
Is my computer clean?


  • This topic is locked
24 replies to this topic

#1 ddpoet (Members, 23 posts)

Posted 09 March 2011 - 01:51 PM

I've been struggling with some serious problems. I've run Malwarebytes, AVG, TDSSKiller, ComboFix, Spybot, Ad-Aware, PC Pitstop, HijackThis and CCleaner. Malware that has turned up includes Trojanwin32.generic.pak!cobra level 2 and trojanhorsepsw.generic8.awxb. AVG LinkScanner was blocked; the message was "exploit blackhole exploit kit". The process name was c:/windows/system32/sychost.exe. The ComboFix scan log says bootkit tdl4 was found and disinfected. My browser is not being redirected anymore, so I might be OK, but I would really like to know for sure. I'm not able to run a GMER scan; I've downloaded it, but when I open the exe file it seems to begin a scan, then my computer locks up and I have to shut it down with the power button. I will try to attach logs from ComboFix and HijackThis - I hope they will be useful to you. I hope this information will give you enough to be able to take a look. I appreciate your help; thank you.

Attached Files
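The process name in the post above, sychost.exe, differs from the legitimate svchost.exe by a single letter, which is exactly the kind of lookalike name a reviewer scans a process list for. The following is an added example, not part of this thread and not code from DDS or any other tool named here: a small triage check over a DDS "Running Processes" section that flags names one edit away from a well-known Windows binary, known binary names running from an unexpected directory, and known names that DDS printed without a path. The expected-directory table and the sample list (legitimate entries copied from the DDS log later in this thread, plus the sychost.exe path from the post above) are constructed for the example.

```python
import os

# Where the imitated Windows binaries normally live (lower-case, forward slashes).
# This table is an assumption for the example, not something DDS or the thread provides.
EXPECTED_DIR = {
    "svchost.exe":  "c:/windows/system32",
    "lsass.exe":    "c:/windows/system32",
    "csrss.exe":    "c:/windows/system32",
    "winlogon.exe": "c:/windows/system32",
    "services.exe": "c:/windows/system32",
    "spoolsv.exe":  "c:/windows/system32",
    "smss.exe":     "c:/windows/system32",
    "wuauclt.exe":  "c:/windows/system32",
    "explorer.exe": "c:/windows",
}

# Constructed sample: legitimate entries copied from the DDS log later in this thread,
# plus the "sychost.exe" path reported in post #1.
SAMPLE_PROCESS_LIST = r"""
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
c:/windows/system32/sychost.exe
"""


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character name changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_process_entry(entry):
    """Return a (kind, name, detail) finding for one DDS process line, or None.

    kind is "lookalike" (name one edit away from a system binary), "unexpected_dir"
    (a real system binary name running from somewhere else) or "no_path" (DDS printed
    the name without a path, so the log alone cannot confirm which file it is)."""
    cmd = entry.strip().split(" -", 1)[0]          # drop "-k netsvcs" style arguments
    directory, name = os.path.split(cmd.replace("\\", "/").lower())
    if not name:
        return None
    if name in EXPECTED_DIR:
        if not directory:
            return ("no_path", name, "")
        if directory != EXPECTED_DIR[name]:
            return ("unexpected_dir", name, directory)
        return None
    for known in EXPECTED_DIR:
        if edit_distance(name, known) == 1:
            return ("lookalike", name, known)
    return None


def scan_process_list(text):
    """Run the check over every non-empty line of a DDS 'Running Processes' section."""
    findings = []
    for line in text.splitlines():
        if line.strip() in ("", "."):
            continue
        f = check_process_entry(line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for kind, name, detail in scan_process_list(SAMPLE_PROCESS_LIST):
        print(f"{kind:15} {name:15} {detail}")
```

A "no_path" finding is only a prompt to verify the file by other means (DDS prints a bare name when it cannot resolve the image path); the "lookalike" finding is the one that would have caught sychost.exe. On a 64-bit system a second legitimate directory (SysWOW64) would have to be added to the table.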




#2 oneof4 (Malware Response Team, 3,779 posts, Location: The Collective)

Posted 14 March 2011 - 03:45 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about your installed Windows Operating System, including the Version, Edition and whether it is a 32-bit or 64-bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended, please try one more time and, if unsuccessful, alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Thanks and again sorry for the delay.

Best Regards,
oneof4.


#3 oneof4 (Malware Response Team, 3,779 posts, Location: The Collective)

Posted 18 March 2011 - 12:06 PM

Do you still need help?

Best Regards,
oneof4.


#4 ddpoet (Topic Starter, Members, 23 posts)

Posted 18 March 2011 - 12:24 PM

Yes, I do. Did you see my reply with the most recent dds log attachment?

#5 oneof4 (Malware Response Team, 3,779 posts, Location: The Collective)

Posted 18 March 2011 - 12:48 PM

Hi ddpoet :)

Yes, I do. Did you see my reply with the most recent dds log attachment?


All I see is your original post, dated March 9. Please follow my instructions in post #2.

Best Regards,
oneof4.


#6 oneof4 (Malware Response Team, 3,779 posts, Location: The Collective)

Posted 21 March 2011 - 01:01 PM

Do you still need help?

Best Regards,
oneof4.


#7 ddpoet (Topic Starter, Members, 23 posts)

Posted 21 March 2011 - 03:23 PM

Yes I do, thanks for the follow-up. Maybe you might get the message I was working on about 2 mins ago, when I hit enter and lost it. Long story short, I think I opened a new post - can you find it? It had a DDS attach.txt, but I didn't save the DDS text file, by accident. I gave up on a GMER log, because every time I ran GMER it rebooted my system and I got a scary message that said the system recovered from a serious error. It would be great if you could find the new post I made today and look at it. If you want me to run through the process again, I could do it tomorrow. Please let me know, and thanks for your help. The computer has been locking up on me a lot, and the speakers have static.

#8 oneof4 (Malware Response Team, 3,779 posts, Location: The Collective)

Posted 21 March 2011 - 09:39 PM

Hi :)

Sorry, I'm not finding it.

Refer back to Post #2 and re-run DDS, then instead of GMER try this:

Scan With RKUnHooker

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

If you downloaded from either of the second two links, in order to use this tool you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

Best Regards,
oneof4.


#9 ddpoet (Topic Starter, Members, 23 posts)

Posted 24 March 2011 - 06:17 PM

Here's another try - hope I get it right this time. Thanks again.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by John at 17:44:06.85 on Thu 03/24/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.142 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\QZ9HBSS0\dds[1].scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab?1270695672013
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1245385073968
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\px1z9w57.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4d74400d&v=6.011.025.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\john\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\john\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: AVG Security Toolbar em:version=6.011.025.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg10\toolbar\firefox\avg@igeared
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-6-18 13696]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]
S1 MpKsl3737888e;MpKsl3737888e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e26903c1-a54c-475d-a07d-1216fb0c63fe}\mpksl3737888e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e26903c1-a54c-475d-a07d-1216fb0c63fe}\MpKsl3737888e.sys [?]
S1 MpKsl40549e39;MpKsl40549e39;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c24a3527-45d6-45a0-983c-8a4e861b7b19}\mpksl40549e39.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c24a3527-45d6-45a0-983c-8a4e861b7b19}\MpKsl40549e39.sys [?]
S1 MpKsl74f69abc;MpKsl74f69abc;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c24a3527-45d6-45a0-983c-8a4e861b7b19}\mpksl74f69abc.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c24a3527-45d6-45a0-983c-8a4e861b7b19}\MpKsl74f69abc.sys [?]
S1 MpKsl94c9441a;MpKsl94c9441a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{de91a604-fc7a-44a8-acfb-11d1be8953b6}\mpksl94c9441a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{de91a604-fc7a-44a8-acfb-11d1be8953b6}\MpKsl94c9441a.sys [?]
S1 MpKsl9ecfa291;MpKsl9ecfa291;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c24a3527-45d6-45a0-983c-8a4e861b7b19}\mpksl9ecfa291.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c24a3527-45d6-45a0-983c-8a4e861b7b19}\MpKsl9ecfa291.sys [?]
S1 MpKsla9eabcf9;MpKsla9eabcf9;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9a0f51b4-69d2-4367-9ec8-a749b0a7ddc0}\mpksla9eabcf9.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9a0f51b4-69d2-4367-9ec8-a749b0a7ddc0}\MpKsla9eabcf9.sys [?]
S1 MpKslfa4172f7;MpKslfa4172f7;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c24a3527-45d6-45a0-983c-8a4e861b7b19}\mpkslfa4172f7.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c24a3527-45d6-45a0-983c-8a4e861b7b19}\MpKslfa4172f7.sys [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-3-6 517448]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
.
=============== Created Last 30 ================
.
2011-03-10 02:38:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-10 02:38:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-10 02:38:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-07 03:49:16 -------- d--h--w- C:\$AVG
2011-03-07 02:24:44 -------- d-----w- c:\docume~1\john\locals~1\applic~1\AVG Security Toolbar
2011-03-07 02:16:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2011-03-07 02:14:49 -------- d-----w- c:\windows\system32\drivers\AVG
2011-03-03 20:43:21 -------- d-sha-r- C:\cmdcons
2011-03-03 20:40:48 98816 ----a-w- c:\windows\sed.exe
2011-03-03 20:40:48 89088 ----a-w- c:\windows\MBR.exe
2011-03-03 20:40:48 256512 ----a-w- c:\windows\PEV.exe
2011-03-03 20:40:48 161792 ----a-w- c:\windows\SWREG.exe
2011-03-02 16:30:58 -------- d-----w- c:\program files\Quick Web Player
2011-03-01 23:51:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\Driver Whiz
2011-02-27 20:25:13 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-02-27 20:05:31 -------- d-----w- c:\docume~1\john\locals~1\applic~1\Sunbelt Software
2011-02-24 02:09:00 -------- d-----w- c:\docume~1\john\locals~1\applic~1\Deployment
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll
2011-02-02 23:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 17:47:32.35 ===============


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
ntoskrnl.exe-->NtOpenProcess, Type: Address change 0x80574AA9-->F53406C0 [C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys]
ntoskrnl.exe-->NtTerminateProcess, Type: Address change 0x805839B9-->F5340770 [C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys]
ntoskrnl.exe-->NtTerminateThread, Type: Address change 0x80577F1F-->F5340810 [C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys]
ntoskrnl.exe-->NtWriteVirtualMemory, Type: Address change 0x8057F712-->F53408B0 [C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys]

Attached Files
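The RkU report above lists four ntoskrnl.exe exports (NtOpenProcess, NtTerminateProcess, NtTerminateThread, NtWriteVirtualMemory) whose dispatch addresses now point into AVGIDSShim.Sys, a driver the DDS log in the same post lists alongside the other AVGIDS components. That pattern, a security product hooking process and memory syscalls, is what a reviewer expects to see on a machine running AVG; the question is whether any hook belongs to a module nobody can account for. The following is an added example, not part of this thread and not code from Rootkit Unhooker: a parser for the "Address change" lines in the report format shown above, grouping the hooked functions by owning module and listing any hook whose module is not on a reviewer-supplied allowlist. The sample text is copied from the report above; the allowlist is an assumption for the example.

```python
import re
from collections import OrderedDict

# One RKUnhooker "Address change" line, in the shape shown in the report above:
#   <image>-->NtFunction, Type: Address change 0x<original>--><new> [<module path>]
HOOK_RE = re.compile(
    r"^(?P<image>\S+)-->(?P<func>\w+), Type: Address change "
    r"0x(?P<orig>[0-9A-Fa-f]+)-->(?P<new>[0-9A-Fa-f]+) \[(?P<module>[^\]]+)\]\s*$"
)

# Header and hook lines copied from the RkU report posted in this thread.
SAMPLE_REPORT = r"""RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
ntoskrnl.exe-->NtOpenProcess, Type: Address change 0x80574AA9-->F53406C0 [C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys]
ntoskrnl.exe-->NtTerminateProcess, Type: Address change 0x805839B9-->F5340770 [C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys]
ntoskrnl.exe-->NtTerminateThread, Type: Address change 0x80577F1F-->F5340810 [C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys]
ntoskrnl.exe-->NtWriteVirtualMemory, Type: Address change 0x8057F712-->F53408B0 [C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys]
"""

# Allowlist assumed for this example: the AVG driver the report above attributes the hooks to.
KNOWN_AV_HOOKERS = {"avgidsshim.sys"}


def parse_hooks(report_text):
    """Return one dict per hooked kernel export found in an RkU report; other lines are ignored."""
    hooks = []
    for line in report_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        module = m["module"]
        hooks.append({
            "image": m["image"],
            "func": m["func"],
            "orig": int(m["orig"], 16),        # address the export pointed to originally
            "new": int(m["new"], 16),          # address it points to now
            "module": module,
            "module_name": module.replace("\\", "/").rsplit("/", 1)[-1],
        })
    return hooks


def hooks_by_module(hooks):
    """Group hooked function names by the file name of the module now owning them."""
    grouped = OrderedDict()
    for h in hooks:
        grouped.setdefault(h["module_name"], []).append(h["func"])
    return grouped


def unattributed_hooks(hooks, known_modules):
    """Hooks whose owning module is not on the reviewer's allowlist (lower-cased file names)."""
    return [h for h in hooks if h["module_name"].lower() not in known_modules]


if __name__ == "__main__":
    found = parse_hooks(SAMPLE_REPORT)
    for module, funcs in hooks_by_module(found).items():
        print(f"{module}: {', '.join(funcs)}")
    for h in unattributed_hooks(found, KNOWN_AV_HOOKERS):
        print(f"REVIEW: {h['func']} redirected to {h['new']:#x} in {h['module']}")
```

Grouping by module is what makes the report readable: four hooks all owned by one security driver read very differently from four hooks spread over modules with no vendor attribution. The allowlist has to be maintained by the reviewer; the parser only tells you which modules need an explanation.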



#10 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,247 posts, Location: Romania)

Posted 25 March 2011 - 11:25 AM

Hello and sorry for the delay.

You mentioned you ran Combofix. Can you please post me its log? It can be found at c:\combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 ddpoet (Topic Starter, Members, 23 posts)

Posted 25 March 2011 - 11:58 AM

I already deleted that one. I can run another one - do you want me to paste or attach it?

#12 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,247 posts, Location: Romania)

Posted 25 March 2011 - 12:14 PM

Please run it (make sure you update it if prompted) and paste the log in your next reply.

regards, Elise




#13 ddpoet (Topic Starter, Members, 23 posts)

Posted 29 March 2011 - 12:25 PM

Sorry it took me so long to reply, but here is my combofix log. Hope this helps you. Thank you very much for your time and help.

ComboFix 11-03-28.05 - John 03/29/2011 12:04:07.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.463 [GMT -5:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-29 )))))))))))))))))))))))))))))))
.
.
2011-03-10 02:38 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-10 02:38 . 2011-03-10 02:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-10 02:38 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-07 03:49 . 2011-03-07 03:49 -------- d-----w- C:\$AVG
2011-03-07 02:24 . 2011-03-07 02:24 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\AVG Security Toolbar
2011-03-02 16:30 . 2011-03-02 16:34 -------- d-----w- c:\program files\Quick Web Player
2011-03-02 16:03 . 2011-03-03 20:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-03-01 23:51 . 2011-03-01 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Whiz
2011-02-27 20:25 . 2011-02-27 20:25 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-02-27 20:05 . 2011-02-27 20:05 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Sunbelt Software
2011-02-27 20:00 . 2011-03-03 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2009-06-18 04:20 186880 ------w- c:\windows\system32\encdec.dll
2011-02-09 13:53 . 2009-06-18 04:20 270848 ------w- c:\windows\system32\sbe.dll
2011-02-02 23:11 . 2011-01-04 21:27 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2009-06-18 03:48 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-06-18 03:48 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2001-08-23 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2001-08-23 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2001-08-23 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=
backup=c:\windows\pss\Personal Coach.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
LTMSG.exe 7 [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-03-26 02:27 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-01-11 20:08 577536 ----a-w- c:\windows\soundman.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"seclogon"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"cisvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [6/18/2009 11:10 PM 13696]
S1 MpKsl3737888e;MpKsl3737888e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E26903C1-A54C-475D-A07D-1216FB0C63FE}\MpKsl3737888e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E26903C1-A54C-475D-A07D-1216FB0C63FE}\MpKsl3737888e.sys [?]
S1 MpKsl40549e39;MpKsl40549e39;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C24A3527-45D6-45A0-983C-8A4E861B7B19}\MpKsl40549e39.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C24A3527-45D6-45A0-983C-8A4E861B7B19}\MpKsl40549e39.sys [?]
S1 MpKsl74f69abc;MpKsl74f69abc;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C24A3527-45D6-45A0-983C-8A4E861B7B19}\MpKsl74f69abc.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C24A3527-45D6-45A0-983C-8A4E861B7B19}\MpKsl74f69abc.sys [?]
S1 MpKsl94c9441a;MpKsl94c9441a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DE91A604-FC7A-44A8-ACFB-11D1BE8953B6}\MpKsl94c9441a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DE91A604-FC7A-44A8-ACFB-11D1BE8953B6}\MpKsl94c9441a.sys [?]
S1 MpKsl9ecfa291;MpKsl9ecfa291;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C24A3527-45D6-45A0-983C-8A4E861B7B19}\MpKsl9ecfa291.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C24A3527-45D6-45A0-983C-8A4E861B7B19}\MpKsl9ecfa291.sys [?]
S1 MpKsla9eabcf9;MpKsla9eabcf9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9A0F51B4-69D2-4367-9EC8-A749B0A7DDC0}\MpKsla9eabcf9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9A0F51B4-69D2-4367-9EC8-A749B0A7DDC0}\MpKsla9eabcf9.sys [?]
S1 MpKslfa4172f7;MpKslfa4172f7;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C24A3527-45D6-45A0-983C-8A4E861B7B19}\MpKslfa4172f7.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C24A3527-45D6-45A0-983C-8A4E861B7B19}\MpKslfa4172f7.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\px1z9w57.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4d74400d&v=6.011.025.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-29 12:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3348)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-03-29 12:18:20
ComboFix-quarantined-files.txt 2011-03-29 17:18
ComboFix2.txt 2011-03-03 21:22
.
Pre-Run: 40,807,317,504 bytes free
Post-Run: 40,861,044,736 bytes free
.
- - End Of File - - 82A3B39B569AFBDAFB9A254794F1674F

#14 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,247 posts, Location: Romania)

Posted 29 March 2011 - 01:07 PM

Thank you. Can you please give me some more details on your problem? Are the lock-ups completely random? What about the sound, does that happen always?
Please try to reboot your computer in Safe Mode with Networking and let me know how things run there.

regards, Elise




#15 ddpoet (Topic Starter, Members, 23 posts)

Posted 01 April 2011 - 01:33 PM

My computer takes a very long time to start up, and as it starts the speakers have static. And the cursor jumps around. Today when I turned it on, it locked up before I could sign on, and I had to power it off to restart it. I installed AVG last night; at first it wouldn't run the install, then I got it to install but it took much longer than normal. I'm in safe mode with networking right now, and the speakers don't work - when I went into the control panel, I couldn't adjust the volume. Everything else seems to be OK, as far as I can tell. I don't have problems with browser redirection any more - I think all the antivirus stuff I ran rooted out those trojans and keylogger infections. Did you find anything in the ComboFix log that would help you figure out if I'm free of the malware and viruses? I want to back up this computer to an external hard drive, but I don't want to bring any infected files along with it. Any suggestions on that?



