Win32:Trojan-gen; Attempt to destroy Firewall


This topic is locked
28 replies to this topic

#1 GST1

Posted 23 November 2010 - 02:30 PM

Hello.
Thank you for providing and maintaining this Forum. This site is also well recommended on the MozillaZine Forum.

The only real noticeable symptom that I am experiencing is on a cold OS start.
I have my firewall set to run as a Startup Process. When everything was working properly, the firewall would load nearly "immediately" after the desktop was displayed.
Over the last several weeks, it began to take about five minutes to load; it has now progressed to about 35 - 40 minutes. During this time there is some sort of fight seemingly going on, as the CPU usage is 'spiked' @ 100% for that period (relating directly to that process). After it does in fact finish loading, everything seems to work fine. The firewall blocks/allows traffic, as it should, and its built-in 'packet sniffer' does not show any suspect data packets being transferred.
While it would make sense to uninstall/reinstall the firewall, previous attempts at such (on another exactly cloned HDD) resulted in the inability to reinstall it; thus making the firewall completely unavailable.

While recently running my Avast (v 5.0.677) A/V program on a boot-time scan, it detected "Win32:Trojan-gen" in a program that I had downloaded and also in a Windows "System Restore" file.
Its detection came as a fair surprise, as the program containing it (an .exe file, therein) was downloaded many months ago and I do not recall ever actually installing it. I can offer no explanation as to why it had not been detected sooner.
In searching for info relating to this virus, I came across the possibility that this trojan may be responsible for trying to disable my firewall.

Other installed security programs, which are regularly updated (as req'd) and run, include:
Malware Bytes' Anti Malware
Spybot S&D (w/"TeaTimer" running)
Sygate Firewall with a very highly restricted 'allowed' connection settings.
Several security extensions on Firefox browser (v 3.6.12). [I do not use I.E., whatsoever, and have done all to restrict/block it short of uninstalling.]

What I have thus far done:

1. On installation of OS (over two years ago), disabled many non-essential "Services".

2. Some time ago, using Spybot > Tools > "System Startup" >> disabled the following, as it was likely malware, noted also as having "a blank entry under the Startup Item/Name Field".
I have also disabled several other non-essential startup items.

Located: HK_CU:Run, (DISABLED)
where: S-1-5-21-854245398-1580436667-1957994488-1003...
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E

3. Conducted as thorough research as possible, in order to find the source of the present difficulty, and eradicate it.

4. In addition to regularly running aforementioned A/V and anti-malware programs, I have previously run Sysinternals "RootkitRevealer", Trend Micro's "HiJackThis", and "GMER".

Using HJT, I have disabled the following, and saved them in "Backups":

O23 - Service: QRG - Unknown owner - C:\DOCUME~1\GSR\LOCALS~1\Temp\QRG.exe (file missing)

O23 - Service: SH - Unknown owner - C:\DOCUME~1\GSR\LOCALS~1\Temp\SH.exe (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll; Windows Registry Editor Version 5.00; [HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}]
@="Browseui preloader";[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
"ThreadingModel"="Both"

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll; Windows Registry Editor Version 5.00; [HKEY_CLASSES_ROOT\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}] @="Component Categories cache daemon"

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

I realize that I was over-zealous in basically preventing all these from running, as I only kept active the entries that I knew to be required.
However, the "Services" QRG.exe and SH.exe are highly suspect.
I believe that the "(file missing)" noted above was a result of my having already completely purged the "\Temp" file in which they resided.
I have absolutely no idea where these two Services came from; they are now disabled, but still remain in "Services". They also are entered in the Registry as a sub-directory of "Search Assistant". I am not at all familiar with that entry, and would never knowingly install such.

5. After performing everything that I could reasonably consider, I now enter this Forum to seek your kind assistance.

I have read and followed the "Preparation Guide..." to the best of my ability; including:
A. Using DeFogger to Disable CD Emulation Software.
B. Downloaded and Run DDS (see dds.txt and attach.txt files merged below).
C. Created a GMER Log (please also see below).

I look forward to your response and thank you for your consideration.

********************************************************************************************


DDS (Ver_10-11-10.01) - NTFSx86
Run by GSR at 15:58:23.78 on 21.Nov.10
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.319.166 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\VX1\MXTask.exe
C:\PROGRA~1\VX1\mxtask.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\GSR\Desktop\RT Kit\ddsPrograms.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Bar =
mSearch Bar =
uInternet Settings,ProxyServer = http=localhost:8080
uInternet Settings,ProxyOverride = <local>
uSearchAssistant =
uCustomizeSearch =
BHO: Accelerator Plugin: {656ec4b7-072b-4698-b504-2a414c1f0037} - c:\progra~1\propel~1\PRPL_I~1.DLL
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
LSP: c:\program files\propel accelerator\prplsf.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
Name-Space Handler: ftp\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} - c:\progra~1\iolo\system~1\URLSTO~1.DLL
Name-Space Handler: http\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} - c:\progra~1\iolo\system~1\URLSTO~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gsr\applic~1\mozilla\firefox\profiles\4ocgel70.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - blank
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-8 165584]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-8 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-8 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-8 40384]
R3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2008-10-6 9344]
S3 mxDisk;mxDisk;c:\progra~1\vx1\mxDisk.sys [2003-6-12 57092]
S3 SGUARD;SGUARD;c:\windows\system32\drivers\SGuard.sys [2008-10-6 17857]
S4 QRG;QRG;c:\docume~1\gsr\locals~1\temp\qrg.exe --> c:\docume~1\gsr\locals~1\temp\QRG.exe [?]
S4 SH;SH;c:\docume~1\gsr\locals~1\temp\sh.exe --> c:\docume~1\gsr\locals~1\temp\SH.exe [?]

=============== Created Last 30 ================

2010-11-05 17:15:27 66520 ----a-w- c:\program files\mozilla firefox\plugins\npnul32.dll
2010-11-05 17:15:27 25048 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll
2010-11-05 17:15:27 140248 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2010-10-23 00:24:49 -------- d--h--w- c:\windows\system32\GroupPolicy

==================== Find3M ====================

2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr

============= FINISH: 15:59:50.51 ===============

*******************************************************************************************


DDS (Ver_10-11-10.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 06.Oct.08 07:54:58
System Uptime: 21.Nov.10 09:10:54 (6 hours ago)

Motherboard: Gigabyte Technology Co. Ltd. | | 7ZX
Processor: AMD Athlon™ Processor | Socket-A | 801/10000mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 49 GiB total, 45.498 GiB free.
D: is CDROM ()
E: is CDROM ()
S: is FIXED (NTFS) - 19 GiB total, 18.593 GiB free.
X: is FIXED (NTFS) - 9 GiB total, 7.077 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: ALL-IN-WONDER 9200 SERIES - Secondary
Device ID: PCI\VEN_1002&DEV_5941&SUBSYS_2F731002&REV_01\3&27043229&0&0108
Manufacturer: ATI Technologies Inc.
Name: ALL-IN-WONDER 9200 SERIES - Secondary
PNP Device ID: PCI\VEN_1002&DEV_5941&SUBSYS_2F731002&REV_01\3&27043229&0&0108
Service: ati2mtag

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: Terminal Server Device Redirector
Device ID: ROOT\RDPDR\0000
Manufacturer: (Standard system devices)
Name: Terminal Server Device Redirector
PNP Device ID: ROOT\RDPDR\0000
Service: rdpdr

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Flash Player Plugin
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI DVD Decoder 2.2.0.0
ATI Multimedia Center 8.8.0.0
avast! Free Antivirus
DAO
DVDDec
FileAlyzer
Generic - HCF PCI Modem
HiJackThis
hp deskjet 5550 series
hp deskjet 5550 series (Remove only)
hp instant support
hp print screen utility
InCD
iolo technologies' System Mechanic 5 Professional
Logitech MouseWare 9.79.1
Malwarebytes' Anti-Malware
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MMC88
Mozilla Firefox (3.6.12)
Mozilla Thunderbird (2.0.0.22)
Nero Media Player
Nero OEM
NeroVision Express 2
NetWaiting
PhotoFiltre
PowerDesk 5.0
Propel Accelerator
Scott's Space Invaders v 1.9
Spybot - Search & Destroy
upapp
VCOM SystemSuite 5
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series

==== Event Viewer Messages From Past Week ========

19.Nov.10 08:11:44, error: Service Control Manager [7034] - The InCD Helper service terminated unexpectedly. It has done this 1 time(s).
17.Nov.10 05:12:46, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.

==== End Of File ===========================

********************************************************************************************

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-11-21 16:23:41
Windows 5.1.2600 Service Pack 1
Running: gmer.exe; Driver: C:\DOCUME~1\GSR\LOCALS~1\Temp\pxtdqpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xEBD40CF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xEBD40BAC]
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xF8814B40]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xEBD41160]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xEBD4108A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xEBD40782]
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xF8814860]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xEBD40C86]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xEBD406C2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xEBD40726]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xEBD40DA6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xEBD4122E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xEBD40D66]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xEBD40EE6]
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xF8814CF0]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xEBD4DBAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xEBD4D9D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xEBD4DB0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [06]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 170 805025EC 4 Bytes [F0, 0C, D4, EB]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1B0 8050262C 4 Bytes [AC, 0B, D4, EB]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1E0 8050265C 4 Bytes [40, 4B, 81, F8]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 208 80502684 4 Bytes [60, 11, D4, EB]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 210 8050268C 4 Bytes [8A, 10, D4, EB] {MOV DL, [EAX]; AAM 0xeb}
.text ...
PAGE ntoskrnl.exe!ZwLoadDriver 805505A5 7 Bytes JMP EBD4DB10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 8055ED00 5 Bytes JMP EBD495D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!NtCreateSection 8057FB92 7 Bytes JMP EBD4D9D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ObInsertObject 8057FCA9 5 Bytes JMP EBD4AFFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80590950 7 Bytes JMP EBD4DBB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text tcpip.sys!IPTransmit + 93E EBE3D6A2 6 Bytes CALL F8314490 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + A35E EBE470C2 6 Bytes CALL F8314490 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPSetIPSecStatus + 53A EBE5186C 6 Bytes CALL F8314490 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys F867F0C1 4 Bytes CALL F831457C Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys F867F0C6 2 Bytes [90, 90] {NOP ; NOP }
? C:\DOCUME~1\GSR\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[868] kernel32.dll!SetUnhandledExceptionFilter 77E7E5A1 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\aswTdi \Device\AswUdpFilter wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\aswTdi \Device\ASWTDI wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\aswTdi \Device\AswTcpFilter wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----

*******************
End of this post.
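The QRG and SH services in the log above show the pattern a responder checks for first: a service whose binary sits in a user's Temp directory and is now missing. As an added example, not code from this thread or from the DDS tool, here is a small Python parser for DDS SERVICES / DRIVERS lines that flags that pattern; the sample lines are copied from the log above, and the decoding of the R/S prefix and the start-type digit is my reading of the DDS format, stated in the comments.

```python
"""Flag suspicious entries in the SERVICES / DRIVERS section of a DDS log."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: five lines copied from the DDS log quoted above.
SAMPLE_DDS_SERVICES = r"""
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-8 165584]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-8 40384]
S3 SGUARD;SGUARD;c:\windows\system32\drivers\SGuard.sys [2008-10-6 17857]
S4 QRG;QRG;c:\docume~1\gsr\locals~1\temp\qrg.exe --> c:\docume~1\gsr\locals~1\temp\QRG.exe [?]
S4 SH;SH;c:\docume~1\gsr\locals~1\temp\sh.exe --> c:\docume~1\gsr\locals~1\temp\SH.exe [?]
"""

# One DDS service line: "<R|S><start type> <name>;<display name>;<image path> [<date> <size>]"
# or, when DDS could not stat the file, "... <path> --> <resolved path> [?]".
# Decoding of the prefix (R = running, S = stopped; digit = SCM start type) is my
# reading of the DDS format; it is an assumption, not something the page documents.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$"
)
META_RE = re.compile(r"\s*\[(?P<meta>[^\]]*)\]\s*$")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# Path components in which a legitimate service binary should essentially never live.
TEMP_DIRS = {"temp", "tmp", "locals~1", "local settings"}
PROFILE_DIRS = {"docume~1", "documents and settings", "users"}

FINDING_TEMP = "image path is under a temporary directory"
FINDING_PROFILE = "image path is under a user profile, not %SystemRoot% or Program Files"
FINDING_MISSING = "service is still registered but DDS could not find its binary ([?])"


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool
    start_type: str
    image_path: str
    resolved_path: Optional[str]
    file_found: bool
    findings: list[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service/driver line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    file_found = True
    meta = META_RE.search(rest)
    if meta:
        # "[?]" is DDS's marker for a file it could not find; otherwise "[date size]".
        file_found = meta["meta"].strip() != "?"
        rest = rest[: meta.start()]
    image, resolved = rest.strip(), None
    if " --> " in image:
        # "path --> resolved path" form: keep both, assess the image path.
        image, resolved = (p.strip() for p in image.split(" --> ", 1))
    return ServiceEntry(
        name=m["name"].strip(),
        display=m["display"].strip(),
        running=m["state"] == "R",
        start_type=START_TYPES.get(m["start"], "unknown"),
        image_path=image,
        resolved_path=resolved,
        file_found=file_found,
    )


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach findings for the patterns seen with the QRG and SH services."""
    parts = {p.lower() for p in entry.image_path.split("\\")}
    if parts & TEMP_DIRS:
        entry.findings.append(FINDING_TEMP)
    if parts & PROFILE_DIRS:
        entry.findings.append(FINDING_PROFILE)
    if not entry.file_found:
        entry.findings.append(FINDING_MISSING)
    return entry


def analyze_dds_services(text: str) -> list[ServiceEntry]:
    """Parse every service line in a DDS SERVICES / DRIVERS section and assess it."""
    entries = [parse_service_line(ln) for ln in text.splitlines()]
    return [assess(e) for e in entries if e is not None]


def suspicious_service_names(text: str) -> list[str]:
    """Names of the services that received at least one finding."""
    return [e.name for e in analyze_dds_services(text) if e.findings]


if __name__ == "__main__":
    for e in analyze_dds_services(SAMPLE_DDS_SERVICES):
        status = "running" if e.running else "stopped"
        print(f"{e.name:<20} {status}/{e.start_type:<8} {e.image_path}")
        for f in e.findings:
            print(f"    ! {f}")
```

A disabled service that still points at a deleted Temp binary is harmless by itself, but the registration is the artefact that tells a responder where to look (who created the service, and when); the checks above only triage the log and do not replace a full scan.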

#2 rigacci

Posted 01 December 2010 - 09:26 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks.

DR

#3 GST1

Posted 01 December 2010 - 11:41 AM

Hello and thank you for your response.

Please find updated logs, as requested.

I am still experiencing the symptoms, as described above; the only difference being that it is now taking closer to one hour for my firewall to load after a cold OS start.
This gives me plenty of time to down an uninterrupted pot of coffee; my CMPT being unusable, otherwise, during this period.

The only additional problem has been a very strange complete OS lockup:
It occurred when online, with the browser opened, and when attempting to open my Thunderbird mail program (these were the only two Applications running). Resulted in complete lockup, with absolutely nothing responding; necessitated a hard shutdown. Upon next boot, I was presented with the 'Windows did not close properly...' options, and decided to enter Safe Mode. I began running a MBAM scan; it started to run and then, very abruptly, my system shut down (on its own and hard).
On next boot, the bios would not recognize the HDD, even when configured manually. I was finally able to get system to boot after flashing the bios and using the Backup Bios (my Gigabyte MB has a Dual Bios).
I have had three separate instances of "Hard drive not recognized" upon boot, since then (in the past week). After flashing the bios and using Backup, as described, I was again able to get the system working.
I have since been able to enter Windows Safe Mode and successfully run anti-malware scans; nothing was found.

Thank you for your consideration.

*******************************************************************************


DDS (Ver_10-11-10.01) - NTFSx86
Run by GSR at 10:02:46.22 on 01.Dec.10
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.319.100 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\VX1\MXTask.exe
C:\PROGRA~1\VX1\mxtask.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\GSR\Desktop\RT Kit\ddsPrograms.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Bar =
mSearch Bar =
uInternet Settings,ProxyServer = http=localhost:8080
uInternet Settings,ProxyOverride = <local>
uSearchAssistant =
uCustomizeSearch =
BHO: Accelerator Plugin: {656ec4b7-072b-4698-b504-2a414c1f0037} - c:\progra~1\propel~1\PRPL_I~1.DLL
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
LSP: c:\program files\propel accelerator\prplsf.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
Name-Space Handler: ftp\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} - c:\progra~1\iolo\system~1\URLSTO~1.DLL
Name-Space Handler: http\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} - c:\progra~1\iolo\system~1\URLSTO~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gsr\applic~1\mozilla\firefox\profiles\4ocgel70.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - blank
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-8 165584]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-8 40384]
R3 mxDisk;mxDisk;c:\progra~1\vx1\mxDisk.sys [2003-6-12 57092]
R3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2008-10-6 9344]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-8 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-8 40384]
S3 SGUARD;SGUARD;c:\windows\system32\drivers\SGuard.sys [2008-10-6 17857]
S4 QRG;QRG;c:\docume~1\gsr\locals~1\temp\qrg.exe --> c:\docume~1\gsr\locals~1\temp\QRG.exe [?]
S4 SH;SH;c:\docume~1\gsr\locals~1\temp\sh.exe --> c:\docume~1\gsr\locals~1\temp\SH.exe [?]

=============== Created Last 30 ================

2010-11-05 17:15:27 66520 ----a-w- c:\program files\mozilla firefox\plugins\npnul32.dll
2010-11-05 17:15:27 25048 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll
2010-11-05 17:15:27 140248 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

==================== Find3M ====================

2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr

============= FINISH: 10:03:45.35 ===============

*******************************************************************************


DDS (Ver_10-11-10.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 06.Oct.08 07:54:58
System Uptime: 12.Jan.10 07:17:07 (7755 hours ago)

Motherboard: Gigabyte Technology Co. Ltd. | | 7ZX
Processor: AMD Athlon™ Processor | Socket-A | 801/10000mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 49 GiB total, 45.511 GiB free.
D: is CDROM ()
E: is CDROM ()
S: is FIXED (NTFS) - 19 GiB total, 18.593 GiB free.
X: is FIXED (NTFS) - 9 GiB total, 7.077 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: ALL-IN-WONDER 9200 SERIES - Secondary
Device ID: PCI\VEN_1002&DEV_5941&SUBSYS_2F731002&REV_01\3&27043229&0&0108
Manufacturer: ATI Technologies Inc.
Name: ALL-IN-WONDER 9200 SERIES - Secondary
PNP Device ID: PCI\VEN_1002&DEV_5941&SUBSYS_2F731002&REV_01\3&27043229&0&0108
Service: ati2mtag

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: Terminal Server Device Redirector
Device ID: ROOT\RDPDR\0000
Manufacturer: (Standard system devices)
Name: Terminal Server Device Redirector
PNP Device ID: ROOT\RDPDR\0000
Service: rdpdr

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Flash Player Plugin
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI DVD Decoder 2.2.0.0
ATI Multimedia Center 8.8.0.0
avast! Free Antivirus
DAO
DVDDec
FileAlyzer
Generic - HCF PCI Modem
HiJackThis
hp deskjet 5550 series
hp deskjet 5550 series (Remove only)
hp instant support
hp print screen utility
InCD
iolo technologies' System Mechanic 5 Professional
Logitech MouseWare 9.79.1
Malwarebytes' Anti-Malware
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MMC88
Mozilla Firefox (3.6.12)
Mozilla Thunderbird (2.0.0.22)
Nero Media Player
Nero OEM
NeroVision Express 2
NetWaiting
PhotoFiltre
PowerDesk 5.0
Propel Accelerator
Scott's Space Invaders v 1.9
Spybot - Search & Destroy
upapp
VCOM SystemSuite 5
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series

==== Event Viewer Messages From Past Week ========

26.Nov.10 15:58:19, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP aswTdi Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip wpsdrvnt
26.Nov.10 15:58:19, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
26.Nov.10 15:58:19, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
26.Nov.10 15:57:38, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
26.Nov.10 15:56:46, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

==== End Of File ===========================

*******************************************************************************

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-12-01 10:27:16
Windows 5.1.2600 Service Pack 1
Running: gmer.exe; Driver: C:\DOCUME~1\GSR\LOCALS~1\Temp\pxtdqpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xB2DDCCF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xB2DDCBAC]
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xF8814B40]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xB2DDD160]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xB2DDD08A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xB2DDC782]
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xF8814860]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xB2DDCC86]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xB2DDC6C2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xB2DDC726]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xB2DDCDA6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xB2DDD22E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xB2DDCD66]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xB2DDCEE6]
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xF8814CF0]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB2DE9BAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xB2DE99D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xB2DE9B0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [06]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 170 805025EC 4 Bytes [F0, CC, DD, B2]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1B0 8050262C 4 Bytes [AC, CB, DD, B2]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1E0 8050265C 4 Bytes [40, 4B, 81, F8]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 208 80502684 4 Bytes [60, D1, DD, B2]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 210 8050268C 4 Bytes [8A, D0, DD, B2]
.text ...
PAGE ntoskrnl.exe!ZwLoadDriver 805505A5 7 Bytes JMP B2DE9B10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 8055ED00 5 Bytes JMP B2DE55D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!NtCreateSection 8057FB92 7 Bytes JMP B2DE99D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ObInsertObject 8057FCA9 5 Bytes JMP B2DE6FFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80590950 7 Bytes JMP B2DE9BB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text tcpip.sys!IPTransmit + 93E B2ED96A2 6 Bytes CALL F8314490 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + A35E B2EE30C2 6 Bytes CALL F8314490 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPSetIPSecStatus + 53A B2EED86C 6 Bytes CALL F8314490 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys F866F0C1 4 Bytes CALL F831457C Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys F866F0C6 2 Bytes [90, 90] {NOP ; NOP }
? C:\DOCUME~1\GSR\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[868] kernel32.dll!SetUnhandledExceptionFilter 77E7E5A1 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \FileSystem\Ntfs \Ntfs mxDisk.sys
AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\aswTdi \Device\AswUdpFilter wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\aswTdi \Device\ASWTDI wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\aswTdi \Device\AswTcpFilter wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----

*****************
End of this post.
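
The GMER output and the Service Control Manager 7026 event above name the same kernel drivers twice: avast's aswSP/aswTdi and Sygate's wpsdrvnt appear both as the modules hooking the SSDT and the TCP/IP device stack, and among the boot-start drivers that failed to load on 26 Nov. Cross-referencing the two lists is the first triage check an analyst wants from logs like these. What follows is an added example written for this thread (it is not GMER's, ComboFix's or the poster's code); it embeds a few constructed lines copied in shape from the logs above, groups hooks by module, marks the hooking modules that the 7026 event says failed to load, and lists modules GMER printed without a vendor string (mxDisk.sys in the log above) for manual verification, without judging whether any of them is malicious.

```python
import re
from collections import OrderedDict

# Constructed sample: a few lines copied in shape from the GMER rootkit scan
# and the Service Control Manager 7026 event in this thread (not the full logs).
GMER_SAMPLE = r"""
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xB2DDCCF0]
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xF8814B40]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xB2DDC6C2]
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xF8814CF0]
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \FileSystem\Ntfs \Ntfs mxDisk.sys
AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
"""

EVENT_SAMPLE = (
    "26.Nov.10 15:58:19, error: Service Control Manager [7026] - The following "
    "boot-start or system-start driver(s) failed to load: Aavmker4 aswSP aswTdi "
    "Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip wpsdrvnt"
)

# GMER's line shapes: "SSDT <module> (<vendor>) <syscall> [0x...]" and
# "AttachedDevice <driver object> <device> <module> (<vendor>)"; the vendor
# part is absent when GMER has no signer/description for the file.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+(?:\((?P<vendor>[^)]*)\)\s+)?(?P<target>\w+)\s+\[0x[0-9A-Fa-f]+\]$"
)
ATTACHED_RE = re.compile(
    r"^AttachedDevice\s+\S+\s+(?P<target>\S+)\s+(?P<module>\S+)(?:\s+\((?P<vendor>[^)]*)\))?$"
)
FAILED_RE = re.compile(r"\[7026\].*?failed to load:\s*(?P<names>.+)$")


def module_key(path):
    """Lower-cased file name of a driver path, e.g. '\\??\\C:\\...\\wpsdrvnt.sys' -> 'wpsdrvnt.sys'."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Yield (module, vendor, hooked target) for every SSDT or AttachedDevice line."""
    for line in text.splitlines():
        line = line.strip()
        m = SSDT_RE.match(line) or ATTACHED_RE.match(line)
        if m:
            yield module_key(m.group("module")), m.group("vendor"), m.group("target")


def failed_boot_drivers(event_text):
    """Service names from Service Control Manager event 7026, lower-cased (no extension)."""
    names = set()
    for line in event_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            names.update(n.lower() for n in m.group("names").split())
    return names


def correlate(gmer_text, event_text):
    """Group hooks by module and mark the modules that SCM says failed to load at boot."""
    failed = failed_boot_drivers(event_text)
    report = OrderedDict()
    for module, vendor, target in parse_gmer(gmer_text):
        entry = report.setdefault(module, {"vendor": vendor, "targets": [], "failed_at_boot": False})
        if vendor and not entry["vendor"]:
            entry["vendor"] = vendor
        entry["targets"].append(target)
        # The 7026 event lists service names (aswSP); GMER lists files (aswSP.SYS).
        entry["failed_at_boot"] = module.rsplit(".", 1)[0] in failed
    return report


def unattributed_modules(report):
    """Hooking modules GMER printed with no vendor string: verify these by hand, on disk."""
    return [m for m, e in report.items() if not e["vendor"]]


if __name__ == "__main__":
    rep = correlate(GMER_SAMPLE, EVENT_SAMPLE)
    for module, e in rep.items():
        flag = " FAILED-AT-BOOT" if e["failed_at_boot"] else ""
        print("%-14s %-40s %s%s" % (module, e["vendor"] or "<no vendor string>", ", ".join(e["targets"]), flag))
    print("verify by hand:", unattributed_modules(rep))
```

Run against the full logs, the script answers two questions at once: which modules sit in the kernel's syscall table and filter stack, and whether any of those same modules were the ones the service controller could not start on a given boot. A module with no vendor string is only a prompt to check the file on disk (the ComboFix output later in this thread places mxDisk.sys under c:\progra~1\VX1\), not evidence of infection.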

#4 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,824 posts
  • Gender:Female
  • Location:Romania

Posted 02 December 2010 - 07:25 AM

Hello there and sorry for the delay.

First of all, your XP installation is seriously outdated. Service Pack 1 hasn't been supported by Microsoft for years. Let's first see what malware needs to be cleaned up here.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Log.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 GST1
  • Topic Starter
  • Members
  • 15 posts

Posted 02 December 2010 - 10:05 PM

Hello Elise; thank you for your response and assistance.

Yes, I am acutely aware that I am running SP1. The biggest reason that I have not installed SP2 or 3 is because of an extremely slow dial-up ISP. I have been determined to "plug the holes that define a Windows OS", so this is not a real concern of mine.

I have managed to update the "Windows Installer-KB893803-v2-x86" package; so that most programs install w/o a reboot.

**********************************************************

To the concern of the ComboFix scan; I was quite surprised that it resulted in a desktop shortcut for I.E., as well as trying to reset I.E. as my default browser. No big deal, otherwise.

Here is the result of that scan:

ComboFix 10-12-01.01 - GSR 02.Dec.10 17:17:18.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.319.112 [GMT -5:00]
Running from: c:\documents and settings\GSR\Desktop\RT Kit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\qmgr.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-11-02 to 2010-12-02 )))))))))))))))))))))))))))))))
.

2010-11-05 17:15 . 2010-10-27 06:10 66520 ----a-w- c:\program files\Mozilla Firefox\plugins\npnul32.dll
2010-11-05 17:15 . 2010-10-27 06:10 140248 ----a-w- c:\program files\Mozilla Firefox\components\brwsrcmp.dll
2010-11-05 17:15 . 2010-10-27 06:10 25048 ----a-w- c:\program files\Mozilla Firefox\components\browserdirprovider.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-12 18:07 . 2010-10-12 18:07 388096 ----a-r- c:\documents and settings\GSR\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-07 15:12 . 2010-06-30 19:52 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-05-09 00:31 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-05-09 00:31 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-05-09 00:31 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-05-09 00:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-05-09 00:31 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2010-05-09 00:31 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:46 . 2010-05-09 00:31 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
.

------- Sigcheck -------



[-] 2003-05-30 14:00 . 7BA80564F369A96AF84E3AA27E75E90B . 1634304 . . [5.3.0000001.902 built by: DIRECTX] . . c:\windows\system32\d3d9.dll

c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"ATI Launchpad"=
"Search and Recover Disk Image Service"="c:\program files\SaR\DiskImageService.exe"
"System Mechanic Startup Guard"="c:\program files\SaR\StartupGuard.exe"
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"Logitech Utility"=Logi_MwX.Exe
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"Fix-It AV"=c:\progra~1\VX1\MemCheck.exe
"InCD"=c:\program files\Ahead\InCD\InCD.exe

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [08.May.10 19:31 165584]
R3 mxDisk;mxDisk;c:\progra~1\VX1\mxDisk.sys [12.Jun.03 14:47 57092]
R3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [06.Oct.08 07:22 9344]
S3 SGUARD;SGUARD;c:\windows\system32\drivers\SGuard.sys [06.Oct.08 17:48 17857]
S4 QRG;QRG;c:\docume~1\GSR\LOCALS~1\Temp\QRG.exe --> c:\docume~1\GSR\LOCALS~1\Temp\QRG.exe [?]
S4 SH;SH;c:\docume~1\GSR\LOCALS~1\Temp\SH.exe --> c:\docume~1\GSR\LOCALS~1\Temp\SH.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mSearch Bar =
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant =
uCustomizeSearch =
LSP: c:\program files\Propel Accelerator\prplsf.dll
Name-Space Handler: ftp\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} - c:\progra~1\iolo\SYSTEM~1\URLSTO~1.DLL
Name-Space Handler: http\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} - c:\progra~1\iolo\SYSTEM~1\URLSTO~1.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\
FF - prefs.js: browser.startup.homepage - blank
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Auto Shutdown: amin.eft_Shutdown@gmail.com - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\amin.eft_Shutdown@gmail.com
FF - Extension: Element Hiding Helper for Adblock Plus: elemhidehelper@adblockplus.org - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\elemhidehelper@adblockplus.org
FF - Extension: UnPlug: unplug@compunach - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\unplug@compunach
FF - Extension: SmoothWheel (mozdev.org): {5F590AA2-1221-4113-A6F4-A4BB62414FAC} - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\{5F590AA2-1221-4113-A6F4-A4BB62414FAC}
FF - Extension: SmoothWheel (AMO): {5F590AA2-1221-4113-A6F4-A4BB62414FAC} - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\{5F590AA2-1221-4113-A6F4-A4BB62414FAC}
FF - Extension: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Extension: Mozilla Archive Format: {7f57cf46-4467-4c2d-adfa-0cba7c507e54} - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\{7f57cf46-4467-4c2d-adfa-0cba7c507e54}
FF - Extension: CookieCuller: {99B98C2C-7274-45a3-A640-D9DF1A1C8460} - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\{99B98C2C-7274-45a3-A640-D9DF1A1C8460}
FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Extension: FoxClocks: {d37dc5d0-431d-44e5-8c91-49419370caa1} - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\{d37dc5d0-431d-44e5-8c91-49419370caa1}
FF - Extension: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Extension: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
FF - Extension: BlockSite: {dd3d7613-0246-469d-bc65-2a3cc1668adc} - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
FF - Extension: MultirowBookmarksToolbar: {FBF6D7FB-F305-4445-BB3D-FEF66579A033} - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}
FF - Extension: ScrapBook: {53A03D43-5363-4669-8190-99061B2DEBA5} - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\{53A03D43-5363-4669-8190-99061B2DEBA5}
FF - Extension: RequestPolicy: requestpolicy@requestpolicy.com - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\requestpolicy@requestpolicy.com
FF - Extension: AnyColor: anycolor.pavlos256@gmail.com - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\anycolor.pavlos256@gmail.com
FF - Extension: Black Stratini: {b41cb5f0-2e52-11de-8c30-0800200c9a66} - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\{b41cb5f0-2e52-11de-8c30-0800200c9a66}
FF - Extension: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Extension: ChromEdit Plus: chromeditplus@webdesigns.ms11.net - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\chromeditplus@webdesigns.ms11.net
FF - Extension: Extension List Dumper: extensionlistdumper@sogame.cat - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\extensionlistdumper@sogame.cat
FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Extension: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
FF - Extension: Add Bookmark Here : abhere2@moztw.org - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\abhere2@moztw.org
FF - Extension: ToolbarButtons: {03B08592-E5B4-45ff-A0BE-C1D975458688} - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\{03B08592-E5B4-45ff-A0BE-C1D975458688}
FF - Extension: QuickFox Notes: amin.eft_bmnotes@gmail.com - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\amin.eft_bmnotes@gmail.com
FF - Extension: Clippings: {91aa5abe-9de4-4347-b7b5-322c38dd9271} - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\{91aa5abe-9de4-4347-b7b5-322c38dd9271}
FF - Extension: CheckPlaces: checkplaces@andyhalford.com - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\checkplaces@andyhalford.com
FF - Extension: Mosaic-Fox: {f9bddc00-152b-11de-8c30-0800200c9a66} - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\{f9bddc00-152b-11de-8c30-0800200c9a66}
FF - Extension: NewsFox: {899DF1F8-2F43-4394-8315-37F6744E6319} - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\extensions\{899DF1F8-2F43-4394-8315-37F6744E6319}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-02 17:25
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(452)
c:\windows\System32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(508)
c:\program files\Propel Accelerator\prplsf.dll
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\progra~1\VX1\mxtask.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2010-12-02 17:29:35 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-02 22:29

Pre-Run: 48,763,527,168 bytes free
Post-Run: 48,734,740,480 bytes free

- - End Of File - - EACE4F880F27047D78E5F3DEFDF9E7EE

*****************
End of this post.
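
The Supplementary Scan section above shows Firefox configured for a manual HTTP proxy at 127.0.0.1:8080 (network.proxy.type 1), an IE ProxyOverride of 127.0.0.1, and a Winsock LSP (prplsf.dll from Propel Accelerator, which the installed-programs list includes and which also appears loaded in lsass.exe). None of that is a verdict, but those are exactly the settings a reviewer wants pulled out of a ComboFix log and checked against what is actually installed. The following is an added example, not ComboFix's own code or anything posted in this thread; the sample lines are constructed to match the log's format, and the loopback check is a triage heuristic (a proxy on 127.0.0.1 means some local process must be listening there, legitimate or not).

```python
import re

# Constructed sample: lines in the shape of the ComboFix "Supplementary Scan"
# section above (a subset, not the whole log).
COMBOFIX_SAMPLE = r"""
uStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1
LSP: c:\program files\Propel Accelerator\prplsf.dll
FF - ProfilePath - c:\documents and settings\GSR\Application Data\Mozilla\Firefox\Profiles\4ocgel70.default\
FF - prefs.js: browser.startup.homepage - blank
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
"""

# ComboFix prefixes: u = current user hive, m = machine hive.
IE_RE = re.compile(r"^[um]Internet Settings,(?P<key>\w+)\s*=\s*(?P<value>.*)$")
FF_RE = re.compile(r"^FF - prefs\.js:\s*(?P<key>[\w.]+)\s+-\s+(?P<value>.*)$")
LSP_RE = re.compile(r"^LSP:\s*(?P<path>.+)$")

LOOPBACK_PREFIXES = ("127.", "localhost", "::1")


def parse_supplementary(text):
    """Collect IE proxy keys, Firefox prefs.js entries and Winsock LSP paths from the log."""
    parsed = {"ie": {}, "ff": {}, "lsp": []}
    for line in text.splitlines():
        line = line.strip()
        m = IE_RE.match(line)
        if m:
            parsed["ie"][m.group("key")] = m.group("value").strip()
            continue
        m = FF_RE.match(line)
        if m:
            parsed["ff"][m.group("key")] = m.group("value").strip()
            continue
        m = LSP_RE.match(line)
        if m:
            parsed["lsp"].append(m.group("path").strip())
    return parsed


def firefox_proxy(parsed):
    """(host, port) when Firefox uses a manual HTTP proxy (network.proxy.type 1), else None."""
    ff = parsed["ff"]
    if ff.get("network.proxy.type") != "1":
        return None
    host = ff.get("network.proxy.http")
    if not host:
        return None
    return host, int(ff.get("network.proxy.http_port", "80"))


def findings(parsed):
    """Items an analyst should confirm against the installed-programs list, as readable strings."""
    out = []
    proxy = firefox_proxy(parsed)
    if proxy:
        host, port = proxy
        note = "Firefox sends HTTP through %s:%d" % (host, port)
        if host.startswith(LOOPBACK_PREFIXES):
            note += " (loopback: some local process must listen there; identify it)"
        out.append(note)
    override = parsed["ie"].get("ProxyOverride")
    if override:
        out.append("IE proxy bypass list (ProxyOverride): %s" % override)
    for path in parsed["lsp"]:
        out.append("Winsock LSP installed: %s (in the Winsock chain of every socket-using program)" % path)
    return out


if __name__ == "__main__":
    for item in findings(parse_supplementary(COMBOFIX_SAMPLE)):
        print("-", item)
```

The point of separating parsing from the findings is that the same parser can be pointed at any ComboFix log, while the list of things worth flagging (a manual proxy, a loopback proxy, an LSP) stays short and explicit enough to reason about. Each finding still has to be matched to a program the user knowingly installed before it means anything.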

#6 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,824 posts
  • Gender:Female
  • Location:Romania

Posted 03 December 2010 - 04:18 AM

Please see here for different ways to get Service Pack 3: http://support.microsoft.com/kb/322389

It really makes no sense continuing the cleanup without updating first. Your computer is wide open for a variety of threats this way. Going online this way is practically inviting malware to infect your computer.

regards, Elise




#7 GST1
  • Topic Starter
  • Members
  • 15 posts

Posted 03 December 2010 - 12:26 PM

Hello again Elise,

I do understand your concerns with regard to the Service Packs. I'm certain that many knowledgeable individuals would consider that a sticking point.
I followed the link suggested, and got on the frustrating merry-go-round that seems to define the M/S site.

In a small sidebar rant: Although I realize it is beyond any user's control: Why does my browser report (through security protocols that I have established) that there are (denied) requests to connect to "twitter.com" when on the M/S site?? I've noticed very many sites, lately, that are also making requests to "facebook.com and fbcnd.com"...

*********************************************************

Please understand that through considerable research and deployment, I believe that the methods that I have employed to protect my OS and online activities more than compensate for any available Windows updates. [It is somewhat reassuring that many of their updates reflect what I have already performed.]

Also please note that, IMHO, there is apparently extremely little appearing as resembling malware on this system. There seems to be only one item detected by ComboFix "c:\windows\system32\qmgr.dll . . . [as] infected!!". Other highly recommended scanners that I have installed (such as MBAM, Spybot) have detected absolutely nothing.

If you would please offer suggestions as to the complete removal (and any possible necessary replacement) of that apparently problematic driver, "qmgr.dll", I would most appreciate it.

I realize that you have a real flood of postings on this Forum, and I certainly empathize.
The only "real" difficulty in my system is getting the firewall to load w/o taking an hour, or thereabouts.

I remain most desired of what can be pursued in the conquest of such.

Thank you,
Gartt

#8 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,824 posts
  • Gender:Female
  • Location:Romania

Posted 03 December 2010 - 01:34 PM

Please understand that through considerable research and deployment, I believe that the methods that I have employed to protect my OS and online activities more than compensate for any available Windows updates. [It is somewhat reassuring that many of their updates reflect what I have already performed.]

I highly doubt this is even possible. What you describe is like putting new seatbelts in a car that has no working brakes.

Combofix displays those files as missing/infected because this service pack is so old. Many of your security programs are unable to function properly as well.

Of course it is up to you if you stick with it or not, I understand it is quite hard to download it (maybe you can ask a friend or family member to download it for you and burn it to a CD), but there is nothing I can do if you do not first install it. So, either you install the service pack or we will close this topic. It just makes no sense to continue; our tools' output is not reliable with this service pack.

regards, Elise




#9 GST1
  • Topic Starter
  • Members
  • 15 posts

Posted 04 December 2010 - 11:30 AM

Hello again Elise,

There are, indeed, many vulnerabilities inherent to a "Windows OS" that can be overcome. Get completely rid of that "Remote Desktop" application, for starters.
I did enjoy your analogy, though.

While the recommended scanners may find false positives or missing drivers; I am not completely clear on the notion that if a program 'properly installs': how would/could it not function properly?
It would seem that any program would install its own necessary Registry entries/drivers/et cetera, and therefore function rather autonomously.
I previously updated the "Windows Installer-KB893803-v2-x86" package specifically because 'a (very) few' newer programs relied on it.

In considering your suggestion to have someone download/burn to CD an updated Service Pack, the only viable alternative that I notice is to reference: "Windows XP Service Pack 2 Network Installation Package for IT Professionals and Developers" (a 266.0MB d/l). All of the other M/S SP2 or 3 updates that I observe, are downloaded/installed directly to the user's system. Please correct me, otherwise.

I will follow on that advice to update to at least SP2. I will get back to you after such.

Thank you for your time and consideration.
Gartt

#10 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,824 posts
  • Gender:Female
  • Location:Romania

Posted 04 December 2010 - 11:38 AM

Hi Gartt, this is the one you need: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=2fcde6ce-b5fb-4488-8c50-fe22559d164e

regards, Elise




#11 GST1
  • Topic Starter
  • Members
  • 15 posts

Posted 04 December 2010 - 12:42 PM

Hello Elise,

Thank you for that direct link.

That looks especially promising as it seems to enable the update process directly from SP1 To SP3.

I will ask someone to d/l that for me, and will install ASAP.

Your assistance is much appreciated,
Gartt

P.S. Even though my "Post Options" confirm that I am "...currently receiving email notification of replies", I have not received notifications of your last two responses.

#12 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,824 posts
  • Gender:Female
  • Location:Romania

Posted 04 December 2010 - 01:03 PM

Notifications can sometimes be buggy; I also noticed the site being down a few times today, maybe that is related.

This download will indeed do the update to SP3 at once. Please let me know once you are ready to move on.

regards, Elise




#13 GST1
  • Topic Starter
  • Members
  • 15 posts

Posted 04 December 2010 - 10:36 PM

Thanks.
Will do.

#14 GST1
  • Topic Starter
  • Members
  • 15 posts

Posted 10 December 2010 - 01:49 PM

Hi Elise,

I had someone d/l that SP3 update, got their computer today, burned to disc, then noticed that it is a .ISO image file. I have no idea how to work with this type of file.

In reviewing a related .PDF "Overview of Windows XP Service Pack 3", I found another download that is an .EXE file:
http://www.microsoft.com/downloads/en/details.aspx?familyid=5B33B5A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en&pf=true

It appears to me to be basically the same Service Pack 3 update, only I believe that the .EXE file should be not much difficulty to work with.

I will get them to d/l this for me, and install ASAP.

Thank You.
Gartt

#15 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,824 posts
  • Gender:Female
  • Location:Romania

Posted 10 December 2010 - 02:28 PM

Hi Gartt, you can burn the .iso to a CD. See how to write an iso to a CD

regards, Elise

