
Disabled.SecurityCenter Option virus and more


  • This topic is locked
26 replies to this topic

#1 greg55

  • Members
  • 47 posts

Posted 11 December 2011 - 10:30 PM

I have run Malwarebytes, Avast and another spyware program and they all claim to quarantine and remove the threats but have failed. A previous technician on this site tried to help me but redirected me here, stating I need more advanced help. Thanks for your time and help.
DDS log
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Greg at 19:09:10 on 2011-12-11
.
============== Running Processes ===============
.
C:\DOCUME~1\Greg\LOCALS~1\Temp\nsg1D.tmp\ProcessList.txt
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BiosNotice] c:\program files\biostar\biosnotice\BiosNotice.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{FB06D55A-0C08-43AA-98BE-FC511D7068FD} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\greg\application data\mozilla\firefox\profiles\33wvbemw.default\
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
R? Ambfilt;Ambfilt
R? EagleXNt;EagleXNt
R? MBAMSwissArmy;MBAMSwissArmy
S? !SASCORE;SAS Core Service
S? aswFsBlk;aswFsBlk
S? aswSnx;aswSnx
S? aswSP;aswSP
S? AtiHDAudioService;ATI Function Driver for HD Audio Service
S? avast! Antivirus;avast! Antivirus
S? BIOS;BIOS
S? BS_I2cIo;BS_I2cIo
S? SASDIFSV;SASDIFSV
S? SASKUTIL;SASKUTIL
.
=============== Created Last 30 ================
.
2011-12-11 23:27:16 -------- d-----w- c:\documents and settings\greg\application data\Malwarebytes
2011-12-11 23:27:09 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-11 23:27:05 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-11 23:27:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-07 23:09:31 -------- d-----w- c:\windows\system32\LogFiles
2011-11-18 01:07:47 -------- d-----w- c:\documents and settings\greg\application data\OpenOffice.org
2011-11-18 01:03:37 -------- d-----w- c:\program files\OpenOffice.org 3
2011-11-18 01:02:58 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-11-17 20:15:13 -------- d-----w- c:\windows\system32\appmgmt
2011-11-17 17:46:56 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2011-11-17 17:46:56 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2011-11-17 17:46:56 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2011-11-17 17:46:56 8192 ----a-w- c:\windows\system32\kbdkor.dll
2011-11-17 17:46:56 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2011-11-17 17:46:56 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2011-11-17 17:46:56 6144 ----a-w- c:\windows\system32\kbd106.dll
2011-11-17 17:46:56 6144 ----a-w- c:\windows\system32\kbd101c.dll
2011-11-17 17:46:56 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2011-11-17 17:46:56 5632 ----a-w- c:\windows\system32\kbd103.dll
2011-11-17 17:46:52 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2011-11-17 17:46:52 6144 ----a-w- c:\windows\system32\kbd101b.dll
.
==================== Find3M ====================
.
2011-12-12 02:05:18 256 ----a-w- c:\windows\system32\pool.bin
2011-11-19 12:30:08 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 05:48:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-10 05:48:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-10 05:16:04 0 ----a-w- c:\windows\ativpsrm.bin
2011-09-14 18:47:40 53760 ----a-w- c:\windows\system32\OVDecode.dll
2011-09-14 18:47:18 43520 ----a-w- c:\windows\system32\OpenCL.dll
2011-09-14 18:46:58 13625856 ----a-w- c:\windows\system32\amdocl.dll
2011-09-14 18:38:28 37376 ----a-w- c:\windows\system32\amdoclcl.dll
.
============= FINISH: 19:13:37.96 ===============


#2 greg55

  • Topic Starter

Posted 11 December 2011 - 10:33 PM

It says the GMER file is too large to attach and it's too long to post. I have no idea why this is happening here, but it did not happen before. The DDS attach file had to be re-scanned due to randomly being lost after I saved it.

Attached Files



#3 HelpBot

    Bleepin' Binary Bot
  • Bots
  • 12,600 posts

Posted 18 December 2011 - 11:25 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/431980 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 m0le

    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 18 December 2011 - 09:12 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Can you run aswMBR for me?

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


Then please post or attach any MBAM logs which show the removal of the threats.
m0le is a proud member of UNITE

#5 greg55


Posted 19 December 2011 - 02:46 PM

Thanks a lot for helping me. I'll follow your instructions and post the logs soon.

#6 greg55


Posted 19 December 2011 - 03:37 PM

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-19 12:45:59
-----------------------------
12:45:59.250 OS Version: Windows 5.1.2600 Service Pack 2
12:45:59.250 Number of processors: 4 586 0x503
12:45:59.250 ComputerName: GREG-BF5402B9D0 UserName: Greg
12:46:10.750 Initialize success
12:46:10.953 AVAST engine defs: 11120701
12:46:12.609 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
12:46:12.609 Disk 0 Vendor: ST500DM002-1BD142 KC43 Size: 476940MB BusType: 3
12:46:14.656 Disk 0 MBR read successfully
12:46:14.656 Disk 0 MBR scan
12:46:14.656 Disk 0 Windows XP default MBR code
12:46:14.656 Disk 0 scanning sectors +976752000
12:46:14.734 Disk 0 scanning C:\WINDOWS\system32\drivers
12:46:25.453 File: C:\WINDOWS\system32\drivers\redbook.sys **SUSPICIOUS**
12:46:28.171 Service scanning
12:46:29.687 Service .serial \* **LOCKED** 123
12:46:30.437 Modules scanning
12:46:33.250 Module: C:\WINDOWS\system32\DRIVERS\redbook.sys **SUSPICIOUS**
12:46:41.109 Disk 0 trace - called modules:
12:46:41.125 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a434f10]<<
12:46:41.140 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a651ab8]
12:46:41.140 3 CLASSPNP.SYS[ba0e905b] -> nt!IofCallDriver -> [0x8a2c9f08]
12:46:41.140 \Driver\00005235[0x8a5a6da0] -> IRP_MJ_CREATE -> 0x8a434f10
12:46:55.390 AVAST engine scan C:\WINDOWS
12:47:29.390 AVAST engine scan C:\WINDOWS\system32
12:50:44.890 AVAST engine scan C:\WINDOWS\system32\drivers
12:50:56.500 File: C:\WINDOWS\system32\drivers\redbook.sys **SUSPICIOUS**
12:51:26.343 AVAST engine scan C:\Documents and Settings\Greg
13:29:28.515 AVAST engine scan C:\Documents and Settings\All Users
13:29:51.296 Scan finished successfully
13:36:24.031 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Greg\Desktop\MBR.dat"
13:36:24.031 The log file has been saved successfully to "C:\Documents and Settings\Greg\Desktop\aswMBR.txt"

#7 greg55


Posted 19 December 2011 - 03:51 PM

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8399

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

12/19/2011 1:49:30 PM
mbam-log-2011-12-19 (13-49-30).txt

Scan type: Quick scan
Objects scanned: 190536
Time elapsed: 10 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\0.8167132094441113.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\0.9670323271730931.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\0.9840557488330522.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\254.5826.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\gggf0.2907908696850786.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\gggf0.538869186460466.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\kna0.4309360270811623.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\kna0.7436525376256624.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\kna0.8438145587207374.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nnnv0.06264086680851355.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nnnv0.3210272175846187.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nnnv0.5339115998909337.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nnnv0.5501760509520602.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nnnv0.5719036867133781.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nnnv0.6304604438635832.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nnnv0.976130215039579.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\opre0.19259142438635268.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\opre0.23022618501359082.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\opre0.7020151957201455.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\opre0.7286031286398146.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\opre0.8201249517549059.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nnnv0.4291637403699885.exe (Exploit.Drop.6) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nnnv0.5148964900005988.exe (Exploit.Drop.6) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nnnv0.5941322989819042.exe (Exploit.Drop.6) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nnnv0.8802885774420589.exe (Exploit.Drop.6) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\ms0cfg32.exe (Exploit.Drop.CFG) -> Quarantined and deleted successfully.

#8 m0le


Posted 19 December 2011 - 09:00 PM

Please run MBRCheck next

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#9 greg55


Posted 20 December 2011 - 04:45 PM

It gave me a problem when I try to run it and Avast comes up saying it's a virus. I say OK to it and when it tried to run I got an "error opening \\.\physical drive0 (5)". Also no log came up.

#10 m0le


Posted 20 December 2011 - 07:40 PM

You have to disable Avast. Check the instructions here if you need to.
m0le is a proud member of UNITE

#11 greg55


Posted 21 December 2011 - 12:16 AM

OK, thanks.
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 128):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E2000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA671000 amdide.sys
0xBA0C8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EEC000 fltMgr.sys
0xB9EDA000 sr.sys
0xBA0F8000 PxHelp20.sys
0xB9EC3000 KSecDD.sys
0xB9E36000 Ntfs.sys
0xB9E09000 NDIS.sys
0xB9DEE000 Mup.sys
0xBA318000 \SystemRoot\system32\DRIVERS\AmdPPM.sys
0xB567B000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB5667000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB5642000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB5612000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xBA138000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA148000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB55D9000 \systemroot\system32\drivers\ks.sys
0xBA428000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBA430000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB55B6000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA438000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA440000 \SystemRoot\system32\DRIVERS\fdc.sys
0xB55A2000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA258000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA448000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA450000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA57C000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xBA70D000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA5F0000 \SystemRoot\System32\Drivers\RootMdm.sys
0xBA458000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA268000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA580000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB5563000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA278000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA288000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA460000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB5552000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA298000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA468000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA470000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA478000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0xB5521000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5F2000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB54ED000 \SystemRoot\system32\DRIVERS\update.sys
0xBA59C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5F4000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA2C8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA93E9000 \SystemRoot\system32\drivers\AtihdXP3.sys
0xA93C7000 \SystemRoot\system32\drivers\portcls.sys
0xBA2F8000 \SystemRoot\system32\drivers\drmk.sys
0xA8DA0000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xBA380000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xBA624000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA7A0000 \SystemRoot\System32\Drivers\Null.SYS
0xBA626000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA390000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA398000 \SystemRoot\System32\drivers\vga.sys
0xBA628000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA62A000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA3A0000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA3A8000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB5431000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA8D45000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA8CED000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xBA158000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xA8CCC000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA168000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA8CA4000 \SystemRoot\system32\DRIVERS\netbt.sys
0xBA3B0000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xA8C82000 \SystemRoot\System32\drivers\afd.sys
0xBA178000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA8C60000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xBA3B8000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xA8C34000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA8BC5000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA1A8000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA62C000 \??\C:\WINDOWS\system32\drivers\BS_I2cIo.sys
0xBA54C000 \??\C:\WINDOWS\system32\drivers\BIOS.sys
0xA8B50000 \SystemRoot\System32\Drivers\aswSP.SYS
0xA8AE0000 \SystemRoot\System32\Drivers\aswSnx.SYS
0xBA3D0000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xBA498000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xBA218000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA8AA0000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA5C2000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA8AD8000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA4A0000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA75F000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF061000 \SystemRoot\System32\ati2cqag.dll
0xBF137000 \SystemRoot\System32\atikvmag.dll
0xBF1F4000 \SystemRoot\System32\atiok3x2.dll
0xBF279000 \SystemRoot\System32\ati3duag.dll
0xBF9C4000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA8AB8000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xA5F1F000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA5CDE000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xA57F1000 \SystemRoot\system32\drivers\wdmaud.sys
0xB544D000 \SystemRoot\system32\drivers\sysaudio.sys
0xA51AD000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xBA64C000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xA4FEE000 \SystemRoot\system32\DRIVERS\srv.sys
0xA4E6D000 \SystemRoot\System32\Drivers\HTTP.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 44):
0 System Idle Process
4 System
684 C:\WINDOWS\system32\smss.exe
732 csrss.exe
772 C:\WINDOWS\system32\winlogon.exe
816 C:\WINDOWS\system32\services.exe
828 C:\WINDOWS\system32\lsass.exe
996 C:\WINDOWS\system32\ati2evxx.exe
1012 C:\WINDOWS\system32\svchost.exe
1084 svchost.exe
1180 C:\WINDOWS\system32\svchost.exe
1304 svchost.exe
1356 svchost.exe
1560 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
1956 C:\WINDOWS\system32\ati2evxx.exe
324 C:\WINDOWS\system32\LEXBCES.EXE
464 C:\WINDOWS\system32\spoolsv.exe
476 C:\WINDOWS\system32\LEXPPS.EXE
488 C:\WINDOWS\explorer.exe
1040 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
1024 C:\WINDOWS\RTHDCPL.EXE
1124 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1132 C:\Program Files\AVAST Software\Avast\AvastUI.exe
1144 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
1172 C:\Program Files\iTunes\iTunesHelper.exe
1208 C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
1280 C:\Program Files\Pando Networks\Media Booster\PMB.exe
1324 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
1364 C:\WINDOWS\system32\ctfmon.exe
2152 C:\Program Files\OpenOffice.org 3\program\soffice.exe
2192 C:\Program Files\OpenOffice.org 3\program\soffice.bin
2212 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
2684 svchost.exe
2748 C:\Program Files\SUPERAntiSpyware\SASCore.exe
2788 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2864 C:\Program Files\Bonjour\mDNSResponder.exe
2916 C:\Program Files\Java\jre6\bin\jqs.exe
4084 alg.exe
1980 C:\Program Files\iPod\bin\iPodService.exe
3156 C:\Program Files\Common Files\Java\Java Update\jucheck.exe
4204 C:\Program Files\Mozilla Firefox\firefox.exe
4768 C:\Program Files\Mozilla Firefox\plugin-container.exe
5704 C:\WINDOWS\system32\ping.exe
6116 C:\Documents and Settings\Greg\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST500DM002-1BD142, Rev: KC43

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

Edited by greg55, 21 December 2011 - 12:19 AM.


#12 m0le


Posted 21 December 2011 - 08:08 PM

The machine looks clean so far. Please run ESET and see if anything else is lurking.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.
m0le is a proud member of UNITE

#13 greg55


Posted 21 December 2011 - 10:08 PM

Thanks, I still see virus problems and have a hard time running certain games, programs etc. I'll run this scan you selected and a Malwarebytes scan afterwards and post the logs.

#14 greg55


Posted 22 December 2011 - 01:55 PM

Here is the 1st half of the ESET log. It froze so I had to start all over again. It completed the 2nd time and found a lot of bad things.
C:\Documents and Settings\Greg\Application Data\Sun\Java\Deployment\cache\6.0\12\6488884c-61c61cc5 Java/Exploit.CVE-2011-3544.D trojan deleted - quarantined
C:\Documents and Settings\Greg\Application Data\Sun\Java\Deployment\cache\6.0\13\55fef8d-64dfbfd9 a variant of Java/TrojanDownloader.OpenConnection.AQ trojan deleted - quarantined
C:\Documents and Settings\Greg\Application Data\Sun\Java\Deployment\cache\6.0\32\2f1ef660-62b8f8d1 a variant of Java/TrojanDownloader.OpenConnection.AQ trojan deleted - quarantined
C:\Documents and Settings\Greg\Application Data\Sun\Java\Deployment\cache\6.0\32\79021a20-6740e620 a variant of Win32/Kryptik.GFN trojan cleaned by deleting - quarantined

2nd log (full):
C:\Documents and Settings\Greg\Local Settings\Temp\ICReinstall\cnet_ephpod277_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Documents and Settings\Greg\My Documents\Downloads\cnet_ephpod277_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\10\7bec11ca-23436436 Java/Exploit.CVE-2011-3544.F trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\12\700f228c-70e66cc1 Java/TrojanDownloader.OpenConnection.AR trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\27\7a9d5d5b-23440d8a Java/Exploit.CVE-2011-3544.F trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\35\1ae8aca3-4a89f6a2 Java/Agent.DY trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\35\786848a3-13fa38be a variant of Win32/Kryptik.XIS trojan cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\35\7bd790e3-4aba88f5 a variant of Win32/Kryptik.XEH trojan cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\39\665b8c27-14f5f5af a variant of Win32/Kryptik.XRF trojan cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\40\6c6c0728-1435f1f9 Java/Agent.DY trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\58\684d1fba-6084abf3 a variant of Win32/Kryptik.XCV trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\redbook.sys Win32/Sirefef.DA trojan unable to clean
C:\WINDOWS\Temp\88.85934.exe a variant of Win32/Kryptik.XEH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\9.666213.exe a variant of Win32/Kryptik.XDP trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\jar_cache1128335048459616125.tmp Java/Agent.DX trojan deleted - quarantined
C:\WINDOWS\Temp\jar_cache188468191116827122.tmp Java/Exploit.CVE-2011-3544.E trojan deleted - quarantined
C:\WINDOWS\Temp\jar_cache2718045388014380446.tmp Java/Exploit.CVE-2011-3544.E trojan deleted - quarantined
C:\WINDOWS\Temp\jar_cache3621133357061970933.tmp Java/Exploit.CVE-2011-3544.E trojan deleted - quarantined
C:\WINDOWS\Temp\jar_cache3629348159216625133.tmp Java/Exploit.CVE-2011-3544.E trojan deleted - quarantined
C:\WINDOWS\Temp\jar_cache3783787324748584481.tmp Java/Agent.DX trojan deleted - quarantined
C:\WINDOWS\Temp\jar_cache5239851183690793127.tmp Java/Exploit.CVE-2011-3544.E trojan deleted - quarantined
C:\WINDOWS\Temp\kna0.11778137467669059.exe a variant of Win32/Kryptik.XRA trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\kna0.1375422302331918.exe a variant of Win32/Kryptik.XVA trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\kna0.643782400631763.exe a variant of Win32/Kryptik.XUL trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\kna0.6690172892743446.exe a variant of Win32/Kryptik.XVL trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\kna0.7084770839676165.exe a variant of Win32/Kryptik.XTG trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\kna0.9056327878311805.exe a variant of Win32/Kryptik.XVA trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\kna0.9109573318617263.exe a variant of Win32/Kryptik.XVA trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\opre0.9511939314464845.exe a variant of Win32/Kryptik.XRA trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\sghj0.01739084492729881.exe a variant of Win32/Kryptik.XVA trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\sghj0.25149770870284727.exe a variant of Win32/Kryptik.XVA trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\sghj0.6603800991940507.exe a variant of Win32/Kryptik.XVA trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\sghj0.7422563584874353.exe a variant of Win32/Kryptik.XVL trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\sghj0.8490778103622698.exe a variant of Win32/Kryptik.XUL trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\sghj0.9030179057349907.exe a variant of Win32/Kryptik.XRR trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\slp3015282913507758242.tmp Win32/Olmarik.AXW trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\slp7592618612515836109.tmp a variant of Win32/Kryptik.XTY trojan deleted - quarantined
Operating memory a variant of Win32/Sirefef.DN trojan
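The lines above follow the ESET Online Scanner log layout: the scanned object (a path, or "Operating memory"), an optional "a variant of", the detection name, its class, and the action taken. Below is an added triage helper (example code written for this page, not part of the thread and not ESET's own tooling) that parses such lines and separates what was quarantined from what the scanner could not remove or only saw in memory; the sample log is constructed from a few of the lines quoted above.

```python
import re
from collections import Counter

# Constructed sample, taken from a handful of the lines quoted in the thread.
SAMPLE_LOG = """\
C:\\Documents and Settings\\Greg\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\12\\6488884c-61c61cc5 Java/Exploit.CVE-2011-3544.D trojan deleted - quarantined
C:\\WINDOWS\\Temp\\88.85934.exe a variant of Win32/Kryptik.XEH trojan cleaned by deleting - quarantined
C:\\WINDOWS\\system32\\drivers\\redbook.sys Win32/Sirefef.DA trojan unable to clean
C:\\Documents and Settings\\Greg\\My Documents\\Downloads\\cnet_ephpod277_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
Operating memory a variant of Win32/Sirefef.DN trojan
"""

# <object> [a variant of] <threat name> <class> [<action taken>]
# Paths may contain spaces, so the object group is matched lazily and the
# line is anchored on the class keyword that always follows the threat name.
LINE_RE = re.compile(
    r"^(?P<object>Operating memory|[A-Za-z]:\\.*?)\s+"
    r"(?:a variant of )?(?P<threat>\S+)\s+"
    r"(?P<kind>trojan|application|virus|worm)"
    r"(?:\s+(?P<action>.+))?$"
)


def parse_eset_log(text):
    """Return one dict per recognised log line; unknown lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # A line with no trailing action is a detection the scanner only reported.
        rec["action"] = rec["action"] or "detected only"
        records.append(rec)
    return records


def needs_follow_up(rec):
    """True when an active component remains: not cleaned, or seen in memory."""
    return rec["object"] == "Operating memory" or "unable" in rec["action"]


def triage(text):
    """Summarise a log: total hits, count per action, objects still needing work."""
    recs = parse_eset_log(text)
    return {
        "total": len(recs),
        "by_action": Counter(r["action"] for r in recs),
        "follow_up": [r["object"] for r in recs if needs_follow_up(r)],
    }
```

Running `triage(SAMPLE_LOG)` singles out the driver that could not be cleaned and the in-memory detection, the two entries that a quarantine count alone would hide.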

#15 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 22 December 2011 - 08:48 PM

Please run ComboFix; there are some nasties there for sure.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.