Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

redirecting, email not working please help


  • This topic is locked This topic is locked
2 replies to this topic

#1 dalwil30

dalwil30

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:06 PM

Posted 21 November 2010 - 11:43 AM

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-21 10:33:22
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 SAMSUNG_SP1203N rev.TL100-24
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fgacapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\System32\Drivers\avgldx86.sys entry point in ".rsrc" section [0xF5548694]
? C:\DOCUME~1\Owner\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1820] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1820] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1820] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2164] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2164] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D6000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2164] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A3000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2164] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2164] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2164] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2164] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2164] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2164] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2164] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E49D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2164] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2164] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD135 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254666 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E49D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4EF0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[3664] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CF000A
.text C:\WINDOWS\System32\svchost.exe[3664] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D0000A
.text C:\WINDOWS\System32\svchost.exe[3664] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CE000C
.text C:\WINDOWS\System32\svchost.exe[3664] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A
.text C:\WINDOWS\System32\svchost.exe[3664] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D8000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 84DECAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 84DECAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 84DECAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 84DECAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP3T0L0-7 84DECAEA

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Device\Ide\IdeDeviceP2T0L0-12 -> \??\IDE#DiskSAMSUNG_SP1203N_________________________TL100-24#30535130314a5830303639303035202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{AEF8734C-37F9-A64F-D799-844B8A070031}\InprocServer32@ C:\WINDOWS\System32\mswebdvd.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{AEF8734C-37F9-A64F-D799-844B8A070031}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AEF8734C-37F9-A64F-D799-844B8A070031}\ProgID@ MSWebDVD.OverlayCallback.1
Reg HKLM\SOFTWARE\Classes\CLSID\{AEF8734C-37F9-A64F-D799-844B8A070031}\TypeLib@ {38EE5CE1-4B62-11D3-854F-00A0C9C898E7}
Reg HKLM\SOFTWARE\Classes\CLSID\{AEF8734C-37F9-A64F-D799-844B8A070031}\VersionIndependentProgID@ MSWebDVD.OverlayCallback

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 234492800 (+254): rootkit-like behavior;
DDS (Ver_10-11-10.01) - NTFSx86
Run by Owner at 9:55:49.51 on Sun 11/21/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.76 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWinlogon: Shell=c:\documents and settings\owner\application data\hotfix.exe
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-20 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-20 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-20 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-9-20 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-20 297752]
S4 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

=============== Created Last 30 ================


==================== Find3M ====================

2008-01-02 20:47:51 774144 -c--a-w- c:\program files\RngInterstitial.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_SP1203N rev.TL100-24 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-12

device: opened successfully
user: MBR read successfully

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-10.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 8/4/2004 8:02:54 PM
System Uptime: 11/21/2010 9:17:14 AM (1 hours ago)

Motherboard: ASUSTek Computer INC. | | Kelut
Processor: AMD Athlon™ XP 2800+ | Socket A | 2083/167mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 108 GiB total, 95.857 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 0.783 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\79917BE01800
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\79917BE01800
Service: NIC1394

==== System Restore Points ===================

RP12: 8/24/2010 10:34:44 PM - System Checkpoint
RP13: 9/6/2010 11:48:02 AM - System Checkpoint
RP14: 9/7/2010 4:27:17 PM - System Checkpoint
RP15: 9/8/2010 2:04:17 PM - Avg8 Update
RP16: 9/15/2010 2:23:17 PM - Software Distribution Service 3.0
RP17: 9/16/2010 5:39:14 PM - System Checkpoint
RP18: 9/20/2010 12:23:12 PM - System Checkpoint
RP19: 9/22/2010 12:44:42 PM - System Checkpoint
RP20: 9/25/2010 8:46:27 AM - System Checkpoint
RP21: 9/27/2010 1:13:07 PM - System Checkpoint
RP22: 10/3/2010 7:35:11 PM - System Checkpoint
RP23: 10/6/2010 1:03:17 PM - Avg8 Update
RP24: 10/18/2010 6:23:12 PM - System Checkpoint
RP25: 10/26/2010 11:55:13 AM - Avg8 Update
RP26: 10/26/2010 11:57:49 AM - Avg8 Update
RP27: 10/27/2010 1:12:30 PM - System Checkpoint
RP28: 11/1/2010 2:22:41 PM - System Checkpoint
RP29: 11/13/2010 8:47:00 PM - System Checkpoint
RP30: 11/18/2010 8:07:25 PM - System Checkpoint

==== Installed Programs ======================


Adobe Flash Player 10 ActiveX
Adobe Reader 9
Adobe Shockwave Player 11.5
Agere Systems PCI Soft Modem
AVG Free 8.5
BufferChm
Camera Support Core Library
Canon Camera Support Core Library
CCScore
Compaq Connections
Critical Update for Windows Media Player 11 (KB959772)
D-Link DSL-300 Family Configuration Utility
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
essvatgt
eSupportQFolder
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Deskjet 3900 series
HP Image Zone Express
HP Imaging Device Functions 5.0
HP Product Detection
HP Solution Center & Imaging Support Tools 5.0
HP Update
HPDeskjet3900Series
HPProductAssistant
HpSdpAppCoreApp
Java Auto Updater
Java™ 6 Update 20
Java™ 6 Update 3
Java™ 6 Update 5
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
KSU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money Plus
Microsoft Money Shared Libraries
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Move Networks Player for Internet Explorer
MSN
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
netbrdg
Notifier
OfotoXMI
PCDADDIN
PCDHELP
Print Workshop 2004
PS2
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
S3GSetup
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SFR
SolutionCenter
Sonic Update Manager
Spybot - Search & Destroy
staticcr
Status
tooltips
TrayApp
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
VPRINTOL
WebFldrs XP
WebReg
Westward IV: All Aboard
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WIRELESS

==== Event Viewer Messages From Past Week ========

11/20/2010 8:03:50 PM, error: Service Control Manager [7034] - The Telephony service terminated unexpectedly. It has done this 4 time(s).
11/20/2010 8:03:50 PM, error: Service Control Manager [7034] - The System Event Notification service terminated unexpectedly. It has done this 4 time(s).
11/20/2010 8:03:50 PM, error: Service Control Manager [7034] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 4 time(s).
11/20/2010 8:03:50 PM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 4 time(s).
11/20/2010 8:03:50 PM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 4 time(s).
11/20/2010 8:03:50 PM, error: Service Control Manager [7031] - The Windows Time service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/20/2010 8:03:50 PM, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 4 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/19/2010 10:32:22 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
11/19/2010 10:06:14 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
11/17/2010 1:53:09 PM, error: Print [23] - Printer Lexmark 4200 Series,1 failed to initialize because a suitable Lexmark 4200 Series driver could not be found.

==== End Of File ===========================

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84DECEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x849f3872; SUB DWORD [EBP-0x4], 0x849f312e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8530F030]
3 CLASSPNP[0xF77E9FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000005c[0x8538E9A0]
5 ACPI[0xF7760620] -> nt!IofCallDriver[0x804E13B9] -> [0x8538EB58]
[0x84DA7D58] -> IRP_MJ_CREATE -> 0x84DECEC5
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5f; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-12 -> \??\IDE#DiskSAMSUNG_SP1203N_________________________TL100-24#30535130314a5830303639303035202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x84DECAEA
user & kernel MBR OK
sectors 234493054 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 10:00:07.82 ===============


---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XGYLK3EB\page__prune_day__100__sort_by__Z-A__sort_key__last_post__topicfilter__all__st__30[1].htm 129493 bytes
File C:\WINDOWS\System32\Drivers\avgldx86.sys suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

Attached Files

  • Attached File  DDS.txt   5.17KB   0 downloads


BC AdBot (Login to Remove)

 


#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:06 PM

Posted 30 November 2010 - 06:00 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:06 PM

Posted 05 December 2010 - 05:27 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users