Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hidden rootkit found message from Avast!


  • This topic is locked This topic is locked
2 replies to this topic

#1 mak1976

mak1976

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:31 AM

Posted 08 March 2011 - 02:40 PM

Hi Bleeping computer Team!

I found you after attempting to remove the possible Malware!I will appreciate very much if you can find a solution for me.
Here is the DDS log and the attached file.
Thanks and regards

Al Khan
------------------------------

DDS (Ver_11-03-05.01) - NTFSx86
Run by MAKHAN at 12:20:33.77 on 08/03/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.2.1033.18.1790.868 [GMT -5:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\atieclxx.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\windows\System32\LEXBCES.EXE
C:\windows\system32\taskhost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\windows\System32\LEXPPS.EXE
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Blaze Media Pro\NMSAccess32.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\taskeng.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Real\realplayer\Update\realsched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\LoadRunner\LAUNCH_SERVICE\bin\magentproc.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\windows\system32\NOTEPAD.EXE
C:\Users\MAKHAN\Desktop\Defogger.exe
C:\windows\system32\conhost.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\DllHost.exe
C:\Users\MAKHAN\Desktop\dds.scr
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: BHOManager Class: {474264bc-9571-47c1-85b9-780f756dc9ce} - c:\windows\system32\BHOManager.dll
BHO: Plugin Class: {56cd20f0-7c09-11d5-a768-0050042307ce} - c:\program files\sap\sap tutor\PlayerIE.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [MyTOSHIBA] "c:\program files\toshiba\my toshiba\MyToshiba.exe" /AUTO
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [HWSetup] "c:\program files\toshiba\utilities\HWSetup.exe" hwSetUP
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [ToshibaServiceStation] "c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe" /hide:60
mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exe
mRun: [NortonOnlineBackupReminder] "c:\program files\toshiba\toshiba online backup\activation\TobuActivation.exe" UNATTENDED
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [FaxCenterServer4_in_1] "c:\program files\lexmark 4200 series\fax\fm3032.exe" /s
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
StartupFolder: c:\users\makhan\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\loadru~1.lnk - c:\program files\hp\loadrunner\launch_service\bin\magentproc.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\paloal~1.lnk - c:\program files\common files\palo alto software\9.0\PAS9_Update.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with Mipony - file://c:\program files\mipony\browser\IEContext.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mif5ba~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
Handler: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} -
Handler: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} -
SEH: ShHook Class: {a5949e07-8536-4625-a3d0-2dd83f559990} - c:\windows\system32\ShellHook.dll
mASetup: {01250B8F-D947-4F8A-9408-FE8E3EE2EC92} - c:\program files\toshiba\my toshiba\MyToshiba.exe /SETUP
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\makhan\appdata\roaming\mozilla\firefox\profiles\33fo80ab.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - SweetIM Search
FF - prefs.js: browser.startup.homepage - hxxp://help.sap.com/saphelp_nw04/helpdata/en/1b/e81c3b84e65e7be10000000a11402f/frameset.htm|http://www.saptransactioncodes.com/search|http://www.payscale.com/research/CA/Job=SAP_Testing_Analyst/Job-Listings/Mississauga-Ontario|http://www.saptechies.com/category/industry-solutions/|http://ca.indeed.com/viewjob?jk=129f94caf040663a&chnl=rclisting&atk=15pc69rfe0g4g0dp&jsa=2876&inchal=apiresults|http://www.workopolis.com/EN/job/11956986?uc=E12&cid=271%3A19L%3A13678&utm_source=Indeed&utm_medium=organic&utm_campaign=Indeed|http://ca.indeed.com/viewjob?jk=379f57972cb809f2&chnl=rclisting&atk=15pc69rfe0g4g0dp&jsa=2876&inchal=apiresults|https://sjobs.brassring.com/1033/ASP/TG/cim_jobdetail.asp?jobId=371247&partnerid=25172&siteid=5235|http://www.allinterview.com/showqa/Basis/page1.html|http://www.erpgenie.com/sap-technical/security/sap-security-interview-questions
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: SkipScreen: SkipScreen@SkipScreen - %profile%\extensions\SkipScreen@SkipScreen
FF - Ext: SweetIM Toolbar for Firefox: {EEE6C361-6118-11DC-9C72-001320C79847} - %profile%\extensions\{EEE6C361-6118-11DC-9C72-001320C79847}
FF - Ext: Selenium IDE: Ruby Formatters: rubyformatters@seleniumhq.org - %profile%\extensions\rubyformatters@seleniumhq.org
FF - Ext: Selenium IDE: Java Formatters: javaformatters@seleniumhq.org - %profile%\extensions\javaformatters@seleniumhq.org
FF - Ext: Selenium IDE: Groovy Formatters: groovyformatters@seleniumhq.org - %profile%\extensions\groovyformatters@seleniumhq.org
FF - Ext: Selenium IDE: Perl Formatter: perlformatters@seleniumhq.org - %profile%\extensions\perlformatters@seleniumhq.org
FF - Ext: Selenium IDE: PHP Formatters: phpformatters@seleniumhq.org - %profile%\extensions\phpformatters@seleniumhq.org
FF - Ext: Selenium IDE: {a6fd85ed-e919-4a43-a5af-8da18bda539f} - %profile%\extensions\{a6fd85ed-e919-4a43-a5af-8da18bda539f}
FF - Ext: Selenium IDE: Python Formatters: pythonformatters@seleniumhq.org - %profile%\extensions\pythonformatters@seleniumhq.org
FF - Ext: Selenium IDE: C# Formatters: csharpformatters@seleniumhq.org - %profile%\extensions\csharpformatters@seleniumhq.org
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: Dictionary.com Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Softonic-Eng7 Community Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - %profile%\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-5 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-10-7 301528]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-12-21 176128]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-10-7 19544]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-10-7 53592]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-3-5 42184]
R2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\toshiba\configfree\CFIWmxSvcs.exe [2009-8-10 185712]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-10 46448]
R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [2011-1-31 10951]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-12-21 167936]
R3 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2009-12-21 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-8-3 111960]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-7 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-10-7 1343400]
.
=============== Created Last 30 ================
.
2011-03-08 04:04:54 -------- d-sh--w- C:\$RECYCLE.BIN
2011-03-08 04:04:42 -------- d-----w- c:\users\makhan\appdata\local\temp
2011-03-07 03:48:37 -------- d-----w- c:\program files\MiPony
2011-03-06 12:09:33 -------- d-----w- c:\program files\Microsoft Games
2011-03-06 12:03:49 -------- d-----w- C:\inetpub
2011-03-06 03:47:33 98816 ----a-w- c:\windows\sed.exe
2011-03-06 03:47:33 89088 ----a-w- c:\windows\MBR.exe
2011-03-06 03:47:33 256512 ----a-w- c:\windows\PEV.exe
2011-03-06 03:47:33 161792 ----a-w- c:\windows\SWREG.exe
2011-03-05 16:59:36 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-03-05 05:52:10 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{d072f606-0585-4f6e-bc22-03f1ae3a871d}\mpengine.dll
2011-03-05 05:30:31 0 ----a-w- c:\users\makhan\appdata\local\Clolag.bin
2011-03-05 04:53:02 -------- d-----w- c:\program files\ConduitEngine
2011-03-05 04:52:58 -------- d-----w- c:\program files\Softonic-Eng7
2011-03-04 17:31:18 -------- d-----w- c:\program files\Ask.com
2011-03-04 16:07:34 -------- d-----w- c:\users\makhan\appdata\local\ElevatedDiagnostics
2011-02-26 05:13:53 -------- d-----w- c:\users\makhan\appdata\local\ApplicationHistory
2011-02-26 04:54:54 -------- d-----w- c:\program files\Mercury Interactive
2011-02-26 04:24:59 -------- d-----w- c:\windows\system32\URTTEMP
2011-02-24 20:59:50 -------- d-----w- c:\program files\common files\Mercury
2011-02-24 20:59:18 -------- d-----w- c:\users\makhan\appdata\local\Programs
2011-02-24 20:49:53 -------- d-----w- c:\program files\Microsoft WSE
2011-02-24 11:55:52 276992 ----a-w- c:\windows\system32\wcncsvc.dll
2011-02-22 20:01:54 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-02-22 20:01:53 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-20 18:21:35 -------- d-----w- c:\users\makhan\appdata\roaming\BSplayer Pro
2011-02-20 18:21:33 -------- d-----w- c:\program files\Webteh
2011-02-18 21:50:46 -------- d-----w- c:\program files\common files\Macrovision Shared
2011-02-18 21:49:55 29272 ----a-r- c:\windows\system32\AdobePDF.dll
2011-02-14 17:23:47 -------- d-----w- c:\program files\DjVuZone
2011-02-14 17:13:39 -------- d-----w- c:\users\makhan\Tracing
2011-02-14 17:13:24 98304 ----a-w- c:\windows\system32\redmonnt.dll
2011-02-14 17:13:00 -------- d-----w- c:\program files\FoxTabPDFConverter
2011-02-13 05:38:48 -------- d-----w- c:\program files\djvureader
2011-02-12 16:36:21 -------- d-----w- c:\users\makhan\appdata\roaming\Installer
2011-02-10 21:40:50 204288 ----a-w- c:\windows\system32\upnp.dll
2011-02-10 21:38:18 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-10 21:38:18 294400 ----a-w- c:\windows\system32\atmfd.dll
2011-02-10 21:38:15 1289536 ----a-w- c:\windows\system32\ntdll.dll
2011-02-10 21:38:14 3957120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-02-10 21:38:14 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-02-10 21:37:25 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-02-09 14:48:26 48648 ----a-w- c:\progra~2\microsoft\ehome\packages\mceclientux\updateablemarkup-2\Markup.dll
.
==================== Find3M ====================
.
2011-02-26 05:12:46 1025 ----a-w- c:\windows\system32\va9hh69.dll
2011-02-26 05:12:45 1024 ----a-w- c:\windows\system32\grcauth2.dll
2011-02-26 05:12:45 1024 ----a-w- c:\windows\system32\grcauth1.dll
2011-02-26 05:12:44 1025 ----a-w- c:\windows\system32\clauth2.dll
2011-02-26 05:12:44 1025 ----a-w- c:\windows\system32\clauth1.dll
2011-02-23 15:04:21 40648 ----a-w- c:\windows\avastSS.scr
2011-02-02 22:11:20 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2011-01-05 05:37:33 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-01-05 03:37:38 2329088 ----a-w- c:\windows\system32\win32k.sys
2010-12-21 05:38:24 73728 ----a-w- c:\windows\system32\wscsvc.dll
2010-12-21 05:38:24 51200 ----a-w- c:\windows\system32\wscapi.dll
2010-12-21 05:38:22 981504 ----a-w- c:\windows\system32\wininet.dll
2010-12-21 05:38:22 350720 ----a-w- c:\windows\system32\winhttp.dll
2010-12-21 05:38:21 204800 ----a-w- c:\windows\system32\WebClnt.dll
2010-12-21 05:38:16 14336 ----a-w- c:\windows\system32\slwga.dll
2010-12-21 05:36:17 1389568 ----a-w- c:\windows\system32\msxml6.dll
2010-12-21 05:36:16 1236992 ----a-w- c:\windows\system32\msxml3.dll
2010-12-21 05:34:12 80384 ----a-w- c:\windows\system32\davclnt.dll
2010-12-18 05:29:40 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 05:29:31 541184 ----a-w- c:\windows\system32\kerberos.dll
2010-12-18 04:20:55 386048 ----a-w- c:\windows\system32\html.iec
2010-12-18 03:47:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-12-15 14:45:31 24 --sha-w- c:\windows\S3C5C5DB9.tmp
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: TOSHIBA_MK2555GSX rev.FG001M -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-1
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85C9E439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85ca47b8]; MOV EAX, [0x85ca4834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82C7E448] -> \Device\Harddisk0\DR0[0x85C4D948]
3 CLASSPNP[0x885D259E] -> ntkrnlpa!IofCallDriver[0x82C7E448] -> [0x85FCB028]
\Driver\atapi[0x85C4D030] -> IRP_MJ_CREATE -> 0x85C9E439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-1 -> \??\IDE#DiskTOSHIBA_MK2555GSX_______________________FG001M__#5&b7edd2e&0&1.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 488397166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 12:21:52.32 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:06:31 AM

Posted 08 March 2011 - 07:25 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. It's important to note that these instructions are not suitable for any other computer, even if the issues are fairly similar.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days
    failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Posted Image One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Running TDSSKiller

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


    Posted Image

  • If an infected file is detected, the default action will be Cure, click on Continue.


    Posted Image

  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    Posted Image

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    Posted Image

  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


NEXT:


Running OTL

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


NEXT:



Please be sure to include an update on how things are running in your next reply.

Edited by SweetTech, 11 March 2011 - 09:50 AM.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:06:31 AM

Posted 11 March 2011 - 09:50 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users