Infected with Antimalware Doctor & possibly other threats


This topic is locked.
14 replies to this topic

#1 joshrd

joshrd

  • Members
  • 7 posts

Posted 03 February 2011 - 02:52 PM

Hello! I got infected with the AntiMalware Doctor and possible some other threats after visiting allsp.com. Normally my antivirus picks it up, but I don't know what happened.
Anyway, I ran the tutorial on getting rid of AntiMalware doctor. I did it in safe mode. Once done, I restarted, and it wouldn't boot back up (blue screen was too fast to get a code error). Same thing happened when I tried it again. So here are the log files. Thanks guys!


DDS (Ver_10-12-12.02) - NTFSx86
Run by Josh at 14:15:27.20 on Thu 02/03/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.957.556 [GMT -5:00]

AV: ESET Smart Security 4.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\keyhook.exe
D:\Program Files\Synaptics\SynTP\SynTPLpr.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\Program Files\ESET\ESET Smart Security\egui.exe
D:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe
D:\WINDOWS\system32\RunDll32.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\sistray.exe
svchost.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
D:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Documents and Settings\Josh\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\progra~1\micros~3\office14\GROOVEEX.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - d:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - d:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [Google Update] "d:\documents and settings\josh\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Ojoxigenoguquto] rundll32.exe "d:\windows\i3msto6.dll",Startup
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [SiS Windows KeyHook] d:\windows\system32\keyhook.exe
mRun: [SynTPLpr] d:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] d:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [egui] "d:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [CTSysVol] d:\program files\creative\sblive 24-bit external\surround mixer\CTSysVol.exe /r
mRun: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
mRun: [UpdReg] d:\windows\UpdReg.EXE
mRun: [Adobe ARM] "d:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [BCSSync] "d:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Nhosavaqe] rundll32.exe "d:\windows\igulobakamodeta.dll",Startup
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - d:\windows\system32\sistray.exe
IE: E&xport to Microsoft Excel - d:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: S&end to OneNote - d:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: Send To &Bluetooth - d:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - d:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://www.kccsoft.com/authorware_web_files/awswaxd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - d:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - d:\windows\system32\BTXPPanel.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\progra~1\micros~3\office14\GROOVEEX.DLL

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;d:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R2 ekrn;ESET Service;d:\program files\eset\eset smart security\ekrn.exe [2009-5-14 731840]
R3 HSFHWSIS;HSFHWSIS;d:\windows\system32\drivers\HSFHWSIS.sys [2009-6-16 200576]
R3 sbusb;Sound Blaster USB Audio Driver;d:\windows\system32\drivers\sbusb.sys [2009-6-17 1643648]
S3 KORGUMDS;KORG USB-MIDI Driver for Windows;d:\windows\system32\drivers\KORGUMDS.SYS [2007-3-29 21984]
S3 kx1avs;kx1avs;d:\windows\system32\drivers\kx1avs.sys --> d:\windows\system32\drivers\kx1avs.sys [?]
S3 kx1usb;kx1usb;d:\windows\system32\drivers\kx1usb.sys --> d:\windows\system32\drivers\kx1usb.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;d:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
S3 osppsvc;Office Software Protection Platform;d:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 PTSimBus;PenTablet Bus Enumerator;d:\windows\system32\drivers\ptsimbus.sys --> d:\windows\system32\drivers\PTSimBus.sys [?]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;d:\windows\system32\drivers\ptsimhid.sys --> d:\windows\system32\drivers\PTSimHid.sys [?]

=============== Created Last 30 ================

2011-02-03 10:54:58 54016 ----a-w- d:\windows\system32\drivers\lmuqafti.sys
2011-02-03 06:03:21 -------- d-----w- d:\docume~1\josh\applic~1\Malwarebytes
2011-02-03 05:58:16 54016 ----a-w- d:\windows\system32\drivers\wnuhnxws.sys
2011-02-03 04:23:50 -------- d-----w- d:\docume~1\josh\applic~1\0FFC93161B6AC8F8BB8C7A0FEF63B4E9
2011-02-02 03:40:58 -------- d-----w- d:\program files\Power Tab Software
2011-02-02 03:07:40 -------- d-----w- d:\docume~1\josh\applic~1\Guitar Pro 6
2011-02-02 03:07:40 -------- d-----w- d:\docume~1\alluse~1\applic~1\Guitar Pro 6
2011-01-31 20:42:57 0 ----a-w- d:\windows\Ryodujitife.bin
2011-01-31 20:42:56 -------- d-----w- d:\docume~1\josh\locals~1\applic~1\{853046D8-E892-4E45-BFE9-5CF8B42E457F}
2011-01-23 01:41:02 -------- d-----w- d:\program files\Cycling '74
2011-01-23 01:22:30 233472 ----a-w- d:\windows\system32\REX Shared Library.dll
2011-01-23 01:22:29 368640 ----a-w- d:\windows\system32\ReWire.dll
2011-01-23 01:07:01 -------- d-----w- d:\program files\Ableton
2011-01-13 02:07:53 -------- d-----w- d:\docume~1\josh\applic~1\Tor
2011-01-13 02:07:50 -------- d-----w- d:\program files\Vidalia Bundle
2011-01-07 17:08:23 -------- d-----w- d:\program files\Foxit Software

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- d:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- d:\windows\system32\odbc32.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST94019A rev.3.05 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x864B55AF]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x864bb7b0]; MOV EAX, [0x864bb82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86549AB8]
3 CLASSPNP[0xF7580FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000079[0x865C79E8]
5 ACPI[0xF72FE620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x86557940]
\Driver\atapi[0x8654ABF0] -> IRP_MJ_CREATE -> 0x864B55AF
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST94019A________________________________3.05____#5&33c1643&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x864B53F5
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 14:16:37.71 ===============
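Reading a DDS log like the one above by hand is tedious, and the interesting lines are easy to miss among the legitimate ones. The script below is an added example, not code from the original post or from the DDS/gmer tools, that applies three triage heuristics to an excerpt of the log above. The heuristics are my own assumptions about what a responder would want pulled out: Run values that make rundll32 load a DLL sitting directly in the Windows folder rather than in system32 (the `Ojoxigenoguquto` and `Nhosavaqe` entries, both gone from the follow-up DDS log in post #7), recently created drivers that share one exact byte size (the two 54016-byte `.sys` files here), and gmer's hook listings and warning line. The sample text is a constructed excerpt of the posted log, and the script works on any DDS log that has those sections, not only this one.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines excerpted from the DDS log in post #1
# (Pseudo HJT Report, Created Last 30 and ROOTKIT sections), not the full log.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [Google Update] "d:\documents and settings\josh\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Ojoxigenoguquto] rundll32.exe "d:\windows\i3msto6.dll",Startup
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
mRun: [Nhosavaqe] rundll32.exe "d:\windows\igulobakamodeta.dll",Startup

=============== Created Last 30 ================

2011-02-03 10:54:58 54016 ----a-w- d:\windows\system32\drivers\lmuqafti.sys
2011-02-03 06:03:21 -------- d-----w- d:\docume~1\josh\applic~1\Malwarebytes
2011-02-03 05:58:16 54016 ----a-w- d:\windows\system32\drivers\wnuhnxws.sys
2011-01-23 01:22:30 233472 ----a-w- d:\windows\system32\REX Shared Library.dll
2011-01-23 01:22:29 368640 ----a-w- d:\windows\system32\ReWire.dll

=================== ROOTKIT ====================

detected hooks:
\Driver\atapi DriverStartIo -> 0x864B53F5
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# "uRun" is the current user's Run key, "mRun" the machine-wide one (DDS convention).
RUN_LINE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# rundll32 invocations of the form: rundll32[.exe] ["]<dll>["],<export>
RUNDLL = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\w+)', re.I)
# A DLL that lives directly in <drive>:\windows\, with no subdirectory.
WINROOT_DLL = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.I)
# "Created Last 30" file entries that are .sys files under a drivers folder.
CREATED_SYS = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?P<size>\d+) \S+ (?P<path>.+\\drivers\\(?P<file>[^\\]+\.sys))$",
    re.I,
)
# gmer hook listing, e.g. "\Driver\atapi DriverStartIo -> 0x864B53F5"
HOOK_LINE = re.compile(r"^\\Driver\\\S+ \S+ -> 0x[0-9A-F]+$", re.I)


def triage_dds(text):
    """Return the lines of a DDS log that deserve a second look, grouped by heuristic."""
    rundll_hits = []
    drivers_by_size = defaultdict(list)
    rootkit_lines = []
    for raw in text.splitlines():
        line = raw.strip()
        run = RUN_LINE.match(line)
        if run:
            call = RUNDLL.match(run.group("cmd"))
            # Heuristic 1 (assumption): a Run value that has rundll32 load a DLL
            # placed directly in the Windows folder instead of system32.
            if call and WINROOT_DLL.match(call.group("dll")):
                rundll_hits.append({
                    "hive": "HKCU" if run.group("hive") == "u" else "HKLM",
                    "name": run.group("name"),
                    "dll": call.group("dll"),
                    "export": call.group("export"),
                })
            continue
        created = CREATED_SYS.match(line)
        if created:
            drivers_by_size[int(created.group("size"))].append(created.group("file"))
            continue
        # Heuristic 3: gmer's explicit warning line and any listed driver hooks.
        if line.startswith("Warning:") or HOOK_LINE.match(line):
            rootkit_lines.append(line)
    # Heuristic 2 (assumption): two or more freshly created drivers of identical size.
    same_size = {size: names for size, names in drivers_by_size.items() if len(names) > 1}
    return {
        "rundll32_from_windows_root": rundll_hits,
        "same_size_drivers": same_size,
        "rootkit_indicators": rootkit_lines,
    }


if __name__ == "__main__":
    report = triage_dds(SAMPLE_DDS)
    for hit in report["rundll32_from_windows_root"]:
        print(f"[{hit['hive']} Run] {hit['name']}: rundll32 loads {hit['dll']},{hit['export']}")
    for size, names in report["same_size_drivers"].items():
        print(f"[drivers] {len(names)} new .sys files of exactly {size} bytes: {', '.join(names)}")
    for line in report["rootkit_indicators"]:
        print(f"[rootkit] {line}")
```

Run it on a saved DDS.txt by replacing `SAMPLE_DDS` with the file contents; each hit is a prompt for a closer look, not a verdict, which is why the function returns the matching lines rather than deleting anything.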



#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 04 February 2011 - 06:59 PM

Good evening. :)

Do I take it from the DDS log that you've resolved the PC's inability to boot up, or not?

So long, and thanks for all the fish.


#3 joshrd

joshrd
  • Topic Starter

  • Members
  • 7 posts

Posted 05 February 2011 - 11:25 AM

Huzzah! It boots back up without the malware loading up. However, since the attack, I get this error when it logs into Windows:
"Error loading D:/Windows/i3msto6.dll The specified module could not be found"

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 05 February 2011 - 03:52 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*

  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.


#5 joshrd

joshrd
  • Topic Starter

  • Members
  • 7 posts

Posted 08 February 2011 - 12:07 PM

PC's working fine now. No more website redirection or blue screens of death. Thanks a lot for your help. Here's the ComboFix log:


ComboFix 11-02-06.01 - Josh 02/07/2011 0:48.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.957.638 [GMT -5:00]
Running from: d:\documents and settings\Josh\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\Josh\Application Data\Adobe\plugs
d:\windows\system32\Data

.
((((((((((((((((((((((((( Files Created from 2011-01-07 to 2011-02-07 )))))))))))))))))))))))))))))))
.

2011-02-07 04:39 . 2011-02-07 04:39 54016 ----a-w- d:\windows\system32\drivers\tisdpf.sys
2011-02-07 01:49 . 2011-02-07 01:49 54016 ----a-w- d:\windows\system32\drivers\lxbmdf.sys
2011-02-06 23:59 . 2011-02-06 23:59 -------- d-s---w- d:\documents and settings\NetworkService\UserData
2011-02-06 18:38 . 2011-02-06 19:26 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-02-06 18:38 . 2011-02-06 18:41 -------- d-----w- d:\program files\Spybot - Search & Destroy
2011-02-05 18:58 . 2008-04-14 10:41 21504 -c--a-w- d:\windows\system32\dllcache\hidserv.dll
2011-02-05 18:58 . 2008-04-14 10:41 21504 ----a-w- d:\windows\system32\hidserv.dll
2011-02-05 18:58 . 2008-04-14 05:09 14592 -c--a-w- d:\windows\system32\dllcache\kbdhid.sys
2011-02-05 18:58 . 2008-04-14 05:09 14592 ----a-w- d:\windows\system32\drivers\kbdhid.sys
2011-02-04 01:04 . 2011-02-04 01:04 -------- d-----w- D:\Sets
2011-02-03 10:54 . 2011-02-03 10:54 54016 ----a-w- d:\windows\system32\drivers\lmuqafti.sys
2011-02-03 06:42 . 2011-02-03 06:42 -------- d-s---w- d:\documents and settings\LocalService\UserData
2011-02-03 06:03 . 2011-02-03 06:03 -------- d-----w- d:\documents and settings\Josh\Application Data\Malwarebytes
2011-02-03 05:58 . 2011-02-03 05:58 54016 ----a-w- d:\windows\system32\drivers\wnuhnxws.sys
2011-02-03 04:23 . 2011-02-07 02:01 -------- d-----w- d:\documents and settings\Josh\Application Data\0FFC93161B6AC8F8BB8C7A0FEF63B4E9
2011-02-02 03:40 . 2011-02-02 03:40 -------- d-----w- d:\program files\Power Tab Software
2011-02-02 03:07 . 2011-02-02 03:40 -------- d-----w- d:\documents and settings\Josh\Application Data\Guitar Pro 6
2011-02-02 03:07 . 2011-02-02 03:07 -------- d-----w- d:\documents and settings\All Users\Application Data\Guitar Pro 6
2011-01-31 20:42 . 2011-02-05 16:22 0 ----a-w- d:\windows\Ryodujitife.bin
2011-01-31 20:42 . 2011-01-31 20:42 -------- d-----w- d:\documents and settings\Josh\Local Settings\Application Data\{853046D8-E892-4E45-BFE9-5CF8B42E457F}
2011-01-23 01:41 . 2011-01-23 01:41 -------- d-----w- d:\program files\Cycling '74
2011-01-23 01:22 . 2009-12-23 23:30 233472 ----a-w- d:\windows\system32\REX Shared Library.dll
2011-01-23 01:22 . 2009-12-23 23:30 368640 ----a-w- d:\windows\system32\ReWire.dll
2011-01-23 01:07 . 2011-01-23 01:07 -------- d-----w- d:\program files\Ableton
2011-01-13 02:07 . 2011-01-19 04:10 -------- d-----w- d:\documents and settings\Josh\Application Data\Tor
2011-01-13 02:07 . 2011-01-19 04:10 -------- d-----w- d:\documents and settings\Josh\Application Data\Vidalia
2011-01-13 02:07 . 2011-01-13 02:07 -------- d-----w- d:\program files\Vidalia Bundle

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2010-09-02 15:19 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-09-02 15:19 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-11-18 18:12 . 2009-06-15 19:49 81920 ----a-w- d:\windows\system32\isign32.dll
2010-11-09 14:52 . 2008-04-14 04:42 249856 ----a-w- d:\windows\system32\odbc32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="d:\documents and settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-29 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-02-25 49152]
"SiS Windows KeyHook"="d:\windows\system32\keyhook.exe" [2005-03-04 32768]
"SynTPLpr"="d:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
"SynTPEnh"="d:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
"egui"="d:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
"CTSysVol"="d:\program files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"SbUsb AudCtrl"="sbusbdll.dll" [2004-07-09 119296]
"UpdReg"="d:\windows\UpdReg.EXE" [2000-05-11 90112]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"BCSSync"="d:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - d:\windows\system32\sistray.exe [2009-6-16 331776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi5"=KORGUMDD.DRV

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=d:\windows\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47 35760 ----a-w- d:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 11:58 611712 ----a-w- d:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 20:44 3883856 ----a-w- d:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 -c--a-w- d:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-02-23 10:13 77824 -c--a-w- d:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 -c--a-w- d:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
2010-11-19 18:15 5636136 ----a-w- d:\program files\Vidalia Bundle\Vidalia\vidalia.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7971:TCP"= 7971:TCP:BitComet 7971 TCP
"7971:UDP"= 7971:UDP:BitComet 7971 UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 sptd;sptd;d:\windows\system32\drivers\sptd.sys [6/18/2009 12:57 PM 721904]
R1 ehdrv;ehdrv;d:\windows\system32\drivers\ehdrv.sys [5/14/2009 2:47 PM 107256]
R2 ekrn;ESET Service;d:\program files\ESET\ESET Smart Security\ekrn.exe [5/14/2009 2:47 PM 731840]
R3 HSFHWSIS;HSFHWSIS;d:\windows\system32\drivers\HSFHWSIS.sys [6/16/2009 9:30 PM 200576]
R3 sbusb;Sound Blaster USB Audio Driver;d:\windows\system32\drivers\sbusb.sys [6/17/2009 11:29 AM 1643648]
S3 KORGUMDS;KORG USB-MIDI Driver for Windows;d:\windows\system32\drivers\KORGUMDS.SYS [3/29/2007 12:11 AM 21984]
S3 kx1avs;kx1avs;d:\windows\system32\Drivers\kx1avs.sys --> d:\windows\system32\Drivers\kx1avs.sys [?]
S3 kx1usb;kx1usb;d:\windows\system32\Drivers\kx1usb.sys --> d:\windows\system32\Drivers\kx1usb.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;d:\program files\Microsoft Office\Office14\GROOVE.EXE [1/21/2010 5:51 PM 30963576]
S3 osppsvc;Office Software Protection Platform;d:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 PTSimBus;PenTablet Bus Enumerator;d:\windows\system32\DRIVERS\PTSimBus.sys --> d:\windows\system32\DRIVERS\PTSimBus.sys [?]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;d:\windows\system32\DRIVERS\PTSimHid.sys --> d:\windows\system32\DRIVERS\PTSimHid.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2011-02-05 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-839522115-2146978909-1003Core.job
- d:\documents and settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 19:20]

2011-02-07 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-839522115-2146978909-1003UA.job
- d:\documents and settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 19:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: S&end to OneNote - d:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
IE: Send To &Bluetooth - d:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: aol.com\free
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - d:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Ojoxigenoguquto - d:\windows\i3msto6.dll
MSConfigStartUp-DAEMON Tools Pro Agent - d:\program files\DAEMON Tools Pro\DTProAgent.exe
MSConfigStartUp-iTunesHelper - d:\program files\iTunes\iTunesHelper.exe
AddRemove-Arturia CS-80V v1.5 - d:\progra~1\Arturia\CS-80V\UNWISE.EXE
AddRemove-Arturia Minimoog V v1.0 - d:\progra~1\Arturia\MINIMO~1\UNWISE.EXE
AddRemove-Brainworx BX Digital VST_is1 - d:\program files\Brainworx Music\Uninstall\unins000.exe
AddRemove-Camel Audio Camel Phat VST v3.15 - d:\progra~1\VSTPLU~1\VSTPLU~1\CAMELP~1\UNWISE.EXE
AddRemove-G-sonique Renegade VSTi - d:\progra~1\VSTPLU~1\Renegade\UNINST~1\UNWISE.EXE
AddRemove-Steinberg Mastering Edition Enhanced 2002 - d:\progra~1\VSTPLU~1\STEINB~1\UNWISE.EXE
AddRemove-ToxicIII v1.2 Orion Edition Unlocked VSTi - d:\progra~1\VSTPLU~1\TOXIC3~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-07 01:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1177238915-839522115-2146978909-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{86A061ED-016E-8200-7953-F71D1078F6D3}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hapjpchgacgeidol"=hex:61,61,00,00
"hapjpchgkaacmmek"=hex:61,61,00,00
"iadpalldfapbbnmieo"=hex:6a,61,70,6e,6c,63,64,6d,66,62,62,62,61,63,63,67,66,70,
70,65,00,04
"hajoojgebeomhedl"=hex:6b,61,6f,6e,61,63,70,66,67,6b,6f,6e,6c,67,6f,64,6c,6d,
6a,6a,6e,6d,00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{86A061ED-016E-8200-7953-F71D1078F6D3}\InProcServer32*]
"ianolpbddhinioclfa"=hex:61,61,00,00
"ianolpbddhkoooahok"=hex:61,61,00,00
"janopnckhljdjglhnlng"=hex:6a,61,70,6e,6c,63,64,6d,66,62,62,62,61,63,63,67,66,
70,70,65,00,04
"ianofoimngjieoldah"=hex:6a,61,70,6e,69,63,68,6d,6a,64,63,62,61,66,66,65,6a,63,
6d,62,00,0a

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2100)
d:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
d:\progra~1\MICROS~3\Office14\1033\GrooveIntlResource.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\WgaTray.exe
d:\program files\Bonjour\mDNSResponder.exe
d:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
d:\windows\system32\RunDll32.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2011-02-07 01:05:53 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-07 06:05

Pre-Run: 4,113,129,472 bytes free
Post-Run: 4,165,087,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 541B3518C14147CDED684A1456556B24

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 08 February 2011 - 03:14 PM

Good evening. :)

A quick second-opinion scan to ensure all is well, then a quick tidy-up and you're done.

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.


#7 joshrd

joshrd
  • Topic Starter

  • Members
  • 7 posts

Posted 09 February 2011 - 12:51 PM

The system seems to be running smoothly. Nothing abnormal going on. Here's the DDS report (and I've attached the mbam log):


DDS (Ver_10-12-12.02) - NTFSx86
Run by Josh at 12:44:57.55 on Wed 02/09/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.957.454 [GMT -5:00]

AV: ESET Smart Security 4.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\keyhook.exe
D:\Program Files\Synaptics\SynTP\SynTPLpr.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\Program Files\ESET\ESET Smart Security\egui.exe
D:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe
D:\WINDOWS\system32\RunDll32.exe
D:\WINDOWS\system32\sistray.exe
svchost.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
D:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Documents and Settings\Josh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\Josh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\Josh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\Josh\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\progra~1\micros~3\office14\GROOVEEX.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - d:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - d:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Google Update] "d:\documents and settings\josh\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [SiS Windows KeyHook] d:\windows\system32\keyhook.exe
mRun: [SynTPLpr] d:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] d:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [egui] "d:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [CTSysVol] d:\program files\creative\sblive 24-bit external\surround mixer\CTSysVol.exe /r
mRun: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
mRun: [UpdReg] d:\windows\UpdReg.EXE
mRun: [Adobe ARM] "d:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [BCSSync] "d:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - d:\windows\system32\sistray.exe
IE: E&xport to Microsoft Excel - d:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: S&end to OneNote - d:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: Send To &Bluetooth - d:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - d:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://www.kccsoft.com/authorware_web_files/awswaxd.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - d:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - d:\windows\system32\BTXPPanel.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\progra~1\micros~3\office14\GROOVEEX.DLL

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;d:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R2 ekrn;ESET Service;d:\program files\eset\eset smart security\ekrn.exe [2009-5-14 731840]
R3 HSFHWSIS;HSFHWSIS;d:\windows\system32\drivers\HSFHWSIS.sys [2009-6-16 200576]
R3 sbusb;Sound Blaster USB Audio Driver;d:\windows\system32\drivers\sbusb.sys [2009-6-17 1643648]
S3 KORGUMDS;KORG USB-MIDI Driver for Windows;d:\windows\system32\drivers\KORGUMDS.SYS [2007-3-29 21984]
S3 kx1avs;kx1avs;d:\windows\system32\drivers\kx1avs.sys --> d:\windows\system32\drivers\kx1avs.sys [?]
S3 kx1usb;kx1usb;d:\windows\system32\drivers\kx1usb.sys --> d:\windows\system32\drivers\kx1usb.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;d:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
S3 osppsvc;Office Software Protection Platform;d:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 PTSimBus;PenTablet Bus Enumerator;d:\windows\system32\drivers\ptsimbus.sys --> d:\windows\system32\drivers\PTSimBus.sys [?]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;d:\windows\system32\drivers\ptsimhid.sys --> d:\windows\system32\drivers\PTSimHid.sys [?]

=============== Created Last 30 ================

2011-02-07 05:36:34 98816 ----a-w- d:\windows\sed.exe
2011-02-07 05:36:34 89088 ----a-w- d:\windows\MBR.exe
2011-02-07 05:36:34 256512 ----a-w- d:\windows\PEV.exe
2011-02-07 05:36:34 161792 ----a-w- d:\windows\SWREG.exe
2011-02-07 04:39:21 54016 ----a-w- d:\windows\system32\drivers\tisdpf.sys
2011-02-07 01:49:58 54016 ----a-w- d:\windows\system32\drivers\lxbmdf.sys
2011-02-06 18:38:30 -------- d-----w- d:\program files\Spybot - Search & Destroy
2011-02-06 18:38:30 -------- d-----w- d:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-02-05 18:58:27 21504 -c--a-w- d:\windows\system32\dllcache\hidserv.dll
2011-02-05 18:58:27 21504 ----a-w- d:\windows\system32\hidserv.dll
2011-02-05 18:58:21 14592 -c--a-w- d:\windows\system32\dllcache\kbdhid.sys
2011-02-05 18:58:21 14592 ----a-w- d:\windows\system32\drivers\kbdhid.sys
2011-02-04 01:04:39 -------- d-----w- D:\Sets
2011-02-03 10:54:58 54016 ----a-w- d:\windows\system32\drivers\lmuqafti.sys
2011-02-03 06:03:21 -------- d-----w- d:\docume~1\josh\applic~1\Malwarebytes
2011-02-03 05:58:16 54016 ----a-w- d:\windows\system32\drivers\wnuhnxws.sys
2011-02-03 04:23:50 -------- d-----w- d:\docume~1\josh\applic~1\0FFC93161B6AC8F8BB8C7A0FEF63B4E9
2011-02-02 03:40:58 -------- d-----w- d:\program files\Power Tab Software
2011-02-02 03:07:40 -------- d-----w- d:\docume~1\josh\applic~1\Guitar Pro 6
2011-02-02 03:07:40 -------- d-----w- d:\docume~1\alluse~1\applic~1\Guitar Pro 6
2011-01-31 20:42:57 0 ----a-w- d:\windows\Ryodujitife.bin
2011-01-31 20:42:56 -------- d-----w- d:\docume~1\josh\locals~1\applic~1\{853046D8-E892-4E45-BFE9-5CF8B42E457F}
2011-01-23 01:41:02 -------- d-----w- d:\program files\Cycling '74
2011-01-23 01:22:30 233472 ----a-w- d:\windows\system32\REX Shared Library.dll
2011-01-23 01:22:29 368640 ----a-w- d:\windows\system32\ReWire.dll
2011-01-23 01:07:01 -------- d-----w- d:\program files\Ableton
2011-01-13 02:07:53 -------- d-----w- d:\docume~1\josh\applic~1\Tor
2011-01-13 02:07:50 -------- d-----w- d:\program files\Vidalia Bundle

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- d:\windows\system32\isign32.dll

============= FINISH: 12:45:32.38 ===============

Attached Files



#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:12 PM

Posted 09 February 2011 - 03:05 PM

Good evening. :)

I'd like some information on four files that are referenced in your DDS log, assuming they are actually still present on your system.

Please go to Jotti's and click on the Browse... button at the top and navigate to the following files in turn, and then click on Submit:

d:\windows\system32\drivers\lmuqafti.sys
d:\windows\system32\drivers\wnuhnxws.sys
d:\windows\system32\Drivers\kx1avs.sys
d:\windows\system32\Drivers\kx1usb.sys


When all the scans have been completed, for each file in turn, please copy and paste the "Permalink" that you'll find in the "Jotti's malware scan" box in the upper left hand part of the page into your next reply.


You may need to set Windows to show All Hidden Files and Folders - Instructions can be found here.
* These files are hidden to stop you accidentally removing something important. It is advisable to hide them again after you have done.

So long, and thanks for all the fish.

 

 


#9 joshrd

joshrd
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:12 AM

Posted 09 February 2011 - 07:16 PM

Hello!
I couldn't find the last two files (they weren't hidden either), so here are the first two:
http://virusscan.jotti.org/en/scanresult/b30fe243abb61295757582c4901fdd6a352907e4/a660de8e508fa3109c60042f9c1e645b9867b8ec
http://virusscan.jotti.org/en/scanresult/a660de8e508fa3109c60042f9c1e645b9867b8ec/9afe227d2f37ee224a8238f7f8b61c37917e04c8

Thanks for the help!

#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:12 PM

Posted 10 February 2011 - 03:48 PM

Good evening. :)

Don't like them, so we'll get rid of them.

Copy and paste the following into Notepad (Start > All Programs > Accessories > Notepad):

File::
d:\windows\system32\drivers\lmuqafti.sys
d:\windows\system32\drivers\wnuhnxws.sys


Save it to your Desktop with the following filename: CFScript
Drag and drop CFScript.txt onto your copy of Combofix and let it do its thing.
Let me have the log produced, as before, and a description of how the PC is behaving.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On a slightly different note, I see you use Chrome. It's been on my "to try" list for a while, but I'm kind of wedded to Firefox for all the add-ons I rely on - how do you rate Chrome as a browser?

So long, and thanks for all the fish.

 

 


#11 joshrd

joshrd
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:12 AM

Posted 10 February 2011 - 06:49 PM

Hello! I really appreciate the help. About Chrome: I actually switched to Chrome from Firefox because it started slowing down on me, and crashing a lot. Chrome's a lot lighter, and keeps browsing to its basics. It also uses fewer toolbars, so the webpage takes up most of the screen. I'm sure Chrome has similar add-ons as Firefox. Sometimes though, I have to zoom in, then zoom out to see embedded scrollbars/checkboxes. I definitely recommend it.

Here's the comboFix log:


ComboFix 11-02-09.05 - Josh 02/10/2011 18:29:51.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.957.581 [GMT -5:00]
Running from: d:\documents and settings\Josh\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Josh\Desktop\CFScript.txt
AV: ESET Smart Security 4.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

FILE ::
"d:\windows\system32\drivers\lmuqafti.sys"
"d:\windows\system32\drivers\wnuhnxws.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\Josh\Local Settings\Application Data\{853046D8-E892-4E45-BFE9-5CF8B42E457F}
d:\documents and settings\Josh\Local Settings\Application Data\{853046D8-E892-4E45-BFE9-5CF8B42E457F}\chrome.manifest
d:\documents and settings\Josh\Local Settings\Application Data\{853046D8-E892-4E45-BFE9-5CF8B42E457F}\chrome\content\_cfg.js
d:\documents and settings\Josh\Local Settings\Application Data\{853046D8-E892-4E45-BFE9-5CF8B42E457F}\chrome\content\overlay.xul
d:\documents and settings\Josh\Local Settings\Application Data\{853046D8-E892-4E45-BFE9-5CF8B42E457F}\install.rdf
d:\windows\system32\drivers\lmuqafti.sys
d:\windows\system32\drivers\wnuhnxws.sys

.
((((((((((((((((((((((((( Files Created from 2011-01-10 to 2011-02-10 )))))))))))))))))))))))))))))))
.

2011-02-07 04:39 . 2011-02-07 04:39 54016 ----a-w- d:\windows\system32\drivers\tisdpf.sys
2011-02-07 01:49 . 2011-02-07 01:49 54016 ----a-w- d:\windows\system32\drivers\lxbmdf.sys
2011-02-06 23:59 . 2011-02-06 23:59 -------- d-s---w- d:\documents and settings\NetworkService\UserData
2011-02-06 18:38 . 2011-02-08 19:57 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-02-06 18:38 . 2011-02-06 18:41 -------- d-----w- d:\program files\Spybot - Search & Destroy
2011-02-05 18:58 . 2008-04-14 10:41 21504 -c--a-w- d:\windows\system32\dllcache\hidserv.dll
2011-02-05 18:58 . 2008-04-14 10:41 21504 ----a-w- d:\windows\system32\hidserv.dll
2011-02-05 18:58 . 2008-04-14 05:09 14592 -c--a-w- d:\windows\system32\dllcache\kbdhid.sys
2011-02-05 18:58 . 2008-04-14 05:09 14592 ----a-w- d:\windows\system32\drivers\kbdhid.sys
2011-02-04 01:04 . 2011-02-04 01:04 -------- d-----w- D:\Sets
2011-02-03 06:42 . 2011-02-03 06:42 -------- d-s---w- d:\documents and settings\LocalService\UserData
2011-02-03 06:03 . 2011-02-03 06:03 -------- d-----w- d:\documents and settings\Josh\Application Data\Malwarebytes
2011-02-03 04:23 . 2011-02-07 02:01 -------- d-----w- d:\documents and settings\Josh\Application Data\0FFC93161B6AC8F8BB8C7A0FEF63B4E9
2011-02-02 03:40 . 2011-02-02 03:40 -------- d-----w- d:\program files\Power Tab Software
2011-02-02 03:07 . 2011-02-02 03:40 -------- d-----w- d:\documents and settings\Josh\Application Data\Guitar Pro 6
2011-02-02 03:07 . 2011-02-02 03:07 -------- d-----w- d:\documents and settings\All Users\Application Data\Guitar Pro 6
2011-01-31 20:42 . 2011-02-05 16:22 0 ----a-w- d:\windows\Ryodujitife.bin
2011-01-23 01:41 . 2011-01-23 01:41 -------- d-----w- d:\program files\Cycling '74
2011-01-23 01:22 . 2009-12-23 23:30 233472 ----a-w- d:\windows\system32\REX Shared Library.dll
2011-01-23 01:22 . 2009-12-23 23:30 368640 ----a-w- d:\windows\system32\ReWire.dll
2011-01-23 01:07 . 2011-01-23 01:07 -------- d-----w- d:\program files\Ableton
2011-01-13 02:07 . 2011-01-19 04:10 -------- d-----w- d:\documents and settings\Josh\Application Data\Tor
2011-01-13 02:07 . 2011-01-19 04:10 -------- d-----w- d:\documents and settings\Josh\Application Data\Vidalia
2011-01-13 02:07 . 2011-01-13 02:07 -------- d-----w- d:\program files\Vidalia Bundle

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2010-09-02 15:19 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-09-02 15:19 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-11-18 18:12 . 2009-06-15 19:49 81920 ----a-w- d:\windows\system32\isign32.dll
.

((((((((((((((((((((((((((((( SnapShot@2011-02-07_06.00.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-08 07:28 . 2011-02-08 07:28 16384 d:\windows\Temp\Perflib_Perfdata_708.dat
+ 2008-03-20 22:06 . 2009-06-25 18:20 1485176 d:\windows\system32\LegitCheckControl.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="d:\documents and settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-29 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-02-25 49152]
"SiS Windows KeyHook"="d:\windows\system32\keyhook.exe" [2005-03-04 32768]
"SynTPLpr"="d:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
"SynTPEnh"="d:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
"egui"="d:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
"CTSysVol"="d:\program files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"SbUsb AudCtrl"="sbusbdll.dll" [2004-07-09 119296]
"UpdReg"="d:\windows\UpdReg.EXE" [2000-05-11 90112]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"BCSSync"="d:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - d:\windows\system32\sistray.exe [2009-6-16 331776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi5"=KORGUMDD.DRV

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=d:\windows\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47 35760 ----a-w- d:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 11:58 611712 ----a-w- d:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 20:44 3883856 ----a-w- d:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 -c--a-w- d:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-02-23 10:13 77824 -c--a-w- d:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 -c--a-w- d:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
2010-11-19 18:15 5636136 ----a-w- d:\program files\Vidalia Bundle\Vidalia\vidalia.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7971:TCP"= 7971:TCP:BitComet 7971 TCP
"7971:UDP"= 7971:UDP:BitComet 7971 UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 sptd;sptd;d:\windows\system32\drivers\sptd.sys [6/18/2009 12:57 PM 721904]
R1 ehdrv;ehdrv;d:\windows\system32\drivers\ehdrv.sys [5/14/2009 2:47 PM 107256]
R2 ekrn;ESET Service;d:\program files\ESET\ESET Smart Security\ekrn.exe [5/14/2009 2:47 PM 731840]
R3 HSFHWSIS;HSFHWSIS;d:\windows\system32\drivers\HSFHWSIS.sys [6/16/2009 9:30 PM 200576]
R3 osppsvc;Office Software Protection Platform;d:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
R3 sbusb;Sound Blaster USB Audio Driver;d:\windows\system32\drivers\sbusb.sys [6/17/2009 11:29 AM 1643648]
S3 KORGUMDS;KORG USB-MIDI Driver for Windows;d:\windows\system32\drivers\KORGUMDS.SYS [3/29/2007 12:11 AM 21984]
S3 kx1avs;kx1avs;d:\windows\system32\Drivers\kx1avs.sys --> d:\windows\system32\Drivers\kx1avs.sys [?]
S3 kx1usb;kx1usb;d:\windows\system32\Drivers\kx1usb.sys --> d:\windows\system32\Drivers\kx1usb.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;d:\program files\Microsoft Office\Office14\GROOVE.EXE [1/21/2010 5:51 PM 30963576]
S3 PTSimBus;PenTablet Bus Enumerator;d:\windows\system32\DRIVERS\PTSimBus.sys --> d:\windows\system32\DRIVERS\PTSimBus.sys [?]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;d:\windows\system32\DRIVERS\PTSimHid.sys --> d:\windows\system32\DRIVERS\PTSimHid.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2011-02-10 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-839522115-2146978909-1003Core.job
- d:\documents and settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 19:20]

2011-02-10 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-839522115-2146978909-1003UA.job
- d:\documents and settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 19:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: S&end to OneNote - d:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
IE: Send To &Bluetooth - d:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: aol.com\free
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - d:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-10 18:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1177238915-839522115-2146978909-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{86A061ED-016E-8200-7953-F71D1078F6D3}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hapjpchgacgeidol"=hex:61,61,00,00
"hapjpchgkaacmmek"=hex:61,61,00,00
"iadpalldfapbbnmieo"=hex:6a,61,70,6e,6c,63,64,6d,66,62,62,62,61,63,63,67,66,70,
70,65,00,04
"hajoojgebeomhedl"=hex:6b,61,6f,6e,61,63,70,66,67,6b,6f,6e,6c,67,6f,64,6c,6d,
6a,6a,6e,6d,00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{86A061ED-016E-8200-7953-F71D1078F6D3}\InProcServer32*]
"ianolpbddhinioclfa"=hex:61,61,00,00
"ianolpbddhkoooahok"=hex:61,61,00,00
"janopnckhljdjglhnlng"=hex:6a,61,70,6e,6c,63,64,6d,66,62,62,62,61,63,63,67,66,
70,70,65,00,04
"ianofoimngjieoldah"=hex:6a,61,70,6e,69,63,68,6d,6a,64,63,62,61,66,66,65,6a,63,
6d,62,00,0a

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
Completion time: 2011-02-10 18:38:14
ComboFix-quarantined-files.txt 2011-02-10 23:38
ComboFix2.txt 2011-02-07 06:05

Pre-Run: 1,914,171,392 bytes free
Post-Run: 2,073,423,872 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 4ED1000A635BFA77B2BFD1FB47B71605

#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:12 PM

Posted 11 February 2011 - 03:38 PM

Good evening. :)

Thanks for the browser info - I'll have a dabble this weekend.

OK, there seem to be some leftovers still showing in the CF log, but as the two nasty files have been deleted it should be simple enough to remove them - if the two files didn't go nicely I'd have been a little more concerned.

Copy and paste the following into Notepad (Start > All Programs > Accessories > Notepad):

Regnull::
[HKEY_USERS\S-1-5-21-1177238915-839522115-2146978909-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{86A061ED-016E-8200-7953-F71D1078F6D3}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{86A061ED-016E-8200-7953-F71D1078F6D3}\InProcServer32*]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\||A~*]

Driver::
kx1avs
kx1usb

File::
d:\windows\system32\Drivers\kx1avs.sys
d:\windows\system32\Drivers\kx1usb.sys


Save it to your Desktop with the following filename: CFScript
Drag and drop CFScript.txt onto your copy of Combofix and let it do its thing.
Let me have the log produced, as before.

So long, and thanks for all the fish.
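As an added example (not code from DDS, ComboFix, BleepingComputer or anyone in this thread), the Python below automates the two judgement calls Noviciate makes above: picking out driver files in the DDS log that deserve a Jotti-style multi-engine scan (post #8), and writing the ones a scan has confirmed into the Driver:: / File:: CFScript layout used in posts #10 and #12. The size-cluster heuristic and the reading of DDS's "path --> path [?]" form as "file not found" are my assumptions; the sample log lines are copied from the DDS log posted earlier in the thread.

```python
"""Triage a DDS log for driver files worth a multi-engine scan (added example,
not part of DDS, ComboFix or BleepingComputer). Flags .sys files created in the
last 30 days that share an exact byte size with other new drivers, and driver
services whose image DDS could not find ("path --> path [?]", assumed meaning).
Neither flag is a verdict; it is a reason to submit the file for scanning."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log posted earlier in the thread.
SAMPLE_DDS_LOG = r"""
============= SERVICES / DRIVERS ===============
R1 ehdrv;ehdrv;d:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R3 sbusb;Sound Blaster USB Audio Driver;d:\windows\system32\drivers\sbusb.sys [2009-6-17 1643648]
S3 kx1avs;kx1avs;d:\windows\system32\drivers\kx1avs.sys --> d:\windows\system32\drivers\kx1avs.sys [?]
S3 kx1usb;kx1usb;d:\windows\system32\drivers\kx1usb.sys --> d:\windows\system32\drivers\kx1usb.sys [?]
=============== Created Last 30 ================
2011-02-07 04:39:21 54016 ----a-w- d:\windows\system32\drivers\tisdpf.sys
2011-02-07 01:49:58 54016 ----a-w- d:\windows\system32\drivers\lxbmdf.sys
2011-02-05 18:58:21 14592 ----a-w- d:\windows\system32\drivers\kbdhid.sys
2011-02-03 10:54:58 54016 ----a-w- d:\windows\system32\drivers\lmuqafti.sys
2011-02-03 05:58:16 54016 ----a-w- d:\windows\system32\drivers\wnuhnxws.sys
2011-01-23 01:22:29 368640 ----a-w- d:\windows\system32\ReWire.dll
"""

# Directories show "--------" where the size goes, so they do not match.
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\d+) \S+ (.+)$")
# "S3 name;display;path [date size]" or "... path --> path [?]" for a missing file.
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?)(?: --> .+?)? \[([^\]]*)\]$")


def parse_dds(text):
    """Return (created, services): (path, size) pairs and service dicts."""
    created, services, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=") and line.endswith("="):   # section banner
            section = line.strip("= ").lower()
        elif section == "created last 30":
            m = CREATED_RE.match(line)
            if m:
                created.append((m.group(2), int(m.group(1))))
        elif section == "services / drivers":
            m = SERVICE_RE.match(line)
            if m:
                services.append({"start": m.group(1), "name": m.group(2),
                                 "path": m.group(4), "info": m.group(5)})
    return created, services


def triage(text):
    """Map each flagged driver path to the list of reasons it was flagged."""
    created, services = parse_dds(text)
    reasons = defaultdict(list)
    # Heuristic 1: droppers often write one driver image under several random
    # names, so the byte size repeats even though the names do not.
    by_size = defaultdict(list)
    for path, size in created:
        if path.lower().endswith(".sys"):
            by_size[size].append(path)
    for size, paths in by_size.items():
        if len(paths) >= 2:
            for path in paths:
                reasons[path].append(
                    f"same size ({size} bytes) as {len(paths) - 1} other new driver(s)")
    # Heuristic 2: a service still registered for a file that is gone or hidden.
    for svc in services:
        if svc["info"] == "?":
            reasons[svc["path"]].append(
                f"service '{svc['name']}' points at a file DDS could not find")
    return dict(reasons)


def cfscript_for(confirmed, services):
    """Render Driver:: and File:: stanzas in the layout the helper used in this
    thread. Only paths a scan has confirmed as bad belong here, never raw flags."""
    names = [s["name"] for s in services if s["path"] in confirmed]
    lines = ["Driver::", *names, ""] if names else []
    lines += ["File::", *sorted(confirmed)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for path, why in sorted(triage(SAMPLE_DDS_LOG).items()):
        print(path, "->", "; ".join(why))
    _, svcs = parse_dds(SAMPLE_DDS_LOG)
    print(cfscript_for({r"d:\windows\system32\drivers\kx1avs.sys",
                        r"d:\windows\system32\drivers\kx1usb.sys"}, svcs))
```

On this sample the size heuristic surfaces all four 54016-byte drivers, not just the two Noviciate named, which is exactly why a flag is only a prompt to scan and not grounds to delete.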

 

 


#13 joshrd

joshrd
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:12 AM

Posted 14 February 2011 - 08:19 PM

Good day! How'd you find Chrome? It's pretty weak security-wise, but it's great for browsing. Here's the latest log:

ComboFix 11-02-13.04 - Josh 02/14/2011 19:48:37.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.957.616 [GMT -5:00]
Running from: d:\documents and settings\Josh\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Josh\Desktop\CFScript.txt
AV: ESET Smart Security 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Created a new restore point

FILE ::
"d:\windows\system32\Drivers\kx1avs.sys"
"d:\windows\system32\Drivers\kx1usb.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kx1avs
-------\Service_kx1usb


((((((((((((((((((((((((( Files Created from 2011-01-15 to 2011-02-15 )))))))))))))))))))))))))))))))
.

2011-02-07 04:39 . 2011-02-07 04:39 54016 ----a-w- d:\windows\system32\drivers\tisdpf.sys
2011-02-07 01:49 . 2011-02-07 01:49 54016 ----a-w- d:\windows\system32\drivers\lxbmdf.sys
2011-02-06 23:59 . 2011-02-06 23:59 -------- d-s---w- d:\documents and settings\NetworkService\UserData
2011-02-06 18:38 . 2011-02-08 19:57 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-02-06 18:38 . 2011-02-06 18:41 -------- d-----w- d:\program files\Spybot - Search & Destroy
2011-02-05 18:58 . 2008-04-14 10:41 21504 -c--a-w- d:\windows\system32\dllcache\hidserv.dll
2011-02-05 18:58 . 2008-04-14 10:41 21504 ----a-w- d:\windows\system32\hidserv.dll
2011-02-05 18:58 . 2008-04-14 05:09 14592 -c--a-w- d:\windows\system32\dllcache\kbdhid.sys
2011-02-05 18:58 . 2008-04-14 05:09 14592 ----a-w- d:\windows\system32\drivers\kbdhid.sys
2011-02-04 01:04 . 2011-02-04 01:04 -------- d-----w- D:\Sets
2011-02-03 06:42 . 2011-02-03 06:42 -------- d-s---w- d:\documents and settings\LocalService\UserData
2011-02-03 06:03 . 2011-02-03 06:03 -------- d-----w- d:\documents and settings\Josh\Application Data\Malwarebytes
2011-02-03 04:23 . 2011-02-07 02:01 -------- d-----w- d:\documents and settings\Josh\Application Data\0FFC93161B6AC8F8BB8C7A0FEF63B4E9
2011-02-02 03:40 . 2011-02-02 03:40 -------- d-----w- d:\program files\Power Tab Software
2011-02-02 03:07 . 2011-02-02 03:40 -------- d-----w- d:\documents and settings\Josh\Application Data\Guitar Pro 6
2011-02-02 03:07 . 2011-02-02 03:07 -------- d-----w- d:\documents and settings\All Users\Application Data\Guitar Pro 6
2011-01-31 20:42 . 2011-02-05 16:22 0 ----a-w- d:\windows\Ryodujitife.bin
2011-01-30 19:57 . 2011-01-30 19:57 103864 ----a-w- d:\program files\Internet Explorer\Plugins\nppdf32.dll
2011-01-23 01:41 . 2011-01-23 01:41 -------- d-----w- d:\program files\Cycling '74
2011-01-23 01:22 . 2009-12-23 23:30 233472 ----a-w- d:\windows\system32\REX Shared Library.dll
2011-01-23 01:22 . 2009-12-23 23:30 368640 ----a-w- d:\windows\system32\ReWire.dll
2011-01-23 01:07 . 2011-01-23 01:07 -------- d-----w- d:\program files\Ableton

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2010-09-02 15:19 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-09-02 15:19 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-11-18 18:12 . 2009-06-15 19:49 81920 ----a-w- d:\windows\system32\isign32.dll
.

((((((((((((((((((((((((((((( SnapShot@2011-02-07_06.00.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-15 00:58 . 2011-02-15 00:58 16384 d:\windows\Temp\Perflib_Perfdata_69c.dat
+ 2010-09-23 08:47 . 2010-09-23 08:47 35760 d:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\reader_sl.exe
+ 2010-09-23 07:03 . 2010-09-23 07:03 99776 d:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\eula.exe
+ 2010-09-23 06:52 . 2010-09-23 06:52 27048 d:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrotextextractor.exe
+ 2010-09-22 22:12 . 2010-09-22 22:12 15800 d:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroRd32Info.exe
+ 2010-09-10 22:17 . 2010-09-10 22:17 684032 d:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\JP2KLib.dll
+ 2010-09-23 00:41 . 2010-09-23 00:41 542168 d:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AdobeCollabSync.exe
+ 2010-09-23 08:47 . 2010-09-23 08:47 349616 d:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroRd32.exe
+ 2010-09-22 22:04 . 2010-09-22 22:04 660912 d:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroPDF.dll
+ 2010-09-22 23:39 . 2010-09-22 23:39 280024 d:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrobroker.exe
+ 2010-09-22 22:50 . 2010-09-22 22:50 251296 d:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\a3dutility.exe
+ 2008-03-20 22:06 . 2009-06-25 18:20 1485176 d:\windows\system32\LegitCheckControl.DLL
+ 2010-09-22 22:05 . 2010-09-22 22:05 2405784 d:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\rt3d.dll
+ 2010-06-19 21:51 . 2010-06-19 21:51 5713920 d:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AGM.dll
+ 2011-01-31 10:45 . 2011-01-31 10:45 11135488 d:\windows\Installer\1819c6ab.msp
+ 2010-09-23 07:03 . 2010-09-23 07:03 20460984 d:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="d:\documents and settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-29 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-02-25 49152]
"SiS Windows KeyHook"="d:\windows\system32\keyhook.exe" [2005-03-04 32768]
"SynTPLpr"="d:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
"SynTPEnh"="d:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
"egui"="d:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
"CTSysVol"="d:\program files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"SbUsb AudCtrl"="sbusbdll.dll" [2004-07-09 119296]
"UpdReg"="d:\windows\UpdReg.EXE" [2000-05-11 90112]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"BCSSync"="d:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - d:\windows\system32\sistray.exe [2009-6-16 331776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi5"=KORGUMDD.DRV

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=d:\windows\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- d:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 11:58 611712 ----a-w- d:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 20:44 3883856 ----a-w- d:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 -c--a-w- d:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-02-23 10:13 77824 -c--a-w- d:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 -c--a-w- d:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
2010-11-19 18:15 5636136 ----a-w- d:\program files\Vidalia Bundle\Vidalia\vidalia.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7971:TCP"= 7971:TCP:BitComet 7971 TCP
"7971:UDP"= 7971:UDP:BitComet 7971 UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 sptd;sptd;d:\windows\system32\drivers\sptd.sys [6/18/2009 12:57 PM 721904]
R1 ehdrv;ehdrv;d:\windows\system32\drivers\ehdrv.sys [5/14/2009 2:47 PM 107256]
R2 ekrn;ESET Service;d:\program files\ESET\ESET Smart Security\ekrn.exe [5/14/2009 2:47 PM 731840]
R3 HSFHWSIS;HSFHWSIS;d:\windows\system32\drivers\HSFHWSIS.sys [6/16/2009 9:30 PM 200576]
R3 sbusb;Sound Blaster USB Audio Driver;d:\windows\system32\drivers\sbusb.sys [6/17/2009 11:29 AM 1643648]
S3 KORGUMDS;KORG USB-MIDI Driver for Windows;d:\windows\system32\drivers\KORGUMDS.SYS [3/29/2007 12:11 AM 21984]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;d:\program files\Microsoft Office\Office14\GROOVE.EXE [1/21/2010 5:51 PM 30963576]
S3 osppsvc;Office Software Protection Platform;d:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 PTSimBus;PenTablet Bus Enumerator;d:\windows\system32\DRIVERS\PTSimBus.sys --> d:\windows\system32\DRIVERS\PTSimBus.sys [?]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;d:\windows\system32\DRIVERS\PTSimHid.sys --> d:\windows\system32\DRIVERS\PTSimHid.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2011-02-14 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-839522115-2146978909-1003Core.job
- d:\documents and settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 19:20]

2011-02-15 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-839522115-2146978909-1003UA.job
- d:\documents and settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 19:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: S&end to OneNote - d:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
IE: Send To &Bluetooth - d:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: aol.com\free
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - d:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-14 19:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2620)
d:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
d:\progra~1\MICROS~3\Office14\1033\GrooveIntlResource.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Bonjour\mDNSResponder.exe
d:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
d:\windows\system32\RunDll32.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2011-02-14 20:03:37 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-15 01:03
ComboFix2.txt 2011-02-10 23:38
ComboFix3.txt 2011-02-07 06:05

Pre-Run: 2,751,180,800 bytes free
Post-Run: 2,740,056,064 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - EF8890E8C7E82552975DED90642A7A22

#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:12 PM

Posted 15 February 2011 - 03:16 PM

Good evening. :)

How'd you find Chrome?

Ah, well, I er.... didn't actually get around to installing it! :whistle: I did unlock and flash a custom ROM onto my smartphone though. Rome wasn't built in a day, and all that.

One registry key that hasn't deleted and two files that I didn't pick up on last time - hopefully this will see the back of both:

Copy and paste the following into Notepad (Start > All Programs > Accessories > Notepad):

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\||A~*]

File::
d:\windows\system32\drivers\tisdpf.sys
d:\windows\system32\drivers\lxbmdf.sys


Save it to your Desktop with the following filename: CFScript
Drag and drop CFScript.txt onto your copy of Combofix and let it do its thing.
Let me have the log produced, as usual.

So long, and thanks for all the fish.

#15 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:12 PM

Posted 20 February 2011 - 03:02 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.