
facebook virus


This topic is locked
2 replies to this topic

#1 lee.kim


Posted 13 December 2010 - 09:50 PM

Hi, I fell for a Facebook virus my friend sent me. It had something to do with installing a plug-in for Adobe player. Well, Microsoft Security Essentials acted up and stopped it. I did a Malwarebytes scan and picked up and removed traces of Rootkit.TDSS.Gen and a Worm.Koobface. Just wanted to make sure it's gone for good. :)

DDS log
------------

DDS (Ver_10-12-12.02) - NTFSx86
Run by du at 19:54:14.84 on Mon 12/13/2010
Internet Explorer: 8.0.6001.18975
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1681 [GMT -5:00]

AV: Microsoft Security Essentials *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Security Essentials *Enabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Alienware\Command Center\AlienFusionService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Keyboard Manager\OSD Utility\OSDManager.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Alienware\Command Center\AlienFusionController.exe
C:\Program Files\Alienware\Command Center\AlienwareAlienFXController.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\du\Documents\Firefox Dl's\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
uDefault_Page_URL = hxxp://www.alienware.com/Mothership?Comp=%ALIENFACTORY_Company%&SysCode=%ALIENFACTORY_SystemCode%&ai=636E3D34373235343826706F3D35393437373241
mStart Page = hxxp://www.alienware.com/mothership
mDefault_Page_URL = hxxp://www.alienware.com/mothership
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: @c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Keyboard OSD Utility] "c:\program files\keyboard manager\osd utility\OSDManager.exe" /lang en /H
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [AlienFusion Controller] "c:\program files\alienware\command center\AlienFusionController.exe"
mRun: [AlienFX Controller] "c:\program files\alienware\command center\AlienwareAlienFXController.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\du\appdata\roaming\mozilla\firefox\profiles\mpj8hq8t.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=WLETDF&PC=WLEM&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=WLETDF&PC=WLEM&q=
FF - component: c:\users\du\appdata\roaming\mozilla\firefox\profiles\mpj8hq8t.default\extensions\glasser@sixxgate.com\components\dwmxpcom.dll
FF - plugin: c:\progra~1\mi1933~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Vista-aero: {07b2a769-ed19-4483-87ce-c643914c81bb} - %profile%\extensions\{07b2a769-ed19-4483-87ce-c643914c81bb}
FF - Ext: Glasser: glasser@sixxgate.com - %profile%\extensions\glasser@sixxgate.com

============= SERVICES / DRIVERS ===============

R0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2008-2-13 209408]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 AlienFusionService;Alienware Fusion Service;c:\program files\alienware\command center\AlienFusionService.exe [2008-3-5 8192]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2010-2-28 821664]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2010-4-24 483688]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-10-10 179712]
R3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-3-6 21504]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2010-4-24 550760]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2010-4-24 195944]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2010-4-24 21864]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2010-4-24 19304]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2010-4-24 209768]
R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2007-3-28 43008]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-21 136176]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-11-28 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-6-10 24576]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

=============== Created Last 30 ================

2010-12-13 20:19:04 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{33f54277-9dbc-4894-8430-498d3b513246}\mpengine.dll
2010-12-06 03:40:07 -------- d-----w- c:\users\du\appdata\roaming\Softplicity
2010-12-06 03:39:50 -------- d-----w- c:\program files\TotalAudioConverter
2010-12-01 00:20:07 -------- d-----w- c:\program files\World of Warcraft
2010-11-29 22:02:27 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2010-11-29 03:59:17 -------- d-----w- c:\users\du\appdata\roaming\dBpoweramp
2010-11-29 03:31:10 -------- d-----w- c:\program files\YouTube Downloader
2010-11-29 02:53:17 -------- d-----w- C:\mobile_video
2010-11-29 02:12:20 -------- d-----w- c:\users\du\dwhelper
2010-11-28 22:34:38 -------- d-----w- c:\program files\Windows Portable Devices
2010-11-28 21:06:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-28 21:06:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-28 21:06:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-28 21:05:16 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-11-28 21:04:10 -------- d-----w- c:\windows\en
2010-11-28 21:02:49 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2010-11-28 20:55:09 -------- d-----w- c:\program files\MSN Toolbar
2010-11-28 20:54:43 -------- d-----w- c:\program files\Bing Bar Installer
2010-11-28 20:54:30 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-11-28 20:54:30 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-11-28 20:54:30 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-11-28 20:54:10 469256 ----a-w- c:\program files\common files\windows live\.cache\6528c1a11cb8f3e09\InstallManager_WLE_WLE.exe
2010-11-28 20:54:07 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-11-28 20:54:03 94040 ----a-w- c:\program files\common files\windows live\.cache\61990b311cb8f3e08\DSETUP.dll
2010-11-28 20:54:03 525656 ----a-w- c:\program files\common files\windows live\.cache\61990b311cb8f3e08\DXSETUP.exe
2010-11-28 20:54:03 1691480 ----a-w- c:\program files\common files\windows live\.cache\61990b311cb8f3e08\dsetup32.dll
2010-11-28 20:53:58 94040 ----a-w- c:\program files\common files\windows live\.cache\605b0cf11cb8f3e07\DSETUP.dll
2010-11-28 20:53:58 525656 ----a-w- c:\program files\common files\windows live\.cache\605b0cf11cb8f3e07\DXSETUP.exe
2010-11-28 20:53:58 1691480 ----a-w- c:\program files\common files\windows live\.cache\605b0cf11cb8f3e07\dsetup32.dll
2010-11-28 20:53:23 -------- d-----w- c:\users\du\appdata\local\Windows Live
2010-11-28 20:52:52 754688 ----a-w- c:\windows\system32\webservices.dll
2010-11-28 20:52:33 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-11-28 20:52:32 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-11-28 20:52:32 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-11-28 20:49:20 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-11-28 20:49:20 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-11-28 20:49:20 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-11-28 20:39:26 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
2010-11-28 20:39:24 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-11-28 20:34:07 -------- d-----w- c:\program files\FileHippo.com
2010-11-28 20:31:02 -------- d-----w- c:\users\du\appdata\local\Mozilla
2010-11-27 20:53:23 -------- d-----w- c:\windows\pss
2010-11-27 19:57:58 -------- d-----w- c:\program files\common files\Steam
2010-11-27 19:57:53 -------- d-----w- c:\program files\Steam
2010-11-26 23:18:45 -------- d-----w- c:\progra~2\CELSYS
2010-11-26 23:18:39 -------- d-----w- c:\users\du\appdata\roaming\Smith Micro
2010-11-26 23:17:12 -------- d-----w- c:\program files\Smith Micro
2010-11-26 22:19:30 45056 ----a-r- c:\users\du\appdata\roaming\microsoft\installer\{b4235490-c3f6-411c-943a-6169993da608}\launcher.exe1_B4235490C3F6411C943A6169993DA608.exe
2010-11-26 22:19:30 45056 ----a-r- c:\users\du\appdata\roaming\microsoft\installer\{b4235490-c3f6-411c-943a-6169993da608}\launcher.exe_B4235490C3F6411C943A6169993DA608.exe
2010-11-26 22:16:48 -------- d-----w- c:\program files\Asiasoft Online
2010-11-26 16:10:38 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{6331ec63-cf99-4150-be58-ed34b74b14c2}\mpengine.dll
2010-11-24 02:04:29 -------- d-----w- c:\program files\Black Isle
2010-11-24 02:04:09 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2010-11-15 05:26:17 -------- d-----w- c:\users\du\appdata\local\ElevatedDiagnostics
2010-11-15 04:41:41 -------- d-----w- c:\program files\Microsoft ATS
2010-11-14 23:16:16 3648840 ----a-w- c:\windows\system32\GameMon.des
2010-11-14 23:15:19 4682 ----a-w- c:\windows\system32\npptNT2.sys
2010-11-14 23:15:18 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2010-11-14 23:15:05 -------- d-----w- c:\program files\common files\INCA Shared
2010-11-14 23:12:26 -------- d-----w- C:\gPotato.eu
2010-11-14 18:53:22 -------- d-----w- c:\progra~2\WEBREG
2010-11-14 18:52:12 278016 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpzpp5mu.dll
2010-11-14 18:34:33 -------- d-----w- c:\program files\Yahoo!
2010-11-14 18:26:49 -------- d-----w- c:\program files\common files\HP
2010-11-14 18:25:36 271704 ----a-w- c:\windows\system32\hpzids01.dll
2010-11-14 18:25:33 117760 ----a-w- c:\windows\system32\hpzll5mu.dll
2010-11-14 18:24:28 -------- d-----w- c:\program files\HP

==================== Find3M ====================

2010-12-14 00:22:30 3584 ----a-w- c:\windows\system32\acpimof.dll
2010-11-29 03:55:27 6814952 ----a-w- c:\windows\system32\SpoonUninstall.exe
2010-11-25 17:05:47 1890 --sha-w- c:\progra~2\KGyGaAvL.sys
2010-11-08 05:06:52 88 --sh--r- c:\progra~2\787A97A619.sys
2010-11-01 20:51:00 43008 ----a-w- c:\windows\system32\TABCTL32.oca
2010-11-01 20:51:00 265728 ----a-w- c:\windows\system32\MSCOMCTL32.oca
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-23 05:47:28 49016 ----a-w- c:\windows\system32\sirenacm.dll
2010-09-23 05:32:56 301936 ----a-w- c:\windows\WLXPGSS.SCR
2010-09-15 09:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll

============= FINISH: 19:54:32.51 ===============
----------------------

GMER log
----------------------
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-13 20:49:43
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 SAMSUNG_ rev.2AA0
Running: gmer.exe; Driver: C:\Users\du\AppData\Local\Temp\pxldapoc.sys

.text ...

---- Kernel code sections - GMER 1.0.15 ----

.text arqdrlgh.SYS 91384000 22 Bytes [82, 73, 01, 82, 6C, 72, 01, ...]
.text arqdrlgh.SYS 91384017 167 Bytes [00, 32, A7, 78, 82, 3D, A5, ...]
.text arqdrlgh.SYS 913840BF 13 Bytes [82, 00, 00, 00, 00, 00, 00, ...] {ADD BYTE [EAX], 0x0; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text arqdrlgh.SYS 913840CE 10 Bytes [00, 00, 00, 00, 00, 00, C9, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; LEAVE ; HLT ; POP ESP; DEC EDX}
.text arqdrlgh.SYS 913840DA 12 Bytes [00, 00, 02, 00, 00, 00, 24, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[4452] ntdll.dll!LdrLoadDll 77009390 5 Bytes JMP 000D13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x90805340, 0x3EE1D7, 0xE8000020]
.text USBPORT.SYS!DllUnload 8AD4241B 5 Bytes JMP 88B704E0
? C:\Users\du\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
? System32\drivers\hfscr.sys The system cannot find the path specified. !
? System32\Drivers\spij.sys The system cannot find the path specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\arqdrlgh \Device\Scsi\arqdrlgh1 88ADB1F8
Device \Driver\arqdrlgh \Device\Scsi\arqdrlgh1Port4Path0Target0Lun0 88ADB1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 85D341F8
Device \Driver\atapi \Device\Ide\IdePort0 85D341F8
Device \Driver\atapi \Device\Ide\IdePort1 85D341F8
Device \Driver\BTHUSB \Device\0000007d bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\0000007d bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\0000007f bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\0000007f bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom0 887A61F8
Device \Driver\cdrom \Device\CdRom1 887A61F8
Device \Driver\iaNvStor \Device\Ide\IAACache0 85D331F8
Device \Driver\iaNvStor \Device\Ide\RobsonImd-0 85D331F8
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [834CC6D0] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\iaStor0 [834CC6D0] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iScsiPrt \Device\RaidPort0 8858F320
Device \Driver\netbt \Device\NetBT_Tcpip_{42A41AA7-BCDF-4F73-A622-0CEA1C4C66C4} 93C2A1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{B56A4294-1F7E-48E0-98A2-4FDF2E2C0D55} 93C2A1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{C65C87D6-60AF-4F2B-88CC-04BC7A1BA456} 93C2A1F8
Device \Driver\netbt \Device\NetBt_Wins_Export 93C2A1F8
Device \Driver\PCI_PNP5094 \Device\00000050 spij.sys
Device \Driver\Smb \Device\NetbiosSmb 93C021F8
Device \Driver\sptd \Device\2396457106 spij.sys
Device \Driver\usbehci \Device\USBFDO-2 88B06500
Device \Driver\usbehci \Device\USBFDO-6 88B06500
Device \Driver\usbehci \Device\USBPDO-2 88B06500
Device \Driver\usbehci \Device\USBPDO-6 88B06500
Device \Driver\usbuhci \Device\USBFDO-0 88875500
Device \Driver\usbuhci \Device\USBFDO-1 88875500
Device \Driver\usbuhci \Device\USBFDO-3 88875500
Device \Driver\usbuhci \Device\USBFDO-4 88875500
Device \Driver\usbuhci \Device\USBFDO-5 88875500
Device \Driver\usbuhci \Device\USBPDO-0 88875500
Device \Driver\usbuhci \Device\USBPDO-1 88875500
Device \Driver\usbuhci \Device\USBPDO-3 88875500
Device \Driver\usbuhci \Device\USBPDO-4 88875500
Device \Driver\usbuhci \Device\USBPDO-5 88875500
Device \Driver\volmgr \Device\HarddiskVolume1 85D2F1F8
Device \Driver\volmgr \Device\HarddiskVolume2 85D2F1F8
Device \Driver\volmgr \Device\HarddiskVolume3 85D2F1F8
Device \Driver\volmgr \Device\VolMgrControl 85D2F1F8
Device \FileSystem\cdfs \Cdfs 9ACEB1F8
Device \FileSystem\fastfat \Fat 9BC22500
Device \FileSystem\fastfat \FatCdrom 9BC22500
Device \FileSystem\Ntfs \Ntfs 85D351F8

---- System - GMER 1.0.15 ----

INT 0x52 ? 88B70F00
INT 0x62 ? 8539CBF8
INT 0x72 ? 8539CBF8
INT 0x82 ? 85D31BF8
INT 0x92 ? 88B70F00
INT 0x92 ? 88B70F00
INT 0x92 ? 88B70F00
INT 0xA3 ? 88B70F00
INT 0xB2 ? 85D33BF8
INT 0xB2 ? 85D33BF8
INT 0xB2 ? 88B70F00

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001dd9f7031c (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001dd9f70c26 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e4cf122c3 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x34 0xB3 0x63 0xC1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x01 0x64 0x88 0x98 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF3 0x35 0x0B 0xED ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001dd9f7031c
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001dd9f70c26
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e4cf122c3
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x34 0xB3 0x63 0xC1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x01 0x64 0x88 0x98 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF3 0x35 0x0B 0xED ...

---- EOF - GMER 1.0.15 ----



I have attached the DDS file "attach.txt". Any help is appreciated.
Thank you very much.

Edited by boopme, 13 December 2010 - 09:57 PM.
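The DDS and GMER logs in the post above are normally read by hand; as an added example (not part of this thread, and not code from DDS, GMER or BleepingComputer), here is a small Python triage script that applies a few of the checks a responder makes over lines in those two formats: "No File" browser add-on registrations, UAC policy values set to 0, service image paths DDS could not resolve ("[?]"), GMER kernel code sections attributed to a module with no file path, code sections reported writeable, driver files GMER could not find, and device objects owned by such an unpathed module. The sample lines are constructed from the formats in the posted logs; the rule names and the "meaning" strings are my own.

```python
import re
from typing import Dict, List

# Constructed sample input: a handful of lines in the formats DDS ("Pseudo HJT
# Report", "SERVICES / DRIVERS") and GMER print, modelled on the logs posted in
# this thread. A whole log can be fed in; lines no rule knows are ignored.
SAMPLE_LINES = [
    r"BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File",
    r"BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll",
    r"TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File",
    r"mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)",
    r"mPolicies-system: EnableLUA = 0 (0x0)",
    r"mPolicies-system: EnableUIADesktopToggle = 0 (0x0)",
    r"S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]",
    r"R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]",
    r".text arqdrlgh.SYS 91384000 22 Bytes [82, 73, 01, 82, 6C, 72, 01, ...]",
    r".text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x90805340, 0x3EE1D7, 0xE8000020]",
    r"? System32\drivers\hfscr.sys The system cannot find the path specified. !",
    r"? System32\Drivers\spij.sys The system cannot find the path specified. !",
    r"Device \Driver\arqdrlgh \Device\Scsi\arqdrlgh1 88ADB1F8",
    r"Device \Driver\atapi \Device\Ide\IdePort0 85D341F8",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# Single-line rules: (rule name, pattern, what a hit means to the responder).
# Rule names and wording are this example's own, not DDS or GMER vocabulary.
LINE_RULES = [
    ("orphan_addon", re.compile(r"^(BHO|TB):.*- No File$"),
     "browser add-on still registered but its DLL is gone; stale entry to clean up"),
    ("uac_weakened", re.compile(r"^mPolicies-system: (EnableLUA|ConsentPromptBehaviorAdmin) = 0\b"),
     "UAC disabled or elevation granted without a prompt; restore after cleanup"),
    ("service_image_missing", re.compile(r"^[RS]\d \S+?;.*\[\?\]$"),
     "DDS could not find the service's image file on disk"),
    ("writable_code_section", re.compile(r"^\.text .* section is writeable"),
     "kernel module code section is writeable; compare the file against a known-good copy"),
    ("missing_driver_file", re.compile(r"^\? (\S+) The system cannot find"),
     "driver referenced by the kernel but its file is not on disk (hidden or already removed)"),
]
# GMER kernel code section whose module is a bare file name, i.e. GMER could
# not map the code to a path on disk.
KSECTION_RE = re.compile(r"^\.text ([^\\\s]+\.sys) [0-9A-F]+ \d+ Bytes", re.I)
# GMER device table: "Device \Driver\<name> \Device\... <address>"
DEVICE_RE = re.compile(r"^Device \\Driver\\(\S+) ")


def triage(text: str) -> List[Dict[str, object]]:
    """Run every rule over each line; return findings sorted by line number."""
    findings: List[Dict[str, object]] = []
    unpathed_modules = set()   # stems of .sys modules GMER listed without a path
    device_owners = []         # (line no, driver name, line) from GMER's device table

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        for rule, pattern, meaning in LINE_RULES:
            if pattern.match(line):
                findings.append({"line": lineno, "rule": rule, "meaning": meaning, "text": line})
        m = KSECTION_RE.match(line)
        if m:
            stem = m.group(1).rsplit(".", 1)[0].lower()
            unpathed_modules.add(stem)
            findings.append({"line": lineno, "rule": "unpathed_kernel_module",
                             "meaning": f"kernel code section attributed to {m.group(1)}, "
                                        "which GMER could not map to a file on disk",
                             "text": line})
        m = DEVICE_RE.match(line)
        if m:
            device_owners.append((lineno, m.group(1).lower(), line))

    # Second pass: a device object owned by one of those unpathed modules ties the
    # unmapped code to something live on the system (a SCSI device in the sample).
    for lineno, name, line in device_owners:
        if name in unpathed_modules:
            findings.append({"line": lineno, "rule": "device_for_unpathed_module",
                             "meaning": f"device object owned by \\Driver\\{name}, "
                                        "whose code section had no file path",
                             "text": line})

    findings.sort(key=lambda f: int(f["line"]))
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per rule, for a quick view of what kind of cleanup is needed."""
    counts: Dict[str, int] = {}
    for f in findings:
        rule = str(f["rule"])
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"line {f['line']:>3} {f['rule']:<27} {f['meaning']}")
    print(summarize(hits))
```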



#2 Judicandus

  • Malware Response Team

Posted 23 December 2010 - 05:47 AM

Hello and welcome to Bleeping Computer

I'm judicandus and I'll be helping you out.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.


  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\TDSSKiller folder). Please copy and paste the contents of that file here.


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

#3 Judicandus

  • Malware Response Team

Posted 12 January 2011 - 02:47 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.



