Rootkit.Agent


1 reply to this topic

#1 boostling

Posted 16 January 2011 - 05:07 PM

I'm using a Toshiba laptop, Windows 7 64-bit with 4GB of RAM and an ATI Radeon Mobility Series 4000 card. Starting last night my laptop has been randomly crashing, sometimes with a BSOD, or it just freezes without warning. I am only able to use it in safe mode.

Before we begin, here are my logs:

DDS (Ver_10-12-12.02) - NTFS_AMD64 NETWORK
Run by Matt at 16:47:08.60 on Sun 01/16/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3835.3019 [GMT -5:00]

AV: Norton Internet Security *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}

============== Running Processes ===============

C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Users\Matt\Desktop\dds.scr
C:\windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?brand=TSND&bmod=TSND
uDefault_Page_URL = hxxp://www.google.com/ig?brand=TSND&bmod=TSND
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
uInternet Settings,ProxyOverride = <local>;*.local
mWinlogon: Userinit=userinit.exe,
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Partner BHO Class: {83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} - C:\ProgramData\Partner\Partner.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
dRun: [JP595IR86O] C:\windows\TEMP\Qwv.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
BHO-X64: Partner BHO Class: {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner64.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg64.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [(Default)]
mRun-x64: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t
mRun-x64: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun-x64: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun-x64: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun-x64: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun-x64: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
mRun-x64: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe
mRun-x64: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
mRun-x64: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe
mRun-x64: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe

================= FIREFOX ===================

FF - ProfilePath - C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\wa7833se.default\
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Ant Video Downloader: anttoolbar@ant.com - %profile%\extensions\anttoolbar@ant.com
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

============= SERVICES / DRIVERS ===============

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]
R3 FwLnk;FwLnk Driver;C:\Windows\System32\drivers\FwLnk.sys [2010-11-4 9216]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2010-3-4 75816]
S1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
S1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-11-4 202752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-7-19 136176]
S2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\18.0.0.128\ccSvcHst.exe [2010-11-4 126904]
S2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe [2010-11-4 103792]
S2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe [2010-11-4 126392]
S2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-4-24 483688]
S3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atipmdag.sys [2010-11-4 6403072]
S3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2010-11-4 188928]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 Partner Service;Partner Service;C:\ProgramData\Partner\Partner.exe [2010-7-19 332272]
S3 PGEffect;Pangu effect driver;C:\Windows\System32\drivers\PGEffect.sys [2010-11-4 35008]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2010-11-4 232992]
S3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2010-4-24 721768]
S3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2010-4-24 269672]
S3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2010-4-24 25960]
S3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2010-4-24 22376]
S3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-4-24 209768]
S3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-11-4 51512]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-12-27 1255736]

=============== Created Last 30 ================

2011-01-16 21:13:12 -------- d-----w- C:\Users\Matt\AppData\Roaming\Malwarebytes
2011-01-16 21:13:07 38224 ----a-w- C:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-01-16 21:13:07 -------- d-----w- C:\PROGRA~3\Malwarebytes
2011-01-16 21:13:03 24152 ----a-w- C:\windows\System32\drivers\mbam.sys
2011-01-16 21:13:03 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-01-16 19:55:14 -------- d-----w- C:\Autoruns
2011-01-16 18:10:39 -------- d-----w- C:\Program Files (x86)\Innovative Solutions
2011-01-16 17:36:22 -------- d-----w- C:\Users\Matt\AppData\Local\ElevatedDiagnostics
2011-01-16 16:36:44 -------- d-----w- C:\PROGRA~3\aAkOp00910
2011-01-16 16:25:56 8199504 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{AB2C9EEA-2403-4D94-81C5-73D0350BC01C}\mpengine.dll
2011-01-16 04:46:52 -------- d-----w- C:\PROGRA~3\Tarma Installer
2011-01-11 19:29:52 720896 ----a-w- C:\windows\System32\odbc32.dll
2011-01-11 19:29:51 987136 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
2011-01-11 19:29:51 573440 ----a-w- C:\windows\SysWow64\odbc32.dll
2011-01-11 19:29:51 495616 ----a-w- C:\Program Files\Common Files\System\ado\msadox.dll
2011-01-11 19:29:51 466944 ----a-w- C:\Program Files\Common Files\System\ado\msadomd.dll
2011-01-11 19:29:51 372736 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadox.dll
2011-01-11 19:29:51 352256 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadomd.dll
2011-01-11 19:29:51 258048 ----a-w- C:\Program Files\Common Files\System\msadc\msadco.dll
2011-01-11 19:29:51 208896 ----a-w- C:\Program Files (x86)\Common Files\System\msadc\msadco.dll
2011-01-11 19:29:51 1425408 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
2011-01-11 02:30:37 -------- d-----w- C:\Program Files (x86)\KWRPGIIDE
2011-01-11 02:22:28 83968 ----a-w- C:\windows\UnGins.exe
2011-01-11 02:21:42 473600 ----a-w- C:\windows\SysWow64\Harmony.dll
2011-01-11 02:21:42 237568 ----a-w- C:\windows\SysWow64\Unlha32.dll
2011-01-11 02:21:41 -------- d-----w- C:\Program Files (x86)\ASCII
2011-01-09 01:40:02 -------- d-----w- C:\Program Files (x86)\MSXML 4.0
2011-01-08 23:40:40 -------- d-----w- C:\Program Files (x86)\Enterbrain
2011-01-08 18:02:28 -------- d-----w- C:\PROGRA~3\WEBREG
2011-01-08 18:01:33 257024 ----a-w- C:\windows\System32\Spool\prtprocs\x64\hpzppw72.dll
2011-01-08 17:57:22 -------- d-----w- C:\Program Files (x86)\Common Files\Hewlett-Packard
2011-01-08 17:56:48 -------- d-----w- C:\Program Files (x86)\Common Files\HP
2011-01-08 17:55:54 -------- d-----w- C:\Program Files (x86)\HP
2011-01-08 17:55:33 -------- d-----w- C:\Program Files\HP
2011-01-08 17:54:49 966656 ----a-w- C:\windows\System32\hposwia_p01a.dll
2011-01-08 17:54:49 551424 ----a-w- C:\windows\System32\hppldcoi.dll
2011-01-08 17:54:49 512512 ----a-w- C:\windows\System32\hposc_p01a.dll
2011-01-08 17:54:49 1411584 ----a-w- C:\windows\System32\hpost_p01a.dll
2011-01-08 15:58:13 -------- d-----w- C:\Users\Matt\AppData\Local\Sony
2011-01-08 15:52:55 -------- d-----w- C:\Program Files (x86)\Vstplugins
2011-01-08 15:52:25 -------- d-----w- C:\Program Files (x86)\Sony
2011-01-08 15:46:48 -------- d-----w- C:\Users\Matt\AppData\Roaming\AnvSoft
2011-01-08 15:46:45 -------- d-----w- C:\Program Files (x86)\AnvSoft
2011-01-08 15:32:24 -------- d-----w- C:\Program Files (x86)\Audacity 1.3 Beta (Unicode)
2011-01-05 20:45:29 -------- d-----w- C:\Users\Matt\.thumbnails
2011-01-05 20:27:57 -------- d-----w- C:\Users\Matt\.gimp-2.6
2010-12-29 21:07:09 -------- d-----w- C:\Program Files (x86)\KWRPGII
2010-12-29 03:54:35 -------- d-----w- C:\Program Files (x86)\GIMP-2.0
2010-12-28 19:32:45 -------- d-----w- C:\Users\Matt\AppData\Local\SoftGrid Client
2010-12-28 19:32:42 -------- d-----w- C:\Users\Matt\AppData\Roaming\SoftGrid Client
2010-12-28 17:56:53 -------- d-----w- C:\PROGRA~3\VirtualizedApplications
2010-12-28 15:51:20 8199504 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2010-12-28 04:30:57 -------- d-----w- C:\Program Files (x86)\Microsoft Application Virtualization Client
2010-12-27 19:12:12 -------- d-----w- C:\Users\Matt\AppData\Local\Tific
2010-12-27 19:10:27 -------- d-----w- C:\Users\Matt\AppData\Roaming\Tific
2010-12-27 15:13:13 -------- d-----w- C:\Users\Matt\AppData\Roaming\.doomseeker
2010-12-27 15:12:55 -------- d-----w- C:\Program Files (x86)\Skulltag
2010-12-27 15:05:22 -------- d-----w- C:\windows\SysWow64\Wat
2010-12-27 15:05:22 -------- d-----w- C:\windows\System32\Wat
2010-12-27 03:26:55 99176 ----a-w- C:\windows\SysWow64\PresentationHostProxy.dll
2010-12-27 03:26:55 49472 ----a-w- C:\windows\SysWow64\netfxperf.dll
2010-12-27 03:26:55 48960 ----a-w- C:\windows\System32\netfxperf.dll
2010-12-27 03:26:55 444752 ----a-w- C:\windows\System32\mscoree.dll
2010-12-27 03:26:55 320352 ----a-w- C:\windows\System32\PresentationHost.exe
2010-12-27 03:26:55 297808 ----a-w- C:\windows\SysWow64\mscoree.dll
2010-12-27 03:26:55 295264 ----a-w- C:\windows\SysWow64\PresentationHost.exe
2010-12-27 03:26:55 1130824 ----a-w- C:\windows\SysWow64\dfshim.dll
2010-12-27 03:26:55 109912 ----a-w- C:\windows\System32\PresentationHostProxy.dll
2010-12-27 03:26:54 1942856 ----a-w- C:\windows\System32\dfshim.dll
2010-12-27 03:22:58 184832 ----a-w- C:\windows\System32\drivers\usbvideo.sys
2010-12-27 03:22:57 243712 ----a-w- C:\windows\System32\drivers\ks.sys
2010-12-26 14:46:58 633856 ----a-w- C:\windows\System32\comctl32.dll
2010-12-26 14:38:21 -------- d-----w- C:\Users\Matt\AppData\Local\Mozilla
2010-12-26 03:30:52 -------- d-----w- C:\Users\Matt\AppData\Local\TOSHIBA_Corporation
2010-12-26 03:14:15 -------- d-----w- C:\Users\Matt\AppData\Local\Apple Computer
2010-12-26 03:14:06 34152 ----a-w- C:\windows\System32\drivers\GEARAspiWDM.sys
2010-12-26 03:14:06 126312 ----a-w- C:\windows\System32\GEARAspi64.dll
2010-12-26 03:14:06 107368 ----a-w- C:\windows\SysWow64\GEARAspi.dll
2010-12-26 03:12:58 -------- d-----w- C:\Users\Matt\AppData\Local\Apple
2010-12-26 03:12:29 -------- d-----w- C:\Program Files\Bonjour
2010-12-26 03:12:29 -------- d-----w- C:\Program Files (x86)\Bonjour
2010-12-26 02:44:58 -------- d-----w- C:\Program Files\CCleaner
2010-12-26 02:41:34 -------- d-----w- C:\Program Files (x86)\Steam
2010-12-26 02:41:34 -------- d-----w- C:\Program Files (x86)\Common Files\Steam
2010-12-26 02:37:38 -------- d-----w- C:\Users\Matt\AppData\Roaming\SUPERAntiSpyware.com
2010-12-26 02:37:38 -------- d-----w- C:\PROGRA~3\SUPERAntiSpyware.com
2010-12-26 02:36:23 -------- d-----w- C:\PROGRA~3\!SASCORE
2010-12-26 02:36:19 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2010-12-26 02:31:47 -------- d-----w- C:\Users\Matt\AppData\Local\Google
2010-12-26 02:31:15 -------- d-----w- C:\Users\Matt\AppData\Local\Toshiba
2010-12-26 02:31:04 -------- d-----w- C:\Users\Matt\AppData\Local\ATI
2010-12-25 13:50:23 -------- d-----w- C:\Program Files (x86)\StarCraft II
2010-12-25 13:50:23 -------- d-----w- C:\Program Files (x86)\Common Files\Blizzard Entertainment
2010-12-25 13:50:23 -------- d-----w- C:\PROGRA~3\Blizzard Entertainment
2010-12-25 13:43:01 270720 ------w- C:\windows\System32\MpSigStub.exe
2010-12-25 13:32:39 13 --sh--r- C:\windows\System32\drivers\fbd.sys

==================== Find3M ====================

2010-11-29 22:38:30 94208 ----a-w- C:\windows\SysWow64\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- C:\windows\SysWow64\QuickTime.qts
2010-11-04 19:15:18 0 ----a-w- C:\windows\ativpsrm.bin
2010-11-04 06:35:53 1194496 ----a-w- C:\windows\System32\wininet.dll
2010-11-04 06:31:34 57856 ----a-w- C:\windows\System32\licmgr10.dll
2010-11-04 05:52:17 978944 ----a-w- C:\windows\SysWow64\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- C:\windows\SysWow64\licmgr10.dll
2010-11-04 05:16:14 482816 ----a-w- C:\windows\System32\html.iec
2010-11-04 04:41:26 386048 ----a-w- C:\windows\SysWow64\html.iec
2010-11-04 04:35:37 1638912 ----a-w- C:\windows\System32\mshtml.tlb
2010-11-04 04:08:54 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb
2010-11-02 05:21:51 982912 ----a-w- C:\windows\System32\drivers\dxgkrnl.sys
2010-11-02 05:18:59 662528 ----a-w- C:\windows\System32\XpsPrint.dll
2010-11-02 05:18:59 229888 ----a-w- C:\windows\System32\XpsRasterService.dll
2010-11-02 05:18:58 470016 ----a-w- C:\windows\System32\XpsGdiConverter.dll
2010-11-02 05:18:17 524288 ----a-w- C:\windows\System32\wmicmiplugin.dll
2010-11-02 05:17:38 473600 ----a-w- C:\windows\System32\taskcomp.dll
2010-11-02 05:17:38 1169408 ----a-w- C:\windows\System32\taskschd.dll
2010-11-02 05:16:53 1114624 ----a-w- C:\windows\System32\schedsvc.dll
2010-11-02 05:12:53 1133568 ----a-w- C:\windows\System32\FntCache.dll
2010-11-02 05:12:25 1540608 ----a-w- C:\windows\System32\DWrite.dll
2010-11-02 05:12:08 1837568 ----a-w- C:\windows\System32\d3d10warp.dll
2010-11-02 05:12:07 320512 ----a-w- C:\windows\System32\d3d10_1core.dll
2010-11-02 05:12:06 902656 ----a-w- C:\windows\System32\d2d1.dll
2010-11-02 05:12:06 197120 ----a-w- C:\windows\System32\d3d10_1.dll
2010-11-02 05:10:47 464384 ----a-w- C:\windows\System32\taskeng.exe
2010-11-02 05:10:32 285696 ----a-w- C:\windows\System32\schtasks.exe
2010-11-02 04:59:08 144384 ----a-w- C:\windows\System32\cdd.dll
2010-11-02 04:41:36 442880 ----a-w- C:\windows\SysWow64\XpsPrint.dll
2010-11-02 04:41:36 283648 ----a-w- C:\windows\SysWow64\XpsGdiConverter.dll
2010-11-02 04:41:36 135168 ----a-w- C:\windows\SysWow64\XpsRasterService.dll
2010-11-02 04:40:36 496128 ----a-w- C:\windows\SysWow64\taskschd.dll
2010-11-02 04:40:36 305152 ----a-w- C:\windows\SysWow64\taskcomp.dll
2010-11-02 04:35:51 1074176 ----a-w- C:\windows\SysWow64\DWrite.dll
2010-11-02 04:35:35 1170944 ----a-w- C:\windows\SysWow64\d3d10warp.dll
2010-11-02 04:35:34 739840 ----a-w- C:\windows\SysWow64\d2d1.dll
2010-11-02 04:35:34 218624 ----a-w- C:\windows\SysWow64\d3d10_1core.dll
2010-11-02 04:35:34 161792 ----a-w- C:\windows\SysWow64\d3d10_1.dll
2010-11-02 04:34:44 192000 ----a-w- C:\windows\SysWow64\taskeng.exe
2010-11-02 04:34:33 179712 ----a-w- C:\windows\SysWow64\schtasks.exe
2010-11-02 02:50:58 258048 ----a-w- C:\windows\System32\drivers\dxgmms1.sys
2010-10-27 05:06:22 2048 ----a-w- C:\windows\System32\tzres.dll
2010-10-27 04:32:36 2048 ----a-w- C:\windows\SysWow64\tzres.dll
2010-10-20 05:20:01 46080 ----a-w- C:\windows\System32\atmlib.dll
2010-10-20 04:54:18 34304 ----a-w- C:\windows\SysWow64\atmlib.dll
2010-10-20 03:09:15 3124224 ----a-w- C:\windows\System32\win32k.sys
2010-10-20 03:05:46 367104 ----a-w- C:\windows\System32\atmfd.dll
2010-10-20 02:58:41 294400 ----a-w- C:\windows\SysWow64\atmfd.dll

============= FINISH: 16:48:14.45 ===============


I also noticed that when using Google, I click on certain links and get redirected to a generic search engine. I have also noticed some software on my computer, such as Net Zero and Translation Software, which I never intentionally installed.

My first course of action was to remain in Safe Mode and do a SUPERAntiSpyware scan. The scan was seemingly successful in removing the selected items; I even checked the directories to make sure the files were gone, and there's nothing there. Here's the scan log:

-------------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/16/2011 at 01:44 PM

Application Version : 4.47.1000

Core Rules Database Version : 6210
Trace Rules Database Version: 4022

Scan type : Complete Scan
Total Scan Time : 00:36:50

Memory items scanned : 396
Memory threats detected : 0
Registry items scanned : 13244
Registry threats detected : 8
File items scanned : 29485
File threats detected : 54

Rogue.SecurityTool[Variant]
(x86) [aAkOp00910] C:\PROGRAMDATA\AAKOP00910\AAKOP00910.EXE
C:\PROGRAMDATA\AAKOP00910\AAKOP00910.EXE
(x86) [aAkOp00910] C:\PROGRAMDATA\AAKOP00910\AAKOP00910.EXE

Adware.Tracking Cookie
C:\Users\Matt\AppData\Roaming\Microsoft\Windows\Cookies\matt@doubleclick[2].txt
C:\Users\Matt\AppData\Roaming\Microsoft\Windows\Cookies\matt@synacortoshiba.112.2o7[1].txt
.revsci.net [ C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\eu5wo0qy.default\cookies.sqlite ]
.revsci.net [ C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\eu5wo0qy.default\cookies.sqlite ]
.revsci.net [ C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\eu5wo0qy.default\cookies.sqlite ]
.revsci.net [ C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\eu5wo0qy.default\cookies.sqlite ]
.revsci.net [ C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\eu5wo0qy.default\cookies.sqlite ]
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@mediabrandsww[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@apmebf[2].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@lucidmedia[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@adxpose[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@servedby.adxpower[2].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@pointroll[2].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@pro-market[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@adserving.versaneeds[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@content.yieldmanager[2].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@trafficmp[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@adtech[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@user.lucidmedia[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@ads.pointroll[2].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@ad.yieldmanager[2].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@clicksor[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@ads.react2media[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@mediaplex[2].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@invitemedia[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@vidasco.rotator.hadj7.adjuggler[2].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@ru4[2].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@ad.yieldmanager[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@realmedia[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@opti.inextmedia[2].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@tribalfusion[2].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@zedo[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@doubleclick[2].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@yieldmanager[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@cdn1.trafficmp[2].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@myroitracking[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@fastclick[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@adbrite[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@statcounter[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@atdmt[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@media6degrees[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@content.yieldmanager[3].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@doubleclick[1].txt
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@harrenmedianetwork[1].txt

Malware.Trace
C:\windows\TASKS\{62C40AA6-4406-467A-A5A5-DFDF1B559B7A}.JOB
C:\windows\TASKS\{22116563-108C-42c0-A7CE-60161B75E508}.job
C:\windows\TASKS\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
(x86) HKU\.DEFAULT\Software\JP595IR86O
(x86) HKU\S-1-5-18\Software\JP595IR86O
(x86) HKU\.DEFAULT\Software\NtWqIVLZEWZU
(x86) HKU\S-1-5-18\Software\NtWqIVLZEWZU
(x86) HKU\.DEFAULT\SOFTWARE\XML
(x86) HKU\S-1-5-18\SOFTWARE\XML

Trojan.Agent/Gen-TDSS[Rel]
C:\USERS\MIKE\APPDATA\LOCAL\TEMP\65D8.TMP

Trojan.Agent/Gen-FrauderX
C:\WINDOWS\TEMP\QWX.EXE
C:\WINDOWS\TEMP\QWW.EXE

Trojan.Agent/Gen-Fraudtool
C:\WINDOWS\TEMP\IYLUURENE\UDOMKLLUERB.EXE
C:\WINDOWS\TEMP\MPQTE.EXE

Trojan.Agent/Gen-FakeSoft[Atrac]
C:\WINDOWS\TEMP\XDSFI.EXE
------------------------------------


After restarting my computer, I was greeted with an instantaneous BSOD. I then restarted my computer in safe mode and scanned with Malwarebytes. Here's the log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5533

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

1/16/2011 4:34:24 PM
mbam-log-2011-01-16 (16-34-24).txt

Scan type: Full scan (C:\|)
Objects scanned: 272458
Time elapsed: 18 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Mike\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\6D8VF06G\kbwdyfeyta[1].php (Adware.BHO) -> Quarantined and deleted successfully.
c:\Users\Mike\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\F214HWNS\iztbjhowu[1].htm (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\Users\Mike\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\F214HWNS\mmaucwe[3].htm (Adware.Agent) -> Quarantined and deleted successfully.
c:\Users\Mike\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\KZ30X5WF\cptrlg[1].htm (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\Users\Mike\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\KZ30X5WF\iztbjhowu[2].htm (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\Users\Mike\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\QE1OYFX6\cptrlg[1].htm (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\Users\Mike\AppData\Local\Temp\19792079 (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\0PS72R2M\mmaucwe[1].htm (Adware.Agent) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\config\systemprofile\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\0PS72R2M\mmaucwe[1].htm (Adware.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\dxfh.exe (Adware.Agent) -> Quarantined and deleted successfully.
-----------------------------------------------------------------------------------


So it seems I have a Rootkit.Agent and a few Trojans. After restarting my computer I did NOT get a BSOD, but my browser is still being hijacked so I know I haven't completely wiped the infection. I am prepared to remove the files manually, and I have downloaded Autoruns to try and trace the startup key. I just need some help locating the remaining files / startup keys. I'm having difficulty doing that because looking at these keys, I see nothing that resembles RootKit.Agent (I imagine the hacker wouldn't be so conspicuous). If you could help me with this issue that would be greatly appreciated. This is a brand new laptop and I don't have access to a reinstallation disc.

Edited by boostling, 16 January 2011 - 05:39 PM.
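As an added example that is not part of the thread, the following PowerShell script re-lists the locations the first scan log flagged under Malware.Trace and the Trojan.Agent entries (the .job files in C:\windows\TASKS, the Software subkeys of the S-1-5-18 profile, and executables under C:\WINDOWS\TEMP), so that whatever survives cleanup can be compared against the log. The "Suspect" heuristics are my own assumptions, not detection rules from any tool named here.

```powershell
# Added example (not from the thread): re-check the locations the first scan log
# flagged after cleanup. Run from an elevated PowerShell prompt; written for the
# PowerShell 2.0 that ships with Windows 7, so no PowerShell 3+ syntax is used.

# 1. Legacy scheduled-task .job files. The log listed three with GUID-style names
#    in C:\windows\TASKS; a bare GUID as a task name is my heuristic for "suspect".
$taskDir = Join-Path $env:SystemRoot 'Tasks'
Get-ChildItem -Path $taskDir -Filter '*.job' -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        New-Object PSObject -Property @{
            Location = $_.FullName
            Modified = $_.LastWriteTime
            Suspect  = ($_.BaseName -match '^\{[0-9A-Fa-f-]{36}\}$')
        }
    } | Format-Table Suspect, Modified, Location -AutoSize

# 2. Software subkeys under the LocalSystem profile. HKU\.DEFAULT is the same
#    hive as HKU\S-1-5-18, which is why each key appeared twice in the log.
#    The heuristic here (my choice) is an alphanumeric name of 8+ characters that
#    contains a digit; it matches JP595IR86O and NtWqIVLZEWZU but not XML, so
#    review the full listing by hand rather than trusting the Suspect column.
$swPath = 'Registry::HKEY_USERS\S-1-5-18\Software'
Get-ChildItem -Path $swPath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $name = $_.PSChildName
        New-Object PSObject -Property @{
            Key     = $_.Name
            Values  = $_.ValueCount
            Subkeys = $_.SubKeyCount
            Suspect = ($name -match '^[A-Za-z0-9]{8,}$' -and $name -match '[0-9]')
        }
    } | Sort-Object Suspect -Descending |
        Format-Table Suspect, Values, Subkeys, Key -AutoSize

# 3. Executables in %SystemRoot%\Temp, where the log found the Trojan.Agent
#    droppers (QWX.EXE, QWW.EXE, MPQTE.EXE, XDSFI.EXE). Nothing legitimate should
#    persist there across reboots, so everything is listed without a heuristic.
Get-ChildItem -Path (Join-Path $env:SystemRoot 'Temp') -Recurse -Include '*.exe' `
    -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize
```

Anything the script lists that is absent from the scan log is a candidate for the Autoruns review the post mentions, not something to delete on sight.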


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:06:16 PM

Posted 18 January 2011 - 10:47 PM

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.




Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

[Image: screenshots of renaming the ComboFix download to Combo-Fix]


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.





