
pcspeedmaximizer browser pop up

This topic is locked
11 replies to this topic

#1 supra_toy

  • Members
  • 6 posts

Posted 16 December 2010 - 06:27 PM

Hello.

After browsing the internet to find a solution to my problem I found bleepingcomputer.com and thought, what the heck, I would give it a try.

So my problems started after downloading AVG Free software. At that time I also downloaded some freeware suggested for registry repair by the name "Advanced SystemCare ver. 3.7.2". After downloading these I noticed my computer was running really slow, and I was getting popups (sometimes) when I would open my browser (IE ver 7.0.5730.13). I have since removed the AVG software thinking that my computer just wasn't up to the task of running virus protection in the background. Looking back that may not have been the best idea but what's done is done.

When not connected to the internet the computer seems to run fine, but the moment I connect to the internet (using a Netgear wireless USB adapter and an Apple "Time Machine" combination router/backup drive) is when the problem seems to start. I've also had problems when first starting up the computer: it never makes it to the Windows screen and ends up restarting spontaneously (and at that time runs the standard disk check); usually after this restart the computer makes it to the Windows screen OK. The computer also displays a window showing items on the desktop. I didn't set it up like this so I don't know why.

The popup from today was a redirect to a web site at "h t t p://pcspeedmamimizer.s3.amazonaws.com/index.html" saying something about my registry being damaged: "Errors have been found in your operating system registry. Click to download free registry cleaner software".

System spec.

OS Name Microsoft Windows XP Home Edition
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Type X86-based PC
Processor x86 Family 6 Model 8 Stepping 6 GenuineIntel ~1005 Mhz
BIOS Version/Date Award Software, Inc. ASUS CUSL2-C ACPI BIOS Revision 1006.A, 2/27/2001
SMBIOS Version 2.3
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume1
Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
Time Zone Pacific Standard Time
Total Physical Memory 512.00 MB
Available Physical Memory 191.25 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
Page File Space 1.13 GB
Page File C:\pagefile.sys

5 - Enable a firewall

I have enabled Windows Firewall (not that it wasn't enabled to begin with...)

6 - Disable your CD Emulation Software

I have disabled the CD emulation software using DeFogger

7 - Download and Run DDS which will create a log of programs running on your computer.

Here is the DDS log:

DDS (Ver_10-12-12.02) - FAT32x86
Run by wsm at 14:16:56.10 on Thu 12/16/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.244 [GMT -8:00]

FW: AVG Firewall *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Anvshell.exe
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\wsm\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.celicasupra.com/forums/forum.php
uInternet Settings,ProxyOverride = *.local;<local>
uURLSearchHooks: H - No File
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ASUS SmartDoctor] c:\program files\asus\smartdoctor\SmartDoctor.exe /start
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2009] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [Anvshell] c:\windows\Anvshell.exe
mRun: [nwiz] nwiz.exe /install
mRun: [MaxBlastMonitor.exe] c:\program files\maxtor\maxblast\MaxBlastMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\maxtor\maxblast\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\maxtor\schedule2\schedhlp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
StartupFolder: c:\documents and settings\wsm\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\MICROS~1.LNK -
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
LSP: c:\program files\iobit\advanced systemcare 3\SPICtrl.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204696136249
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204750917820
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2008-3-4 66048]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2008-3-4 272128]
S3 USR1806;U.S. Robotics Faxmodem Driver 1806;c:\windows\system32\drivers\USR1806.SYS [2008-3-16 793598]

=============== Created Last 30 ================

2010-12-05 01:07:50 -------- d-sh--w- C:\FOUND.003
2010-11-30 02:58:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-11-27 18:56:18 -------- d-sh--w- C:\FOUND.002
2010-11-21 00:03:12 -------- d-sh--w- C:\FOUND.001

==================== Find3M ====================

2010-09-18 20:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 07:53:26 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 07:53:26 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 07:53:26 953856 ----a-w- c:\windows\system32\mfc40u.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: MAXTOR_STM3320620A rev.3.AAE -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82EFEEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x82417872; SUB DWORD [EBP-0x4], 0x8241712e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x82F6BAB8]
3 CLASSPNP[0xF86F6FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000006d[0x82F96F18]
5 ACPI[0xF866D620] -> nt!IofCallDriver[0x804E37D5] -> [0x82F93940]
[0x82F76318] -> IRP_MJ_CREATE -> 0x82EFEEC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMAXTOR_STM3320620A______________________3.AAE___#5&5045810&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x82EFEAEA
user & kernel MBR OK
sectors 625142446 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 14:19:04.55 ===============


I've attached the attach.txt

8 - Create a GMER Log

GMER Log

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-16 15:36:33
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 MAXTOR_STM3320620A rev.3.AAE
Running: gmer.exe; Driver: C:\DOCUME~1\wsm\LOCALS~1\Temp\awxiyuow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1352] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4D9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1352] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E35272E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1352] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3526AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1352] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3526F3 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1352] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E35263B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1352] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E352675 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1352] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352769 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1352] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E20178A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1352] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E352944 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 82EFEAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 82EFEAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 82EFEAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 82EFEAEA
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMAXTOR_STM3320620A______________________3.AAE___#5&5045810&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 625142192 (+254): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

I don't know if this log will be of any help but I've included it anyways...

Here is the hijack analysis report generated by Advanced SystemCare:

Logfile of Advanced SystemCare 3 Security Analyzer
Scan saved at 1:43:49 PM, on 12/16/2010
Platform: Windows XP (WinNT 5.1)
MSIE: Internet Explorer v7.0 (7.0.5730.13)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Anvshell.exe
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\Program Files\AirPort\APAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKLM\..\Run: [Anvshell] C:\WINDOWS\Anvshell.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204696136249
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204750917820
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_20) - http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} (Java Plug-in 1.6.0_20) - http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_20) - http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



Ok, I think that's everything that is asked for in the preparation guide. If I've missed anything let me know; any help is greatly appreciated.

Best regards

Will

Edited by supra_toy, 16 December 2010 - 08:57 PM.

#2 Farbar

    Just Curious

  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 26 December 2010 - 06:32 PM

Hi supra_toy,

Welcome to Malware Removal (VTSMR) forum and sorry for the delay. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more. Thank you.

If the issue is not resolved please update me on the current condition of your computer. Also please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt

#3 supra_toy

  • Topic Starter
  • Members
  • 6 posts

Posted 27 December 2010 - 02:18 PM

Ok, trying this for the third time now, grr, working from the infected computer now.

Still having problems: pop-ups and slow computer, crash, stall.

Pop ups include:
http : / / clchere.com/wam/?sub=113594
"$1000 walmart gift card"
http : / / newsdaily7.com/income/indexed.php?sub=113594
"work at home mom"

In between the time I first posted and now, Windows has done an automatic update.

"Malicious software was removed from your computer click here to complete removal process"

"full scan - malicious software was detected and partially removed" (supposedly)

Windows Malicious Software Removal Tool (December 2010) found the following virus:

Win32/Alureon

After searching the internet it looks as if this is a pretty nasty virus so I will either have to fix it or nuke the computer.

Here is the DDS log:

DDS (Ver_10-12-12.02) - FAT32x86
Run by wsm at 10:11:06.55 on Mon 12/27/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.253 [GMT -8:00]

FW: AVG Firewall *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Anvshell.exe
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\Program Files\AirPort\APAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\wsm\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.celicasupra.com/forums/forum.php
uInternet Settings,ProxyOverride = *.local;<local>
uURLSearchHooks: H - No File
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ASUS SmartDoctor] c:\program files\asus\smartdoctor\SmartDoctor.exe /start
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2009] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [Anvshell] c:\windows\Anvshell.exe
mRun: [nwiz] nwiz.exe /install
mRun: [MaxBlastMonitor.exe] c:\program files\maxtor\maxblast\MaxBlastMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\maxtor\maxblast\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\maxtor\schedule2\schedhlp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
StartupFolder: c:\documents and settings\wsm\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\MICROS~1.LNK -
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
LSP: c:\program files\iobit\advanced systemcare 3\SPICtrl.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204696136249
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204750917820
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2008-3-4 66048]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2008-3-4 272128]
S3 USR1806;U.S. Robotics Faxmodem Driver 1806;c:\windows\system32\drivers\USR1806.SYS [2008-3-16 793598]

=============== Created Last 30 ================

2010-12-22 02:52:22 -------- d-sh--w- C:\FOUND.005
2010-12-17 08:17:46 35600 ----a-w- c:\windows\system32\drivers\hbmslbeo.sys
2010-12-17 01:58:33 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-17 01:43:50 45568 ------w- c:\windows\system32\dllcache\wab.exe
2010-12-16 22:47:52 -------- d-sh--w- C:\FOUND.004
2010-12-05 01:07:50 -------- d-sh--w- C:\FOUND.003
2010-11-30 02:58:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-11-27 18:56:18 -------- d-sh--w- C:\FOUND.002

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:34:12 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34:12 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34:12 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34:12 17408 ------w- c:\windows\system32\corpol.dll
2010-11-03 12:25:54 389120 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: MAXTOR_STM3320620A rev.3.AAE -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82EFEEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x82417872; SUB DWORD [EBP-0x4], 0x8241712e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x82F6BAB8]
3 CLASSPNP[0xF86F6FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000006d[0x82F96F18]
5 ACPI[0xF866D620] -> nt!IofCallDriver[0x804E37D5] -> [0x82F93940]
[0x82F79B28] -> IRP_MJ_CREATE -> 0x82EFEEC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMAXTOR_STM3320620A______________________3.AAE___#5&5045810&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x82EFEAEA
user & kernel MBR OK
sectors 625142446 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 10:13:29.47 ===============

Let me know what I need to do next.

Thanks for the help.

Best regards
Will

#4 Farbar

    Just Curious

  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 December 2010 - 02:29 PM

Thanks for the feedback.

We'll go directly for the fix. But before that, turn off automatic updates until we are done.

  • Turn off Windows automatic updates as it might lead to unexpected results at this stage:
    • Go to start -> Control Panel -> double-click System to open it.
    • Go to the Automatic Updates tab.
    • Select the "Turn off Automatic Updates" box.
    • Click Apply and then OK.
    • Important: Reboot.
  • Please download TDSSKiller.zip and extract it.
    • Run TDSSKiller.exe.
    • Click Start scan.
    • When it is finished the utility outputs a list of detected objects with descriptions.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
    • Let it reboot if needed and tell me if the tool needed a reboot.
    • Click on Report and post the contents of the text file that will open.

      Note: By default, the utility outputs the log into the root folder of the system disk (usually the disk with the installed operating system, C:\). The log has a name like: TDSSKiller.Version_Date_Time_log.txt.
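As an added triage aid, not part of this thread and not TDSSKiller's own code: a small Python parser for the report format TDSSKiller writes. The sample lines are copied from the log posted in the next reply, and the parser ties the "Suspicious file (Forged)" warning back to the driver entry and to the detection verdict that follows it; the class and function names are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample lines copied from the TDSSKiller 2.4.12.0 log posted later in this
# thread (two clean drivers, the forged BTHidMgr.sys, and the detection line).
# A real report lists every loaded driver; the shape of each line is the same.
SAMPLE_LOG = r"""
2010/12/27 17:13:39.0011 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/27 17:13:51.0980 Scan started
2010/12/27 17:15:47.0066 BTHidEnum (ce643d0918123d76a5caab008fca9663) C:\WINDOWS\system32\Drivers\vbtenum.sys
2010/12/27 17:15:48.0838 BTHidMgr (4a21acc644692dab4486231839b687c2) C:\WINDOWS\system32\Drivers\BTHidMgr.sys
2010/12/27 17:15:48.0838 Suspicious file (Forged): C:\WINDOWS\system32\Drivers\BTHidMgr.sys. Real md5: 4a21acc644692dab4486231839b687c2, Fake md5: dfca4fe4c8aec786b4d0f432eb730f48
2010/12/27 17:15:48.0868 BTHidMgr - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/12/27 17:15:50.0450 BTNetFilter (4f26303becbb7cc5ca8ff39593124cf2) C:\Program Files\IVT Corporation\BlueSoleil\Device\Win2k\BTNetFilter.sys
"""

# Every line starts with "YYYY/MM/DD HH:MM:SS.mmmm "; the three line kinds we care
# about follow that timestamp.
TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "
MD5 = r"[0-9a-f]{32}"
DRIVER_RE = re.compile(TS + r"(\S+) \((" + MD5 + r")\) (.+)$")
FORGED_RE = re.compile(TS + r"Suspicious file \(Forged\): (.+?)\. Real md5: ("
                       + MD5 + r"), Fake md5: (" + MD5 + r")$")
DETECT_RE = re.compile(TS + r"(\S+) - detected (\S+) \((\d+)\)$")


@dataclass
class DriverEntry:
    name: str
    md5: str
    path: str


@dataclass
class Finding:
    path: Optional[str]            # file flagged by a forged-file line, if any
    driver: Optional[str]          # driver/service name tied to that file, if known
    real_md5: Optional[str] = None
    fake_md5: Optional[str] = None
    verdict: Optional[str] = None  # e.g. Rootkit.Win32.TDSS.tdl3, from the detection line


@dataclass
class Report:
    drivers: Dict[str, DriverEntry]
    findings: List[Finding]


def parse_tdsskiller(text: str) -> Report:
    drivers: Dict[str, DriverEntry] = {}
    by_path: Dict[str, DriverEntry] = {}
    findings: List[Finding] = []
    for line in text.strip().splitlines():
        m = FORGED_RE.match(line)
        if m:
            path, real, fake = m.groups()
            entry = by_path.get(path.lower())
            findings.append(Finding(path, entry.name if entry else None, real, fake))
            continue
        m = DETECT_RE.match(line)
        if m:
            name, verdict, _ = m.groups()
            # Attach the verdict to the forged-file finding for the same driver;
            # otherwise record a detection that had no forged-file line before it.
            for f in findings:
                if f.driver == name and f.verdict is None:
                    f.verdict = verdict
                    break
            else:
                findings.append(Finding(None, name, verdict=verdict))
            continue
        m = DRIVER_RE.match(line)
        if m:
            name, md5, path = m.groups()
            entry = DriverEntry(name, md5, path)
            drivers[name] = entry
            by_path[path.lower()] = entry
    return Report(drivers, findings)


def triage(report: Report) -> List[str]:
    """One line per finding. Two different hashes for one file mean the bytes on
    disk (Real) are not what the normal file-read path returns (Fake): a rootkit
    filtering disk I/O, not a damaged driver, which is why the verdict matters
    more than the file's name."""
    out = []
    for f in report.findings:
        what = f.path or f.driver or "?"
        if f.real_md5 and f.fake_md5 and f.real_md5 != f.fake_md5:
            out.append(f"{what}: contents hidden from the OS (real {f.real_md5[:8]}.., "
                       f"shown {f.fake_md5[:8]}..); verdict {f.verdict or 'none yet'}")
        else:
            out.append(f"{what}: {f.verdict}")
    return out


if __name__ == "__main__":
    for line in triage(parse_tdsskiller(SAMPLE_LOG)):
        print(line)
```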


#5 supra_toy

  • Topic Starter
  • Members
  • 6 posts

Posted 27 December 2010 - 08:48 PM

The computer rebooted and, before settling in, rebooted again doing a disk check.

Here is the log.

2010/12/27 17:13:39.0011 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/27 17:13:39.0011 ================================================================================
2010/12/27 17:13:39.0011 SystemInfo:
2010/12/27 17:13:39.0011
2010/12/27 17:13:39.0011 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/27 17:13:39.0011 Product type: Workstation
2010/12/27 17:13:39.0011 ComputerName: WSM-7CPBXQ01LDM
2010/12/27 17:13:39.0011 UserName: wsm
2010/12/27 17:13:39.0011 Windows directory: C:\WINDOWS
2010/12/27 17:13:39.0011 System windows directory: C:\WINDOWS
2010/12/27 17:13:39.0011 Processor architecture: Intel x86
2010/12/27 17:13:39.0011 Number of processors: 1
2010/12/27 17:13:39.0011 Page size: 0x1000
2010/12/27 17:13:39.0011 Boot type: Normal boot
2010/12/27 17:13:39.0011 ================================================================================
2010/12/27 17:13:39.0542 Initialize success
2010/12/27 17:13:51.0980 ================================================================================
2010/12/27 17:13:51.0980 Scan started
2010/12/27 17:13:51.0980 Mode: Manual;
2010/12/27 17:13:51.0980 ================================================================================
2010/12/27 17:14:09.0355 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/27 17:14:10.0847 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/12/27 17:14:21.0342 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/12/27 17:14:23.0375 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/12/27 17:14:24.0917 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/12/27 17:15:12.0906 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/27 17:15:18.0174 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/27 17:15:28.0940 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/27 17:15:30.0962 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/27 17:15:32.0955 AVGIDSEH (84853f800cd69252c3c764fe50d0346f) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
2010/12/27 17:15:33.0606 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/27 17:15:35.0249 BlueletAudio (852a1bd08e7dfeb9e30b5440881c0501) C:\WINDOWS\system32\DRIVERS\blueletaudio.sys
2010/12/27 17:15:36.0971 BlueletSCOAudio (8fc27b12a02b43947787f0ef1885df9b) C:\WINDOWS\system32\DRIVERS\BlueletSCOAudio.sys
2010/12/27 17:15:41.0257 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2010/12/27 17:15:41.0387 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2010/12/27 17:15:43.0130 BT (533af26dab9d3f24d6d45c72275b15cf) C:\WINDOWS\system32\DRIVERS\btnetdrv.sys
2010/12/27 17:15:45.0163 Btcsrusb (52efea5e3e81bd88202c0148cc5ea0f5) C:\WINDOWS\system32\Drivers\btcusb.sys
2010/12/27 17:15:47.0066 BTHidEnum (ce643d0918123d76a5caab008fca9663) C:\WINDOWS\system32\Drivers\vbtenum.sys
2010/12/27 17:15:48.0838 BTHidMgr (4a21acc644692dab4486231839b687c2) C:\WINDOWS\system32\Drivers\BTHidMgr.sys
2010/12/27 17:15:48.0838 Suspicious file (Forged): C:\WINDOWS\system32\Drivers\BTHidMgr.sys. Real md5: 4a21acc644692dab4486231839b687c2, Fake md5: dfca4fe4c8aec786b4d0f432eb730f48
2010/12/27 17:15:48.0868 BTHidMgr - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/12/27 17:15:50.0450 BTNetFilter (4f26303becbb7cc5ca8ff39593124cf2) C:\Program Files\IVT Corporation\BlueSoleil\Device\Win2k\BTNetFilter.sys
2010/12/27 17:15:51.0592 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/27 17:15:57.0040 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/27 17:16:01.0446 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/27 17:16:05.0662 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/27 17:16:33.0753 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/27 17:16:38.0740 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/27 17:16:43.0367 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/27 17:16:43.0717 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/27 17:16:47.0873 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/27 17:16:56.0886 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/27 17:16:59.0390 EAPPkt (efacd8d57a42a93e244a0dbd357e8cb8) C:\WINDOWS\system32\DRIVERS\EAPPkt.sys
2010/12/27 17:17:01.0833 EIO (1438427631a46b759c0d1cb5f6268fd7) C:\WINDOWS\system32\drivers\EIO.sys
2010/12/27 17:17:03.0836 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
2010/12/27 17:17:06.0610 es1371 (24e564f710d887ecc75cfe59882ecc5d) C:\WINDOWS\system32\drivers\es1371mp.sys
2010/12/27 17:17:10.0816 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/27 17:17:15.0112 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/12/27 17:17:19.0268 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/27 17:17:23.0354 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/12/27 17:17:23.0995 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/12/27 17:17:24.0626 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/27 17:17:24.0996 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/27 17:17:29.0032 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2010/12/27 17:17:32.0878 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/27 17:17:38.0065 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/27 17:17:44.0444 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/27 17:17:57.0743 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/27 17:18:01.0759 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/27 17:18:10.0522 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/12/27 17:18:10.0872 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/27 17:18:11.0744 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/27 17:18:15.0609 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/27 17:18:19.0405 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/27 17:18:23.0360 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/27 17:18:27.0456 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/27 17:18:31.0312 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/27 17:18:35.0227 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/27 17:18:39.0203 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/27 17:18:41.0476 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/27 17:18:47.0505 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/27 17:18:51.0411 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/27 17:18:55.0156 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/27 17:18:56.0498 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/12/27 17:19:00.0364 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/27 17:19:08.0635 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/27 17:19:10.0188 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/27 17:19:14.0173 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/27 17:19:16.0116 msgame (082a950191dde602bbea8ef4e5900251) C:\WINDOWS\system32\DRIVERS\msgame.sys
2010/12/27 17:19:20.0012 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/27 17:19:23.0697 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/27 17:19:27.0382 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/27 17:19:27.0713 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/27 17:19:31.0248 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/27 17:19:34.0983 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/27 17:19:38.0819 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/27 17:19:42.0464 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/27 17:19:46.0089 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/27 17:19:47.0762 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/27 17:19:51.0347 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/27 17:19:55.0062 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/27 17:19:59.0098 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/27 17:20:02.0703 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/27 17:20:04.0866 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2010/12/27 17:20:05.0487 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/27 17:20:08.0231 nv (a0c87b2852e62cf9465e645873e76670) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/12/27 17:20:09.0473 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/27 17:20:10.0334 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/27 17:20:13.0749 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2010/12/27 17:20:17.0234 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/12/27 17:20:20.0819 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/27 17:20:21.0520 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/27 17:20:24.0885 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/27 17:20:37.0623 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/12/27 17:21:29.0788 PfModNT (2f5532f9b0f903b26847da674b4f55b2) C:\WINDOWS\system32\PfModNT.sys
2010/12/27 17:21:33.0153 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/27 17:21:36.0688 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/27 17:21:37.0249 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/27 17:22:00.0683 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/27 17:22:04.0148 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/27 17:22:07.0593 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/27 17:22:08.0123 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/27 17:22:11.0528 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/27 17:22:12.0159 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/27 17:22:15.0634 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/27 17:22:18.0949 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/27 17:22:20.0071 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2010/12/27 17:22:21.0783 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2010/12/27 17:22:24.0667 RTLWUSB (c3880bf1bad0b8eb69efb07a9c3fa7d9) C:\WINDOWS\system32\DRIVERS\wg111v2.sys
2010/12/27 17:22:27.0812 sbpci (4939d6f53ec3a18674deba8532f193ca) C:\WINDOWS\system32\drivers\sbpci.sys
2010/12/27 17:22:30.0786 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/27 17:22:34.0101 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/12/27 17:22:37.0366 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/12/27 17:22:40.0640 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/27 17:22:46.0338 snapman (b6aa9bbff890ffea333ffe81d0b888ff) C:\WINDOWS\system32\DRIVERS\snapman.sys
2010/12/27 17:22:54.0060 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/27 17:22:57.0384 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/27 17:22:58.0977 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/27 17:23:02.0271 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/27 17:23:05.0586 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/27 17:23:27.0147 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/27 17:23:28.0749 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/27 17:23:32.0064 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/27 17:23:35.0169 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/27 17:23:38.0343 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/27 17:23:40.0136 tifsfilter (b84b82c0cbeb1b0d7eb7a946bade5830) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
2010/12/27 17:23:41.0968 timounter (74711884439bdf9ccf446c79cb05fac0) C:\WINDOWS\system32\DRIVERS\timntr.sys
2010/12/27 17:23:49.0740 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/27 17:23:58.0703 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/27 17:24:03.0259 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/27 17:24:06.0253 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/27 17:24:09.0198 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/12/27 17:24:12.0202 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/27 17:24:15.0166 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/27 17:24:18.0241 USR1806 (9954d3230c4dd155285e90fe04fbb136) C:\WINDOWS\system32\DRIVERS\USR1806.SYS
2010/12/27 17:24:20.0294 VComm (51750b0539986186c6931fc40d171521) C:\WINDOWS\system32\DRIVERS\VComm.sys
2010/12/27 17:24:22.0126 VcommMgr (6d9c891c0a761afed1f3609c2e56f2b9) C:\WINDOWS\system32\Drivers\VcommMgr.sys
2010/12/27 17:24:25.0231 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/12/27 17:24:32.0621 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/27 17:24:35.0676 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/27 17:24:38.0740 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/12/27 17:24:46.0681 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/27 17:24:48.0023 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/12/27 17:24:50.0707 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/12/27 17:24:53.0481 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/12/27 17:24:54.0022 ================================================================================
2010/12/27 17:24:54.0022 Scan finished
2010/12/27 17:24:54.0022 ================================================================================
2010/12/27 17:24:54.0072 Detected object count: 1
2010/12/27 17:31:01.0430 BTHidMgr (4a21acc644692dab4486231839b687c2) C:\WINDOWS\system32\Drivers\BTHidMgr.sys
2010/12/27 17:31:01.0430 Suspicious file (Forged): C:\WINDOWS\system32\Drivers\BTHidMgr.sys. Real md5: 4a21acc644692dab4486231839b687c2, Fake md5: dfca4fe4c8aec786b4d0f432eb730f48
2010/12/27 17:31:01.0761 Backup copy found, using it..
2010/12/27 17:31:01.0791 C:\WINDOWS\system32\Drivers\BTHidMgr.sys - will be cured after reboot
2010/12/27 17:31:01.0791 Rootkit.Win32.TDSS.tdl3(BTHidMgr) - User select action: Cure
2010/12/27 17:32:10.0189 Deinitialize success

regards

will
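
As an added example (not from this thread, and not TDSSKiller's own code), a small Python parser for the log format posted above: it pulls out the forged-file verdicts, where the two MD5s the tool reports for one file disagree, ties them to the service name and the user-selected action, and flags the cases a responder should not overlook, such as a declared object count that does not match the parsed detections or a cure deferred to reboot. The sample log is constructed from lines of this post, and the regular expressions are my own reading of the message formats visible there.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a trimmed TDSSKiller log in the line format posted above
# (the values come from that post; the long driver listing is cut down to two lines).
SAMPLE_LOG = """\
2010/12/27 17:13:39.0011 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/27 17:13:51.0980 Scan started
2010/12/27 17:14:09.0355 ACPI (8fd99680a539792a30e97944fdaecf17) C:\\WINDOWS\\system32\\DRIVERS\\ACPI.sys
2010/12/27 17:15:48.0838 BTHidMgr (4a21acc644692dab4486231839b687c2) C:\\WINDOWS\\system32\\Drivers\\BTHidMgr.sys
2010/12/27 17:15:48.0838 Suspicious file (Forged): C:\\WINDOWS\\system32\\Drivers\\BTHidMgr.sys. Real md5: 4a21acc644692dab4486231839b687c2, Fake md5: dfca4fe4c8aec786b4d0f432eb730f48
2010/12/27 17:15:48.0868 BTHidMgr - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/12/27 17:24:54.0022 Scan finished
2010/12/27 17:24:54.0072 Detected object count: 1
2010/12/27 17:31:01.0791 C:\\WINDOWS\\system32\\Drivers\\BTHidMgr.sys - will be cured after reboot
2010/12/27 17:31:01.0791 Rootkit.Win32.TDSS.tdl3(BTHidMgr) - User select action: Cure
"""

# Every line begins with "YYYY/MM/DD HH:MM:SS.mmmm "; the patterns below are my reading
# of the message formats visible in the log, not an official grammar.
TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "
MD5 = r"[0-9a-f]{32}"
VERSION_RE = re.compile(TS + r"TDSS rootkit removing tool (?P<ver>\S+)")
FORGED_RE = re.compile(TS + r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: "
                       r"(?P<real>" + MD5 + r"), Fake md5: (?P<fake>" + MD5 + r")$")
DETECT_RE = re.compile(TS + r"(?P<name>\S+) - detected (?P<family>\S+) \(\d+\)$")
COUNT_RE = re.compile(TS + r"Detected object count: (?P<n>\d+)$")
CURE_RE = re.compile(TS + r"(?P<path>.+?) - will be cured after reboot$")
ACTION_RE = re.compile(TS + r"(?P<family>[^(\s]+)\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)$")
DRIVER_RE = re.compile(TS + r"(?P<name>\S+) \((?P<md5>" + MD5 + r")\) (?P<path>.+)$")


@dataclass
class Finding:
    name: str                 # service name as TDSSKiller prints it (e.g. BTHidMgr)
    path: str = ""
    family: str = ""          # e.g. Rootkit.Win32.TDSS.tdl3
    real_md5: str = ""
    fake_md5: str = ""
    action: str = ""          # user-selected action, e.g. Cure
    cure_pending: bool = False

    @property
    def hash_mismatch(self) -> bool:
        # The "Forged" verdict: the two MD5s the tool obtained for one file disagree,
        # so something between the disk and the file API is misrepresenting its bytes.
        return bool(self.real_md5) and self.real_md5 != self.fake_md5


@dataclass
class ScanSummary:
    tool_version: str = ""
    drivers_listed: int = 0
    declared_count: Optional[int] = None
    findings: Dict[str, Finding] = field(default_factory=dict)


def parse_tdsskiller_log(text: str) -> ScanSummary:
    """Turn a TDSSKiller log into detections keyed by service name plus scan metadata."""
    s = ScanSummary()
    path_to_name: Dict[str, str] = {}   # forged/cure lines key on the path, not the name
    for line in text.splitlines():
        if m := VERSION_RE.match(line):
            s.tool_version = m["ver"]
        elif m := FORGED_RE.match(line):
            name = path_to_name.get(m["path"], m["path"])
            f = s.findings.setdefault(name, Finding(name=name))
            f.path, f.real_md5, f.fake_md5 = m["path"], m["real"], m["fake"]
        elif m := DETECT_RE.match(line):
            s.findings.setdefault(m["name"], Finding(name=m["name"])).family = m["family"]
        elif m := COUNT_RE.match(line):
            s.declared_count = int(m["n"])
        elif m := CURE_RE.match(line):
            name = path_to_name.get(m["path"], m["path"])
            s.findings.setdefault(name, Finding(name=name)).cure_pending = True
        elif m := ACTION_RE.match(line):
            f = s.findings.setdefault(m["name"], Finding(name=m["name"]))
            f.family, f.action = f.family or m["family"], m["action"]
        elif m := DRIVER_RE.match(line):
            s.drivers_listed += 1
            path_to_name[m["path"]] = m["name"]
    return s


def review(s: ScanSummary) -> List[str]:
    """Sanity checks before trusting the scan: counts agree, forged files were acted on."""
    notes = []
    if s.declared_count is not None and s.declared_count != len(s.findings):
        notes.append(f"declared {s.declared_count} object(s) but parsed {len(s.findings)}")
    for f in s.findings.values():
        if f.hash_mismatch and f.action != "Cure":
            notes.append(f"{f.name}: forged file left with action '{f.action or 'none'}'")
        if f.cure_pending:
            notes.append(f"{f.name}: cure deferred until reboot; rescan after restarting")
    return notes


if __name__ == "__main__":
    summary = parse_tdsskiller_log(SAMPLE_LOG)
    for note in review(summary):
        print(note)
```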

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 December 2010 - 04:46 AM

The rootkit is taken care of by TDSSKiller.

  • Download and run the AVG Uninstaller. It will remove any left over from AVG.
  • Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the MBAM log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


#7 supra_toy

supra_toy
  • Topic Starter

  • Members
  • 6 posts

Posted 28 December 2010 - 09:16 PM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5410

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/28/2010 6:12:07 PM
mbam-log-2010-12-28 (18-12-07).txt

Scan type: Quick scan
Objects scanned: 129191
Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 29 December 2010 - 05:26 AM

  • To Clear the Java Runtime Environment (JRE) cache, do this:
    • Click Start > Control Panel.
    • Double-click the Java icon.
      -The Java Control Panel appears.
    • Click "Settings" under Temporary Internet Files.
      -The Temporary Files Settings dialog box appears.
    • Click "Delete Files".
      -The Delete Temporary Files dialog box appears.
      -There are three options on this window to clear the cache.
      • Delete Files
      • View Applications
      • View Applets
    • Click "OK" on Delete Temporary Files window.
      -Note: This deletes all the Downloaded Applications and Applets from the cache.
    • Click "OK" on Temporary Files Settings window.
    • Close the Java Control Panel.
    You can also view these instructions along with screenshots here.
  • Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Please update your Java to the latest version (version 6 update 23).
    Please uninstall the following if Java didn't remove it automatically:

    Java 6 update 20
  • You need to install an antivirus program to have proper protection. I recommend this good free antivirus:

    Avira
    • Download the installer from softpedia.com link as it has a secure download mirror.
    • Install and update it then let it scan the computer and remove what it finds.
    • Copy and paste the content of the report to your reply.
  • Also tell me how the computer is running.


#9 supra_toy

supra_toy
  • Topic Starter

  • Members
  • 6 posts

Posted 30 December 2010 - 12:15 AM

Avira AntiVir Personal
Report file date: Wednesday, December 29, 2010 19:26

Scanning for 2309058 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : WSM-7CPBXQ01LDM

Version information:
BUILD.DAT : 10.0.0.609 31824 Bytes 12/13/2010 09:43:00
AVSCAN.EXE : 10.0.3.5 435368 Bytes 12/13/2010 16:39:58
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 20:57:06
LUKE.DLL : 10.0.3.2 104296 Bytes 12/13/2010 16:40:08
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 07:40:50
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 17:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 15:45:04
VBASE002.VDF : 7.11.0.1 2048 Bytes 12/14/2010 15:45:06
VBASE003.VDF : 7.11.0.2 2048 Bytes 12/14/2010 15:45:08
VBASE004.VDF : 7.11.0.3 2048 Bytes 12/14/2010 15:45:12
VBASE005.VDF : 7.11.0.4 2048 Bytes 12/14/2010 15:45:12
VBASE006.VDF : 7.11.0.5 2048 Bytes 12/14/2010 15:45:14
VBASE007.VDF : 7.11.0.6 2048 Bytes 12/14/2010 15:45:16
VBASE008.VDF : 7.11.0.7 2048 Bytes 12/14/2010 15:45:18
VBASE009.VDF : 7.11.0.8 2048 Bytes 12/14/2010 15:45:20
VBASE010.VDF : 7.11.0.9 2048 Bytes 12/14/2010 15:45:22
VBASE011.VDF : 7.11.0.10 2048 Bytes 12/14/2010 15:45:24
VBASE012.VDF : 7.11.0.11 2048 Bytes 12/14/2010 15:45:26
VBASE013.VDF : 7.11.0.52 128000 Bytes 12/16/2010 15:45:28
VBASE014.VDF : 7.11.0.91 226816 Bytes 12/20/2010 15:45:32
VBASE015.VDF : 7.11.0.122 136192 Bytes 12/21/2010 15:45:34
VBASE016.VDF : 7.11.0.156 122880 Bytes 12/24/2010 15:45:36
VBASE017.VDF : 7.11.0.185 146944 Bytes 12/27/2010 15:45:40
VBASE018.VDF : 7.11.0.186 2048 Bytes 12/27/2010 15:45:42
VBASE019.VDF : 7.11.0.187 2048 Bytes 12/27/2010 15:45:44
VBASE020.VDF : 7.11.0.188 2048 Bytes 12/27/2010 15:45:46
VBASE021.VDF : 7.11.0.189 2048 Bytes 12/27/2010 15:45:48
VBASE022.VDF : 7.11.0.190 2048 Bytes 12/27/2010 15:45:48
VBASE023.VDF : 7.11.0.191 2048 Bytes 12/27/2010 15:45:50
VBASE024.VDF : 7.11.0.192 2048 Bytes 12/27/2010 15:45:52
VBASE025.VDF : 7.11.0.193 2048 Bytes 12/27/2010 15:45:54
VBASE026.VDF : 7.11.0.194 2048 Bytes 12/27/2010 15:45:56
VBASE027.VDF : 7.11.0.195 2048 Bytes 12/27/2010 15:45:58
VBASE028.VDF : 7.11.0.196 2048 Bytes 12/27/2010 15:46:00
VBASE029.VDF : 7.11.0.197 2048 Bytes 12/27/2010 15:46:02
VBASE030.VDF : 7.11.0.198 2048 Bytes 12/27/2010 15:46:02
VBASE031.VDF : 7.11.0.220 94208 Bytes 12/29/2010 03:23:28
Engineversion : 8.2.4.126
AEVDF.DLL : 8.1.2.1 106868 Bytes 12/13/2010 16:39:52
AESCRIPT.DLL : 8.1.3.48 1286524 Bytes 12/13/2010 16:39:52
AESCN.DLL : 8.1.7.2 127349 Bytes 12/13/2010 16:39:52
AESBX.DLL : 8.1.3.2 254324 Bytes 12/13/2010 16:39:52
AERDL.DLL : 8.1.9.2 635252 Bytes 12/13/2010 16:39:52
AEPACK.DLL : 8.2.4.5 512375 Bytes 12/29/2010 15:46:22
AEOFFICE.DLL : 8.1.1.10 201084 Bytes 12/13/2010 16:39:50
AEHEUR.DLL : 8.1.2.57 3142008 Bytes 12/29/2010 15:46:18
AEHELP.DLL : 8.1.16.0 246136 Bytes 12/13/2010 16:39:44
AEGEN.DLL : 8.1.5.0 397685 Bytes 12/13/2010 16:39:44
AEEMU.DLL : 8.1.3.0 393589 Bytes 12/13/2010 16:39:44
AECORE.DLL : 8.1.19.0 196984 Bytes 12/13/2010 16:39:42
AEBB.DLL : 8.1.1.0 53618 Bytes 12/13/2010 16:39:42
AVWINLL.DLL : 10.0.0.0 19304 Bytes 12/13/2010 16:39:58
AVPREF.DLL : 10.0.0.0 44904 Bytes 12/13/2010 16:39:56
AVREP.DLL : 10.0.0.8 62209 Bytes 6/17/2010 22:27:14
AVREG.DLL : 10.0.3.2 53096 Bytes 12/13/2010 16:39:56
AVSCPLR.DLL : 10.0.3.2 84328 Bytes 12/13/2010 16:39:58
AVARKT.DLL : 10.0.22.6 231784 Bytes 12/13/2010 16:39:54
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 12/13/2010 16:39:54
SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 22:27:24
AVSMTP.DLL : 10.0.0.17 63848 Bytes 12/13/2010 16:39:58
NETNT.DLL : 10.0.0.0 11624 Bytes 6/17/2010 22:27:22
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 21:10:22
RCTEXT.DLL : 10.0.58.0 97128 Bytes 12/13/2010 16:40:22

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Wednesday, December 29, 2010 19:26

Starting search for hidden objects.
C:\Documents and Settings\wsm\My Documents\My Music\Creedence Clearwater Revival\Chronicle, Vol. 2
C:\Documents and Settings\wsm\My Documents\My Music\Creedence Clearwater Revival\Chronicle, Vol. 2
[NOTE] The registry entry is invisible.

The scan of running processes will be started
Scan process 'msdtc.exe' - '40' Module(s) have been scanned
Scan process 'dllhost.exe' - '61' Module(s) have been scanned
Scan process 'dllhost.exe' - '45' Module(s) have been scanned
Scan process 'vssvc.exe' - '43' Module(s) have been scanned
Scan process 'avscan.exe' - '70' Module(s) have been scanned
Scan process 'avcenter.exe' - '65' Module(s) have been scanned
Scan process 'alg.exe' - '36' Module(s) have been scanned
Scan process 'wscntfy.exe' - '17' Module(s) have been scanned
Scan process 'avshadow.exe' - '25' Module(s) have been scanned
Scan process 'WMPNetwk.exe' - '70' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '12' Module(s) have been scanned
Scan process 'jqs.exe' - '35' Module(s) have been scanned
Scan process 'AWC.exe' - '63' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'ctfmon.exe' - '25' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '35' Module(s) have been scanned
Scan process 'avgnt.exe' - '45' Module(s) have been scanned
Scan process 'jusched.exe' - '51' Module(s) have been scanned
Scan process 'APAgent.exe' - '42' Module(s) have been scanned
Scan process 'schedhlp.exe' - '19' Module(s) have been scanned
Scan process 'TimounterMonitor.exe' - '25' Module(s) have been scanned
Scan process 'MaxBlastMonitor.exe' - '27' Module(s) have been scanned
Scan process 'avguard.exe' - '55' Module(s) have been scanned
Scan process 'Anvshell.exe' - '23' Module(s) have been scanned
Scan process 'schedul2.exe' - '21' Module(s) have been scanned
Scan process 'svchost.exe' - '33' Module(s) have been scanned
Scan process 'sched.exe' - '42' Module(s) have been scanned
Scan process 'Explorer.EXE' - '96' Module(s) have been scanned
Scan process 'spoolsv.exe' - '60' Module(s) have been scanned
Scan process 'svchost.exe' - '52' Module(s) have been scanned
Scan process 'svchost.exe' - '35' Module(s) have been scanned
Scan process 'svchost.exe' - '158' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'svchost.exe' - '51' Module(s) have been scanned
Scan process 'lsass.exe' - '62' Module(s) have been scanned
Scan process 'services.exe' - '27' Module(s) have been scanned
Scan process 'winlogon.exe' - '71' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '373' files ).


Starting the file scan:

Begin scan in 'C:\' <LOCAL DISK>


End of the scan: Wednesday, December 29, 2010 20:57
Used time: 1:30:56 Hour(s)

The scan has been done completely.

5586 Scanned directories
207751 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
207751 Files not concerned
1912 Archives were scanned
0 Warnings
0 Notes
310368 Objects were scanned with rootkit scan
1 Hidden objects were found

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 30 December 2010 - 03:12 PM

It looks good. :thumbup2:

Everything looks good.

  • You may delete any tool or log we used from your computer.
  • First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

To remove the old restore points:
  • Go to Start > Run then type: Cleanmgr in the box and click "OK".
  • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
  • Click OK and Yes.
Recommendations:
  • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.
  • I recommend installing this small application for safe surfing: Javacools© SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
  • Download and install it.
  • Update it manually by clicking on Updates in the left pane and then Check for Updates.
  • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
  • The free version doesn't have an automatic update. Update it once every two or three weeks and enable all protection again.
Happy Surfing supra_toy. :)

Edited by farbar, 30 December 2010 - 03:13 PM.


#11 supra_toy

supra_toy
  • Topic Starter

  • Members
  • 6 posts

Posted 30 December 2010 - 11:30 PM

OK. Removed the logs, kept the tools for now.

Set new restore point and deleted old ones.

Downloaded the site advisor
and spywareblaster.

Been so busy I haven't had time to use it much, but it seems better now.

Couple of questions.

I had a removable hard drive that I had connected to this machine for backing up Word and Excel docs and pictures and music. I've had it unplugged for a while but am afraid it was connected while the computer was infected. Should I now reconnect it and wipe it clean and start over? (Not really a big deal since all the stuff I want to back up is in only a few folders.)

Thanks again for all your help.

Best regards and happy new year

Will aka supra_toy

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 30 December 2010 - 11:54 PM

You may have the removable hard drive scanned or cleaned as you like. This rootkit is not an autorun infection and the removable drive should be clean.

You are most welcome and a happy new year to you too. :)

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
