
Originally Xp Security 11, now more serious. (I'm trying to write a dissertation please help)


  • This topic is locked
15 replies to this topic

#1 bgriff

bgriff

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:01 PM

Posted 26 April 2011 - 05:51 PM

Hello all, and thank you for taking the time to read my post.

This started out when I saw a fishy Java window open and then close without me being able to do anything. XP Security 2011 got me and I started getting all the standard fake messages and scans.

Ok, no problem. MBAM scanned (after renaming the exe) and removed a fair few viruses. Also scanned with SAS.

Problems:
-Svchost.exe using lots of cpu and virtual memory. (I have looked on process explorer, but I don't understand how to explore further into the particular svchost that is using up all my resources).

-Can't access the Windows Update website and it doesn't seem to be updating automatically - I get a connection reset error (checking my windowsupdate text file in C:/windows reveals this: Shutdwn FATAL: WUCheckForUpdatesAtShutdown failed)

-Windows 32 generic process crashes

-Attack pages randomly opening .cc's etc

-Redirects

-Keep losing sound until I reinstall the AC97 drivers and reboot.

-My address bar in Firefox (and IE) no longer searches via Google, but via some dodgy search-results(dot) site, and I can't find how to delete it.


Programs I have used:
-CCleaner
-Malwarebytes
-Superantispyware
-Avira
-CTFcleaner
-TDSS Killer

Results so far: basically haven't removed any viruses for the last 24 hours; multiple scans with SAS, Malwarebytes, TDSSKiller, Avira etc. all show clean, yet the problems are persisting. Maybe it's a well-hidden rootkit?

Also: Now I am starting to get crashes while attempting to run GMER

PAGE_FAULT_IN_NONPAGED_AREA

Technical info:

STOP: 0x00000050 (0xFEDF1008 etc)
AWTDYPOG.sys - address 90B65381 base at 90B6100, datestamp 4d83c76d (this was the file that caused the problem)

Any ideas what's going on?



So all in all, everything is pretty FUBARed. All this started just a day or two ago. Most importantly, I am writing my dissertation!! I have backed up my work, but I really need my PC back in action so I can keep writing; my deadline is approaching fast.


Logs for DDS

DDS (Ver_11-03-05.01) - NTFSx86
Run by ben at 23:37:11.73 on Tue 04/26/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.103 [GMT 1:00]
.
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\ben\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
{53707962-6f74-2d53-2644-206d7942484f}
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [Steam] "c:\program files\valve\steam\steam.exe" -silent
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AsusStartupHelp] c:\program files\asus\aasp\1.00.17\AsRunHelp.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [AtiPTA] atiptaxx.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [D1T2EUR7FZ] c:\windows\temp\Vz1.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: microsoft.com\update
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vexcast.com/download/vexcast.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\ben\applic~1\mozilla\firefox\profiles\9w8yai10.default\
FF - prefs.js: browser.search.selectedEngine - Hotspot Shield Private Search
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://search.hotspotshield.com/g/results.php?c=s&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-26 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-26 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-26 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-26 61960]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 cpuz130;cpuz130;\??\c:\docume~1\ben\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\ben\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\program files\lavalys\everest ultimate edition\kerneld.wnt --> c:\program files\lavalys\everest ultimate edition\kerneld.wnt [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
.
=============== Created Last 30 ================
.
2011-04-26 19:42:49 -------- d-----w- c:\docume~1\ben\applic~1\Avira
2011-04-26 19:31:39 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-26 19:31:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-04-26 19:31:38 -------- d-----w- c:\program files\Avira
2011-04-26 18:14:34 -------- d-----w- C:\TDSSKiller_Quarantine
2011-04-26 17:55:13 -------- d-----w- c:\program files\CCleaner
2011-04-26 16:30:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-26 14:32:30 -------- d-----w- c:\program files\Realtek AC97
2011-04-26 00:40:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-26 00:40:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-26 00:40:25 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-04-26 00:34:52 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys
2011-04-26 00:34:52 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll
2011-04-26 00:34:47 10528768 ----a-w- c:\windows\system32\RTLCPL.exe
2011-04-26 00:32:42 315392 ----a-w- c:\windows\alcupd.exe
2011-04-26 00:32:42 217088 ----a-w- c:\windows\alcrmv.exe
2011-04-25 18:36:43 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-25 18:20:03 -------- d-----w- c:\program files\Lavasoft
2011-04-25 15:37:21 -------- d-----w- c:\docume~1\ben\applic~1\Qeivt
2011-04-25 15:37:21 -------- d-----w- c:\docume~1\ben\applic~1\Ipeqg
2011-04-25 14:27:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-25 14:27:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-25 02:44:23 -------- d-----w- c:\windows\system32\NtmsData
2011-04-25 02:09:18 -------- d-----w- c:\windows\41EBC322660F4D16A0DF53147210CBDB.TMP
2011-04-24 23:09:41 593920 ------w- c:\windows\system32\ati2sgag.exe
2011-04-24 23:01:58 1897408 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-04-24 23:01:56 4274816 ----a-w- c:\windows\system32\nv4_disp.dll
2011-04-24 22:20:13 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-24 22:20:13 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-24 19:57:24 0 ----a-w- c:\windows\Vdosedojod.bin
2011-04-24 19:57:22 -------- d-----w- c:\docume~1\ben\locals~1\applic~1\{2CE0B5E5-B708-4819-B418-1DA156E9AD50}
2011-04-24 19:35:10 -------- d-----w- c:\docume~1\ben\locals~1\applic~1\Ilivid Player
2011-04-24 19:34:31 -------- d-----w- c:\docume~1\ben\locals~1\applic~1\PackageAware
2011-04-22 02:14:33 -------- d-----w- c:\program files\Phyxion.net
2011-04-22 00:12:59 -------- d-----w- c:\program files\Futuremark
2011-04-08 20:04:36 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2011-04-08 20:04:36 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2011-04-08 20:04:36 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2011-04-08 20:04:36 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2011-04-08 20:04:36 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2011-04-08 20:04:35 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2011-04-08 20:04:35 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2011-04-08 20:04:35 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2011-04-08 20:04:34 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2011-04-08 20:04:34 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2011-04-08 20:04:33 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2011-04-08 20:04:26 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2011-04-07 01:54:04 -------- d-----w- c:\program files\Ventrilo
2011-04-06 00:29:04 -------- d-----w- c:\docume~1\ben\applic~1\TS3Client
2011-04-06 00:27:53 -------- d-----w- c:\program files\TeamSpeak 3 Client
2011-04-05 14:33:24 -------- d-----w- c:\docume~1\ben\applic~1\Mount&Blade Warband
2011-03-30 01:22:26 -------- d-----w- c:\docume~1\ben\applic~1\DDMSettings
2011-03-28 02:19:15 -------- d-----w- c:\program files\GPL MPEG Decoder
.
==================== Find3M ====================
.
2011-04-22 03:05:42 472576 ----a-w- c:\windows\Radeon Omega Drivers v4.8.442 Uninstall.exe
2011-03-21 18:56:22 59904 ----a-w- c:\windows\system32\OVDecode.dll
2011-03-21 18:56:06 51712 ----a-w- c:\windows\system32\OpenCL.dll
2011-03-21 18:55:46 12385792 ----a-w- c:\windows\system32\amdocl.dll
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-26 03:32:55 0 ----atw- c:\windows\006350_.tmp
2011-02-17 19:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 19:00:28 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 19:00:28 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-02-17 19:00:27 17408 ------w- c:\windows\system32\corpol.dll
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 11:44:16 389120 ----a-w- c:\windows\system32\html.iec
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ------w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6B250S0 rev.BANC1B10 -> Harddisk0\DR0 -> \Device\00000032
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86ED4730]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86edaa10]; MOV EAX, [0x86edaa8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86F69AB8]
3 CLASSPNP[0xF74C7FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000069[0x86F81F18]
5 ACPI[0xF735E620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86F69030]
\Driver\nvata[0x86F7F660] -> IRP_MJ_CREATE -> 0x86ED4730
error: Read The request is not supported.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\00000068 -> \??\IDE#DiskMaxtor_6B250S0__________________________BANC1B10#3542353056434856202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 23:40:36.45 ===============


Rar.zip contains Attach.txt and Ark.txt

Attached Files

  • Attached File  rar.zip   23.46KB   3 downloads
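The DDS "Pseudo HJT Report" and FIREFOX sections above are what a malware-response helper reads by eye: a Run value launched from a temp directory under a random-looking name, an address-bar search (keyword.URL) pointed at a third-party site, and browser security warnings switched off in user.js. As an added example (not part of this thread, and not the DDS tool's own logic), the Python script below applies those same checks mechanically to lines copied from the log above. The heuristics, the `Finding` type and the `triage` function are this example's own assumptions; the `dRun` prefix is assumed to denote the default-user (HKU\.DEFAULT) Run key as DDS labels it.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the DDS log posted in this thread
# (Pseudo HJT Report and FIREFOX sections). Raw string, so backslashes are literal.
SAMPLE_DDS_LINES = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [D1T2EUR7FZ] c:\windows\temp\Vz1.exe
FF - prefs.js: keyword.URL - hxxp://search.hotspotshield.com/g/results.php?c=s&q=
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: network.cookie.cookieBehavior - 0
"""

# uRun / mRun / dRun = HKCU / HKLM / default-user Run keys (assumed DDS convention).
RUN_LINE = re.compile(r"^([umd])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
FF_LINE = re.compile(r"^FF - (?P<file>prefs\.js|user\.js): (?P<pref>\S+) - (?P<value>.*)$")

# Path fragments (lower-cased) that legitimate autostarts rarely run from.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\",
                 "\\documents and settings\\")
# A value name made only of 8+ capitals and digits, mixing both, looks machine-generated.
RANDOM_NAME = re.compile(r"^(?=.*[A-Z])(?=.*\d)[A-Z0-9]{8,}$")


@dataclass
class Finding:
    line: str    # the DDS line that triggered the check
    reason: str  # why it is worth a human's attention


def image_path(cmd: str) -> str:
    """Return the executable part of a Run value: the quoted path if present,
    else everything up to the first .exe/.scr/.dll/.com/.bat/.cmd token,
    else the first whitespace-separated token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|scr|dll|com|bat|cmd))(?:\s|$)", cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def triage(dds_text: str) -> list[Finding]:
    """Run the heuristics over every line and collect findings (empty list = nothing odd)."""
    findings: list[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_LINE.match(line)
        if m:
            hive, name, cmd = m.group(1), m.group("name"), m.group("cmd")
            path = image_path(cmd).lower()
            if any(frag in path for frag in USER_WRITABLE):
                findings.append(Finding(line, "autostart runs from a temp/profile directory"))
            if RANDOM_NAME.match(name):
                findings.append(Finding(line, "machine-generated looking value name"))
            if hive == "d" and path:
                findings.append(Finding(line, "Run value under the default-user hive"))
            continue
        m = FF_LINE.match(line)
        if m:
            pref, value = m.group("pref"), m.group("value").strip()
            if pref == "keyword.URL":
                findings.append(Finding(line, "address-bar search redirected to " + value))
            elif pref.startswith("security.warn_") and value == "false":
                findings.append(Finding(line, "browser security warning disabled in user.js"))
    return findings


def flagged_lines(dds_text: str) -> set[str]:
    """Convenience view: just the distinct log lines that produced at least one finding."""
    return {f.line for f in triage(dds_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_LINES):
        print(f"{f.reason:50} <- {f.line}")
```

On the sample lines the only Run entry flagged is the dRun value pointing into c:\windows\temp (three separate reasons), while ctfmon.exe, Avira and the Adobe updater pass; the Firefox hits are the keyword.URL override and the two warn_* prefs forced to false. The cookieBehavior line is left alone on purpose, since that value by itself is not a sign of compromise.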



#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:01 PM

Posted 26 April 2011 - 06:12 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename, BEFORE saving it, to svchost.exe
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.


#3 bgriff

bgriff
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:01 PM

Posted 26 April 2011 - 07:22 PM

ComboFix 11-04-26.02 - ben 04/27/2011 0:57.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.546 [GMT 1:00]
Running from: c:\documents and settings\ben\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}


Hello there,

Thank you so much for the quick response. I am tripping out with the fact my dissertation has to be in soon and this is the only PC I have access to (and no Windows disk to reformat).

Here is the log. I still can't access Windows Update; it says connection reset.

I forgot to rename the file to svchost.exe. Will that make a big difference?

All the best,


Ben


.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\ben\Local Settings\Application Data\{2CE0B5E5-B708-4819-B418-1DA156E9AD50}
c:\documents and settings\ben\Local Settings\Application Data\{2CE0B5E5-B708-4819-B418-1DA156E9AD50}\chrome.manifest
c:\documents and settings\ben\Local Settings\Application Data\{2CE0B5E5-B708-4819-B418-1DA156E9AD50}\chrome\content\_cfg.js
c:\documents and settings\ben\Local Settings\Application Data\{2CE0B5E5-B708-4819-B418-1DA156E9AD50}\chrome\content\overlay.xul
c:\documents and settings\ben\Local Settings\Application Data\{2CE0B5E5-B708-4819-B418-1DA156E9AD50}\install.rdf
C:\Install.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\Nagasoft
c:\windows\system32\Nagasoft\Codecs\asyncflt.ax
c:\windows\system32\Nagasoft\Codecs\atrc.dll
c:\windows\system32\Nagasoft\Codecs\cook.dll
c:\windows\system32\Nagasoft\Codecs\drvc.dll
c:\windows\system32\Nagasoft\Codecs\raac.dll
c:\windows\system32\Nagasoft\Codecs\RealMediaSplitter.ax
c:\windows\system32\Nagasoft\Codecs\WMFDemux.dll
c:\windows\system32\Nagasoft\GifShower.dll
c:\windows\system32\Nagasoft\vjocx.dll
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\usp10(2).dll
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
C:\winntse.bin
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_vvdsvc
-------\Legacy_vvdsvc
-------\Service_vvdsvc
-------\Service_vvdsvc
.
.
((((((((((((((((((((((((( Files Created from 2011-03-27 to 2011-04-27 )))))))))))))))))))))))))))))))
.
.
2011-04-26 19:42 . 2011-04-26 19:42 -------- d-----w- c:\documents and settings\ben\Application Data\Avira
2011-04-26 19:31 . 2011-04-26 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-04-26 19:31 . 2011-03-04 15:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-04-26 19:31 . 2011-03-04 13:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-26 19:31 . 2010-06-17 13:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-04-26 19:31 . 2010-06-17 13:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-04-26 19:31 . 2011-04-26 19:31 -------- d-----w- c:\program files\Avira
2011-04-26 18:14 . 2011-04-26 18:14 -------- d-----w- C:\TDSSKiller_Quarantine
2011-04-26 17:55 . 2011-04-26 17:55 -------- d-----w- c:\program files\CCleaner
2011-04-26 16:30 . 2011-04-26 16:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-26 14:32 . 2011-04-26 14:32 -------- d-----w- c:\program files\Realtek AC97
2011-04-26 00:41 . 2011-04-26 00:41 -------- d-----w- c:\program files\Common Files\Java
2011-04-26 00:40 . 2011-04-26 00:39 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-04-26 00:40 . 2011-04-26 00:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-26 00:40 . 2011-04-26 00:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-26 00:34 . 2008-09-24 09:40 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys
2011-04-26 00:34 . 2006-10-18 01:53 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll
2011-04-26 00:34 . 2006-12-08 14:20 10528768 ----a-w- c:\windows\system32\RTLCPL.exe
2011-04-26 00:32 . 2006-07-31 10:27 217088 ----a-w- c:\windows\alcrmv.exe
2011-04-26 00:32 . 2006-07-31 10:19 315392 ----a-w- c:\windows\alcupd.exe
2011-04-25 18:36 . 2011-04-25 18:36 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-25 18:20 . 2011-04-25 18:20 -------- d-----w- c:\program files\Lavasoft
2011-04-25 15:37 . 2011-04-25 16:56 -------- d-----w- c:\documents and settings\ben\Application Data\Qeivt
2011-04-25 15:37 . 2011-04-25 15:38 -------- d-----w- c:\documents and settings\ben\Application Data\Ipeqg
2011-04-25 14:27 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-25 14:27 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-25 11:42 . 2011-04-25 11:47 -------- d-----w- c:\documents and settings\NetworkService\Application Data\HPAppData
2011-04-25 02:44 . 2011-04-26 12:36 -------- d-----w- c:\windows\system32\NtmsData
2011-04-25 02:09 . 2011-04-25 03:07 -------- d-----w- c:\windows\41EBC322660F4D16A0DF53147210CBDB.TMP
2011-04-24 23:09 . 2007-09-28 20:05 593920 ------w- c:\windows\system32\ati2sgag.exe
2011-04-24 23:01 . 2004-08-03 20:29 1897408 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-04-24 23:01 . 2008-04-13 23:12 4274816 ----a-w- c:\windows\system32\nv4_disp.dll
2011-04-24 22:20 . 2011-04-24 22:20 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-24 19:57 . 2011-04-24 19:57 0 ----a-w- c:\windows\Vdosedojod.bin
2011-04-24 19:35 . 2011-04-24 19:35 -------- d-----w- c:\documents and settings\ben\Local Settings\Application Data\Ilivid Player
2011-04-24 19:34 . 2011-04-24 19:34 -------- d-----w- c:\documents and settings\ben\Local Settings\Application Data\PackageAware
2011-04-22 02:14 . 2011-04-22 02:14 -------- d-----w- c:\program files\Phyxion.net
2011-04-22 00:12 . 2011-04-22 00:12 -------- d-----w- c:\program files\Futuremark
2011-04-08 20:04 . 2010-06-02 03:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2011-04-08 20:04 . 2010-06-02 03:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2011-04-08 20:04 . 2010-06-02 03:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2011-04-08 20:04 . 2010-05-26 10:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2011-04-08 20:04 . 2010-05-26 10:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2011-04-08 20:04 . 2010-05-26 10:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2011-04-08 20:04 . 2010-05-26 10:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2011-04-08 20:04 . 2010-05-26 10:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2011-04-08 20:04 . 2010-02-04 09:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2011-04-08 20:04 . 2010-02-04 09:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2011-04-08 20:04 . 2010-02-04 09:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2011-04-08 20:04 . 2010-02-04 09:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2011-04-07 17:04 . 2011-04-26 17:57 -------- d-----w- c:\documents and settings\ben\Application Data\Ventrilo
2011-04-07 01:54 . 2011-04-07 01:54 -------- d-----w- c:\program files\Ventrilo
2011-04-06 00:29 . 2011-04-26 17:57 -------- d-----w- c:\documents and settings\ben\Application Data\TS3Client
2011-04-06 00:27 . 2011-04-06 00:28 -------- d-----w- c:\program files\TeamSpeak 3 Client
2011-04-05 14:33 . 2011-04-06 14:31 -------- d-----w- c:\documents and settings\ben\Application Data\Mount&Blade Warband
2011-03-30 01:22 . 2011-03-30 01:22 -------- d-----w- c:\documents and settings\ben\Application Data\DDMSettings
2011-03-28 02:19 . 2011-03-28 02:19 -------- d-----w- c:\program files\GPL MPEG Decoder
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-21 18:56 . 2011-03-21 18:56 59904 ----a-w- c:\windows\system32\OVDecode.dll
2011-03-21 18:56 . 2011-03-21 18:56 51712 ----a-w- c:\windows\system32\OpenCL.dll
2011-03-21 18:55 . 2011-03-21 18:55 12385792 ----a-w- c:\windows\system32\amdocl.dll
2011-03-07 05:33 . 2007-11-26 09:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-03 23:56 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-03 22:17 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-26 03:32 . 2011-02-26 03:32 0 ----atw- c:\windows\006350_.tmp
2011-02-17 19:00 . 2004-08-03 23:56 832512 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 19:00 . 2004-08-03 23:56 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-02-17 19:00 . 2004-08-03 23:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 19:00 . 2004-08-03 23:56 17408 ------w- c:\windows\system32\corpol.dll
2011-02-17 13:18 . 2004-08-03 22:15 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-03 22:14 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-06-27 19:16 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 11:44 . 2004-08-03 21:59 389120 ----a-w- c:\windows\system32\html.iec
2011-02-15 12:56 . 2004-08-03 23:56 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2004-08-03 23:56 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-03 23:56 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-03 23:56 978944 ------w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-03 23:56 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2007-11-26 09:48 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2007-11-26 09:48 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-18 17:53 . 2011-04-24 22:58 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Steam"="c:\program files\valve\steam\steam.exe" [2010-11-21 1242448]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-04-20 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"AsusStartupHelp"="c:\program files\ASUS\AASP\1.00.17\AsRunHelp.exe" [2006-11-14 363008]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-19 16858112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-23 202256]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-02-15 1230704]
"AtiPTA"="atiptaxx.exe" [2006-02-22 344064]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^ben^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\ben\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-04-20 15:57 2423752 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
2007-11-13 15:48 3411968 ----a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2009-10-06 00:14 2075384 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\call of duty 4\\iw3sp.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\call of duty 4\\iw3mp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\dawn of war gold\\W40k.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\dawn of war gold\\W40kWA.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\dawn of war soulstorm\\soulstorm.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\dawn of war dark crusade\\darkcrusade.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\football manager 2009\\fm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Electronic Arts\\Warhammer Online - Age of Reckoning\\warpatch.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\dawn of war ii - retribution beta\\DOW2.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\mountblade warband\\mb_warband.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 7:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 7:41 PM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/26/2011 8:31 PM 135336]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]
S3 cpuz130;cpuz130;\??\c:\docume~1\ben\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\ben\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt --> c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 7:15 PM 12872]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
2011-04-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-527237240-1606980848-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
2011-04-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
2011-04-24 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-527237240-1606980848-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: microsoft.com\update
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\ben\Application Data\Mozilla\Firefox\Profiles\9w8yai10.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://google.com
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
SafeBoot-klmdb.sys
MSConfigStartUp-avast! - c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
MSConfigStartUp-DAEMON Tools Lite - c:\program files\DAEMON Tools Lite\DTLite.exe
MSConfigStartUp-Livestation - c:\program files\Livestation\Livestation.exe
MSConfigStartUp-LogMeIn Hamachi Ui - c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
AddRemove-53F13DB4D9611FD63BE580F06F0729BF236ABE68 - c:\progra~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe
AddRemove-2kv4.8.442 - c:\windows\Radeon Omega Drivers v4.8.442
AddRemove-Veetle TV - c:\program files\Veetle\UninstallVeetleTV.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6B250S0 rev.BANC1B10 -> Harddisk0\DR0 -> \Device\00000032
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
error: Read Incorrect function.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\0000006a -> \??\IDE#DiskMaxtor_6B250S0__________________________BANC1B10#3542353056434856202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(752)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2004)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RTHDCPL.EXE
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
.
**************************************************************************
.
Completion time: 2011-04-27 01:16:06 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-27 00:15
.
Pre-Run: 120,615,256,064 bytes free
Post-Run: 121,216,827,392 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 03537041E1FE2DF08AF82A362BC13A1E

#4 bgriff

Posted 26 April 2011 - 07:32 PM

Here is an updated DDS report.

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\RTHDCPL.EXE
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\ben\Desktop\123.com.exe
C:\Documents and Settings\ben\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
{53707962-6f74-2d53-2644-206d7942484f}
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Steam] "c:\program files\valve\steam\steam.exe" -silent
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AsusStartupHelp] c:\program files\asus\aasp\1.00.17\AsRunHelp.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [AtiPTA] atiptaxx.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: microsoft.com\update
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vexcast.com/download/vexcast.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\ben\applic~1\mozilla\firefox\profiles\9w8yai10.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://google.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-26 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-26 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-26 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-26 61960]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 cpuz130;cpuz130;\??\c:\docume~1\ben\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\ben\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\program files\lavalys\everest ultimate edition\kerneld.wnt --> c:\program files\lavalys\everest ultimate edition\kerneld.wnt [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
.
=============== Created Last 30 ================
.
2011-04-26 23:55:11 -------- d-sha-r- C:\cmdcons
2011-04-26 23:50:14 98816 ----a-w- c:\windows\sed.exe
2011-04-26 23:50:14 89088 ----a-w- c:\windows\MBR.exe
2011-04-26 23:50:14 256512 ----a-w- c:\windows\PEV.exe
2011-04-26 23:50:14 161792 ----a-w- c:\windows\SWREG.exe
2011-04-26 23:49:53 -------- d-----w- C:\ComboFix
2011-04-26 19:42:49 -------- d-----w- c:\docume~1\ben\applic~1\Avira
2011-04-26 19:31:39 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-26 19:31:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-04-26 19:31:38 -------- d-----w- c:\program files\Avira
2011-04-26 18:14:34 -------- d-----w- C:\TDSSKiller_Quarantine
2011-04-26 17:55:13 -------- d-----w- c:\program files\CCleaner
2011-04-26 16:30:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-26 14:32:30 -------- d-----w- c:\program files\Realtek AC97
2011-04-26 00:40:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-26 00:40:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-26 00:40:25 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-04-26 00:34:52 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys
2011-04-26 00:34:52 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll
2011-04-26 00:34:47 10528768 ----a-w- c:\windows\system32\RTLCPL.exe
2011-04-26 00:32:42 315392 ----a-w- c:\windows\alcupd.exe
2011-04-26 00:32:42 217088 ----a-w- c:\windows\alcrmv.exe
2011-04-25 18:36:43 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-25 18:20:03 -------- d-----w- c:\program files\Lavasoft
2011-04-25 15:37:21 -------- d-----w- c:\docume~1\ben\applic~1\Qeivt
2011-04-25 15:37:21 -------- d-----w- c:\docume~1\ben\applic~1\Ipeqg
2011-04-25 14:27:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-25 14:27:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-25 02:44:23 -------- d-----w- c:\windows\system32\NtmsData
2011-04-25 02:09:18 -------- d-----w- c:\windows\41EBC322660F4D16A0DF53147210CBDB.TMP
2011-04-24 23:09:41 593920 ------w- c:\windows\system32\ati2sgag.exe
2011-04-24 23:01:58 1897408 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-04-24 23:01:56 4274816 ----a-w- c:\windows\system32\nv4_disp.dll
2011-04-24 22:20:13 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-24 22:20:13 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-24 19:57:24 0 ----a-w- c:\windows\Vdosedojod.bin
2011-04-24 19:35:10 -------- d-----w- c:\docume~1\ben\locals~1\applic~1\Ilivid Player
2011-04-24 19:34:31 -------- d-----w- c:\docume~1\ben\locals~1\applic~1\PackageAware
2011-04-22 02:14:33 -------- d-----w- c:\program files\Phyxion.net
2011-04-22 00:12:59 -------- d-----w- c:\program files\Futuremark
2011-04-08 20:04:36 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2011-04-08 20:04:36 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2011-04-08 20:04:36 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2011-04-08 20:04:36 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2011-04-08 20:04:36 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2011-04-08 20:04:35 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2011-04-08 20:04:35 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2011-04-08 20:04:35 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2011-04-08 20:04:34 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2011-04-08 20:04:34 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2011-04-08 20:04:33 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2011-04-08 20:04:26 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2011-04-07 01:54:04 -------- d-----w- c:\program files\Ventrilo
2011-04-06 00:29:04 -------- d-----w- c:\docume~1\ben\applic~1\TS3Client
2011-04-06 00:27:53 -------- d-----w- c:\program files\TeamSpeak 3 Client
2011-04-05 14:33:24 -------- d-----w- c:\docume~1\ben\applic~1\Mount&Blade Warband
2011-03-30 01:22:26 -------- d-----w- c:\docume~1\ben\applic~1\DDMSettings
2011-03-28 02:19:15 -------- d-----w- c:\program files\GPL MPEG Decoder
.
==================== Find3M ====================
.
2011-04-22 03:05:42 472576 ----a-w- c:\windows\Radeon Omega Drivers v4.8.442 Uninstall.exe
2011-03-21 18:56:22 59904 ----a-w- c:\windows\system32\OVDecode.dll
2011-03-21 18:56:06 51712 ----a-w- c:\windows\system32\OpenCL.dll
2011-03-21 18:55:46 12385792 ----a-w- c:\windows\system32\amdocl.dll
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-26 03:32:55 0 ----atw- c:\windows\006350_.tmp
2011-02-17 19:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 19:00:28 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 19:00:28 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-02-17 19:00:27 17408 ------w- c:\windows\system32\corpol.dll
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 11:44:16 389120 ----a-w- c:\windows\system32\html.iec
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ------w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6B250S0 rev.BANC1B10 -> Harddisk0\DR0 -> \Device\00000032
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86ECE730]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86ed4a10]; MOV EAX, [0x86ed4a8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86F80030]
3 CLASSPNP[0xF74C7FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006b[0x86F6C538]
5 ACPI[0xF735E620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86F6C650]
\Driver\nvata[0x86F7DF38] -> IRP_MJ_CREATE -> 0x86ECE730
error: Read Incorrect function.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\0000006a -> \??\IDE#DiskMaxtor_6B250S0__________________________BANC1B10#3542353056434856202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 1:27:42.78 ===============

#5 bgriff

Posted 26 April 2011 - 09:54 PM

Svchost.exe is worrying me at the moment; it keeps lagging the hell out of my machine, and I could see it using 700,000 VM and 300,000+ memory not 2 minutes ago. Yet when I Ctrl + Alt + Delete and end it, nothing adverse happens to my machine. YouTube videos still stream (even if not fully loaded) etc.

Update: Worrying number of svchosts open (9/10, never had this many), and one related to System keeps going into overdrive.

All virus scans report clean, only picking up tracking cookies now.
Windows Update still completely blocked.
Few Generic Host crashes.
Taking so long to reboot.
Google Chrome won't load at all, Internet Explorer takes many clicks to open, only Firefox is working properly.
Attack pages have slowed down but are still there.

Worried about the possible TDL3 rootkit infection showing up in the logs.

Edited by bgriff, 27 April 2011 - 11:24 AM.


#6 Noviciate

  • Malware Response Team

Posted 27 April 2011 - 01:50 PM

Good evening. :)

I appreciate your need to have the PC clean, but infections aren't written to be easily removed and so you have to work through various options until you get the one that works. Sometimes it's the first one and sometimes it isn't and there's nothing you can do to change that.

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.

  • You will then need to extract the file(s) from the zipped folder.
  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Start scan and allow the tool to do just that.
  • Once the scan has completed, if the tool has identified anything allow it to carry out its default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which I'd like to see, will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

So long, and thanks for all the fish.


#7 bgriff

bgriff
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 27 April 2011 - 03:08 PM

Sorry for being impatient, I only have this computer to finish my dissertation, which is due in a few weeks.

If I try to browse my computer to upload the folder it crashes my browser (tried 5+ times).

So here is the copy + paste

2011/04/26 19:17:57.0015 3844 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/26 19:17:57.0203 3844 ================================================================================
2011/04/26 19:17:57.0203 3844 SystemInfo:
2011/04/26 19:17:57.0203 3844
2011/04/26 19:17:57.0203 3844 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/26 19:17:57.0203 3844 Product type: Workstation
2011/04/26 19:17:57.0203 3844 ComputerName: MSHOME
2011/04/26 19:17:57.0203 3844 UserName: ben
2011/04/26 19:17:57.0203 3844 Windows directory: C:\WINDOWS
2011/04/26 19:17:57.0203 3844 System windows directory: C:\WINDOWS
2011/04/26 19:17:57.0203 3844 Processor architecture: Intel x86
2011/04/26 19:17:57.0203 3844 Number of processors: 2
2011/04/26 19:17:57.0203 3844 Page size: 0x1000
2011/04/26 19:17:57.0203 3844 Boot type: Normal boot
2011/04/26 19:17:57.0203 3844 ================================================================================
2011/04/26 19:17:57.0640 3844 !crdlk
2011/04/26 19:17:58.0000 3844 Initialize success
2011/04/26 19:18:24.0328 0216 ================================================================================
2011/04/26 19:18:24.0328 0216 Scan started
2011/04/26 19:18:24.0328 0216 Mode: Manual;
2011/04/26 19:18:24.0328 0216 ================================================================================
2011/04/26 19:18:24.0843 0216 Aavmker4 (d301f57713a0f6f8a3295ae6ebb69617) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/04/26 19:18:25.0015 0216 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/26 19:18:25.0093 0216 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/04/26 19:18:25.0187 0216 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/26 19:18:25.0265 0216 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/04/26 19:18:25.0468 0216 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2011/04/26 19:18:25.0734 0216 AsIO (663f2fb92608073824ee3106886120f3) C:\WINDOWS\system32\drivers\AsIO.sys
2011/04/26 19:18:25.0781 0216 aswMon2 (71785f529c7b251b188245843bbf85db) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/04/26 19:18:25.0843 0216 aswRdr (7bab4923cabb4404bf05fd111e75e49b) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/04/26 19:18:25.0906 0216 aswTdi (e8a2678eab78c2060d5eb26803667dc2) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/04/26 19:18:25.0968 0216 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/26 19:18:26.0000 0216 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/26 19:18:26.0187 0216 ati2mtag (ec2743bf722d4356375a0a01b69a81e0) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/04/26 19:18:26.0359 0216 ATITool (0e4bb35c5305099ac82053ac992e3e0e) C:\WINDOWS\system32\DRIVERS\ATITool.sys
2011/04/26 19:18:26.0406 0216 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/26 19:18:26.0468 0216 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/26 19:18:26.0531 0216 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/26 19:18:26.0578 0216 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2011/04/26 19:18:26.0593 0216 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2011/04/26 19:18:26.0687 0216 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/26 19:18:26.0781 0216 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/26 19:18:26.0843 0216 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/26 19:18:26.0890 0216 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/26 19:18:27.0109 0216 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
2011/04/26 19:18:27.0406 0216 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/26 19:18:27.0468 0216 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/26 19:18:27.0546 0216 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/26 19:18:27.0578 0216 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/26 19:18:27.0656 0216 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/26 19:18:27.0750 0216 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/26 19:18:27.0828 0216 ENTECH (fd9fc82f134b1c91004ffc76a5ae494b) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
2011/04/26 19:18:27.0906 0216 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/26 19:18:27.0984 0216 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/04/26 19:18:28.0031 0216 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/26 19:18:28.0078 0216 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/04/26 19:18:28.0203 0216 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/04/26 19:18:28.0328 0216 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/26 19:18:28.0359 0216 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/26 19:18:28.0421 0216 giveio (77ebf3e9386daa51551af429052d88d0) C:\WINDOWS\system32\giveio.sys
2011/04/26 19:18:28.0578 0216 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/26 19:18:28.0671 0216 hamachi (833051c6c6c42117191935f734cfbd97) C:\WINDOWS\system32\DRIVERS\hamachi.sys
2011/04/26 19:18:28.0765 0216 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/26 19:18:28.0906 0216 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/26 19:18:29.0171 0216 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/04/26 19:18:29.0218 0216 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/04/26 19:18:29.0281 0216 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/04/26 19:18:29.0343 0216 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/26 19:18:29.0468 0216 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/26 19:18:29.0515 0216 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/26 19:18:29.0765 0216 IntcAzAudAddService (8998a1e6f899f790e5eff9cd2c431a23) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/04/26 19:18:29.0890 0216 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/04/26 19:18:29.0968 0216 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/26 19:18:30.0093 0216 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/26 19:18:30.0140 0216 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/26 19:18:30.0218 0216 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/26 19:18:30.0265 0216 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/26 19:18:30.0328 0216 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/26 19:18:30.0390 0216 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/26 19:18:30.0437 0216 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/04/26 19:18:30.0515 0216 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/26 19:18:30.0578 0216 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/26 19:18:30.0765 0216 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/26 19:18:30.0875 0216 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/26 19:18:30.0937 0216 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/26 19:18:31.0000 0216 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/26 19:18:31.0062 0216 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/26 19:18:31.0140 0216 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/26 19:18:31.0234 0216 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/26 19:18:31.0312 0216 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/26 19:18:31.0375 0216 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/26 19:18:31.0421 0216 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/26 19:18:31.0484 0216 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/26 19:18:31.0546 0216 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/26 19:18:31.0625 0216 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
2011/04/26 19:18:31.0671 0216 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/26 19:18:31.0796 0216 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/26 19:18:31.0921 0216 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/26 19:18:31.0968 0216 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/26 19:18:32.0015 0216 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/26 19:18:32.0093 0216 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/26 19:18:32.0156 0216 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/26 19:18:32.0203 0216 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/26 19:18:32.0281 0216 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/26 19:18:32.0343 0216 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/26 19:18:32.0453 0216 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/26 19:18:32.0562 0216 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/04/26 19:18:32.0781 0216 nvata (947c4a0e7b25bcecc3b40f0f1070378b) C:\WINDOWS\system32\DRIVERS\nvata.sys
2011/04/26 19:18:32.0859 0216 NVENETFD (4d6f0d3fb17c1ba64942f415c73adcdb) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2011/04/26 19:18:32.0921 0216 nvnetbus (921e63aa1e1a20302223d016acafb52b) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2011/04/26 19:18:33.0000 0216 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/26 19:18:33.0046 0216 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/26 19:18:33.0109 0216 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/04/26 19:18:33.0156 0216 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/26 19:18:33.0234 0216 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/26 19:18:33.0281 0216 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/26 19:18:33.0359 0216 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/26 19:18:33.0421 0216 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/04/26 19:18:33.0828 0216 Point32 (b4f59a953ef9e507f0d00c3a68580b8b) C:\WINDOWS\system32\DRIVERS\point32.sys
2011/04/26 19:18:33.0890 0216 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/26 19:18:33.0953 0216 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/04/26 19:18:34.0015 0216 Ps2 (390c204ced3785609ab24e9c52054a84) C:\WINDOWS\system32\DRIVERS\PS2.sys
2011/04/26 19:18:34.0078 0216 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/26 19:18:34.0125 0216 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/26 19:18:34.0187 0216 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/04/26 19:18:34.0421 0216 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/26 19:18:34.0468 0216 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/26 19:18:34.0562 0216 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/26 19:18:34.0687 0216 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/26 19:18:34.0765 0216 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/26 19:18:34.0828 0216 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/26 19:18:34.0906 0216 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/26 19:18:35.0015 0216 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/26 19:18:35.0093 0216 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/26 19:18:35.0171 0216 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/04/26 19:18:35.0234 0216 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/04/26 19:18:35.0265 0216 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
2011/04/26 19:18:35.0281 0216 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/04/26 19:18:35.0437 0216 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/26 19:18:35.0515 0216 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/04/26 19:18:35.0562 0216 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/04/26 19:18:35.0656 0216 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/26 19:18:35.0812 0216 speedfan (5d6401db90ec81b71f8e2c5c8f0fef23) C:\WINDOWS\system32\speedfan.sys
2011/04/26 19:18:35.0906 0216 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/26 19:18:35.0984 0216 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/26 19:18:36.0062 0216 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/26 19:18:36.0234 0216 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/26 19:18:36.0281 0216 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/26 19:18:36.0484 0216 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/26 19:18:36.0546 0216 taphss (0c3b2a9c4bd2dd9a6c2e4084314dd719) C:\WINDOWS\system32\DRIVERS\taphss.sys
2011/04/26 19:18:36.0625 0216 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/26 19:18:36.0703 0216 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/26 19:18:36.0750 0216 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/26 19:18:36.0812 0216 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/26 19:18:36.0937 0216 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/26 19:18:37.0140 0216 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/26 19:18:37.0265 0216 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/26 19:18:37.0328 0216 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/26 19:18:37.0375 0216 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/26 19:18:37.0421 0216 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/04/26 19:18:37.0468 0216 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/04/26 19:18:37.0515 0216 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/04/26 19:18:37.0562 0216 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/26 19:18:37.0671 0216 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/26 19:18:37.0890 0216 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/26 19:18:37.0953 0216 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/26 19:18:38.0062 0216 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/26 19:18:38.0171 0216 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/04/26 19:18:38.0234 0216 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/04/26 19:18:38.0265 0216 ================================================================================
2011/04/26 19:18:38.0265 0216 Scan finished
2011/04/26 19:18:38.0265 0216 ================================================================================
2011/04/26 19:18:44.0343 3832 Deinitialize success
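
A small triage helper for a log like the one above, added here as an example; it is not part of the original thread and not TDSSKiller's own code. It pulls the per-driver lines apart (service name, MD5, image path), flags images loaded from outside system32\drivers or without a .sys extension, and notes one hash registered under several service names. The line layout is read off the posted log rather than a documented format, the "standard directory" rule and the review/info labels are this example's own assumptions, and the sample log is constructed from a few lines of the post so the script runs offline.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List

# One service/driver line as TDSSKiller 2.4.x prints it in the log above:
#   <date> <time> <thread id> <service name> (<md5>) <image path>
# Header, separator and "Scan started/finished" lines carry no MD5 and are skipped.
# The field layout is this example's reading of the posted log, not a documented format.
_ENTRY_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+"   # timestamp
    r"\d+\s+"                                          # thread id
    r"(?P<name>\S+)\s+"                                # service name
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+"                 # MD5 of the image
    r"(?P<path>.+?)\s*$"                               # image path (may contain spaces)
)


@dataclass(frozen=True)
class DriverEntry:
    name: str
    md5: str
    path: str


@dataclass(frozen=True)
class Finding:
    name: str
    severity: str   # "review" = look at this first, "info" = usually benign (assumed labels)
    reason: str
    detail: str


def parse_tdsskiller_log(text: str) -> List[DriverEntry]:
    """Extract every driver/service entry from a TDSSKiller log."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(DriverEntry(m["name"], m["md5"].lower(), m["path"]))
    return entries


def is_standard_driver_dir(path: str) -> bool:
    """True when the image sits in <drive>:\\Windows\\system32\\drivers (case-insensitive)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts[1:-1]]  # drop drive and filename
    return parts == ["windows", "system32", "drivers"]


def triage(entries: List[DriverEntry]) -> List[Finding]:
    """Flag drivers that deserve a closer look; a hit is a lead, not a verdict."""
    findings: List[Finding] = []
    by_hash: Dict[str, List[str]] = {}
    for e in entries:
        by_hash.setdefault(e.md5, []).append(e.name)
        if not is_standard_driver_dir(e.path):
            # Hardware monitors, AV engines and game launchers legitimately live elsewhere,
            # but so do droppers; every such path gets checked by hand.
            findings.append(Finding(e.name, "review", "image outside system32\\drivers", e.path))
        if not e.path.lower().endswith(".sys"):
            findings.append(Finding(e.name, "review", "driver image without .sys extension", e.path))
    for md5, names in by_hash.items():
        unique = sorted(set(names))
        if len(unique) > 1:
            # Same file under several service names is normal for bridge.sys
            # (Bridge/BridgeMP above) but worth a glance for anything unfamiliar.
            findings.append(Finding("/".join(unique), "info", "one image, several service names", md5))
    return findings


# Constructed sample: five entries copied from the log in the post above plus the
# surrounding marker lines.
SAMPLE_LOG = r"""
2011/04/26 19:18:24.0328 0216 Scan started
2011/04/26 19:18:25.0015 0216 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/26 19:18:26.0578 0216 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2011/04/26 19:18:26.0593 0216 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2011/04/26 19:18:27.0109 0216 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
2011/04/26 19:18:28.0421 0216 giveio (77ebf3e9386daa51551af429052d88d0) C:\WINDOWS\system32\giveio.sys
2011/04/26 19:18:38.0265 0216 Scan finished
"""

if __name__ == "__main__":
    for f in triage(parse_tdsskiller_log(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.name}: {f.reason} ({f.detail})")
```

Flagged paths such as the SystemRequirementsLab and giveio entries in the posted log are leads to verify by hash and vendor, not evidence of infection. The converse matters more here: a TDL-class rootkit that patches a legitimate driver in place and hides its on-disk changes will not show up as an odd path or an unknown name, so a list that triages clean does not close the question the DDS warning raised.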

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:01 PM

Posted 27 April 2011 - 03:40 PM

Given that you didn't rename ComboFix last time, and that it's usually a match for this sort of nasty, I think you should repeat the CF instructions but make sure that you download a fresh copy and rename it this time BEFORE you save it to your PC - I'm not sure that it will make any difference, but this tool is probably the easiest to run so we'll exhaust this possibility before we move on.

Do you have a flashdrive of 128 Mb or bigger that you can wipe clean to use for a little tool to help with this nasty, should it be necessary?

So long, and thanks for all the fish.


#9 bgriff

bgriff
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 27 April 2011 - 05:03 PM

Hi, would a formatted iPod be OK?

I just ran ComboFix and am having some real problems opening explorer.exe now; I finally got it up after closing and opening the exe a few times. Unfortunately it crashed and the folder in C:/ doesn't contain a log (I think I got a generic host crash as it was finishing). What should I do?

The .txt file crashed and wouldn't let me access it to post it here.

Edited by bgriff, 27 April 2011 - 05:04 PM.


#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:01 PM

Posted 27 April 2011 - 05:32 PM

Reboot the PC and tell me if it's stable now.

So long, and thanks for all the fish.


#11 bgriff

bgriff
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 27 April 2011 - 05:43 PM

Yes, it's OK now, Windows Explorer loaded up fine.

Still can't access Windows Update though, and I am worried that the generic host 32 crash may have stopped ComboFix from completing?

Edit: rebooted again and Windows Explorer is doing the same thing - not loading properly. I have to end the task and then start it again a few times.

Edited by bgriff, 27 April 2011 - 06:04 PM.


#12 bgriff

bgriff
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 27 April 2011 - 08:00 PM

OK, re-ran ComboFix, here is the log file:

ComboFix 11-04-27.01 - ben 04/28/2011 1:45.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.649 [GMT 1:00]
Running from: c:\documents and settings\ben\Desktop\test.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-28 )))))))))))))))))))))))))))))))
.
.
2011-04-27 23:20 . 2011-04-27 23:20 -------- d-----w- C:\asusupdate
2011-04-27 22:05 . 2011-04-27 22:24 -------- d-----w- c:\documents and settings\ben\Application Data\Download Manager
2011-04-27 21:17 . 2011-04-27 21:40 -------- d-----w- C:\test
2011-04-27 20:37 . 2010-11-09 14:35 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
2011-04-27 15:23 . 2011-04-27 15:23 -------- d-----w- c:\program files\Realtek AC97
2011-04-26 23:49 . 2011-04-27 21:17 -------- d-----w- C:\ComboFix
2011-04-26 19:42 . 2011-04-26 19:42 -------- d-----w- c:\documents and settings\ben\Application Data\Avira
2011-04-26 19:31 . 2011-04-26 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-04-26 19:31 . 2011-03-04 15:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-04-26 19:31 . 2011-03-04 13:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-26 19:31 . 2010-06-17 13:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-04-26 19:31 . 2010-06-17 13:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-04-26 19:31 . 2011-04-26 19:31 -------- d-----w- c:\program files\Avira
2011-04-26 18:14 . 2011-04-26 18:14 -------- d-----w- C:\TDSSKiller_Quarantine
2011-04-26 17:55 . 2011-04-26 17:55 -------- d-----w- c:\program files\CCleaner
2011-04-26 16:30 . 2011-04-26 16:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-26 00:41 . 2011-04-26 00:41 -------- d-----w- c:\program files\Common Files\Java
2011-04-26 00:40 . 2011-04-26 00:39 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-04-26 00:40 . 2011-04-26 00:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-26 00:40 . 2011-04-26 00:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-26 00:34 . 2008-09-24 09:40 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys
2011-04-26 00:34 . 2006-10-18 01:53 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll
2011-04-26 00:34 . 2006-12-08 14:20 10528768 ----a-w- c:\windows\system32\RTLCPL.exe
2011-04-26 00:32 . 2006-07-31 10:27 217088 ----a-w- c:\windows\alcrmv.exe
2011-04-26 00:32 . 2006-07-31 10:19 315392 ----a-w- c:\windows\alcupd.exe
2011-04-25 18:36 . 2011-04-25 18:36 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-25 18:20 . 2011-04-25 18:20 -------- d-----w- c:\program files\Lavasoft
2011-04-25 15:37 . 2011-04-25 16:56 -------- d-----w- c:\documents and settings\ben\Application Data\Qeivt
2011-04-25 15:37 . 2011-04-25 15:38 -------- d-----w- c:\documents and settings\ben\Application Data\Ipeqg
2011-04-25 14:27 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-25 14:27 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-25 11:42 . 2011-04-25 11:47 -------- d-----w- c:\documents and settings\NetworkService\Application Data\HPAppData
2011-04-25 02:44 . 2011-04-27 04:47 -------- d-----w- c:\windows\system32\NtmsData
2011-04-25 02:09 . 2011-04-25 03:07 -------- d-----w- c:\windows\41EBC322660F4D16A0DF53147210CBDB.TMP
2011-04-24 23:09 . 2007-09-28 20:05 593920 ------w- c:\windows\system32\ati2sgag.exe
2011-04-24 23:01 . 2004-08-03 20:29 1897408 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-04-24 23:01 . 2008-04-13 23:12 4274816 ----a-w- c:\windows\system32\nv4_disp.dll
2011-04-24 22:20 . 2011-04-24 22:20 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-24 19:57 . 2011-04-24 19:57 0 ----a-w- c:\windows\Vdosedojod.bin
2011-04-24 19:35 . 2011-04-24 19:35 -------- d-----w- c:\documents and settings\ben\Local Settings\Application Data\Ilivid Player
2011-04-24 19:34 . 2011-04-24 19:34 -------- d-----w- c:\documents and settings\ben\Local Settings\Application Data\PackageAware
2011-04-22 02:14 . 2011-04-22 02:14 -------- d-----w- c:\program files\Phyxion.net
2011-04-22 00:12 . 2011-04-22 00:12 -------- d-----w- c:\program files\Futuremark
2011-04-08 20:04 . 2010-06-02 03:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2011-04-08 20:04 . 2010-06-02 03:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2011-04-08 20:04 . 2010-06-02 03:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2011-04-08 20:04 . 2010-05-26 10:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2011-04-08 20:04 . 2010-05-26 10:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2011-04-08 20:04 . 2010-05-26 10:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2011-04-08 20:04 . 2010-05-26 10:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2011-04-08 20:04 . 2010-05-26 10:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2011-04-08 20:04 . 2010-02-04 09:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2011-04-08 20:04 . 2010-02-04 09:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2011-04-08 20:04 . 2010-02-04 09:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2011-04-08 20:04 . 2010-02-04 09:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2011-04-07 17:04 . 2011-04-26 17:57 -------- d-----w- c:\documents and settings\ben\Application Data\Ventrilo
2011-04-07 01:54 . 2011-04-07 01:54 -------- d-----w- c:\program files\Ventrilo
2011-04-06 00:29 . 2011-04-26 17:57 -------- d-----w- c:\documents and settings\ben\Application Data\TS3Client
2011-04-06 00:27 . 2011-04-06 00:28 -------- d-----w- c:\program files\TeamSpeak 3 Client
2011-04-05 14:33 . 2011-04-06 14:31 -------- d-----w- c:\documents and settings\ben\Application Data\Mount&Blade Warband
2011-03-30 01:22 . 2011-03-30 01:22 -------- d-----w- c:\documents and settings\ben\Application Data\DDMSettings
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-21 18:56 . 2011-03-21 18:56 59904 ----a-w- c:\windows\system32\OVDecode.dll
2011-03-21 18:56 . 2011-03-21 18:56 51712 ----a-w- c:\windows\system32\OpenCL.dll
2011-03-21 18:55 . 2011-03-21 18:55 12385792 ----a-w- c:\windows\system32\amdocl.dll
2011-03-07 05:33 . 2007-11-26 09:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-03 23:56 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-03 22:17 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-26 03:32 . 2011-02-26 03:32 0 ----atw- c:\windows\006350_.tmp
2011-02-17 19:00 . 2004-08-03 23:56 832512 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 19:00 . 2004-08-03 23:56 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-02-17 19:00 . 2004-08-03 23:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 19:00 . 2004-08-03 23:56 17408 ------w- c:\windows\system32\corpol.dll
2011-02-17 13:18 . 2004-08-03 22:15 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-03 22:14 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-06-27 19:16 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 11:44 . 2004-08-03 21:59 389120 ----a-w- c:\windows\system32\html.iec
2011-02-15 12:56 . 2004-08-03 23:56 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2004-08-03 23:56 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-03 23:56 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-03 23:56 978944 ------w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-03 23:56 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2007-11-26 09:48 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-03-18 17:53 . 2011-04-24 22:58 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-27_00.11.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-28 00:29 . 2011-04-28 00:29 16384 c:\windows\Temp\Perflib_Perfdata_51c.dat
+ 2001-08-23 12:00 . 2011-04-27 20:52 77660 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2011-04-27 20:52 456912 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Steam"="c:\program files\valve\steam\steam.exe" [2010-11-21 1242448]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-04-20 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"AsusStartupHelp"="c:\program files\ASUS\AASP\1.00.17\AsRunHelp.exe" [2006-11-14 363008]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-19 16858112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-23 202256]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-02-15 1230704]
"AtiPTA"="atiptaxx.exe" [2006-02-22 344064]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^ben^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\ben\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-04-20 15:57 2423752 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
2007-11-13 15:48 3411968 ----a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2009-10-06 00:14 2075384 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\call of duty 4\\iw3sp.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\call of duty 4\\iw3mp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\dawn of war gold\\W40k.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\dawn of war gold\\W40kWA.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\dawn of war soulstorm\\soulstorm.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\dawn of war dark crusade\\darkcrusade.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\football manager 2009\\fm.exe"=
"c:\\Program Files\\Electronic Arts\\Warhammer Online - Age of Reckoning\\warpatch.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\dawn of war ii - retribution beta\\DOW2.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\mountblade warband\\mb_warband.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 7:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 7:41 PM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/26/2011 8:31 PM 135336]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [4/27/2011 9:37 PM 21992]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]
S3 cpuz130;cpuz130;\??\c:\docume~1\ben\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\ben\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt --> c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 7:15 PM 12872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1606980848-682003330-1003Core.job
- c:\documents and settings\ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-27 15:01]
.
2011-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1606980848-682003330-1003UA.job
- c:\documents and settings\ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-27 15:01]
.
2011-04-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
2011-04-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-527237240-1606980848-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
2011-04-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
2011-04-24 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-527237240-1606980848-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: microsoft.com\update
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\ben\Application Data\Mozilla\Firefox\Profiles\9w8yai10.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://google.com
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-28 01:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6B250S0 rev.BANC1B10 -> Harddisk0\DR0 -> \Device\00000032
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86EC8730]<<
c:\docume~1\ben\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86ecea10]; MOV EAX, [0x86ecea8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86F7F030]
3 CLASSPNP[0xF74C7FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006b[0x86F0B538]
5 ACPI[0xF735E620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86F0B650]
\Driver\nvata[0x86F47E60] -> IRP_MJ_CREATE -> 0x86EC8730
error: Read Incorrect function.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\0000006a -> \??\IDE#DiskMaxtor_6B250S0__________________________BANC1B10#3542353056434856202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(764)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2976)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-28 01:58:56
ComboFix-quarantined-files.txt 2011-04-28 00:58
ComboFix2.txt 2011-04-27 21:40
ComboFix3.txt 2011-04-27 00:16
.
Pre-Run: 120,790,929,408 bytes free
Post-Run: 120,786,087,936 bytes free
.
- - End Of File - - B9B81BA4A53A90643852DF62A6FC9A4C

#13 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 28 April 2011 - 02:21 PM

Good evening. :)

I've no idea whether an iPod works or not - I don't see why not, but I've never tried. I think we'll try one other tool first, as it means we won't have to rely on Apple!

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully", which takes less than a minute on my system, click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.

#14 bgriff

  • Topic Starter

  • Members
  • 9 posts

Posted 28 April 2011 - 02:32 PM

Hello good sir, I ran fixmbr from my Recovery Console, and then a new copy of ComboFix.

Access to Windows Update is granted, no generic 32 errors, all browsers working, no svchost.exe going mad. So it looks like it may all be clear (fingers crossed).

Would you still like me to run that tool or would you have me do some other kind of scans?

All the best and thanks for your help to date.

Ben

#15 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 28 April 2011 - 04:43 PM

Nice. You can skip the tool as that was going to be looking at the MBR and you've already made that unnecessary - I guess that makes me a candidate for early retirement.

I think we'll do a little second-opinion scan for leftovers, and that should be about that.

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.
