
Svchost memory leak bug


This topic is locked
18 replies to this topic

#1 TO_design (Members, 11 posts)

Posted 24 June 2011 - 12:33 AM

Not sure if this is where I should post this topic or not, but I am in dire need of some help!! My system has been infected with the memory leak bug that hides itself in or as a svchost.exe process, and even after killing the process it will come back a few minutes later. Basically, if you watch the process list in the Task Manager you will see multiple svchost.exe processes running. Now I know that most of these are needed to run different aspects of the system, so I don't fear how many there are, but there will be one that pops up and grows within a few seconds from 12k to 500k+, which usually uses 50-100% of the CPU and slows down the system to a slug's pace! And I am assuming it is hiding itself in an existing svchost process, because when I kill the process it affects the sound on the computer as well as the styling of the windows (goes from the Windows XP look to like a Windows ME look). I have tried everything I possibly can, cleaning the system with programs like CCleaner, and have multiple anti-spyware/virus programs such as AVG, Mbam, SUPERAntiSpyware, TDSSKiller, rkill, etc., as well as restores. I have recently downloaded HijackThis! but don't want to mess around with registry stuff because I'm not too keen on that aspect of the system, so I don't want to cause more problems than I have with this bug. When I run the scans in either normal or safe mode, sometimes it will find malicious stuff, remove it, prompt me to restart, then once the system is up and running again the svchost starts eating all the memory about 10 minutes after restart until I have to kill it again; and sometimes the scans won't find anything at all and say the system is clean. I am running Windows XP Pro and I'm not sure if it helps, but this mainly happens when it is connected to the internet; if I pull the connection it stops taking up all the memory, but then I have to restart before I can connect to the internet again.
Oh, and if I try searching for most things on Google or search engines it redirects me to other search pages, and sometimes pop-ups will come up for 'myonlinearcade' or other websites, which AVG will say is a threat and get rid of it. Hopefully I can find some help to rid my computer of this annoying little bug and not have to worry about watching Task Manager constantly, making sure my usage isn't spiking my computer to death. Thanks in advance!!

TO

Here are the logs DDS gave

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Taylor at 1:58:48 on 2011-06-24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.572 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\Hide My IP\HideMyIpSrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\taskmgr.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uRun: [AdobeBridge]
uRun: [Creative Software Update] "c:\program files\creative\shared files\software update\AutoUpdate.exe" /Silent
uRun: [Google Update] "c:\documents and settings\taylor\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CreativeTaskScheduler] "c:\program files\creative\shared files\CTSched.exe" /logon
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [CTXFIREG] CTxfiReg.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /install
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\HMIPCore.dll
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://68.116.52.180/activex/AMC.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{E7E660A5-ABC0-4E6E-92A2-072DA4247F2C} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{FDB9E078-D48B-4E05-9294-8B57BF3AF640} : DhcpNameServer = 192.168.2.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-10 14336]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-6-23 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-6-23 566296]
R3 HideMyIpSRV;HideMyIpSRV;c:\program files\hide my ip\HideMyIpSrv.exe [2010-6-5 2752816]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-20 984392]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-1-28 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-6-23 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-6-23 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-6-23 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-6-23 566296]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-9-22 39984]
S3 XDva317;XDva317;\??\c:\windows\system32\xdva317.sys --> c:\windows\system32\XDva317.sys [?]
S3 XDva321;XDva321;\??\c:\windows\system32\xdva321.sys --> c:\windows\system32\XDva321.sys [?]
S3 XDva323;XDva323;\??\c:\windows\system32\xdva323.sys --> c:\windows\system32\XDva323.sys [?]
S3 XDva326;XDva326;\??\c:\windows\system32\xdva326.sys --> c:\windows\system32\XDva326.sys [?]
S3 XDva327;XDva327;\??\c:\windows\system32\xdva327.sys --> c:\windows\system32\XDva327.sys [?]
S3 XDva332;XDva332;\??\c:\windows\system32\xdva332.sys --> c:\windows\system32\XDva332.sys [?]
S3 XDva336;XDva336;\??\c:\windows\system32\xdva336.sys --> c:\windows\system32\XDva336.sys [?]
S3 XDva337;XDva337;\??\c:\windows\system32\xdva337.sys --> c:\windows\system32\XDva337.sys [?]
S3 XDva341;XDva341;\??\c:\windows\system32\xdva341.sys --> c:\windows\system32\XDva341.sys [?]
S3 XDva342;XDva342;\??\c:\windows\system32\xdva342.sys --> c:\windows\system32\XDva342.sys [?]
S3 XDva343;XDva343;\??\c:\windows\system32\xdva343.sys --> c:\windows\system32\XDva343.sys [?]
S3 XDva344;XDva344;\??\c:\windows\system32\xdva344.sys --> c:\windows\system32\XDva344.sys [?]
S3 XDva345;XDva345;\??\c:\windows\system32\xdva345.sys --> c:\windows\system32\XDva345.sys [?]
S3 XDva346;XDva346;\??\c:\windows\system32\xdva346.sys --> c:\windows\system32\XDva346.sys [?]
S3 XDva347;XDva347;\??\c:\windows\system32\xdva347.sys --> c:\windows\system32\XDva347.sys [?]
S3 XDva349;XDva349;\??\c:\windows\system32\xdva349.sys --> c:\windows\system32\XDva349.sys [?]
S3 XDva359;XDva359;\??\c:\windows\system32\xdva359.sys --> c:\windows\system32\XDva359.sys [?]
S3 XDva361;XDva361;\??\c:\windows\system32\xdva361.sys --> c:\windows\system32\XDva361.sys [?]
S3 XDva362;XDva362;\??\c:\windows\system32\xdva362.sys --> c:\windows\system32\XDva362.sys [?]
S3 XDva366;XDva366;\??\c:\windows\system32\xdva366.sys --> c:\windows\system32\XDva366.sys [?]
S3 XDva367;XDva367;\??\c:\windows\system32\xdva367.sys --> c:\windows\system32\XDva367.sys [?]
S3 XDva368;XDva368;\??\c:\windows\system32\xdva368.sys --> c:\windows\system32\XDva368.sys [?]
S3 XDva370;XDva370;\??\c:\windows\system32\xdva370.sys --> c:\windows\system32\XDva370.sys [?]
S3 XDva372;XDva372;\??\c:\windows\system32\xdva372.sys --> c:\windows\system32\XDva372.sys [?]
S3 XDva374;XDva374;\??\c:\windows\system32\xdva374.sys --> c:\windows\system32\XDva374.sys [?]
S3 XDva375;XDva375;\??\c:\windows\system32\xdva375.sys --> c:\windows\system32\XDva375.sys [?]
S3 XDva377;XDva377;\??\c:\windows\system32\xdva377.sys --> c:\windows\system32\XDva377.sys [?]
S3 XDva379;XDva379;\??\c:\windows\system32\xdva379.sys --> c:\windows\system32\XDva379.sys [?]
S3 XDva385;XDva385;\??\c:\windows\system32\xdva385.sys --> c:\windows\system32\XDva385.sys [?]
S4 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
.
=============== Created Last 30 ================
.
2011-06-24 04:59:27 388096 ----a-r- c:\documents and settings\taylor\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-06-24 04:59:26 -------- d-----w- c:\program files\Trend Micro
2011-06-21 16:36:31 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-06-21 16:36:21 -------- d-----w- c:\program files\Belkin
2011-06-17 04:09:31 -------- d-----w- c:\documents and settings\taylor\application data\SUPERAntiSpyware.com
2011-06-17 04:09:31 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-06-17 04:09:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-17 03:53:46 -------- d-----w- c:\windows\pss
2011-06-15 07:02:28 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-15 01:21:02 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-15 01:09:50 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-06-15 01:09:50 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-15 01:28:42 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-04-05 04:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600JS-75MHB0 rev.03.01C03 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x870C76F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x870cda10]; MOV EAX, [0x870cda8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x87113AB8]
3 CLASSPNP[0xF7572FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x870862E8]
\Driver\atapi[0x871A23B0] -> IRP_MJ_CREATE -> 0x870C76F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x870C753B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 1:59:47.67 ===============

nothing?!


Edited by Andrew, 24 June 2011 - 12:38 PM.
Mod Edit: Merged Replies To Reset Reply Count - AA




#2 CatByte, bleepin' tiger (Malware Response Team, 14,664 posts, Canada)

Posted 01 July 2011 - 09:49 PM

Hi,

Please do the following:

  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
  • Click Scan
  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 CatByte, bleepin' tiger (Malware Response Team, 14,664 posts, Canada)

Posted 09 July 2011 - 10:21 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



#4 CatByte, bleepin' tiger (Malware Response Team, 14,664 posts, Canada)

Posted 11 July 2011 - 06:38 AM

This topic has been re-opened at the request of the person who originally posted.



#5 TO_design, Topic Starter (Members, 11 posts)

Posted 11 July 2011 - 02:06 PM

Here is the aswMBR log:

aswMBR version 0.9.7.705 Copyright© 2011 AVAST Software
Run date: 2011-07-11 12:42:26
-----------------------------
12:42:26.468 OS Version: Windows 5.1.2600 Service Pack 3
12:42:26.468 Number of processors: 2 586 0x404
12:42:26.468 ComputerName: MARCY UserName:
12:42:28.703 Initialize success
12:42:30.640 AVAST engine defs: 11071001
12:42:33.750 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17
12:42:33.765 Disk 0 Vendor: WDC_WD1600JS-75MHB0 03.01C03 Size: 152587MB BusType: 3
12:42:33.781 Device \Driver\atapi -> DriverStartIo 872f353b
12:42:33.781 Disk 0 MBR read successfully
12:42:33.796 Disk 0 MBR scan
12:42:36.093 Disk 0 MBR:Alureon-G [Rtk]
12:42:36.109 Disk 0 TDL4@MBR code has been found
12:42:36.109 Disk 0 Windows XP default MBR code found via API
12:42:36.140 Disk 0 MBR hidden
12:42:36.156 Disk 0 MBR [TDL4] **ROOTKIT**
12:42:36.171 Disk 0 trace - called modules:
12:42:36.203 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x872f36f0]<<
12:42:36.218 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87336ab8]
12:42:36.234 3 CLASSPNP.SYS[f77c4fd7] -> nt!IofCallDriver -> [0x872a7f18]
12:42:36.515 \Driver\atapi[0x8733bc98] -> IRP_MJ_CREATE -> 0x872f36f0
12:42:38.703 AVAST engine scan C:\WINDOWS
13:14:32.046 AVAST engine scan C:\Documents and Settings\Taylor
13:30:10.000 AVAST engine scan C:\Documents and Settings\All Users
13:32:05.343 Scan finished successfully
13:58:18.906 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Taylor\My Documents\MBR.dat"
13:58:18.937 The log file has been saved successfully to "C:\Documents and Settings\Taylor\My Documents\aswMBR.txt"


And the zipped file is attached. Thanks!

Attached file: MBR.zip (539 bytes)

Edited by TO_design, 11 July 2011 - 02:07 PM.
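A small triage script for aswMBR logs such as the one in this post, added here as an example; it is not part of the original thread and not AVAST's own code. It separates the MBR verdict lines from the disk-trace lines and returns a structured summary, so the infected scan above can be compared mechanically with a later clean scan. The two embedded samples are trimmed copies of the logs posted in this thread; the field names and the indicator list are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Every aswMBR event line is "HH:MM:SS.mmm message"; the banner, "Run date"
# and separator lines carry no timestamp and are skipped as metadata.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")
# The disk trace lists the driver chain for a raw disk I/O; a module aswMBR
# cannot resolve is printed as ">>UNKNOWN [0xADDR]<<".
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
# A hooked I/O dispatch routine is printed as "Device \Driver\X -> DriverStartIo ADDR".
HOOK_RE = re.compile(r"Device (\\Driver\\\S+) -> (\w+) ([0-9a-fA-F]+)")
# Final per-disk verdict, e.g. "Disk 0 MBR [TDL4] **ROOTKIT**".
ROOTKIT_RE = re.compile(r"Disk (\d+) MBR \[(\S+)\] \*\*ROOTKIT\*\*")
# Signature hit on the MBR itself, e.g. "Disk 0 MBR:Alureon-G [Rtk]".
SIGNATURE_RE = re.compile(r"Disk \d+ MBR:(\S+)")


@dataclass
class MbrVerdict:
    disks_scanned: set = field(default_factory=set)
    rootkit_families: dict = field(default_factory=dict)   # disk number -> family tag
    mbr_signature: Optional[str] = None
    mbr_hidden: bool = False                                # API view != raw read
    unknown_modules: list = field(default_factory=list)     # addresses from the trace
    startio_hooks: list = field(default_factory=list)       # (driver, hook address)
    mbr_saved_to: Optional[str] = None

    @property
    def infected(self) -> bool:
        return bool(self.rootkit_families) or self.mbr_hidden or bool(self.unknown_modules)


def parse_aswmbr(log: str) -> MbrVerdict:
    """Reduce an aswMBR log to the indicators a reviewer checks first."""
    v = MbrVerdict()
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(2)
        if (d := re.match(r"Disk (\d+) MBR scan", msg)):
            v.disks_scanned.add(int(d.group(1)))
        if (r := ROOTKIT_RE.search(msg)):
            v.rootkit_families[int(r.group(1))] = r.group(2)
        if (s := SIGNATURE_RE.search(msg)):
            v.mbr_signature = s.group(1)
        if "MBR hidden" in msg:
            v.mbr_hidden = True
        v.unknown_modules += UNKNOWN_RE.findall(msg)
        if (h := HOOK_RE.search(msg)):
            v.startio_hooks.append((h.group(1), h.group(3)))
        if (p := re.search(r'MBR has been saved successfully to "([^"]+)"', msg)):
            v.mbr_saved_to = p.group(1)
    return v


def indicators_cleared(before: MbrVerdict, after: MbrVerdict) -> list:
    """Indicators present in `before` that are gone in `after`: used to confirm
    that a Fix run removed everything the first scan reported."""
    checks = {
        "rootkit_verdict": (bool(before.rootkit_families), bool(after.rootkit_families)),
        "mbr_hidden": (before.mbr_hidden, after.mbr_hidden),
        "unknown_trace_module": (bool(before.unknown_modules), bool(after.unknown_modules)),
        "driverstartio_hook": (bool(before.startio_hooks), bool(after.startio_hooks)),
    }
    return [name for name, (was, now) in checks.items() if was and not now]


# Sample input: trimmed copy of the aswMBR log posted above (before Fix).
INFECTED_LOG = r"""
aswMBR version 0.9.7.705 Copyright© 2011 AVAST Software
Run date: 2011-07-11 12:42:26
-----------------------------
12:42:33.750 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17
12:42:33.781 Device \Driver\atapi -> DriverStartIo 872f353b
12:42:33.781 Disk 0 MBR read successfully
12:42:33.796 Disk 0 MBR scan
12:42:36.093 Disk 0 MBR:Alureon-G [Rtk]
12:42:36.109 Disk 0 TDL4@MBR code has been found
12:42:36.109 Disk 0 Windows XP default MBR code found via API
12:42:36.140 Disk 0 MBR hidden
12:42:36.156 Disk 0 MBR [TDL4] **ROOTKIT**
12:42:36.171 Disk 0 trace - called modules:
12:42:36.203 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x872f36f0]<<
12:42:36.515 \Driver\atapi[0x8733bc98] -> IRP_MJ_CREATE -> 0x872f36f0
13:32:05.343 Scan finished successfully
13:58:18.906 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Taylor\My Documents\MBR.dat"
"""

# Sample input: trimmed copy of the follow-up log from this thread (after Fix).
CLEAN_LOG = r"""
aswMBR version 0.9.7.705 Copyright© 2011 AVAST Software
Run date: 2011-07-12 12:41:51
-----------------------------
12:43:30.281 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17
12:43:32.312 Disk 0 MBR read successfully
12:43:32.312 Disk 0 MBR scan
12:43:32.312 Disk 0 Windows XP default MBR code
12:43:52.875 Disk 0 trace - called modules:
12:43:52.890 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
12:43:52.890 3 CLASSPNP.SYS[f7572fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-17[0x8715db00]
13:37:46.234 Scan finished successfully
"""

if __name__ == "__main__":
    before, after = parse_aswmbr(INFECTED_LOG), parse_aswmbr(CLEAN_LOG)
    print("before:", before)
    print("after: ", after)
    print("cleared:", indicators_cleared(before, after))
```

The "MBR hidden" flag is the key line: the MBR read through the API looks like stock Windows XP code while the raw read carries TDL4 code, which is why the earlier DDS scan found nothing the user could act on.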


#6 CatByte, bleepin' tiger (Malware Response Team, 14,664 posts, Canada)

Posted 11 July 2011 - 02:37 PM

Hi,

Please do the following:

Re-run aswMBR:

  • Click Scan
  • On completion of the scan, click the Fix button
  • Save the log as before and post it in your next reply

NEXT

Download ComboFix from either of these locations:
Link 1
Link 2

VERY IMPORTANT !!!
Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.



#7 TO_design, Topic Starter (Members, 11 posts)

Posted 12 July 2011 - 12:49 PM

Alrighty, so here are the logs...

aswMBR log:

aswMBR version 0.9.7.705 Copyright© 2011 AVAST Software
Run date: 2011-07-12 12:41:51
-----------------------------
12:41:51.468 OS Version: Windows 5.1.2600 Service Pack 3
12:41:51.468 Number of processors: 2 586 0x404
12:41:51.468 ComputerName: MARCY UserName:
12:41:52.109 Initialize success
12:43:26.421 AVAST engine defs: 11071201
12:43:30.281 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17
12:43:30.281 Disk 0 Vendor: WDC_WD1600JS-75MHB0 03.01C03 Size: 152587MB BusType: 3
12:43:32.312 Disk 0 MBR read successfully
12:43:32.312 Disk 0 MBR scan
12:43:32.312 Disk 0 Windows XP default MBR code
12:43:34.312 Disk 0 scanning sectors +312496380
12:43:34.328 Disk 0 scanning C:\WINDOWS\system32\drivers
12:43:51.593 Service scanning
12:43:52.875 Disk 0 trace - called modules:
12:43:52.890 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
12:43:52.890 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8711dab8]
12:43:52.890 3 CLASSPNP.SYS[f7572fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-17[0x8715db00]
12:43:53.531 AVAST engine scan C:\WINDOWS
13:08:40.156 AVAST engine scan C:\Documents and Settings\Taylor
13:34:08.578 AVAST engine scan C:\Documents and Settings\All Users
13:37:46.234 Scan finished successfully
13:44:11.328 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Taylor\My Documents\MBR.dat"
13:44:11.328 The log file has been saved successfully to "C:\Documents and Settings\Taylor\My Documents\aswMBR.txt"


ComboFix log:

ComboFix 11-07-12.05 - Taylor 07/12/2011 12:06:11.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.645 [GMT -4:00]
Running from: c:\documents and settings\Taylor\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-06-12 to 2011-07-12 )))))))))))))))))))))))))))))))
.
.
2011-07-05 15:39 . 2011-07-05 15:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-07-05 15:39 . 2011-07-05 15:39 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-06-25 03:22 . 2011-07-12 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-06-25 03:22 . 2011-06-25 03:22 -------- d-----w- c:\program files\AVAST Software
2011-06-25 03:22 . 2011-06-26 15:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-06-25 03:22 . 2009-01-25 17:14 15224 ----a-w- c:\windows\system32\sdnclean.exe
2011-06-25 03:22 . 2011-06-26 15:25 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2011-06-25 03:22 . 2011-05-11 00:19 770384 ----a-w- c:\windows\system32\msvcr100.dll
2011-06-25 03:22 . 2011-01-07 19:39 421200 ----a-w- c:\windows\system32\msvcp100.dll
2011-06-24 04:59 . 2011-06-24 04:59 388096 ----a-r- c:\documents and settings\Taylor\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-24 04:59 . 2011-06-24 04:59 -------- d-----w- c:\program files\Trend Micro
2011-06-21 16:36 . 2011-06-21 16:36 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-06-21 16:36 . 2011-06-21 16:36 -------- d-----w- c:\program files\Belkin
2011-06-20 06:06 . 2011-06-20 06:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2011-06-20 06:06 . 2011-06-20 06:06 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2011-06-20 06:00 . 2011-06-20 06:06 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2011-06-17 06:22 . 2011-06-17 06:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-06-17 04:09 . 2011-06-17 04:09 -------- d-----w- c:\documents and settings\Taylor\Application Data\SUPERAntiSpyware.com
2011-06-17 04:09 . 2011-06-17 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-06-17 04:09 . 2011-06-17 04:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-15 07:02 . 2011-06-15 07:18 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-15 01:21 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-15 01:09 . 2011-06-15 01:09 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-14 03:21 . 2011-06-14 03:21 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 13:11 . 2010-09-22 07:58 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2010-09-22 07:58 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31 . 2005-05-24 15:28 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-10 11:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-10 11:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2004-08-10 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-10 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-10 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-10 11:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-10 11:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-06-24_17.56.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-12 15:57 . 2011-07-12 15:57 16384 c:\windows\Temp\Perflib_Perfdata_580.dat
+ 2008-12-05 06:54 . 2011-04-29 17:25 151552 c:\windows\system32\dllcache\schannel.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Software Update"="c:\program files\Creative\Shared Files\Software Update\AutoUpdate.exe" [2009-01-15 430968]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-11-17 53341]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-10 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-13 37888]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"CTHelper"="CTHELPER.EXE" [2009-06-23 19456]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2011-05-11 5607080]
"Spybot-S&D Cleaning"="c:\program files\Spybot - Search & Destroy 2\SDCleaner.exe" [2011-05-11 5806912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNDcxNjQ1OTIyLUZQOSs2LUJBUjlHKzEtVEI5KzItRkwrOS1RSVgxKzQtWDIwMTArMi1GMTBNMTBEKzItTElDKzItRkwxMCsxLVNQMSsxLVNQMVRCKzEtU1VQKzMtU1AxUzIrMS1UVUcrMy1TUDFTMysxLUREVCsw&prod=90&ver=10.0.1388" [?]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2010-03-08 21:04 3972440 ----a-w- c:\program files\AIM\aim.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 08:04 59392 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SwitchBoard"=3 (0x3)
"mi-raysat_3dsmax9_32"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"Autodesk Licensing Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFWSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDMonSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57991:TCP"= 57991:TCP:Pando Media Booster
"57991:UDP"= 57991:UDP:Pando Media Booster
"1128:TCP"= 1128:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/10/2004 7:00 AM 14336]
R2 SDFirewallService;Spybot-S&D 2 Firewall Service;c:\program files\Spybot - Search & Destroy 2\SDFWSvc.exe [6/24/2011 11:22 PM 3585696]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [6/24/2011 11:22 PM 3769048]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/23/2009 2:34 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/23/2009 2:34 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/23/2009 2:34 PM 566296]
R3 HideMyIpSRV;HideMyIpSRV;c:\program files\Hide My IP\HideMyIpSrv.exe [6/5/2010 4:29 AM 2752816]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 SDMonitorService;Spybot-S&D 2 Monitoring Service;c:\program files\Spybot - Search & Destroy 2\SDMonSvc.exe [6/24/2011 11:22 PM 3834456]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [6/24/2011 11:22 PM 3515656]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [6/24/2011 11:22 PM 167040]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/23/2009 2:34 PM 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [1/28/2010 2:58 PM 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/23/2009 2:34 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/23/2009 2:35 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/23/2009 2:35 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/23/2009 2:34 PM 566296]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [9/22/2010 3:58 AM 39984]
S3 XDva317;XDva317;\??\c:\windows\system32\XDva317.sys --> c:\windows\system32\XDva317.sys [?]
S3 XDva321;XDva321;\??\c:\windows\system32\XDva321.sys --> c:\windows\system32\XDva321.sys [?]
S3 XDva323;XDva323;\??\c:\windows\system32\XDva323.sys --> c:\windows\system32\XDva323.sys [?]
S3 XDva326;XDva326;\??\c:\windows\system32\XDva326.sys --> c:\windows\system32\XDva326.sys [?]
S3 XDva327;XDva327;\??\c:\windows\system32\XDva327.sys --> c:\windows\system32\XDva327.sys [?]
S3 XDva332;XDva332;\??\c:\windows\system32\XDva332.sys --> c:\windows\system32\XDva332.sys [?]
S3 XDva336;XDva336;\??\c:\windows\system32\XDva336.sys --> c:\windows\system32\XDva336.sys [?]
S3 XDva337;XDva337;\??\c:\windows\system32\XDva337.sys --> c:\windows\system32\XDva337.sys [?]
S3 XDva341;XDva341;\??\c:\windows\system32\XDva341.sys --> c:\windows\system32\XDva341.sys [?]
S3 XDva342;XDva342;\??\c:\windows\system32\XDva342.sys --> c:\windows\system32\XDva342.sys [?]
S3 XDva343;XDva343;\??\c:\windows\system32\XDva343.sys --> c:\windows\system32\XDva343.sys [?]
S3 XDva344;XDva344;\??\c:\windows\system32\XDva344.sys --> c:\windows\system32\XDva344.sys [?]
S3 XDva345;XDva345;\??\c:\windows\system32\XDva345.sys --> c:\windows\system32\XDva345.sys [?]
S3 XDva346;XDva346;\??\c:\windows\system32\XDva346.sys --> c:\windows\system32\XDva346.sys [?]
S3 XDva347;XDva347;\??\c:\windows\system32\XDva347.sys --> c:\windows\system32\XDva347.sys [?]
S3 XDva349;XDva349;\??\c:\windows\system32\XDva349.sys --> c:\windows\system32\XDva349.sys [?]
S3 XDva359;XDva359;\??\c:\windows\system32\XDva359.sys --> c:\windows\system32\XDva359.sys [?]
S3 XDva361;XDva361;\??\c:\windows\system32\XDva361.sys --> c:\windows\system32\XDva361.sys [?]
S3 XDva362;XDva362;\??\c:\windows\system32\XDva362.sys --> c:\windows\system32\XDva362.sys [?]
S3 XDva366;XDva366;\??\c:\windows\system32\XDva366.sys --> c:\windows\system32\XDva366.sys [?]
S3 XDva367;XDva367;\??\c:\windows\system32\XDva367.sys --> c:\windows\system32\XDva367.sys [?]
S3 XDva368;XDva368;\??\c:\windows\system32\XDva368.sys --> c:\windows\system32\XDva368.sys [?]
S3 XDva370;XDva370;\??\c:\windows\system32\XDva370.sys --> c:\windows\system32\XDva370.sys [?]
S3 XDva372;XDva372;\??\c:\windows\system32\XDva372.sys --> c:\windows\system32\XDva372.sys [?]
S3 XDva374;XDva374;\??\c:\windows\system32\XDva374.sys --> c:\windows\system32\XDva374.sys [?]
S3 XDva375;XDva375;\??\c:\windows\system32\XDva375.sys --> c:\windows\system32\XDva375.sys [?]
S3 XDva377;XDva377;\??\c:\windows\system32\XDva377.sys --> c:\windows\system32\XDva377.sys [?]
S3 XDva379;XDva379;\??\c:\windows\system32\XDva379.sys --> c:\windows\system32\XDva379.sys [?]
S3 XDva385;XDva385;\??\c:\windows\system32\XDva385.sys --> c:\windows\system32\XDva385.sys [?]
S4 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 2:37 PM 517096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-21 c:\windows\Tasks\AdobeAAMUpdater-1.0-MARCY-Taylor.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-01-04 08:44]
.
2011-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1677128483-839522115-1003Core.job
- c:\documents and settings\Taylor\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-13 01:06]
.
2011-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1677128483-839522115-1003UA.job
- c:\documents and settings\Taylor\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-13 01:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
LSP: c:\windows\system32\HMIPCore.dll
TCP: DhcpNameServer = 192.168.2.1
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://68.116.52.180/activex/AMC.cab
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - c:\program files\AVAST Software\Avast\ashShell.dll
HKLM-Run-avast - c:\program files\AVAST Software\Avast\avastUI.exe
Notify-SDWinLogon - SDWinLogon.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-12 12:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(528)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(584)
c:\windows\system32\HMIPCore.dll
.
- - - - - - - > 'explorer.exe'(4120)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-07-12 12:17:53
ComboFix-quarantined-files.txt 2011-07-12 16:17
ComboFix2.txt 2011-06-24 18:01
.
Pre-Run: 78,918,164,480 bytes free
Post-Run: 79,326,064,640 bytes free
.
- - End Of File - - 89E9962AD2FC6A05CCEDA88D7686EE72


I don't seem to have the svchost memory leak bug any longer, as I have not seen any spikes in usage and have left it connected to the internet, which I couldn't do before. So it seems the aswMBR program has successfully removed the rootkit that was affecting me. Thank you very much for helping me get rid of that darn thing!! Now there is just one more issue. When I search for something on Google it doesn't seem to be redirecting me to random websites like it did before, but it won't let me click on any search results. If I click on any of the links it won't even try to load a webpage, but I can still bring up webpages by typing the URL into the address bar. What is the reason I wouldn't be able to click on any of the search results? Also, are there any other scans I should do from here on out, or any other programs I should run to make sure this thing is really gone? Thanks again!!

edit: Oh!! and it won't let me log into some websites like eBay and stuff.

Edited by TO_design, 12 July 2011 - 12:55 PM.
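As an added example (not code from this thread, from ComboFix or from BleepingComputer), here is a small Python triage script for the "Reg Loading Points" block in the format of the log above. It flags the Security Center overrides and the disabled standard-profile firewall that appear in this log, lists service entries whose image file ComboFix could not find (the "[x]" and "[?]" markers), and maps svchost-hosted services to their -k group, which is the first thing to check when a single svchost.exe instance is the one misbehaving. The sample lines embedded in it are a constructed trim of that log; the key paths and value names are as ComboFix prints them.

```python
"""Triage helper for ComboFix 'Reg Loading Points' output.

Added example for this thread; it is not part of ComboFix, of the forum's
instructions, or of any of the posts. It parses the REGEDIT4-style block
ComboFix prints and reports:
  * Security Center / Windows Firewall values set to a weakened state,
  * service and driver entries whose image file ComboFix could not find
    ('[x]' = no path recorded, '[?]' = path recorded but file absent),
  * services hosted inside svchost.exe, with their -k group name.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the ComboFix format, trimmed to a few lines.
SAMPLE_LOG = r"""REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/10/2004 7:00 AM 14336]
S1 aswSnx;aswSnx; [x]
S3 XDva317;XDva317;\??\c:\windows\system32\XDva317.sys --> c:\windows\system32\XDva317.sys [?]
S4 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 2:37 PM 517096]
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')
# Service lines: "<state> <name>;<display name>;<image path and stamp>"
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")

SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
FW_PROFILE = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"

# (key, value name, value that weakens the host, what that value means)
WEAK_SETTINGS = [
    (SECURITY_CENTER, "AntiVirusOverride", 1, "Security Center no longer monitors antivirus status"),
    (SECURITY_CENTER, "FirewallOverride", 1, "Security Center no longer monitors firewall status"),
    (FW_PROFILE, "EnableFirewall", 0, "Windows Firewall is off for the standard profile"),
    (FW_PROFILE, "DisableNotifications", 1, "firewall block notifications are suppressed"),
]


def parse_dword(raw: str):
    """Normalise the two numeric spellings ComboFix uses:
    'dword:00000001' and '0 (0x0)'. Returns None for anything else."""
    raw = raw.strip()
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)
    if m:
        return int(m.group(1))
    return None


def parse_registry_values(text: str) -> Dict[Tuple[str, str], str]:
    """Map (lower-cased key path, value name) -> raw value text."""
    values: Dict[Tuple[str, str], str] = {}
    current_key = None
    for line in text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            values[(current_key, m.group("name"))] = m.group("raw")
    return values


def flag_weak_settings(values: Dict[Tuple[str, str], str]) -> List[str]:
    """Return one finding per WEAK_SETTINGS entry present at its weak value."""
    findings = []
    for key, name, bad_value, why in WEAK_SETTINGS:
        raw = values.get((key, name))
        if raw is not None and parse_dword(raw) == bad_value:
            findings.append(f"{name}={bad_value}: {why}")
    return findings


def parse_services(text: str) -> List[Dict[str, str]]:
    """Collect the R?/S? service and driver lines as dicts."""
    return [m.groupdict() for m in map(SERVICE_RE.match, text.splitlines()) if m]


def missing_binaries(services: List[Dict[str, str]]) -> List[str]:
    """Entries whose image ComboFix marked '[x]' or '[?]'."""
    return [s["name"] for s in services if s["rest"].rstrip().endswith(("[x]", "[?]"))]


def svchost_groups(services: List[Dict[str, str]]) -> Dict[str, str]:
    """Service name -> svchost -k group, for services hosted in svchost.exe."""
    groups: Dict[str, str] = {}
    for s in services:
        m = re.search(r"svchost\.exe\s+-k\s+(\S+)", s["rest"], re.IGNORECASE)
        if m:
            groups[s["name"]] = m.group(1)
    return groups


def triage(text: str) -> Dict[str, object]:
    values = parse_registry_values(text)
    services = parse_services(text)
    return {
        "findings": flag_weak_settings(values),
        "missing_binaries": missing_binaries(services),
        "svchost_groups": svchost_groups(services),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for finding in report["findings"]:
        print("WEAK SETTING:", finding)
    print("missing image:", ", ".join(report["missing_binaries"]))
    for name, group in report["svchost_groups"].items():
        print(f"svchost-hosted: {name} (-k {group})")
```

Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file contents; the weak-setting list is a starting point and should be extended with whatever keys matter in your environment.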


#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 12 July 2011 - 01:03 PM

Hi

It's probably not entirely clean, please run the following:

Download FixTDSS to your desktop and follow the prompts to run it:

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe


NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


NEXT


Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 TO_design

TO_design
  • Topic Starter

  • Members
  • 11 posts

Posted 13 July 2011 - 02:01 AM

Alrighty, so FixTDSS didn't find anything on the scan, and here are the scans for the others.

Mbam (didn't find anything):

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7098

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/13/2011 12:01:26 AM
mbam-log-2011-07-13 (00-01-26).txt

Scan type: Quick scan
Objects scanned: 170295
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


and the ESET scan:


C:\Documents and Settings\Taylor\Desktop\snail mail\Snail.Mail.v1.0.Keygen.zip probably a variant of Win32/Agent.DSNRPIO trojan
C:\Documents and Settings\Taylor\Desktop\snail mail\Snail.Mail.v1.0.Keygen\eclsnm10.exe probably a variant of Win32/Agent.DSNRPIO trojan
C:\System Volume Information\_restore{C6472799-56D1-411A-9350-3459E8A19CAB}\RP606\A0066810.exe a variant of Win32/TrojanDownloader.Whizelown.F trojan
C:\System Volume Information\_restore{C6472799-56D1-411A-9350-3459E8A19CAB}\RP606\A0066811.exe a variant of Win32/TrojanDownloader.Whizelown.F trojan
C:\System Volume Information\_restore{C6472799-56D1-411A-9350-3459E8A19CAB}\RP606\A0066834.exe a variant of Win32/TrojanDownloader.Whizelown.F trojan

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 13 July 2011 - 08:59 AM

Hi,

Please do the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Documents and Settings\Taylor\Desktop\snail mail\Snail.Mail.v1.0.Keygen.zip 
C:\Documents and Settings\Taylor\Desktop\snail mail\Snail.Mail.v1.0.Keygen\eclsnm10.exe 

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".

Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT
Please advise how the computer is running now and if there are any outstanding issues



#11 TO_design

TO_design
  • Topic Starter

  • Members
  • 11 posts

Posted 13 July 2011 - 07:15 PM

Alrighty, here is the next ComboFix log:

ComboFix 11-07-13.03 - Taylor 07/13/2011 19:56:43.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.422 [GMT -4:00]
Running from: c:\documents and settings\Taylor\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Taylor\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\Taylor\Desktop\snail mail\Snail.Mail.v1.0.Keygen.zip"
"c:\documents and settings\Taylor\Desktop\snail mail\Snail.Mail.v1.0.Keygen\eclsnm10.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Taylor\Desktop\snail mail\Snail.Mail.v1.0.Keygen.zip
c:\documents and settings\Taylor\Desktop\snail mail\Snail.Mail.v1.0.Keygen\eclsnm10.exe
c:\documents and settings\Taylor\Recent\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-06-14 to 2011-07-14 )))))))))))))))))))))))))))))))
.
.
2011-07-13 12:26 . 2011-07-13 12:26 -------- d-----w- c:\windows\LastGood
2011-07-13 04:08 . 2011-07-13 04:08 -------- d-----w- c:\program files\ESET
2011-07-05 15:39 . 2011-07-05 15:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-07-05 15:39 . 2011-07-05 15:39 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-06-25 03:22 . 2011-07-12 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-06-25 03:22 . 2011-06-25 03:22 -------- d-----w- c:\program files\AVAST Software
2011-06-25 03:22 . 2011-06-26 15:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-06-25 03:22 . 2009-01-25 17:14 15224 ----a-w- c:\windows\system32\sdnclean.exe
2011-06-25 03:22 . 2011-06-26 15:25 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2011-06-25 03:22 . 2011-05-11 00:19 770384 ----a-w- c:\windows\system32\msvcr100.dll
2011-06-25 03:22 . 2011-01-07 19:39 421200 ----a-w- c:\windows\system32\msvcp100.dll
2011-06-24 04:59 . 2011-06-24 04:59 388096 ----a-r- c:\documents and settings\Taylor\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-24 04:59 . 2011-06-24 04:59 -------- d-----w- c:\program files\Trend Micro
2011-06-21 16:36 . 2011-06-21 16:36 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-06-21 16:36 . 2011-06-21 16:36 -------- d-----w- c:\program files\Belkin
2011-06-20 06:06 . 2011-06-20 06:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2011-06-20 06:06 . 2011-06-20 06:06 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2011-06-20 06:00 . 2011-06-20 06:06 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2011-06-17 06:22 . 2011-06-17 06:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-06-17 04:09 . 2011-06-17 04:09 -------- d-----w- c:\documents and settings\Taylor\Application Data\SUPERAntiSpyware.com
2011-06-17 04:09 . 2011-06-17 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-06-17 04:09 . 2011-06-17 04:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-15 07:02 . 2011-06-15 07:18 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-15 01:21 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-15 01:09 . 2011-06-15 01:09 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-14 03:21 . 2011-06-14 03:21 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 13:11 . 2010-09-22 07:58 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2010-09-22 07:58 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31 . 2005-05-24 15:28 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-10 11:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-10 11:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2004-08-10 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-10 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-10 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-10 11:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-10 11:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-06-24_17.56.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-13 06:54 . 2011-07-13 06:54 16384 c:\windows\Temp\Perflib_Perfdata_610.dat
+ 2008-12-05 06:54 . 2011-04-29 17:25 151552 c:\windows\system32\dllcache\schannel.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Software Update"="c:\program files\Creative\Shared Files\Software Update\AutoUpdate.exe" [2009-01-15 430968]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-11-17 53341]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-10 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-13 37888]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"CTHelper"="CTHELPER.EXE" [2009-06-23 19456]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2011-05-11 5607080]
"Spybot-S&D Cleaning"="c:\program files\Spybot - Search & Destroy 2\SDCleaner.exe" [2011-05-11 5806912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNDcxNjQ1OTIyLUZQOSs2LUJBUjlHKzEtVEI5KzItRkwrOS1RSVgxKzQtWDIwMTArMi1GMTBNMTBEKzItTElDKzItRkwxMCsxLVNQMSsxLVNQMVRCKzEtU1VQKzMtU1AxUzIrMS1UVUcrMy1TUDFTMysxLUREVCsw&prod=90&ver=10.0.1388" [?]
"SpybotDeletingC6429"="del" [X]
"SpybotDeletingC4172"="del" [X]
"SpybotDeletingA2256"="command.com" [2004-08-10 50620]
"SpybotDeletingA461"="command.com" [2004-08-10 50620]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2010-03-08 21:04 3972440 ----a-w- c:\program files\AIM\aim.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 08:04 59392 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SwitchBoard"=3 (0x3)
"mi-raysat_3dsmax9_32"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"Autodesk Licensing Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFWSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDMonSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57991:TCP"= 57991:TCP:Pando Media Booster
"57991:UDP"= 57991:UDP:Pando Media Booster
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/10/2004 7:00 AM 14336]
R2 SDFirewallService;Spybot-S&D 2 Firewall Service;c:\program files\Spybot - Search & Destroy 2\SDFWSvc.exe [6/24/2011 11:22 PM 3585696]
R2 SDMonitorService;Spybot-S&D 2 Monitoring Service;c:\program files\Spybot - Search & Destroy 2\SDMonSvc.exe [6/24/2011 11:22 PM 3834456]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [6/24/2011 11:22 PM 3515656]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [6/24/2011 11:22 PM 3769048]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/23/2009 2:34 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/23/2009 2:34 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/23/2009 2:34 PM 566296]
R3 HideMyIpSRV;HideMyIpSRV;c:\program files\Hide My IP\HideMyIpSrv.exe [6/5/2010 4:29 AM 2752816]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [6/24/2011 11:22 PM 167040]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/23/2009 2:34 PM 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [1/28/2010 2:58 PM 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/23/2009 2:34 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/23/2009 2:35 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/23/2009 2:35 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/23/2009 2:34 PM 566296]
S3 XDva317;XDva317;\??\c:\windows\system32\XDva317.sys --> c:\windows\system32\XDva317.sys [?]
S3 XDva321;XDva321;\??\c:\windows\system32\XDva321.sys --> c:\windows\system32\XDva321.sys [?]
S3 XDva323;XDva323;\??\c:\windows\system32\XDva323.sys --> c:\windows\system32\XDva323.sys [?]
S3 XDva326;XDva326;\??\c:\windows\system32\XDva326.sys --> c:\windows\system32\XDva326.sys [?]
S3 XDva327;XDva327;\??\c:\windows\system32\XDva327.sys --> c:\windows\system32\XDva327.sys [?]
S3 XDva332;XDva332;\??\c:\windows\system32\XDva332.sys --> c:\windows\system32\XDva332.sys [?]
S3 XDva336;XDva336;\??\c:\windows\system32\XDva336.sys --> c:\windows\system32\XDva336.sys [?]
S3 XDva337;XDva337;\??\c:\windows\system32\XDva337.sys --> c:\windows\system32\XDva337.sys [?]
S3 XDva341;XDva341;\??\c:\windows\system32\XDva341.sys --> c:\windows\system32\XDva341.sys [?]
S3 XDva342;XDva342;\??\c:\windows\system32\XDva342.sys --> c:\windows\system32\XDva342.sys [?]
S3 XDva343;XDva343;\??\c:\windows\system32\XDva343.sys --> c:\windows\system32\XDva343.sys [?]
S3 XDva344;XDva344;\??\c:\windows\system32\XDva344.sys --> c:\windows\system32\XDva344.sys [?]
S3 XDva345;XDva345;\??\c:\windows\system32\XDva345.sys --> c:\windows\system32\XDva345.sys [?]
S3 XDva346;XDva346;\??\c:\windows\system32\XDva346.sys --> c:\windows\system32\XDva346.sys [?]
S3 XDva347;XDva347;\??\c:\windows\system32\XDva347.sys --> c:\windows\system32\XDva347.sys [?]
S3 XDva349;XDva349;\??\c:\windows\system32\XDva349.sys --> c:\windows\system32\XDva349.sys [?]
S3 XDva359;XDva359;\??\c:\windows\system32\XDva359.sys --> c:\windows\system32\XDva359.sys [?]
S3 XDva361;XDva361;\??\c:\windows\system32\XDva361.sys --> c:\windows\system32\XDva361.sys [?]
S3 XDva362;XDva362;\??\c:\windows\system32\XDva362.sys --> c:\windows\system32\XDva362.sys [?]
S3 XDva366;XDva366;\??\c:\windows\system32\XDva366.sys --> c:\windows\system32\XDva366.sys [?]
S3 XDva367;XDva367;\??\c:\windows\system32\XDva367.sys --> c:\windows\system32\XDva367.sys [?]
S3 XDva368;XDva368;\??\c:\windows\system32\XDva368.sys --> c:\windows\system32\XDva368.sys [?]
S3 XDva370;XDva370;\??\c:\windows\system32\XDva370.sys --> c:\windows\system32\XDva370.sys [?]
S3 XDva372;XDva372;\??\c:\windows\system32\XDva372.sys --> c:\windows\system32\XDva372.sys [?]
S3 XDva374;XDva374;\??\c:\windows\system32\XDva374.sys --> c:\windows\system32\XDva374.sys [?]
S3 XDva375;XDva375;\??\c:\windows\system32\XDva375.sys --> c:\windows\system32\XDva375.sys [?]
S3 XDva377;XDva377;\??\c:\windows\system32\XDva377.sys --> c:\windows\system32\XDva377.sys [?]
S3 XDva379;XDva379;\??\c:\windows\system32\XDva379.sys --> c:\windows\system32\XDva379.sys [?]
S3 XDva385;XDva385;\??\c:\windows\system32\XDva385.sys --> c:\windows\system32\XDva385.sys [?]
S4 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 2:37 PM 517096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-13 c:\windows\Tasks\AdobeAAMUpdater-1.0-MARCY-Taylor.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-01-04 08:44]
.
2011-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1677128483-839522115-1003Core.job
- c:\documents and settings\Taylor\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-13 01:06]
.
2011-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1677128483-839522115-1003UA.job
- c:\documents and settings\Taylor\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-13 01:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
LSP: c:\windows\system32\HMIPCore.dll
TCP: DhcpNameServer = 192.168.2.1
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://68.116.52.180/activex/AMC.cab
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-13 20:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(692)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(756)
c:\windows\system32\HMIPCore.dll
.
Completion time: 2011-07-13 20:08:28
ComboFix-quarantined-files.txt 2011-07-14 00:08
ComboFix2.txt 2011-07-12 16:17
ComboFix3.txt 2011-06-24 18:01
.
Pre-Run: 78,823,018,496 bytes free
Post-Run: 79,019,536,384 bytes free
.
- - End Of File - - D1B63CCDEBA87AF8E7A5231F3306312C


Google still will not allow me to click on any of the links after I search, and I still cannot sign into some websites, like I stated before. Also, like it was doing before, while on the internet I will be able to browse normally, but 80% of the time, whatever I'm doing on multiple websites, Internet Explorer will stop responding, which then forces me to end the IE process, and it comes up with the Windows message asking if I want to send the info to Microsoft or not. This happens anywhere from being on a website for a couple of minutes to being on there for 15 or more. It just stops responding at random times.

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:55 AM

Posted 14 July 2011 - 08:46 AM

Please download FixTDSS and save it to your desktop

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe


Double-click the FixTDSS.exe icon to run it, follow the prompts, and please let me know if anything is found.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 TO_design

TO_design
  • Topic Starter

  • Members
  • 11 posts
  • Local time:12:55 AM

Posted 14 July 2011 - 11:08 AM

Nope, it said nothing was found after the scan finished.

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:55 AM

Posted 14 July 2011 - 07:18 PM

Please reset IE back to default and see if that makes any difference.

http://support.microsoft.com/kb/923737

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 TO_design

TO_design
  • Topic Starter

  • Members
  • 11 posts
  • Local time:12:55 AM

Posted 16 July 2011 - 12:15 PM

Yep, that worked!! I can now click on Google searches and it brings up the pages like normal, and I can sign into any websites I couldn't before! Now, are there any more things I should run, or does the system look like it's in good standing now? And I have re-downloaded Avast, so I am using that as my antivirus now. Thanks again for the help!!! You are a life saver!!