Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Svchost.exe crash, possible TDL3 rootkit infection


  • This topic is locked This topic is locked
21 replies to this topic

#1 Jesusjones1024

Jesusjones1024

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 19 December 2010 - 12:21 AM

Hello. Long time listener, first time caller :grinner: (tom lykus anyone?)
I've usually been able to use your existing threads, but this one really has me stumped.

While online, a pop-up opened and immediately downloaded "Test.exe" onto my desktop. Even though I rushed to delete it, soon my desktop icons dissapeared and any applications I tried to open were present in the task manager but visually unable to populate. System restore was unable to load and pop-ups were abundant.

Being two weeks later, I've managed to restored my desktop icons and it's at least usable, but two big issues remain:

1) 2-3 hours after boot, svchost.exe has an error and I am unable to open most programs (other than IE), my sound fails, and it freezes at the shut down screen. Also, my desktop definitely loads up slower.

2) At random times svchost.exe starts using up to 99% of the cpu; slowing everything to a crawl and forcing my fan to rev up like a dwarf hamster on adderall. :guitar:

Avast picks up nothing yet a microsoft scan picks up an issue in javaAttached File  untitled2.JPG   199.15KB   7 downloads (screenshot in attachments)

I've done all I know how to do so it's definitely time to call in the big dogs. I appreciate in advance any responses.





(gmer.exe errors and instantly reboots my pc during scan. So currently I am unable to post an ark.txt log)









DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 0:23:04.20 on Sat 12/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1562 [GMT -6:00]

AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\y2k9keym.default\
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-12-7 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-12-7 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-7 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-7 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-7 40384]
R3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\GenericMount.sys [2009-9-21 57840]
S3 MAUSBFASTTRACK;Service for M-Audio FastTrack;c:\windows\system32\drivers\MAudioFastTrack.sys [2010-10-24 158344]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-8-4 5120]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\drivers\ZD1211BU.sys [2010-10-1 450560]
S4 GenericMount Helper Service;GenericMount Helper Service;c:\program files\norton ghost\shared\drivers\GenericMountHelper.exe [2009-9-21 1574408]
S4 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2009-9-21 1964528]

=============== Created Last 30 ================

2010-12-11 16:14:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-07 09:47:33 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Threat Expert
2010-12-07 08:35:27 38848 ----a-w- c:\windows\avastSS.scr
2010-12-07 08:35:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-12-07 07:41:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Webroot
2010-12-06 21:26:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-06 21:26:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-12-05 03:56:48 -------- d-----w- c:\docume~1\admini~1\applic~1\webroot
2010-12-05 03:55:27 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Webroot
2010-12-05 03:44:59 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\PackageAware
2010-12-05 03:43:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\CA
2010-12-04 18:51:41 -------- d-----w- c:\program files\CCleaner
2010-12-02 02:00:20 -------- d-----w- c:\program files\iPod
2010-12-02 02:00:17 -------- d-----w- c:\program files\iTunes
2010-12-02 02:00:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-12-02 01:59:51 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2010-12-02 01:59:50 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin.dll
2010-12-02 01:58:28 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-12-02 01:58:28 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-12-02 01:58:05 -------- d-----w- c:\program files\Bonjour
2010-11-29 04:04:04 -------- d-----w- c:\docume~1\admini~1\applic~1\OpenOffice.org
2010-11-29 04:00:40 -------- d-----w- c:\program files\JRE
2010-11-29 04:00:29 -------- d-----w- c:\program files\OpenOffice.org 3
2010-11-29 03:59:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-29 03:59:59 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-11-23 10:05:44 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Conduit
2010-11-23 10:05:29 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Temp
2010-11-19 06:13:08 647168 ----a-w- c:\windows\system32\sonicismdsp.dll
2010-11-19 06:13:08 551936 ----a-w- c:\windows\th_inst2.exe
2010-11-19 04:40:04 -------- d-----w- c:\program files\Antares Audio Technologies
2010-11-19 04:40:04 -------- d-----w- c:\docume~1\admini~1\applic~1\Antares
2010-11-19 04:39:52 1777664 ----a-w- c:\windows\system32\gdiplus.dll

==================== Find3M ====================

2010-11-08 07:20:24 89088 ----a-w- c:\windows\MBR.exe
2010-10-07 18:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 18:23:02 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-10-07 18:23:02 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 18:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3120025A rev.4.06 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T1L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A555555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a55b7b0]; MOV EAX, [0x8a55b82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A565AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000062[0x8A567908]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x8A589940]
\Driver\atapi[0x8A5CCA80] -> IRP_MJ_CREATE -> 0x8A555555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T1L0-3 -> \??\IDE#DiskST3120025A______________________________4.06____#4a35305454545a42202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A55539B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 0:24:43.57 ===============

Attached Files


Edited by Jesusjones1024, 19 December 2010 - 03:09 AM.


BC AdBot (Login to Remove)

 


#2 Jesusjones1024

Jesusjones1024
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 19 December 2010 - 02:02 AM

Thought I'd post a picture of the svchost error that I referenced on "1"
Attached File  untitled321.JPG   33.86KB   5 downloads

#3 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:09:51 AM

Posted 29 December 2010 - 01:33 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#4 Jesusjones1024

Jesusjones1024
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 03 January 2011 - 01:58 AM

No problem! Just happy I got some kind of response. I'm ready to take this beast down.

And GMER is still crashing in the middle of a scan.

-Ross









DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 0:48:19.55 on Mon 01/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1571 [GMT -6:00]

AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\M-AudioTaskBarIcon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Sony\ACID Pro 7.0\acid70.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
mWinlogon: Userinit=userinit.exe
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\y2k9keym.default\
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-12-7 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-12-7 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-7 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-7 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-7 40384]
R3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\GenericMount.sys [2009-9-21 57840]
S3 MAUSBFASTTRACK;Service for M-Audio FastTrack;c:\windows\system32\drivers\maudiofasttrack.sys --> c:\windows\system32\drivers\MAudioFastTrack.sys [?]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-8-4 5120]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\drivers\ZD1211BU.sys [2010-10-1 450560]
S4 GenericMount Helper Service;GenericMount Helper Service;c:\program files\norton ghost\shared\drivers\GenericMountHelper.exe [2009-9-21 1574408]
S4 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2009-9-21 1964528]

=============== Created Last 30 ================

2010-12-22 18:16:34 -------- d-----w- c:\program files\M-Audio
2010-12-22 18:10:17 -------- d-----w- c:\docume~1\admini~1\applic~1\DSound
2010-12-22 18:10:07 -------- d-----w- c:\program files\DSound
2010-12-22 18:10:07 -------- d-----w- c:\program files\ASIO
2010-12-11 16:14:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-07 09:47:33 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Threat Expert
2010-12-07 08:35:27 38848 ----a-w- c:\windows\avastSS.scr
2010-12-07 08:35:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-12-07 07:41:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Webroot
2010-12-06 21:26:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-06 21:26:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-12-05 03:56:48 -------- d-----w- c:\docume~1\admini~1\applic~1\webroot
2010-12-05 03:55:27 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Webroot
2010-12-05 03:44:59 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\PackageAware
2010-12-05 03:43:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\CA
2010-12-04 18:51:41 -------- d-----w- c:\program files\CCleaner

==================== Find3M ====================

2010-12-11 16:28:11 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-11 21:29:20 644104 ----a-w- c:\windows\system32\M-AudioTaskBarIcon.exe
2010-11-11 21:29:18 253448 ----a-w- c:\windows\system32\M-AudioFastTrackProControlPanelApplet.cpl
2010-11-11 21:29:14 32776 ----a-w- c:\windows\system32\mausbasio.dll
2010-11-11 21:29:08 2526189 ----a-w- c:\windows\system32\madiousb.dll
2010-11-08 07:20:24 89088 ----a-w- c:\windows\MBR.exe
2010-10-07 18:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 18:23:02 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-10-07 18:23:02 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 18:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3120025A rev.4.06 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T1L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A577555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a57d7b0]; MOV EAX, [0x8a57d82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A5ABAB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000062[0x8A5CD510]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x8A5AE940]
\Driver\atapi[0x8A586EA0] -> IRP_MJ_CREATE -> 0x8A577555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T1L0-3 -> \??\IDE#DiskST3120025A______________________________4.06____#4a35305454545a42202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A57739B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 0:52:52.97 ===============

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:51 AM

Posted 03 January 2011 - 11:07 PM

Hello

My name is gringo and I will be Helping you from this point forward

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes unless I tell you so.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

If you have not done so please Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Here is the first thing I would like you to do.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#6 Jesusjones1024

Jesusjones1024
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 06 January 2011 - 04:57 PM

Hey Gringo! Thanks for willing to help me! I'll respond ASAP now :clapping:

Here's my ComboFix log, yet I'm still receiving the svchost error a few hours after boot.
I'm curious though because CombF stated that "spyware doctor" was still runnning, even after I revo installed that a while back.
I had a problem with AVG showing up on CF years back after uninstalling it as well. Spyware Doctor doesn't show up on any program lists either.

CF also said I had a rootkit and restarted my comp. Thanks Gringo! :bowdown:




ComboFix 11-01-06.03 - Administrator 01/06/2011 14:58:04.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1686 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\iSh\Virus Stuff\Installers\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((( Files Created from 2010-12-06 to 2011-01-06 )))))))))))))))))))))))))))))))
.

2011-01-06 20:44 . 2011-01-06 20:45 -------- d-----w- C:\32788R22FWJFW
2010-12-22 18:16 . 2010-12-22 18:16 -------- d-----w- c:\program files\M-Audio
2010-12-22 18:10 . 2010-12-22 18:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\DSound
2010-12-22 18:10 . 2010-12-22 18:10 -------- d-----w- c:\program files\DSound
2010-12-22 18:10 . 2010-12-22 18:10 -------- d-----w- c:\program files\ASIO
2010-12-11 16:30 . 2010-12-11 16:30 -------- d-----w- c:\program files\Common Files\Java
2010-12-11 16:14 . 2010-12-11 16:28 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-11 11:55 . 2010-12-14 13:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-12-11 11:55 . 2010-12-11 11:55 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-12-11 11:55 . 2010-12-11 11:55 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2010-12-11 11:54 . 2010-12-11 11:55 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2010-12-09 23:05 . 2010-12-18 06:29 -------- d-----w- c:\program files\Windows Live Safety Center
2010-12-09 21:21 . 2010-12-09 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-11 16:28 . 2010-11-29 03:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-29 23:42 . 2010-11-01 09:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 23:42 . 2010-11-01 09:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-11 21:29 . 2010-11-11 21:29 644104 ----a-w- c:\windows\system32\M-AudioTaskBarIcon.exe
2010-11-11 21:29 . 2010-11-11 21:29 253448 ----a-w- c:\windows\system32\M-AudioFastTrackProControlPanelApplet.cpl
2010-11-11 21:29 . 2010-11-11 21:29 32776 ----a-w- c:\windows\system32\mausbasio.dll
2010-11-11 21:29 . 2010-11-11 21:29 2526189 ----a-w- c:\windows\system32\madiousb.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-12-07_07.12.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 08:19 . 2007-11-07 08:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 12:07 . 2008-07-29 12:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 12:07 . 2008-07-29 12:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2011-01-06 20:54 . 2011-01-06 20:54 16384 c:\windows\temp\Perflib_Perfdata_480.dat
+ 2010-12-07 08:35 . 2010-09-07 15:52 46672 c:\windows\system32\drivers\aswTdi.sys
+ 2010-12-07 08:35 . 2010-09-07 15:47 23376 c:\windows\system32\drivers\aswRdr.sys
+ 2010-12-07 08:35 . 2010-09-07 15:47 94544 c:\windows\system32\drivers\aswmon.sys
+ 2010-12-07 08:35 . 2010-09-07 15:47 17744 c:\windows\system32\drivers\aswFsBlk.sys
+ 2010-12-07 08:35 . 2010-09-07 15:46 28880 c:\windows\system32\drivers\aavmker4.sys
+ 2010-09-25 05:52 . 2010-12-07 07:36 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-09-25 05:52 . 2010-12-07 06:46 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-09-25 05:52 . 2010-12-07 06:46 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-09-25 05:52 . 2010-12-07 07:36 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-09-25 05:52 . 2010-12-07 07:36 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-09-25 05:52 . 2010-12-07 06:46 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-12-07 08:35 . 2010-09-07 16:12 38848 c:\windows\avastSS.scr
+ 2008-07-29 14:05 . 2008-07-29 14:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
- 2010-11-29 03:59 . 2010-11-29 03:59 153376 c:\windows\system32\javaws.exe
+ 2010-12-11 16:29 . 2010-12-11 16:28 153376 c:\windows\system32\javaws.exe
+ 2010-12-11 16:29 . 2010-12-11 16:28 145184 c:\windows\system32\javaw.exe
- 2010-11-29 03:59 . 2010-11-29 03:59 145184 c:\windows\system32\javaw.exe
- 2010-11-29 03:59 . 2010-11-29 03:59 145184 c:\windows\system32\java.exe
+ 2010-12-11 16:29 . 2010-12-11 16:28 145184 c:\windows\system32\java.exe
+ 2010-12-22 18:16 . 2010-11-11 21:29 158600 c:\windows\system32\DRVSTORE\MAudioFast_DE6F6B0485B8BE504A327D45290A20C8122417C6\MAudioFastTrackPro.sys
+ 2010-12-07 08:35 . 2010-09-07 15:52 165584 c:\windows\system32\drivers\aswSP.sys
+ 2010-12-07 08:35 . 2010-09-07 15:47 100176 c:\windows\system32\drivers\aswmon2.sys
+ 2010-12-07 08:35 . 2010-09-07 16:11 167592 c:\windows\system32\aswBoot.exe
+ 2010-12-25 02:58 . 2010-11-19 04:34 195296 c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
+ 2010-12-11 16:30 . 2010-12-11 16:30 180224 c:\windows\Installer\1d373.msi
+ 2010-12-11 16:27 . 2010-12-11 16:27 677376 c:\windows\Installer\1d36e.msi
+ 2010-12-07 09:43 . 2010-12-07 09:43 228352 c:\windows\Installer\1ac2ea.msi
- 2010-12-02 02:01 . 2010-12-02 02:01 380928 c:\windows\Installer\{FAE36873-1941-4076-A9A5-48812B5EA0B7}\iTunesIco.exe
+ 2010-12-02 02:01 . 2010-12-11 11:55 380928 c:\windows\Installer\{FAE36873-1941-4076-A9A5-48812B5EA0B7}\iTunesIco.exe
+ 2010-08-06 00:28 . 2010-08-06 00:28 464272 c:\windows\Downloaded Program Files\wlscBase.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2010-12-22 18:16 . 2010-12-22 18:16 1398272 c:\windows\Installer\962e6.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"M-Audio Taskbar Icon"="c:\windows\system32\M-AudioTaskBarIcon.exe" [2010-11-11 644104]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
2010-09-29 02:33 2407632 ----a-w- c:\program files\IObit\Advanced SystemCare 3\AWC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-01 15:21 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2006-10-27 00:48 434528 ----a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-09-20 14:32 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 14:32 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 14:36 114688 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-09-20 14:35 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-18 02:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
2010-11-11 21:29 644104 ----a-w- c:\windows\system32\M-AudioTaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 20:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 15.0]
2010-03-04 00:39 2598760 ----a-w- c:\program files\Norton Ghost\Agent\VProTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2010-04-12 08:40 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 17:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 00:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
2003-11-20 20:01 525824 ----a-w- c:\program files\Compaq\SetRefresh\SetRefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
2003-07-30 16:08 143360 ----a-w- c:\program files\Analog Devices\SoundMAX\SMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 17:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/7/2010 2:35 AM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/7/2010 2:35 AM 17744]
R3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\GenericMount.sys [9/21/2009 7:26 PM 57840]
S3 MAUSBFASTTRACK;Service for M-Audio FastTrack;c:\windows\system32\DRIVERS\MAudioFastTrack.sys --> c:\windows\system32\DRIVERS\MAudioFastTrack.sys [?]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/4/2004 6:00 AM 5120]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\drivers\ZD1211BU.sys [10/1/2010 1:49 PM 450560]
S4 GenericMount Helper Service;GenericMount Helper Service;c:\program files\Norton Ghost\Shared\Drivers\GenericMountHelper.exe [9/21/2009 7:25 PM 1574408]
S4 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [9/21/2009 7:19 PM 1964528]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\y2k9keym.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-06 15:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3120025A rev.4.06 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T1L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A577555]<<
c:\docume~1\ADMINI~1\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a57d7b0]; MOV EAX, [0x8a57d82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A587AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000062[0x8A5A8510]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x8A5D4940]
\Driver\atapi[0x8A59F030] -> IRP_MJ_CREATE -> 0x8A577555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T1L0-3 -> \??\IDE#DiskST3120025A______________________________4.06____#4a35305454545a42202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A57739B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2308677863-2063735477-2416093373-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3b,b3,99,e1,17,87,aa,4c,96,f7,e4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3b,b3,99,e1,17,87,aa,4c,96,f7,e4,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3b,b3,99,e1,17,87,aa,4c,96,f7,e4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(836)
c:\windows\system32\WININET.dll
.
Completion time: 2011-01-06 15:22:11
ComboFix-quarantined-files.txt 2011-01-06 21:22
ComboFix2.txt 2010-12-07 07:20

Pre-Run: 75,383,074,816 bytes free
Post-Run: 75,775,938,560 bytes free

- - End Of File - - EE1761F62163CE047A82CAF9C315E5AB

Edited by Jesusjones1024, 06 January 2011 - 04:58 PM.


#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:51 AM

Posted 06 January 2011 - 06:59 PM

Hello

It looks like the rootkit is still active. I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 Jesusjones1024

Jesusjones1024
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 06 January 2011 - 11:25 PM

Awesome program. Definitely found a rootkit and "cured" it on reboot because when I scanned again it was clean.

The content of the first, dirty, scan is below.


2011/01/06 22:13:30.0316 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/06 22:13:30.0316 ================================================================================
2011/01/06 22:13:30.0316 SystemInfo:
2011/01/06 22:13:30.0316
2011/01/06 22:13:30.0316 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/06 22:13:30.0316 Product type: Workstation
2011/01/06 22:13:30.0316 ComputerName: HP20957231264
2011/01/06 22:13:30.0316 UserName: Administrator
2011/01/06 22:13:30.0316 Windows directory: C:\WINDOWS
2011/01/06 22:13:30.0316 System windows directory: C:\WINDOWS
2011/01/06 22:13:30.0316 Processor architecture: Intel x86
2011/01/06 22:13:30.0316 Number of processors: 2
2011/01/06 22:13:30.0316 Page size: 0x1000
2011/01/06 22:13:30.0316 Boot type: Normal boot
2011/01/06 22:13:30.0316 ================================================================================
2011/01/06 22:13:30.0738 Initialize success
2011/01/06 22:14:04.0550 ================================================================================
2011/01/06 22:14:04.0550 Scan started
2011/01/06 22:14:04.0550 Mode: Manual;
2011/01/06 22:14:04.0550 ================================================================================
2011/01/06 22:14:04.0878 Aavmker4 (8d488938e2f7048906f1fbd3af394887) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/01/06 22:14:05.0378 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
2011/01/06 22:14:05.0628 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/06 22:14:05.0816 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/01/06 22:14:06.0003 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/01/06 22:14:06.0253 adpu320 (0ea9b1f0c6c90a509c8603775366adb7) C:\WINDOWS\system32\DRIVERS\adpu320.sys
2011/01/06 22:14:06.0488 aeaudio (3cb6ae5435987b1f8c83fd2730479878) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/01/06 22:14:06.0691 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/06 22:14:06.0878 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/06 22:14:07.0222 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/01/06 22:14:07.0441 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/01/06 22:14:08.0425 aswFsBlk (a0d86b8ac93ef95620420c7a24ac5344) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011/01/06 22:14:08.0613 aswMon2 (7d880c76a285a41284d862e2d798ec0d) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/01/06 22:14:08.0800 aswRdr (69823954bbd461a73d69774928c9737e) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/01/06 22:14:09.0003 aswSP (7ecc2776638b04553f9a85bd684c3abf) C:\WINDOWS\system32\drivers\aswSP.sys
2011/01/06 22:14:09.0175 aswTdi (095ed820a926aa8189180b305e1bcfc9) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/01/06 22:14:09.0363 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/06 22:14:09.0582 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/06 22:14:09.0925 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/06 22:14:10.0144 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/06 22:14:10.0347 b57w2k (4826fcf97c47b361a2e2f68cd487a19e) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/01/06 22:14:10.0535 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/06 22:14:10.0738 Blfp (9976971b7092f5bff20073ab31ba1598) C:\WINDOWS\system32\DRIVERS\baspxp32.sys
2011/01/06 22:14:11.0128 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/06 22:14:11.0503 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/06 22:14:11.0675 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/06 22:14:11.0878 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/06 22:14:12.0894 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/06 22:14:13.0160 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/06 22:14:13.0425 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
2011/01/06 22:14:13.0628 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/06 22:14:13.0816 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/06 22:14:14.0019 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/01/06 22:14:14.0207 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/06 22:14:14.0394 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/01/06 22:14:14.0644 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/06 22:14:14.0847 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/01/06 22:14:15.0035 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/06 22:14:15.0222 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/01/06 22:14:15.0410 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/06 22:14:15.0628 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/06 22:14:15.0816 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/06 22:14:16.0003 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/01/06 22:14:16.0175 GenericMount (69f8f310654d699c7e5bd5c67279980f) C:\WINDOWS\system32\DRIVERS\GenericMount.sys
2011/01/06 22:14:16.0378 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/06 22:14:16.0597 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/06 22:14:16.0941 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/06 22:14:17.0441 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/06 22:14:17.0628 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
2011/01/06 22:14:17.0816 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
2011/01/06 22:14:18.0035 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
2011/01/06 22:14:18.0238 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
2011/01/06 22:14:18.0425 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
2011/01/06 22:14:18.0628 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
2011/01/06 22:14:18.0816 iAimFP5 (0308aef61941e4af478fa1a0f83812f5) C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
2011/01/06 22:14:18.0988 iAimFP6 (714038a8aa5de08e12062202cd7eaeb5) C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
2011/01/06 22:14:19.0175 iAimFP7 (7bb3aa595e4507a788de1cdc63f4c8c4) C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
2011/01/06 22:14:19.0347 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
2011/01/06 22:14:19.0535 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
2011/01/06 22:14:19.0738 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
2011/01/06 22:14:19.0925 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
2011/01/06 22:14:20.0113 iAimTV5 (791cc45de6e50445be72e8ad6401ff45) C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
2011/01/06 22:14:20.0300 iAimTV6 (352fa0e98bc461ce1ce5d41f64db558d) C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
2011/01/06 22:14:20.0550 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/01/06 22:14:20.0832 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/06 22:14:21.0175 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/01/06 22:14:21.0363 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/01/06 22:14:21.0550 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/06 22:14:21.0785 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/06 22:14:22.0003 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/06 22:14:22.0191 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/06 22:14:22.0394 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/06 22:14:22.0582 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/06 22:14:22.0816 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/06 22:14:23.0035 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/06 22:14:23.0222 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/01/06 22:14:23.0410 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/06 22:14:23.0597 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/06 22:14:24.0113 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/06 22:14:24.0285 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/06 22:14:24.0488 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/06 22:14:24.0722 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/06 22:14:24.0894 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/06 22:14:25.0285 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/06 22:14:25.0488 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/06 22:14:25.0691 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/06 22:14:25.0878 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/06 22:14:26.0113 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/06 22:14:26.0332 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/06 22:14:26.0503 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/06 22:14:26.0707 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/06 22:14:26.0957 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/06 22:14:27.0144 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/06 22:14:27.0332 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/06 22:14:27.0519 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/06 22:14:27.0722 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/06 22:14:27.0925 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/06 22:14:28.0097 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/06 22:14:28.0316 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/06 22:14:28.0519 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/06 22:14:28.0785 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/06 22:14:28.0957 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/06 22:14:29.0128 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/06 22:14:29.0332 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2011/01/06 22:14:29.0519 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/06 22:14:29.0722 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/06 22:14:29.0894 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/06 22:14:30.0097 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/06 22:14:30.0425 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/06 22:14:30.0597 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/01/06 22:14:31.0738 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/06 22:14:31.0925 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/06 22:14:32.0128 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/06 22:14:33.0082 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/06 22:14:33.0269 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/06 22:14:33.0457 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/06 22:14:33.0644 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/06 22:14:33.0847 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/06 22:14:34.0050 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/06 22:14:34.0222 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/01/06 22:14:34.0410 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/06 22:14:34.0628 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/06 22:14:34.0863 SCDEmu (20b2751cd4c8f3fd989739ca661b9f30) C:\WINDOWS\system32\drivers\SCDEmu.sys
2011/01/06 22:14:35.0066 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/06 22:14:35.0238 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/06 22:14:35.0425 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/06 22:14:35.0628 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/06 22:14:36.0003 smwdm (86d17b6760dd2b09e932ff101714e0dc) C:\WINDOWS\system32\drivers\smwdm.sys
2011/01/06 22:14:36.0347 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/06 22:14:36.0535 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/06 22:14:36.0738 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/06 22:14:36.0957 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/06 22:14:37.0160 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/06 22:14:37.0347 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/01/06 22:14:37.0503 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/01/06 22:14:37.0691 Symmpi (f2b7e8416f508368ac6730e2ae1c614f) C:\WINDOWS\system32\DRIVERS\symmpi.sys
2011/01/06 22:14:37.0910 symsnap (a5cf31080e99718949bcc38c83f13452) C:\WINDOWS\system32\DRIVERS\symsnap.sys
2011/01/06 22:14:38.0082 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/01/06 22:14:38.0269 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/01/06 22:14:38.0441 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/06 22:14:38.0644 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/06 22:14:38.0847 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/06 22:14:39.0082 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/06 22:14:39.0269 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/06 22:14:39.0628 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/06 22:14:40.0019 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/06 22:14:40.0207 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/01/06 22:14:40.0410 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/01/06 22:14:40.0597 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/06 22:14:40.0785 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/06 22:14:40.0972 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/06 22:14:41.0160 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/06 22:14:41.0378 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/01/06 22:14:41.0628 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/06 22:14:41.0816 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/01/06 22:14:42.0035 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/06 22:14:42.0253 VProEventMonitor (ef3506b04eb9124240b35148eaacbaa5) C:\WINDOWS\system32\DRIVERS\vproeventmonitor.sys
2011/01/06 22:14:42.0441 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/06 22:14:42.0660 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/01/06 22:14:42.0988 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/06 22:14:43.0175 WimFltr (090a2b8f055343815556a01f725f6c35) C:\WINDOWS\system32\DRIVERS\wimfltr.sys
2011/01/06 22:14:43.0410 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/01/06 22:14:43.0644 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/06 22:14:43.0816 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/06 22:14:44.0050 ZD1211BU(WLAN) (fa30e1c37b67de5a2e4cb8815d022880) C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys
2011/01/06 22:14:44.0253 ZDPSp50 (00ae175b903d45ed4a62384d3315dc2a) C:\WINDOWS\system32\Drivers\ZDPSp50.sys
2011/01/06 22:14:44.0285 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/06 22:14:44.0285 ================================================================================
2011/01/06 22:14:44.0285 Scan finished
2011/01/06 22:14:44.0285 ================================================================================
2011/01/06 22:14:44.0300 Detected object count: 1
2011/01/06 22:15:09.0832 \HardDisk0 - will be cured after reboot
2011/01/06 22:15:09.0832 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/01/06 22:15:13.0003 Deinitialize success

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:51 AM

Posted 06 January 2011 - 11:28 PM

Hello

lets double check things now.

please rerun combofix for me and send me the report


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 Jesusjones1024

Jesusjones1024
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 07 January 2011 - 12:35 AM

no error for a few hours now....good god i think you did it.









ComboFix 11-01-06.03 - Administrator 01/06/2011 23:24:33.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1664 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\iSh\Virus Stuff\Installers\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((( Files Created from 2010-12-07 to 2011-01-07 )))))))))))))))))))))))))))))))
.

2010-12-22 18:16 . 2010-12-22 18:16 -------- d-----w- c:\program files\M-Audio
2010-12-22 18:10 . 2010-12-22 18:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\DSound
2010-12-22 18:10 . 2010-12-22 18:10 -------- d-----w- c:\program files\DSound
2010-12-22 18:10 . 2010-12-22 18:10 -------- d-----w- c:\program files\ASIO
2010-12-11 16:30 . 2010-12-11 16:30 -------- d-----w- c:\program files\Common Files\Java
2010-12-11 16:14 . 2010-12-11 16:28 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-11 11:55 . 2010-12-14 13:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-12-11 11:55 . 2010-12-11 11:55 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-12-11 11:55 . 2010-12-11 11:55 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2010-12-11 11:54 . 2010-12-11 11:55 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2010-12-09 23:05 . 2010-12-18 06:29 -------- d-----w- c:\program files\Windows Live Safety Center
2010-12-09 21:21 . 2010-12-09 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-31 20:06 . 2010-12-07 08:35 38848 ----a-w- c:\windows\avastSS.scr
2010-12-31 20:06 . 2010-12-07 08:35 188216 ----a-w- c:\windows\system32\aswBoot.exe
2010-12-31 20:00 . 2010-12-07 08:35 293968 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-12-31 19:59 . 2010-12-07 08:35 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-12-31 19:59 . 2010-12-07 08:35 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-12-31 19:59 . 2010-12-07 08:35 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-12-31 19:56 . 2010-12-07 08:35 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-12-31 19:56 . 2010-12-07 08:35 29264 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-12-31 19:56 . 2010-12-07 08:35 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-12-11 16:28 . 2010-11-29 03:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-29 23:42 . 2010-11-01 09:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 23:42 . 2010-11-01 09:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-11 21:29 . 2010-11-11 21:29 644104 ----a-w- c:\windows\system32\M-AudioTaskBarIcon.exe
2010-11-11 21:29 . 2010-11-11 21:29 253448 ----a-w- c:\windows\system32\M-AudioFastTrackProControlPanelApplet.cpl
2010-11-11 21:29 . 2010-11-11 21:29 32776 ----a-w- c:\windows\system32\mausbasio.dll
2010-11-11 21:29 . 2010-11-11 21:29 2526189 ----a-w- c:\windows\system32\madiousb.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-12-07_07.12.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 08:19 . 2007-11-07 08:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 12:07 . 2008-07-29 12:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 12:07 . 2008-07-29 12:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2011-01-07 04:35 . 2011-01-07 04:35 16384 c:\windows\temp\Perflib_Perfdata_468.dat
- 2010-09-25 05:52 . 2010-12-07 06:46 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-09-25 05:52 . 2010-12-07 07:36 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-09-25 05:52 . 2010-12-07 07:36 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-09-25 05:52 . 2010-12-07 06:46 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-29 14:05 . 2008-07-29 14:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2010-12-11 16:29 . 2010-12-11 16:28 153376 c:\windows\system32\javaws.exe
- 2010-11-29 03:59 . 2010-11-29 03:59 153376 c:\windows\system32\javaws.exe
+ 2010-12-11 16:29 . 2010-12-11 16:28 145184 c:\windows\system32\javaw.exe
- 2010-11-29 03:59 . 2010-11-29 03:59 145184 c:\windows\system32\javaw.exe
+ 2010-12-11 16:29 . 2010-12-11 16:28 145184 c:\windows\system32\java.exe
- 2010-11-29 03:59 . 2010-11-29 03:59 145184 c:\windows\system32\java.exe
+ 2010-12-22 18:16 . 2010-11-11 21:29 158600 c:\windows\system32\DRVSTORE\MAudioFast_DE6F6B0485B8BE504A327D45290A20C8122417C6\MAudioFastTrackPro.sys
+ 2010-12-25 02:58 . 2010-11-19 04:34 195296 c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
+ 2010-12-11 16:30 . 2010-12-11 16:30 180224 c:\windows\Installer\1d373.msi
+ 2010-12-11 16:27 . 2010-12-11 16:27 677376 c:\windows\Installer\1d36e.msi
+ 2010-12-07 09:43 . 2010-12-07 09:43 228352 c:\windows\Installer\1ac2ea.msi
- 2010-12-02 02:01 . 2010-12-02 02:01 380928 c:\windows\Installer\{FAE36873-1941-4076-A9A5-48812B5EA0B7}\iTunesIco.exe
+ 2010-12-02 02:01 . 2010-12-11 11:55 380928 c:\windows\Installer\{FAE36873-1941-4076-A9A5-48812B5EA0B7}\iTunesIco.exe
+ 2010-08-06 00:28 . 2010-08-06 00:28 464272 c:\windows\Downloaded Program Files\wlscBase.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2010-12-22 18:16 . 2010-12-22 18:16 1398272 c:\windows\Installer\962e6.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-12-31 3395600]
"M-Audio Taskbar Icon"="c:\windows\system32\M-AudioTaskBarIcon.exe" [2010-11-11 644104]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
2010-09-29 02:33 2407632 ----a-w- c:\program files\IObit\Advanced SystemCare 3\AWC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-01 15:21 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2006-10-27 00:48 434528 ----a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-09-20 14:32 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 14:32 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 14:36 114688 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-09-20 14:35 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-18 02:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
2010-11-11 21:29 644104 ----a-w- c:\windows\system32\M-AudioTaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 20:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 15.0]
2010-03-04 00:39 2598760 ----a-w- c:\program files\Norton Ghost\Agent\VProTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2010-04-12 08:40 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 17:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 00:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
2003-11-20 20:01 525824 ----a-w- c:\program files\Compaq\SetRefresh\SetRefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
2003-07-30 16:08 143360 ----a-w- c:\program files\Analog Devices\SoundMAX\SMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 17:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/7/2010 2:35 AM 293968]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/7/2010 2:35 AM 17744]
R3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\GenericMount.sys [9/21/2009 7:26 PM 57840]
S3 MAUSBFASTTRACK;Service for M-Audio FastTrack;c:\windows\system32\DRIVERS\MAudioFastTrack.sys --> c:\windows\system32\DRIVERS\MAudioFastTrack.sys [?]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/4/2004 6:00 AM 5120]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\drivers\ZD1211BU.sys [10/1/2010 1:49 PM 450560]
S4 GenericMount Helper Service;GenericMount Helper Service;c:\program files\Norton Ghost\Shared\Drivers\GenericMountHelper.exe [9/21/2009 7:25 PM 1574408]
S4 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [9/21/2009 7:19 PM 1964528]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\y2k9keym.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-06 23:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2308677863-2063735477-2416093373-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3b,b3,99,e1,17,87,aa,4c,96,f7,e4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3b,b3,99,e1,17,87,aa,4c,96,f7,e4,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3b,b3,99,e1,17,87,aa,4c,96,f7,e4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(464)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-01-06 23:33:28
ComboFix-quarantined-files.txt 2011-01-07 05:33
ComboFix2.txt 2011-01-06 21:22
ComboFix3.txt 2010-12-07 07:20

Pre-Run: 75,688,394,752 bytes free
Post-Run: 75,694,223,360 bytes free

- - End Of File - - 154F03D90EEEFB2BDCBF7CEF7129D272

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:51 AM

Posted 07 January 2011 - 01:04 AM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 8.2.5
Hardcore


and click on remove

Update Adobe Reader

Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be carefull not to install anything to do with AskBar.
[/list]
Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 Jesusjones1024

Jesusjones1024
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 07 January 2011 - 09:50 PM

MY COMPUTER IS ALIVE!!!! haha, yes sir. Its been at least a night and no errors. It seems to be running a lot smoother as well.

Followed all your steps, except "Hardcore" is actually a plugin I use frequently for guitar effects. It's got a scary name but I've never had any problems with it?

The only thing that I can find still going on is when I'm in the start menu, I am unable to right click anything. I'm thinking it was something I accidentally disabled through HJ when my desktop icons were gone and I tried disabling random bogies :whistle: . I have backups created in Hijack I can restore if you know the name... "extra button" or something?

:trumpet: THANKS AGAIN GRINGO!





Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5481

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/7/2011 8:24:36 PM
mbam-log-2011-01-07 (20-24-36).txt

Scan type: Quick scan
Objects scanned: 165688
Time elapsed: 8 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




















Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:40:28 PM, on 1/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\M-AudioTaskBarIcon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Administrator\Desktop\iSh\Virus Stuff\HijackThis.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\system32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 3186 bytes

Edited by Jesusjones1024, 08 January 2011 - 01:04 AM.


#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:51 AM

Posted 08 January 2011 - 01:19 AM

Restore HijackThis entries
The HijackThis log backup contains all entries that have been deleted...both good and bad entries.
Let's restore the deleted entries, that we need.
  • Run HijackThis.
    If using Vista, you must right click (hijackthis.exe) and choose "Run As Administrator".
    • If you are on the "scan & fix stuff" page... Press the Main Menu...button.
  • On the Main Menu, press the "View the list of backups" button.
  • Place a check in the boxes of every entry.
  • With ALL entries checked, press the "Restore" button, then reply Yes at the prompt.
    Once the restore is done...
  • Press the "Back" button... the press the "Scan"..button.
    When the scan is completed
  • Press the "Save log" ...button. Save it to your desktop.
    Notepad will open, with a copy of the "hijackthis.log".
  • Please copy/paste the contents of the hijackthis.log file in your next reply.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 Jesusjones1024

Jesusjones1024
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 09 January 2011 - 03:55 AM

Here you go!



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:54:10 AM, on 1/9/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Documents and Settings\Administrator\Desktop\iSh\Virus Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Webroot Browser Helper Object - {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - C:\Program Files\Webroot\Security\current\products\WISC\toolbar\LPBar.dll (file missing)
O2 - BHO: WRCommonBHO - {D93EC24D-8741-4D41-B83D-A5793B998416} - C:\Program Files\Webroot\Security\current\plugins\browserextension\WebrootBHO.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {97ab88ef-346b-4179-a0b1-7445896547a5} - (no file)
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Rfitucaqiqejej] rundll32.exe "C:\WINDOWS\orejexijokiqov.dll",Startup
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [1133359] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1133359.exe
O4 - HKCU\..\Run: [Kvavecuxisetacok] rundll32.exe "C:\WINDOWS\cordmsth.dll",Startup
O4 - HKCU\..\Run: [kkjtGGvYfk.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kkjtGGvYfk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GenericMount Helper Service - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\GenericMountHelper.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe

--
End of file - 5556 bytes

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:51 AM

Posted 09 January 2011 - 04:24 AM

do you have your right click back?

go ahead and remove these lines from hijack again

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Rfitucaqiqejej] rundll32.exe "C:\WINDOWS\orejexijokiqov.dll",Startup
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [1133359] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1133359.exe
O4 - HKCU\..\Run: [Kvavecuxisetacok] rundll32.exe "C:\WINDOWS\cordmsth.dll",Startup
O4 - HKCU\..\Run: [kkjtGGvYfk.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kkjtGGvYfk.exe
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users