
Rootkit?


7 replies to this topic

#1 roboticus

  • Members
  • 5 posts

Posted 15 December 2010 - 05:48 AM

I'm sorry if I'm being brief, but something is really causing major problems and blue screening my machine, so I have to get this in quickly.

Was able to perform all the instructions up until gmer ---- every time I run it, my machine blue screens.

See attached zip for:

attach.txt
dds.txt
combofix.log

and a very brief gmer.log


 


#2 Casey_boy

    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 24 December 2010 - 07:46 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.




#3 roboticus
  • Topic Starter

  • Members
  • 5 posts

Posted 24 December 2010 - 09:34 AM

I accidentally created another post - Orange Blossom advised of my violation - I just wasn't sure if I had done it correctly and this post was disregarded - here is the information I have currently:

gmer.log:

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xB1B8C768]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xB1B8C9BE]

DDS.txt:


DDS (Ver_10-12-12.02) - NTFSx86
Run by WISEAU at 4:14:32.87 on Wed 12/15/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2709 [GMT -6:00]

AV: COMODO Antivirus *Enabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\explorer.exe
svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\flashget\Defogger.exe
C:\flashget\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [RTHDCPL] RTHDCPL.EXE
StartupFolder: c:\docume~1\wiseau\startm~1\programs\startup\logite~1.lnk - c:\program files\common files\logishrd\ereg\setpoint\eReg.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1292351186468
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\wiseau\applic~1\mozilla\firefox\profiles\1vdnc4v8.default\
FF - prefs.js: browser.search.selectedEngine - qrobe.it
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://websearch.search-results.com/redirect?client=ff&src=kw&tb=ATU-SRS&o=102365&locale=en_US&apn_uid=C1117A47-E583-4AAE-805D-B86E01613C64&apn_ptnrs=Q8&apn_sauid=ECE5708D-D3E5-4216-AF64-86CDB50B8C92&apn_dtid=YYYYYYYYUS&q=
FF - plugin: c:\documents and settings\wiseau\application data\mozilla\firefox\profiles\1vdnc4v8.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: DownThemAll! AntiContainer: anticontainer@downthemall.net - %profile%\extensions\anticontainer@downthemall.net
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: ToolbarButtons: {03B08592-E5B4-45ff-A0BE-C1D975458688} - %profile%\extensions\{03B08592-E5B4-45ff-A0BE-C1D975458688}
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - Ext: Easy DragToGo: {21cfaec0-dbb3-11dc-95ff-0800200c9a66} - %profile%\extensions\{21cfaec0-dbb3-11dc-95ff-0800200c9a66}
FF - Ext: SwiftTabs: {5F4EC95A-FFA8-11DE-898C-667D55D89593} - %profile%\extensions\{5F4EC95A-FFA8-11DE-898C-667D55D89593}
FF - Ext: MR Tech Toolkit: {9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC} - %profile%\extensions\{9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: InFormEnter: {5546F97E-11A5-46b0-9082-32AD74AAA920} - %profile%\extensions\{5546F97E-11A5-46b0-9082-32AD74AAA920}
FF - Ext: Autofill Forms: autofillForms@blueimp.net - %profile%\extensions\autofillForms@blueimp.net
FF - Ext: Fasterfox: {c36177c0-224a-11da-8cd6-0800200c9a66} - %profile%\extensions\{c36177c0-224a-11da-8cd6-0800200c9a66}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

============= SERVICES / DRIVERS ===============

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-9-10 15592]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-9-10 239240]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-12-11 10448]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-9-10 1901056]
S3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [2010-12-11 122504]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

============= FINISH: 4:15:13.00 ===============

#4 Judicandus

    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world

Posted 25 December 2010 - 07:51 PM

Hi Roboticus,

Please uninstall Comodo. Does the BSOD persist?

#5 roboticus
  • Topic Starter

  • Members
  • 5 posts

Posted 25 December 2010 - 09:17 PM

The BSODs were occurring when running gmer only - do you suspect failed attempts by Comodo to Sandbox gmer were causing the BSODs?

The only reason I thought I might even have a rootkit was due to some info I saw during a review of Autoruns logs and you know how sometimes you convince yourself that there's something wrong, but there really isn't. I'm sure you know the phenomenon.

With that said, I was already getting sick of Sandbox and disabled it shortly after all of this and I haven't gotten another BSOD. Everything seems to be running smoothly, but the variations of ZwEnumerate that I saw in the log files seem to be indicated as rootkits, yet I also found them to be legitimate programmer tool errors and other non-threatening compiling problems related to apps I don't even have installed.

Are you telling me to install another AV application and move on or to uninstall Comodo and then run all the steps again?

I've been a Help Desk analyst for over five years, but my current situation with Windows has forced me to work around WGA and I felt like I had probably not used the best judgment in the workarounds I utilized and that caused a rootkit 'infection'. It's a long story. (Never buy a Gateway GT5692 - my hard drive failed, the bundled CD was defective and I don't trust OS images that don't come from a legit source, so I have a valid key for Vista that I can't really use and was forced to go back and install XP on a machine totally not designed for it - I'm still fighting Gateway just to get them to send me the correct 64-bit Vista OS that originally came installed on the machine. After the 500GB internal SATA drive failed, I had to reinstall the OS and lo and behold, the recovery CD is 32-bit Vista Home.)

I am seriously considering making the move to Kubuntu.

Please clarify and I will do the needful - I appreciate your help.

Respectfully,

Roboticus Goldfarb

#6 Judicandus

    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world

Posted 26 December 2010 - 08:19 AM

Hi Roboticus,

I will definitely never buy that computer! :D

Linux is always a better option if you don't depend on Windows programs. It does take a bit more effort to use Linux though ;)

I suggested uninstalling Comodo because I was dealing with another log where Comodo was causing continuous BSODs; no need to uninstall it since this is not your case. If the ZwEnumerate SSDTs are the only thing you saw in the gmer log I wouldn't be worried about it. Many security programs use some rootkit functionalities to help protect the computer.

What info are you referring to here: "The only reason I thought I might even have a rootkit was due to some info I saw during a review of Autoruns logs"?
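The triage step Judicandus describes above (an SSDT hook owned by a registered security driver is expected, not a rootkit) can be done mechanically. The script below is an added example, not code from the thread, GMER or DDS: it parses GMER SSDT lines in the layout shown in post #3, parses the DDS SERVICES / DRIVERS lines, and reports for each hooking module whether DDS lists it as an installed driver. The two COMODO entries are copied from the thread; the third GMER line, with the module name unknown_hyp.sys, is made up to exercise the "not a registered driver" path.

```python
"""Triage GMER SSDT hook lines against the DDS driver list (added example)."""
import re
from dataclasses import dataclass

# Constructed sample input: the two GMER SSDT lines posted in this thread,
# plus one made-up line (unknown_hyp.sys is hypothetical) so the
# "module not registered as a driver" branch is exercised.
GMER_LOG = r"""
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xB1B8C768]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xB1B8C9BE]
SSDT \??\C:\WINDOWS\system32\drivers\unknown_hyp.sys ZwOpenProcess [0xB1C00010]
"""

# Constructed sample input: the COMODO entries from the DDS SERVICES / DRIVERS
# section posted in this thread.
DDS_DRIVERS = r"""
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-9-10 15592]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-9-10 239240]
"""

# GMER SSDT line: "SSDT <module path> [(Description/Vendor)] <ZwFunction> [0xADDR]"
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"           # hooking module path
    r"(?:\s+\((?P<desc>[^)]*)\))?"       # optional "(Description/Vendor)"
    r"\s+(?P<func>Zw\w+)"                # hooked native API
    r"\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$"  # address the SSDT slot now points to
)
# DDS driver line: "R1 name;Description;path [date size]"
DDS_DRV_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+\["
)


@dataclass(frozen=True)
class SsdtHook:
    module: str
    desc: str
    func: str
    addr: int


@dataclass(frozen=True)
class Driver:
    state: str   # R = running, S = stopped, digit = start type
    name: str
    desc: str
    path: str


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_gmer_ssdt(text: str) -> list[SsdtHook]:
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks.append(SsdtHook(m["module"], m["desc"] or "", m["func"], int(m["addr"], 16)))
    return hooks


def parse_dds_drivers(text: str) -> dict[str, Driver]:
    """Map driver file basename -> Driver entry from the DDS services section."""
    drivers = {}
    for line in text.splitlines():
        m = DDS_DRV_RE.match(line.strip())
        if m:
            d = Driver(m["state"], m["name"], m["desc"], m["path"])
            drivers[basename(d.path)] = d
    return drivers


def triage(hooks: list[SsdtHook], drivers: dict[str, Driver]) -> dict[str, dict]:
    """Group hooks by owning module and note whether DDS lists that module as a driver.

    A hook owned by a listed, described driver (here COMODO's sandbox driver
    intercepting registry enumeration) is the expected behaviour of a security
    product; a hook owned by a module DDS does not list deserves a closer look.
    """
    report: dict[str, dict] = {}
    for h in hooks:
        key = basename(h.module)
        entry = report.setdefault(
            key, {"funcs": [], "registered": key in drivers, "vendor": h.desc}
        )
        entry["funcs"].append(h.func)
    return report


if __name__ == "__main__":
    result = triage(parse_gmer_ssdt(GMER_LOG), parse_dds_drivers(DDS_DRIVERS))
    for module, info in result.items():
        status = "registered driver" if info["registered"] else "NOT in DDS driver list"
        print(f"{module}: {status}; hooks {', '.join(info['funcs'])}; {info['vendor'] or 'no description'}")
```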

#7 roboticus
  • Topic Starter

  • Members
  • 5 posts

Posted 28 December 2010 - 12:00 AM

Disregard, don't waste your time. Thanks for your help.

#8 Judicandus

    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world

Posted 28 December 2010 - 07:21 AM

This topic will be closed. If you need it to be reopened please send me a PM :)



