
Winlogon.exe is infected with Win32:Malware-gen


24 replies to this topic

#1 bonky


Posted 12 January 2011 - 08:19 PM

I'm running windows XP pro, and have the output of my DDS here:




DDS (Ver_10-12-12.02) - NTFSx86
Run by Daddy at 17:19:13.92 on Wed 01/12/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.537 [GMT -6:00]

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *Disabled*

============== Running Processes ===============

I:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
I:\WINDOWS\System32\svchost.exe -k netsvcs
I:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
I:\WINDOWS\system32\ZoneLabs\vsmon.exe
I:\Program Files\Alwil Software\Avast5\AvastSvc.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\SOUNDMAN.EXE
I:\Program Files\TweakNow PowerPack 2006\RAM2_XP.exe
I:\Program Files\Microsoft IntelliType Pro\itype.exe
I:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
I:\Program Files\Logitech\MouseWare\system\em_exec.exe
I:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Documents and Settings\Daddy\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe
I:\Program Files\Executive Software\DiskeeperServer\DKService.exe
I:\Program Files\Java\jre6\bin\jqs.exe
I:\Program Files\Common Files\LightScribe\LSSrvc.exe
I:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
I:\WINDOWS\System32\nvsvc32.exe
I:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
I:\WINDOWS\System32\svchost.exe -k imgsvc
I:\WINDOWS\system32\wscntfy.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Windows Live\Toolbar\wltuser.exe
I:\Program Files\Messenger\msmsgs.exe
I:\Documents and Settings\Daddy\Local Settings\Temp\16.tmp\MBR.DAT
I:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
I:\Documents and Settings\Daddy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.excite.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - i:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - i:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - i:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - i:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - i:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - i:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - i:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - i:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - i:\program files\orbitdownloader\GrabPro.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - i:\program files\windows live\toolbar\wltcore.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NoAds] "i:\program files\noads\NoAds.exe"
uRun: [ctfmon.exe] i:\windows\system32\ctfmon.exe
uRun: [Google Update] "i:\documents and settings\daddy\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] i:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [NBJ] "i:\program files\ahead\nero backitup\NBJ.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE i:\windows\system32\NvCpl.dll,NvStartup
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RAM Idle Professional] i:\program files\tweaknow powerpack 2006\RAM2_XP.exe
mRun: [itype] "i:\program files\microsoft intellitype pro\itype.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [ZoneAlarm Client] "i:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avast5] i:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [LWS] i:\program files\logitech\lws\webcam software\LWS.exe -hide
uPolicies-explorer: link = 0 (0x0)
uPolicies-explorer: NoSMMyPictures = 0 (0x0)
uPolicies-explorer: MaxRecentDocs = 11 (0xb)
IE: &Download by Orbit - i:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - i:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - i:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - i:\program files\orbitdownloader\orbitmxt.dll/202
IE: Sothink SWF Catcher - i:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - i:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - i:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - i:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - i:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: excite.com\www
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199211186812
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - i:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - i:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - i:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - i:\docume~1\daddy\applic~1\mozilla\firefox\profiles\se3a1z25.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com/
FF - plugin: i:\documents and settings\daddy\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: i:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: i:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - i:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - i:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Noia 2.0 eXtreme OPT: noia2_option@kk.noia - %profile%\extensions\noia2_option@kk.noia
FF - Ext: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - %profile%\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;i:\windows\system32\drivers\pavboot.sys [2010-3-27 28552]
R1 aswSP;aswSP;i:\windows\system32\drivers\aswSP.sys [2010-4-20 165584]
R1 SASDIFSV;SASDIFSV;i:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;i:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vsdatant;vsdatant;i:\windows\system32\vsdatant.sys [2010-3-30 486280]
R2 aawservice;Lavasoft Ad-Aware Service;i:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 aswFsBlk;aswFsBlk;i:\windows\system32\drivers\aswFsBlk.sys [2010-4-20 17744]
R2 avast! Antivirus;avast! Antivirus;i:\program files\alwil software\avast5\AvastSvc.exe [2010-4-20 40384]
R2 fssfltr;FssFltr;i:\windows\system32\drivers\fssfltr_tdi.sys [2010-7-10 54752]
R2 vsmon;TrueVector Internet Monitor;i:\windows\system32\zonelabs\vsmon.exe -service --> i:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;i:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 avast! Mail Scanner;avast! Mail Scanner;i:\program files\alwil software\avast5\AvastSvc.exe [2010-4-20 40384]
S3 avast! Web Scanner;avast! Web Scanner;i:\program files\alwil software\avast5\AvastSvc.exe [2010-4-20 40384]
S3 fsssvc;Windows Live Family Safety Service;i:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;i:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2011-01-12 03:52:21 -------- d-s---w- I:\Combo-Fix
2011-01-11 10:44:06 -------- d-sha-r- I:\cmdcons
2011-01-11 10:42:14 98816 ----a-w- i:\windows\sed.exe
2011-01-11 10:42:14 89088 ----a-w- i:\windows\MBR.exe
2011-01-11 10:42:14 256512 ----a-w- i:\windows\PEV.exe
2011-01-11 10:42:14 161792 ----a-w- i:\windows\SWREG.exe
2011-01-10 04:46:16 -------- d-----w- i:\docume~1\alluse~1\applic~1\aHiOn04200
2011-01-08 21:04:36 -------- d-----w- I:\Downloads

==================== Find3M ====================

2006-05-03 09:06:54 163328 --sh--r- i:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- i:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- i:\windows\system32\nbDX.dll

============= FINISH: 17:20:53.81 ===============




The output of my GMER scan is here:





GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-12 19:07:36
Windows 5.1.2600 Service Pack 2 Harddisk2\DR2 -> \Device\Ide\IdeDeviceP3T0L0-22 ST3400832AS rev.3.03
Running: gmer.exe; Driver: I:\DOCUME~1\Daddy\LOCALS~1\Temp\pxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xF4776CF0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xF48CF630]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xF48C8D80]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xF4776BAC]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xF48CFE40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xF48CFFB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xF48C9C60]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xF4777160]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xF477708A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xF4776782]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xF48EF080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xF48EF2B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xF48C9750]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xF4776C86]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xF47766C2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xF4776726]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xF4776DA6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xF477722E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xF48EFA40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xF48CF180]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xF4776D66]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xF48CA080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xF48F08E0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xF4776EE6]
SSDT \??\I:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF4861620]

---- Kernel code sections - GMER 1.0.15 ----

.text I:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF6CA4360, 0x1DE5ED, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text I:\WINDOWS\Explorer.EXE[1636] Explorer.EXE 01002742 2 Bytes [34, 15] {XOR AL, 0x15}
.text I:\WINDOWS\Explorer.EXE[1636] Explorer.EXE 01002756 14 Bytes [8B, FF, 55, 8B, EC, 56, 57, ...]
.text I:\WINDOWS\Explorer.EXE[1636] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 00B3711A
.text I:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1792] kernel32.dll!SetUnhandledExceptionFilter 7C84479D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text I:\Program Files\Internet Explorer\iexplore.exe[3860] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 00147144
.text I:\Program Files\Internet Explorer\iexplore.exe[3860] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F2C1 I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[3860] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A166F I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[3860] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A15F0 I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[3860] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A1634 I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[3860] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A157C I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[3860] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A15B6 I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[3860] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A16AA I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[3860] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F31676 I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[3860] ws2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 001461EE
.text I:\Program Files\Internet Explorer\iexplore.exe[3860] ws2_32.dll!send 71AB428A 5 Bytes JMP 00145B7A
.text I:\Program Files\Internet Explorer\iexplore.exe[3860] ws2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00145D77
.text I:\Program Files\Internet Explorer\iexplore.exe[3860] ws2_32.dll!recv 71AB615A 5 Bytes JMP 00145BED
.text I:\Program Files\Internet Explorer\iexplore.exe[3860] ws2_32.dll!WSASend 71AB6233 5 Bytes JMP 00145CC8
.text I:\Program Files\Internet Explorer\iexplore.exe[3860] ws2_32.dll!closesocket 71AB9639 5 Bytes JMP 00145FF2

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----






Again, any help or advice would be greatly appreciated, thank you.
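When reading a GMER log like the one above, the lines a responder checks first are the inline detours in the "User code sections" whose JMP destination GMER could not map to a module on disk (the `ws2_32.dll` hooks in `iexplore.exe` here, versus the USER32 hooks attributed to IEFRAME.dll). The following is an added example, not part of the thread or of GMER itself; it parses that section format and builds the review queue. The sample lines are copied from the log above into a constructed inline string.

```python
"""Triage GMER 1.0.15 'User code sections' lines: separate detours that GMER
attributed to a module from those it could not, which are the ones to inspect."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: five lines copied from the GMER log above, embedded
# here so the script runs offline.
SAMPLE_GMER = r""".text I:\WINDOWS\Explorer.EXE[1636] Explorer.EXE 01002742 2 Bytes [34, 15] {XOR AL, 0x15}
.text I:\WINDOWS\Explorer.EXE[1636] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 00B3711A
.text I:\Program Files\Internet Explorer\iexplore.exe[3860] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F2C1 I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[3860] ws2_32.dll!send 71AB428A 5 Bytes JMP 00145B7A
.text I:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1792] kernel32.dll!SetUnhandledExceptionFilter 7C84479D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
"""

# ".text <image>[<pid>] <module>!<export> <addr> <n> Bytes <JMP target [module (vendor)] | [bytes] {disasm}>"
LINE_RE = re.compile(
    r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] (?P<symbol>\S+) (?P<addr>[0-9A-F]+) "
    r"(?P<size>\d+) Bytes (?P<rest>.*)$"
)


@dataclass
class Hook:
    image: str                  # hooked process image path
    pid: int
    symbol: str                 # "ws2_32.dll!send", or "Explorer.EXE" for a patch in the image itself
    address: int                # patched address
    size: int                   # number of patched bytes
    kind: str                   # "jmp" (detour) or "patch" (inline byte change, e.g. RET 4; NOP)
    target: Optional[int]       # JMP destination when kind == "jmp"
    attribution: Optional[str]  # module GMER mapped the destination to, if any


def parse_gmer_user_sections(text: str) -> List[Hook]:
    hooks: List[Hook] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, other GMER sections
        rest = m.group("rest")
        if rest.startswith("JMP "):
            _, target_hex, *tail = rest.split(" ", 2)
            kind, target = "jmp", int(target_hex, 16)
            attribution = tail[0].strip() if tail and tail[0].strip() else None
        else:
            kind, target, attribution = "patch", None, None
        hooks.append(Hook(m.group("image"), int(m.group("pid")), m.group("symbol"),
                          int(m.group("addr"), 16), int(m.group("size")),
                          kind, target, attribution))
    return hooks


def unattributed_jumps(text: str) -> List[Hook]:
    """Detours whose destination GMER could not map to a module on disk. Security
    software that injects into processes (avast! and ZoneAlarm on this machine)
    produces such lines too, so this is a review queue, not a verdict: the next step
    is to check which loaded module owns that address in the live process."""
    return [h for h in parse_gmer_user_sections(text)
            if h.kind == "jmp" and h.attribution is None]


def summarize(text: str) -> Dict[str, Dict[str, int]]:
    """Per hooked process: total inline changes and how many are unattributed detours."""
    out: Dict[str, Dict[str, int]] = {}
    for h in parse_gmer_user_sections(text):
        key = f"{h.image.rsplit(chr(92), 1)[-1]}[{h.pid}]"   # basename of a Windows path
        entry = out.setdefault(key, {"hooks": 0, "unattributed": 0})
        entry["hooks"] += 1
        if h.kind == "jmp" and h.attribution is None:
            entry["unattributed"] += 1
    return out


if __name__ == "__main__":
    for h in unattributed_jumps(SAMPLE_GMER):
        print(f"review: {h.symbol} in pid {h.pid} -> {h.target:08X}")
    print(summarize(SAMPLE_GMER))
```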

#2 teacup61


Posted 12 January 2011 - 08:43 PM

Hello bonky ,


Can you please post the ComboFix report for me? :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 bonky


Posted 12 January 2011 - 10:06 PM

I wish I could, but cannot get ComboFix to complete a run. It starts, but never completes a scan, I've tried several times without any success.

#4 teacup61


Posted 12 January 2011 - 10:30 PM

Okay...so you never got it to run at all? It will in a bit. :) You may have to either rename it or download a fresh one, but it should run after this.

Navigate to this folder and delete it : i:\documents and settings\allusers\application data\aHiOn04200

Now see if ComboFix will run. :)

Thanks,
tea

#5 bonky


Posted 12 January 2011 - 10:48 PM

Will do, thank you very much Ma'am!

#6 teacup61


Posted 12 January 2011 - 10:56 PM

You're welcome muchly sir/madam (kind of hard to tell by your username)! :lol: Post when you're ready. :)

#7 bonky


Posted 13 January 2011 - 09:15 AM

I'm an old guy who hasn't filled out his profile information yet :)

I tried a couple of runs with ComboFix, and have had no luck. I renamed it to Combo-Fix, and it didn't work; I went back and removed the folder, downloaded again and had the same result.

It loads the program, backs up the registry and starts the scan, but nothing more happens. It looks as though the program is running, but even after four hours it's still locked in a loop. I'm unable to halt the process, open any other programs or the task manager after starting ComboFix, and have to do a hard reset to break out of it.

I'll be darned if I can figure it out; it must be some process running that is blocking it, but I cannot seem to determine what it is. I'm certainly glad you're helping out, because this one has me baffled!

Thank you again for your help :)

#8 teacup61


Posted 13 January 2011 - 09:46 AM

Hello,

You're welcome. :)

Let's see if this helps some too....update to SP3, reboot, then try ComboFix renamed to bonky.exe. Please also post me up a new DDS log since we'll have made several changes by then. :)

Thanks,
tea

#9 bonky


Posted 14 January 2011 - 08:38 AM

Thank you very much for the help, but still not having any luck with ComboFix. At this point, I'm weighing my options. I'm running an install of XP that's around five years old, so a re-install is probably waaaay overdue, but like many techs, my equipment is the last to receive due attention.

That, and doing an install along with tracking down five years' worth of 3rd-party software and associated registrations would be a real pain.

So I have a question.... The affected file is winlogon.exe, and I have a few clean copies which are backed up on my system (same file size and date). Can I not just boot from recovery console, rename the infected winlogon, copy a new one into system32, then boot normally and if all is well remove the infected copy? At that point a new scan should remove malware, I can flush all temp files, reinstall Java, etc., and hopefully be OK.

The reason I'm asking is that I'd rather attempt something in one shot, and if it fails, move on with a format and reinstall. I don't have any critical data on this system, just old programs and games that I'd like to keep for sentimental reasons, which most likely would be lost if I am forced to format.

Again, I thank you very much for all your help so far, and for being patient with an old MCSE who has been out of the field for about eight years :)

#10 teacup61


Posted 14 January 2011 - 11:00 AM

Hi there,

The affected file is winlogon.exe, and I have a few clean copies which are backed up on my system (same file size and date). Can I not just boot from recovery console, rename the infected winlogon, copy a new one into system32, then boot normally and if all is well remove the infected copy?

You don't even have to go to RC to do that. Simply grab one out of i386, if you updated to SP3, and replace the infected one....or from dllcache. I want to save the system, if no other reason than to allow you to save anything you might want/need before you reformat, should you decide to do so. So....if you replace the winlogon, after a reboot, please try ComboFix again.

And, you're most welcome. You've been kind and patient in a frustrating time and I appreciate it. :)

tea
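Before swapping in a replacement copy as discussed in the last two posts, a practitioner would verify it by content hash rather than by size and date, since two files can match on both and still differ in bytes. The following is an added example, not from the thread: it hashes the system32 copy against the dllcache and ServicePackFiles\i386 copies and also checks that the reference copies agree with each other. The directory layout and file contents are constructed stand-ins built in a temporary folder; on a real XP system you would pass the actual paths (the install CD's i386 keeps winlogon.ex_ cab-compressed, so expand it first, and compare copies of the same service-pack level).

```python
"""Verify a replacement winlogon.exe against clean copies by SHA-256, not by
size and modification date, which are easy to match and prove nothing."""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_against_references(candidate: str, references: List[str]) -> Dict[str, Dict[str, object]]:
    """For each reference copy, report whether size, mtime and SHA-256 match the
    candidate. Only same_hash establishes that the two files are the same image."""
    cand_stat = os.stat(candidate)
    cand_hash = sha256_file(candidate)
    report: Dict[str, Dict[str, object]] = {}
    for ref in references:
        st = os.stat(ref)
        ref_hash = sha256_file(ref)
        report[ref] = {
            "same_size": st.st_size == cand_stat.st_size,
            "same_mtime": int(st.st_mtime) == int(cand_stat.st_mtime),
            "same_hash": ref_hash == cand_hash,
            "reference_sha256": ref_hash,
        }
    return report


def references_agree(report: Dict[str, Dict[str, object]]) -> bool:
    """Second check: clean copies of the same service-pack level must hash identically;
    if they disagree, one of the 'clean' backups is not what it seems."""
    return len({r["reference_sha256"] for r in report.values()}) == 1


def build_demo_tree(root: str) -> Dict[str, str]:
    """Constructed stand-in for the XP layout: a modified winlogon.exe under system32
    and two clean copies. All three get the same size and the same timestamp."""
    clean = b"MZ" + b"\x00" * 1022 + b"clean-winlogon-image"
    patched = b"MZ" + b"\x00" * 1022 + b"XXXXX-winlogon-image"  # same length, different bytes
    paths = {
        "candidate": os.path.join(root, "WINDOWS", "system32", "winlogon.exe"),
        "dllcache": os.path.join(root, "WINDOWS", "system32", "dllcache", "winlogon.exe"),
        "sp_i386": os.path.join(root, "WINDOWS", "ServicePackFiles", "i386", "winlogon.exe"),
    }
    stamp = 1199232000  # constructed fixed timestamp applied to every file
    for key, data in (("candidate", patched), ("dllcache", clean), ("sp_i386", clean)):
        p = paths[key]
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        os.utime(p, (stamp, stamp))
    return paths


def run_demo() -> Dict[str, bool]:
    """Builds the constructed tree and runs the checks; returns the three verdicts."""
    with tempfile.TemporaryDirectory() as root:
        paths = build_demo_tree(root)
        report = compare_against_references(paths["candidate"],
                                            [paths["dllcache"], paths["sp_i386"]])
        return {
            "size_and_date_match": all(r["same_size"] and r["same_mtime"] for r in report.values()),
            "hash_matches_any_reference": any(r["same_hash"] for r in report.values()),
            "references_agree": references_agree(report),
        }


if __name__ == "__main__":
    print(run_demo())
```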

#11 bonky


Posted 16 January 2011 - 02:08 PM

I'm still working on it, and haven't yet made any changes... I really do appreciate your helping me deal with a frustrating situation, and I'm confident I'll arrive at a solution soon. Thank you very much for all your help :)

#12 bonky


Posted 18 January 2011 - 10:42 AM

I've installed SP3, and was able to remove the infected winlogon.exe after the update was complete. I'm still unable to run ComboFix, but am currently at work and am unable to access the computer for a few hours. As soon as I'm able, I will re-run scanners and post new logs.

Thank you for all your help, without which I'd never have made this much progress :)

#13 bonky


Posted 18 January 2011 - 09:24 PM

Okay, winlogon.exe is fixed, but I have what appears to be a trojan in my IE5 history folder. My latest DDS log is here:



DDS (Ver_10-12-12.02) - NTFSx86
Run by Daddy at 19:03:12.75 on Tue 01/18/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.445 [GMT -6:00]

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *Disabled*

============== Running Processes ===============

I:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
I:\WINDOWS\System32\svchost.exe -k netsvcs
I:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
I:\Program Files\Alwil Software\Avast5\AvastSvc.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Executive Software\DiskeeperServer\DKService.exe
I:\Program Files\Java\jre6\bin\jqs.exe
I:\Program Files\Common Files\LightScribe\LSSrvc.exe
I:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
I:\WINDOWS\System32\nvsvc32.exe
I:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
I:\WINDOWS\System32\svchost.exe -k imgsvc
I:\WINDOWS\system32\wscntfy.exe
I:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\SOUNDMAN.EXE
I:\Program Files\TweakNow PowerPack 2006\RAM2_XP.exe
I:\Program Files\Microsoft IntelliType Pro\itype.exe
I:\Program Files\Logitech\MouseWare\system\em_exec.exe
I:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
I:\Program Files\Common Files\Java\Java Update\jusched.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Documents and Settings\Daddy\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
I:\Documents and Settings\Daddy\Local Settings\Temp\11.tmp\MBR.DAT
I:\Documents and Settings\Daddy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.excite.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - i:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - i:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - i:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - i:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - i:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - i:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - i:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - i:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - i:\program files\orbitdownloader\GrabPro.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - i:\program files\windows live\toolbar\wltcore.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NoAds] "i:\program files\noads\NoAds.exe"
uRun: [ctfmon.exe] i:\windows\system32\ctfmon.exe
uRun: [Google Update] "i:\documents and settings\daddy\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] i:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [NBJ] "i:\program files\ahead\nero backitup\NBJ.exe"
uRun: [Logitech Vid] "i:\program files\logitech\vid hd\Vid.exe" -bootmode
mRun: [NvCplDaemon] RUNDLL32.EXE i:\windows\system32\NvCpl.dll,NvStartup
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RAM Idle Professional] i:\program files\tweaknow powerpack 2006\RAM2_XP.exe
mRun: [itype] "i:\program files\microsoft intellitype pro\itype.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [ZoneAlarm Client] "i:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avast5] i:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [LWS] i:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [SunJavaUpdateSched] "i:\program files\common files\java\java update\jusched.exe"
uPolicies-explorer: link = 0 (0x0)
uPolicies-explorer: NoSMMyPictures = 0 (0x0)
uPolicies-explorer: MaxRecentDocs = 11 (0xb)
IE: &Download by Orbit - i:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - i:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - i:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - i:\program files\orbitdownloader\orbitmxt.dll/202
IE: Sothink SWF Catcher - i:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - i:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - i:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - i:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - i:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: excite.com\www
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199211186812
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - i:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - i:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - i:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - i:\docume~1\daddy\applic~1\mozilla\firefox\profiles\se3a1z25.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com/
FF - plugin: i:\documents and settings\daddy\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: i:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: i:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: i:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - i:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - i:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Noia 2.0 eXtreme OPT: noia2_option@kk.noia - %profile%\extensions\noia2_option@kk.noia
FF - Ext: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - %profile%\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;i:\windows\system32\drivers\aswSP.sys [2010-4-20 165584]
R1 SASDIFSV;SASDIFSV;i:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;i:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vsdatant;vsdatant;i:\windows\system32\vsdatant.sys [2010-3-30 486280]
R2 aswFsBlk;aswFsBlk;i:\windows\system32\drivers\aswFsBlk.sys [2010-4-20 17744]
R2 avast! Antivirus;avast! Antivirus;i:\program files\alwil software\avast5\AvastSvc.exe [2010-4-20 40384]
R2 fssfltr;FssFltr;i:\windows\system32\drivers\fssfltr_tdi.sys [2010-7-10 54752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;i:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 vsmon;TrueVector Internet Monitor;i:\windows\system32\zonelabs\vsmon.exe -service --> i:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 avast! Mail Scanner;avast! Mail Scanner;i:\program files\alwil software\avast5\AvastSvc.exe [2010-4-20 40384]
S3 avast! Web Scanner;avast! Web Scanner;i:\program files\alwil software\avast5\AvastSvc.exe [2010-4-20 40384]
S3 fsssvc;Windows Live Family Safety Service;i:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;i:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2011-01-18 12:32:04 -------- d-s---w- I:\Bonky3
2011-01-18 04:00:18 144384 ------w- i:\windows\system32\drivers\hdaudbus.sys
2011-01-18 04:00:18 10240 ------w- i:\windows\system32\drivers\sffp_mmc.sys
2011-01-18 03:59:10 19569 ----a-w- i:\windows\005872_.tmp
2011-01-18 00:20:59 -------- d-s---w- I:\Bonky2
2011-01-17 23:16:10 -------- d-----w- I:\he
2011-01-16 04:39:09 472808 ----a-w- i:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-01-16 04:39:08 472808 ----a-w- i:\windows\system32\deployJava1.dll
2011-01-14 13:20:55 -------- d-----w- I:\help
2011-01-11 10:44:06 -------- d-sha-r- I:\cmdcons
2011-01-11 10:42:14 98816 ----a-w- i:\windows\sed.exe
2011-01-11 10:42:14 89088 ----a-w- i:\windows\MBR.exe
2011-01-11 10:42:14 256512 ----a-w- i:\windows\PEV.exe
2011-01-11 10:42:14 161792 ----a-w- i:\windows\SWREG.exe
2011-01-08 21:04:36 -------- d-----w- I:\Downloads

==================== Find3M ====================

2011-01-13 03:19:13 60416 ----a-w- i:\windows\ALCFDRTM.VER
2010-11-12 22:34:10 73728 ----a-w- i:\windows\system32\javacpl.cpl
2006-05-03 09:06:54 163328 --sh--r- i:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- i:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- i:\windows\system32\nbDX.dll

============= FINISH: 19:03:34.70 ===============



Also, I re-ran Gmer, and the results are here:


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-18 17:52:51
Windows 5.1.2600 Service Pack 3 Harddisk2\DR2 -> \Device\Ide\IdeDeviceP3T0L0-22 ST3400832AS rev.3.03
Running: gmer.exe; Driver: I:\DOCUME~1\Daddy\LOCALS~1\Temp\pxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xF405ACF0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xF41DA630]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xF41D3D80]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xF405ABAC]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xF41DAE40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xF41DAFB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xF41D4C60]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xF405B160]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xF405B08A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xF405A782]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xF41FA080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xF41FA2B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xF41D4750]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xF405AC86]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xF405A6C2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xF405A726]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xF405ADA6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xF405B22E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xF41FAA40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xF41DA180]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xF405AD66]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xF41D5080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xF41FB8E0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xF405AEE6]
SSDT \??\I:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF416C620]

---- Kernel code sections - GMER 1.0.15 ----

.text I:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF6518360, 0x1DE5ED, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text I:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1512] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F41E0080] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F41DFE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F41E07C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F41DE3D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F41DE3D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F41E0080] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F41DFE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F41E07C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F41E0080] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F41DE3D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F41E07C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F41DFE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F41E07C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F41DFE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F41E0080] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F41DE3D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F41E0080] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F41DFE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F41E07C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\HIDCLASS.SYS[HIDPARSE.SYS!HidP_GetCollectionDescription] [F79B95C4] \SystemRoot\system32\DRIVERS\HIDPARSE.SYS (Hid Parsing Library/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\hidusb.sys[HIDCLASS.SYS!HidRegisterMinidriver] [F6BA2410] \SystemRoot\System32\Drivers\HIDCLASS.SYS (Hid Class Library/Microsoft Corporation)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F41E0080] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F41DE3D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F41E07C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F41DFE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT I:\WINDOWS\system32\services.exe[724] @ I:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00390002
IAT I:\WINDOWS\system32\services.exe[724] @ I:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00390000
IAT I:\WINDOWS\Explorer.EXE[2564] @ I:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00DB3880] I:\WINDOWS\system32\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT I:\WINDOWS\Explorer.EXE[2564] @ I:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00DB3930] I:\WINDOWS\system32\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT I:\WINDOWS\Explorer.EXE[2564] @ I:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00DB3A60] I:\WINDOWS\system32\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT I:\WINDOWS\Explorer.EXE[2564] @ I:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00DB39D0] I:\WINDOWS\system32\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----

Thank you very much for any help you might be able to provide, it looks as though I am making some progress :)

Attached Files:
  • gmer.log (14.46KB)
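Added here as a worked example (not part of bonky's post, and not code from GMER or any of the tools in this thread): GMER prints every SSDT and IAT hook it finds, but leaves the reader to work out which ones are explained by security software the user installed on purpose and which are not. The script below parses the hook lines in GMER 1.0.15's format, attributes each hook to the module and vendor string GMER printed, checks the vendor against a short allow-list, and returns the rest for manual review; it also picks up the `LoadAppInit_DLLs` line from the Registry section. The allow-list is an assumption for this machine (the three products visible in the DDS log above), the sample log is constructed from lines of the posted GMER output plus one synthetic `example.sys` entry with no version information, and all function names are mine.

```python
"""Triage the SSDT / IAT hook lines of a GMER 1.0.15 log.

Added example, not part of the original post or of GMER: group each hook by
the module GMER attributes it to, check that module's vendor string against a
short allow-list, and hand everything else back for manual review.
"""
import re

# Assumption for this thread: the three products the posted DDS log shows
# installed (avast!, ZoneAlarm, SUPERAntiSpyware).  Keep such a list short.
TRUSTED_VENDORS = {
    "AVAST Software",
    "Check Point Software Technologies LTD",
    "SUPERAdBlocker.com and SUPERAntiSpyware.com",
}

# Constructed sample in GMER's own line formats, modelled on the posted log.
# The example.sys SSDT line is synthetic (hypothetical name) to show how an
# entry without version information is reported.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xF405ACF0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xF41D3D80]
SSDT \??\I:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF416C620]
SSDT \SystemRoot\System32\Drivers\example.sys ZwOpenProcess [0xF4000000]
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F41DFE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
---- User IAT/EAT - GMER 1.0.15 ----
IAT I:\WINDOWS\system32\services.exe[724] @ I:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00390000
IAT I:\WINDOWS\Explorer.EXE[2564] @ I:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00DB3880] I:\WINDOWS\system32\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
"""

# "(description/vendor)" suffix GMER appends when the module has version info.
_VER = r"(?:\s+\((?P<desc>[^/)]*)/(?P<vendor>[^)]*)\))?"
# SSDT <module> [(desc/vendor)] <ZwFunction> [0xADDR]
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S.*?)" + _VER
                     + r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$")
# IAT <driver>[<import>] [ADDR] <hooking module> [(desc/vendor)]
KIAT_RE = re.compile(r"^IAT\s+(?P<victim>\S+)\[(?P<func>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]"
                     r"\s+(?P<module>\S.*?)" + _VER + r"\s*$")
# IAT <process>[pid] @ <image> [<import>] ADDR or [ADDR] [<hooking module> [(desc/vendor)]]
UIAT_RE = re.compile(r"^IAT\s+(?P<victim>.+?\[\d+\])\s+@\s+\S.*?\s+\[(?P<func>[^\]]+)\]"
                     r"\s+\[?(?P<addr>[0-9A-Fa-f]+)\]?(?:\s+(?P<module>\S.*?)" + _VER + r")?\s*$")
APPINIT_RE = re.compile(r"^Reg\s+HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
                        r"\\Windows@LoadAppInit_DLLs\s+(\d+)")


def parse_hooks(log_text):
    """Return one dict per SSDT/IAT line; module and vendor are None when absent."""
    hooks = []
    for line in log_text.splitlines():
        line = line.strip()
        for rx in (SSDT_RE, KIAT_RE, UIAT_RE):
            m = rx.match(line)
            if m:
                d = m.groupdict()
                hooks.append({"kind": line.split()[0], "victim": d.get("victim"),
                              "func": d["func"], "addr": d["addr"],
                              "module": d.get("module"), "vendor": d.get("vendor")})
                break
    return hooks


def triage(hooks, trusted=TRUSTED_VENDORS):
    """Split hooks into (trusted, suspect).

    Suspect: GMER printed only a raw address with no module, the module has no
    version information, or its vendor string is not on the allow-list.  The
    vendor string comes from the file's version resource, which anything can
    forge, so "trusted" means "explained by software the user installed", not
    "verified clean".
    """
    trusted_hooks, suspect = [], []
    for h in hooks:
        (trusted_hooks if h["module"] and h["vendor"] in trusted else suspect).append(h)
    return trusted_hooks, suspect


def appinit_dlls_enabled(log_text):
    """True when the Registry section shows LoadAppInit_DLLs with a non-zero value.

    AppInit_DLLs loads the DLLs named under that key into every process that
    loads user32.dll.  GMER prints only this flag, not the DLL list, so a
    non-zero value is the cue to read the AppInit_DLLs value itself.
    """
    for line in log_text.splitlines():
        m = APPINIT_RE.match(line.strip())
        if m:
            return m.group(1) != "0"
    return False


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    ok, review = triage(hooks)
    print(f"{len(hooks)} hooks parsed, {len(ok)} explained by allow-listed vendors")
    for h in review:
        where = h["module"] or f"unattributed address {h['addr']}"
        print(f"REVIEW {h['kind']:4} {h['func']:<28} -> {where} [{h['vendor'] or 'no version info'}]")
    if appinit_dlls_enabled(SAMPLE_LOG):
        print("REVIEW LoadAppInit_DLLs is non-zero: inspect the AppInit_DLLs value")
```

Run against the log posted above, every SSDT entry resolves to aswSP.SYS, vsdatant.sys or SASKUTIL.SYS and the kernel IAT entries all resolve to vsdatant.sys, so they drop out as explained. What is left for a manual look is the Logitech camera helper DLL in Explorer (legitimate per its description, but not on the list, which is the point of keeping the list short) and the two services.exe IAT entries that carry a bare address with no module; those are worth resolving by hand before calling the machine clean. A production version of this check should key the allow-list on the hooking file's Authenticode signature or hash rather than on the vendor string GMER prints.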


#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 19 January 2011 - 01:15 PM

Hi there,

See if you can uninstall ComboFix, and we'll try it again later.

Uninstall ComboFix by doing the following :

Click Start>Run>Type in, or copy and paste ComboFix /Uninstall > click OK

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#15 bonky

bonky
  • Topic Starter

  • Members
  • 13 posts

Posted 19 January 2011 - 06:10 PM

Thank you ma'am, I did as you suggested, and MBAM found nothing running, although that may have been because the system is still running on the same boot-up after I'd run a scan with SuperAntiSpyware, which removed a few things.


Here's the MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5557

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/19/2011 4:56:13 PM
mbam-log-2011-01-19 (16-56-13).txt

Scan type: Quick scan
Objects scanned: 143196
Time elapsed: 5 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thank you very much for continuing to help; it seems as though once I locate a bad file or two, my problems may be over. After a reboot, Avast finds a trojan or two, but is at least able to remove them. I suspect an infected DLL may be initiating this during startup, but that's just a guess.
