Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Fake Malware/AntiVirus


  • This topic is locked This topic is locked
4 replies to this topic

#1 knerrd

knerrd

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:10:22 AM

Posted 14 June 2011 - 10:18 AM

I ran Combofix according to the instructions. It seemed to work properly (says it detected rootkit activity and needed to reboot) but the problems seem to be getting worse.

BC AdBot (Login to Remove)

 


#2 knerrd

knerrd
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:10:22 AM

Posted 14 June 2011 - 12:36 PM

I ran remover.exe and it indicates a rootkit. Here was the output:

Bootkit Remover
© 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000002`00100000

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:22 AM

Posted 14 June 2011 - 03:49 PM

Hello having run ComboFix we need to see that and a DDS log.

Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9 which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
Skip the GMER step and instead post the ComboFix log you have.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 knerrd

knerrd
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:10:22 AM

Posted 14 June 2011 - 08:36 PM

Thanks for your reply. It appears as though the forum you want me to repost to is this same forum: Security/Virus, Trojan......

Here is my DDS Log

.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Run by Knerr at 17:03:04 on 2011-06-14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.364 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: C:\Program Files\GalileoCleaner\systemcleaner.exe *Enabled/Updated* {445C2AD3-E094-4496-9AB2-015867D4734C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Acer\Acer VCM\RS_Service.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\HostsMan\hm.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=ao751h
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [HostsMan] "c:\program files\hostsman\hm.exe" -s
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxps://65.167.17.6/http/0/172.20.111.7/activex/AMC.cab
TCP: DhcpNameServer = 66.255.85.8 66.255.85.9 4.2.2.1
TCP: Interfaces\{9AFFB4FC-3394-470E-98F5-66FB51E35D5D} : DhcpNameServer = 66.255.85.8 66.255.85.9 4.2.2.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\acer\acer vcm\Skype4COM.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\knerr\application data\mozilla\firefox\profiles\uukqwu9y.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\knerr\application data\mozilla\firefox\profiles\uukqwu9y.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\knerr\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-14 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-5 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-5 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-5 42184]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-11-14 10384]
R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-4-15 237568]
R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [2009-4-15 5095360]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-4-15 1684736]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\3.tmp [2011-6-14 6144]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-4-15 164864]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
.
=============== File Associations ===============
.
exefile="c:\documents and settings\networkservice\local settings\application data\jpl.exe" -a "%1" %*
.
=============== Created Last 30 ================
.
2011-06-14 20:49:39 -------- d-----w- c:\documents and settings\knerr\application data\abelhadigital.com
2011-06-14 20:49:39 -------- d-----w- c:\documents and settings\all users\application data\abelhadigital.com
2011-06-14 20:49:32 -------- d-----w- c:\program files\HostsMan
2011-06-14 20:40:35 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-06-14 15:07:50 6144 ------w- c:\windows\system32\3.tmp
2011-06-14 15:05:11 6144 ------w- c:\windows\system32\2.tmp
2011-06-14 15:04:38 -------- d-----w- c:\program files\Sophos
2011-06-13 20:51:15 -------- d-----w- c:\documents and settings\knerr\application data\GalileoCleaner
2011-06-03 03:25:51 -------- d-----w- c:\windows\system32\LogFiles
.
==================== Find3M ====================
.
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-10 12:10:59 40112 ----a-w- c:\windows\avastSS.scr
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST9160310AS rev.0303 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86F484D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f4e7f0]; MOV EAX, [0x86f4e86c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86FC6AB8]
3 CLASSPNP[0xF75FDFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000063[0x86F8DF18]
5 ACPI[0xF7494620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86FC5D98]
\Driver\atapi[0x86FDE228] -> IRP_MJ_CREATE -> 0x86F484D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F4831B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:09:18.51 ===============


Here is attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-12.02)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 7/26/2009 5:14:41 AM
System Uptime: 6/14/2011 4:41:50 PM (1 hours ago)
.
Motherboard: Acer | | JV11-ML
Processor: Intel® Atom™ CPU Z520 @ 1.33GHz | U3E1 | 1240/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 141 GiB total, 129.652 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP2: 6/14/2011 4:59:37 PM - System Checkpoint
.
==== Installed Programs ======================
.
Acer Crystal Eye webcam 2.2.0.2
Acer eRecovery Management
Acer ScreenSaver
Acer VCM
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.4
Adobe Shockwave Player 11.5
Air Strike 2
Amazon MP3 Downloader 1.0.10
Apple Application Support
Apple Software Update
Atheros Driver Installation Program
avast! Free Antivirus
AXIS Media Control Embedded
Bejeweled 2 Deluxe
C:\Program Files\Acer GameZone\GameConsole
Cake Mania 2
CCleaner
CDDRV_Installer
Choice Guard
Compatibility Pack for the 2007 Office system
Cooking Dash
CyberLink PowerDVD 8
Dream Day First Home
Dream Day Wedding
erLT
ESET Online Scanner v3
eSobi v2
Farm Frenzy
Galapago
Home Sweet Home
HostsMan 3.2.73
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Intel® Graphics Media Accelerator 500
Java™ 6 Update 16
Jewel Quest Solitaire
Junk Mail filter update
KhalInstallWrapper
Launch Manager
Logitech SetPoint
Mahjong Escape Ancient China
Malwarebytes' Anti-Malware version 1.51.0.1200
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Mozilla Firefox (3.6.17)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Parking Dash
Peggle
QuickTime
Rainbow Web
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Segoe UI
Sophos Anti-Rootkit 1.5.4
Spybot - Search & Destroy
Star Defender 4
Synaptics Pointing Device Driver
Tradewinds 2
Tri-Peaks Solitaire To Go
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
USB2.0 Card Reader Software
WebFldrs XP
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Zuma Deluxe
.
==== Event Viewer Messages From Past Week ========
.
6/14/2011 2:51:26 PM, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.
6/13/2011 8:55:02 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 2 time(s).
6/13/2011 7:19:12 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
6/13/2011 7:19:06 PM, error: SRService [104] - The System Restore initialization process failed.
6/13/2011 5:42:54 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
6/13/2011 5:42:40 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
6/13/2011 5:42:30 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswRdr aswSP aswTdi Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
6/13/2011 5:42:30 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
6/13/2011 5:42:30 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/13/2011 5:42:30 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/13/2011 5:42:30 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
6/13/2011 5:42:23 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/13/2011 4:53:55 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================

I ran combofix again and it seemed to work better this time. here is the log:

ComboFix 11-06-13.01 - Knerr 06/14/2011 14:54:34.7.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.574 [GMT -4:00]
Running from: c:\documents and settings\Knerr\Desktop\combofix.exe.exe
AV: avast! Antivirus *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: c:\program files\GalileoCleaner\systemcleaner.exe *Enabled/Updated* {445C2AD3-E094-4496-9AB2-015867D4734C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\1.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-05-14 to 2011-06-14 )))))))))))))))))))))))))))))))
.
.
2011-06-14 15:07 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\3.tmp
2011-06-14 15:05 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\2.tmp
2011-06-14 15:04 . 2011-06-14 15:04 -------- d-----w- c:\program files\Sophos
2011-06-13 20:51 . 2011-06-13 20:51 -------- d-----w- c:\documents and settings\Knerr\Application Data\GalileoCleaner
2011-06-13 20:51 . 2011-06-13 20:51 -------- d-----w- c:\program files\GalileoCleaner
2011-06-03 03:25 . 2011-06-14 18:24 -------- d-----w- c:\windows\system32\LogFiles
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 13:11 . 2009-11-07 19:01 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2009-11-07 19:01 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-06-14_00.01.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-15 13:23 . 2011-06-14 18:55 68386 c:\windows\system32\perfc009.dat
- 2009-04-15 13:23 . 2011-06-13 23:48 68386 c:\windows\system32\perfc009.dat
+ 2009-07-26 09:14 . 2011-06-14 06:26 61056 c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
+ 2009-04-15 13:23 . 2011-06-14 18:55 434266 c:\windows\system32\perfh009.dat
- 2009-04-15 13:23 . 2011-06-13 23:48 434266 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-24 17567744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-27 1434920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-28 131072]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\Knerr\Start Menu\Programs\Startup\
systemcleaner.lnk - c:\program files\GalileoCleaner\systemcleaner.exe [2011-6-13 697860]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-11-14 813584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 17:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer VCM.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acer VCM.lnk
backup=c:\windows\pss\Acer VCM.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Knerr^Start Menu^Programs^Startup^systemcleaner.lnk]
path=c:\documents and settings\Knerr\Start Menu\Programs\Startup\systemcleaner.lnk
backup=c:\windows\pss\systemcleaner.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
2006-07-17 14:40 53248 ----a-w- c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-03-28 22:42 348160 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-14 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2009-06-17 16:55 55824 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2009-02-20 01:52 817672 ----a-w- c:\program files\Launch Manager\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2008-04-14 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD8LanguageShortcut]
2007-12-14 18:36 50472 ----a-w- c:\program files\CyberLink\PowerDVD8\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PersistenceThread]
2009-03-28 22:43 86016 ----a-w- c:\windows\system32\PersistenceThread.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8]
2008-10-17 17:44 91432 ----a-w- c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]
2009-07-21 08:17 468408 ----a-w- c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-13 01:29 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/5/2010 10:18 PM 294608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/5/2010 10:18 PM 17744]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [11/14/2009 4:01 PM 10384]
R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [4/15/2009 10:59 AM 237568]
R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [4/15/2009 9:48 AM 5095360]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/15/2009 9:52 AM 1684736]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\3.tmp [6/14/2011 11:07 AM 6144]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [4/15/2009 9:53 AM 164864]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=ao751h
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxps://65.167.17.6/http/0/172.20.111.7/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Knerr\Application Data\Mozilla\Firefox\Profiles\uukqwu9y.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
.
.
------- File Associations -------
.
exefile="c:\documents and settings\NetworkService\Local Settings\Application Data\jpl.exe" -a "%1" %*
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-14 15:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST9160310AS rev.0303 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F0C31B
user & kernel MBR OK
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\WININET.dll
.
Completion time: 2011-06-14 15:14:22
ComboFix-quarantined-files.txt 2011-06-14 19:14
ComboFix2.txt 2011-06-14 18:12
ComboFix3.txt 2011-06-14 02:01
ComboFix4.txt 2011-06-14 00:08
ComboFix5.txt 2011-06-14 18:44
.
Pre-Run: 139,164,483,584 bytes free
Post-Run: 139,151,618,048 bytes free
.
- - End Of File - - 4219066838C73E53FE67319AC34B0560

#5 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:10:22 AM

Posted 15 June 2011 - 05:38 PM

Closing as you have a topic created here: http://www.bleepingcomputer.com/forums/topic403886.html

Cheers,
ST.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users