Infected Laptop..has disabled tools such as system restore. High CPU usage. Very slow.


This topic is locked. 39 replies to this topic.

#1 mrfingerz (Members, 228 posts, UK, London)

Posted 01 November 2010 - 06:55 AM

Hello, As requested in the 'Am I infected' forum here are the DDS logs. Couldn't get gmer to run, tried both download link versions.


DDS (Ver_10-10-31.01) - NTFSx86
Run by Main at 9:57:01.26 on 01/11/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.246.120 [GMT 0:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Main\Desktop\dds.scr
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page =
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJxdm301YYGB&fl=0&ptb=qTtRPS5C6Wfh9iCZbEt_2A&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=sb&searchfor={searchTerms}
uSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-10-31 21:30:55 -------- d-----w- c:\program files\ESET
2010-10-31 13:11:37 -------- d-----w- C:\TDSSKiller_Quarantine
2010-10-31 01:04:17 -------- d-----w- c:\docume~1\main\applic~1\Avira
2010-10-31 00:33:36 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-10-31 00:32:51 -------- d-----w- c:\program files\Avira
2010-10-31 00:32:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-10-30 15:55:24 -------- d-----w- c:\documents and settings\main\DoctorWeb
2010-10-30 14:42:59 25992 ------w- c:\windows\system32\pgdfgsvc.exe
2010-10-30 13:46:34 -------- d-----w- c:\docume~1\main\applic~1\Auslogics
2010-10-30 08:38:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-30 08:38:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-30 08:38:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-28 10:16:50 -------- d--h--w- C:\~AXDW^0KO8I1VQF
2010-10-13 15:58:46 953856 ----a-w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 15:58:43 974848 ----a-w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 15:58:12 617472 ----a-w- c:\windows\system32\dllcache\comctl32.dll

==================== Find3M ====================

2010-10-28 10:16:34 712704 ----a-w- c:\windows\system32\windowscodecs.dll
2010-10-28 10:16:23 28672 ------w- c:\windows\system32\verclsid.exe
2010-10-28 10:16:19 90112 ----a-w- c:\windows\system32\sqlsrv32.rll
2010-10-28 10:16:19 8192 ----a-w- c:\windows\system32\tssoft32.acm
2010-10-28 10:16:19 442368 ----a-w- c:\windows\system32\sqlsrv32.dll
2010-10-28 10:16:15 86016 ----a-w- c:\windows\system32\sl_anet.acm
2010-10-28 10:16:11 90112 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-10-28 10:16:05 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-10-28 10:16:04 503808 ----a-w- c:\windows\system32\msvcp71.dll
2010-10-28 10:16:01 294912 ----a-w- c:\windows\system32\msh263.drv
2010-10-28 10:16:00 188416 ----a-w- c:\windows\system32\msh261.drv
2010-10-28 10:15:03 212992 ----a-w- c:\windows\system32\MFPLAT.dll
2010-10-28 10:15:02 86016 ----a-w- c:\windows\system32\mdmxsdk.dll
2010-10-28 10:14:52 57344 ----a-w- c:\windows\system32\igfxsrvc.dll
2010-10-28 10:14:52 16384 ----a-w- c:\windows\system32\imaadp32.acm
2010-10-28 10:14:52 159744 ----a-w- c:\windows\system32\igfxsrvc.exe
2010-10-28 10:14:51 1503232 ----a-w- c:\windows\system32\igfxress.dll
2010-10-28 10:14:49 135168 ----a-w- c:\windows\system32\igfxres.dll
2010-10-28 10:14:48 147456 ----a-w- c:\windows\system32\igfxpph.dll
2010-10-28 10:14:48 135168 ----a-w- c:\windows\system32\igfxdev.dll
2010-10-28 10:14:47 1241088 ----a-w- c:\windows\system32\ieframe.dll.mui
2010-10-28 10:14:44 73728 ----a-w- c:\windows\system32\hccutils.dll
2010-10-28 10:14:44 69632 ------w- c:\windows\system32\HPZipm12.exe
2010-10-28 10:10:40 28672 ----a-w- c:\windows\system32\dbnmpntw.dll
2010-10-28 10:10:40 24576 ----a-w- c:\windows\system32\dbmsrpcn.dll
2010-10-28 10:10:07 221184 ----a-w- c:\windows\system32\cttune.cpl
2010-10-28 10:10:04 24576 ----a-w- c:\windows\system32\cliconfg.rll
2010-10-28 10:10:04 20480 ----a-w- c:\windows\system32\cliconfg.exe
2010-10-28 10:10:03 77824 ----a-w- c:\windows\system32\cliconfg.dll
2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ------w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 10:00:20.60 ===============

Here is the attach.txt log

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-31.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 16/12/2006 15:39:29
System Uptime: 11/01/2010 09:47:56 (7057 hours ago)

Motherboard: NEC Computers International | | K2W
Processor: Intel® Pentium® M processor 1.73GHz | uFCBGA | 1729/100mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 39 GiB total, 29.32 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: Microcode Update Device
Device ID: ROOT\SYSTEM\0001
Manufacturer: (Standard system devices)
Name: Microcode Update Device
PNP Device ID: ROOT\SYSTEM\0001
Service: update

==== System Restore Points ===================

RP1: 30/10/2010 22:34:54 - System Checkpoint
RP2: 30/10/2010 22:35:46 - mmmm
RP3: 31/10/2010 14:13:14 - Revo Uninstaller's restore point - Glary Undelete 1.6.0.262

==== Installed Programs ======================


Adobe Flash Player 10 ActiveX
Apple Software Update
Avira AntiVir Personal - Free Antivirus
BT Broadband Desktop Help
BT Wireless Connection Manager
ClearType Tuning Control Panel Applet
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
ESET Online Scanner v3
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
L&H TTS3000 British English
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office XP Professional
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Packard Bell Toolbar 1.0
PC Connectivity Solution
QuickTime
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Sonic RecordNow!
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
USB Disk Win98 Driver
WebFldrs XP
Windows Imaging Component
Windows Media Format 11 runtime
Windows Media Player 10
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

31/10/2010 23:10:47, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
31/10/2010 21:25:39, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb Fips intelppm SASDIFSV SASKUTIL ssmdrv
31/10/2010 13:48:47, error: Dhcp [1002] - The IP address lease 192.168.1.65 for the Network Card with network address 00166FBDC359 has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).
31/10/2010 12:07:43, error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
31/10/2010 11:56:30, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
31/10/2010 11:55:32, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
31/10/2010 10:46:09, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
31/10/2010 10:45:55, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL ssmdrv Tcpip
31/10/2010 10:45:55, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
31/10/2010 10:31:22, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
31/10/2010 10:31:22, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
31/10/2010 10:26:49, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00166FBDC359. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
31/10/2010 01:31:25, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
31/10/2010 01:31:25, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\Main\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
31/10/2010 01:31:24, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
30/10/2010 18:57:29, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
30/10/2010 16:18:26, error: Cdrom [11] - The driver detected a controller error on \Device\CdRom0.
01/11/2010 00:07:12, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
01/11/2010 00:07:12, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
01/11/2010 00:07:11, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
01/11/2010 00:06:24, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
01/11/2010 00:06:07, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
01/11/2010 00:03:52, error: Service Control Manager [7022] - The Avira AntiVir Guard service hung on starting.

==== End Of File ===========================

Look forward to hearing what you make of this.
It's nice to be important, it's much more important to be nice.


#2 oneof4 (Malware Response Team, 3,779 posts)

Posted 08 November 2010 - 01:41 PM

Hi mrfingerz,
I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

Best Regards,
oneof4.



#3 mrfingerz (Topic Starter, Members, 228 posts, UK, London)

Posted 08 November 2010 - 04:18 PM

Hi Oneof4,

Ok, looking forward to it.

#4 oneof4 (Malware Response Team, 3,779 posts)

Posted 09 November 2010 - 04:15 PM

Hello mrfingerz, and welcome to the Virus/Trojan/Spyware/Malware Removal forum.

I am oneof4, and I am here to help you!
  • I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received and do not proceed if you need clarification.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.
  • At the top of the topic you will see a button called Watch Topic. If you click on this, and then choose Immediate Notification and then Proceed, you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • If after 5 days you have not replied to this topic, I will assume it has been abandoned, and I will close it.
  • I would also like you to understand that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided. :)
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.


Since it has been a few days since your original post, please perform the following:

Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
  • DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (Do not use the computer while the scan is in progress.)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Things I need to see in your next reply:

  • DDS.txt
  • Attach.txt
  • GMER Log

Best Regards,
oneof4.



#5 mrfingerz (Topic Starter, Members, 228 posts, UK, London)

Posted 10 November 2010 - 04:37 AM

Hi Oneof4.....reran dds and managed to get gmer to run, had to untick 'devices' though.


DDS (Ver_10-10-31.01) - NTFSx86
Run by Main at 22:24:59.70 on 09/11/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.246.99 [GMT 0:00]

AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Main\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page =
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJxdm301YYGB&fl=0&ptb=qTtRPS5C6Wfh9iCZbEt_2A&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=sb&searchfor={searchTerms}
uSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-10-31 11608]
R1 SASDIFSV;SASDIFSV;c:\docume~1\main\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\docume~1\main\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-10-31 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-10-31 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-10-31 60936]

=============== Created Last 30 ================

2010-10-31 21:30:55 -------- d-----w- c:\program files\ESET
2010-10-31 13:11:37 -------- d-----w- C:\TDSSKiller_Quarantine
2010-10-31 01:04:17 -------- d-----w- c:\docume~1\main\applic~1\Avira
2010-10-31 00:33:36 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-10-31 00:32:51 -------- d-----w- c:\program files\Avira
2010-10-31 00:32:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-10-30 15:55:24 -------- d-----w- c:\documents and settings\main\DoctorWeb
2010-10-30 14:42:59 25992 ------w- c:\windows\system32\pgdfgsvc.exe
2010-10-30 13:46:34 -------- d-----w- c:\docume~1\main\applic~1\Auslogics
2010-10-30 08:38:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-30 08:38:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-30 08:38:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-28 10:16:50 -------- d--h--w- C:\~AXDW^0KO8I1VQF
2010-10-13 15:58:46 953856 ----a-w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 15:58:43 974848 ----a-w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 15:58:12 617472 ----a-w- c:\windows\system32\dllcache\comctl32.dll

==================== Find3M ====================

2010-10-28 10:16:34 712704 ----a-w- c:\windows\system32\windowscodecs.dll
2010-10-28 10:16:23 28672 ------w- c:\windows\system32\verclsid.exe
2010-10-28 10:16:19 90112 ----a-w- c:\windows\system32\sqlsrv32.rll
2010-10-28 10:16:19 8192 ----a-w- c:\windows\system32\tssoft32.acm
2010-10-28 10:16:19 442368 ----a-w- c:\windows\system32\sqlsrv32.dll
2010-10-28 10:16:15 86016 ----a-w- c:\windows\system32\sl_anet.acm
2010-10-28 10:16:11 90112 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-10-28 10:16:05 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-10-28 10:16:04 503808 ----a-w- c:\windows\system32\msvcp71.dll
2010-10-28 10:16:01 294912 ----a-w- c:\windows\system32\msh263.drv
2010-10-28 10:16:00 188416 ----a-w- c:\windows\system32\msh261.drv
2010-10-28 10:15:03 212992 ----a-w- c:\windows\system32\MFPLAT.dll
2010-10-28 10:15:02 86016 ----a-w- c:\windows\system32\mdmxsdk.dll
2010-10-28 10:14:52 57344 ----a-w- c:\windows\system32\igfxsrvc.dll
2010-10-28 10:14:52 16384 ----a-w- c:\windows\system32\imaadp32.acm
2010-10-28 10:14:52 159744 ----a-w- c:\windows\system32\igfxsrvc.exe
2010-10-28 10:14:51 1503232 ----a-w- c:\windows\system32\igfxress.dll
2010-10-28 10:14:49 135168 ----a-w- c:\windows\system32\igfxres.dll
2010-10-28 10:14:48 147456 ----a-w- c:\windows\system32\igfxpph.dll
2010-10-28 10:14:48 135168 ----a-w- c:\windows\system32\igfxdev.dll
2010-10-28 10:14:47 1241088 ----a-w- c:\windows\system32\ieframe.dll.mui
2010-10-28 10:14:44 73728 ----a-w- c:\windows\system32\hccutils.dll
2010-10-28 10:14:44 69632 ------w- c:\windows\system32\HPZipm12.exe
2010-10-28 10:10:40 28672 ----a-w- c:\windows\system32\dbnmpntw.dll
2010-10-28 10:10:40 24576 ----a-w- c:\windows\system32\dbmsrpcn.dll
2010-10-28 10:10:07 221184 ----a-w- c:\windows\system32\cttune.cpl
2010-10-28 10:10:04 24576 ----a-w- c:\windows\system32\cliconfg.rll
2010-10-28 10:10:04 20480 ----a-w- c:\windows\system32\cliconfg.exe
2010-10-28 10:10:03 77824 ----a-w- c:\windows\system32\cliconfg.dll
2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ------w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 22:26:37.04 ==============

Here is what I obtained from Gmer....
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-11-10 00:25:20
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Main\LOCALS~1\Temp\fxdiifog.sys


---- System - GMER 1.0.15 ----

SSDT F9B2375E ZwCreateKey
SSDT F9B23754 ZwCreateThread
SSDT F9B23763 ZwDeleteKey
SSDT F9B2376D ZwDeleteValueKey
SSDT F9B23772 ZwLoadKey
SSDT F9B23740 ZwOpenProcess
SSDT F9B23745 ZwOpenThread
SSDT F9B2377C ZwReplaceKey
SSDT F9B23777 ZwRestoreKey
SSDT F9B23768 ZwSetValueKey

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\Main\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- EOF - GMER 1.0.15 ----

Hope this is of assistance to you. I have attached the text log. Look forward to hearing from you.
Regards.

#6 oneof4 (Malware Response Team, 3,779 posts)

Posted 11 November 2010 - 08:33 PM

Hello mrfingerz, :)

Please download MBRCheck to your desktop
Double click MBRCheck.exe to run (With Vista and Win 7 right click and select Run as Administrator)
It will show a Black screen with some data on it
A log named MBRcheck will be on your desktop
Copy and paste that log in your next reply

Best Regards,
oneof4.


#7 mrfingerz
  • Topic Starter
  • Members
  • 228 posts

Posted 11 November 2010 - 09:11 PM

Hi Oneof4,

Here is the requested log....

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 162):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xF9A50000 \WINDOWS\system32\KDCOM.DLL
0xF9960000 \WINDOWS\system32\BOOTVID.dll
0xF9421000 ACPI.sys
0xF9A52000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF9410000 pci.sys
0xF9550000 isapnp.sys
0xF9964000 compbatt.sys
0xF9968000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF9B18000 pciide.sys
0xF97D0000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF9A54000 aliide.sys
0xF9A56000 intelide.sys
0xF9A58000 toside.sys
0xF9A5A000 viaide.sys
0xF9A5C000 cmdide.sys
0xF9560000 MountMgr.sys
0xF93F1000 ftdisk.sys
0xF97D8000 PartMgr.sys
0xF996C000 ACPIEC.sys
0xF9B19000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF9570000 VolSnap.sys
0xF9970000 cpqarray.sys
0xF93D9000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF93C1000 atapi.sys
0xF9974000 aha154x.sys
0xF97E0000 sparrow.sys
0xF9978000 symc810.sys
0xF9580000 aic78xx.sys
0xF997C000 dac960nt.sys
0xF9590000 ql10wnt.sys
0xF9980000 amsint.sys
0xF97E8000 asc.sys
0xF9984000 asc3550.sys
0xF97F0000 mraid35x.sys
0xF97F8000 i2omp.sys
0xF9988000 ini910u.sys
0xF95A0000 ql1240.sys
0xF95B0000 aic78u2.sys
0xF9800000 symc8xx.sys
0xF9808000 sym_hi.sys
0xF9810000 sym_u3.sys
0xF9818000 ABP480N5.SYS
0xF9820000 asc3350p.sys
0xF9A5E000 cd20xrnt.sys
0xF95C0000 ultra.sys
0xF93A8000 adpu160m.sys
0xF9828000 dpti2o.sys
0xF95D0000 ql1080.sys
0xF95E0000 ql1280.sys
0xF95F0000 ql12160.sys
0xF9830000 perc2.sys
0xF9A60000 perc2hib.sys
0xF9838000 hpn.sys
0xF998C000 cbidf2k.sys
0xF937C000 dac2w2k.sys
0xF9600000 disk.sys
0xF9610000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF935C000 fltmgr.sys
0xF934A000 sr.sys
0xF9840000 PxHelp20.sys
0xF9333000 KSecDD.sys
0xF9320000 WudfPf.sys
0xF9293000 Ntfs.sys
0xF9266000 NDIS.sys
0xF9620000 sisagp.sys
0xF9630000 viaagp.sys
0xF924C000 Mup.sys
0xF9640000 alim1541.sys
0xF9650000 amdagp.sys
0xF9660000 agp440.sys
0xF9670000 agpCPQ.sys
0xF9A0C000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF9690000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF8FCF000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF8FBB000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF8F93000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF98F0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF8F6F000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF9920000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF8F5C000 \SystemRoot\system32\DRIVERS\Rtlnicxp.sys
0xF8C49000 \SystemRoot\system32\DRIVERS\w29n51.sys
0xF96A0000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF9890000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF8C1A000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF9A66000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF98D0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF96B0000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF96C0000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF96D0000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF8BF7000 \SystemRoot\system32\DRIVERS\ks.sys
0xF9938000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF9B49000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF96E0000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF9A40000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF8BE0000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF96F0000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF9700000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF9898000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF8BCF000 \SystemRoot\system32\DRIVERS\psched.sys
0xF9710000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF98C0000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF98D8000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF98E8000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xF9720000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF9A6C000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF9220000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF9730000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAA3A4000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xAA380000 \SystemRoot\system32\drivers\portcls.sys
0xF9750000 \SystemRoot\system32\drivers\drmk.sys
0xAA274000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xF9910000 \SystemRoot\System32\Drivers\Modem.SYS
0xF9770000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF9A30000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xAA71E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF9B9E000 \SystemRoot\System32\Drivers\Null.SYS
0xAA71A000 \SystemRoot\System32\Drivers\Beep.SYS
0xF9860000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF9870000 \SystemRoot\System32\drivers\vga.sys
0xAA716000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xAA712000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF9880000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF98A0000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF9A48000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAA157000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAA0FE000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAA0D6000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAA088000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF9780000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xAA066000 \SystemRoot\System32\drivers\afd.sys
0xF9790000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF98C8000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xAA044000 \??\C:\DOCUME~1\Main\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS
0xF9928000 \??\C:\DOCUME~1\Main\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS
0xAA019000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA9FA9000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF97B0000 \SystemRoot\System32\Drivers\Fips.SYS
0xA9F86000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xAA706000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0xF8BAF000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA9F6E000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xAA6F0000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xAA0BA000 \SystemRoot\System32\drivers\Dxapi.sys
0xF9878000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF9BAA000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF042000 \SystemRoot\System32\ialmdev5.DLL
0xBF077000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA9E19000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xA9D21000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA9BAC000 \SystemRoot\system32\drivers\wdmaud.sys
0xA9C51000 \SystemRoot\system32\drivers\sysaudio.sys
0xAA6DE000 \SystemRoot\System32\Drivers\ASCTRM.SYS
0xA977E000 \SystemRoot\system32\DRIVERS\srv.sys
0xA93BB000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 25):
0 System Idle Process
4 System
612 C:\WINDOWS\system32\smss.exe
676 csrss.exe
700 C:\WINDOWS\system32\winlogon.exe
744 C:\WINDOWS\system32\services.exe
756 C:\WINDOWS\system32\lsass.exe
940 C:\WINDOWS\system32\svchost.exe
1020 svchost.exe
1176 C:\WINDOWS\system32\svchost.exe
1276 C:\WINDOWS\system32\svchost.exe
1436 C:\WINDOWS\explorer.exe
1676 C:\WINDOWS\system32\spoolsv.exe
1728 C:\Program Files\Avira\AntiVir Desktop\sched.exe
396 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
448 C:\WINDOWS\system32\HPZipm12.exe
600 C:\WINDOWS\system32\svchost.exe
608 C:\Program Files\iTunes\iTunesHelper.exe
248 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
1088 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
1148 C:\WINDOWS\system32\ctfmon.exe
300 C:\WINDOWS\system32\wuauclt.exe
760 C:\Program Files\iPod\bin\iPodService.exe
116 alg.exe
1776 C:\Documents and Settings\Main\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`f3947600 (NTFS)

PhysicalDrive0 Model Number: ST950814A, Rev: 3.06

Size Device Name MBR Status
--------------------------------------------
46 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

#8 mrfingerz
  • Topic Starter
  • Members
  • 228 posts

Posted 15 November 2010 - 06:39 PM

Hi....Haven't heard anything for a while, hope you haven't forgotten me :unsure:

#9 oneof4
  • Malware Response Team
  • 3,779 posts

Posted 15 November 2010 - 10:15 PM

Hello mrfingerz, :)

Sorry for the delay, I should have touched base with you to let you know I had not forgotten you. Sometimes scan logs can take more time than others, plus this weekend was quite full of family oriented activities...sorry again.

Now, back to business:

Let's now run ComboFix.exe. Please visit the following webpage for download links, and instructions for running the tool: (If you cannot get to the website from your infected machine, you will need to use a "clean" machine and download ComboFix to a flash drive.)
Once downloaded, right-click on the ComboFix.exe file and choose Rename; then rename it to "Renamed.exe".

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Best Regards,
oneof4.


#10 mrfingerz
  • Topic Starter
  • Members
  • 228 posts

Posted 16 November 2010 - 12:03 AM

Hi Oneof4,
That's cool, hope you had a nice one. Ran ComboFix, here's the log. It still has high CPU usage and is losing internet connectivity; connectivity is poor, by the way.

ComboFix 10-11-12.01 - Main 16/11/2010 4:22.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.246.108 [GMT 0:00]
Running from: c:\documents and settings\Main\Desktop\renamed.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-10-16 to 2010-11-16 )))))))))))))))))))))))))))))))
.

2010-11-10 09:17 . 2010-11-10 09:17 -------- d-----w- c:\program files\7-Zip
2010-10-31 23:18 . 2010-10-31 23:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-10-31 21:32 . 2010-10-31 21:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
2010-10-31 21:30 . 2010-10-31 21:30 -------- d-----w- c:\program files\ESET
2010-10-31 13:11 . 2010-10-31 13:11 -------- d-----w- C:\TDSSKiller_Quarantine
2010-10-31 12:06 . 2010-10-31 12:06 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-10-31 10:48 . 2010-10-31 10:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-31 10:48 . 2010-10-31 10:48 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-10-31 01:04 . 2010-10-31 01:04 -------- d-----w- c:\documents and settings\Main\Application Data\Avira
2010-10-31 00:33 . 2010-11-10 08:45 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-10-31 00:33 . 2010-11-10 08:45 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-10-31 00:33 . 2009-05-11 11:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-10-31 00:33 . 2009-05-11 11:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-10-31 00:32 . 2010-10-31 00:32 -------- d-----w- c:\program files\Avira
2010-10-31 00:32 . 2010-10-31 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-10-30 20:51 . 2010-10-30 20:51 -------- d-----w- c:\documents and settings\Main\Application Data\Sonic
2010-10-30 20:51 . 2010-10-30 20:51 -------- d-----w- c:\documents and settings\Main\Application Data\Leadertech
2010-10-30 15:55 . 2010-10-30 15:55 -------- d-----w- c:\documents and settings\Main\DoctorWeb
2010-10-30 14:42 . 2010-10-30 14:42 25992 ------w- c:\windows\system32\pgdfgsvc.exe
2010-10-30 13:46 . 2010-10-30 13:46 -------- d-----w- c:\documents and settings\Main\Application Data\Auslogics
2010-10-30 08:38 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-30 08:38 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-30 08:38 . 2010-10-30 08:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-30 07:23 . 2010-10-30 07:23 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-10-28 10:16 . 2010-10-29 18:17 -------- d-----w- C:\~AXDW^0KO8I1VQF
2010-10-28 08:41 . 2010-10-30 12:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-28 10:16 . 2006-10-24 12:30 712704 ----a-w- c:\windows\system32\windowscodecs.dll
2010-10-28 10:16 . 2006-03-17 00:38 28672 ------w- c:\windows\system32\verclsid.exe
2010-10-28 10:16 . 2004-08-10 15:38 8192 ----a-w- c:\windows\system32\tssoft32.acm
2010-10-28 10:16 . 2004-08-10 15:38 90112 ----a-w- c:\windows\system32\sqlsrv32.rll
2010-10-28 10:16 . 2004-08-10 15:38 442368 ----a-w- c:\windows\system32\sqlsrv32.dll
2010-10-28 10:16 . 2004-08-10 15:38 86016 ----a-w- c:\windows\system32\sl_anet.acm
2010-10-28 10:16 . 2009-01-05 15:18 90112 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-10-28 10:16 . 2006-07-11 18:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-10-28 10:16 . 2006-07-11 18:35 503808 ----a-w- c:\windows\system32\msvcp71.dll
2010-10-28 10:16 . 2004-08-03 23:56 294912 ----a-w- c:\windows\system32\msh263.drv
2010-10-28 10:16 . 2004-08-10 15:56 188416 ----a-w- c:\windows\system32\msh261.drv
2010-10-28 10:15 . 2006-10-18 21:47 212992 ----a-w- c:\windows\system32\MFPLAT.dll
2010-10-28 10:15 . 2010-09-11 11:41 86016 ----a-w- c:\windows\system32\mdmxsdk.dll
2010-10-28 10:14 . 2005-11-03 14:22 57344 ----a-w- c:\windows\system32\igfxsrvc.dll
2010-10-28 10:14 . 2005-11-03 14:22 159744 ----a-w- c:\windows\system32\igfxsrvc.exe
2010-10-28 10:14 . 2004-08-10 15:37 16384 ----a-w- c:\windows\system32\imaadp32.acm
2010-10-28 10:14 . 2005-11-03 14:25 1503232 ----a-w- c:\windows\system32\igfxress.dll
2010-10-28 10:14 . 2006-10-17 09:23 135168 ----a-w- c:\windows\system32\igfxres.dll
2010-10-28 10:14 . 2005-11-03 14:25 147456 ----a-w- c:\windows\system32\igfxpph.dll
2010-10-28 10:14 . 2005-11-03 14:21 135168 ----a-w- c:\windows\system32\igfxdev.dll
2010-10-28 10:14 . 2009-03-08 13:22 1241088 ----a-w- c:\windows\system32\ieframe.dll.mui
2010-10-28 10:14 . 2008-06-02 22:08 69632 ------w- c:\windows\system32\HPZipm12.exe
2010-10-28 10:14 . 2005-11-03 14:21 73728 ----a-w- c:\windows\system32\hccutils.dll
2010-10-28 10:10 . 2004-08-10 15:37 28672 ----a-w- c:\windows\system32\dbnmpntw.dll
2010-10-28 10:10 . 2004-08-10 15:37 24576 ----a-w- c:\windows\system32\dbmsrpcn.dll
2010-10-28 10:10 . 2004-07-29 11:56 221184 ----a-w- c:\windows\system32\cttune.cpl
2010-10-28 10:10 . 2004-08-10 15:37 24576 ----a-w- c:\windows\system32\cliconfg.rll
2010-10-28 10:10 . 2004-08-10 15:37 20480 ----a-w- c:\windows\system32\cliconfg.exe
2010-10-28 10:10 . 2004-08-10 15:37 77824 ----a-w- c:\windows\system32\cliconfg.dll
2010-09-18 11:23 . 2004-08-10 15:37 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-10 15:37 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-10 15:37 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-10 15:37 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-08-10 15:38 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-10 15:37 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-10 15:37 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2004-08-10 15:37 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-10 15:38 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-10 15:38 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-10 15:38 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-10 15:38 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-09-10 21:26 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-10 15:37 617472 ----a-w- c:\windows\system32\comctl32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-10 281768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Main\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Main\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
R1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Main\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Main\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [31/10/2010 00:33 135336]
.
Contents of the 'Scheduled Tasks' folder

2009-05-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-09-01 c:\windows\Tasks\Master CD_DVD Creator.job
- c:\apps\SMP\MCDCHECK.EXE [2005-11-08 14:26]

2006-12-16 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

2006-12-16 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

2006-12-16 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

2008-09-01 c:\windows\Tasks\Setup my PC.job
- c:\apps\SMP\PCSETUP.EXE [2005-11-17 09:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJxdm301YYGB&fl=0&ptb=qTtRPS5C6Wfh9iCZbEt_2A&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=sb&searchfor={searchTerms}
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
AddRemove-Dynamic Toolbar_is1 - c:\program files\Dynamic Toolbar\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-16 04:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1640)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-11-16 04:42:15
ComboFix-quarantined-files.txt 2010-11-16 04:42

Pre-Run: 31,346,855,936 bytes free
Post-Run: 31,617,601,536 bytes free

- - End Of File - - 2D3DC16179A72F6971B7A20405FC8EA7

Edited by mrfingerz, 16 November 2010 - 06:52 AM.

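The ComboFix log above carries several weakened-defence indicators a log reader looks for before anything else: the AV header reporting on-access scanning disabled (expected here, since the user was asked to switch AV off for the run), the XP firewall profile with "EnableFirewall"= 0, Security Center monitoring switched off, and kernel drivers loading from a user's Temp folder. The following triage script is an added example, not part of the thread or of ComboFix; its regexes are my assumptions about the log format, and its sample input is a constructed excerpt mirroring the posted log. A "driver-from-temp" hit is a lead to verify, not a verdict; the SAS_SelfExtract drivers in this thread belong to the SUPERAntiSpyware portable scanner the poster ran earlier.

```python
"""Triage helper for ComboFix-style logs (added example, not part of the thread
or of ComboFix). Flags the weakened-defence indicators present in the posted
log; all regexes are assumptions about the log format."""
import re
from dataclasses import dataclass

# Constructed excerpt mirroring the posted log's sections (AV header,
# registry loading points, service/driver lines).
SAMPLE_LOG = r"""
ComboFix 10-11-12.01 - Main 16/11/2010 4:22.1.1 - x86
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Main\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Main\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [31/10/2010 00:33 135336]
""".strip("\n")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    indicator: str  # short machine-readable label
    evidence: str   # the log line that triggered the finding


KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")          # [HKEY_...] section header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')   # "Name"=value
# R1/S1-style lines: start type, service name, display name, path, optional
# "--> path", then "[date size]" or "[?]" in brackets.
DRIVER_RE = re.compile(
    r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)(?:\s+-->\s+(.+?))?\s*\[(.*?)\]$")
TEMP_PATH_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


def dword_nonzero(value: str) -> bool:
    """True for 'dword:00000001'-style registry values that are not zero."""
    value = value.strip().lower()
    if not value.startswith("dword:"):
        return False
    try:
        return int(value[len("dword:"):], 16) != 0
    except ValueError:
        return False


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect the security-relevant findings."""
    findings: list[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Header line: real-time AV protection was off when the log was made.
        if line.startswith("AV:") and "scanning disabled" in line.lower():
            findings.append(Finding("high", "av-realtime-disabled", line))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            name, value = m.group(1).lower(), m.group(2)
            # Windows XP firewall profile switched off.
            if "firewallpolicy" in current_key and name == "enablefirewall":
                if value.split()[0] == "0":
                    findings.append(Finding("high", "firewall-disabled", line))
            # Security Center told not to monitor an AV/firewall product.
            elif "security center" in current_key and name == "disablemonitoring":
                if dword_nonzero(value):
                    findings.append(
                        Finding("medium", "security-center-monitoring-disabled", line))
            continue
        m = DRIVER_RE.match(line)
        if m:
            _start, _name, _display, path, _target, meta = m.groups()
            # A kernel driver loading from a user's Temp folder deserves a look.
            if TEMP_PATH_RE.search(path):
                findings.append(Finding("medium", "driver-from-temp", line))
            # "[?]" where date/size belong: ComboFix could not read the file.
            if meta.strip() == "?":
                findings.append(Finding("medium", "driver-file-unresolved", line))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Tally findings per severity, e.g. {'high': 2, 'medium': 3}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.indicator:38} {f.evidence[:70]}")
    print(severity_counts(results))
```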

#11 oneof4
  • Malware Response Team
  • 3,779 posts

Posted 18 November 2010 - 10:50 PM

Hello mrfingerz, :)

Just wanted to let you know I AM working on your log. :busy: I will have something for you tomorrow...I promise.

Best Regards,
oneof4.


#12 mrfingerz
  • Topic Starter
  • Members
  • 228 posts

Posted 19 November 2010 - 03:29 AM

Hello OneOf4,

Thanks for letting me know and thanks for all your help so far.

#13 oneof4
  • Malware Response Team
  • 3,779 posts

Posted 19 November 2010 - 07:55 AM

Hello, :)

Thanks for letting me know and thanks for all your help so far.

No problem, it's my pleasure. :thumbup2:
Sorry again for the delay.

Please perform the following:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DDS::
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJxdm301YYGB&fl=0&ptb=qTtRPS5C6Wfh9iCZbEt_2A&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=sb&searchfor={searchTerms}

SkipFix::



Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Best Regards,
oneof4.


#14 mrfingerz
  • Topic Starter
  • Members
  • 228 posts

Posted 19 November 2010 - 09:54 AM

Hello Oneof4,

Here's the log. Windows attempted an update before I ran ComboFix, which failed; I don't know if that's of any importance at all, just thought I'd mention it.

ComboFix 10-11-18.04 - Main 19/11/2010 14:34:57.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.246.104 [GMT 0:00]
Running from: c:\documents and settings\Main\Desktop\Renamed.exe
Command switches used :: c:\documents and settings\Main\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2010-10-19 to 2010-11-19 )))))))))))))))))))))))))))))))
.

2010-11-10 09:17 . 2010-11-10 09:17 -------- d-----w- c:\program files\7-Zip
2010-10-31 23:18 . 2010-10-31 23:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-10-31 21:32 . 2010-10-31 21:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
2010-10-31 21:30 . 2010-10-31 21:30 -------- d-----w- c:\program files\ESET
2010-10-31 13:11 . 2010-10-31 13:11 -------- d-----w- C:\TDSSKiller_Quarantine
2010-10-31 12:06 . 2010-10-31 12:06 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-10-31 10:48 . 2010-10-31 10:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-31 10:48 . 2010-10-31 10:48 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-10-31 01:04 . 2010-10-31 01:04 -------- d-----w- c:\documents and settings\Main\Application Data\Avira
2010-10-31 00:33 . 2010-11-10 08:45 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-10-31 00:33 . 2010-11-10 08:45 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-10-31 00:33 . 2009-05-11 11:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-10-31 00:33 . 2009-05-11 11:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-10-31 00:32 . 2010-10-31 00:32 -------- d-----w- c:\program files\Avira
2010-10-31 00:32 . 2010-10-31 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-10-30 20:51 . 2010-10-30 20:51 -------- d-----w- c:\documents and settings\Main\Application Data\Sonic
2010-10-30 20:51 . 2010-10-30 20:51 -------- d-----w- c:\documents and settings\Main\Application Data\Leadertech
2010-10-30 15:55 . 2010-10-30 15:55 -------- d-----w- c:\documents and settings\Main\DoctorWeb
2010-10-30 14:42 . 2010-10-30 14:42 25992 ------w- c:\windows\system32\pgdfgsvc.exe
2010-10-30 13:46 . 2010-10-30 13:46 -------- d-----w- c:\documents and settings\Main\Application Data\Auslogics
2010-10-30 08:38 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-30 08:38 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-30 08:38 . 2010-10-30 08:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-30 07:23 . 2010-10-30 07:23 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-10-28 10:16 . 2010-10-29 18:17 -------- d-----w- C:\~AXDW^0KO8I1VQF
2010-10-28 08:41 . 2010-10-30 12:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-28 10:16 . 2006-10-24 12:30 712704 ----a-w- c:\windows\system32\windowscodecs.dll
2010-10-28 10:16 . 2006-03-17 00:38 28672 ------w- c:\windows\system32\verclsid.exe
2010-10-28 10:16 . 2004-08-10 15:38 8192 ----a-w- c:\windows\system32\tssoft32.acm
2010-10-28 10:16 . 2004-08-10 15:38 90112 ----a-w- c:\windows\system32\sqlsrv32.rll
2010-10-28 10:16 . 2004-08-10 15:38 442368 ----a-w- c:\windows\system32\sqlsrv32.dll
2010-10-28 10:16 . 2004-08-10 15:38 86016 ----a-w- c:\windows\system32\sl_anet.acm
2010-10-28 10:16 . 2009-01-05 15:18 90112 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-10-28 10:16 . 2006-07-11 18:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-10-28 10:16 . 2006-07-11 18:35 503808 ----a-w- c:\windows\system32\msvcp71.dll
2010-10-28 10:16 . 2004-08-03 23:56 294912 ----a-w- c:\windows\system32\msh263.drv
2010-10-28 10:16 . 2004-08-10 15:56 188416 ----a-w- c:\windows\system32\msh261.drv
2010-10-28 10:15 . 2006-10-18 21:47 212992 ----a-w- c:\windows\system32\MFPLAT.dll
2010-10-28 10:15 . 2010-09-11 11:41 86016 ----a-w- c:\windows\system32\mdmxsdk.dll
2010-10-28 10:14 . 2005-11-03 14:22 57344 ----a-w- c:\windows\system32\igfxsrvc.dll
2010-10-28 10:14 . 2005-11-03 14:22 159744 ----a-w- c:\windows\system32\igfxsrvc.exe
2010-10-28 10:14 . 2004-08-10 15:37 16384 ----a-w- c:\windows\system32\imaadp32.acm
2010-10-28 10:14 . 2005-11-03 14:25 1503232 ----a-w- c:\windows\system32\igfxress.dll
2010-10-28 10:14 . 2006-10-17 09:23 135168 ----a-w- c:\windows\system32\igfxres.dll
2010-10-28 10:14 . 2005-11-03 14:25 147456 ----a-w- c:\windows\system32\igfxpph.dll
2010-10-28 10:14 . 2005-11-03 14:21 135168 ----a-w- c:\windows\system32\igfxdev.dll
2010-10-28 10:14 . 2009-03-08 13:22 1241088 ----a-w- c:\windows\system32\ieframe.dll.mui
2010-10-28 10:14 . 2008-06-02 22:08 69632 ------w- c:\windows\system32\HPZipm12.exe
2010-10-28 10:14 . 2005-11-03 14:21 73728 ----a-w- c:\windows\system32\hccutils.dll
2010-10-28 10:10 . 2004-08-10 15:37 28672 ----a-w- c:\windows\system32\dbnmpntw.dll
2010-10-28 10:10 . 2004-08-10 15:37 24576 ----a-w- c:\windows\system32\dbmsrpcn.dll
2010-10-28 10:10 . 2004-07-29 11:56 221184 ----a-w- c:\windows\system32\cttune.cpl
2010-10-28 10:10 . 2004-08-10 15:37 24576 ----a-w- c:\windows\system32\cliconfg.rll
2010-10-28 10:10 . 2004-08-10 15:37 20480 ----a-w- c:\windows\system32\cliconfg.exe
2010-10-28 10:10 . 2004-08-10 15:37 77824 ----a-w- c:\windows\system32\cliconfg.dll
2010-09-18 11:23 . 2004-08-10 15:37 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-10 15:37 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-10 15:37 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-10 15:37 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-08-10 15:38 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-10 15:37 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-10 15:37 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2004-08-10 15:37 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-10 15:38 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-10 15:38 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-10 15:38 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-10 15:38 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-09-10 21:26 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-10 15:37 617472 ----a-w- c:\windows\system32\comctl32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-10 281768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [31/10/2010 00:33 135336]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Main\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Main\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Main\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Main\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2009-05-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-09-01 c:\windows\Tasks\Master CD_DVD Creator.job
- c:\apps\SMP\MCDCHECK.EXE [2005-11-08 14:26]

2006-12-16 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

2006-12-16 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

2006-12-16 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

2008-09-01 c:\windows\Tasks\Setup my PC.job
- c:\apps\SMP\PCSETUP.EXE [2005-11-17 09:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJxdm301YYGB&fl=0&ptb=qTtRPS5C6Wfh9iCZbEt_2A&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=sb&searchfor={searchTerms}
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-19 14:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(472)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-11-19 14:44:54
ComboFix-quarantined-files.txt 2010-11-19 14:44
ComboFix2.txt 2010-11-16 04:42

Pre-Run: 31,609,323,520 bytes free
Post-Run: 31,591,432,192 bytes free

- - End Of File - - EF388EE6713686B787EBF74D357F49CB
It's nice to be important, it's much more important to be nice.

#15 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective
  • Local time:01:51 AM

Posted 20 November 2010 - 04:27 PM

Hello mrfingerz, :)

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Also,

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Things I need to see in your next reply:

  • MBAM Log
  • ESET Results
  • How are things running?


Best Regards,
oneof4.
