
Serious rootkit/virus


  • This topic is locked
2 replies to this topic

#1 spencercorliss

  • Members
  • 9 posts

Posted 27 May 2010 - 08:49 PM

From:
http://www.bleepingcomputer.com/forums/t/319669/i-think-im-infected-with-something/

My computer is very slow from a performance standpoint; the wireless USB mouse is jerky around the screen. It's basically like I'm VPN'd into my own box. I am also locked out of certain folders and services and continually get demoted to a standard user account. I also have multiple HID devices listed, including a second keyboard and multiple PCI-USB controllers.

I have tried everything to fix my issue, including Fdisk/reformat, HD wipe with randoms/reinstall, wiped MBR, loading from a boot sector on CD and USB drive, rewriting the BIOS, older drivers, etc. I'm fairly tech savvy and have never come across anything like this.



GMER was reporting that the file in c:\windows\system32\config was already in use, and created no log. The other logs are as follows:


defogger_disable by jpshortstuff (23.02.10.1)
Log created at 18:18 on 26/05/2010 (Administrator)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
SPTD -> Disabled (Service running -> reboot required)


-=E.O.F=-


*********** DDS



DDS (Ver_10-03-17.01) - NTFSX64
Run by Administrator at 18:22:45.43 on Wed 05/26/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4095.2913 [GMT -7:00]

SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k NetworkService
C:\Program Files (x86)\AMD\OverDrive\AODAssist.exe
C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
C:\Program Files (x86)\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Sidebar\Gadgets\GPUMonitor-23-[Guru3D.com].gadget\GPUMonitor.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskmgr.exe
C:\Users\Administrator\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = www.yahoo.com
mWinlogon: Userinit=userinit.exe
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files (x86)\norton internet security\engine\17.7.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files (x86)\norton internet security\engine\17.7.0.12\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files (x86)\norton internet security\engine\17.7.0.12\coIEPlg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {6FA951D5-0C4C-4052-BCE3-2511A7E7D957} = 68.116.46.115,68.116.46.70
mRun-x64: [RtHDVCpl] c:\program files\realtek\audio\hda\RAVCpl64.exe -s

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\4hcqo9ya.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files (x86)\java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nisx64\1107000.00c\symds64.sys [2010-5-26 433200]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nisx64\1107000.00c\symefa64.sys [2010-5-26 221232]
R1 BHDrvx64;BHDrvx64;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20100429.001\BHDrvx64.sys [2010-4-29 678448]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nisx64\1107000.00c\cchpx64.sys [2010-5-26 615040]
R1 IDSVia64;IDSVia64;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20100520.001\IDSviA64.sys [2009-10-28 466992]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv64.sys [2010-2-17 14920]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\saskutil64.sys [2010-2-17 12360]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nisx64\1107000.00c\ironx64.sys [2010-5-26 150064]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nisx64\1107000.00c\symtdiv.sys [2010-5-26 451120]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-5-4 202752]
R2 AODService;AODService;c:\program files (x86)\amd\overdrive\AODAssist.exe [2010-4-23 136616]
R2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\asus\assysctrlservice\1.00.02\AsSysCtrlService.exe [2010-5-22 96896]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x64.sys [2010-5-22 20968]
R2 NIS;Norton Internet Security;c:\program files (x86)\norton internet security\engine\17.7.0.12\ccsvchst.exe [2010-5-26 126392]
R2 SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore64.exe [2010-4-28 120832]
R3 amdiox64;AMD IO Driver;c:\windows\system32\drivers\amdiox64.sys [2010-5-26 46136]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-5-4 6789632]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-5-4 221184]
R3 AODDriver2;AODDriver2;c:\program files (x86)\amd\overdrive\amd64\AODDriver2.sys [2010-4-23 52352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-25 132656]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2010-5-22 325664]
S2 AMD FusionUtility Service;AMD FusionUtility Service;c:\program files (x86)\amd\fusion utility for desktop\FusionUtility2Service.exe [2010-4-14 275832]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-22 1255736]
S4 AMD Reservation Manager;AMD Reservation Manager;c:\program files (x86)\amd\reservation manager\AMD Reservation Manager.exe [2010-4-14 140160]

=============== Created Last 30 ================

2010-05-27 01:18:48 20 ----a-w- c:\users\administrator\defogger_reenable
2010-05-27 00:58:07 0 d-----w- c:\users\admini~1\appdata\roaming\SUPERAntiSpyware.com
2010-05-27 00:58:07 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-05-27 00:58:04 0 d-----w- c:\programdata\SASCORE
2010-05-27 00:58:03 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-26 11:25:15 0 d-----w- c:\programdata\ATI
2010-05-26 11:25:13 0 d-----w- c:\program files\common files\ATI Technologies
2010-05-26 11:25:13 0 d-----w- c:\program files (x86)\common files\ATI Technologies
2010-05-26 11:24:17 0 d-----w- c:\program files (x86)\ATI Technologies
2010-05-26 11:24:15 0 d-----w- c:\program files\ATI
2010-05-26 11:23:51 0 d-----w- c:\program files\ATI Technologies
2010-05-26 10:01:45 46136 ----a-w- c:\windows\system32\drivers\amdiox64.sys
2010-05-26 10:01:44 0 d-----w- c:\programdata\AMD
2010-05-26 09:46:29 0 d-----w- c:\program files (x86)\ATI
2010-05-26 07:38:09 834544 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-26 07:37:31 0 d-----w- c:\users\admini~1\appdata\roaming\DAEMON Tools Lite
2010-05-26 07:37:29 0 d-----w- c:\programdata\DAEMON Tools Lite
2010-05-26 07:36:15 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-05-26 06:51:18 2048 ----a-w- c:\windows\syswow64\tzres.dll
2010-05-26 06:51:18 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-26 06:29:23 0 d-----w- c:\program files\HP
2010-05-26 06:29:17 61952 ----a-w- c:\windows\system32\ZIMF.DLL
2010-05-26 06:29:17 567296 ----a-w- c:\windows\system32\ZSHP1018.EXE
2010-05-26 06:29:17 49664 ----a-w- c:\windows\system32\ZTAG.DLL
2010-05-26 06:29:17 128380 ----a-w- c:\windows\system32\hp1018.img
2010-05-26 06:29:17 127488 ----a-w- c:\windows\system32\ZSPOOL.DLL
2010-05-26 06:29:17 115200 ----a-w- c:\windows\system32\ZLhp1018.DLL
2010-05-26 06:29:17 10632 ----a-w- c:\windows\system32\ZSHP1018.CHM
2010-05-26 06:19:18 0 d-----r- C:\My Documents Storage
2010-05-26 06:04:15 0 d-----w- c:\programdata\Blizzard Entertainment
2010-05-26 06:04:15 0 d-----w- c:\program files (x86)\StarCraft II Beta
2010-05-26 06:04:15 0 d-----w- c:\program files (x86)\common files\Blizzard Entertainment
2010-05-26 06:03:59 0 d-----w- c:\programdata\Blizzard
2010-05-26 05:40:01 0 d-----w- c:\programdata\TrackMania
2010-05-26 05:30:03 0 d-----w- c:\programdata\Futuremark
2010-05-26 05:21:59 5073256 ----a-w- c:\windows\system32\d3dx9_35.dll
2010-05-26 04:48:22 0 d-----w- c:\program files (x86)\Steam
2010-05-26 04:48:22 0 d-----w- c:\program files (x86)\common files\Steam
2010-05-26 04:06:50 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malwar
2010-05-23 06:18:59 0 d-----w- c:\program files (x86)\Futuremark
2010-05-23 05:48:22 20968 ----a-w- c:\windows\system32\drivers\cpuz133_x64.sys
2010-05-23 05:48:21 0 d-----w- c:\program files\CPUID
2010-05-23 05:00:57 0 d-----w- c:\program files\PerformanceTest
2010-05-23 04:09:28 261081804 ----a-w- c:\windows\MEMORY.DMP
2010-05-23 03:48:44 0 d-----w- c:\windows\syswow64\Wat
2010-05-23 03:48:44 0 d-----w- c:\windows\system32\Wat
2010-05-23 03:17:28 0 d-----w- c:\program files (x86)\common files\Symantec Shared
2010-05-23 03:13:01 311808 ----a-w- c:\windows\system32\msv1_0.dll
2010-05-23 03:13:01 257024 ----a-w- c:\windows\syswow64\msv1_0.dll
2010-05-23 03:12:02 14336 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-05-23 03:03:17 0 d-----w- c:\program files (x86)\AMD
2010-05-23 03:01:07 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-23 03:01:07 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-05-23 02:57:22 0 d-----w- c:\windows\syswow64\Macromed
2010-05-23 02:52:41 540688 ----a-w- c:\windows\system32\d3dx10_39.dll
2010-05-23 02:52:41 4992520 ----a-w- c:\windows\system32\D3DX9_39.dll
2010-05-23 02:52:41 1942552 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2010-05-23 02:52:40 3977496 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-05-23 02:52:38 0 d-----w- c:\programdata\Passmark
2010-05-23 02:52:25 0 d-----w- c:\programdata\Sun
2010-05-23 02:52:19 411368 ----a-w- c:\windows\syswow64\deployJava1.dll
2010-05-23 02:52:19 153376 ----a-w- c:\windows\syswow64\javaws.exe
2010-05-23 02:52:19 145184 ----a-w- c:\windows\syswow64\javaw.exe
2010-05-23 02:52:19 145184 ----a-w- c:\windows\syswow64\java.exe
2010-05-23 02:45:21 0 ----a-w- c:\windows\ativpsrm.bin
2010-05-23 02:43:09 109016 ---ha-w- c:\windows\syswow64\mlfcache.dat
2010-05-23 02:41:00 0 d-----w- C:\ATI
2010-05-23 02:36:20 0 d-----w- c:\programdata\Apple Computer
2010-05-23 02:36:06 0 d-----w- c:\programdata\Apple
2010-05-23 01:35:26 53808 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-05-23 01:35:01 854 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.INF
2010-05-23 01:35:01 7440 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.CAT
2010-05-23 01:35:01 173104 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2010-05-23 01:35:00 0 d-----w- c:\program files\Symantec
2010-05-23 01:35:00 0 d-----w- c:\program files\common files\Symantec Shared
2010-05-23 01:34:47 0 d-----w- c:\windows\system32\drivers\NISx64
2010-05-23 01:34:46 0 d-----w- c:\program files (x86)\Norton Internet Security
2010-05-23 01:34:45 0 d-----w- c:\programdata\Norton
2010-05-23 01:33:13 0 d-----w- c:\programdata\NortonInstaller
2010-05-23 01:33:13 0 d-----w- c:\program files (x86)\NortonInstaller
2010-05-23 01:16:14 0 d-----w- c:\windows\Panther
2010-05-23 01:14:50 0 d-----w- c:\program files\Realtek
2010-05-23 01:14:32 0 d--h--w- c:\program files (x86)\Temp
2010-05-23 01:14:02 0 d-----w- c:\program files (x86)\ASUS
2010-05-23 01:13:24 74272 ----a-w- c:\windows\system32\RtNicProp64.dll
2010-05-23 01:13:24 325664 ----a-w- c:\windows\system32\drivers\Rt64win7.sys
2010-05-23 01:13:24 107552 ----a-w- c:\windows\system32\RTNUninst64.dll
2010-05-23 01:13:03 0 d-----w- c:\program files (x86)\Realtek
2010-05-23 01:12:12 0 d-----w- c:\users\admini~1\appdata\roaming\DeviceVm
2010-05-23 01:12:12 0 d-----w- c:\programdata\DeviceVm
2010-05-23 01:11:12 16440 ----a-w- c:\windows\system32\drivers\AtiPcie.sys
2010-05-23 01:10:54 0 d-sh--w- c:\windows\Installer
2010-05-23 01:08:15 1769 ----a-w- c:\windows\Language_trs.ini
2010-05-23 01:08:13 32061 ----a-w- c:\windows\Ascd_tmp.ini
2010-05-23 01:00:57 0 d-----w- c:\users\admini~1\appdata\roaming\Malwarebytes
2010-05-23 01:00:56 0 d-----w- c:\programdata\Malwarebytes
2010-05-23 00:25:00 0 d-sh--w- C:\Recovery
2010-05-05 02:47:08 6789632 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2010-05-05 02:43:40 19735040 ----a-w- c:\windows\system32\atio6axx.dll
2010-05-05 02:20:00 42640 ----a-w- c:\windows\system32\atiapfxx.blb
2010-05-05 02:19:48 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-05-05 02:19:38 506880 ----a-w- c:\windows\syswow64\aticfx32.dll
2010-05-05 02:16:04 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-05-05 02:15:56 455168 ----a-w- c:\windows\system32\atieclxx.exe
2010-05-05 02:15:10 202752 ----a-w- c:\windows\system32\atiesrxx.exe
2010-05-05 02:14:44 15024128 ----a-w- c:\windows\syswow64\atioglxx.dll
2010-05-05 02:13:38 120320 ----a-w- c:\windows\system32\atitmm64.dll
2010-05-05 02:13:20 421376 ----a-w- c:\windows\system32\atipdl64.dll
2010-05-05 02:13:10 356352 ----a-w- c:\windows\syswow64\atipdlxx.dll
2010-05-05 02:12:56 278528 ----a-w- c:\windows\syswow64\Oemdspif.dll
2010-05-05 02:12:50 12288 ----a-w- c:\windows\system32\atimuixx.dll
2010-05-05 02:12:44 59392 ----a-w- c:\windows\system32\atiedu64.dll
2010-05-05 02:12:36 43520 ----a-w- c:\windows\syswow64\ati2edxx.dll
2010-05-05 02:08:46 3611648 ----a-w- c:\windows\syswow64\atidxx32.dll
2010-05-05 01:41:48 3788288 ----a-w- c:\windows\syswow64\atiumdag.dll
2010-05-05 01:41:12 43008 ----a-w- c:\windows\system32\aticalrt64.dll
2010-05-05 01:41:10 53248 ----a-w- c:\windows\syswow64\aticalrt.dll
2010-05-05 01:41:02 39936 ----a-w- c:\windows\system32\aticalcl64.dll
2010-05-05 01:41:00 53248 ----a-w- c:\windows\syswow64\aticalcl.dll
2010-05-05 01:40:50 5194752 ----a-w- c:\windows\system32\aticaldd64.dll
2010-05-05 01:38:58 4022272 ----a-w- c:\windows\syswow64\aticaldd.dll
2010-05-05 01:33:24 4902400 ----a-w- c:\windows\system32\atiumd64.dll
2010-05-05 01:24:38 2738176 ----a-w- c:\windows\system32\atiumd6a.dll
2010-05-05 01:24:02 334336 ----a-w- c:\windows\system32\atiadlxx.dll
2010-05-05 01:23:40 14848 ----a-w- c:\windows\system32\atig6pxx.dll
2010-05-05 01:23:36 12800 ----a-w- c:\windows\syswow64\atiglpxx.dll
2010-05-05 01:23:36 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2010-05-05 01:23:32 16384 ----a-w- c:\windows\system32\atig6txx.dll
2010-05-05 01:23:28 15360 ----a-w- c:\windows\syswow64\atigktxx.dll
2010-05-05 01:23:24 221184 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2010-05-05 01:22:26 28160 ----a-w- c:\windows\syswow64\atiuxpag.dll
2010-05-05 01:22:20 28160 ----a-w- c:\windows\system32\atiu9p64.dll
2010-05-05 01:22:16 531632 ----a-w- c:\windows\system32\atiumd6a.cap
2010-05-05 01:22:12 20480 ----a-w- c:\windows\syswow64\atiu9pag.dll
2010-05-05 01:21:38 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-05-05 01:19:16 3015680 ----a-w- c:\windows\syswow64\atiumdva.dll
2010-05-05 01:18:52 531632 ----a-w- c:\windows\syswow64\atiumdva.cap
2010-05-05 01:08:42 53248 ----a-w- c:\windows\system32\atimpc64.dll
2010-05-05 01:08:42 53248 ----a-w- c:\windows\system32\amdpcom64.dll
2010-05-05 01:08:38 52224 ----a-w- c:\windows\syswow64\atimpc32.dll
2010-05-05 01:08:38 52224 ----a-w- c:\windows\syswow64\amdpcom32.dll
2010-04-28 21:17:50 2110 ----a-w- c:\windows\syswow64\atipblag.dat
2010-04-28 21:17:50 2110 ----a-w- c:\windows\system32\atipblag.dat

==================== Find3M ====================

2010-05-05 02:18:36 584704 ----a-w- c:\windows\system32\aticfx64.dll
2010-05-05 01:56:30 4225536 ----a-w- c:\windows\system32\atidxx64.dll
2010-05-05 01:35:00 55296 ----a-w- c:\windows\system32\coinst.dll
2010-05-05 01:23:52 237568 ----a-w- c:\windows\syswow64\atiadlxy.dll
2010-05-05 01:22:36 36864 ----a-w- c:\windows\system32\atiuxp64.dll
2010-04-17 04:24:34 27536 ----a-w- c:\windows\system32\drivers\dc3d.sys
2010-03-25 15:56:00 203331 ----a-w- c:\windows\system32\atiicdxx.dat
2010-03-08 21:59:59 612352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 21:33:56 427520 ----a-w- c:\windows\syswow64\vbscript.dll
2010-03-04 07:57:35 976896 ----a-w- c:\windows\system32\inetcomm.dll
2010-03-04 07:33:23 740864 ----a-w- c:\windows\syswow64\inetcomm.dll
2010-02-27 15:17:00 5509008 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-27 12:07:48 3954568 ----a-w- c:\windows\syswow64\ntkrnlpa.exe
2010-02-27 12:07:48 3899280 ----a-w- c:\windows\syswow64\ntoskrnl.exe
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 18:23:20.03 ===============



#2 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 31 May 2010 - 05:48 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 06 June 2010 - 04:35 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.
