
Infected with malware win defrag, but Rootkit (TDL4)


This topic is locked
8 replies to this topic

#1 Majin1983 (Members, 8 posts)

Posted 12 December 2010 - 05:54 PM

My computer contracted the Win Defrag malware, so I downloaded the anti-malware program Malwarebytes' Anti-Malware. After using it, the program didn't seem to get rid of the problem completely, so I attempted to delete the files the program was using directly, as suggested in this guide:

http://www.bleepingcomputer.com/virus-removal/remove-win-defrag

My computer continued to act erratically, with a Windows error popup appearing every now and then informing me of an error, followed by my inability to use administrator privileges.

The error popups include (I apologise that these are in Japanese, but I am posting from the errors themselves):

Problem signature:
Problem Event Name: APPCRASH
Application Name: svchost.exe
Application Version: 6.0.6001.18000
Application Timestamp: 47918b89
Fault Module Name: ntdll.dll
Fault Module Version: 6.0.6002.18005
Fault Module Timestamp: 49e03821
Exception Code: c000071b
Exception Offset: 000888f5
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1041
Additional Information 1: 0e02
Additional Information 2: b21b56b606e7544720668ce364087082
Additional Information 3: 0e02
Additional Information 4: b21b56b606e7544720668ce364087082

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0411

The above is the most frequent popup, I can receive this 3 or 4 times before the system starts limiting my activities. The other popup I have received (twice now in total) is:

Problem Event Name: BEX
Application Name: svchost.exe
Application Version: 6.0.6001.18000
Application Timestamp: 47918b89
Fault Module Name: StackHash_1ba3
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 00000000
Exception Offset: 4f505050
Exception Code: c0000005
Exception Data: 00000008
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1041
Additional Information 1: 1ba3
Additional Information 2: bd715785af2b3640481a130b0e633d4e
Additional Information 3: 78ea
Additional Information 4: 5fbae27a3a66cc99e51b45cd911b0218

I checked these popups, but I was informed my Windows may have an error in it, so I should attempt to update it. However, whenever I try to, I get an error message:
code 80072EFE

I am unsure what this means, as most sites I have looked this up on are unhelpful.

As a result of the above popups, I am unable to perform many actions. Upon attempting to reinstall Vista to repair the damage (but keep my current information), I discovered I was unable to do so, and that the computer's Disk Management and Device Manager were not recognising the drive I have partitioned as my C: and D: drives. Disk Management lists my DVD drive (Disk 0) and my external hard disk (Drive 1), but no drive 0. As a result, if I attempt to perform the upgrade reinstallation for Vista, I am informed that I do not have enough partition space, and if I attempt to do a full reinstallation, I am informed that there is no C drive to install onto.

The past couple of days, I have had to restart my computer on multiple occasions to ensure that I can use it for my daily purposes, but there are times when I get the blue screen of death (this has happened twice, both times after I 'woke' the computer from sleep mode after using it in a friend's house, using the friend's internet service. I am unsure if this is a valid reason, but it is my guess as to why the system crashed). A few times I have opened up Windows after typing in my user name and password and the computer screen remained black, with the white mouse icon on screen. During this time, I waited up to 20 minutes with no change, so I used Ctrl+Alt+Delete to check in Task Manager whether explorer was running, which it was. Unfortunately, very few other programs were running at the same time, so I decided that it would be best to shut down the computer and then restart it. After doing that, the computer would allow me access to Windows. I have also had occurrences where, just after the Dell logo finishes loading but before Windows starts, the computer screen remains all black with no computer action.

I have followed the instructions of this forum and request what help I can. This is a Japanese laptop, however, so I am unsure how helpful everyone can be. I appreciate any aid anyone can give, as I am very worried over the computer. I have had to do several restarts recently to get it to work without any issues (no blank screen before or after Windows, nor any blue screen of death). Thank you.

Attached File  Attach.txt   6.18KB   0 downloads
Attached File  ark.txt   40.13KB   1 downloads

DDS (Ver_10-12-12.02) - NTFSx86
Run by Majin83 at 21:51:16.35 on 2010/12/12
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_22
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\BUFFALO\clientmgrv\bin\BWH32S.exe
C:\Windows\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\TBLMOUSE.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\sttray.exe
C:\Windows\ehome\ehtray.exe
C:\My Programs\Daemon Tools\daemon.exe
C:\Program Files\Citrus Alarm Clock\citrusac.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\BUFFALO\clientmgrv\bin\cmvMain.exe
C:\Windows\ehome\ehmsas.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\atwtusb.exe
C:\Windows\system32\atwtusb.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\My Programs\Yahoo Messanger\Messenger\ymsgr_tray.exe
C:\My Programs\Opera 9\opera.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Majin83\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://uk.youtube.com/profile?user=MajinOtaku83
uWindow Title = Dell により提供された Internet Explorer
mDefault_Page_URL = hxxp://www.google.co.jp/ig/dell?hl=ja&client=dell-row&channel=jp&ibd=0070301
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:5577
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live サインイン ヘルパー: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DAEMON Tools] "c:\my programs\daemon tools\daemon.exe" -lang 1033
uRun: [Citrus Alarm Clock] c:\program files\citrus alarm clock\citrusac.exe
uRun: [<NO NAME>]
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [Messenger (Yahoo!)] "c:\myprog~1\yahoom~1\messen~1\YahooMessenger.exe" -quiet
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [tblmouse] tblmouse.exe U
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SigmatelSysTrayApp] sttray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\audibl~1.lnk - c:\my programs\movie programs\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{53a01cc6-14b0-4512-a2e7-10d39bf83dc4}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ハラツ~1.lnk - c:\program files\buffalo\clientmgrv\bin\cmvMain.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: DVDIdleShell Class: {93994de8-8239-4655-b1d1-5f4e91300429} - c:\my programs\dvd region+css free\DVDShell.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\majin83\appdata\roaming\mozilla\firefox\profiles\8egaa8vu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2536667&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\my programs\movie programs\vlc\npvlc.dll
FF - plugin: c:\my programs\opera 9\program\plugins\np_gp.dll
FF - plugin: c:\my programs\opera 9\program\plugins\np32dsw.dll
FF - plugin: c:\my programs\opera 9\program\plugins\npdivx32.dll
FF - plugin: c:\my programs\opera 9\program\plugins\npdrmv2.dll
FF - plugin: c:\my programs\opera 9\program\plugins\nppl3260.dll
FF - plugin: c:\my programs\opera 9\program\plugins\npqtplugin.dll
FF - plugin: c:\my programs\opera 9\program\plugins\npqtplugin2.dll
FF - plugin: c:\my programs\opera 9\program\plugins\npqtplugin3.dll
FF - plugin: c:\my programs\opera 9\program\plugins\npqtplugin4.dll
FF - plugin: c:\my programs\opera 9\program\plugins\npqtplugin5.dll
FF - plugin: c:\my programs\opera 9\program\plugins\npqtplugin6.dll
FF - plugin: c:\my programs\opera 9\program\plugins\npqtplugin7.dll
FF - plugin: c:\my programs\opera 9\program\plugins\nprjplug.dll
FF - plugin: c:\my programs\opera 9\program\plugins\nprpjplug.dll
FF - plugin: c:\my programs\opera 9\program\plugins\NPSWF32.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: British English Dictionary>: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Veoh Browser Plug-in: videofinder@veoh.com - c:\program files\veoh networks\veoh\plugins\noreg\VideoFinder4
FF - Ext: XULRunner: {C2EB8DC6-A7E9-4344-8B61-ECECD3E70650} - c:\users\majin83\appdata\local\{C2EB8DC6-A7E9-4344-8B61-ECECD3E70650}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-6-20 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-6-20 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2007-3-9 50768]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-17 40384]
R2 BWH32S;BWH32S;c:\program files\buffalo\clientmgrv\bin\BWH32S.exe [2008-4-17 57648]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-10 24652]
R2 WTService;WTService;c:\windows\system32\atwtusb.exe -s --> c:\windows\system32\atwtusb.exe -s [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-17 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-17 40384]
S1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [2008-12-13 23168]
S3 Bufeap;BUFFALO EAP Driver;c:\windows\system32\drivers\BUFEAP.sys [2008-4-17 14848]
S3 V0100VID;Creative WebCam Vista Pro;c:\windows\system32\drivers\V0100Vid.sys [2007-3-9 91155]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2007-3-29 223128]
S3 XPADFL02;XPAD Filter Service 02;c:\windows\system32\drivers\xPADFL02.sys [2009-7-27 27904]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2007-2-22 2808664]

=============== Created Last 30 ================

2010-12-10 09:54:17 784136 ----a-w- c:\progra~2\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
2010-12-07 22:05:05 -------- d-----w- c:\windows\system32\vi-VN
2010-12-07 22:05:05 -------- d-----w- c:\windows\system32\eu-ES
2010-12-07 22:05:05 -------- d-----w- c:\windows\system32\ca-ES
2010-12-07 21:52:00 -------- d-----w- c:\windows\system32\SPReview
2010-12-07 21:33:54 45056 ----a-w- c:\program files\common files\microsoft shared\ink\ja\Microsoft.Ink.Resources.dll
2010-12-07 21:33:42 928768 ----a-w- c:\windows\system32\scavenge.dll
2010-12-07 21:33:30 57856 ----a-w- c:\windows\system32\compcln.exe
2010-12-07 21:31:59 9728 ----a-w- c:\windows\system32\fdBthProxy.dll
2010-12-07 21:30:59 657408 ----a-w- c:\windows\system32\WMVXENCD.DLL
2010-12-07 21:29:58 714240 ----a-w- c:\windows\system32\timedate.cpl
2010-12-07 21:25:58 -------- d-----w- c:\windows\system32\EventProviders
2010-12-07 18:14:13 193024 ----a-w- c:\windows\system32\recdisc.exe
2010-12-07 18:14:12 6656 ----a-w- c:\windows\system32\sdspres.dll
2010-12-07 18:13:27 28160 ----a-w- c:\windows\system32\sxproxy.dll
2010-12-07 18:11:59 311296 ----a-w- c:\windows\system32\wbem\msiprov.dll
2010-12-07 18:10:59 87552 ----a-w- c:\windows\system32\Robocopy.exe
2010-12-07 18:09:57 55296 ----a-w- c:\windows\system32\fsutil.exe
2010-12-07 18:03:51 -------- d-----w- C:\4903c8efdfa9d581a095
2010-12-07 16:52:20 45056 ----a-r- c:\users\majin83\appdata\roaming\microsoft\installer\{2764ca82-dfb9-4498-af85-719340bf5305}\NewShortcut1_2764CA82DFB94498AF85719340BF5305.exe
2010-12-07 16:52:15 -------- d-----w- c:\windows\system32\vmm32
2010-12-07 12:36:01 -------- d-----w- C:\UBCD4Win
2010-12-04 12:11:41 -------- d-----w- c:\progra~2\RegSERVO
2010-12-03 10:10:17 -------- d-----w- C:\perflogs
2010-12-03 09:59:34 -------- d-----w- c:\users\majin83\appdata\local\MigWiz
2010-12-01 10:06:06 -------- d-----w- c:\users\majin83\appdata\roaming\WhiteSmokeSetup
2010-12-01 08:31:54 -------- d-----w- c:\users\majin83\appdata\roaming\DriverCure
2010-12-01 08:31:53 -------- d-----w- c:\users\majin83\appdata\roaming\ParetoLogic
2010-12-01 01:42:54 -------- d-----w- c:\program files\ParetoLogic
2010-12-01 01:37:18 -------- d-----w- c:\program files\common files\ParetoLogic
2010-12-01 01:37:18 -------- d-----w- c:\progra~2\ParetoLogic
2010-12-01 01:37:16 -------- d-----w- c:\progra~2\XoftSpySE
2010-12-01 00:36:50 0 ----a-w- c:\users\majin83\appdata\local\Lbonoz.bin
2010-12-01 00:36:47 -------- d-----w- c:\users\majin83\appdata\local\{C2EB8DC6-A7E9-4344-8B61-ECECD3E70650}
2010-11-17 08:26:15 38848 ----a-w- c:\windows\avastSS.scr
2010-11-17 08:24:46 -------- d-----w- c:\progra~2\Alwil Software
2010-11-16 09:58:40 -------- d-----w- c:\users\majin83\appdata\roaming\Ehvi
2010-11-16 09:58:40 -------- d-----w- c:\users\majin83\appdata\roaming\Ehihe
2010-11-13 00:12:31 -------- d-----w- c:\program files\iPod
2010-11-13 00:12:26 -------- d-----w- c:\program files\iTunes

==================== Find3M ====================

2010-12-07 18:46:20 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-12-07 18:46:02 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-10-20 16:37:10 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-10-20 16:34:28 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-10-20 16:32:41 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-10-20 16:32:40 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-09-15 03:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: Hitachi_HTS541616J9SA00 rev.SB4OC74P -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86863446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86869504]; MOV EAX, [0x86869580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82A89912] -> \Device\Harddisk0\DR0[0x861C4AC8]
3 CLASSPNP[0x88FA68B3] -> ntkrnlpa!IofCallDriver[0x82A89912] -> [0x85A8A918]
5 acpi[0x831B26BC] -> ntkrnlpa!IofCallDriver[0x82A89912] -> [0x850895A0]
\Driver\atapi[0x864CD8D0] -> IRP_MJ_CREATE -> 0x86863446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskHitachi_HTS541616J9SA00_________________SB4OC74P#5&db0340c&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86863292
\Driver\atapi -> 0x850581e8
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 21:52:30.48 ===============

Edited by Majin1983, 12 December 2010 - 07:00 PM.
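The GMER section of the log above ends in "user != kernel MBR !!!": GMER reads sector 0 once through the normal disk stack (the path a bootkit's driver hooks filter) and once below the hooks, and flags the disk when the two copies disagree. The Python below is an added example of that cross-check; it is not GMER's code, it is not from the original post, and it never touches a real disk. The partition layout is constructed, the "user" boot code after the first 28 bytes is zero filler standing in for the stock code, DISK_SECTORS is the figure GMER printed for the Hitachi drive, and the two byte sequences are hand-assembled from the instructions in GMER's disassembly (the self-relocating prologue, which a stock Windows MBR also has, and the ROR decoder loop that follows it in the dump).

```python
"""Cross-check two reads of the same MBR, as GMER's "user != kernel MBR" test does."""
from __future__ import annotations

import struct
from dataclasses import dataclass

SECTOR = 512
PT_OFFSET = 0x1BE            # partition table: 4 x 16-byte entries, then 0x55AA at 510
DISK_SECTORS = 312581806     # total sector count GMER reported for the Hitachi disk

# Hand-assembled from the GMER disassembly in the log (constructed sample, not a disk dump).
# This prologue only copies the sector to 0x0600 and jumps there; the Windows MBR starts the
# same way, so a real divergence only shows up after it.
PROLOGUE = bytes.fromhex(
    "31C0" "8ED0" "BC007C" "8EC0" "8ED8"    # xor ax,ax; mov ss,ax; mov sp,0x7c00; mov es,ax; mov ds,ax
    "BE007C" "BF0006" "B90002" "FC" "F3A4"  # mov si,0x7c00; mov di,0x600; mov cx,0x200; cld; rep movsb
    "50" "681C06" "CB"                      # push ax; push 0x61c; retf
)
# What the dump shows after the prologue: a ROR decoder walking over the rest of the sector.
DECODER_STUB = bytes.fromhex(
    "FB" "60" "B93701" "BD2A06"             # sti; pusha; mov cx,0x137; mov bp,0x62a
    "D24E00" "45"                           # ror byte [bp+0],cl; inc bp
)


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:  # exclusive
        return self.lba_start + self.sectors


def build_mbr(boot_code: bytes, partitions: list[tuple[bool, int, int, int]]) -> bytes:
    """Assemble a 512-byte MBR from boot code and (bootable, type, lba_start, sectors) entries."""
    if len(boot_code) > PT_OFFSET - 6:      # keep the disk-signature area clear
        raise ValueError("boot code too long")
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (bootable, type_id, start, size) in enumerate(partitions[:4]):
        # status, CHS start (unused, LBA only), type, CHS end (unused), LBA start, sector count
        entry = struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xfe\xff\xff",
                            type_id, b"\xfe\xff\xff", start, size)
        off = PT_OFFSET + 16 * i
        mbr[off:off + 16] = entry
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_partitions(mbr: bytes) -> list[Partition]:
    """Return the non-empty partition table entries of a signed MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (bad length or missing 0x55AA signature)")
    parts = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _, type_id, _, start, size = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        if type_id != 0:
            parts.append(Partition(i, status == 0x80, type_id, start, size))
    return parts


def unpartitioned_tail(mbr: bytes, disk_sectors: int) -> tuple[int, int]:
    """(first LBA, count) of the sectors after the last partition. No volume ever mounts
    this region, which is where TDL4 keeps its hidden file system."""
    end = max((p.lba_end for p in parse_partitions(mbr)), default=0)
    return end, disk_sectors - end


def compare_mbr(user_mbr: bytes, kernel_mbr: bytes) -> dict:
    """Diff the sector returned through the (possibly hooked) driver stack against the one
    read below the hooks; a bootkit usually swaps the boot code but keeps the table intact."""
    first_diff = next((i for i, (a, b) in enumerate(zip(user_mbr, kernel_mbr)) if a != b), None)
    pt_same = user_mbr[PT_OFFSET:510] == kernel_mbr[PT_OFFSET:510]
    if first_diff is None:
        verdict = "identical: no evidence of MBR tampering"
    elif pt_same and first_diff < PT_OFFSET:
        verdict = "boot code differs, partition table intact: bootkit-style MBR replacement"
    else:
        verdict = "partition table differs: investigate before trusting either copy"
    return {"first_diff_offset": first_diff, "partition_table_same": pt_same, "verdict": verdict}


# Constructed layout: bootable NTFS C:, second NTFS D:, 2048 sectors of slack before the end.
LAYOUT = [(True, 0x07, 2048, 209715200), (False, 0x07, 209717248, 102862510)]
USER_MBR = build_mbr(PROLOGUE, LAYOUT)                   # what a hooked read hands back
KERNEL_MBR = build_mbr(PROLOGUE + DECODER_STUB, LAYOUT)  # what is really in sector 0

if __name__ == "__main__":
    print(compare_mbr(USER_MBR, KERNEL_MBR))
    for p in parse_partitions(KERNEL_MBR):
        print(p)
    print("unpartitioned tail (start, sectors):", unpartitioned_tail(KERNEL_MBR, DISK_SECTORS))
```

Run as a script it reports the first differing offset (28, right after the shared prologue), confirms the partition table is untouched, and prints the unpartitioned tail; against a real machine the two inputs would be sector 0 read via the normal volume path and via a trusted path (a boot CD or a second machine with the disk attached), which is also why the cleanup tools in this thread are run from outside the infected Windows.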



#2 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 19 December 2010 - 04:41 PM

Hello Majin1983 ,


Sorry for the delay. :( If you still need help, please post a new DDS/HijackThis log and I'll be happy to look at it. :)

Thanks,
tea

#3 Majin1983 (Topic Starter, Members, 8 posts)

Posted 20 December 2010 - 04:42 AM

Tea,

Thank you very much for the response. Yes, I still do need help with the computer, though it seems to have calmed down a little and no longer fails to work every other time I turn it on. I am still getting the problem of losing the ability to access administrator-only programs, along with the issue of no C or D drive being shown in Disk Management or Device Manager.

I also had a system crash, leading to a blue screen, the error as follows:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1041

Additional information about the problem:
BCCode: 4e
BCP1: 00000007
BCP2: 0007E28B
BCP3: 00000001
BCP4: 00000000
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini122010-01.dmp
C:\Users\Majin83\AppData\Local\Temp\WER-78062-0.sysdata.xml
C:\Users\Majin83\AppData\Local\Temp\WER8323.tmp.version.txt

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0411

This was caused while I was running gmer.exe, scanning the system and trying to open another program. I restarted the computer and just ran GMER, and I have managed to get another ark.txt.

I also got a new DDS and Attach file, just in case anything new has come up, so you can compare it to the old one I posted.

Another thing is that after 2 or 3 error messages, my desktop appearance/theme changes from Windows Vista Basic (I don't like Aero, it takes up too much memory) to the Windows Standard appearance. This doesn't make a huge difference for me, but it is irritating to have to change it back.

Thank you again so much for the offer to help. I am really worried about my computer, as I have managed to save some files, but the system won't let me back anything up.

Attached File  Attach.txt   6.15KB   0 downloads
Attached File  ark.txt   37.61KB   0 downloads

DDS.txt file content:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Majin83 at 8:32:30.37 on 2010/12/20
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_23
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\BUFFALO\clientmgrv\bin\BWH32S.exe
C:\Windows\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskeng.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\Dwm.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\atwtusb.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\atwtusb.exe
C:\Windows\System32\TBLMOUSE.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\My Programs\Daemon Tools\daemon.exe
C:\Program Files\Citrus Alarm Clock\citrusac.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\My Programs\Yahoo Messanger\Messenger\YahooMessenger.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\BUFFALO\clientmgrv\bin\cmvMain.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Majin83\Desktop\dds.scr
C:\Windows\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://uk.youtube.com/profile?user=MajinOtaku83
uWindow Title = Dell により提供された Internet Explorer
mDefault_Page_URL = hxxp://www.google.co.jp/ig/dell?hl=ja&client=dell-row&channel=jp&ibd=0070301
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:5577
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live サインイン ヘルパー: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DAEMON Tools] "c:\my programs\daemon tools\daemon.exe" -lang 1033
uRun: [Citrus Alarm Clock] c:\program files\citrus alarm clock\citrusac.exe
uRun: [<NO NAME>]
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [Messenger (Yahoo!)] "c:\myprog~1\yahoom~1\messen~1\YahooMessenger.exe" -quiet
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [tblmouse] tblmouse.exe U
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\audibl~1.lnk - c:\my programs\movie programs\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{53a01cc6-14b0-4512-a2e7-10d39bf83dc4}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ハラツ~1.lnk - c:\program files\buffalo\clientmgrv\bin\cmvMain.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: DVDIdleShell Class: {93994de8-8239-4655-b1d1-5f4e91300429} - c:\my programs\dvd region+css free\DVDShell.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\majin83\appdata\roaming\mozilla\firefox\profiles\8egaa8vu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2536667&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\my programs\movie programs\vlc\npvlc.dll
FF - plugin: c:\my programs\opera 9\program\plugins\np_gp.dll
FF - plugin: c:\my programs\opera 9\program\plugins\np32dsw.dll
FF - plugin: c:\my programs\opera 9\program\plugins\npdivx32.dll
FF - plugin: c:\my programs\opera 9\program\plugins\npdrmv2.dll
FF - plugin: c:\my programs\opera 9\program\plugins\nppl3260.dll
FF - plugin: c:\my programs\opera 9\program\plugins\npqtplugin.dll
FF - plugin: c:\my programs\opera 9\program\plugins\npqtplugin2.dll
FF - plugin: c:\my programs\opera 9\program\plugins\npqtplugin3.dll
FF - plugin: c:\my programs\opera 9\program\plugins\npqtplugin4.dll
FF - plugin: c:\my programs\opera 9\program\plugins\npqtplugin5.dll
FF - plugin: c:\my programs\opera 9\program\plugins\npqtplugin6.dll
FF - plugin: c:\my programs\opera 9\program\plugins\npqtplugin7.dll
FF - plugin: c:\my programs\opera 9\program\plugins\nprjplug.dll
FF - plugin: c:\my programs\opera 9\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Veoh Browser Plug-in: videofinder@veoh.com - c:\program files\veoh networks\veoh\plugins\noreg\VideoFinder4
FF - Ext: XULRunner: {C2EB8DC6-A7E9-4344-8B61-ECECD3E70650} - c:\users\majin83\appdata\local\{C2EB8DC6-A7E9-4344-8B61-ECECD3E70650}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-6-20 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-6-20 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2007-3-9 50768]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-17 40384]
R2 BWH32S;BWH32S;c:\program files\buffalo\clientmgrv\bin\BWH32S.exe [2008-4-17 57648]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-10 24652]
R2 WTService;WTService;c:\windows\system32\atwtusb.exe -s --> c:\windows\system32\atwtusb.exe -s [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-17 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-17 40384]
S1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [2008-12-13 23168]
S3 Bufeap;BUFFALO EAP Driver;c:\windows\system32\drivers\BUFEAP.sys [2008-4-17 14848]
S3 V0100VID;Creative WebCam Vista Pro;c:\windows\system32\drivers\V0100Vid.sys [2007-3-9 91155]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2007-3-29 223128]
S3 XPADFL02;XPAD Filter Service 02;c:\windows\system32\drivers\xPADFL02.sys [2009-7-27 27904]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2007-2-22 2808664]

=============== Created Last 30 ================

2010-12-18 10:28:57 -------- d-----w- c:\program files\iPod
2010-12-18 10:28:50 -------- d-----w- c:\program files\iTunes
2010-12-10 09:54:17 784136 ----a-w- c:\progra~2\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
2010-12-07 22:05:05 -------- d-----w- c:\windows\system32\vi-VN
2010-12-07 22:05:05 -------- d-----w- c:\windows\system32\eu-ES
2010-12-07 22:05:05 -------- d-----w- c:\windows\system32\ca-ES
2010-12-07 21:52:00 -------- d-----w- c:\windows\system32\SPReview
2010-12-07 21:33:54 45056 ----a-w- c:\program files\common files\microsoft shared\ink\ja\Microsoft.Ink.Resources.dll
2010-12-07 21:33:42 928768 ----a-w- c:\windows\system32\scavenge.dll
2010-12-07 21:33:30 57856 ----a-w- c:\windows\system32\compcln.exe
2010-12-07 21:31:59 9728 ----a-w- c:\windows\system32\fdBthProxy.dll
2010-12-07 21:30:59 657408 ----a-w- c:\windows\system32\WMVXENCD.DLL
2010-12-07 21:29:58 714240 ----a-w- c:\windows\system32\timedate.cpl
2010-12-07 21:25:58 -------- d-----w- c:\windows\system32\EventProviders
2010-12-07 18:14:13 193024 ----a-w- c:\windows\system32\recdisc.exe
2010-12-07 18:14:12 6656 ----a-w- c:\windows\system32\sdspres.dll
2010-12-07 18:13:27 28160 ----a-w- c:\windows\system32\sxproxy.dll
2010-12-07 18:11:59 311296 ----a-w- c:\windows\system32\wbem\msiprov.dll
2010-12-07 18:10:59 87552 ----a-w- c:\windows\system32\Robocopy.exe
2010-12-07 18:09:57 55296 ----a-w- c:\windows\system32\fsutil.exe
2010-12-07 18:03:51 -------- d-----w- C:\4903c8efdfa9d581a095
2010-12-07 16:52:20 45056 ----a-r- c:\users\majin83\appdata\roaming\microsoft\installer\{2764ca82-dfb9-4498-af85-719340bf5305}\NewShortcut1_2764CA82DFB94498AF85719340BF5305.exe
2010-12-07 16:52:15 -------- d-----w- c:\windows\system32\vmm32
2010-12-07 12:36:01 -------- d-----w- C:\UBCD4Win
2010-12-04 12:11:41 -------- d-----w- c:\progra~2\RegSERVO
2010-12-03 10:10:17 -------- d-----w- C:\perflogs
2010-12-03 09:59:34 -------- d-----w- c:\users\majin83\appdata\local\MigWiz
2010-12-01 10:06:06 -------- d-----w- c:\users\majin83\appdata\roaming\WhiteSmokeSetup
2010-12-01 08:31:54 -------- d-----w- c:\users\majin83\appdata\roaming\DriverCure
2010-12-01 08:31:53 -------- d-----w- c:\users\majin83\appdata\roaming\ParetoLogic
2010-12-01 01:42:54 -------- d-----w- c:\program files\ParetoLogic
2010-12-01 01:37:18 -------- d-----w- c:\program files\common files\ParetoLogic
2010-12-01 01:37:18 -------- d-----w- c:\progra~2\ParetoLogic
2010-12-01 01:37:16 -------- d-----w- c:\progra~2\XoftSpySE
2010-12-01 00:36:50 0 ----a-w- c:\users\majin83\appdata\local\Lbonoz.bin
2010-12-01 00:36:47 -------- d-----w- c:\users\majin83\appdata\local\{C2EB8DC6-A7E9-4344-8B61-ECECD3E70650}
2010-11-29 17:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2010-12-07 18:46:20 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-12-07 18:46:02 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-11-12 18:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-20 16:37:10 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-10-20 16:34:28 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-10-20 16:32:41 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-10-20 16:32:40 33792 ----a-w- c:\windows\system32\wuapp.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: Hitachi_HTS541616J9SA00 rev.SB4OC74P -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86886446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8688c504]; MOV EAX, [0x8688c580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82A5B912] -> \Device\Harddisk0\DR0[0x85C9D0F8]
3 CLASSPNP[0x88FA08B3] -> ntkrnlpa!IofCallDriver[0x82A5B912] -> [0x85AE5918]
5 acpi[0x831B36BC] -> ntkrnlpa!IofCallDriver[0x82A5B912] -> [0x85A5E030]
\Driver\atapi[0x86871D28] -> IRP_MJ_CREATE -> 0x86886446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskHitachi_HTS541616J9SA00_________________SB4OC74P#5&db0340c&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86886292
\Driver\atapi -> 0x85a201e8
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 8:37:28.51 ===============

Edited by Majin1983, 20 December 2010 - 07:21 AM.
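The GMER section of the log above ends with "user != kernel MBR": the detector reads sector 0 once through the ordinary user-mode path and once through the kernel's own disk path, and the two copies do not match, while a hook on \Driver\atapi DriverStartIo sits between those two paths. The script below is an added illustration of that comparison, written for this thread; it is not GMER's code, does not read a real disk, and every byte in it is constructed sample data (the partition layout, the bootstrap bytes and the offsets are assumptions chosen for the demonstration).

```python
"""Illustrate the 'user != kernel MBR' check from the GMER output above.

Added example for this thread; it is not GMER's code and does not read a
real disk. Two 512-byte views of sector 0 are compared: the one a program
sees through the normal user-mode read path, and the one the kernel reads
from the disk itself. If a disk-driver hook serves a clean copy to the first
path while the sector on disk holds a foreign bootstrap, the two views differ.
All sample bytes below are constructed for the example.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MBR_SIZE = 512
BOOT_CODE_SIZE = 446           # bootstrap code (and disk signature) occupy bytes 0..445
PART_TABLE_OFFSET = 446        # four 16-byte partition entries at 446..509
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partition_table(mbr: bytes) -> List[Partition]:
    """Decode the four classic partition entries; empty slots (type 0) are skipped."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR image is exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status, CHS start (3 bytes, ignored), type, CHS end (ignored), LBA start, sector count
        status, type_id, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if type_id != 0:
            parts.append(Partition(i, status == 0x80, type_id, lba_start, sectors))
    return parts


def compare_mbr(user_view: bytes, kernel_view: bytes) -> Dict[str, object]:
    """Report whether and where the two views of sector 0 disagree."""
    if len(user_view) != MBR_SIZE or len(kernel_view) != MBR_SIZE:
        raise ValueError("both views must be 512 bytes")
    first_diff: Optional[int] = next(
        (i for i in range(MBR_SIZE) if user_view[i] != kernel_view[i]), None)
    return {
        "identical": first_diff is None,
        "first_diff_offset": first_diff,
        "boot_code_differs": user_view[:BOOT_CODE_SIZE] != kernel_view[:BOOT_CODE_SIZE],
        "partition_table_differs": user_view[PART_TABLE_OFFSET:510] != kernel_view[PART_TABLE_OFFSET:510],
        "user_signature_ok": user_view[510:] == BOOT_SIGNATURE,
        "kernel_signature_ok": kernel_view[510:] == BOOT_SIGNATURE,
    }


def verdict(report: Dict[str, object]) -> str:
    """Turn a comparison report into the kind of one-line verdict the detector prints."""
    if not (report["user_signature_ok"] and report["kernel_signature_ok"]):
        return "invalid boot signature in at least one view"
    if report["identical"]:
        return "user == kernel MBR"
    if report["boot_code_differs"] and not report["partition_table_differs"]:
        return "user != kernel MBR: bootstrap code differs, partition table intact"
    return "user != kernel MBR: partition table differs"


def build_sample_mbr(bootstrap: bytes, partitions: List[Tuple[bool, int, int, int]]) -> bytes:
    """Assemble a 512-byte MBR from bootstrap bytes and (bootable, type, lba, sectors) tuples."""
    if len(bootstrap) > BOOT_CODE_SIZE or len(partitions) > 4:
        raise ValueError("bootstrap too long or too many partitions")
    img = bytearray(bootstrap.ljust(BOOT_CODE_SIZE, b"\x00"))
    for bootable, type_id, lba, sectors in partitions:
        img += struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, type_id, lba, sectors)
    img += b"\x00" * (PART_ENTRY_SIZE * (4 - len(partitions)))
    img += BOOT_SIGNATURE
    return bytes(img)


# Constructed sample data (assumptions for this example, not the poster's disk).
# CLEAN_BOOTSTRAP is the usual opening of an x86 MBR
# (xor ax,ax / mov ss,ax / mov sp,0x7c00 / mov es,ax / mov ds,ax); the
# "kernel" view shares the stack setup and then diverges into placeholder
# bytes, standing in for a foreign loader written over the real sector.
CLEAN_BOOTSTRAP = bytes.fromhex("33c08ed0bc007c8ec08ed8")
TAMPERED_BOOTSTRAP = bytes.fromhex("33c08ed0bc007c") + b"\xfa" + b"\x90" * 8
SAMPLE_PARTITIONS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 312374958)]
USER_VIEW = build_sample_mbr(CLEAN_BOOTSTRAP, SAMPLE_PARTITIONS)
KERNEL_VIEW = build_sample_mbr(TAMPERED_BOOTSTRAP, SAMPLE_PARTITIONS)

if __name__ == "__main__":
    report = compare_mbr(USER_VIEW, KERNEL_VIEW)
    print(verdict(report), "(first difference at byte", report["first_diff_offset"], ")")
    for part in parse_partition_table(KERNEL_VIEW):
        print(part)
```

The point the comparison makes is that the partition table alone says nothing: in the sample both views carry the same two entries, and only the bootstrap bytes before the table differ, which is exactly the case where a program that reads the MBR through the hooked path and checks the partition table would see nothing wrong.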


#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:00 AM

Posted 20 December 2010 - 11:22 AM

Hello there,

Well, your new log still shows a rootkit, so let's start with this:

Download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#5 Majin1983

Majin1983
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:00 AM

Posted 20 December 2010 - 12:22 PM

Tea,

Thank you very much for the swift response. I tried the program out; it came up with 1 problem which it cured upon restart (of sorts), at least I think it did. The computer is acting much faster than it was beforehand, so I am feeling much, much more confident.

Also, my computer has detected the disk drive, but I am a little confused as to how the drive appears. It now shows 2 drives, both blank but containing different parts of the same selected driver.

Attached File: Disk Manager 1.jpg (124.31KB)

The above shows the saved image of the Disk Manager window. As you can see, the top blank drive is selected, with the disk 0 part section 47MB.

Attached File: Disk Manager 2.jpg (124.54KB)

This next image shows the same as the first, except that now I have selected the lower blank drive, which has selected the disk 0 part section 2.00GB.

I am a little confused as to what these entail. Do I have to work on my drive at all?

My last question is whether you can look at the log I post and identify if the problem has been cured of my computer? I would be very grateful.

Attached File: TDSSKiller.2.4.12.0_20.12.2010_17.01.16_log.txt (104.94KB)

Thank you very much again. I am sorry to bother you the week before Christmas, but I really appreciate it.

#6 teacup61


Posted 20 December 2010 - 12:43 PM

Hello,

You're welcome, and don't be sorry. :) I love doing this, matters not what time of year it is.

I'm no hardware expert, so I can't answer your question on that with certainty. Malware is my forte, so I'm not sure why there is the difference there.

TDL4 is gone now. However, I do have a question: do you use Whitesmoke Translator? c:\users\majin83\appdata\roaming\WhiteSmokeSetup

tea

#7 Majin1983


Posted 20 December 2010 - 02:50 PM

Tea,

Sorry for the delay with the response; busy with relatives.

I must admit I have not used that program. I wasn't aware I had installed it, so thanks for bringing it up. Is this program malware or a fake program of sorts? I don't know that much, I admit, though I am curious yet wary of most programs.

I had an original post which someone pointed out I should get here, so do you reckon it would work if I posted the images I showed above there and asked questions about hardware? I figure it's best to ask one of the forum experts before I do some horrendous breach of etiquette.

#8 teacup61


Posted 20 December 2010 - 03:01 PM

Whitesmoke has been causing a LOT of problems lately. It gets installed with the rootkit you had. See if you can delete that folder c:\users\majin83\appdata\roaming\WhiteSmokeSetup

If it won't go let me know so we can make it go. :thumbup2:

If it comes to it, there is a hardware forum here. If you do post there, link them to this thread so they can see what events led up to it.

#9 teacup61


Posted 27 December 2010 - 12:11 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



