Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Win32 Bamital AF


  • Please log in to reply
11 replies to this topic

#1 king vyper

king vyper

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:45 PM

Posted 22 October 2010 - 11:33 PM

Hello,

I recently got bite by the Bamital Af bug. I was gettting pop-ups when ever I started my PC and my browser keeps getting hijacked. I ran Spybot and avast which addressed some of this but Avast found some it could not get rid of. I followed the guide posted here and here are my logs. There is the possiblity that there maybe over virus or malware but I am not sure.

I have the DDS, Attach and GMER Log attached to this post.

DDS LOG

DDS (Ver_10-10-21.02) - NTFSx86
Run by Home at 0:14:11.09 on Sat 10/23/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1389 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Home\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
StartupFolder: c:\documents and settings\home\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\documents and settings\home\start menu\programs\startup\PowerReg Scheduler.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1212431440562
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199204945860
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199222054250
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\home\applic~1\mozilla\firefox\profiles\xyyw5a3m.default\
FF - prefs.js: browser.search.selectedEngine - Google US
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-2-14 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-14 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-1 40384]
R2 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2010-5-25 263944]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-1 40384]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [2003-1-1 36224]
S3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast4\ashmaisv.exe" /service --> c:\program files\alwil software\avast4\ashMaiSv.exe [?]
S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2004-4-19 6656]
S3 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
S3 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [2009-9-21 94208]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-7-26 14424]

=============== Created Last 30 ================

2010-10-22 18:10:25 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-22 18:10:25 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-19 12:51:45 -------- d-----w- c:\docume~1\home\applic~1\3E1696EF139AEC5D71AD36DDF42FA7CE
2010-10-14 02:49:51 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 02:49:51 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 02:49:44 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 0:14:55.92 ===============

The situtation has hit a critical stage. Explorer.exe has crashed and I can only access it in Safe Mode as a admin.
I don't have a recovery CD, I am considering take the PC back to its factory default setting. Please Help!

EDIT: Posts merged ~BP

Attached Files


Edited by Budapest, 26 October 2010 - 03:56 PM.


BC AdBot (Login to Remove)

 


#2 shelf life

shelf life

  • Malware Response Team
  • 2,680 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:12:45 AM

Posted 31 October 2010 - 11:49 AM

hi king vyper,

Your log is a few days old. If you still need help simply reply back.

How Can I Reduce My Risk to Malware?


#3 king vyper

king vyper
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:45 PM

Posted 01 November 2010 - 01:06 PM

Yes, I still need help.

#4 shelf life

shelf life

  • Malware Response Team
  • 2,680 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:12:45 AM

Posted 01 November 2010 - 03:15 PM

We will get a download to use. Its called combofix. There is a guide to read first before you use it. Read through the guide then apply the directions on your own machine. Post the combofix log in your reply. Based on the Gmer log I would use this machine as little as possible and no personal or financial info. When not in use power it off so theres no connectivity.

Guide to using Combofix

Edited by shelf life, 01 November 2010 - 03:17 PM.

How Can I Reduce My Risk to Malware?


#5 king vyper

king vyper
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:45 PM

Posted 02 November 2010 - 08:51 AM

Wow, Combofix rocks.

While running combofix, it showed that some of my boot files were corrupted and retarted my PC, when it came back up my deskyop came back also. When the Log popped up so did an Avast Alert pop-up stating it had discovered an rootkit and wanted me to delete it, I have done nothing yet.

ComboFix 10-11-01.05 - Home 11/02/2010 9:25.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1606 [GMT -4:00]
Running from: c:\documents and settings\Home\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\Server\admin.txt
c:\documents and settings\All Users\Documents\Server\server.dat
c:\documents and settings\Home\Application Data\3E1696EF139AEC5D71AD36DDF42FA7CE
c:\documents and settings\Home\Application Data\3E1696EF139AEC5D71AD36DDF42FA7CE\enemies-names.txt
c:\documents and settings\Home\Application Data\3E1696EF139AEC5D71AD36DDF42FA7CE\local.ini
c:\windows\system32\AutoRun.inf

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-10-02 to 2010-11-02 )))))))))))))))))))))))))))))))
.

2010-10-22 18:10 . 2010-10-22 18:10 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-22 18:02 . 2010-10-26 17:23 -------- d-s---w- c:\documents and settings\Administrator
2010-10-14 02:49 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 02:49 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 02:49 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2002-08-29 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2002-08-29 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2002-08-29 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2002-08-29 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2002-08-29 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2002-08-29 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-07 15:12 . 2010-07-02 01:51 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2009-02-14 10:48 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2009-02-14 10:48 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2009-02-14 10:48 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2009-02-14 10:48 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2009-02-14 10:48 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2009-02-14 10:48 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2009-02-14 10:48 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2009-02-14 10:48 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-01 11:51 . 2002-08-29 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2002-08-29 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2002-08-29 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2002-08-29 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2002-08-29 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-05-17 09:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2002-08-29 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-03-06 02:16 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-02-22 72192]

c:\documents and settings\Home\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2008-7-13 225280]
PowerReg Scheduler.exe [2008-5-31 256000]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdxamon]
2008-06-13 16:04 16040 ----a-w- c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdxmon.exe]
2008-06-13 16:04 668328 ----a-w- c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 20:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"ACDaemon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\lxdxcoms.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxtime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxwbgw.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\frun.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\Diagnostics\\LXDXdiag.exe"=
"c:\\Program Files\\D-Link\\SharePort Utility\\Connect.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"19540:UDP"= 19540:UDP:SXUPTP

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/20/2009 8:42 AM 721904]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/14/2009 6:48 AM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/14/2009 6:48 AM 17744]
R2 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [5/25/2010 4:32 PM 263944]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [1/1/2003 12:08 AM 36224]
S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [4/19/2004 4:01 PM 6656]
S3 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
S3 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [9/21/2009 12:44 PM 94208]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [7/26/2010 10:26 AM 14424]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\xyyw5a3m.default\
FF - prefs.js: browser.search.selectedEngine - Google US
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-mediarealease70x700hh - c:\documents and settings\Home\Application Data\3E1696EF139AEC5D71AD36DDF42FA7CE\mediarealease70x700hh.exe
MSConfigStartUp-Ulead AutoDetector - c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
AddRemove-{2460923D-1AA6-47FE-A375-76308780D20F} - c:\program files\InstallShield Installation Information\{2460923D-1AA6-47FE-A375-76308780D20F}\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-02 09:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2984)
c:\windows\system32\WININET.dll
c:\program files\Logitech\iTouch\iTchHk.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\netdde.exe
c:\windows\System32\dllhost.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\system32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2010-11-02 09:41:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-02 13:41

Pre-Run: 29,138,288,640 bytes free
Post-Run: 29,186,441,216 bytes free

- - End Of File - - 89685576478B67F84874DE041B48754B

#6 shelf life

shelf life

  • Malware Response Team
  • 2,680 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:12:45 AM

Posted 02 November 2010 - 04:11 PM

Looks like combofix removed the rootkit. If Avast is still giving you the popup alert go ahead and run it. If the item it flags are in something called:Qoobox, that is combofix's quarantine folder. Some AV apps might flag these items. Anything in qoobox is harmless and can be ignored.
We will also get another download which you can keep and use. Link and directions:

Please download the free version of Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

How Can I Reduce My Risk to Malware?


#7 king vyper

king vyper
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:45 PM

Posted 03 November 2010 - 08:48 AM

Here is the Log. My PC seems to be finally clean.

Rigt now I am running Avast and using the Windows Firewall. I don;t run a regular spy/Malware program.

Any suggestions?



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5026

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/2/2010 11:12:18 PM
mbam-log-2010-11-02 (23-12-18).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 241081
Time elapsed: 51 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 shelf life

shelf life

  • Malware Response Team
  • 2,680 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:12:45 AM

Posted 03 November 2010 - 04:06 PM

Avast has a anti-malware component built in to it along with antivirus. Having two or three anti-malware apps is recommended. Malwarebytes can be the other. Note that the free version of Malwarebytes must be updated manually and a scan started manually. The paid version offers auto updates and a real time protection component that runs in the background.

Windows firewall is fine. Most software firewalls can be complex and annoying with all the popups. Pretty soon people are just clicking right through them or allow all traffic or just turn them off. If you want one there are several free ones you could try.

Lets run one more tool while we are at it. Its called TDSSkiller. Link and directions:

Please download TDSS Killer.exe and save it to your desktop
Double click to launch the utility. After it initializes click the start scan button.

Once the scan completes you can click the continue button.

"The utility will automatically select an action (Cure or Delete) for known malcious objects. A suspicious object will be skipped by default."

"After clicking Next, the utility applies selected actions and outputs the result."

"A reboot might require after disinfection."

A report will be found in your Root drive Local Disk (C:) as TDSSKiller.2.4.2.1_09.08.2010_17.32.21_log.txt (name, version, date, time)
Please post the log report

How Can I Reduce My Risk to Malware?


#9 king vyper

king vyper
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:45 PM

Posted 04 November 2010 - 07:49 AM

2010/11/04 08:46:04.0796 TDSS rootkit removing tool 2.4.6.0 Nov 3 2010 10:11:43
2010/11/04 08:46:04.0796 ================================================================================
2010/11/04 08:46:04.0796 SystemInfo:
2010/11/04 08:46:04.0796
2010/11/04 08:46:04.0796 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/04 08:46:04.0796 Product type: Workstation
2010/11/04 08:46:04.0796 ComputerName: ELISHA
2010/11/04 08:46:04.0796 UserName: Home
2010/11/04 08:46:04.0796 Windows directory: C:\WINDOWS
2010/11/04 08:46:04.0796 System windows directory: C:\WINDOWS
2010/11/04 08:46:04.0796 Processor architecture: Intel x86
2010/11/04 08:46:04.0796 Number of processors: 1
2010/11/04 08:46:04.0796 Page size: 0x1000
2010/11/04 08:46:04.0796 Boot type: Normal boot
2010/11/04 08:46:04.0796 ================================================================================
2010/11/04 08:46:05.0203 Initialize success
2010/11/04 08:46:07.0546 ================================================================================
2010/11/04 08:46:07.0546 Scan started
2010/11/04 08:46:07.0546 Mode: Manual;
2010/11/04 08:46:07.0546 ================================================================================
2010/11/04 08:46:08.0031 Aavmker4 (8d488938e2f7048906f1fbd3af394887) C:\WINDOWS\system32\drivers\Aavmker4.sys
2010/11/04 08:46:08.0343 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/04 08:46:08.0484 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/11/04 08:46:08.0640 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/11/04 08:46:08.0750 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\WINDOWS\system32\drivers\Afc.sys
2010/11/04 08:46:08.0859 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/11/04 08:46:09.0218 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
2010/11/04 08:46:09.0375 AN983 (116bff96077a4a724e0aab800525ceb5) C:\WINDOWS\system32\DRIVERS\AN983.sys
2010/11/04 08:46:09.0453 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/11/04 08:46:09.0687 aswFsBlk (a0d86b8ac93ef95620420c7a24ac5344) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2010/11/04 08:46:09.0734 aswMon2 (7d880c76a285a41284d862e2d798ec0d) C:\WINDOWS\system32\drivers\aswMon2.sys
2010/11/04 08:46:09.0812 aswRdr (69823954bbd461a73d69774928c9737e) C:\WINDOWS\system32\drivers\aswRdr.sys
2010/11/04 08:46:09.0906 aswSP (7ecc2776638b04553f9a85bd684c3abf) C:\WINDOWS\system32\drivers\aswSP.sys
2010/11/04 08:46:10.0000 aswTdi (095ed820a926aa8189180b305e1bcfc9) C:\WINDOWS\system32\drivers\aswTdi.sys
2010/11/04 08:46:10.0109 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/04 08:46:10.0265 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/04 08:46:10.0546 ati2mtag (492bd2a5f65f218d4ede5764a3bb67e9) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/11/04 08:46:10.0750 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/04 08:46:10.0828 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/04 08:46:10.0921 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/04 08:46:11.0000 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2010/11/04 08:46:11.0015 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2010/11/04 08:46:11.0109 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/04 08:46:11.0265 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/04 08:46:11.0359 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/04 08:46:11.0421 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/04 08:46:11.0687 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/04 08:46:11.0812 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/11/04 08:46:12.0000 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/11/04 08:46:12.0125 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/11/04 08:46:12.0203 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/11/04 08:46:12.0296 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/11/04 08:46:12.0390 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/11/04 08:46:12.0453 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/11/04 08:46:12.0515 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/11/04 08:46:12.0562 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/11/04 08:46:12.0625 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/11/04 08:46:12.0687 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/11/04 08:46:12.0765 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/11/04 08:46:12.0828 genmcmnUSB (86f732d2995ada73fd307539ec266d3a) C:\WINDOWS\system32\DRIVERS\gflmouhid.sys
2010/11/04 08:46:12.0906 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/11/04 08:46:12.0968 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/11/04 08:46:13.0078 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/11/04 08:46:13.0265 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/11/04 08:46:13.0328 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/11/04 08:46:13.0562 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/11/04 08:46:13.0656 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/11/04 08:46:13.0765 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/11/04 08:46:13.0890 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/11/04 08:46:14.0046 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/11/04 08:46:14.0171 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/11/04 08:46:14.0250 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/11/04 08:46:14.0390 itchfltr (8f1ba487b35f0c8f637e05113aa815f8) C:\WINDOWS\system32\Drivers\itchfltr.sys
2010/11/04 08:46:14.0578 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/11/04 08:46:14.0640 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/11/04 08:46:14.0750 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/11/04 08:46:14.0859 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/11/04 08:46:15.0109 LCcfltr (fb5e7a5c86c0b58aa155487b141b8457) C:\WINDOWS\system32\drivers\lccfltr.sys
2010/11/04 08:46:15.0187 LNE100 (e7a30b307ac29afbb993049df04bb91b) C:\WINDOWS\system32\DRIVERS\LNE100V5.sys
2010/11/04 08:46:15.0281 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/11/04 08:46:15.0359 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/11/04 08:46:15.0421 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/11/04 08:46:15.0484 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/11/04 08:46:15.0562 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/11/04 08:46:15.0656 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/11/04 08:46:15.0750 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/11/04 08:46:15.0921 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/11/04 08:46:16.0000 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/11/04 08:46:16.0078 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/11/04 08:46:16.0140 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/11/04 08:46:16.0203 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/11/04 08:46:16.0265 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/11/04 08:46:16.0343 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/11/04 08:46:16.0406 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/11/04 08:46:16.0453 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/11/04 08:46:16.0515 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/11/04 08:46:16.0578 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/11/04 08:46:16.0656 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/11/04 08:46:16.0718 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/04 08:46:16.0875 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/11/04 08:46:16.0953 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
2010/11/04 08:46:17.0015 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/11/04 08:46:17.0078 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/11/04 08:46:17.0234 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/11/04 08:46:17.0296 nvatabus (46deed4c6c5fa765f9a2c723be60348d) C:\WINDOWS\system32\DRIVERS\nvatabus.sys
2010/11/04 08:46:17.0359 nvax (c99562146abb815809adab4e18c2fa2b) C:\WINDOWS\system32\drivers\nvax.sys
2010/11/04 08:46:17.0421 NVENETFD (23297b3c2ff3510e2e760714fc6f094e) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2010/11/04 08:46:17.0468 nvnetbus (bcc3722a2db99ad6f367344997c26654) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2010/11/04 08:46:17.0546 nvnforce (6dcc85a4b74a67e329939504d8676ad5) C:\WINDOWS\system32\drivers\nvapu.sys
2010/11/04 08:46:17.0656 nv_agp (c0fcd544a1c4eea6d11a0ae6a07dac9d) C:\WINDOWS\system32\DRIVERS\nv_agp.sys
2010/11/04 08:46:17.0718 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/11/04 08:46:17.0781 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/11/04 08:46:17.0859 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
2010/11/04 08:46:17.0921 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
2010/11/04 08:46:18.0000 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
2010/11/04 08:46:18.0078 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/11/04 08:46:18.0140 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/11/04 08:46:18.0187 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/11/04 08:46:18.0265 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/11/04 08:46:18.0328 pbfilter (65fb0c4aa30d84849e0e4c97cb5501ce) C:\Program Files\PeerBlock\pbfilter.sys
2010/11/04 08:46:18.0437 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/11/04 08:46:18.0562 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/11/04 08:46:18.0625 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/11/04 08:46:19.0031 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/11/04 08:46:19.0078 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/11/04 08:46:19.0156 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/11/04 08:46:19.0218 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/11/04 08:46:19.0296 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/11/04 08:46:19.0609 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/11/04 08:46:19.0671 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/11/04 08:46:19.0734 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/11/04 08:46:19.0812 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/11/04 08:46:19.0906 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/11/04 08:46:20.0015 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/11/04 08:46:20.0140 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/11/04 08:46:20.0296 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/11/04 08:46:20.0437 RT2500 (e2988349fe0567cbe4161cc653575a8e) C:\WINDOWS\system32\DRIVERS\RT2500.sys
2010/11/04 08:46:20.0562 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/11/04 08:46:20.0671 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/11/04 08:46:20.0734 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/11/04 08:46:20.0812 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/11/04 08:46:21.0031 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/11/04 08:46:21.0140 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\system32\Drivers\sptd.sys
2010/11/04 08:46:21.0156 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
2010/11/04 08:46:21.0171 sptd - detected Locked file (1)
2010/11/04 08:46:21.0296 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/11/04 08:46:21.0421 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/11/04 08:46:21.0531 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/11/04 08:46:21.0578 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/11/04 08:46:21.0718 sxuptp (a83ef476fea47a7a3763fc5784baf792) C:\WINDOWS\system32\DRIVERS\sxuptp.sys
2010/11/04 08:46:22.0062 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/11/04 08:46:22.0203 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/04 08:46:22.0343 Tcpip6 (4e53bbcc4be37d7a4bd6ef1098c89ff7) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
2010/11/04 08:46:22.0437 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/11/04 08:46:22.0515 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/11/04 08:46:22.0593 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/11/04 08:46:22.0734 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys
2010/11/04 08:46:22.0796 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/11/04 08:46:23.0000 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/11/04 08:46:23.0156 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/11/04 08:46:23.0250 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/11/04 08:46:23.0343 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/11/04 08:46:23.0390 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/11/04 08:46:23.0484 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/11/04 08:46:23.0546 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/11/04 08:46:23.0640 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/11/04 08:46:23.0718 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/11/04 08:46:23.0843 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/11/04 08:46:23.0937 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/11/04 08:46:24.0062 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/11/04 08:46:24.0203 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/11/04 08:46:24.0281 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/11/04 08:46:24.0500 ================================================================================
2010/11/04 08:46:24.0500 Scan finished
2010/11/04 08:46:24.0500 ================================================================================
2010/11/04 08:46:24.0515 Detected object count: 1
2010/11/04 08:46:34.0296 Locked file(sptd) - User select action: Skip

#10 shelf life

shelf life

  • Malware Response Team
  • 2,680 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:12:45 AM

Posted 04 November 2010 - 06:58 PM

That all looks ok. Looks like we are done. you can remove combofix like this:
start>run and type in combofix /uninstall
click ok or enter
note the space after the x and before the /

You can delete the TDSSkiller icon form your desktop.

Note that the free version of Malwarebytes must be updated manually and a scan started manually.

You can make a new restore point, the how and the why:

One of the features of Windows XP,Vista and Windows7 is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning ok.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.(creates a new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot

Last are some tips to help you remain malware free:

10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer can not stay malware free:

In no special order:

1) It is essential to keep your OS,(Windows) browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes etc. More and more third party applications are being targeted. Not sure if you are using the latest version of software? Check their version status here.

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then its time to *review your computer habits*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks.

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) A tool for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0, Read the FAQ's. Or see a slide show Here and do it yourself. How to harden FireFox. for safer surfing.

10) Warez, cracks etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. Can you really trust the source of the file?


More info/tips with pictures in links below.

Happy Safe Surfing.

How Can I Reduce My Risk to Malware?


#11 king vyper

king vyper
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:45 PM

Posted 05 November 2010 - 08:41 AM

Thank you for the help you saved me from having to do a complete reinstall. Also thanks for the tips, espically hardening Fire Fox and IE8 as I use both. I have recently started uing Chrome as it tends to be faster then FF or IE.

Edited by king vyper, 05 November 2010 - 09:15 AM.


#12 shelf life

shelf life

  • Malware Response Team
  • 2,680 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:12:45 AM

Posted 05 November 2010 - 04:58 PM

ok king vyper your welcome. Happy safe surfing "out there"

How Can I Reduce My Risk to Malware?





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users