Winsock FUBAR'd - Probably a rootkit


7 replies to this topic

#1 RPinDummy

Posted 08 June 2010 - 07:21 PM

Hello all.

For the past two days I've been fighting with a pretty weird virus infection on my laptop. I ran several malware cleaners, some of them found positives which I properly cleaned. But there still seems to be something going on with this computer. Specially with my Winsock.

At msinfo32 it doesn't show all the entries it should according to Microsoft. I tried several fixes and manual tricks and nothing seems to restore it back. As a result my computer is displaying odd behavior: no 32 bits application that uses internet is able to load properly (Messenger and Utorrent refuse to startup, my antivirus won't download new definitions and Winamp can't connect to radios online), but 64bit Internet Explorer is working fine.

I had this same problem before when I installed an update for a driver to my HP scanner. At the time I was able to restore to a previous point with the recovery tool, but this time I had no such luck.

Thanks for any help and insight. Here are my logs:

DDS log


DDS (Ver_10-03-17.01) - NTFSX64
Run by Rodrigopin at 20:13:03,69 on 08/06/2010
Internet Explorer: 7.0.6002.18005
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\AESTSr64.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Eset\nod32krn.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\system32\STacSV64.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray64.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\Palm\Hotsync.exe
C:\Windows\OEM02Mon.exe
C:\Program Files (x86)\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Eset\nod32kui.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files (x86)\Winamp\winamp.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\SysWOW64\conime.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Rodrigopin\Desktop\dds.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files (x86)\winamp toolbar\winamptb.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files (x86)\winamp toolbar\winamptb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files (x86)\winamp toolbar\winamptb.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files (x86)\java\jre1.6.0_07\bin\ssv.dll
BHO: Auxiliar de Conexao do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files (x86)\winamp toolbar\winamptb.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [msnmsgr] "c:\program files (x86)\windows live\messenger\msnmsgr.exe" /background
uRun: [DAEMON Tools Lite] "c:\program files (x86)\daemon tools lite\daemon.exe" -autorun
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [DELL Webcam Manager] "c:\program files (x86)\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [HP Software Update] c:\program files (x86)\hp\hp software update\HPWuSchd2.exe
mRun: [nod32kui] "c:\program files (x86)\eset\nod32kui.exe" /WAITSERVICE
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre1.6.0_07\bin\jusched.exe"
mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
mRun: [TkBellExe] "c:\program files (x86)\common files\real\update_ob\realsched.exe" -osboot
dRunOnce: [<NO NAME>]
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\autoca~1.lnk - c:\program files (x86)\common files\autodesk shared\acstart17.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\hotsyn~1.lnk - c:\program files (x86)\palm\Hotsync.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Winamp Search - c:\programdata\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~2\java\jre16~1.0_0\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
TB-X64: Winamp Toolbar: {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} -
TB-X64: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun-x64: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun-x64: [Persistence] c:\windows\system32\igfxpers.exe
mRun-x64: [Apoint] c:\program files\delltpad\Apoint.exe
mRun-x64: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun-x64: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray64.exe
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

================= FIREFOX ===================

FF - ProfilePath - c:\users\rodrig~1\appdata\roaming\mozilla\firefox\profiles\ncb37sem.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.br/firefox?client=firefox-a&rls=org.mozilla:pt-BR:official
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - component: c:\users\rodrigopin\appdata\roaming\mozilla\firefox\profiles\ncb37sem.default\extensions\nicofox@littlebtc\platform\winnt_x86-msvc\components\winprocess.dll
FF - plugin: c:\progra~2\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv64.sys [2010-2-17 14920]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\saskutil64.sys [2010-2-17 12360]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AESTSr64.exe [2010-3-23 86016]
R2 NOD32krn;NOD32 Kernel Service;c:\program files (x86)\eset\nod32krn.exe [2009-4-6 552064]
R2 SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore64.exe [2010-4-28 120832]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-4-2 3589416]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-4-2 36392]
R3 NETw4v64;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\NETw4v64.sys [2007-9-26 3196416]
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk60x64.sys [2007-12-6 391680]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-9-25 89920]
S3 NETw3v64;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\NETw3v64.sys [2008-1-20 3154432]
S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\drivers\point64k.sys [2009-5-28 33160]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-4-2 115240]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-4-2 19496]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-4-2 158760]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-4-2 137256]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-4-2 34344]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-4-2 136744]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-4-2 151592]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-4-2 18216]

============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2010-06-08 22:34:44 65536 --sha-w- c:\users\rodrigopin\ntuser.dat{d0e3e3eb-72b9-11df-929a-002269c21137}.TM.blf
2010-06-08 22:34:44 524288 --sha-w- c:\users\rodrigopin\ntuser.dat{d0e3e3eb-72b9-11df-929a-002269c21137}.TMContainer00000000000000000002.regtrans-ms
2010-06-08 22:34:44 524288 --sha-w- c:\users\rodrigopin\ntuser.dat{d0e3e3eb-72b9-11df-929a-002269c21137}.TMContainer00000000000000000001.regtrans-ms
2010-06-08 04:10:42 65536 --sha-w- c:\users\rodrigopin\ntuser.dat{249479e7-72b1-11df-9e5a-002269c21137}.TM.blf
2010-06-08 04:10:42 524288 --sha-w- c:\users\rodrigopin\ntuser.dat{249479e7-72b1-11df-9e5a-002269c21137}.TMContainer00000000000000000002.regtrans-ms
2010-06-08 04:10:42 524288 --sha-w- c:\users\rodrigopin\ntuser.dat{249479e7-72b1-11df-9e5a-002269c21137}.TMContainer00000000000000000001.regtrans-ms
2010-06-08 02:21:42 0 d-----w- c:\users\rodrig~1\appdata\roaming\Regrun
2010-06-08 02:19:26 0 d-sh--r- C:\desktop.ini
2010-06-08 02:19:26 0 d-sh--r- C:\comment.htt
2010-06-08 02:19:26 0 d-sh--r- C:\autorun.inf
2010-06-08 02:15:11 0 d-----w- c:\program files (x86)\Greatis
2010-06-08 02:04:20 0 d-----w- C:\_OTS
2010-06-08 00:56:32 0 d-----w- c:\program files (x86)\Trend Micro
2010-06-07 20:28:39 6144 ----a-w- c:\windows\system32\EDF8.tmp
2010-06-07 20:21:53 6144 ----a-w- c:\windows\system32\BD18.tmp
2010-06-07 20:21:28 0 d-----w- c:\users\rodrigopin\DoctorWeb
2010-06-07 20:21:11 0 d-----w- c:\program files (x86)\Sophos
2010-06-07 19:35:49 0 d-----w- c:\users\rodrig~1\appdata\roaming\SUPERAntiSpyware.com
2010-06-07 19:35:49 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-06-07 19:35:44 0 d-----w- c:\programdata\SASCORE
2010-06-07 19:35:42 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-07 19:35:00 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-06-05 23:37:35 0 d-----w- c:\users\rodrig~1\appdata\roaming\Malwarebytes
2010-06-05 23:37:24 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-05 23:37:24 0 d-----w- c:\programdata\Malwarebytes
2010-06-05 22:37:49 0 d-----w- c:\program files (x86)\Enigma Software Group
2010-06-05 22:36:18 0 d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-06-05 22:36:11 0 d-----w- c:\program files (x86)\common files\Wise Installation Wizard
2010-06-05 22:21:16 0 d-----w- c:\windows\system32\appmgmt
2010-05-29 20:21:09 0 d-----w- c:\program files (x86)\Gravity
2010-05-27 22:28:16 453456 ----a-w- c:\windows\syswow64\d3dx10_42.dll
2010-05-27 22:28:14 1892184 ----a-w- c:\windows\syswow64\D3DX9_42.dll
2010-05-25 21:56:06 2048 ----a-w- c:\windows\syswow64\tzres.dll
2010-05-25 21:56:06 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-11 22:25:14 974848 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-11 22:25:14 738816 ----a-w- c:\windows\syswow64\inetcomm.dll

==================== Find3M ====================

2010-06-08 22:42:02 644790 ----a-w- c:\windows\system32\perfh019.dat
2010-06-08 22:42:02 382072 ----a-w- c:\windows\system32\perfh011.dat
2010-06-08 22:42:02 125670 ----a-w- c:\windows\system32\perfc019.dat
2010-06-08 22:42:02 101350 ----a-w- c:\windows\system32\perfc011.dat
2010-05-12 14:21:16 270208 ------w- c:\windows\system32\MpSigStub.exe
2010-04-27 17:45:56 72856 ----a-w- c:\windows\syswow64\xliveinstallhost.exe
2010-04-27 17:45:56 187544 ----a-w- c:\windows\syswow64\xliveinstall.dll
2010-04-02 20:17:52 15426200 ----a-w- c:\windows\syswow64\xlive.dll
2010-04-02 20:17:52 13642904 ----a-w- c:\windows\syswow64\xlivefnt.dll
2010-03-23 23:17:21 51200 ----a-w- c:\windows\inf\infpub.dat
2010-03-23 23:17:21 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-23 23:17:18 86016 ----a-w- c:\windows\inf\infstor.dat
2009-10-20 23:15:36 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-04-02 02:51:11 30674 ----a-w- c:\windows\inf\perflib\0411\perfd.dat
2009-04-02 02:51:11 30674 ----a-w- c:\windows\inf\perflib\0411\perfc.dat
2009-04-02 02:51:11 139030 ----a-w- c:\windows\inf\perflib\0411\perfi.dat
2009-04-02 02:51:11 139030 ----a-w- c:\windows\inf\perflib\0411\perfh.dat
2008-02-06 08:59:24 38684 ----a-w- c:\windows\inf\perflib\0419\perfd.dat
2008-02-06 08:59:24 38684 ----a-w- c:\windows\inf\perflib\0419\perfc.dat
2008-02-06 08:59:23 332666 ----a-w- c:\windows\inf\perflib\0419\perfi.dat
2008-02-06 08:59:23 332666 ----a-w- c:\windows\inf\perflib\0419\perfh.dat
2008-01-21 03:21:14 174 --sha-w- c:\program files\desktop.ini
2008-01-21 03:21:14 174 --sha-w- c:\program files (x86)\desktop.ini
2006-11-02 15:14:32 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 15:14:32 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 15:14:32 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 15:14:32 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-04-03 02:02:52 76 --sh--r- c:\windows\CT4CET.bin
2010-03-09 23:24:37 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2010-03-09 23:24:37 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2010-03-09 23:24:37 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 20:13:20,42 ===============

GMER log

For some reason GMER is unable to scan any entries except for Registry, Services and Files. All other checkboxes appear grayed out for me. Is it due to my OS being Vista 64?


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-08 21:01:46
Windows 6.0.6002 Service Pack 2
Running: gmer.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002269c21137
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x10 0xB1 0x33 0x8A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBF 0x0A 0xAA 0x29 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x8A 0x70 0xCB 0x55 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002269c21137 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x10 0xB1 0x33 0x8A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBF 0x0A 0xAA 0x29 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x8A 0x70 0xCB 0x55 ...
Reg HKCU\Software\Microsoft\Windows Live\Communications Clients\Shared\1143007367\Groups@Dispon 0
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@H:\Downloads\[090327] [Norn Soft] \x3042\x307e\x3042\x306d 1
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@H:\Downloads\[090313] [Norn] \x30c4\x30f3\x30c7\x30ec 1
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@H:\Downloads\ 1

---- EOF - GMER 1.0.15 ----


#2 shelf life

  • Malware Response Team

Posted 13 June 2010 - 07:56 AM

Hi,

I don't recognize any malware in the log, but that doesn't mean you don't have or had any. You mentioned winsock. There is a utility for repairing it. You may have tried it already:

http://support.microsoft.com/?kbid=811259


QUOTE
update for a driver

My 'rule' : if its working ok there is no need to update the driver.

How Can I Reduce My Risk to Malware?
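An added check for the symptom the original poster describes (32-bit network clients fail while 64-bit Internet Explorer works), written for this page rather than taken from the thread or from KB 811259. The registry locations and the PackedCatalogItem layout it relies on are assumptions stated in the comments; the output is meant to be compared with the expected Winsock catalog before deciding on the KB's reset.

```powershell
# Added example, not from the thread or from Microsoft KB 811259.
# Enumerates both Winsock2 protocol catalogs on 64-bit Windows and reports
# entries whose provider DLL is missing or not Authenticode-signed, plus any
# mismatch between the stored entry count and the real number of subkeys.
# Assumptions: PackedCatalogItem begins with the provider path as a
# NUL-terminated ANSI string of at most 260 bytes; on 64-bit Windows the
# 32-bit providers live in Catalog_Entries and the 64-bit ones in
# Catalog_Entries64. Run from an elevated 64-bit PowerShell prompt.

$Catalog9 = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9'

function Get-WinsockProviders {
    param([Parameter(Mandatory)][ValidateSet('Catalog_Entries','Catalog_Entries64')][string]$Catalog)
    $path = Join-Path $Catalog9 $Catalog
    if (-not (Test-Path -LiteralPath $path)) { return }
    foreach ($key in Get-ChildItem -LiteralPath $path) {
        $packed = (Get-ItemProperty -LiteralPath $key.PSPath).PackedCatalogItem
        if (-not $packed) { continue }
        # Provider path: first MAX_PATH (260) bytes, ANSI, NUL-terminated (assumed layout).
        $limit = [Math]::Min(260, $packed.Length)
        $end = [Array]::IndexOf($packed, [byte]0, 0, $limit)
        if ($end -lt 0) { $end = $limit }
        $dll = [Environment]::ExpandEnvironmentVariables(
                   [System.Text.Encoding]::Default.GetString($packed, 0, $end))
        # The 32-bit catalog stores system32 paths that WOW64 redirects to SysWOW64.
        if ($Catalog -eq 'Catalog_Entries') {
            $dll = $dll -replace '(?i)\\system32\\', '\SysWOW64\'
        }
        $exists = Test-Path -LiteralPath $dll
        # Older Windows releases catalog-sign system DLLs, so NotSigned under
        # %SystemRoot% is normal there; an unsigned provider anywhere else is not.
        $status = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { 'MissingFile' }
        $inWindir = $dll -like "$env:SystemRoot\*"
        [pscustomobject]@{
            Catalog    = $Catalog
            Entry      = $key.PSChildName
            Provider   = $dll
            Signature  = $status
            Suspicious = (-not $exists) -or ($status -ne 'Valid' -and -not $inWindir)
        }
    }
}

function Test-WinsockCatalogCount {
    # Compares the count Winsock believes it has with the subkeys actually present;
    # a mismatch is one of the corruption signs the KB article's reset repairs.
    param([Parameter(Mandatory)][string]$Catalog)
    $props = Get-ItemProperty -LiteralPath $Catalog9
    $countName = if ($Catalog -eq 'Catalog_Entries64') { 'Num_Catalog_Entries64' } else { 'Num_Catalog_Entries' }
    $stored = [int]$props.$countName
    $actual = @(Get-ChildItem -LiteralPath (Join-Path $Catalog9 $Catalog) -ErrorAction SilentlyContinue).Count
    [pscustomobject]@{ Catalog = $Catalog; Stored = $stored; Actual = $actual; Consistent = ($stored -eq $actual) }
}

# Run both catalogs and diff them by provider file name, which is how
# "32-bit networking broken, 64-bit IE fine" shows up in the registry.
$p32 = @(Get-WinsockProviders -Catalog 'Catalog_Entries')
$p64 = @(Get-WinsockProviders -Catalog 'Catalog_Entries64')
$names32 = @($p32 | ForEach-Object { Split-Path $_.Provider -Leaf } | Sort-Object -Unique)
$names64 = @($p64 | ForEach-Object { Split-Path $_.Provider -Leaf } | Sort-Object -Unique)

'Catalog_Entries','Catalog_Entries64' | ForEach-Object { Test-WinsockCatalogCount $_ } | Format-Table -AutoSize | Out-Host
($p32 + $p64) | Where-Object Suspicious | Format-Table Catalog, Entry, Provider, Signature -AutoSize | Out-Host
"Providers only in the 64-bit catalog: " + (@($names64 | Where-Object { $names32 -notcontains $_ }) -join ', ')
"Providers only in the 32-bit catalog: " + (@($names32 | Where-Object { $names64 -notcontains $_ }) -join ', ')
```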


#3 RPinDummy

Posted 13 June 2010 - 12:13 PM

Sorry about the bumping. I understand now that it's not gonna help.

QUOTE(shelf life @ Jun 13 2010, 07:56 AM)
QUOTE
update for a driver

My 'rule' : if its working ok there is no need to update the driver.


My rule too, but the update pops up once a week or so asking for permission, and this time I might have clicked allow without realizing. It's pretty annoying.

EDIT: I have tried that fix before, and I did try it again just to be sure. Didn't work.

Edited by RPinDummy, 13 June 2010 - 12:37 PM.


#4 shelf life

Posted 13 June 2010 - 02:32 PM

Have you tried system file checker?



#5 RPinDummy

Posted 13 June 2010 - 03:52 PM

Yup. sfc said it fixed some corrupted files, but I took a look at the log and none of them were related to the problem at hand.

Rebooted but the problem still persists.

#6 shelf life

Posted 13 June 2010 - 08:08 PM

Can you post the last Malwarebytes log? You should find it like this:
The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

We will also get another download to run:
Please download: RootRepeal

http://ad13.geekstogo.com/RootRepeal.exe

Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply



#7 RPinDummy

Posted 15 June 2010 - 04:31 PM

Here's the log. RootRepeal won't run on a 64bit OS, it seems.




Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

05/06/2010 20:45:08
mbam-log-2010-06-05 (20-45-08).txt

Scan type: Quick scan
Objects scanned: 118875
Time elapsed: 5 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\.norton2009Reset (Trojan.Hacktool) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#8 shelf life

Posted 15 June 2010 - 05:01 PM

QUOTE
I had this same problem before when I installed an update for a driver to my HP scanner


I think that in Device Manager, if you find the scanner in the list, right click on it and select Properties; you should find an option to "roll back" the driver.
I am in Linux now but I will check a Windows machine if you can't find it. Of course all this is assuming it's the cause of the problem.
