
Persistent TDL4@MBR, multiple viruses?


  • This topic is locked
11 replies to this topic

#1 worries

worries

  • Members
  • 47 posts
  • OFFLINE
  • Local time:12:02 AM

Posted 03 May 2011 - 02:07 AM

Hi coles,
The link says to attach the attach.txt and ark.txt. But I do not have the attachment section under the reply box; for me it just reads "options". In any case, I am pasting the logs here.

DDS log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Anaam at 2:37:46.87 on 03/05/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.1014.217 [GMT -4:00]
.
AV: Kaspersky Anti-Virus *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\PLFSetL.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Anaam\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.Gateway.com
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\ievkbd.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\anaam\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [snp2uvc] rundll32.exe c:\windows\system32\csnp2uvc.dll,ResetCIDS
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\ssmmgr.exe /autorun
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\anaam\applic~1\mozilla\firefox\profiles\ya58k6a1.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - about:home
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\anaam\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\anaam\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\anaam\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-5-2 475736]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe [2010-11-2 365336]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-8-3 38912]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-3 1684736]
S3 Normandy;Normandy SR2; [x]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-3 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
.
=============== Created Last 30 ================
.
2011-05-02 22:38:46 6470464 ----a-w- C:\HitmanPro35beta.exe
2011-05-02 22:32:35 134464 ----a-w- c:\windows\system32\LnkProtect.dll
2011-05-02 21:06:07 50688 ----a-w- C:\ATF-Cleaner.exe
2011-05-02 20:37:21 -------- d-----w- c:\docume~1\anaam\applic~1\SUPERAntiSpyware.com
2011-05-02 20:37:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-05-02 20:37:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-02 07:41:57 575488 ----a-w- C:\aswMBR.exe
2011-05-02 06:00:55 -------- d-sh--w- c:\documents and settings\anaam\IECompatCache
2011-05-02 05:32:31 -------- d--h--w- c:\windows\PIF
2011-05-02 05:08:41 150200 ----a-w- c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
2011-05-02 05:08:06 97859 ----a-w- c:\windows\system32\drivers\klick.dat
2011-05-02 05:08:06 115267 ----a-w- c:\windows\system32\drivers\klin.dat
2011-05-02 05:05:39 -------- d-----w- c:\program files\Kaspersky Lab
2011-05-02 05:05:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2011-05-02 03:38:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2011-05-02 03:00:11 -------- d-----w- c:\program files\Softwin
2011-05-02 02:06:42 -------- d-----w- C:\Malwa
2011-05-02 01:01:06 -------- d-----w- c:\windows\setup.pss
2011-05-01 20:52:10 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-05-01 20:52:10 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-01 19:44:22 -------- d-----w- C:\booga
2011-04-30 03:31:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-30 03:31:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-04-29 20:43:40 0 ----a-w- c:\windows\Rjirag.bin
2011-04-29 20:43:39 -------- d-----w- c:\docume~1\anaam\locals~1\applic~1\{D8B7A0C2-86D2-4BE8-8444-EA3D3A6E8314}
2011-04-27 04:39:20 -------- d-----w- c:\program files\Oldgames
2011-04-27 03:00:31 -------- d-----w- c:\docume~1\anaam\locals~1\applic~1\DOSBox
2011-04-27 03:00:16 -------- d-----w- c:\program files\DOSBox-0.74
2011-04-27 00:16:01 -------- d-----w- c:\docume~1\anaam\applic~1\ScummVM
2011-04-27 00:15:13 -------- d-----w- c:\program files\ScummVM
2011-04-24 17:08:04 -------- d-----w- c:\windows\Samsung
2011-04-24 16:53:21 454656 ----a-w- c:\windows\ssndii.exe
2011-04-24 16:53:20 82432 ----a-w- c:\windows\system32\msxml4r.dll
2011-04-24 16:53:20 44544 ----a-w- c:\windows\system32\msxml4a.dll
2011-04-24 16:53:20 21776 ----a-w- c:\windows\system32\msxml2a.dll
2011-04-24 16:53:20 1233920 ----a-w- c:\windows\system32\msxml4.dll
2011-04-24 16:53:00 57344 ----a-w- c:\windows\system32\SUGO3CI.dll
2011-04-24 16:53:00 22663 ----a-w- c:\windows\system32\sugo3LMK.DLL
2011-04-24 16:53:00 151552 ----a-w- c:\windows\system32\SUGO3CI.exe
2011-04-24 16:52:33 41984 ------w- c:\windows\system32\drivers\DGIVECP.SYS
2011-04-24 16:52:21 -------- d-----w- C:\Temp
2011-04-08 17:33:58 57600 -c--a-w- c:\windows\system32\dllcache\redbook.sys
2011-04-08 17:33:58 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-04-08 16:36:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2011-04-08 16:27:35 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-08 16:27:34 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-04-08 16:27:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-04-07 23:59:31 -------- d-----w- c:\docume~1\anaam\applic~1\Malwarebytes
2011-04-07 23:58:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-07 23:58:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-07 23:58:49 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-07 23:58:49 -------- d-----w- c:\program files\Malwarebyte' Anti-Malware
2011-04-07 19:06:27 -------- d-----w- c:\docume~1\anaam\applic~1\AVG
.
==================== Find3M ====================
.
.
============= FINISH: 2:41:44.12 ===============



#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:02 AM

Posted 03 May 2011 - 02:41 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename, BEFORE saving it, to svchost.exe
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.

 

 


#3 worries

worries
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:12:02 AM

Posted 03 May 2011 - 06:14 PM

Oki, so I forgot to run it as svchost.exe. >.<"
So here is the log with it being run as it was. Let me know if I should run it with it being renamed.
Nothing is different in the way my computer is acting.
I am also attaching the other two logs, one from the dds script, and the second one is the gmer log.

ComboFix log:

ComboFix 11-05-03.02 - Anaam 03/05/2011 17:01:07.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.1014.693 [GMT -4:00]
Running from: c:\documents and settings\Anaam\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Anaam\Application Data\Adobe\plugs
c:\documents and settings\Anaam\Application Data\Adobe\shed
c:\documents and settings\Anaam\Local Settings\Application Data\{D8B7A0C2-86D2-4BE8-8444-EA3D3A6E8314}
c:\documents and settings\Anaam\Local Settings\Application Data\{D8B7A0C2-86D2-4BE8-8444-EA3D3A6E8314}\chrome.manifest
c:\documents and settings\Anaam\Local Settings\Application Data\{D8B7A0C2-86D2-4BE8-8444-EA3D3A6E8314}\chrome\content\_cfg.js
c:\documents and settings\Anaam\Local Settings\Application Data\{D8B7A0C2-86D2-4BE8-8444-EA3D3A6E8314}\chrome\content\overlay.xul
c:\documents and settings\Anaam\Local Settings\Application Data\{D8B7A0C2-86D2-4BE8-8444-EA3D3A6E8314}\install.rdf
.
c:\windows\system32\userinit.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-04-03 to 2011-05-03 )))))))))))))))))))))))))))))))
.
.
2011-05-02 22:38 . 2011-05-02 22:39 6470464 ----a-w- C:\HitmanPro35beta.exe
2011-05-02 22:32 . 2011-05-02 22:32 134464 ----a-w- c:\windows\system32\LnkProtect.dll
2011-05-02 21:30 . 2011-05-02 21:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-05-02 21:06 . 2011-05-02 21:06 50688 ----a-w- C:\ATF-Cleaner.exe
2011-05-02 20:37 . 2011-05-02 20:37 -------- d-----w- c:\documents and settings\Anaam\Application Data\SUPERAntiSpyware.com
2011-05-02 20:37 . 2011-05-02 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-02 20:37 . 2011-05-02 20:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-02 07:41 . 2011-05-02 07:41 575488 ----a-w- C:\aswMBR.exe
2011-05-02 06:00 . 2011-05-02 06:00 -------- d-sh--w- c:\documents and settings\Anaam\IECompatCache
2011-05-02 05:32 . 2011-05-02 05:32 -------- d--h--w- c:\windows\PIF
2011-05-02 05:08 . 2010-10-06 00:27 150200 ----a-w- c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
2011-05-02 05:08 . 2011-05-02 06:15 97859 ----a-w- c:\windows\system32\drivers\klick.dat
2011-05-02 05:08 . 2011-05-02 06:15 115267 ----a-w- c:\windows\system32\drivers\klin.dat
2011-05-02 05:05 . 2011-05-02 05:05 -------- d-----w- c:\program files\Kaspersky Lab
2011-05-02 05:05 . 2011-05-03 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2011-05-02 03:38 . 2011-05-02 03:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2011-05-02 03:02 . 2011-05-02 03:02 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2011-05-02 03:01 . 2011-05-02 03:01 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2011-05-02 03:00 . 2011-05-02 03:01 -------- d-----w- c:\program files\Softwin
2011-05-02 02:06 . 2011-05-02 02:07 -------- d-----w- C:\Malwa
2011-05-02 00:03 . 2011-05-02 00:03 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-05-02 00:03 . 2011-05-02 00:03 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2011-05-01 20:52 . 2011-05-01 20:52 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-01 19:44 . 2011-05-01 20:51 -------- d-----w- C:\booga
2011-04-30 21:12 . 2011-04-30 21:12 -------- d-----w- c:\documents and settings\Administrator\PrivacIE
2011-04-30 06:16 . 2011-04-30 06:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-30 03:31 . 2011-04-30 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-04-30 03:31 . 2011-04-30 03:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-29 20:43 . 2011-04-29 20:43 0 ----a-w- c:\windows\Rjirag.bin
2011-04-27 04:39 . 2011-04-27 04:46 -------- d-----w- c:\program files\Oldgames
2011-04-27 03:00 . 2011-04-27 03:00 -------- d-----w- c:\documents and settings\Anaam\Local Settings\Application Data\DOSBox
2011-04-27 03:00 . 2011-04-27 03:53 -------- d-----w- c:\program files\DOSBox-0.74
2011-04-27 00:16 . 2011-04-27 00:16 -------- d-----w- c:\documents and settings\Anaam\Application Data\ScummVM
2011-04-27 00:15 . 2011-04-27 00:49 -------- d-----w- c:\program files\ScummVM
2011-04-24 17:08 . 2011-04-24 17:08 -------- d-----w- c:\windows\Samsung
2011-04-24 17:07 . 2011-04-24 17:07 -------- d-----w- c:\windows\system32\drivers\Samsung
2011-04-24 17:07 . 2011-04-24 17:07 -------- d-----w- c:\program files\Samsung
2011-04-24 16:53 . 2006-03-24 05:18 454656 ----a-w- c:\windows\ssndii.exe
2011-04-24 16:53 . 2003-04-18 20:46 1233920 ----a-w- c:\windows\system32\msxml4.dll
2011-04-24 16:53 . 2003-04-18 20:29 82432 ----a-w- c:\windows\system32\msxml4r.dll
2011-04-24 16:53 . 2003-04-18 20:29 44544 ----a-w- c:\windows\system32\msxml4a.dll
2011-04-24 16:53 . 2000-08-04 05:52 21776 ----a-w- c:\windows\system32\msxml2a.dll
2011-04-24 16:53 . 2006-01-02 19:42 22663 ----a-w- c:\windows\system32\sugo3LMK.DLL
2011-04-24 16:53 . 2005-03-03 23:09 57344 ----a-w- c:\windows\system32\SUGO3CI.dll
2011-04-24 16:53 . 2005-03-03 17:32 151552 ----a-w- c:\windows\system32\SUGO3CI.exe
2011-04-24 16:52 . 2004-08-11 19:39 41984 ----a-w- c:\windows\system32\drivers\DGIVECP.SYS
2011-04-24 16:52 . 2011-04-24 16:52 -------- d-----w- C:\Temp
2011-04-08 17:33 . 2008-04-14 04:10 57600 -c--a-w- c:\windows\system32\dllcache\redbook.sys
2011-04-08 17:33 . 2008-04-14 04:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-04-08 16:36 . 2011-05-02 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2011-04-08 16:27 . 2011-05-03 00:06 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-08 16:27 . 2011-04-08 16:27 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-04-08 16:27 . 2011-04-08 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-07 23:59 . 2011-04-07 23:59 -------- d-----w- c:\documents and settings\Anaam\Application Data\Malwarebytes
2011-04-07 23:58 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-07 23:58 . 2011-04-07 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-07 23:58 . 2011-05-02 01:54 -------- d-----w- c:\program files\Malwarebyte' Anti-Malware
2011-04-07 23:58 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-07 19:06 . 2011-04-07 19:49 -------- d-----w- c:\documents and settings\Anaam\Application Data\AVG
2011-04-07 19:02 . 2011-04-30 20:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-18 17:53 . 2011-04-07 18:58 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-04-20 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-15 178712]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-24 17529856]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-07-17 53248]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PLFSetL"="c:\windows\PLFSetL.exe" [2008-07-03 94208]
"snp2uvc"="c:\windows\system32\csnp2uvc.dll" [2009-02-16 196608]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2009-02-12 862728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-02-14 507904]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2010-11-03 365336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VideoWebCamera]
2009-05-20 02:30 1552501 ----a-w- c:\program files\VideoWebCamera\VideoWebCamera.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\Anaam\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [09/06/2010 4:43 PM 11352]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 2:41 PM 67656]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [07/05/2010 11:06 AM 32856]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/11/2009 7:27 PM 19472]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [03/08/2009 5:09 PM 38912]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [03/08/2009 3:18 PM 1684736]
S3 Normandy;Normandy SR2; [x]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [03/08/2009 3:13 PM 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4166307882-2234620177-1106520001-1006Core.job
- c:\documents and settings\Anaam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-25 16:35]
.
2011-05-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4166307882-2234620177-1106520001-1006UA.job
- c:\documents and settings\Anaam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-25 16:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.Gateway.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Anaam\Application Data\Mozilla\Firefox\Profiles\ya58k6a1.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - about:home
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-03 17:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cd,e5,3d,0d,be,50,eb,46,a5,97,dc,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cd,e5,3d,0d,be,50,eb,46,a5,97,dc,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1332)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\windows\system32\igfxext.exe
.
**************************************************************************
.
Completion time: 2011-05-03 17:17:54 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-03 21:17
.
Pre-Run: 136,740,913,152 bytes free
Post-Run: 136,940,630,016 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 23009024F7C10E8F74D2B8D230EF75BA




#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:02 AM

Posted 03 May 2011 - 06:23 PM

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully", which takes less than a minute on my system, click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.

 

 


#5 worries

worries
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:12:02 AM

Posted 03 May 2011 - 06:30 PM

Here it is.

So far, I have been running the internet for a couple of hours. The "Generic Win32 host process" error has not shown up yet.

The MBR.dat is there on my desktop.
However, Kaspersky detects a Rootkit.Win32.TDSS.dat virus in the MBR.dat and removes it automatically.

Here are the contents:

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-03 19:33:56
-----------------------------
19:33:56.484 OS Version: Windows 5.1.2600 Service Pack 3
19:33:56.484 Number of processors: 2 586 0x1C02
19:33:56.484 ComputerName: GATEWAY UserName: Anaam
19:33:57.265 Initialize success
19:33:59.015 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
19:33:59.031 Disk 0 Vendor: ST916031 0001 Size: 152627MB BusType: 3
19:33:59.046 Disk 0 MBR read successfully
19:33:59.062 Disk 0 MBR scan
19:33:59.078 Disk 0 TDL4@MBR code has been found
19:33:59.078 Disk 0 MBR hidden
19:33:59.093 Disk 0 MBR [TDL4] **ROOTKIT**
19:33:59.109 Disk 0 trace - called modules:
19:33:59.125
19:33:59.125 Scan finished successfully
19:34:06.546 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Anaam\Desktop\MBR.dat"
19:34:06.546 The log file has been saved successfully to "C:\Documents and Settings\Anaam\Desktop\aswMBR.txt"

Edited by worries, 03 May 2011 - 08:10 PM.


#6 worries

worries
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:12:02 AM

Posted 03 May 2011 - 09:16 PM

Update: Since the Generic host processes error wasn't showing up, I tried my luck at running the TDSSKiller again, and I was able to run it past the 80% (where it used to get stuck). It found and removed the TDL4, and I ran it again at reboot, and it's showing up clean.

I ran aswMBR again, and here is the log from that. I am also attaching the new gmer log.

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-03 21:27:50
-----------------------------
21:27:50.234 OS Version: Windows 5.1.2600 Service Pack 3
21:27:50.234 Number of processors: 2 586 0x1C02
21:27:50.234 ComputerName: GATEWAY UserName: Anaam
21:27:55.000 Initialize success
21:27:57.640 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
21:27:57.656 Disk 0 Vendor: ST916031 0001 Size: 152627MB BusType: 3
21:27:57.687 Disk 0 MBR read successfully
21:27:57.687 Disk 0 MBR scan
21:27:57.703 Disk 0 unknown MBR code
21:27:57.718 Disk 0 scanning sectors +312578048
21:27:57.750 Disk 0 scanning C:\WINDOWS\system32\drivers
21:28:03.859 Service scanning
21:28:05.265 Disk 0 trace - called modules:
21:28:05.281 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
21:28:05.296 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f908c8]
21:28:05.312 3 CLASSPNP.SYS[f78bdfd7] -> nt!IofCallDriver -> \Device\0000006b[0x86fd93e0]
21:28:05.328 5 ACPI.sys[f7312620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x86fa3030]
21:28:05.359 Scan finished successfully
21:28:16.859 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Anaam\Desktop\MBR.dat"
21:28:16.921 The log file has been saved successfully to "C:\Documents and Settings\Anaam\Desktop\aswMBR2.txt"

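The two aswMBR runs above differ only in what sits in the boot sector that aswMBR dumped to MBR.dat: the first reports "TDL4@MBR code has been found", the second, after TDSSKiller ran, "unknown MBR code". The following Python inspector is an added example and is not part of this thread or of aswMBR, TDSSKiller or Kaspersky: it parses a 512-byte MBR dump, checks the 0x55AA boot signature, hashes the bootstrap code so a fresh dump can be compared with a known-good one, and reports how much unpartitioned space follows the last partition, which is the region of the disk the TDL4 family is known to use for its hidden storage and roughly where the log shows aswMBR scanning at "+312578048". The sample images, the disk size (the logged 152627 MB at an assumed 2048 sectors per MB) and the partition layout are constructed for the demonstration, not read from the poster's machine.

```python
"""Inspect and compare 512-byte MBR images such as the MBR.dat that aswMBR saves.

Added example, not aswMBR/TDSSKiller code.  Parses the partition table, checks
the 0x55AA boot signature, hashes the bootstrap code so two dumps can be
compared, and reports unpartitioned space after the last partition.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

SECTOR_BYTES = 512
BOOTCODE_LEN = 446          # bytes 0..445 hold the bootstrap code
TABLE_OFFSET = 446          # four 16-byte partition entries follow
ENTRY_FMT = "<B3xB3xII"     # status, (CHS start), type, (CHS end), LBA start, sector count


@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sectors: int

    @property
    def end_lba(self) -> int:
        """First sector after the partition (exclusive)."""
        return self.start_lba + self.sectors


@dataclass
class MbrReport:
    signature_ok: bool
    bootcode_sha256: str
    partitions: List[Partition]
    trailing_free_sectors: Optional[int]   # None when the disk size is unknown


def parse_mbr(image: bytes, disk_sectors: Optional[int] = None) -> MbrReport:
    """Parse the first sector of `image`.  Passing the disk's total LBA count
    enables the trailing-unpartitioned-space check."""
    if len(image) < SECTOR_BYTES:
        raise ValueError("need at least one 512-byte sector")
    mbr = image[:SECTOR_BYTES]
    signature_ok = mbr[510:512] == b"\x55\xaa"
    bootcode_hash = hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()

    partitions: List[Partition] = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, ptype, start, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0 or count == 0:
            continue                      # empty slot
        partitions.append(Partition(i, status == 0x80, ptype, start, count))

    trailing = None
    if disk_sectors is not None:
        last_end = max((p.end_lba for p in partitions), default=0)
        trailing = max(disk_sectors - last_end, 0)
    return MbrReport(signature_ok, bootcode_hash, partitions, trailing)


def compare_mbr(baseline: bytes, current: bytes) -> Dict[str, bool]:
    """Report what changed between a known-good dump and a fresh one.
    A changed bootstrap code with an unchanged partition table is the
    classic bootkit footprint; table changes usually mean repartitioning."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    return {
        "bootcode_changed": b.bootcode_sha256 != c.bootcode_sha256,
        "table_changed": b.partitions != c.partitions,
        "signature_ok": c.signature_ok,
    }


def build_sample_mbr(bootcode_fill: int, partition: Partition) -> bytes:
    """Construct a synthetic MBR image for the demonstration (not a real boot sector)."""
    bootcode = bytes([bootcode_fill]) * BOOTCODE_LEN
    entry = struct.pack(ENTRY_FMT, 0x80 if partition.bootable else 0x00,
                        partition.type_id, partition.start_lba, partition.sectors)
    table = entry + b"\x00" * 48          # remaining three slots left empty
    return bootcode + table + b"\x55\xaa"


# Constructed sample (assumptions, not data from the poster's disk): one NTFS
# partition starting at LBA 63 and ending at sector 312578048, with the disk
# size taken as the logged 152627 MB at 2048 sectors per MB.
DISK_SECTORS = 152627 * 2048                        # 312,580,096
NTFS_PART = Partition(0, True, 0x07, 63, 312578048 - 63)
CLEAN_MBR = build_sample_mbr(0x90, NTFS_PART)       # "known good" dump
ALTERED_MBR = build_sample_mbr(0xCC, NTFS_PART)     # same table, different boot code


if __name__ == "__main__":
    rep = parse_mbr(ALTERED_MBR, DISK_SECTORS)
    for p in rep.partitions:
        print(f"part {p.index}: type 0x{p.type_id:02x} boot={p.bootable} "
              f"LBA {p.start_lba}-{p.end_lba - 1}")
    print("trailing unpartitioned sectors:", rep.trailing_free_sectors)
    print("diff vs baseline:", compare_mbr(CLEAN_MBR, ALTERED_MBR))
```

Some unpartitioned space at the end of a disk is normal (alignment slack, vendor recovery data), so treat that figure as a place to look rather than a verdict. The signal a responder acts on is the bootstrap-code hash changing against a dump taken from the same machine when it was known to be clean, or against the vendor's factory image, with the partition table unchanged.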



#7 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:02 AM

Posted 04 May 2011 - 01:32 PM

Good evening. :)

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any other browser than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:

    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

Will you also throw in a fresh DDS log and let me know how the PC is behaving.

So long, and thanks for all the fish.

#8 worries

worries
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:12:02 AM

Posted 04 May 2011 - 07:48 PM

Oki, so as soon as the tdss removed the virus, and my gateway recovery management was working again, I restored everything. I am not sure if that usually removes everything but I was really iffy about being connected to the internet on an infected system. So here are the logs on the newly restored computer.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Annie at 20:42:55.91 on 04/05/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.1014.223 [GMT -4:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\PLFSetL.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Annie\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=lt20&r=0xph0511x415l03c4wuj5a48l2u599
uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=lt20&r=0xph0511x415l03c4wuj5a48l2u599
mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=lt20&r=0xph0511x415l03c4wuj5a48l2u599
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=lt20&r=0xph0511x415l03c4wuj5a48l2u599
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.5.0.134\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.5.0.134\IPSBHO.DLL
BHO: Partner BHO Class: {83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} - c:\documents and settings\all users\application data\partner\partner.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.5.0.134\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [snp2uvc] rundll32.exe c:\windows\system32\csnp2uvc.dll,ResetCIDS
mRun: [VideoWebCamera] "c:\program files\videowebcamera\VideoWebCamera.exe" -a
mRun: [PLFSetI] c:\program files\PLFSetI.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.5.0.134\CoIEPlg.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.5.0.134\ccSvcHst.exe [2009-8-3 115560]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-8-3 38912]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090226.034\NAVENG.SYS [2009-8-3 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090226.034\NAVEX15.SYS [2009-8-3 876144]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-5-4 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-3 1684736]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-8-3 24064]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-5-4 135664]
S3 Partner Service;Partner Service;c:\documents and settings\all users\application data\partner\partner.exe [2011-5-4 111088]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rts5121.sys --> c:\windows\system32\drivers\RTS5121.sys [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
.
=============== Created Last 30 ================
.
2011-05-04 21:52:22 -------- d-----w- c:\program files\ESET
2011-05-04 20:29:00 -------- d-----w- c:\docume~1\annie\locals~1\applic~1\Temp
2011-05-04 19:43:29 -------- d-----w- c:\docume~1\annie\locals~1\applic~1\Adobe
2011-05-04 16:45:02 -------- d-sh--w- c:\documents and settings\annie\PrivacIE
2011-05-04 04:09:48 57600 -c--a-w- c:\windows\system32\dllcache\redbook.sys
2011-05-04 04:09:48 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-05-04 04:09:44 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2011-05-04 04:05:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\Partner
2011-05-04 04:01:09 -------- d-----w- c:\program files\Gateway
2011-05-04 03:59:57 225280 ----a-w- c:\windows\system32\rsnp2uvc.dll
2011-05-04 03:59:57 -------- d-----w- c:\program files\common files\SNP2UVC
2011-05-04 03:59:56 -------- d-----w- c:\windows\SUYIN NB Cam
.
==================== Find3M ====================
.
.
============= FINISH: 20:43:26.16 ===============

#9 worries

worries
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:12:02 AM

Posted 04 May 2011 - 07:49 PM

the attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 03/05/2011 11:57:32 PM
System Uptime: 04/05/2011 2:27:49 PM (6 hours ago)
.
Motherboard: Acer | | LT20
Processor: Intel® Atom™ CPU N270 @ 1.60GHz | CPU | 1596/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 139 GiB total, 129.224 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 03/05/2011 11:57:35 PM - System Checkpoint
RP2: 03/05/2011 11:59:53 PM - Installed WebCam
RP3: 04/05/2011 12:00:15 AM - Installed Video Web Camera
RP4: 04/05/2011 12:00:53 AM - Installed Windows XP Wdf01007.
RP5: 04/05/2011 12:01:08 AM - Installed Gateway Recovery Management
RP6: 04/05/2011 8:32:41 PM - OTS Restore Point
.
==== Installed Programs ======================
.
2007 Microsoft Office Suite Service Pack 1 (SP1)
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
Choice Guard
Compatibility Pack for the 2007 Office system
Gateway Games
Gateway Recovery Management
Gateway ScreenSaver
Google Desktop
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Junk Mail filter update
Launch Manager
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Money Essentials
Microsoft Money Shared Libraries
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSVCRT
MSXML 4.0 SP2 (KB954430)
Norton Internet Security
Realtek High Definition Audio Driver
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Segoe UI
Synaptics Pointing Device Driver
Update for Office 2007 (KB946691)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
USB2.0 Card Reader Software
Video Web Camera
WebCam
WebFldrs XP
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Format Runtime
Windows Media Player 10
.
==== Event Viewer Messages From Past Week ========
.
04/05/2011 1:59:06 PM, error: Dhcp [1002] - The IP address lease 172.17.51.102 for the Network Card with network address 904CE534EFB4 has been denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).
04/05/2011 1:59:05 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
04/05/2011 1:11:58 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: Waiting for a process to open the other end of the pipe.
.
==== End Of File ===========================



Edited by Noviciate, 05 May 2011 - 01:37 PM.
Log attached


#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:02 AM

Posted 05 May 2011 - 01:41 PM

Good evening. :)

What you seem to have done is to reset the PC to factory settings, which leaves me superfluous - that action tends to remove everything nasty from a system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your copy of Adobe Reader is out of date. You can get the latest version here, feel free to uncheck the McAfee download first, or you can update from within the program itself: Help > Check for Updates...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your firewall shows as Disabled, so you need to activate that. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet. It's a little old, but still contains some good ideas.

So long, and thanks for all the fish.

#11 worries

worries
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:12:02 AM

Posted 05 May 2011 - 04:26 PM

I know it was unnecessary but I had already removed all my data, so might as well be on the safe side. =)

But thank you so much for getting it to the point where I could restore it!
The virus was not allowing me to restore my computer.

So I am all clean! :D

Thanks a bunch again! <3

#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:02 AM

Posted 05 May 2011 - 04:34 PM

Chalk one up in the Winners column! :dance: As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.