Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Last virus was W32/Malware!Gemini - Rootkits

  • This topic is locked This topic is locked
2 replies to this topic

#1 Deedeee


  • Members
  • 1 posts
  • Local time:11:43 AM

Posted 06 March 2012 - 08:14 PM

Hi, I am working on a 10 year old dual boot W98 & XP Pro SP3 pc. Have had Vundo a few years ago. This computer and a laptop (dead with power problems)have not been used since April 2011. They both went down within a week. Norton found W32.Spybot.Worm used tool to clean then pc couldn't renew Norton. Started doing Eset, F-Secure, BitDefender online and SuperAntiSpyware, and MalwareBytes scans until cleaned up but found Adware.Vundo/Variant-X32, Trojan.Agent/Gen-Kryptik, Viewpoint, IPVNMon.sys, Visual NDMonitor problems, Trojan.Agent/Gen.Fake Somke, CWS.Svchost32 Tidserv Backdoor, CWS.Smartsearch, CWS.JKSearch, SHDOCVW.DLL Virus. W32/Malware!Gemini. I am having a problem with regional settings and Control Panel shows 2 icons for Network Connections. I have run scans until they find nothing any longer.

Rootkit Reveal shows
HKU\.DEFAULT\Control Panel\International 2/29/2012 2:29 PM 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 2/29/2012 2:29 PM 0 bytes Security mismatch.
HKU\.DEFAULT\RemoteAccess\InternetProfile 2/29/2012 2:29 PM 17 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-1482476501-1326574676-839522115-1003\Control Panel\International 1/26/2012 7:58 PM 0 bytes Security mismatch.
HKU\S-1-5-21-1482476501-1326574676-839522115-1003\Control Panel\International\Geo 11/1/2008 7:44 AM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 2/29/2012 2:29 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 2/29/2012 2:29 PM 0 bytes Security mismatch.
HKU\S-1-5-18\RemoteAccess\InternetProfile 2/29/2012 2:29 PM 17 bytes Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 1/17/2006 7:11 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 1/17/2006 7:11 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}* 4/10/2006 11:21 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN 2/29/2012 2:29 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\CertMapping 2/29/2012 2:29 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client 2/29/2012 2:29 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Listener 2/29/2012 2:29 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin 2/29/2012 2:29 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service 2/29/2012 2:29 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\WinRS 2/29/2012 2:29 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\WinRS\CustomRemoteShell 2/29/2012 2:29 PM 0 bytes Security mismatch.
H:\Documents and Settings\Deedee\Local Settings\Temp\WER23ca.dir00\] 5.13 MB Hidden from Windows API.

There was file damage and the MBR is damaged on the XP partition D:\. My partner deleted the System Volume folder contents on drive D when removing Norton Antivirus and SystemWorks. Ran The computer is running hard and I can not get the Welcome screen back because it thinks it's a server?

Any help would be greatly appreciated.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Deedee at 16:39:38 on 2012-03-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2048.1570 [GMT -6:00]
============== Running Processes ===============
D:\WINDOWS\system32\svchost -k DcomLaunch
D:\WINDOWS\system32\svchost -k rpcss
D:\WINDOWS\System32\svchost.exe -k netsvcs
e:\Program Files\Microsoft\BingBar\7.1.352.0\BBSvc.exe
e:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
e:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\HP Photosmart 8450 Printer\HP Software Update\HPWuSchd2.exe
E:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\Common Files\Java\Java Update\jusched.exe
E:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
D:\Documents and Settings\Deedee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Documents and Settings\Deedee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\HP Photosmart 8450 Printer\Digital Imaging\bin\hpqgalry.exe
============== Pseudo HJT Report ===============
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://att.my.yahoo.com/
uWindow Title = Internet Explorer, optimized for Bing and MSN
mSearch Bar = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
mWinlogon: SFCDisable=1 (0x1)
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - e:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - e:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - d:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - e:\program files\microsoft\bingbar\7.1.352.0\BingExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - e:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - e:\program files\windows live\toolbar\wltcore.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [ATI Remote Control] e:\program files\ati multimedia\remctrl\ATIRW.EXE
uRun: [NBJ] "d:\program files\ahead\nero backitup\NBJ.exe"
uRun: [Google Update] "d:\documents and settings\deedee\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [A378B58C58A68AF2069E29FD3EC87A14A5AD37E1._service_run] "d:\documents and settings\deedee\local settings\application data\google\chrome\application\chrome.exe" --type=service
mRun: [StartCCC] "e:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [IntelliPoint] "e:\program files\microsoft intellipoint\ipoint.exe"
mRun: [TkBellExe] "d:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NeroFilterCheck] d:\windows\system32\NeroCheck.exe
mRun: [HPHUPD06] e:\hp photosmart 8450 printer\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HPHmon06] d:\windows\system32\hphmon06.exe
mRun: [HP Software Update] e:\hp photosmart 8450 printer\hp software update\HPWuSchd2.exe
mRun: [HP Component Manager] "e:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [SunJavaUpdateSched] "d:\program files\common files\java\java update\jusched.exe"
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - e:\hp photosmart 8450 printer\digital imaging\bin\hpqtra08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - e:\hp photosmart 8450 printer\digital imaging\bin\hpqthb08.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: HonorAutoRunSetting = 0 (0x0)
mPolicies-explorer: NoWelcomeScreen = 0 (0x0)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: HideStartupScripts = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
IE: Open in InPrivate Window - d:\windows\web\inpriv-ext.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - e:\program files\windows live\writer\WriterBrowserExtension.dll
Trusted Zone: microsoft.com
Trusted Zone: yahoo.com
Trusted Zone: yahoo.com\*.briefcase
Trusted Zone: yahoo.com\*.login
Trusted Zone: yahoo.com\*.rd
DPF: Microsoft XML Parser for Java - file://d:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137777400068
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1327854176687
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} - hxxps://www.jiwire.com/activeX/wlaninfo.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.3.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer =
TCP: Interfaces\{3C48A0F8-4815-4A61-BFC7-FB2EC3A3110D} : NameServer =,
TCP: Interfaces\{3C48A0F8-4815-4A61-BFC7-FB2EC3A3110D} : DhcpNameServer =
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - d:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - e:\program files\hp\hpcoretech\comp\hpuiprot.dll
Hosts: HP000E7FD543C2
================= FIREFOX ===================
FF - ProfilePath - d:\documents and settings\deedee\application data\mozilla\firefox\profiles\ub7zf4uf.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - component: d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\coffplgn_2010_9_0_6\components\coFFPlgn.dll
FF - component: d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: d:\documents and settings\deedee\local settings\application data\google\update\\npGoogleUpdate3.dll
FF - plugin: d:\program files\windows media player\npdrmv2.dll
FF - plugin: d:\program files\windows media player\npdsplay.dll
FF - plugin: d:\program files\windows media player\npwmsdrm.dll
FF - plugin: e:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: e:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: e:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: e:\program files\google\update\\npGoogleUpdate3.dll
FF - plugin: e:\program files\google\update\\npGoogleUpdate3.dll
FF - plugin: e:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: e:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: e:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: e:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: e:\program files\microsoft\office live\npOLW.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: e:\program files\realplayerplus\netscape6\nppl3260.dll
FF - plugin: e:\program files\realplayerplus\netscape6\nprjplug.dll
FF - plugin: e:\program files\realplayerplus\netscape6\nprpjplug.dll
FF - plugin: e:\program files\windows live\photo gallery\NPWLPG.dll
============= SERVICES / DRIVERS ===============
R0 pavboot;pavboot;d:\windows\system32\drivers\pavboot.sys [2012-3-5 28552]
R2 BBSvc;BingBar Service;e:\program files\microsoft\bingbar\7.1.352.0\BBSvc.EXE [2012-1-21 192792]
R2 NPF;NetGroup Packet Filter Driver;d:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S2 gupdate;Google Update Service (gupdate);e:\program files\google\update\GoogleUpdate.exe [2010-2-20 135664]
S3 BBUpdate;BBUpdate;e:\program files\microsoft\bingbar\7.1.352.0\SeaPort.EXE [2012-1-21 240408]
S3 cpudrv;cpudrv;e:\program files\systemrequirementslab\cpudrv.sys [2011-6-2 11336]
S3 DLKRTS;D-Link DFE-530TX+ PCI Adapter;d:\windows\system32\drivers\DLKRTS.SYS [2006-1-20 25434]
S3 fsssvc;Windows Live Family Safety Service;e:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 gupdatem;Google Update Service (gupdatem);e:\program files\google\update\GoogleUpdate.exe [2010-2-20 135664]
S3 MatSvc;Microsoft Automated Troubleshooting Service;e:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 MosIrUsb;MosIrUsb.sys;d:\windows\system32\drivers\MosIrUsb.sys [2006-11-29 20736]
S3 ovudfu01;ovudfu01;d:\windows\system32\drivers\atirwrf.sys [2009-2-28 9091]
S3 SEM43XX;Sony Ericsson 802.11 Wireless LAN Adapter Driver SEM43XX;d:\windows\system32\drivers\semwl5.SYS [2005-1-2 368896]
S3 SEMWModem;Sony Ericsson SEMWModem;d:\windows\system32\drivers\GCXX.sys [2005-1-2 114944]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;d:\windows\system32\drivers\GCXXNet.sys [2005-1-2 53248]
S3 Sony_EricssonWWSC;Sony Ericsson SIM Card Reader;d:\windows\system32\drivers\GCXXSC.sys [2004-12-21 21888]
S4 SBN;SBN;h:\docume~1\deedee\locals~1\temp\sbn.exe --> h:\docume~1\deedee\locals~1\temp\SBN.exe [?]
S4 WinRM;Windows Remote Management (WS-Management);d:\windows\system32\svchost.exe -k WINRM [2001-8-18 14336]
=============== Created Last 30 ================
==================== Find3M ====================
2012-02-23 23:04:39 414368 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-15 22:37:42 472808 ----a-w- d:\windows\system32\deployJava1.dll
2012-01-12 16:53:24 1859968 ----a-w- d:\windows\system32\win32k.sys
2011-12-17 19:46:36 916992 ----a-w- d:\windows\system32\wininet.dll
2011-12-17 19:46:36 43520 ----a-w- d:\windows\system32\licmgr10.dll
2011-12-17 19:46:36 1469440 ----a-w- d:\windows\system32\inetcpl.cpl
2011-12-16 12:22:58 385024 ----a-w- d:\windows\system32\html.iec
============= FINISH: 16:41:03.43 ===============

BC AdBot (Login to Remove)


#2 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:43 PM

Posted 12 March 2012 - 07:22 PM


Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:43 PM

Posted 17 March 2012 - 07:55 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
Posted Image
m0le is a proud member of UNITE

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users