
Trojan or similar suspected


  • This topic is locked
14 replies to this topic

#1 gtc

gtc

  • Members
  • 40 posts
  • Gender:Male

Posted 11 October 2011 - 06:22 AM

(I posted this problem earlier but somebody sent my post to Siberia. As a person who actually donates to BleepingComputer I would appreciate my problem being taken seriously as it is seriously affecting my ability to work and I would like to scan my PC for a hidden nasty that may be taking control of a port, or ports, used by my email client. Thank you.)

A few days ago my Eudora mail client began to play up when I try to read (i.e. download) mail messages from my ISP. Symptom is a message saying either:

"Could not connect to pop.xxx.xxx.xxx"
"Cause: connection refused (10061)"


or:

"Error reading from network"
"Cause: Eudora got tired of waiting for the server. (10100)"


I can still send messages with no problem, so the SMTP side is fine, it's just the POP side that is affected.

If I reboot and start Eudora I can read my mail, but then say 10 minutes later if I click on read mail I get the error message(s). The only way to recover is to reboot, and then a few minutes later the problem reappears. I have spoken with my ISP and they see no issues with my account, etc., so the problem appears to be local to my PC. It seems to me that something is taking over the POP port or closing it down, or similar.

Note: this problem is not apparent if I run Eudora in safe mode, so it seems there's possibly a nasty lurking in normal mode, however nothing is being reported from full scans by my AV (Avast!), Malwarebytes and Ad-Aware, and Avast's various firewall/shield logs are empty.

I'm hoping you guys can suggest other virus/trojan tools to deploy and associated strategy to try to find out what is going on.


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,947 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 13 October 2011 - 01:27 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 gtc

gtc
  • Topic Starter

  • Members
  • 40 posts
  • Gender:Male

Posted 14 October 2011 - 03:15 AM

Thank you for those instructions.

I now have the 3 log files as follows:

DDS.TXT 16Kb
ATTACH.TXT 21Kb
ARK.TXT 214Kb

... however I cannot attach them because of:

"Used 507.77K of your 512K global upload quota (Max. single file size: 4.23K)"

... so please delete any previous files and recover my upload quota and I'll upload them.

Thanks.

#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,947 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 14 October 2011 - 10:40 PM

You can copy and paste the logs into the reply box instead of attaching.

I'll hunt up where you've got your other attachments and see what I can do.

Orange Blossom :cherry:

Edited by Orange Blossom, 14 October 2011 - 10:49 PM.


#5 gtc

gtc
  • Topic Starter

  • Members
  • 40 posts
  • Gender:Male

Posted 15 October 2011 - 03:01 PM

Suggest you simply delete all my previous threads. They are ancient history now.


Meanwhile ...


DDS.TXT:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_26
Run by g at 19:05:50 on 2011-10-14
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2047.189 [GMT 11:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: avast! Internet Security *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\afwServ.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\soft602\pdfSaver.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\Keybreeze\Keybreeze.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\iiNet\iConnect\launcher.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\DOCUME~1\g\LOCALS~1\Temp\iCBB_11_14 R09-27 IINET B01 Monitor Temporary Items\monSvr.exe
C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\Qualcomm\Eudora\Eudora.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Documents and Settings\All Users\Application Data\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.40_windows_intelx86
C:\Documents and Settings\All Users\Application Data\BOINC\projects\www.worldcommunitygrid.org\wcg_hcc1_img_6.42_windows_intelx86
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.imdb.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://au.search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Advertising Cookie Opt-out: {8e425eb4-adbd-4816-b1e8-49bb9decf034} - c:\program files\google\advertising cookie opt-out\opt_out.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [HP SchedIndexer] c:\program files\hewlett-packard\laserjet 33xx\hppschedindexer.exe
mRun: [HP AutoIndexer] c:\program files\hewlett-packard\laserjet 33xx\hppautoindexer.exe
mRun: [GBB36X Configure] c:\windows\system32\JMRaidTool.exe boot
mRun: [602PC SUITE PDF Saver] "c:\program files\common files\soft602\pdfSaver.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [boincmgr] "c:\program files\boinc\boincmgr.exe" /a /s
mRun: [boinctray] "c:\program files\boinc\boinctray.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [Keybreeze] c:\program files\keybreeze\Keybreeze.exe /a
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\g\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hplase~1.lnk - c:\program files\hewlett-packard\laserjet 33xx\hppdirector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imaget~1.lnk - c:\program files\sony corporation\image transfer\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\iinet\iconnect\launcher.exe
uPolicies-explorer: EditLevel = 0 (0x0)
uPolicies-explorer: NoCommonGroups = 0 (0x0)
IE: Add to AMV/AVI Video Converter... - c:\program files\media player utilities 4.21\amvconverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\g\application data\dvdvideosoftiehelpers\freeyoutubedownload.htm
IE: Send Using &Outlook - c:\program files\snipit\snipit\sendusingoutlook.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: australiancorvettesassociation.com\www
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=67633
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160097510473
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199180574114
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 10.1.1.1
TCP: Interfaces\{991B1C30-7C01-4C7E-8311-C6E35EC706B2} : DhcpNameServer = 10.1.1.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\g\application data\mozilla\firefox\profiles\o9z0iriu.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://au.search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2011-6-22 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [2011-6-22 195416]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-10-7 64512]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [2011-6-22 111320]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-26 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-5-26 320856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-5-26 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-5-26 44768]
R2 avast! Firewall;avast! Firewall;c:\program files\avast software\avast\afwServ.exe [2011-6-22 127192]
R2 cx88xbar;FusionHDTV 88x, WDM Crossbar;c:\windows\system32\drivers\zl88xbar.sys [2006-10-22 10368]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2151640]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2010-5-1 14088]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-4-22 92592]
R2 Zulu88Tune;FusionHDTV 88x, WDM Tuner(DVB-T PRO);c:\windows\system32\drivers\zl88tune.sys [2006-10-22 167424]
R2 Zulu88Vid;FusionHDTV 88x, WDM Video Capture;c:\windows\system32\drivers\zl88vcap.sys [2006-10-22 189312]
R3 CXAVSAUD;FusionHDTV 880, WDM Audio Capture;c:\windows\system32\drivers\zl88aud.sys [2006-10-22 9216]
R3 Zulu88BDA;FusionHDTV 88x, BDA DVB Tuner/Demod;c:\windows\system32\drivers\zl88bda.sys [2006-10-22 168320]
R3 Zulu88Ts;FusionHDTV 88x, BDA Receiver(DVB-T);c:\windows\system32\drivers\zl88tcap.sys [2006-10-22 19200]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\admini~1\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\admini~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\admini~1\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\admini~1\locals~1\temp\sas_selfextract\SASKUTIL.SYS [?]
S2 gupdate1c9a961eb75123e;Google Update Service (gupdate1c9a961eb75123e);c:\program files\google\update\GoogleUpdate.exe [2009-3-21 133104]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 BroadWaveService;BroadWave Service;c:\program files\nch swift sound\broadwave\broadwave.exe [2007-8-3 401412]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-3-21 133104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-8-23 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-8-23 40552]
.
=============== Created Last 30 ================
.
2011-10-09 03:49:08 -------- d-----w- c:\program files\Free Video Joiner
2011-10-07 14:03:07 13 ----a-w- c:\windows\system32\TEMP.BAT
2011-10-07 07:42:51 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-10-07 06:20:19 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-10-07 06:13:21 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-10-07 06:13:10 -------- d-----w- c:\program files\Lavasoft
2011-10-07 05:56:18 -------- d-----w- c:\documents and settings\g\application data\ElevatedDiagnostics
2011-10-05 16:19:33 -------- d-----w- C:\Output
2011-10-05 16:18:21 -------- d-----w- c:\documents and settings\g\application data\YCanPDF
2011-10-05 15:47:57 -------- d-----w- c:\program files\Chami
2011-10-05 15:47:43 299520 ----a-w- c:\windows\uninst.exe
2011-10-04 12:45:36 -------- d-----w- c:\documents and settings\all users\application data\Free Labs
2011-10-04 12:44:06 -------- d-----w- c:\program files\Free Labs
2011-10-02 17:05:43 -------- d-----w- c:\program files\FamilySearch
2011-09-14 11:13:18 -------- d-----w- c:\documents and settings\g\application data\DVDVideoSoft
2011-09-14 11:13:12 -------- d-----w- c:\documents and settings\g\application data\DVDVideoSoftIEHelpers
2011-09-14 11:12:57 -------- d-----w- c:\program files\DVDVideoSoft
2011-09-14 11:12:57 -------- d-----w- c:\program files\common files\DVDVideoSoft
.
==================== Find3M ====================
.
2011-10-02 12:17:22 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-08 14:10:56 2084966 ----a-w- c:\program files\Foxit_JS_ExObjects.dll
2011-09-06 20:45:29 41184 ----a-w- c:\windows\avastSS.scr
2011-09-06 20:38:54 111320 ----a-w- c:\windows\system32\drivers\aswFW.sys
2011-09-06 20:38:05 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-06 20:37:39 195416 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2011-08-31 07:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2007-06-13 12:32:26 28672 ----a-w- c:\program files\StopWatch.exe
2007-02-16 14:41:53 450560 ----a-w- c:\program files\fxdecod1.dll
2006-09-26 10:59:06 3801088 ----a-w- c:\program files\FoxitReader.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3320620AS rev.3.AAD -> Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-19
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk1\DR1[0x8A8CDAB8]
3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000079[0x8A9029E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP2T0L0-28[0x8A8FDD98]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
.
============= FINISH: 19:06:55.20 ===============

Edited by gtc, 15 October 2011 - 03:02 PM.
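The DDS log above is what the Malware Removal Team reads by hand: which images are running, where they run from, and whether the GMER section reports anything odd about the MBR. As an added example, not code from this thread, from BleepingComputer or from the DDS tool, the script below does the first pass of that triage mechanically. It pulls the "Running Processes" section out of a DDS log, marks images that run from Temp or profile directories as "review" (a prompt for a human to identify the program, not a verdict that it is malicious), treats the BOINC work-unit directory as a known-good exception, and reports whether the rootkit section contains the "user != kernel MBR" line. The location heuristics and the allowlist are this example's own assumptions, and the sample log is a constructed excerpt modelled on the lines posted in the thread.

```python
"""Triage helper for the 'Running Processes' and ROOTKIT sections of a DDS log.

Added example; the suspect-location and allowlist fragments are assumptions
made here, not rules from DDS or from the forum thread.
"""
import re

# Lower-cased path fragments (8.3 and long forms) for locations that normally
# do not host startup programs or services. Matching is a review prompt only.
SUSPECT_LOCATIONS = (
    "\\temp\\",
    "\\locals~1\\temp\\",
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\docume~1\\",
    "\\documents and settings\\",
)

# Profile sub-directories that legitimately run executables; BOINC downloads
# its work units under Application Data, as the posted log shows.
ALLOWLIST_FRAGMENTS = ("\\application data\\boinc\\",)

SECTION_HEADER = re.compile(r"^=+ Running Processes =+$")
ANY_SECTION_HEADER = re.compile(r"^=+ .+ =+$")
# DDS prints the full command line for svchost hosts; keep only the image path.
EXE_RE = re.compile(r"^(.*?\.exe)(?:\s|$)", re.IGNORECASE)

# Constructed excerpt modelled on the DDS output posted in this thread.
SAMPLE_DDS_EXCERPT = r"""DDS (Ver_2011-08-26.01) - NTFSx86
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\DOCUME~1\g\LOCALS~1\Temp\iCBB_11_14 R09-27 IINET B01 Monitor Temporary Items\monSvr.exe
C:\Documents and Settings\All Users\Application Data\BOINC\projects\www.worldcommunitygrid.org\wcg_hcc1_img_6.42_windows_intelx86
C:\PROGRA~1\Qualcomm\Eudora\Eudora.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
.
=================== ROOTKIT ====================
.
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
.
============= FINISH: 19:06:55.20 ===============
"""


def running_processes(log_text):
    """Return the image lines listed in the 'Running Processes' section."""
    images = []
    in_section = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if SECTION_HEADER.match(stripped):
            in_section = True
            continue
        if in_section and ANY_SECTION_HEADER.match(stripped):
            break  # next section reached
        if in_section and stripped and stripped != ".":  # DDS uses '.' as a spacer
            images.append(stripped)
    return images


def image_path(process_line):
    """Strip service arguments such as '-k netsvcs'; non-.exe lines pass through."""
    match = EXE_RE.match(process_line)
    return match.group(1) if match else process_line


def classify(process_line):
    """'unresolved' for a bare file name (DDS could not read the path),
    'review' for an image under a suspect location, otherwise 'ok'."""
    path = image_path(process_line).lower()
    if "\\" not in path:
        return "unresolved"
    if any(fragment in path for fragment in ALLOWLIST_FRAGMENTS):
        return "ok"
    if any(fragment in path for fragment in SUSPECT_LOCATIONS):
        return "review"
    return "ok"


def flagged(log_text):
    """Sorted list of running-process lines that deserve a closer look."""
    return sorted(line for line in running_processes(log_text) if classify(line) == "review")


def mbr_reads_differ(log_text):
    """True when the GMER section reports that the user-mode and kernel-mode
    reads of the MBR disagree; the removal team should see that line."""
    return any(line.strip().startswith("user != kernel MBR") for line in log_text.splitlines())


if __name__ == "__main__":
    for line in running_processes(SAMPLE_DDS_EXCERPT):
        print(f"{classify(line):>10}  {line}")
    print("MBR user/kernel mismatch:", mbr_reads_differ(SAMPLE_DDS_EXCERPT))
```

Feed it the DDS.TXT contents instead of the embedded excerpt to run it on a real log; anything marked "review" is a program to identify by name and publisher before deciding it belongs, and bare "unresolved" entries are normal for hosts DDS cannot query.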


#6 gtc

gtc
  • Topic Starter

  • Members
  • 40 posts
  • Gender:Male

Posted 15 October 2011 - 03:02 PM

ATTACH.TXT:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/10/2006 10:22:25 AM
System Uptime: 13/10/2011 3:26:04 AM (40 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | 965P-S3
Processor: Intel® Core™2 CPU 6600 @ 2.40GHz | Socket 775 | 2400/266mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 279 GiB total, 223.97 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 298 GiB total, 295.046 GiB free.
G: is Removable
H: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Beep
Device ID: ROOT\LEGACY_BEEP\0000
Manufacturer:
Name: Beep
PNP Device ID: ROOT\LEGACY_BEEP\0000
Service: Beep
.
==== System Restore Points ===================
.
RP46: 17/07/2011 4:11:27 PM - System Checkpoint
RP47: 18/07/2011 6:20:34 PM - System Checkpoint
RP48: 19/07/2011 7:21:47 PM - System Checkpoint
RP49: 20/07/2011 7:52:28 PM - System Checkpoint
RP50: 21/07/2011 8:03:29 PM - System Checkpoint
RP51: 22/07/2011 8:50:46 PM - System Checkpoint
RP52: 24/07/2011 2:32:51 AM - System Checkpoint
RP53: 25/07/2011 3:00:40 AM - System Checkpoint
RP54: 26/07/2011 11:45:51 AM - System Checkpoint
RP55: 27/07/2011 6:16:50 PM - System Checkpoint
RP56: 28/07/2011 7:32:47 PM - System Checkpoint
RP57: 30/07/2011 1:07:00 AM - System Checkpoint
RP58: 31/07/2011 2:11:53 AM - System Checkpoint
RP59: 1/08/2011 2:52:47 AM - System Checkpoint
RP60: 2/08/2011 3:49:58 AM - System Checkpoint
RP61: 3/08/2011 4:04:52 AM - System Checkpoint
RP62: 4/08/2011 2:30:11 PM - System Checkpoint
RP63: 5/08/2011 3:58:17 PM - System Checkpoint
RP64: 6/08/2011 6:18:08 PM - System Checkpoint
RP65: 7/08/2011 7:29:08 PM - System Checkpoint
RP66: 8/08/2011 8:10:13 PM - System Checkpoint
RP67: 9/08/2011 8:27:43 PM - System Checkpoint
RP68: 10/08/2011 9:28:15 PM - System Checkpoint
RP69: 11/08/2011 9:58:48 PM - System Checkpoint
RP70: 12/08/2011 1:15:34 PM - Software Distribution Service 3.0
RP71: 13/08/2011 5:10:43 PM - System Checkpoint
RP72: 14/08/2011 6:14:02 PM - System Checkpoint
RP73: 15/08/2011 7:07:21 PM - System Checkpoint
RP74: 16/08/2011 7:17:26 PM - System Checkpoint
RP75: 17/08/2011 7:18:25 PM - System Checkpoint
RP76: 18/08/2011 7:54:20 PM - System Checkpoint
RP77: 19/08/2011 8:52:02 PM - System Checkpoint
RP78: 21/08/2011 1:17:10 AM - System Checkpoint
RP79: 22/08/2011 2:35:44 AM - System Checkpoint
RP80: 23/08/2011 3:36:30 PM - System Checkpoint
RP81: 24/08/2011 4:55:00 PM - System Checkpoint
RP82: 25/08/2011 6:15:10 PM - System Checkpoint
RP83: 27/08/2011 12:29:06 AM - System Checkpoint
RP84: 28/08/2011 5:30:35 PM - System Checkpoint
RP85: 29/08/2011 7:54:44 PM - System Checkpoint
RP86: 30/08/2011 8:06:02 PM - System Checkpoint
RP87: 31/08/2011 9:30:42 PM - System Checkpoint
RP88: 2/09/2011 12:41:17 AM - System Checkpoint
RP89: 3/09/2011 12:48:38 AM - System Checkpoint
RP90: 4/09/2011 7:12:08 AM - System Checkpoint
RP91: 5/09/2011 1:28:56 PM - System Checkpoint
RP92: 6/09/2011 3:23:26 PM - System Checkpoint
RP93: 7/09/2011 4:35:38 PM - System Checkpoint
RP94: 8/09/2011 4:52:15 PM - System Checkpoint
RP95: 9/09/2011 6:13:58 PM - System Checkpoint
RP96: 10/09/2011 2:08:13 PM - Software Distribution Service 3.0
RP97: 11/09/2011 8:32:19 PM - System Checkpoint
RP98: 12/09/2011 8:53:59 PM - System Checkpoint
RP99: 14/09/2011 3:36:28 AM - System Checkpoint
RP100: 15/09/2011 4:00:05 PM - Software Distribution Service 3.0
RP101: 16/09/2011 5:13:39 PM - System Checkpoint
RP102: 17/09/2011 10:23:05 PM - System Checkpoint
RP103: 19/09/2011 3:25:37 AM - System Checkpoint
RP104: 20/09/2011 1:10:41 PM - System Checkpoint
RP105: 21/09/2011 3:11:14 PM - System Checkpoint
RP106: 22/09/2011 4:44:24 PM - System Checkpoint
RP107: 23/09/2011 8:06:21 PM - System Checkpoint
RP108: 24/09/2011 9:05:11 PM - System Checkpoint
RP109: 26/09/2011 4:49:30 AM - System Checkpoint
RP110: 27/09/2011 2:05:45 PM - System Checkpoint
RP111: 28/09/2011 4:46:37 PM - System Checkpoint
RP112: 29/09/2011 6:10:53 PM - System Checkpoint
RP113: 30/09/2011 6:17:38 PM - System Checkpoint
RP114: 1/10/2011 6:53:50 PM - System Checkpoint
RP115: 2/10/2011 8:26:27 PM - System Checkpoint
RP116: 2/10/2011 11:18:48 PM - Software Distribution Service 3.0
RP117: 4/10/2011 4:11:58 AM - System Checkpoint
RP118: 4/10/2011 11:44:05 PM - Installed Windows Macro Recorder
RP119: 6/10/2011 4:25:51 AM - System Checkpoint
RP120: 7/10/2011 3:33:46 PM - System Checkpoint
RP121: 7/10/2011 4:54:57 PM - Installed %1 %2.
RP122: 7/10/2011 5:12:55 PM - Installed Ad-Aware
RP123: 7/10/2011 5:13:08 PM - Installed Ad-Aware
RP124: 8/10/2011 6:57:25 PM - System Checkpoint
RP125: 10/10/2011 7:34:44 PM - System Checkpoint
RP126: 12/10/2011 12:00:33 AM - System Checkpoint
RP127: 12/10/2011 12:49:12 AM - Installed Java™ 6 Update 26
RP128: 13/10/2011 3:47:55 AM - System Checkpoint
RP129: 14/10/2011 4:09:52 AM - System Checkpoint
.
==== Installed Programs ======================
.
Acoustica Effects Pack
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.6
Adobe Shockwave Player 11.6
AnyMini W, Word Count Software, Version 5.0
ARRL 2011 Handbook
AudibleManager
avast! Internet Security
AVIcodec (remove only)
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
Belarc Advisor 7.2
Bonjour
Brava! Desktop 7.0
BroadWave Uninstall
Brother's Keeper 6.3
CloneDVD2
Compatibility Pack for the 2007 Office system
Convert
Cookie Monster
Critical Update for Windows Media Player 11 (KB959772)
Crossword Compiler 8 Demo
Crossword Express 7.6
Daniusoft DVD Ripper(Build 2.4.0.2)
Detagger 2.4
Diji Album
DVD-Cover Printmaster 1.4
DVICO FusionHDTV 3.50_Pre
e-tax 2010
EclipseCrossword
Eudora
Eureka's Office Suite 2005
Eureka's Office Suite Manual
EXIFeditor
Express Burn
Express Rip
ffdshow [rev 2033] [2008-07-05]
File Recover 6.1
Final Draft 6
FLV Player 2.0 (build 25)
Free PS Convert driver 8.15
Free Video Joiner 1.1
Free YouTube Download version 3.0.14.908
FreePCB 1.2
Freeware PDF Unlocker
French Spelling Settings
Full Pack Codecs
GeoCalc
Gigabyte Raid Configurer
Golden Records Vinyl to CD Converter
GOM Player
Google Advertising Cookie Opt-out
Google Earth Plug-in
Google Update Helper
GoToAssist Corporate
GPL Ghostscript 8.64
Graphviz
GSview 4.9
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
hp LaserJet 3300 Uninstaller
IBM ViaVoice Pro 8.0 - UK English
iiNet Configure Your Broadband
Image Data Converter SR
Image Transfer
ImageMixer for Sony
interneTIFF 7.0-FREE (IE Browser)
Investment Property Calculator Trial 2.7.1
IZArc 3.5 beta 3
Java Auto Updater
Java™ 6 Update 26
Keybreeze
Logitech MouseWare 9.76
Malwarebytes' Anti-Malware version 1.51.2.1300
Media Player Utilities 4.21
MediaFeed
MediaInfo 0.7.47
Memory Stick Formatter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office Professional Edition 2003
Microsoft Office Project MUI (English) 2007
Microsoft Office Project Standard 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Standard 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Windows Script Host
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft WinUsb 1.0
MicroStaff WINASPI
Miditzer Style 216 ver. 0.881
MixPad
Mozilla Firefox 6.0.2 (x86 en-US)
Mp3tag v2.38
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music Visualizer Library 1.4.00
MYOB BusinessBasics v1
MYOB RetailBasics v3
NCH Toolbox Uninstall
NetMos Multi-IO Controller
NoteTab Light 5 (Remove only)
NoteWorthy Player
NVIDIA Drivers
Olympus DSS Player 3.5 (UK)
OpenMG Limited Patch 3.2-03-01-16-01
OpenMG Limited Patch 3.2-03-01-31-01
OpenMG Secure Module 3.2
Orban/Coding Technologies AAC/aacPlus Player Plugin™ 1.0
Paint Shop Pro 6.02 EVAL
ParetoLogic Data Recovery
PCD Calculator
PDF Editor 3
PDF Ripper 2.01
Personal Ancestral File 5
PhotoMark 1.3
Prism Video Converter
Quasar 3108 Serial Port Relay Driver
QuickTime
radioSHARK
Real Alternative 1.44
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1
RecordPad Sound Recorder
Recuva (remove only)
RPM Calculator
SAG Rookwood Cemetery v1.10
Screen Grab Pro
Seagate Dashboard
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Media Encoder (KB2447961)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360131)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2416400)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2482017)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2497640)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2530548)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2559049)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Shockwave
Sibelius Scorch (all browsers)
Simple HTML To Text Converter 1.2
Slice Uninstall
SnipIT
SonicStage
Sony Picture Utility
Sony USB Driver
SoundTap Uninstall
Spelling Dictionaries Support For Adobe Reader 9
Spin It Again
Stamp Uninstall
STDU Viewer version 1.5.647.0
swMSM
TDSL Personal Edition 1.1
TinyCAD 2.80.03
TomTom HOME 2.8.2.2264
TomTom HOME Visual Studio Merge Modules
TubeData
Tunebite 4.1.0.24
Ulead DVD DiskRecorder 2.1.1
Ulead VideoStudio 9.0 SE DVD
Universal Extractor 1.6
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
URL2File
Usenet.nl
VideoPad Video Editor
Wave Repair 4.9.2
WavePad Uninstall
WebFldrs XP
Win2PDF 3.40
Win2PDF Font Helper 1.21 (GPL Ghostscript 8.62)
WinDjView 1.0.3
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Live OneCare safety scanner
Windows Macro Recorder
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows PowerShell™ 1.0
Windows XP Creativity Fun Packs - Windows Movie Maker 2
Windows XP Service Pack 3
Wordsearch Generator 1.310
World Community Grid
XLS to Image Converter 2.00
Xml Viewer
YouSendIt Express
YouTube Downloader 3.3
Zinio Reader 4
.
==== Event Viewer Messages From Past Week ========
.
9/10/2011 3:24:03 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/10/2011 3:23:51 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSnx aswSP aswTdi BANTExt Fips intelppm SASDIFSV SASKUTIL
7/10/2011 2:14:55 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
7/10/2011 2:14:47 PM, error: ParVdm [2] - Unable to get device object pointer for port object.
11/10/2011 10:04:15 PM, error: Print [19] - Sharing printer failed + 1722, Printer PDF-XChange 3.0 share name Printer.
.
==== End Of File ===========================

#7 myrti (Sillyberry; Malware Study Hall Admin, 33,771 posts)

Posted 16 October 2011 - 05:03 AM

Hi,


my first try would be resetting your firewall. It is far more likely that this is caused by a configuration issue in your firewall (which doesn't run in safe mode) than by a trojan.

Please also run a scan with gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

On a side note: Bleepingcomputer.com, as a site, hasn't accepted donations in years, not since I joined this forum anyways.

regards myrti

Edited by myrti, 16 October 2011 - 05:06 AM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#8 gtc (Topic Starter; Members, 40 posts)

Posted 16 October 2011 - 10:54 AM

> On a side note: Bleepingcomputer.com, as a site, hasn't accepted donations in years, not since I joined this forum anyways.
>
> regards myrti

Hi,

Re that, please see:

http://www.bleepingcomputer.com/forums/topic398074.html/page__pid__2265582__st__45#entry2265582

and:

http://www.bleepingcomputer.com/forums/topic341480.html/page__pid__1896967#entry1896967

Re firewall, that was my first consideration, however as mentioned initially, I can find no evidence of firewall activity being logged (Avast provides my firewall). Also, I disabled all of Avast's filtering, to no avail -- problem persisted. Hence my concern that something nasty is lurking beneath all of my radars.

Re GMER, I will run it in safe mode with no networking and revert. asap.

Thanks.

#9 gtc (Topic Starter; Members, 40 posts)

Posted 16 October 2011 - 11:49 AM

Okay, GMER ran for ~2 hours and produced this log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-17 03:39:08
Windows 5.1.2600 Service Pack 3 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-28 ST3320620AS rev.3.AAD
Running: 87epwg0c.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxtdipoc.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF765787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7657BFE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance
Reg HKLM\SYSTEM\ControlSet002\Services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400
Reg HKLM\SYSTEM\ControlSet002\Services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0
Reg HKLM\SYSTEM\ControlSet002\Services\aswMon2\Parameters@ProgramFolder \Device\HarddiskVolume1\Program Files\AVAST Software\Avast
Reg HKLM\SYSTEM\ControlSet002\Services\aswSnx\Instances@DefaultInstance aswSnx Instance
Reg HKLM\SYSTEM\ControlSet002\Services\aswSnx\Instances\aswSnx Instance (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\aswSnx\Instances\aswSnx Instance@Altitude 137600
Reg HKLM\SYSTEM\ControlSet002\Services\aswSnx\Instances\aswSnx Instance@Flags 0
Reg HKLM\SYSTEM\ControlSet002\Services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast
Reg HKLM\SYSTEM\ControlSet002\Services\aswSnx\Parameters@DataFolder \DosDevices\C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast
Reg HKLM\SYSTEM\ControlSet002\Services\aswSP\Parameters@BehavShield 1
Reg HKLM\SYSTEM\ControlSet002\Services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast
Reg HKLM\SYSTEM\ControlSet002\Services\aswSP\Parameters@DataFolder \DosDevices\C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast
Reg HKLM\SYSTEM\ControlSet002\Services\aswSP\Parameters@NoWelcomeScreen 1
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Windows PowerShell@AutoBackupLogFiles 0
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Windows PowerShell@File C:\WINDOWS\System32\config\WindowsPowerShell.evt
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Windows PowerShell@MaxSize 15728640
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Windows PowerShell@Retention 0
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Windows PowerShell@Sources PowerShell?Windows PowerShell?
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Windows PowerShell\PowerShell (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Windows PowerShell\PowerShell@EventMessageFile C:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshmsg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Windows PowerShell\PowerShell@CategoryMessageFile C:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshmsg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Windows PowerShell\PowerShell@CategoryCount 8
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswFsBlk\Instances\aswFsBlk Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswMon2\Parameters@ProgramFolder \Device\HarddiskVolume1\Program Files\AVAST Software\Avast
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswSnx\Instances@DefaultInstance aswSnx Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswSnx\Instances\aswSnx Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswSnx\Instances\aswSnx Instance@Altitude 137600
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswSnx\Instances\aswSnx Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswSnx\Parameters@DataFolder \DosDevices\C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswSP\Parameters@BehavShield 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswSP\Parameters@DataFolder \DosDevices\C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswSP\Parameters@NoWelcomeScreen 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Windows PowerShell@AutoBackupLogFiles 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Windows PowerShell@File C:\WINDOWS\System32\config\WindowsPowerShell.evt
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Windows PowerShell@MaxSize 15728640
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Windows PowerShell@Retention 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Windows PowerShell@Sources PowerShell?Windows PowerShell?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell@EventMessageFile C:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshmsg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell@CategoryMessageFile C:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshmsg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell@CategoryCount 8

---- EOF - GMER 1.0.15 ----

#10 myrti (Sillyberry; Malware Study Hall Admin, 33,771 posts)

Posted 16 October 2011 - 12:02 PM

Hi,

not to contradict you, but those are donations to individuals. As said, the donations for the website itself are currently not possible as the website is running smoothly and no extra funds are needed.
The donations you did go to the person that helped you, which, of course, is very commendable! :) I just wanted to be sure that there are no confusions with regards to where the money goes.

If you are sure that Avast is not the cause try the following: http://email.about.com/od/eudoratips/qt/et103101.htm

regards myrti



#11 gtc (Topic Starter; Members, 40 posts)

Posted 18 October 2011 - 08:12 AM

> If you are sure that Avast is not the cause try the following: http://email.about.com/od/eudoratips/qt/et103101.htm


The only thing I can be sure of is: I sure can't find anything in Avast's many logs to indicate that it has taken action against the port used for POP method mail retrieval.

I take it that you found nothing of interest lurking in the various scan logs I posted?

Before I came to BleepingComputer with this issue I raised it on the Eudora support forum and they were out of ideas.

I've run the INI file reset and I'll see if that makes any difference.

Edited by gtc, 18 October 2011 - 08:12 AM.


#12 myrti (Sillyberry; Malware Study Hall Admin, 33,771 posts)

Posted 18 October 2011 - 04:17 PM

Hi,

personally I would either reset the Avast firewall or uninstall Avast for tests. It does not look like malware behaviour at all.

If that doesn't work I'd try reinstalling Eudora or possibly creating a new account within Eudora to see if that fixes it.

regards myrti

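An added diagnostic, not from this thread and not Eudora's or Avast's code. The POP3 side of the problem is a plain TCP question: does a connection to the server's port 110 get accepted and answered with a "+OK" greeting, get refused (Winsock 10061, the first dialog quoted in the opening post), or hang (which Eudora most likely surfaces as "got tired of waiting", 10100)? The script below does exactly that first step, classifies the outcome in those terms, and can repeat the probe every minute after a reboot so the moment the port stops answering can be lined up against firewall or antivirus logs. The hostname pop.xxx.xxx.xxx is the placeholder from the opening post; the loopback "server" and the deliberately closed port are constructed here so the demo runs offline. A refusal that is seen only from this PC, only after some uptime, and not in safe mode (where the Event Viewer entry above shows the Avast drivers aswSnx, aswSP and aswTdi among those not loaded) is produced locally, which is the reading myrti gives in this post.

```python
"""Probe a POP3 server the way a mail client's first step does and classify the result.
Added example for this thread; not Eudora's or Avast's code."""
import socket
import threading
import time
from datetime import datetime

# Error numbers behind the two dialogs quoted in the opening post.
WSAECONNREFUSED = 10061  # "Cause: connection refused (10061)"
EUDORA_TIMEOUT = 10100   # "Eudora got tired of waiting for the server. (10100)"


def probe_pop3(host, port=110, timeout=5.0):
    """Connect to host:port, read the POP3 greeting, and return a result dict.

    'status' is one of 'ok', 'refused', 'timeout', 'error'; 'detail' is the
    greeting line or the error text.
    """
    result = {"host": host, "port": port,
              "when": datetime.now().isoformat(timespec="seconds")}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            line = s.makefile("rb").readline().decode("ascii", "replace").rstrip("\r\n")
        if line.startswith("+OK"):
            result.update(status="ok", detail=line)
        else:
            result.update(status="error", detail=f"unexpected greeting: {line!r}")
    except ConnectionRefusedError as exc:
        # The connect was answered with a reset: nothing accepted it from here.
        code = getattr(exc, "winerror", None) or WSAECONNREFUSED  # winerror only on Windows
        result.update(status="refused", detail=f"connection refused ({code})")
    except socket.timeout:
        result.update(status="timeout", detail=f"no greeting within {timeout}s")
    except OSError as exc:
        result.update(status="error", detail=str(exc))
    return result


def interpret(result):
    """Turn a probe result into the diagnostic question it raises."""
    status = result["status"]
    if status == "ok":
        return f"server reachable, greeting: {result['detail']}"
    if status == "refused":
        return ("TCP connect refused (Winsock 10061 on Windows). If the ISP sees the server "
                "as healthy, the refusal is produced on or near this PC: check the host "
                "firewall and any antivirus mail shield sitting in the path.")
    if status == "timeout":
        return f"no greeting in time; Eudora most likely reports this as 'got tired of waiting' ({EUDORA_TIMEOUT})"
    return f"other socket error: {result['detail']}"


def watch(host, port=110, interval=60, rounds=10, timeout=5.0, sleep=time.sleep):
    """Probe repeatedly (e.g. once a minute after a reboot), print each status change,
    and return the full history for correlation with firewall/AV logs."""
    history, last = [], None
    for i in range(rounds):
        r = probe_pop3(host, port, timeout)
        history.append(r)
        if r["status"] != last:
            print(f"{r['when']} {host}:{port} -> {r['status']}: {interpret(r)}")
            last = r["status"]
        if i + 1 < rounds:
            sleep(interval)
    return history


def start_fake_pop3(greeting=b"+OK POP3 ready\r\n"):
    """Constructed stand-in for the ISP's POP server: a loopback listener that sends
    one greeting per connection and hangs up. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(greeting)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def reserve_closed_port():
    """Pick a loopback port with no listener, to reproduce 'connection refused'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Offline demo. Against the real server: watch("pop.xxx.xxx.xxx", 110, interval=60, rounds=30)
    print(interpret(probe_pop3("127.0.0.1", start_fake_pop3(), timeout=3)))
    print(interpret(probe_pop3("127.0.0.1", reserve_closed_port(), timeout=3)))
```

Run `watch("pop.xxx.xxx.xxx")` right after a reboot and again with Avast's shields off; if the status flips to `refused` only while Avast is running, the refusal is being produced locally rather than by the ISP.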


#13 gtc (Topic Starter; Members, 40 posts)

Posted 19 October 2011 - 08:53 AM

Okay, if my PC is apparently clear of malware (which is always good to know) then I'll look to Avast as the most likely culprit. I think the major clue is that I don't have problems in safe mode -- where Avast doesn't operate at any level.

Thanks for your assistance.

#14 myrti (Sillyberry; Malware Study Hall Admin, 33,771 posts)

Posted 19 October 2011 - 01:06 PM

Hi,

happy to have helped. If you have no further questions relating to malware, I'd suggest that you post in the internet/networking subforums with the issue.

regards myrti



#15 myrti (Sillyberry; Malware Study Hall Admin, 33,771 posts)

Posted 29 January 2012 - 09:47 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





