
PC seems fixed. Would like advice on viruses found


  • This topic is locked
15 replies to this topic

#1 doveman

Posted 07 June 2010 - 02:46 PM

Hi

Unfortunately I ran ComboFix before joining this site and reading the instructions but I've made the other logs now and I'd be grateful if someone could give them a quick look to make sure there's nothing else I need to do. The errors at the end of Attach.txt regarding System Restore and the Security Center and Help services can be ignored as I've deliberately disabled those services.

Basically I realised there was a problem as my PC became very unresponsive when it was doing hard drive activity (such as unraring a large file from one hard drive to another), so that scrolling pages in IE was very slow and alt-tabbing was slow, which seemed strange as my Phenom II X3 720 was showing very low usage.

Today I noticed that when clicking on folders in Windows Explorer, they were much slower than they should be to open and close, which was particularly noticeable when closing them as the contents/subfolders would disappear in a quite laboured fashion, rather than almost instantly as is normally the case.

Anyway, I ran ComboFix which found a few things, namely three instances of sfextra.dll (all identical by content), run_setup.exe, msconfig.exe and VB40032.DLL. It also said c:\windows\system32\srsvc.dll was infected, so I restored that from my XP CD. It hasn't put the infected file in the Quarantine folder for some reason though.

My computer seems to be running as it should now, but the thing that's puzzling is that when I checked the deleted/quarantined files using Virus Total online scan, which uses 41 engines, sfextra.dll was only identified by McAfee-GW-Edition as "Heuristic.BehavesLike.Win32.Suspicious.H" and msconfig.exe and VB40032.DLL weren't identified by anything.

The one that was identified by 5 engines was run_setup.exe as follows:

Jiangmin 13.0.900 2010.06.07 Adware/Agent.azp
McAfee-GW-Edition 2010.1 2010.06.07 Artemis!3E9B4B6C260B
Panda 10.0.2.7 2010.06.06 Suspicious file
Prevx 3.0 2010.06.07 Medium Risk Malware
TheHacker 6.5.2.0.292 2010.06.04 Aplicacion/Agent.uf

I notice the Attach.txt shows something called "Advertising Center" which I can't see anywhere in my Add/Remove programs list. Do I need to be worrying about getting rid of that? Is there anything to suggest I had a keylogger trojan on my system? I'm using Sandboxie now which will hopefully avoid any further infections.

Actually, I just turned my Anti-virus back on (Avira free) and my PC started acting weird again and after Ctrl-Alt-Deleting a few times, which was necessary before the Task Manager appeared, I could see that MOM.exe and lsass.exe and avguard.exe were all at 33% CPU and my CPU bar was at 100%, so something's still not right.

----
DDS (Ver_10-03-17.01) - NTFSx86
Run by Main at 17:45:54.37 on 07/06/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2814.2327 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
I:\Tech\USB Utils\Virus Scan\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: GuardId.MSIEBrowser.BHO: {5b0a01d2-b8a0-4e56-9e6b-cba0ef4b4eb5} - mscoree.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [POP Peeper] "c:\program files\pop peeper\POPPeeper.exe" -min
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [iTraffic Monitor] c:\program files\itraffic monitor\iTrafficMon.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
dRun: [Eraser] c:\program files\eraser\Eraser.exe -hide
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
uPolicies-explorer: NoSMHelp = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262261776390
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262261768312
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {B843F9BD-9451-43D9-B7B8-4DE99F38BF32} = 192.168.1.254
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dllcredssp.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\main\applic~1\mozilla\firefox\profiles\o7ap41s8.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-25 11608]
R1 fwdrv;Kerio Personal Firewall Driver;c:\windows\system32\drivers\FWDRV.SYS [2010-5-20 102912]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-25 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-25 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-25 60936]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.sys [2010-2-2 3584]
R2 ToolTipFixer;ToolTipFixer;c:\program files\neosmart technologies\tooltipfixer\ToolTipFixer.exe [2008-10-14 61952]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-9-30 116736]
R3 ZRTP;ZRTP Service;c:\windows\system32\drivers\zrtp.sys [2009-3-22 1052768]
S0 cfadisk;CompactFlash Filter Driver;c:\windows\system32\drivers\cfadisk.sys --> c:\windows\system32\drivers\cfadisk.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-5-28 1691480]
S3 Bcfilter;Jetico Personal Firewall Network Monitor;c:\windows\system32\drivers\bcfilter.sys --> c:\windows\system32\drivers\bcfilter.sys [?]
S3 BcfilterMP;BcfilterMP;c:\windows\system32\drivers\bcfilter.sys --> c:\windows\system32\drivers\bcfilter.sys [?]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-5-28 12672]
S3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\deltaII.sys [2009-10-10 302728]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-2-8 8704]
S3 etdrv;etdrv;c:\windows\etdrv.sys [2009-5-28 17488]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-2-8 3072]
S3 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;c:\progra~1\gfi\gfibac~1\GFIHSC~1.EXE [2009-11-7 1412392]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.0;c:\windows\system32\drivers\libusb0.sys [2009-11-10 28672]
S3 MCEIR;%MCEIR.SvcDesc%;c:\windows\system32\drivers\MCEIR.sys [2009-12-18 18560]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2009-12-10 14424]
S3 portio32;portio32;c:\windows\system32\drivers\portio32.sys [2009-11-5 2048]
S3 PRISM;Intersil PRISM Wireless LAN Driver;c:\windows\system32\drivers\prismnds.sys --> c:\windows\system32\drivers\PRISMNDS.sys [?]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2009-10-2 36928]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\ultramonmirror.sys --> c:\windows\system32\drivers\UltraMonMirror.sys [?]
S3 WinRing0_1_1_1;WinRing0_1_1_1;c:\k10stat\WinRing0.sys [2009-8-22 13904]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;c:\progra~1\gfi\gfibac~1\GFIHInst.exe [2009-11-7 440616]

=============== Created Last 30 ================

2010-06-07 16:41:27 176 ----a-w- c:\documents and settings\main\defogger_reenable
2010-06-07 12:31:33 171008 ----a-w- c:\windows\system32\srsvc.dll
2010-06-07 12:31:33 171008 ----a-w- c:\windows\system32\dllcache\srsvc.dll
2010-06-07 12:21:32 98816 ----a-w- c:\windows\sed.exe
2010-06-07 12:21:32 77312 ----a-w- c:\windows\MBR.exe
2010-06-07 12:21:32 256512 ----a-w- c:\windows\PEV.exe
2010-06-07 12:21:32 161792 ----a-w- c:\windows\SWREG.exe
2010-06-07 12:21:25 0 d-----w- C:\ComboFix
2010-06-05 09:50:51 0 d-----w- c:\temp\XP
2010-06-04 09:43:55 0 d-----w- c:\program files\common files\reFX
2010-06-03 23:44:11 0 d-----w- c:\program files\energyXT
2010-06-03 23:37:34 0 d-----w- c:\program files\Kreatives.org
2010-06-03 23:36:28 0 d-----w- c:\docume~1\main\applic~1\GetRightToGo
2010-06-03 21:36:34 0 d-----w- c:\program files\VSThost
2010-06-03 20:22:50 0 d-----w- c:\program files\common files\EZB Systems
2010-06-03 20:22:49 0 d-----w- c:\program files\UltraISO
2010-06-03 20:07:03 0 d-----w- c:\program files\MagicISO
2010-06-03 14:37:02 0 d-----w- c:\windows\uninstall
2010-05-30 11:42:21 5 ----a-w- c:\windows\apeleiha.ini
2010-05-30 11:26:45 0 d-----w- c:\program files\Vstplugins
2010-05-29 11:43:59 1122304 ----a-w- c:\windows\system32\libeay32.dll
2010-05-29 10:45:57 0 d-----w- C:\OpenSSL-Win32
2010-05-27 22:35:09 52 ----a-w- c:\windows\intuprof.ini
2010-05-27 09:48:20 0 d-----w- c:\program files\Microsoft Chart Controls
2010-05-26 11:08:39 1251872 ----a-w- c:\windows\RtlExUpd.dll
2010-05-26 09:29:52 0 d-----w- c:\program files\ATI
2010-05-26 09:29:38 0 d-----w- c:\program files\ATI Technologies
2010-05-26 08:58:29 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-05-23 12:34:05 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-05-23 12:34:05 547 ----a-w- c:\windows\system32\ffdshow.ax.manifest
2010-05-23 12:34:05 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2010-05-23 12:34:05 1708 ----a-w- c:\windows\system32\openIE.js
2010-05-23 12:34:05 0 d-----w- c:\windows\system32\languages
2010-05-23 12:34:05 0 d-----w- c:\windows\system32\custom matrices
2010-05-23 12:34:04 46603 ----a-w- c:\windows\system32\unins000.dat
2010-05-23 12:34:04 1185359 ----a-w- c:\windows\system32\unins000.exe
2010-05-23 12:33:48 33019 ----a-w- c:\windows\system32\CoreAAC-uninstall.exe
2010-05-23 12:33:38 497664 ----a-w- c:\windows\system32\ac3filter.acm
2010-05-23 12:33:38 0 d-----w- c:\program files\AC3Filter
2010-05-22 14:11:50 0 d-----w- c:\program files\SBaGen
2010-05-22 06:17:15 0 d-----w- c:\windows\XSxS
2010-05-22 06:17:15 0 d-----w- c:\program files\Xenocode
2010-05-20 12:35:06 0 d-----w- c:\docume~1\main\applic~1\WinBatch
2010-05-20 11:29:41 102912 ------w- c:\windows\system32\drivers\FWDRV.SYS
2010-05-20 09:48:02 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-20 09:48:00 0 d-----w- c:\program files\DAEMON Tools Lite
2010-05-19 21:30:56 411368 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-04-30 16:22:46 84512 ----a-w- c:\windows\SOUNDMAN.EXE
2010-04-30 16:22:46 358944 ----a-w- c:\windows\vncutil.exe
2010-04-30 16:22:46 1833504 ----a-w- c:\windows\SkyTel.exe
2010-04-30 16:22:40 9721888 ----a-w- c:\windows\RTLCPL.EXE
2010-04-30 16:22:40 1489440 ----a-w- c:\windows\RtlUpd.exe
2010-04-30 16:22:34 51232 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-04-30 16:22:34 19523616 ----a-w- c:\windows\RTHDCPL.EXE
2010-04-30 16:22:34 129568 ----a-w- c:\windows\RtkAudioService.exe
2010-04-30 16:22:28 2177568 ----a-w- c:\windows\MicCal.exe
2010-04-30 16:22:22 64032 ----a-w- c:\windows\ALCMTR.EXE
2010-04-30 16:22:22 2815520 ----a-w- c:\windows\ALCWZRD.EXE
2010-04-30 15:56:24 6032928 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2010-04-10 16:14:23 737280 ----a-w- c:\windows\iun6002.exe
2010-04-07 02:02:28 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-04-07 02:02:16 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-04-07 02:01:28 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-04-07 02:00:26 3981312 ----a-w- c:\windows\system32\aticaldd.dll
2010-04-07 01:52:16 14356480 ----a-w- c:\windows\system32\atioglxx.dll
2010-04-07 01:46:42 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-04-07 01:45:46 300544 ----a-w- c:\windows\system32\ati2dvag.dll
2010-04-07 01:41:38 3620288 ----a-w- c:\windows\system32\ati3duag.dll
2010-04-07 01:31:00 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-04-07 01:30:44 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-04-07 01:30:32 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-04-07 01:30:24 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-04-07 01:30:10 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-04-07 01:28:56 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-04-07 01:28:06 2220928 ----a-w- c:\windows\system32\ativvaxx.dll
2010-04-07 01:27:40 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-04-07 01:27:34 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-04-07 01:23:14 585728 ----a-w- c:\windows\system32\atikvmag.dll
2010-04-07 01:21:52 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-04-07 01:21:20 184320 ----a-w- c:\windows\system32\atiadlxx.dll
2010-04-07 01:20:54 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-04-07 01:15:22 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2010-04-07 01:14:06 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-04-07 01:14:06 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-03-18 15:47:22 17760 ----a-w- c:\windows\system32\aspnet_counters.dll
2010-03-18 12:16:28 771424 ----a-w- c:\windows\system32\msvcr100_clr0400.dll
2010-03-18 12:16:28 70472 ----a-w- c:\windows\system32\dxva2.dll
2010-03-18 12:16:28 486216 ----a-w- c:\windows\system32\evr.dll
2010-03-18 09:09:00 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-18 09:09:00 49488 ----a-w- c:\windows\system32\netfxperf.dll
2010-03-18 09:09:00 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-03-18 09:09:00 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-03-17 21:29:16 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-03-17 15:06:30 202234 ----a-w- c:\windows\system32\atiicdxx.dat
2010-02-04 13:23:25 2 ----a-w- c:\program files\mshexc.bmp
2010-01-09 03:55:15 17368 ----a-w- c:\program files\unins000.dat
2010-01-09 03:55:15 11088 ----a-w- c:\program files\unins000.msg
2010-01-09 03:54:52 782088 ----a-w- c:\program files\unins000.exe
2009-08-03 17:03:58 29184 ----a-w- c:\program files\RemoveDrive.exe
2007-09-07 15:35:20 1941504 ----a-r- c:\program files\CDSpeed v4.7.75.exe
2007-04-06 14:46:28 4037888 ----a-r- c:\program files\Foxit_Reader.exe
2006-09-28 15:09:20 1462272 ----a-r- c:\program files\InfoTool.exe
2006-07-25 16:45:12 1089536 ----a-r- c:\program files\DriveSpeed.exe
2006-05-07 18:13:24 12232362 ----a-w- c:\program files\mencoder.exe

============= FINISH: 17:46:03.85 ===============

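The DDS log above gets read by hand on this forum, but the first-pass checks can be scripted. What follows is an added example, not part of the original thread and not code from DDS or its author. It parses two of the sections DDS prints, "Pseudo HJT Report" and "Created Last 30", and pulls out what a responder would look at first: Run entries whose target is not a quoted absolute path (in the posted log, `mRun: [RTHDCPL] RTHDCPL.EXE` is resolved through the search path, and several entries are unquoted paths containing spaces), one DLL registered under more than one add-on name (askBar.dll appears as both "AskBar BHO" and "Foxit Toolbar"), BHOs loaded through mscoree.dll, i.e. .NET assemblies whose real location the log does not show, and files created under c:\windows in the week before the log was run, which is where the replaced srsvc.dll shows up. SAMPLE_LOG is a constructed excerpt in the same layout as the posted log; the seven-day window and the c:\windows prefix are choices made for this example, and a flag means "check this", not "this is malicious".

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt in the DDS layout (the two sections this script reads).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: GuardId.MSIEBrowser.BHO: {5b0a01d2-b8a0-4e56-9e6b-cba0ef4b4eb5} - mscoree.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [RTHDCPL] RTHDCPL.EXE
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

=============== Created Last 30 ================
2010-06-07 12:31:33 171008 ----a-w- c:\windows\system32\srsvc.dll
2010-06-07 12:21:32 77312 ----a-w- c:\windows\MBR.exe
2010-05-23 12:34:05 1708 ----a-w- c:\windows\system32\openIE.js
2010-05-20 09:48:00 0 d-----w- c:\program files\DAEMON Tools Lite
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
BHO_RE = re.compile(r"^(?:BHO|TB): (?P<name>.+?): \{[0-9a-f-]+\} - (?P<dll>.+)$", re.I)
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (\S+) (.+)$")
DRIVE_RE = re.compile(r"^[a-z]:\\", re.I)


def split_sections(text):
    """Map each '==== Title ====' header to the non-blank lines under it."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current and line:
            sections[current].append(line)
    return sections

def run_entry_findings(sections):
    # A bare file name is resolved through the search path and an unquoted
    # path with spaces is ambiguous to CreateProcess; both are places where
    # a planted binary can be picked up ahead of the intended one.
    findings = []
    for line in sections.get("Pseudo HJT Report", []):
        m = RUN_RE.match(line)
        if not m or m.group("cmd").startswith('"'):
            continue  # not a Run entry, or a quoted path: nothing to flag
        cmd = m.group("cmd")
        if not DRIVE_RE.match(cmd):
            findings.append((m.group("name"), cmd, "no absolute path"))
        elif " " in cmd:
            findings.append((m.group("name"), cmd, "unquoted path with spaces"))
    return findings

def bho_findings(sections):
    # Flags one DLL registered under several add-on names, and BHOs loaded
    # through mscoree.dll: a .NET assembly whose location the log does not
    # show (it is recorded under the CLSID's InprocServer32 registry key).
    by_dll, managed = {}, []
    for line in sections.get("Pseudo HJT Report", []):
        m = BHO_RE.match(line)
        if m:
            dll = m.group("dll").lower()
            by_dll.setdefault(dll, []).append(m.group("name"))
            if dll == "mscoree.dll":
                managed.append(m.group("name"))
    return {d: n for d, n in by_dll.items() if len(n) > 1}, managed

def recent_windows_files(sections, run_date, days=7):
    # Files (not directories) created under the Windows directory within
    # `days` before the log was run, kept in log order.
    cutoff = run_date - timedelta(days=days)
    hits = []
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        created = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if attrs[0] != "d" and created >= cutoff and path.lower().startswith("c:\\windows\\"):
            hits.append((created, int(size), path))
    return hits

def triage(text, run_date):
    sections = split_sections(text)
    shared, managed = bho_findings(sections)
    return {
        "run_entries": run_entry_findings(sections),
        "dll_under_several_names": shared,
        "managed_bhos": managed,
        "recent_windows_files": recent_windows_files(sections, run_date),
    }

def triage_sample():
    # 07/06/2010 17:45 is the run time in the posted log's DDS header.
    return triage(SAMPLE_LOG, datetime(2010, 6, 7, 17, 45))

if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(key, value, sep="\n    ")
```

Run it as a script to see the sample findings, or call triage() on a saved DDS.txt with the run date taken from the "Run by ... on" header line. Note that c:\windows\MBR.exe in the sample is one of the files ComboFix dropped at 12:21, so the "recent files" list is meant to be read against what you know was installed, not treated as a verdict.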


#2 m0le

  • Malware Response Team

Posted 10 June 2010 - 05:34 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

  • Malware Response Team

Posted 14 June 2010 - 07:31 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.

#4 m0le

  • Malware Response Team

Posted 15 June 2010 - 01:37 PM

Reopened at user's request

-----------------------------------------

Please ask your questions, doveman.

#5 doveman

  • Topic Starter

Posted 15 June 2010 - 04:52 PM

Thanks for re-opening the thread.

I'm not convinced my system is completely clean yet as I've noticed today that Windows Explorer is still doing that weird thing where when I expand a folder it expands quite slowly. It stopped doing this after I cleaned the system before.

I don't appear to be having any problems with Avira now and there's nothing using any substantial processor time whilst this problem is happening. It still happens even with Avira disabled, so it's not down to that scanning the folders. I also don't think it's caused by a Visual Effect, as the only two I have enabled are "Smooth edges of screen fonts" and "Use visual styles on windows and buttons".

I've also tried killing as many non-system processes as I can to see if any of those are causing it, but that didn't make any difference.

#6 m0le

  • Malware Response Team

Posted 15 June 2010 - 04:55 PM

Okay, nothing really terrible in the symptoms but let's see some logs

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

#7 doveman

  • Topic Starter

Posted 17 June 2010 - 09:28 AM

Here's the logs requested.

Windows Explorer has stopped behaving weirdly, for the moment at least, but I did notice another weird glitch. When the User Login page is displayed, every minute or so it flashes and I get a glimpse of my desktop background. I'm not sure if it's showing the whole desktop, icons and all, or just the background because it's so quick.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Main at 1:41:39.20 on 17/06/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2814.2368 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\mom.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
I:\Tech\USB Utils\Virus Scan\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: GuardId.MSIEBrowser.BHO: {5b0a01d2-b8a0-4e56-9e6b-cba0ef4b4eb5} - mscoree.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [POP Peeper] "c:\program files\pop peeper\POPPeeper.exe" -min
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [iTraffic Monitor] c:\program files\itraffic monitor\iTrafficMon.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
dRun: [Eraser] c:\program files\eraser\Eraser.exe -hide
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
uPolicies-explorer: NoSMHelp = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262261776390
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262261768312
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {B843F9BD-9451-43D9-B7B8-4DE99F38BF32} = 192.168.1.254
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dllcredssp.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\main\applic~1\mozilla\firefox\profiles\o7ap41s8.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-25 11608]
R1 fwdrv;Kerio Personal Firewall Driver;c:\windows\system32\drivers\FWDRV.SYS [2010-5-20 102912]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-25 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-25 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-25 60936]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.sys [2010-2-2 3584]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2009-12-10 14424]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-9-30 116736]
R3 ZRTP;ZRTP Service;c:\windows\system32\drivers\zrtp.sys [2009-3-22 1052768]
S0 cfadisk;CompactFlash Filter Driver;c:\windows\system32\drivers\cfadisk.sys --> c:\windows\system32\drivers\cfadisk.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ToolTipFixer;ToolTipFixer;c:\program files\neosmart technologies\tooltipfixer\ToolTipFixer.exe [2008-10-14 61952]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-5-28 1691480]
S3 Bcfilter;Jetico Personal Firewall Network Monitor;c:\windows\system32\drivers\bcfilter.sys --> c:\windows\system32\drivers\bcfilter.sys [?]
S3 BcfilterMP;BcfilterMP;c:\windows\system32\drivers\bcfilter.sys --> c:\windows\system32\drivers\bcfilter.sys [?]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-5-28 12672]
S3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\deltaII.sys [2009-10-10 302728]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-2-8 8704]
S3 etdrv;etdrv;c:\windows\etdrv.sys [2009-5-28 17488]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-2-8 3072]
S3 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;c:\progra~1\gfi\gfibac~1\GFIHSC~1.EXE [2009-11-7 1412392]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.0;c:\windows\system32\drivers\libusb0.sys [2009-11-10 28672]
S3 MCEIR;%MCEIR.SvcDesc%;c:\windows\system32\drivers\MCEIR.sys [2009-12-18 18560]
S3 portio32;portio32;c:\windows\system32\drivers\portio32.sys [2009-11-5 2048]
S3 PRISM;Intersil PRISM Wireless LAN Driver;c:\windows\system32\drivers\prismnds.sys --> c:\windows\system32\drivers\PRISMNDS.sys [?]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2009-10-2 36928]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\ultramonmirror.sys --> c:\windows\system32\drivers\UltraMonMirror.sys [?]
S3 WinRing0_1_1_1;WinRing0_1_1_1;c:\k10stat\WinRing0.sys [2009-8-22 13904]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;c:\progra~1\gfi\gfibac~1\GFIHInst.exe [2009-11-7 440616]

=============== Created Last 30 ================

2010-06-16 20:28:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Note
2010-06-16 16:38:50 0 d-----w- c:\program files\NVIDIA Corporation
2010-06-16 16:38:13 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-06-16 16:38:13 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-06-16 16:38:13 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-06-16 16:38:13 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-06-16 15:03:42 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{0691F710-1ECA-4B5A-9727-25554F1BFDC6}
2010-06-15 19:40:54 0 d-----w- c:\windows\system32\NtmsData
2010-06-15 18:32:06 470272 ----a-w- c:\program files\fxdecod1.dll
2010-06-10 15:06:54 121229 ----a-w- c:\windows\File Renamer - Basic Uninstaller.exe
2010-06-10 15:06:54 0 d-----w- c:\program files\File Renamer
2010-06-10 15:01:17 0 d-----w- c:\program files\TagScanner
2010-06-10 14:56:36 0 d-----w- c:\program files\TagRename
2010-06-10 14:53:58 0 d-----w- c:\program files\ExtraRename10
2010-06-07 12:31:33 171008 ----a-w- c:\windows\system32\srsvc.dll
2010-06-07 12:31:33 171008 ----a-w- c:\windows\system32\dllcache\srsvc.dll
2010-06-07 12:21:32 98816 ----a-w- c:\windows\sed.exe
2010-06-07 12:21:32 77312 ----a-w- c:\windows\MBR.exe
2010-06-07 12:21:32 256512 ----a-w- c:\windows\PEV.exe
2010-06-07 12:21:32 161792 ----a-w- c:\windows\SWREG.exe
2010-06-07 12:21:25 0 d-----w- C:\ComboFix
2010-06-05 09:50:51 0 d-----w- c:\temp\XP
2010-06-04 09:43:55 0 d-----w- c:\program files\common files\reFX
2010-06-03 23:44:11 0 d-----w- c:\program files\energyXT
2010-06-03 23:37:34 0 d-----w- c:\program files\Kreatives.org
2010-06-03 23:36:28 0 d-----w- c:\docume~1\main\applic~1\GetRightToGo
2010-06-03 21:36:34 0 d-----w- c:\program files\VSThost
2010-06-03 20:22:50 0 d-----w- c:\program files\common files\EZB Systems
2010-06-03 20:22:49 0 d-----w- c:\program files\UltraISO
2010-06-03 20:07:03 0 d-----w- c:\program files\MagicISO
2010-06-03 14:37:02 0 d-----w- c:\windows\uninstall
2010-05-30 11:42:21 5 ----a-w- c:\windows\apeleiha.ini
2010-05-30 11:26:45 0 d-----w- c:\program files\Vstplugins
2010-05-29 11:43:59 1122304 ----a-w- c:\windows\system32\libeay32.dll
2010-05-29 10:45:57 0 d-----w- C:\OpenSSL-Win32
2010-05-27 22:35:09 52 ----a-w- c:\windows\intuprof.ini
2010-05-27 09:48:20 0 d-----w- c:\program files\Microsoft Chart Controls
2010-05-26 11:08:39 1251872 ----a-w- c:\windows\RtlExUpd.dll
2010-05-26 09:29:52 0 d-----w- c:\program files\ATI
2010-05-26 09:29:38 0 d-----w- c:\program files\ATI Technologies
2010-05-26 08:58:29 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-05-23 12:34:05 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-05-23 12:34:05 547 ----a-w- c:\windows\system32\ffdshow.ax.manifest
2010-05-23 12:34:05 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2010-05-23 12:34:05 1708 ----a-w- c:\windows\system32\openIE.js
2010-05-23 12:34:05 0 d-----w- c:\windows\system32\languages
2010-05-23 12:34:05 0 d-----w- c:\windows\system32\custom matrices
2010-05-23 12:34:04 46603 ----a-w- c:\windows\system32\unins000.dat
2010-05-23 12:34:04 1185359 ----a-w- c:\windows\system32\unins000.exe
2010-05-23 12:33:48 33019 ----a-w- c:\windows\system32\CoreAAC-uninstall.exe
2010-05-23 12:33:38 497664 ----a-w- c:\windows\system32\ac3filter.acm
2010-05-23 12:33:38 0 d-----w- c:\program files\AC3Filter
2010-05-22 14:11:50 0 d-----w- c:\program files\SBaGen
2010-05-22 06:17:15 0 d-----w- c:\windows\XSxS
2010-05-22 06:17:15 0 d-----w- c:\program files\Xenocode
2010-05-20 12:35:06 0 d-----w- c:\docume~1\main\applic~1\WinBatch
2010-05-20 11:29:41 102912 ------w- c:\windows\system32\drivers\FWDRV.SYS
2010-05-20 09:48:02 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-20 09:48:00 0 d-----w- c:\program files\DAEMON Tools Lite
2010-05-19 21:30:56 411368 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-04-30 16:22:46 84512 ----a-w- c:\windows\SOUNDMAN.EXE
2010-04-30 16:22:46 358944 ----a-w- c:\windows\vncutil.exe
2010-04-30 16:22:46 1833504 ----a-w- c:\windows\SkyTel.exe
2010-04-30 16:22:40 9721888 ----a-w- c:\windows\RTLCPL.EXE
2010-04-30 16:22:40 1489440 ----a-w- c:\windows\RtlUpd.exe
2010-04-30 16:22:34 51232 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-04-30 16:22:34 19523616 ----a-w- c:\windows\RTHDCPL.EXE
2010-04-30 16:22:34 129568 ----a-w- c:\windows\RtkAudioService.exe
2010-04-30 16:22:28 2177568 ----a-w- c:\windows\MicCal.exe
2010-04-30 16:22:22 64032 ----a-w- c:\windows\ALCMTR.EXE
2010-04-30 16:22:22 2815520 ----a-w- c:\windows\ALCWZRD.EXE
2010-04-30 15:56:24 6032928 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2010-04-29 14:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-10 16:14:23 737280 ----a-w- c:\windows\iun6002.exe
2010-04-07 02:02:28 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-04-07 02:02:16 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-04-07 02:01:28 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-04-07 02:00:26 3981312 ----a-w- c:\windows\system32\aticaldd.dll
2010-04-07 01:52:16 14356480 ----a-w- c:\windows\system32\atioglxx.dll
2010-04-07 01:46:42 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-04-07 01:45:46 300544 ----a-w- c:\windows\system32\ati2dvag.dll
2010-04-07 01:41:38 3620288 ----a-w- c:\windows\system32\ati3duag.dll
2010-04-07 01:31:00 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-04-07 01:30:44 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-04-07 01:30:32 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-04-07 01:30:24 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-04-07 01:30:10 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-04-07 01:28:56 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-04-07 01:28:06 2220928 ----a-w- c:\windows\system32\ativvaxx.dll
2010-04-07 01:27:40 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-04-07 01:27:34 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-04-07 01:23:14 585728 ----a-w- c:\windows\system32\atikvmag.dll
2010-04-07 01:21:52 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-04-07 01:21:20 184320 ----a-w- c:\windows\system32\atiadlxx.dll
2010-04-07 01:20:54 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-04-07 01:15:22 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2010-04-07 01:14:06 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-04-07 01:14:06 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-02-04 13:23:25 2 ----a-w- c:\program files\mshexc.bmp
2010-01-09 03:55:15 17368 ----a-w- c:\program files\unins000.dat
2010-01-09 03:55:15 11088 ----a-w- c:\program files\unins000.msg
2010-01-09 03:54:52 782088 ----a-w- c:\program files\unins000.exe
2009-08-03 17:03:58 29184 ----a-w- c:\program files\RemoveDrive.exe
2007-09-07 15:35:20 1941504 ----a-r- c:\program files\CDSpeed v4.7.75.exe
2007-04-06 14:46:28 4037888 ----a-r- c:\program files\Foxit_Reader.exe
2006-09-28 15:09:20 1462272 ----a-r- c:\program files\InfoTool.exe
2006-07-25 16:45:12 1089536 ----a-r- c:\program files\DriveSpeed.exe
2006-05-07 18:13:24 12232362 ----a-w- c:\program files\mencoder.exe
2004-01-28 09:50:42 704512 ----a-r- c:\program files\QuickPar.exe

============= FINISH: 1:41:50.25 ===============



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-17 01:51:26
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\temp\user\uxldapod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\Drivers\fwdrv.sys ZwClose [0xA8D90D1E]
SSDT \SystemRoot\system32\Drivers\fwdrv.sys ZwCreateFile [0xA8D9062B]
SSDT BA77A54E ZwCreateKey
SSDT \SystemRoot\system32\Drivers\fwdrv.sys ZwCreateProcess [0xA8D90C92]
SSDT \SystemRoot\system32\Drivers\fwdrv.sys ZwCreateProcessEx [0xA8D90C17]
SSDT \SystemRoot\system32\Drivers\fwdrv.sys ZwCreateSection [0xA8D90713]
SSDT BA77A544 ZwCreateThread
SSDT BA77A553 ZwDeleteKey
SSDT BA77A55D ZwDeleteValueKey
SSDT BA77A562 ZwLoadKey
SSDT BA77A530 ZwOpenProcess
SSDT BA77A535 ZwOpenThread
SSDT BA77A56C ZwReplaceKey
SSDT BA77A567 ZwRestoreKey
SSDT BA77A558 ZwSetValueKey

Code 8B080B0C ZwRequestPort
Code 8B080BAC ZwRequestWaitReplyPort
Code 8B080B0B NtRequestPort
Code 8B080BAB NtRequestWaitReplyPort

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!NtRequestPort 805A2A5A 5 Bytes JMP 8B080B10
PAGE ntkrnlpa.exe!NtRequestWaitReplyPort 805A2D86 5 Bytes JMP 8B080BB0
PAGENDSM NDIS.sys!NdisMIndicateStatus B9E099EF 6 Bytes JMP A8D8E6D8 \SystemRoot\system32\Drivers\fwdrv.sys
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB5888000, 0x235F87, 0xE8000020]
.text win32k.sys!EngAcquireSemaphore + 20E2 BF808296 5 Bytes JMP 8B0804D0
.text win32k.sys!EngFreeUserMem + 5BD2 BF80EE1D 5 Bytes JMP 8B080430
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 322E BF81E72F 5 Bytes JMP 8B0809D0
.text win32k.sys!EngSetLastError + 77CA BF8287BB 5 Bytes JMP 8B080610
.text win32k.sys!EngCreateBitmap + DDB2 BF845B93 5 Bytes JMP 8B0806B0
.text win32k.sys!EngStretchBlt + 40AB BF8693C7 5 Bytes JMP 8B080890
.text win32k.sys!EngCreatePalette + 1C0 BF86EF2A 5 Bytes JMP 8B080570
.text win32k.sys!EngAlphaBlend + 3E8 BF8C30F9 5 Bytes JMP 8B080750
.text win32k.sys!PATHOBJ_vGetBounds + 7650 BF8EFFCB 5 Bytes JMP 8B080930
.text win32k.sys!EngCreateClip + 19C1 BF9131E9 5 Bytes JMP 8B080A70
.text win32k.sys!EngCreateClip + 2597 BF913DBF 5 Bytes JMP 8B0807F0

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [A8D8E520] \SystemRoot\system32\Drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [A8D8E53B] \SystemRoot\system32\Drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [A8D8E5CB] \SystemRoot\system32\Drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [A8D8E5EE] \SystemRoot\system32\Drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [A8D8E5CB] \SystemRoot\system32\Drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [A8D8E53B] \SystemRoot\system32\Drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [A8D8E520] \SystemRoot\system32\Drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisRegisterProtocol] [A8D8E5CB] \SystemRoot\system32\Drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisOpenAdapter] [A8D8E53B] \SystemRoot\system32\Drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisDeregisterProtocol] [A8D8E5EE] \SystemRoot\system32\Drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisCloseAdapter] [A8D8E520] \SystemRoot\system32\Drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\NMnt.sys[NDIS.SYS!NdisRegisterProtocol] [A8D8E5CB] \SystemRoot\system32\Drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\NMnt.sys[NDIS.SYS!NdisCloseAdapter] [A8D8E520] \SystemRoot\system32\Drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\NMnt.sys[NDIS.SYS!NdisDeregisterProtocol] [A8D8E5EE] \SystemRoot\system32\Drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\NMnt.sys[NDIS.SYS!NdisOpenAdapter] [A8D8E53B] \SystemRoot\system32\Drivers\fwdrv.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume7 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume8 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume9 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 2
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA7 0xB5 0xA9 0x9A ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x64 0xCE 0x71 0xE2 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x1D 0x18 0x8D 0x07 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x15 0x0A 0x7F 0xFC ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE5 0xD5 0x3F 0x6A ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x75 0x27 0x9E 0x03 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0B 0x9D 0x8D 0x74 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF4 0x94 0x46 0xFF ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFD 0x26 0x08 0xD5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9A 0x86 0xE2 0x1D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDF 0xD6 0x79 0x77 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE5 0xD5 0x3F 0x6A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x71 0x1D 0x3F 0x7B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0B 0x9D 0x8D 0x74 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF4 0x94 0x46 0xFF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFD 0x26 0x08 0xD5 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 2
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9A 0x86 0xE2 0x1D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDF 0xD6 0x79 0x77 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE5 0xD5 0x3F 0x6A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x71 0x1D 0x3F 0x7B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0B 0x9D 0x8D 0x74 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF4 0x94 0x46 0xFF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFD 0x26 0x08 0xD5 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 30: copy of MBR

---- EOF - GMER 1.0.15 ----




#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:04 PM

Posted 17 June 2010 - 04:48 PM

Please run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Run OTL again as below.

Under the Custom Scans/Fixes box at the bottom, paste in the following

CODE
:OTL

:reg
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"securityproviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"


Then click the Run Fix button at the top

Let the program run unhindered.

When done it will say "Fix Complete press ok to open the log"
Please post that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.
m0le is a proud member of UNITE
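The two registry values the OTL script in the post above writes back are worth understanding, because both are places where a change silently alters how the system behaves. In the DDS log earlier in this thread the SecurityProviders value reads `msnsspc.dllcredssp.dll`, two provider names run together with the separator lost, and the fix restores the comma-separated list; the exefile `shell\open\command` value `"%1" %*` is the plain default handler for launching .exe files, and the fix writes that default back. The following is an added example, not part of this thread and not OTL code, that checks both value strings against the expected form. The expected provider list is the one the fix above writes; the code works on strings only, so it runs anywhere, and reading the live values on a Windows machine is left to the reader.

```python
"""Check the two registry values that the OTL fix above writes back.

Added example, not part of this thread and not OTL code. It works on the
value strings only (the DDS log line and the OTL script values from this
page), so it runs anywhere; reading the live values on Windows is left to
the reader.
"""

# Expected provider list, taken from the OTL fix posted in the thread.
EXPECTED_PROVIDERS = ["msapsspc.dll", "schannel.dll", "digest.dll",
                      "msnsspc.dll", "credssp.dll"]

# Default handler for .exe files: run the file itself, passing its arguments.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'

# The line as it appears in the DDS log earlier in this thread.
DDS_LINE = ("SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, "
            "msnsspc.dllcredssp.dll")


def parse_dds_line(line: str) -> str:
    """Strip the 'SecurityProviders:' label DDS puts in front of the value."""
    _label, sep, value = line.partition(":")
    return value.strip() if sep else line.strip()


def check_security_providers(value: str) -> dict:
    """Split a SecurityProviders value and compare it with the expected list.

    'unknown' holds tokens that are not expected providers: a third-party
    SSP, or two names run together because a separator was lost.
    'missing' holds expected providers that are absent once the value is
    split. Either condition makes the check fail.
    """
    tokens = [t.strip() for t in value.split(",") if t.strip()]
    lowered = {t.lower() for t in tokens}
    unknown = [t for t in tokens if t.lower() not in EXPECTED_PROVIDERS]
    missing = [p for p in EXPECTED_PROVIDERS if p not in lowered]
    return {"ok": not unknown and not missing,
            "unknown": unknown, "missing": missing}


def repaired_security_providers() -> str:
    """The value the OTL fix writes back: the expected list, comma separated."""
    return ", ".join(EXPECTED_PROVIDERS)


def check_exefile_command(command: str) -> dict:
    """Verify the exefile\\shell\\open\\command default value.

    Anything other than the plain '"%1" %*' (another program placed in
    front of it, for instance) means every .exe launch goes through that
    program first, so the check only accepts the exact default.
    """
    normalized = " ".join(command.split())
    return {"ok": normalized == EXPECTED_EXEFILE_COMMAND, "value": normalized}


if __name__ == "__main__":
    result = check_security_providers(parse_dds_line(DDS_LINE))
    print("SecurityProviders as logged:", result)
    print("repaired value:", repaired_security_providers())
    print("exefile command:", check_exefile_command('"%1" %*'))
```

Run against the DDS line, the check reports `msnsspc.dllcredssp.dll` as an unknown token and both `msnsspc.dll` and `credssp.dll` as missing, which is exactly what the OTL `:reg` entry corrects; the repaired value passes.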

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:04 PM

Posted 19 June 2010 - 06:52 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#10 doveman

doveman
  • Topic Starter

  • Members
  • 25 posts
  • Local time:06:04 PM

Posted 20 June 2010 - 02:22 AM

Sorry I took so long. I was a bit confused by your mention of running OTL again as I'd not heard of it before, but I managed to find it.

Note: MBAM found some suspect files, but some are legitimate tools that I have and the others I'm not convinced are bad, so I haven't removed them as you instructed; none are on my system drive anyway, so they won't be causing any problems.

--------------------------------------
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4213

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

18/06/2010 21:47:02
mbam-log-2010-06-18 (21-47-02).txt

Scan type: Full scan (C:\|D:\|E:\|I:\|J:\|S:\|X:\|)
Objects scanned: 710896
Time elapsed: 1 hour(s), 13 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
I:\To backup\Bart PE\plugin\True_Image_Server_8\files\system\cmdow.exe (Malware.Tool) -> No action taken.
I:\Tech\Recovery-Discs\BartPE\My plugins\plugin\True_Image_Server_8\files\system\cmdow.exe (Malware.Tool) -> No action taken.
I:\Tech\Recovery-Discs\Winbuilder\Target\LiveXP\i386\System32\deskadp.dll (Malware.Packer.Gen) -> No action taken.
I:\Tech\Recovery-Discs\Winbuilder\Target\LiveXP\i386\System32\deskmon.dll (Trojan.Agent) -> No action taken.
I:\Tech\Recovery-Discs\Winbuilder\Target\LiveXP\i386\System32\themeui.dll (Malware.Packer.Gen) -> No action taken.
I:\Tech\Recovery-Discs\Reatogo-235\plugin\Nero_autoHelp\Files\msvcrt.dll (Malware.Packer.Gen) -> No action taken.
I:\Tech\Recovery-Discs\Reatogo-235\plugin\Nero_autoHelp\Files\shfolder.dll (Malware.Packer.Gen) -> No action taken.
I:\Tech\USB Utils\switchblade\tools\netpass.exe (Password.Stealer) -> No action taken.
I:\Tech\USB Utils\switchblade\tools\pspv.exe (Password.Tool) -> No action taken.
I:\Tech\USB Utils\System Utils\Show XP Key\RockXP4.exe (Hacktool.PasswordDump) -> No action taken.
I:\Tech\USB Utils\WIP\CMD\netpass.exe (Password.Stealer) -> No action taken.
I:\Tech\USB Utils\WIP\CMD\pspv.exe (Password.Tool) -> No action taken.
--------------------------------------------------------------------------------------
========== OTL ==========
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\\"securityproviders"|"msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\""|""%1" %*" /E : value set successfully!

OTL by OldTimer - Version 3.2.6.0 log created on 06202010_081323
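Reading an MBAM log like the one above by hand works for a dozen hits; the parser below turns each detection line into a record and answers the two triage questions the post raises: which categories were hit, and whether any detection sits on the system drive or was left in place ("No action taken"). This is an added example, not part of the thread and not Malwarebytes code. The sample log reuses three detection lines from the post above and adds one constructed line on C: (no such file is mentioned anywhere in the thread) so that the system-drive branch is exercised.

```python
"""Parse an MBAM scan log and triage its detections.

Added example, not part of this thread and not Malwarebytes code. The
sample log reuses three detection lines from the post above plus one
constructed line on C: that appears nowhere in the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: three lines from the post, one constructed C: line.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Database version: 4213

Files Infected: 4

Registry Keys Infected:
(No malicious items detected)

Files Infected:
I:\To backup\Bart PE\plugin\True_Image_Server_8\files\system\cmdow.exe (Malware.Tool) -> No action taken.
I:\Tech\USB Utils\switchblade\tools\netpass.exe (Password.Stealer) -> No action taken.
I:\Tech\Recovery-Discs\Winbuilder\Target\LiveXP\i386\System32\deskmon.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temp\constructed-sample.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Section headers in the detail part of the log end with ':' and no count.
SECTION_RE = re.compile(r"^([A-Za-z ]+Infected):$")
# '<path> (<category>) -> <action>.'; the category is the last '(...)' group.
DETECTION_RE = re.compile(
    r"^(?P<path>.+) \((?P<category>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    section: str
    path: str
    category: str
    action: str


def parse_mbam_log(text: str) -> list:
    """Return one Detection per detection line, tagged with its section."""
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            detections.append(
                Detection(section, m["path"], m["category"], m["action"]))
    return detections


def triage(detections, system_drive: str = "C:") -> dict:
    """Count by category and pull out the hits that need a second look."""
    by_category = Counter(d.category for d in detections)
    on_system = [d for d in detections
                 if d.path.upper().startswith(system_drive.upper())]
    not_removed = [d for d in detections
                   if d.action.lower() == "no action taken"]
    return {"by_category": dict(by_category),
            "on_system_drive": on_system,
            "not_removed": not_removed}


if __name__ == "__main__":
    summary = triage(parse_mbam_log(SAMPLE_LOG))
    print("by category:", summary["by_category"])
    for d in summary["on_system_drive"]:
        print("on system drive:", d.path, d.category, d.action)
    print("left in place:", len(summary["not_removed"]))
```

The regex takes the last parenthesised group before `->` as the category, so paths that themselves contain parentheses still parse. Detections left in place on a non-system volume are the ones to verify individually, which is what the next posts go on to do.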


#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:04 PM

Posted 20 June 2010 - 04:07 PM

QUOTE
I was a bit confused by your mention of running OTL again as I'd not heard of it before, but I managed to find it.


If you are not sure, just post on the topic. I apologise for that; I didn't give the link for OTL.

QUOTE
some are legitimate tools that I have and the others I'm not convinced are bad,


Every one of those files is infected. MBAM has an excellent detection rate, and unless you can tell me 100% that these files were found through a legitimate source then you should remove them. If you want, you can check a file as below.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the Jotti page has finished loading, click the Browse button, navigate to one of these files and click Submit.

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal
m0le is a proud member of UNITE

#12 doveman

doveman
  • Topic Starter

  • Members
  • 25 posts
  • Local time:06:04 PM

Posted 20 June 2010 - 05:52 PM

I re-downloaded cmdow from http://www.commandline.co.uk/cmdow/ and checked the hashes using rehash, which all matched, so I'm pretty sure it's OK.

However, if I check it with Virus Total, it's still identified as a "bad" file by 22/41 of the engines, as shown here:
http://www.virustotal.com/analisis/3193905...1756-1277072339

As the Cmdow page says, "Some anti-virus software vendors now classify cmdow.exe as a hacking tool because it can hide windows.", so I think it's just a false positive.

deskadp.dll is only flagged by 2/41 engines, so I think that's OK.
http://www.virustotal.com/analisis/4618c51...ed30-1275488698

deskmon.dll is only flagged by 2/39 engines
http://www.virustotal.com/analisis/09f25a7...94a8-1244409236

and the same for themeui.dll:
http://www.virustotal.com/analisis/0f91369...fcb4-1244409239

msvcrt.dll isn't flagged by anything:
http://www.virustotal.com/analisis/a74b1a5...65da-1274188516

and shfolder.dll is only flagged by one engine:
http://www.virustotal.com/analisis/3b28d2a...c989-1274189014

I believe these five files are probably flagged by MBAM as they've been modified to enable things to work in a Recovery/Live XP (XP booted and running from CD) environment, so MBAM thinks they're suspicious because they've been modified.

As for the rest, they're all tools for retrieving passwords, which can be used for both good and bad, so I understand why MBAM flags them, but I don't need to delete them.

So I think in some cases, MBAM is overcautious although I appreciate in most cases it's better to eliminate any suspicious files. None of the files MBAM identified on my hard drive are infecting my system however, so it appears to be clean now. I should probably investigate other avenues now, such as drivers, to try and fix the problems I'm experiencing and free you up to help someone else.

If I could just refer back to my first post though and ask about the virus found when I first scanned my system, namely run_setup.exe. From what I can tell, it appears to be Adware/Medium Risk Malware, so it doesn't appear to be a key logger type virus but I'd be grateful for your advice on that point.
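The triage doveman walks through above (sorting MBAM hits into generic packer heuristics worth a second opinion, dual-use password tools, and everything else, plus re-verifying a re-downloaded tool against its published hash) can be scripted. This is an added example, not code from the thread or from Malwarebytes; the log lines are constructed to match the format posted earlier, the triage buckets and prefix lists are an assumption for illustration, and the hash check assumes the vendor publishes a SHA-256.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample in the Malwarebytes log format posted in this thread:
# "<path> (<detection name>) -> <action>."  (paths mirror the ones above)
MBAM_LOG = r"""
I:\Tech\Recovery-Discs\Winbuilder\Target\LiveXP\i386\System32\themeui.dll (Malware.Packer.Gen) -> No action taken.
I:\Tech\USB Utils\switchblade\tools\netpass.exe (Password.Stealer) -> No action taken.
I:\Tech\USB Utils\switchblade\tools\pspv.exe (Password.Tool) -> No action taken.
I:\Tech\USB Utils\System Utils\Show XP Key\RockXP4.exe (Hacktool.PasswordDump) -> No action taken.
"""

# Lazy path match so the first " (" starts the detection name; action ends with a period.
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)\.$")

# Hypothetical buckets (assumption, not an MBAM taxonomy): generic packer heuristics
# deserve a multi-engine second opinion; dual-use password tools are expected on an
# admin's utility drive but should still be inventoried; anything else is removed.
GENERIC_PREFIXES = ("Malware.Packer", "Heuristic")
DUAL_USE_PREFIXES = ("Password.", "Hacktool.", "PUP.")


def parse_mbam_log(text):
    """Return a list of (path, detection, action) tuples, skipping lines that don't match."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["path"], m["detection"], m["action"]))
    return entries


def triage(entries):
    """Group paths by detection family so each group gets the right follow-up."""
    buckets = defaultdict(list)
    for path, detection, _action in entries:
        if detection.startswith(GENERIC_PREFIXES):
            buckets["second_opinion"].append(path)
        elif detection.startswith(DUAL_USE_PREFIXES):
            buckets["dual_use_tool"].append(path)
        else:
            buckets["remove"].append(path)
    return dict(buckets)


def hash_matches(data, expected_sha256):
    """Check a re-downloaded file's bytes against the vendor's published SHA-256 hex digest."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_sha256.strip().lower())
```

A low detection ratio on a multi-engine scan is only a hint; the hash comparison against a value from the vendor's own page is what actually establishes the file is the one they shipped.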

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:04 PM

Posted 20 June 2010 - 06:08 PM

The run_setup.exe is part of a low level adware threat which doesn't include a keylogger.

If you're happy to keep the file that's being flagged then that's fine. Some of the IDs do tend towards heuristic or non-virus, so it looks like you're okay to keep them.

Ask, which is also present, also falls within the keep/don't keep area.

The Ask toolbar is not recommended. This toolbar enhances internet browsing and provides a direct link to the "ask.com" search engine. This program is not known to be bundled with spyware; the company strongly denies the toolbar is malware.

Please read why it might be good to remove it here.



I agree that apart from those points your system is clean though.

You're clean. Good stuff!

Let's do some clearing up


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it, happy surfing!

Cheers.

m0le


m0le is a proud member of UNITE

#14 doveman

doveman
  • Topic Starter

  • Members
  • 25 posts
  • Local time:06:04 PM

Posted 20 June 2010 - 06:54 PM

Thanks very much for your assistance and advice.

I'll certainly remove the Ask toolbar as I never use it and don't remember being asked to install it. I've got it disabled already, so it shouldn't be causing any problems.

Have a good week.



#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:04 PM

Posted 20 June 2010 - 07:03 PM

Ask doesn't always, ahem, ask to be installed.

You have a good week too, doveman.
m0le is a proud member of UNITE



