
Suspected Rootkit, Windows 7


  • This topic is locked
10 replies to this topic

#1 sarahsaur

sarahsaur

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:31 AM

Posted 18 March 2011 - 06:52 AM

Hi everyone,

I'd really appreciate some help getting rid of what I think is a rootkit. No idea how I picked it up, but I first noticed it when my computer randomly started producing an error saying Windows had had a critical error and would restart in 1 minute. It now does this every 10-15 minutes or so and is extremely annoying. I've turned off the setting so that Windows 7 doesn't restart upon having a critical error, but it still persists. Malwarebytes picked up a tonne of trojans, which it removed. AVG then picked up a rootkit which it said it could not remove because it was hidden. I managed to run a DDS scan before the computer restarted, but only got about half way (I think) through a GMER log and have not been able to keep the system alive long enough to complete the GMER scan. Everything I've managed to get is posted below. Please help :(

Sarah

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Sarahsaur at 22:04:45.69 on Fri 18/03/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Starter 6.1.7600.0.1252.61.1033.18.1014.112 [GMT 11:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\System32\AsusService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe
C:\Program Files\ASUS\EPC\EeeSplendid\AsAgent.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe
C:\Program Files\EeePC\HotkeyService\HotkeyService.exe
C:\Program Files\EeePC\SHE\SuperHybridEngine.exe
C:\Program Files\EeePC\CapsHook\CapsHook.exe
C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe
C:\Windows\System32\igfxpers.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\windows\system32\conhost.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\svchost.exe -k bthsvcs
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\taskhost.exe
C:\windows\System32\svchost.exe -k WerSvcGroup
C:\windows\system32\SearchFilterHost.exe
C:\Users\Sarahsaur\Desktop\dds.scr
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://asus.msn.com
uDefault_Page_URL = hxxp://asus.msn.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [SynAsusAcpi] %ProgramFiles%\Synaptics\SynTP\SynAsusAcpi.exe
mRun: [EeeSplendidAgent] c:\program files\asus\epc\eeesplendid\AsAgent.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HotkeyMon] AsusSender.exe c:\program files\eeepc\hotkeyservice\HotKeyMon.exe
mRun: [HotkeyService] AsusSender.exe c:\program files\eeepc\hotkeyservice\HotkeyService.exe
mRun: [SuperHybridEngine] AsusSender.exe c:\program files\eeepc\she\SuperHybridEngine.exe
mRun: [LiveUpdate] AsusSender.exe c:\program files\asus\liveupdate\LiveUpdate.exe auto
mRun: [CapsHook] AsusSender.exe c:\program files\eeepc\capshook\CapsHook.exe
mRun: [ASUS WebStorage] c:\program files\asus\asus webstorage\service\AsusWSService.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [ASUSPRP] c:\program files\asus\aprp\APRP.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sarahs~1\appdata\roaming\mozilla\firefox\profiles\njyki99h.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.http - proxy.racp.edu.au
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: XULRunner: {AC131083-2F0C-4B1A-8ACA-04F459D55C1B} - c:\users\sarahsaur\appdata\local\{AC131083-2F0C-4B1A-8ACA-04F459D55C1B}
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-27 64288]
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2010-3-29 11448]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 21072]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-3-25 43944]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-3-29 29472]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\drivers\L1C62x86.sys [2010-3-25 51712]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-6-13 54632]
.
=============== Created Last 30 ================
.
2011-03-18 03:44:42 -------- d-----w- c:\users\sarahsaur\dev
2011-03-18 03:39:09 -------- d-----w- c:\users\sarahsaur\.ssh
2011-03-18 03:36:40 -------- d-----w- c:\program files\Git
2011-03-17 10:41:20 -------- d-----w- c:\windows\SHELLNEW
2011-03-11 12:16:19 -------- d-----w- c:\program files\CCleaner
2011-03-10 11:35:39 -------- d-----w- c:\users\sarahs~1\appdata\local\ElevatedDiagnostics
2011-03-05 20:26:30 -------- d-----w- c:\users\sarahs~1\appdata\roaming\AVG10
2011-03-05 20:25:03 -------- d--h--w- c:\progra~2\Common Files
2011-03-05 20:21:05 -------- d-----w- c:\windows\system32\drivers\AVG
2011-03-05 20:21:04 -------- d-----w- c:\progra~2\AVG10
2011-03-05 20:20:03 -------- d-----w- c:\program files\AVG
2011-03-05 12:26:43 -------- d-----w- c:\users\sarahs~1\appdata\roaming\Malwarebytes
2011-03-05 12:26:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-05 12:26:34 -------- d-----w- c:\progra~2\Malwarebytes
2011-03-05 12:26:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-05 12:26:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-05 12:23:12 -------- d-----w- c:\progra~2\MFAData
2011-03-05 11:46:05 0 ----a-w- c:\users\sarahs~1\appdata\local\Uhomiwojiyerez.bin
2011-03-05 11:46:03 -------- d-----w- c:\users\sarahs~1\appdata\local\{AC131083-2F0C-4B1A-8ACA-04F459D55C1B}
2011-02-21 10:54:43 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{8eaa5df3-6417-4f50-bf99-00d84a12b289}\mpengine.dll
.
==================== Find3M ====================
.
2011-02-02 06:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 22:07:53.22 ===============



GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-03-18 22:22:39
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\SARAHS~1\AppData\Local\Temp\fwlyiuoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA4149780]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA4149830]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA41498D0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA4149970]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 81C94599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81CB8F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 4E8 81CC09F8 4 Bytes [80, 97, 14, A4]
.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 81CC0CC8 8 Bytes [30, 98, 14, A4, D0, 98, 14, ...] {XOR [EAX-0x672f5bec], BL; ADC AL, 0xa4}
.text ntkrnlpa.exe!RtlSidHashLookup + 82C 81CC0D3C 4 Bytes [70, 99, 14, A4] {JO 0xffffffffffffff9b; ADC AL, 0xa4}
? System32\Drivers\dytxoutsm.sys A device attached to the system is not functioning. !
? C:\Users\SARAHS~1\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] ntdll.dll!LdrLoadDll 77B4F585 5 Bytes JMP 001213F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85406B28

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\BTHUSB \Device\00000071 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\BTHUSB \Device\0000006f bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] dytxoutsm <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243d42c76
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243de9548
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1c4bd60e6753
Reg HKLM\SYSTEM\CurrentControlSet\services\dytxoutsm@hudga -377929869
Reg HKLM\SYSTEM\CurrentControlSet\services\dytxoutsm@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\dytxoutsm@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\dytxoutsm@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\dytxoutsm@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002243d42c76 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002243de9548 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1c4bd60e6753 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\dytxoutsm@hudga -377929869
Reg HKLM\SYSTEM\ControlSet002\services\dytxoutsm@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\dytxoutsm@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\dytxoutsm@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\services\dytxoutsm@Group Boot Bus Extender



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:31 AM

Posted 21 March 2011 - 07:40 PM

Hello Sarah,


Sorry for the delay. :(

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. IF YOU USE AVG IT MUST BE UNINSTALLED OR THIS WILL NOT RUN.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to sarah.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 sarahsaur

sarahsaur
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:31 AM

Posted 22 March 2011 - 04:42 AM

Hi tea,

Thanks for your reply. Since my last post, the computer became more and more unstable; I couldn't keep it booted up long enough to even open a program, so I reinstalled Windows from a hard drive. It seems more stable now, but I'm still uncertain that it's entirely fixed. Should I still run ComboFix, or should I re-run the DDS and GMER scans?

Cheers,

Sarah

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:31 AM

Posted 22 March 2011 - 11:46 AM

Hi Sarah,

Sorry you had to resort to that. :( Yes, a GMER scan would be good, since it absolutely showed a rootkit before. Is there anything that makes you say you aren't sure it's fixed? Still not right?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#5 sarahsaur

sarahsaur
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:31 AM

Posted 22 March 2011 - 07:38 PM

That's okay, I was just happy to be able to boot it up again :(

It's faster and generally stable for day to day use but I'm still not entirely sure it's fixed because it will randomly BSOD.

It's also been difficult to actually run the GMER scan. The first time it BSODed and said it had a problem with fwlciuoc.sys, the second time it froze on shell32.dll... third time's a charm though, here's a log! :D My main concern is around security - I've changed all my passwords, but I don't want to start using it for things like online banking/social media etc. until I know it's definitely clean.

GMER 1.0.15.15565 - http://www.gmer.net
Rootkit scan 2011-03-23 11:32:29
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD25 rev.01.0
Running: 1nn2x8b5.exe; Driver: C:\Users\SARAHS~1\AppData\Local\Temp\fwlciuoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 81C60589 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81C85092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text autochk.exe 002B1204 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
.text autochk.exe 002B120C 1 Byte [00]
.text autochk.exe 002B1210 1 Byte [00]
.text autochk.exe 002B1214 2 Bytes [00, 00] {ADD [EAX], AL}
.text autochk.exe 002B1218 2 Bytes [00, 00] {ADD [EAX], AL}
.text ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\tmwfp \Device\TMWFP AAC23FD0
Device \Driver\tmactmon \Device\TmActMon AADC612A

AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\BTHUSB \Device\00000072 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\BTHUSB \Device\00000074 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243d42c76
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243de9548
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1c4bd60e6753
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002243d42c76 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002243de9548 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1c4bd60e6753 (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@BalloonTime 2011-03-19 11:14:00
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@BalloonType 12
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@ForcedReboot 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download@LastSuccessTime 2011-03-22 02:41:27
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intel\xae Matrix Storage Manager\Intel\xae Matrix Storage Console.lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel\xae Matrix Storage Manager\Intel\xae Matrix Storage Console.lnk 1

---- EOF - GMER 1.0.15 ----
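The two GMER logs in this thread differ in the lines that matter: the first (post #1) reports a hidden boot-start service, dytxoutsm, whose registry key carries an oddly named value and whose driver file GMER could not read, while the log after the reinstall (post #5) has no hidden service at all. The Python below is an added example, not GMER's code and not from either poster; it parses only the GMER line shapes quoted in those two posts (hidden-service lines, `Reg ...\services\<name>@<value>` lines, `? <driver> <error> !` lines and `SSDT` hook lines), maps the service's `Start` value to its Windows start type, and groups SSDT hooks by the module that installed them so hooks from an installed security product (AVG here) can be told apart from anything unexpected. The embedded logs are excerpts copied from the two posts; the set of "standard" service value names is an assumption of this example.

```python
"""Triage helper for the two GMER logs posted in this thread.

Added example (not GMER's code and not from either poster).  It parses only
the GMER line shapes that appear in the posts above and reports, per hidden
service: the Start value (as a Windows start type), the load-order Group,
whether GMER could read the driver file, and registry values under the
service key whose names are not standard service configuration.
"""
import re
from collections import defaultdict

# Standard meanings of the Start value under HKLM\SYSTEM\...\services\<name>.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

# Value names Windows itself uses under a service key (assumed list for this
# example).  Anything else under a hidden service key, like "hudga" in the first
# log, is worth a second look.
STANDARD_SERVICE_VALUES = {
    "Type", "Start", "ErrorControl", "Group", "ImagePath", "DisplayName",
    "Description", "ObjectName", "Tag", "DependOnService", "DependOnGroup",
}

HIDDEN_RE = re.compile(r"^Service \(\*\*\* hidden \*\*\* \) \[(\w+)\] (\S+)")
REG_RE = re.compile(r"^Reg HKLM\\SYSTEM\\(\w+)\\services\\([^\\@]+)@(\w+) (.*)$")
FILE_ERR_RE = re.compile(r"^\? (\S+) (.+?) !$")
SSDT_RE = re.compile(r"^SSDT (\S+) \(.*?\) (Zw\w+) \[0x[0-9A-Fa-f]+\]")


def parse_gmer(text):
    """Pull the four indicator kinds out of a GMER log into plain dicts."""
    hidden = {}                    # service name -> phase GMER reports ([BOOT], ...)
    registry = defaultdict(dict)   # service name -> {value name: data}, active ControlSet only
    file_errors = {}               # driver path -> error GMER got reading it
    ssdt = defaultdict(list)       # hooking module (basename) -> [hooked Zw* entries]
    for raw in text.splitlines():
        line = raw.strip()
        if m := HIDDEN_RE.match(line):
            hidden[m.group(2)] = m.group(1)
        elif m := REG_RE.match(line):
            control_set, service, value, data = m.groups()
            if control_set == "CurrentControlSet":   # ignore inactive ControlSet00N copies
                registry[service][value] = data
        elif m := FILE_ERR_RE.match(line):
            file_errors[m.group(1)] = m.group(2)
        elif m := SSDT_RE.match(line):
            ssdt[m.group(1).rsplit("\\", 1)[-1]].append(m.group(2))
    return hidden, registry, file_errors, ssdt


def triage(text):
    """One finding per hidden service, with the context a responder wants."""
    hidden, registry, file_errors, _ = parse_gmer(text)
    findings = []
    for service, phase in hidden.items():
        cfg = registry.get(service, {})
        suffix = "\\" + service.lower() + ".sys"
        image = next((p for p in file_errors if p.lower().endswith(suffix)), None)
        findings.append({
            "service": service,
            "gmer_phase": phase,
            "start": START_TYPES.get(cfg.get("Start", ""), "unknown"),
            "group": cfg.get("Group"),
            "driver_unreadable": file_errors[image] if image else None,
            "unusual_values": sorted(v for v in cfg if v not in STANDARD_SERVICE_VALUES),
        })
    return findings


def ssdt_hooks(text):
    """SSDT hooks grouped by the module that installed them."""
    return dict(parse_gmer(text)[3])


# Excerpts copied from the two GMER logs in this thread: the first run (post #1,
# before the reinstall) and the run after it (post #5).
GMER_BEFORE = r"""
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA4149780]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA4149830]
? System32\Drivers\dytxoutsm.sys A device attached to the system is not functioning. !
? C:\Users\SARAHS~1\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
Service (*** hidden *** ) [BOOT] dytxoutsm <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243d42c76
Reg HKLM\SYSTEM\CurrentControlSet\services\dytxoutsm@hudga -377929869
Reg HKLM\SYSTEM\CurrentControlSet\services\dytxoutsm@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\dytxoutsm@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\dytxoutsm@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\dytxoutsm@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\services\dytxoutsm@Start 0
"""

GMER_AFTER = r"""
.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 81C60589 1 Byte [06]
AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243d42c76
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@ForcedReboot 1
"""

if __name__ == "__main__":
    for label, log in (("before reinstall", GMER_BEFORE), ("after reinstall", GMER_AFTER)):
        print(label, "->", triage(log) or "no hidden services", ssdt_hooks(log))
```

Run against the first excerpt, `triage` returns one finding: a hidden service that loads at boot (`Start 0`) in the `Boot Bus Extender` group, whose driver GMER could not read, with the non-standard value `hudga` under its key; against the post-reinstall excerpt it returns nothing, and `ssdt_hooks` attributes every hook in the first log to the AVG module. A boot-start driver in that group loads before most security products, which is why the thread's helper treats the GMER result as decisive.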

#6 sarahsaur

sarahsaur
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:31 AM

Posted 29 March 2011 - 11:38 PM

Update: the computer is getting slower and the internet connection is practically dead. Says it's connected but it's so slow it won't load any pages. Please help :(

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:31 AM

Posted 31 March 2011 - 09:28 PM

Hi Sarah,

Can you go back to post #2 and follow those original directions? :) Also, do you use a router? If you do, disconnect it completely from everything, including the power, and reset to default, then put a password on it. While you're disconnected, see if the problem persists on the computer itself.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#8 sarahsaur

sarahsaur
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:31 AM

Posted 01 April 2011 - 07:16 PM

Hi Tea,

I'm not running a router, just a wireless modem that my ISP sent. No idea how to reset it - should I give my ISP a call? In the meantime, ComboFix log below:

ComboFix 11-04-01.01 - Sarahsaur 04/02/2011 10:55:43.1.2 - x86
Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1014.370 [GMT 11:00]
Running from: c:\users\Sarahsaur\Downloads\ComboFix.exe
AV: Trend Micro Internet Security *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
FW: Trend Micro Personal Firewall *Disabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
SP: Trend Micro Internet Security *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\FullRemove.exe
c:\windows\system32\service
c:\windows\system32\service\29032011_TIS17_PccScan.log
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-03-02 to 2011-04-02 )))))))))))))))))))))))))))))))
.
.
2011-04-02 00:06 . 2011-04-02 00:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-25 20:04 . 2011-02-19 05:32 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-03-25 20:04 . 2011-02-19 05:33 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-03-25 20:04 . 2011-02-19 05:32 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-03-24 23:48 . 2011-03-24 23:48 -------- d-----w- c:\windows\system32\log
2011-03-24 11:01 . 2010-12-20 07:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-24 11:01 . 2011-03-24 11:01 -------- d-----w- c:\programdata\Malwarebytes
2011-03-24 11:01 . 2010-12-20 07:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-24 11:01 . 2011-03-24 11:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-23 11:35 . 2011-03-23 11:35 -------- d-----w- c:\windows\en
2011-03-23 11:34 . 2010-09-22 13:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2011-03-23 11:28 . 2009-09-04 06:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2011-03-23 11:28 . 2009-09-04 06:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2011-03-23 11:28 . 2009-09-04 06:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-03-23 11:24 . 2011-03-29 05:30 -------- d-----w- c:\program files\Microsoft Silverlight
2011-03-20 09:25 . 2009-11-25 01:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-03-20 09:25 . 2009-11-25 01:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2011-03-20 09:25 . 2009-11-25 01:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2011-03-20 09:25 . 2009-11-25 01:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2011-03-20 09:25 . 2009-11-25 01:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-03-20 08:45 . 2010-03-04 03:57 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2011-03-20 08:44 . 2010-09-14 06:07 276992 ----a-w- c:\windows\system32\wcncsvc.dll
2011-03-20 05:48 . 2011-03-20 05:48 -------- d-----w- C:\Boot
2011-03-20 04:53 . 2010-03-29 09:10 -------- d-----w- c:\users\Default\AppData\Roaming\ASUS WebStorage
2011-03-20 04:53 . 2010-03-29 08:56 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2011-03-20 04:53 . 2010-03-29 08:53 -------- d-----w- c:\users\Default\AppData\Local\Adobe
2011-03-20 04:53 . 2010-03-29 08:45 -------- d-----w- c:\users\Default\AppData\Local\Broadcom
2011-03-20 04:53 . 2010-03-29 08:39 -------- d-----w- c:\users\Default\AppData\Roaming\InstallShield
2011-03-19 12:17 . 2010-06-29 04:57 4247040 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
2011-03-19 12:17 . 2010-06-29 05:02 1413632 ----a-w- c:\windows\system32\ole32.dll
2011-03-19 12:17 . 2010-06-14 06:12 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-03-19 12:17 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2011-03-19 12:17 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe
2011-03-19 12:17 . 2010-07-29 06:30 197632 ----a-w- c:\windows\system32\ir32_32.dll
2011-03-19 12:17 . 2010-07-29 06:30 82944 ----a-w- c:\windows\system32\iccvid.dll
2011-03-19 12:16 . 2010-08-26 04:39 109056 ----a-w- c:\windows\system32\t2embed.dll
2011-03-19 12:16 . 2010-10-12 04:25 516096 ----a-w- c:\program files\Windows Mail\wab.exe
2011-03-19 12:16 . 2010-10-27 04:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-03-19 12:15 . 2010-08-04 06:15 204288 ----a-w- c:\windows\system32\MSNP.ax
2011-03-19 12:15 . 2010-08-21 05:36 224256 ----a-w- c:\windows\system32\schannel.dll
2011-03-19 12:10 . 2011-01-05 05:37 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-03-19 12:10 . 2010-09-01 04:26 164864 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2011-03-19 12:10 . 2010-09-01 04:23 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2011-03-19 12:10 . 2010-07-13 05:22 26504 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-03-19 12:08 . 2011-01-07 07:31 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-19 11:41 . 2010-07-19 18:03 59472 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2011-03-19 11:41 . 2010-07-19 18:03 51792 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2011-03-19 11:41 . 2010-07-19 18:02 163408 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-03-19 11:38 . 2010-07-30 17:29 249424 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2011-03-19 11:38 . 2010-07-30 17:29 36432 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2011-03-19 11:38 . 2010-07-30 17:06 1331512 ----a-w- c:\windows\system32\drivers\vsapint.sys
2011-03-19 11:34 . 2011-03-19 11:34 -------- d-----w- c:\program files\VideoLAN
2011-03-19 11:15 . 1999-03-06 11:38 6144 ----a-w- c:\windows\system32\drivers\ASUSHWIO.SYS
2011-03-19 11:10 . 2011-03-19 11:11 -------- d-----w- c:\program files\E-Cam
2011-03-19 11:10 . 2006-02-07 04:39 32768 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\Objectps.dll
2011-03-19 11:10 . 2002-12-05 03:12 692224 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2011-03-19 11:10 . 2002-12-05 03:10 155648 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2011-03-19 11:10 . 2002-12-02 04:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2011-03-19 11:10 . 2002-12-02 02:33 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2011-03-19 11:10 . 2002-12-02 02:33 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2011-03-19 11:10 . 2011-03-19 11:10 282756 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2011-03-19 11:10 . 2011-03-19 11:10 163972 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2011-03-19 11:08 . 2011-03-23 11:34 -------- dc----w- c:\windows\system32\DRVSTORE
2011-03-19 11:06 . 2006-11-29 02:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2011-03-19 11:05 . 2011-03-19 11:05 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-03-19 11:04 . 2011-03-24 23:57 -------- d-----w- c:\program files\Microsoft
2011-03-19 11:03 . 2011-03-23 11:33 -------- d-----w- c:\program files\Windows Live
2011-03-19 11:02 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2011-03-19 11:02 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2011-03-19 11:01 . 2011-03-19 11:01 -------- d-----w- c:\program files\Common Files\Windows Live
2011-03-19 10:58 . 2011-03-19 10:58 -------- d-----w- c:\users\Sarahsaur
2011-03-19 10:58 . 2011-03-19 10:58 -------- d-----w- C:\Recovery
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-18 17:53 . 2011-03-24 10:59 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]
@="{CC5FC992-B0AA-47CD-9DC2-83445083CBB8}"
[HKEY_CLASSES_ROOT\CLSID\{CC5FC992-B0AA-47CD-9DC2-83445083CBB8}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]
@="{618A47A2-528B-4D9A-AFC8-97D3233511E2}"
[HKEY_CLASSES_ROOT\CLSID\{618A47A2-528B-4D9A-AFC8-97D3233511E2}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"EeeSplendidAgent"="c:\program files\ASUS\EPC\EeeSplendid\AsAgent.exe" [2009-12-29 104960]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"HotkeyMon"="AsusSender.exe" [2010-03-04 34728]
"HotkeyService"="AsusSender.exe" [2010-03-04 34728]
"SuperHybridEngine"="AsusSender.exe" [2010-03-04 34728]
"LiveUpdate"="AsusSender.exe" [2010-03-04 34728]
"CapsHook"="AsusSender.exe" [2010-03-04 34728]
"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2008-11-03 33128]
"ASUS WebStorage"="c:\program files\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe" [2010-03-16 1754448]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-02-23 1024368]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-25 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-03-25 150552]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-03-25 8522272]
"ASUSPRP"="c:\program files\ASUS\APRP\APRP.EXE" [2010-03-29 2018032]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-8-3 795936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eee Docking]
2010-02-08 23:20 415920 ----a-w- c:\program files\ASUS\Eee Docking\Eee Docking.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2010-07-19 51792]
R3 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2010-03-25 497008]
R3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2010-03-25 689416]
S1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2010-03-25 11448]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AsusService;Asus Launcher Service;c:\windows\System32\AsusService.exe [2010-03-04 224680]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2010-07-30 36432]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-03-25 43944]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-03-25 29472]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [2010-03-25 51712]
S3 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\DRIVERS\tmlwf.sys [2010-03-25 146448]
S3 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\DRIVERS\tmwfp.sys [2010-03-25 283152]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://asus.msn.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Sarahsaur\AppData\Roaming\Mozilla\Firefox\Profiles\sy5u98e5.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-SynAsusAcpi - %ProgramFiles%\Synaptics\SynTP\SynAsusAcpi.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2560335077-3909937444-1229753024-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2560335077-3909937444-1229753024-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-04-02 11:11:32
ComboFix-quarantined-files.txt 2011-04-02 00:11
.
Pre-Run: 79,046,176,768 bytes free
Post-Run: 82,587,979,776 bytes free
.
- - End Of File - - C8014D8D146A5A7D86BB8A05BB72D816


Cheers,

Sarah

#9 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 01 April 2011 - 11:31 PM

Hi Sarah,

Thank you for that. :)

There is nothing in either of those logs that says malware. I'm inclined, at this point, to lean towards a hardware problem. Possibly drivers needing updating for your wireless connection.

I'd like for you to run Check Disk to see if your drive is all right. If you aren't sure how, then look here : http://www.w7forums.com/use-chkdsk-check-disk-t448.html

Let me know how you come out. :)

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#10 sarahsaur

  • Topic Starter
  • Members
  • 6 posts

Posted 14 April 2011 - 05:50 AM

Hi Tea,

Sorry for the delay, have been away. I ran the Check Disk, and the drive is fine. I tried to update drivers for the wireless and they are apparently up to date. Computer seems to be a bit more stable/smoother after a windows update however, so who knows. My main concern was that it was free of malware, so if the rootkit's gone then great. Thanks for all your help!

Sarah

#11 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 12 June 2011 - 01:42 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
