Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Antispyware Soft left trouble.


  • This topic is locked This topic is locked
6 replies to this topic

#1 Majin_lute

Majin_lute

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:34 PM

Posted 01 June 2010 - 01:58 PM

I recently caught Antispyware Soft, but I was able to remove it twice from Malewarbytes' Anti-Malware. I am still having problems from it thought such as my IE not working. I ran a DDS scan and got this log.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Luke at 17:25:25.30 on Fri 05/28/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3071.1225 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\hp\HPEZBTN\HPBtnSrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\schtasks.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\jusched.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Luke\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Webroot Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Webroot Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [Sidebar] "c:\program files\windows sidebar\sidebar.exe" /autoRun
uRun: [WindowsWelcomeCenter] "rundll32.exe" oobefldr.dll,ShowWelcomeCenter
uRun: [HPAdvisor] "c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe" autoRun
uRun: [ehTray.exe] "c:\windows\ehome\ehTray.exe"
uRun: [LightScribe Control Panel] "c:\program files\common files\lightscribe\LightScribeControlPanel.exe" -hidden
uRun: [Pando Media Booster] "c:\program files\pando networks\media booster\PMB.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] "c:\program files\windows media player\WMPNSCFG.exe"
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide
mRun: [hpsysdrv] "c:\hp\support\hpsysdrv.exe"
mRun: [KBD] "c:\hp\kbd\KbdStub.EXE"
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [RtHDVCpl] "RtHDVCpl.exe"
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [<NO NAME>]
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [NvSvc] "RUNDLL32.EXE" c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\luke\appdata\roaming\mozilla\firefox\profiles\9vpz7bnd.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-11-6 29808]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20100513.002\IDSvix86.sys [2010-5-17 286768]
R2 HPBtnSrv;HP Chasis Button Service;c:\hp\hpezbtn\HPBtnSrv.exe [2007-11-28 198240]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-8 149352]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-11-6 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2010-1-7 1201640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-26 102448]
R3 HSXHWBS3;HSXHWBS3;c:\windows\system32\drivers\HSXHWBS3.sys [2007-11-28 206336]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2007-11-28 464384]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-1-31 1251720]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-2-19 41008]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\drivers\xcbda.sys [2007-11-28 156928]
S2 EraserSvc11010;Symantec Eraser Service;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-8 149352]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-28 23888]
S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2007-9-12 25760]
S3 rootrepeal;rootrepeal;c:\windows\system32\drivers\rootrepeal.sys [2009-11-26 34816]

=============== Created Last 30 ================

2010-05-27 05:37:19 0 d-----w- c:\programdata\Office Genuine Advantage
2010-05-26 13:02:59 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-12 02:58:37 738304 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-11 18:54:40 0 d-----w- c:\users\luke\appdata\roaming\LolClient

==================== Find3M ====================

2010-05-28 23:44:41 3064 ----a-w- c:\users\luke\appdata\roaming\wklnhst.dat
2010-05-12 18:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 05:38:53 6395 ----a-w- c:\windows\DiabUnin.dat
2010-04-28 05:38:53 2829 ----a-w- c:\windows\DiabUnin.pif
2010-04-28 05:38:53 118784 ----a-w- c:\windows\DiabUnin.exe
2010-04-27 21:45:56 72856 ----a-w- c:\windows\system32\xliveinstallhost.exe
2010-04-27 21:45:56 187544 ----a-w- c:\windows\system32\xliveinstall.dll
2010-04-03 00:17:52 15426200 ----a-w- c:\windows\system32\xlive.dll
2010-04-03 00:17:52 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2010-03-05 14:01:02 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-10-23 19:22:02 86016 ----a-w- c:\windows\inf\infstor.dat
2009-10-23 19:22:02 51200 ----a-w- c:\windows\inf\infpub.dat
2009-10-23 19:22:02 143360 ----a-w- c:\windows\inf\infstrng.dat
2008-08-17 01:31:50 174 --sha-w- c:\program files\desktop.ini
2008-08-17 01:21:15 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-11-28 20:14:36 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 17:26:23.27 ===============

BC AdBot (Login to Remove)

 


#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:03:34 AM

Posted 03 June 2010 - 05:09 AM

Hi,

Post attach.txt contents too.

---

Download GMER here by clicking download exe -button and then saving it your desktop:
  • Double-click .exe that you downloaded
  • Click rootkit-tab, uncheck files option and then click scan.
  • Don't check
    Show All
    box while scanning in progress!
  • When scanning is ready, click Copy.
  • This copies log to clipboard
  • Post log (if the log is long, archive it into a zip file and attach instead of posting) in your reply.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 Majin_lute

Majin_lute
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:34 PM

Posted 04 June 2010 - 11:33 PM

I ran Gmer once before but looked away for a second and then looked back and noticed I got blue screened. This is a new scan I did of it and I saved it to notebook.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-04 21:30:19
Windows 6.0.6001 Service Pack 1
Running: bdvucb6f.exe; Driver: C:\Users\Luke\AppData\Local\Temp\kwldapow.sys


---- System - GMER 1.0.15 ----

SSDT 87F64310 ZwAlertResumeThread
SSDT 88130658 ZwAlertThread
SSDT 88182738 ZwAllocateVirtualMemory
SSDT 88008008 ZwAlpcConnectPort
SSDT 88130180 ZwCreateMutant
SSDT 859A28C8 ZwCreateProcess
SSDT 859A26C0 ZwCreateProcessEx
SSDT 8812F790 ZwCreateThread
SSDT 88127728 ZwDebugActiveProcess
SSDT 88130EF0 ZwFreeVirtualMemory
SSDT 881302C8 ZwImpersonateAnonymousToken
SSDT 8819E810 ZwImpersonateThread
SSDT 88130DF0 ZwMapViewOfSection
SSDT 88127CE0 ZwOpenEvent
SSDT 8812F6D0 ZwOpenProcessToken
SSDT 881277E8 ZwOpenSection
SSDT 88130B30 ZwOpenThreadToken
SSDT 84F9B360 ZwQueueApcThread
SSDT 84F9B1F8 ZwReadVirtualMemory
SSDT 8800DEA0 ZwResumeThread
SSDT 88130A50 ZwSetContextThread
SSDT 88130C20 ZwSetInformationProcess
SSDT 88130960 ZwSetInformationThread
SSDT 88127C20 ZwSuspendProcess
SSDT 881307A0 ZwSuspendThread
SSDT 88183CB0 ZwTerminateProcess
SSDT 88130880 ZwTerminateThread
SSDT 88130D10 ZwUnmapViewOfSection
SSDT 88182648 ZwWriteVirtualMemory
SSDT 859A3020 ZwCreateThreadEx
SSDT 84F9B180 ZwCreateUserProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 350 820F4A14 8 Bytes [10, 43, F6, 87, 58, 06, 13, ...]
.text ntkrnlpa.exe!KeSetTimerEx + 365 820F4A29 3 Bytes [27, 18, 88]
.text ntkrnlpa.exe!KeSetTimerEx + 370 820F4A34 4 Bytes [08, 80, 00, 88]
.text ntkrnlpa.exe!KeSetTimerEx + 428 820F4AEC 4 Bytes [80, 01, 13, 88]
.text ntkrnlpa.exe!KeSetTimerEx + 43C 820F4B00 8 Bytes [C8, 28, 9A, 85, C0, 26, 9A, ...]
.text ...
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8F008340, 0x3514D7, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe[1724] kernel32.dll!CreateThread + 1A 770546E2 4 Bytes CALL 00450771 C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)
.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[3612] kernel32.dll!SetUnhandledExceptionFilter 77036E2D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\Program Files\Webroot\WebrootSecurity\SSU.EXE[4132] ntdll.dll!KiUserExceptionDispatcher + A 77CE99F2 5 Bytes JMP 00017DB0 C:\Program Files\Webroot\WebrootSecurity\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\WebrootSecurity\SSU.EXE[4132] kernel32.dll!VirtualProtect 77011DD1 5 Bytes JMP 000169B0 C:\Program Files\Webroot\WebrootSecurity\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\WebrootSecurity\SSU.EXE[4132] kernel32.dll!LoadLibraryExW 770330C3 5 Bytes JMP 00016000 C:\Program Files\Webroot\WebrootSecurity\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\WebrootSecurity\SSU.EXE[4132] kernel32.dll!VirtualFree 77051866 5 Bytes JMP 00016990 C:\Program Files\Webroot\WebrootSecurity\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\WebrootSecurity\SSU.EXE[4132] kernel32.dll!VirtualAlloc 7705B86F 5 Bytes JMP 00016960 C:\Program Files\Webroot\WebrootSecurity\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\WebrootSecurity\SSU.EXE[4132] kernel32.dll!CreateFileA 7705CF71 5 Bytes JMP 00016000 C:\Program Files\Webroot\WebrootSecurity\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe[1724] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [004508C8] C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)
IAT C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe[1724] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [004508C8] C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

Attached Files

  • Attached File  Gmer.log   10.13KB   8 downloads


#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:03:34 AM

Posted 05 June 2010 - 05:42 AM

Hi,

Could you post attach.txt contents of DDS run too, please?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#5 Majin_lute

Majin_lute
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:34 PM

Posted 09 June 2010 - 07:04 PM

Ok here are the attach.txt files of that scan


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 12/21/2007 8:02:32 PM
System Uptime: 6/4/2010 9:44:04 PM (116 hours ago)

Motherboard: ASUSTeK Computer INC. | | Benicia
Processor: Intel® Core™2 Quad CPU Q6700 @ 2.66GHz | CPU 1 | 2400/267mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 288 GiB total, 171.068 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 1.322 GiB free.
E: is FIXED (NTFS) - 298 GiB total, 297.992 GiB free.
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP997: 5/25/2010 9:39:48 AM - Windows Update
RP998: 5/26/2010 12:21:34 AM - Scheduled Checkpoint
RP999: 5/26/2010 11:24:31 AM - Windows Update
RP1000: 5/26/2010 11:27:28 AM - Windows Update
RP1001: 5/26/2010 8:39:32 PM - Installed League of Legends
RP1002: 5/26/2010 9:18:17 PM - Windows Update
RP1003: 5/26/2010 10:52:24 PM - Installed Microsoft Fix it 50191
RP1004: 5/26/2010 11:15:05 PM - Configured League of Legends
RP1005: 5/26/2010 11:19:49 PM - Configured League of Legends
RP1006: 5/27/2010 3:00:10 AM - Windows Update
RP1007: 5/27/2010 11:55:19 PM - Windows Update
RP1008: 5/28/2010 10:51:37 PM - Scheduled Checkpoint
RP1009: 5/30/2010 - Scheduled Checkpoint
RP1010: 5/31/2010 12:16:15 AM - Scheduled Checkpoint
RP1011: 5/31/2010 8:30:05 AM - Windows Update
RP1012: 6/3/2010 3:14:11 PM - Scheduled Checkpoint
RP1013: 6/3/2010 6:01:50 PM - Windows Update
RP1014: 6/4/2010 10:22:15 PM - Scheduled Checkpoint
RP1015: 6/6/2010 12:19:19 AM - Scheduled Checkpoint
RP1016: 6/7/2010 12:37:52 AM - Scheduled Checkpoint
RP1017: 6/7/2010 9:04:02 PM - Windows Update
RP1018: 6/9/2010 12:00:01 AM - Scheduled Checkpoint

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Adobe Shockwave Player
Aliens vs. Predator 2
AppCore
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Battlefield 2™
Bonjour
Call of Duty - United Offensive
Call of Duty Game of the Year Edition
Cards_Calendar_OrderGift_DoMorePlugout
ccCommon
Civilization II Multiplayer Gold Edition
Command & Conquer Red Alert 2
Command & Conquer Tiberian Sun
Compatibility Pack for the 2007 Office system
Component Framework
CyberLink DVD Suite Deluxe
Diablo
Diablo II
DivX Web Player
Enhanced Multimedia Keyboard Solution
Google Toolbar for Internet Explorer
Half-Life
Hamachi 1.0.3.0
Hardware Diagnostic Tools
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Frontend
HP Games
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.5
HP Picasso Media Center Add-In
HP Total Care Advisor
HP Update
HPPhotoSmartPhotobookWebPack1
Intel® Matrix Storage Manager
iTunes
Java™ SE Runtime Environment 6 Update 1
Kaiba Corp Virtual Duel System 1.4
LabelPrint
League of Legends
LightScribe System Software 1.10.16.1
LightScribe Template Labeler
LiveUpdate (Symantec Corporation)
Malwarebytes' Anti-Malware
MapleStory
Microsoft .NET Framework 3.5 SP1
Microsoft Age of Empires II
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 60 day trial
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
mIRC
Mozilla Firefox (3.5.9)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
muvee autoProducer 6.1
Norton AntiVirus
Norton AntiVirus Help
Norton Confidential Core
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Norton Security Scan
NVIDIA Drivers
OGA Notifier 2.0.0048.0
Pando Media Booster
PCIe Soft Data Fax Modem with SmartCP
Power2Go
PowerDirector
PSSWCORE
Python 2.5
QuickTime
Realtek High Definition Audio Driver
Safari
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Shogo Demo
Sierra Utilities
Snapfish Picture Mover
SPBBC 32bit
SpongeBob Atlantis SquareOff
Spy Sweeper Core
Starcraft
Steam
Symantec Real Time Storage Protection Component
SymNet
TI Connect 1.6
Tribes 2
Uniblue ProcessScanner
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
VC80CRTRedist - 8.0.50727.762
Ventrilo Client
VideoToolkit01
Warcraft III
Warcraft III: All Products
Warhammer 40,000: Dawn of War II
WeatherBug Gadget
Webroot AntiVirus with Spy Sweeper
Westwood Shared Internet Components
World of Warcraft
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

6/4/2010 9:42:39 PM, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.
6/4/2010 9:41:59 PM, Error: ssidrv [26] -
6/3/2010 2:37:00 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
6/3/2010 2:36:19 PM, Error: EventLog [6008] - The previous system shutdown at 2:15:32 PM on 6/3/2010 was unexpected.
6/2/2010 9:47:50 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.8 for the Network Card with network address 00164482C8D0 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================

Attached Files



#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:03:34 AM

Posted 10 June 2010 - 12:12 AM

Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:
  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#7 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:03:34 AM

Posted 16 June 2010 - 10:33 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users