB6A.tmp
2010-03-24 18:14 . 2010-03-24 18:16 49152 ----a-w- c:\windows\Internet Logs\xDB68.tmp
2010-03-24 18:14 . 2010-03-24 18:16 1998336 ----a-w- c:\windows\Internet Logs\xDB69.tmp
2010-03-24 00:08 . 2010-03-24 16:04 1997824 ----a-w- c:\windows\Internet Logs\xDB67.tmp
2010-03-24 00:08 . 2010-03-24 16:04 56832 ----a-w- c:\windows\Internet Logs\xDB66.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ResChanger2004"="c:\program files\eVGA\ResChanger2004\ResChanger2004.exe" [2004-03-02 882688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe" [2009-01-19 1285504]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 67584]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"Iomega ImIconXP"="c:\program files\Iomega\REV System Software\imiconxp.exe" [2004-10-14 57344]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe" [2009-01-19 884928]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-01-19 140568]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2009-1-29 221247]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2005-10-9 585728]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BrMfcWnd"=c:\program files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3453:TCP"= 3453:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"1972:TCP"= 1972:TCP:Services
"3246:TCP"= 3246:TCP:Services
"7004:TCP"= 7004:TCP:Services
"9410:TCP"= 9410:TCP:Services
"1691:TCP"= 1691:TCP:Services
"2254:TCP"= 2254:TCP:Services
"1785:TCP"= 1785:TCP:Services
"9112:TCP"= 9112:TCP:Services
"9534:TCP"= 9534:TCP:Services
"2113:TCP"= 2113:TCP:Services
"9440:TCP"= 9440:TCP:Services
"6393:TCP"= 6393:TCP:Services
"9815:TCP"= 9815:TCP:Services
"2488:TCP"= 2488:TCP:Services
"2629:TCP"= 2629:TCP:Services
"3758:TCP"= 3758:TCP:Services
"9347:TCP"= 9347:TCP:Services
"9348:TCP"= 9348:TCP:Services
"1848:TCP"= 1848:TCP:Services
"2196:TCP"= 2196:TCP:Services
"3286:TCP"= 3286:TCP:Services
"5072:TCP"= 5072:TCP:Services

R0 imdrvfsf;Iomega File System Filter Driver;c:\windows\system32\drivers\imdrvfsf.sys [7/13/2004 11:22 AM 16006]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [8/11/2004 9:22 AM 77312]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/19/2008 6:08 PM 114768]
R1 SASDIFSV;SASDIFSV;\??\c:\docume~1\BARRYW~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\BARRYW~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
R1 SASKUTIL;SASKUTIL;\??\c:\docume~1\BARRYW~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\docume~1\BARRYW~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/19/2008 6:08 PM 20560]
S3 SASENUM;SASENUM;\??\c:\docume~1\BARRYW~1\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\BARRYW~1\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - revfs

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-11 c:\windows\Tasks\User_Feed_Synchronization-{17BACFA6-A5BD-4840-B82A-D0738782B455}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-12 09:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-261478967-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1060284298-261478967-839522115-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-1060284298-261478967-839522115-1003)
@Allowed: (Read) (S-1-5-21-1060284298-261478967-839522115-1003)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(952)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-05-12 09:20:11
ComboFix-quarantined-files.txt 2010-05-12 16:19

Pre-Run: 61,069,193,216 bytes free
Post-Run: 61,154,394,112 bytes free

- - End Of File - - FADD0E9E7E15990EE8AAC8036CF52922


#7 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:21 AM

Posted 13 May 2010 - 09:34 AM

Hi,


Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#8 bwolb

bwolb
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:21 AM

Posted 13 May 2010 - 11:59 AM

Hi ~ the HelpAsst log is below. After copying the log, I was about to paste it here and the computer spontaneously rebooted.

C:\Documents and Settings\Barry Wolborsky\Desktop\HelpAsst_mebroot_fix.exe
Thu 05/13/2010 at 9:26:10.17

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"3453:TCP"=-
"3389:TCP"=-
"1972:TCP"=-
"3246:TCP"=-
"7004:TCP"=-
"9410:TCP"=-
"1691:TCP"=-
"2254:TCP"=-
"1785:TCP"=-
"9112:TCP"=-
"9534:TCP"=-
"2113:TCP"=-
"9440:TCP"=-
"6393:TCP"=-
"9815:TCP"=-
"2488:TCP"=-
"2629:TCP"=-
"3758:TCP"=-
"9347:TCP"=-
"9348:TCP"=-
"1848:TCP"=-
"2196:TCP"=-
"3286:TCP"=-
"5072:TCP"=-
"5488:TCP"=-
"9476:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"3453:TCP"=-
"3389:TCP"=-
"1972:TCP"=-
"3246:TCP"=-
"7004:TCP"=-
"9410:TCP"=-
"1691:TCP"=-
"2254:TCP"=-
"1785:TCP"=-
"9112:TCP"=-
"9534:TCP"=-
"2113:TCP"=-
"9440:TCP"=-
"6393:TCP"=-
"9815:TCP"=-
"2488:TCP"=-
"2629:TCP"=-
"3758:TCP"=-
"9347:TCP"=-
"9348:TCP"=-
"1848:TCP"=-
"2196:TCP"=-
"3286:TCP"=-
"5072:TCP"=-
"5488:TCP"=-
"9476:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1060284298-261478967-839522115-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~
HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1060284298-261478967-839522115-1015
~ No profile directory exists for S-1-5-21-1060284298-261478967-839522115-1015 ~
HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1060284298-261478967-839522115-1016
~ No profile directory exists for S-1-5-21-1060284298-261478967-839522115-1016 ~
HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1060284298-261478967-839522115-1017
~ No profile directory exists for S-1-5-21-1060284298-261478967-839522115-1017 ~
HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1060284298-261478967-839522115-1018
~ No profile directory exists for S-1-5-21-1060284298-261478967-839522115-1018 ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Thu 05/13/2010 at 9:49:13.82

Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys hal.dll
kernel: MBR read successfully
BIOS signateure not found

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking profile list ~~

S-1-5-21-1060284298-261478967-839522115-1018
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"9476:TCP"=9476:TCP:*:Enabled:Services
"5488:TCP"=5488:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"9476:TCP"=9476:TCP:*:Enabled:Services
"5488:TCP"=5488:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


~~ EOF ~~

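The HelpAsst log above checks three things that a defender triaging this kind of infection would want to see at a glance: whether the HelpAssistant account is enabled and in Administrators, which DLL the TermService entry points at (the clean value later in this thread is termsrv.dll, the infected one is termsrv32.dll), and which firewall exceptions have been opened under GloballyOpenPorts with the generic name "Services". The following Python is an added example written for this thread, not code from the HelpAsst tool or from the poster; it parses a constructed excerpt laid out like the "Status check" section quoted above (the port numbers and DLL name are taken from that log, the sample strings and all function names are ours) and reports those indicators.

```python
import re

# Constructed sample, modelled on the "Status check" section of the
# helpasst -mbrt log quoted in this thread (values from that log, layout ours).
INFECTED_LOG = """\
Account active Yes
Local Group Memberships *Administrators
HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\services\\termservice\\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\\System32\\termsrv32.dll
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"""

# Constructed sample of the same section after the tool has cleaned up.
CLEAN_LOG = """\
Account active No
Local Group Memberships
HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\services\\termservice\\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\\System32\\termsrv.dll
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"""

# "65533:TCP"=65533:TCP:*:Enabled:Services  ->  port, proto, scope, state, name
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\d+:(?:TCP|UDP):([^:]+):(Enabled|Disabled):(.*)$')
SERVICEDLL_RE = re.compile(r'^ServiceDll\s+REG_EXPAND_SZ\s+(.+)$')


def parse_open_ports(log_text):
    """Return (port, proto, scope, state, name) for every GloballyOpenPorts entry."""
    entries = []
    for line in log_text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            port, proto, scope, state, name = m.groups()
            entries.append((int(port), proto, scope, state, name))
    return entries


def termservice_dll(log_text):
    """Lower-cased basename of the ServiceDll registered for TermService, or None."""
    for line in log_text.splitlines():
        m = SERVICEDLL_RE.match(line.strip())
        if m:
            return m.group(1).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return None


def helpassistant_active_admin(log_text):
    """True when the account status block shows Active plus Administrators membership."""
    active = admin = False
    for line in log_text.splitlines():
        s = line.strip()
        if s.startswith("Account active"):
            active = s.split()[-1].lower() == "yes"
        elif s.startswith("Local Group Memberships"):
            admin = "*administrators" in s.lower()
    return active and admin


def triage(log_text):
    """List the indicators found in one status-check section (empty list = clean)."""
    findings = []
    if helpassistant_active_admin(log_text):
        findings.append("HelpAssistant account enabled and in Administrators")
    dll = termservice_dll(log_text)
    if dll is not None and dll != "termsrv.dll":
        findings.append(f"TermService ServiceDll points to {dll}, expected termsrv.dll")
    # The tool calls these "rogue ports": enabled exceptions with the generic name "Services".
    rogue = [p for p, _proto, _scope, state, name in parse_open_ports(log_text)
             if state == "Enabled" and name == "Services"]
    if rogue:
        findings.append(f"firewall exceptions with generic name 'Services': {rogue}")
    return findings


if __name__ == "__main__":
    for sample in (INFECTED_LOG, CLEAN_LOG):
        print(triage(sample) or ["no indicators"])
```

The 3389 "Remote Desktop" exception is deliberately not flagged by name, since it can be legitimate; it is still returned by `parse_open_ports` so the analyst can decide, which matches how the log above lists it separately from the "Services" entries.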

#9 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:21 AM

Posted 13 May 2010 - 03:55 PM

Please run the tool again with the above instructions and post the logfile
regards,
schrauber


#10 bwolb

bwolb
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:21 AM

Posted 17 May 2010 - 11:23 AM

OK ~ I'm a little confused. I have (this morning) run HelpAsst_mebroot_fix.exe again. This deleted the HelpAsst folder then quit without rebooting. Next I ran helpasst -mbrt and this log file is below. Since it is not clear whether an mbr infection is detected or not, I'll run mbr -f then helpasst -mbrt again per the instructions. I'll post that log shortly.

C:\Documents and Settings\Barry Wolborsky\Desktop\HelpAsst_mebroot_fix.exe
Mon 05/17/2010 at 9:09:53.00

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"9476:TCP"=-
"5488:TCP"=-
"3389:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"9476:TCP"=-
"5488:TCP"=-
"3389:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1060284298-261478967-839522115-1018
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove

~ Not all HelpAssistant files sucessfully removed ~
Remove on reboot: C:\DOCUME~1\HELPAS~1\Cookies\index.dat
Remove on reboot: C:\DOCUME~1\HELPAS~1\LOCALS~1\History\History.IE5\index.dat
Remove on reboot: C:\DOCUME~1\HELPAS~1\LOCALS~1\TEMPOR~1\Content.IE5\index.dat
Remove on reboot: C:\DOCUME~1\HELPAS~1\LOCALS~1\TEMPOR~1\Content.IE5
Remove on reboot: C:\DOCUME~1\HELPAS~1\LOCALS~1\TEMPOR~1
Remove on reboot: C:\DOCUME~1\HELPAS~1\LOCALS~1\History\History.IE5
Remove on reboot: C:\DOCUME~1\HELPAS~1\LOCALS~1\History
Remove on reboot: C:\DOCUME~1\HELPAS~1\LOCALS~1
Remove on reboot: C:\DOCUME~1\HELPAS~1\Cookies
Remove on reboot: C:\Documents and Settings\HelpAssistant


~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Mon 05/17/2010 at 9:16:00.82

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys hal.dll
kernel: MBR read successfully
BIOS signateure not found

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~


#11 bwolb

bwolb
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:21 AM

Posted 17 May 2010 - 11:43 AM

Here is the second helpasst -mbrt log (after mbr -f):
C:\Documents and Settings\Barry Wolborsky\Desktop\HelpAsst_mebroot_fix.exe
Mon 05/17/2010 at 9:09:53.00

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"9476:TCP"=-
"5488:TCP"=-
"3389:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"9476:TCP"=-
"5488:TCP"=-
"3389:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1060284298-261478967-839522115-1018
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove

~ Not all HelpAssistant files sucessfully removed ~
Remove on reboot: C:\DOCUME~1\HELPAS~1\Cookies\index.dat
Remove on reboot: C:\DOCUME~1\HELPAS~1\LOCALS~1\History\History.IE5\index.dat
Remove on reboot: C:\DOCUME~1\HELPAS~1\LOCALS~1\TEMPOR~1\Content.IE5\index.dat
Remove on reboot: C:\DOCUME~1\HELPAS~1\LOCALS~1\TEMPOR~1\Content.IE5
Remove on reboot: C:\DOCUME~1\HELPAS~1\LOCALS~1\TEMPOR~1
Remove on reboot: C:\DOCUME~1\HELPAS~1\LOCALS~1\History\History.IE5
Remove on reboot: C:\DOCUME~1\HELPAS~1\LOCALS~1\History
Remove on reboot: C:\DOCUME~1\HELPAS~1\LOCALS~1
Remove on reboot: C:\DOCUME~1\HELPAS~1\Cookies
Remove on reboot: C:\Documents and Settings\HelpAssistant


~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Mon 05/17/2010 at 9:16:00.82

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys hal.dll
kernel: MBR read successfully
BIOS signateure not found

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Mon 05/17/2010 at 9:38:23.15

Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys hal.dll
kernel: MBR read successfully
BIOS signateure not found

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

S-1-5-21-1060284298-261478967-839522115-1018
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"9476:TCP"=9476:TCP:*:Enabled:Services
"5488:TCP"=5488:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"9476:TCP"=9476:TCP:*:Enabled:Services
"5488:TCP"=5488:TCP:*:Enabled:Services


~~ EOF ~~


#12 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:21 AM

Posted 18 May 2010 - 04:47 PM

Hi,

Please post back with a fresh Combofix logfile, I will have a look.
regards,
schrauber


#13 bwolb

bwolb
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:21 AM

Posted 19 May 2010 - 11:31 AM

Good Morning ~ A fresh Combofix log is attached.

bwolb

Attached Files



#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:21 AM

Posted 21 May 2010 - 09:35 AM

Hi,

Hiren's BootCD
    *** Please print these instructions ***
    1. Download Hiren's BootCD Iso to the desktop of a clean computer.
    2. Extract the zipped HirensBootCD.zip to your desktop.
    3. Open the extracted HirensBootCD folder and extract the zipped HirensBootCD.iso.
    4. Double click the BurnToCD.cmd bat file contained in the HirensBootCD folder. This will launch BurnCDCC.
    5. Insert a blank CD in your drive.
    6. Press Start. This will burn the image to disc. After it has completed...
    7. Restart your sick computer and boot from the HBCD you created.
      • If your PC is not booting from the CD, you need to change the boot order:
        • Restart your PC
        • As soon as you get an image, press the Setup key. This is usually F2, F10, F12 or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
        • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
        • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
        • The tab should now show your current boot order.
        • If the CD-drive is not at the top, please navigate to the CD-Rom drive with the keys arrows. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
        • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
      • Your PC should now boot from your CD.
      • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
    8. When the CD boots choose "DOS BootCD".



At the Hiren's BootCD main menu, select Next and hit Enter.



At the second menu select 1 MBR (Master Boot Record)Tools



In the list of MBR Tools select 1 MBR Work 1.08



This screen will show the hard drive configuration.



Type 5 to Install standard MBR code then hit Enter
Type 1 to select Standard then hit Enter
Type Y then hit Enter to confirm
Type E then hit Enter to exit
Press Ctrl+Alt+Del to restart the machine


Please post back with a fresh mebroot-fix-logfile
regards,
schrauber


#15 bwolb

bwolb
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:21 AM

Posted 24 May 2010 - 02:49 PM

OK ~ here is the new mebroot-fix logfile.

Attached Files





