
Help: Worst rootkit infection :(


  • This topic is locked
48 replies to this topic

#1 Warpath

  • Members
  • 30 posts

Posted 20 March 2013 - 09:37 AM

Vista SP0 (internet is expensive in my country so I can't upgrade to SP1 and SP2)

 

I have been infected by the worst case of rootkit. I don't know when, but recently I realised there was something wrong with my computer and, as usual, I downloaded ComboFix, because I only keep ONE anti-virus toolkit on my PC, called SUPERAntiSpyware Professional, because I know that most "anti-viruses" are themselves viruses, so I do not trust them...

 

Before you go on about not discussing ComboFix, listen to what I did. I ran ComboFix, but after it finished running it crashed, so no LOGS; that's when I realised I may be infected by something BIG... I realised I was infected by a rootkit. I have been fighting this virus since Feb 26th.

 

HijackThis would not show the name/location of the virus (it halted searching from 023 onwards)

MBAR couldn't find anything

TDSSKiller also found nothing

RootRepeal failed (crashed after starting)

RootkitBuster failed after starting too

McAfee's rootkit remover failed too

RogueKiller couldn't find it

Spybot S&D couldn't find it

 

I ran a few other checks such as:

* RunScanner

* Unhide

* DDS

 

 

None of them found anything, all but GMER, which found out I had an infection, and this is the log info:

 

GMER 2.1.19081 - http://www.gmer.net
Rootkit scan 2013-03-20 00:42:35
Windows 6.0.6000  \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST380215A rev.3.AAD 74.53GB
Running: 6uppxqy0.exe; Driver: C:\Users\admin\AppData\Local\Temp\agrcrpod.sys


---- System - GMER 2.1 ----

SSDT     \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com)         ZwTerminateProcess [0x8A181620]

---- Kernel code sections - GMER 2.1 ----

.text    ntoskrnl.exe!_alloca_probe + 574                                                                                      828565C4 4 Bytes  [20, 16, 18, 8A]
?        C:\Windows\System32\Drivers\sptd.sys                                                                                  The process cannot access the file because it is being used by another process.
.text    USBPORT.SYS!DllUnload                                                                                                 8B12DACF 5 Bytes  JMP 84BD7780
PAGE     spsys.sys!?SPVersion@@3PADA + 1807                                                                                    8C28803F 504 Bytes  [8B, FF, 55, 8B, EC, 8B, 45, ...]
PAGE     spsys.sys!?SPVersion@@3PADA + 1A00                                                                                    8C288238 434 Bytes  [04, 3B, C1, 73, 05, 8B, 02, ...]
PAGE     spsys.sys!?SPVersion@@3PADA + 1BB3                                                                                    8C2883EB 120 Bytes  [5D, 0C, EB, 03, 8B, 4D, 10, ...]
PAGE     spsys.sys!?SPVersion@@3PADA + 1C2C                                                                                    8C288464 1379 Bytes  [8B, 4E, 10, 31, 4D, D4, 8B, ...]
PAGE     spsys.sys!?SPVersion@@3PADA + 2190                                                                                    8C2889C8 478 Bytes  [87, 37, 0E, 00, 00, FF, 24, ...]
PAGE     ...                                                                                                                   
         C:\Program Files\CyberLink\PowerDVD8\000.fcl                                                                          entry point in "" section [0x8C6C341C]
.clc     C:\Program Files\CyberLink\PowerDVD8\000.fcl                                                                          unknown last code section [0x8C6C4000, 0x1000, 0xE0000020]

---- Kernel IAT/EAT - GMER 2.1 ----

IAT      \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]                                             [86F1A61E] \SystemRoot\System32\Drivers\sptd.sys
IAT      \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]                                              [86F19AD4] \SystemRoot\System32\Drivers\sptd.sys
IAT      \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]                                      [86F1A748] \SystemRoot\System32\Drivers\sptd.sys
IAT      \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort]                                             [86F19B9C] \SystemRoot\System32\Drivers\sptd.sys
IAT      \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]                                       [86F19C1A] \SystemRoot\System32\Drivers\sptd.sys
IAT      \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]                                                    [86F2EACA] \SystemRoot\System32\Drivers\sptd.sys
IAT      \SystemRoot\system32\drivers\ataport.SYS[ntoskrnl.exe!IoConnectInterruptEx]                                           [86F2F96C] \SystemRoot\System32\Drivers\sptd.sys
IAT      \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice]                                                     [86F2F832] \SystemRoot\System32\Drivers\sptd.sys
IAT      \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack]                                        [86F51892] \SystemRoot\System32\Drivers\sptd.sys
IAT      \SystemRoot\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt]                                            [86F2F886] \SystemRoot\System32\Drivers\sptd.sys
IAT      \SystemRoot\system32\DRIVERS\storport.sys[ntoskrnl.exe!IoConnectInterruptEx]                                          [86F2F96C] \SystemRoot\System32\Drivers\sptd.sys

---- User IAT/EAT - GMER 2.1 ----

IAT      C:\Windows\Explorer.EXE[1768] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                                  [74F6FE0C] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16386_none_9ea0ac9ec96e7127\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT      C:\Windows\Explorer.EXE[1768] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]                              [74F3C53D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16386_none_9ea0ac9ec96e7127\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT      C:\Windows\Explorer.EXE[1768] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]                        [74F2A31F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16386_none_9ea0ac9ec96e7127\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT      C:\Windows\Explorer.EXE[1768] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]                          [74F2CBEF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16386_none_9ea0ac9ec96e7127\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT      C:\Windows\Explorer.EXE[1768] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]                               [74F28AAA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16386_none_9ea0ac9ec96e7127\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT      C:\Windows\Explorer.EXE[1768] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]                      [74F3DAB8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16386_none_9ea0ac9ec96e7127\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT      C:\Windows\Explorer.EXE[1768] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]                              [74F27D8D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16386_none_9ea0ac9ec96e7127\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT      C:\Windows\Explorer.EXE[1768] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]                               [74F27CF4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16386_none_9ea0ac9ec96e7127\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT      C:\Windows\Explorer.EXE[1768] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]                                [74F26A4E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16386_none_9ea0ac9ec96e7127\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT      C:\Windows\Explorer.EXE[1768] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]                        [74FBBE7C] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16386_none_9ea0ac9ec96e7127\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT      C:\Windows\Explorer.EXE[1768] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]                           [74F48A5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16386_none_9ea0ac9ec96e7127\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT      C:\Windows\Explorer.EXE[1768] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]                              [74F290CD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16386_none_9ea0ac9ec96e7127\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT      C:\Windows\Explorer.EXE[1768] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                                        [74F32248] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16386_none_9ea0ac9ec96e7127\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT      C:\Windows\Explorer.EXE[1768] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                                       [74F32273] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16386_none_9ea0ac9ec96e7127\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT      C:\Windows\Explorer.EXE[1768] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                                 [74F37724] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16386_none_9ea0ac9ec96e7127\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT      C:\Windows\Explorer.EXE[1768] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                                  [74F37546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16386_none_9ea0ac9ec96e7127\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT      C:\Windows\Explorer.EXE[1768] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]                   [74F6861D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16386_none_9ea0ac9ec96e7127\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 2.1 ----

Device   \FileSystem\Ntfs \Ntfs                                                                                                83D4A1E8
Device   \Driver\volmgr \Device\VolMgrControl                                                                                  83D471E8
Device   \Driver\usbuhci \Device\USBPDO-0                                                                                      84D647A0
Device   \Driver\usbuhci \Device\USBPDO-1                                                                                      84D647A0
Device   \Driver\usbuhci \Device\USBPDO-2                                                                                      84D647A0
Device   \Driver\usbehci \Device\USBPDO-3                                                                                      84C657A0
Device   \Driver\volmgr \Device\HarddiskVolume1                                                                                83D471E8
Device   \Driver\cdrom \Device\CdRom0                                                                                          84D777A0
Device   \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0                                                                           83D491E8
Device   \Driver\atapi \Device\Ide\IdePort0                                                                                    83D491E8
Device   \Driver\atapi \Device\Ide\IdePort1                                                                                    83D491E8
Device   \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2                                                                           83D491E8
Device   \Driver\netbt \Device\NetBt_Wins_Export                                                                               84F6F1E8
Device   \Driver\iScsiPrt \Device\RaidPort0                                                                                    84CBA1E8
Device   \Driver\usbuhci \Device\USBFDO-0                                                                                      84D647A0
Device   \Driver\usbuhci \Device\USBFDO-1                                                                                      84D647A0
Device   \Driver\usbuhci \Device\USBFDO-2                                                                                      84D647A0
Device   \Driver\usbehci \Device\USBFDO-3                                                                                      84C657A0
Device                                                                                                                         Fs_Rec.SYS (File System Recognizer Driver/Microsoft Corporation)
Device                                                                                                                         InCDfs.SYS (InCD File System Driver/Nero AG)

---- Trace I/O - GMER 2.1 ----

Trace    ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x83d491e8]<<                                          83d491e8
Trace    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84b2c578]                                                               84b2c578
Trace    3 ntoskrnl.exe[828a811d] -> nt!IofCallDriver -> [0x84af9a80]                                                          84af9a80
Trace    5 acpi.sys[8044732a] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x84b31bb0]                                 84b31bb0
Trace    \Driver\atapi[0x84af3948] -> IRP_MJ_CREATE -> 0x83d491e8                                                              83d491e8

---- Processes - GMER 2.1 ----

Process   (*** hidden *** )                                                                                                    [4] 83D2D8A0                                                                                                                                                         

---- Services - GMER 2.1 ----

Service  C:\Windows\system32\ (*** hidden *** )                                                                                [AUTO] rtksbh                                                                                                                                                         <-- ROOTKIT !!!

---- Registry - GMER 2.1 ----

Reg      HKLM\SYSTEM\CurrentControlSet\Services\rtksbh@DisplayName                                                             Monitor Shell
Reg      HKLM\SYSTEM\CurrentControlSet\Services\rtksbh@Type                                                                    32
Reg      HKLM\SYSTEM\CurrentControlSet\Services\rtksbh@Start                                                                   2
Reg      HKLM\SYSTEM\CurrentControlSet\Services\rtksbh@ErrorControl                                                            0
Reg      HKLM\SYSTEM\CurrentControlSet\Services\rtksbh@ImagePath                                                               %SystemRoot%\system32\svchost.exe -k netsvcs
Reg      HKLM\SYSTEM\CurrentControlSet\Services\rtksbh@ObjectName                                                              LocalSystem
Reg      HKLM\SYSTEM\CurrentControlSet\Services\rtksbh@Description                                                             Windows Firewall helps protect your computer by preventing unauthorized users from gaining access to your computer through the Internet or a network.
Reg      HKLM\SYSTEM\CurrentControlSet\Services\rtksbh\Parameters                                                              
Reg      HKLM\SYSTEM\CurrentControlSet\Services\rtksbh\Parameters@ServiceDll                                                   C:\Windows\system32\
Reg      HKLM\SYSTEM\CurrentControlSet\Services\rtksbh                                                                         
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                                    771343423
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                                    285507792
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                                    1
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                                      
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                   0
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                0x6D 0xEE 0x8E 0xE2 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                   C:\Program Files\DAEMON Tools\
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001                             
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                       0x97 0x56 0xD7 0xD9 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                          0x20 0x01 0x00 0x00 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40                       
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                 0x97 0x47 0x30 0xDC ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41                       
Reg      HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh                 0x94 0x80 0xFD 0x11 ...
Reg      HKLM\SYSTEM\ControlSet005\Services\rtksbh@DisplayName                                                                 Monitor Shell
Reg      HKLM\SYSTEM\ControlSet005\Services\rtksbh@Type                                                                        32
Reg      HKLM\SYSTEM\ControlSet005\Services\rtksbh@Start                                                                       2
Reg      HKLM\SYSTEM\ControlSet005\Services\rtksbh@ErrorControl                                                                0
Reg      HKLM\SYSTEM\ControlSet005\Services\rtksbh@ImagePath                                                                   %SystemRoot%\system32\svchost.exe -k netsvcs
Reg      HKLM\SYSTEM\ControlSet005\Services\rtksbh@ObjectName                                                                  LocalSystem
Reg      HKLM\SYSTEM\ControlSet005\Services\rtksbh@Description                                                                 Windows Firewall helps protect your computer by preventing unauthorized users from gaining access to your computer through the Internet or a network.
Reg      HKLM\SYSTEM\ControlSet005\Services\rtksbh\Parameters (not active ControlSet)                                          
Reg      HKLM\SYSTEM\ControlSet005\Services\rtksbh\Parameters@ServiceDll                                                       C:\Windows\system32\
Reg      HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                  
Reg      HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                       0
Reg      HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                    0x6D 0xEE 0x8E 0xE2 ...
Reg      HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                       C:\Program Files\DAEMON Tools\
Reg      HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)         
Reg      HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                           0x97 0x56 0xD7 0xD9 ...
Reg      HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                              0x20 0x01 0x00 0x00 ...
Reg      HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)   
Reg      HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                     0x97 0x47 0x30 0xDC ...
Reg      HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)   
Reg      HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh                     0x94 0x80 0xFD 0x11 ...
Reg      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1244561939-528365288-2617857063-1000@RefCount  20

---- EOF - GMER 2.1 ----
 

 

DDS LOG

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 7.0.6000.16386  BrowserJavaVersion: 1.6.0_30
Run by admin at 2:15:07 on 2013-03-18
Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.1.1033.18.1535.822 [GMT 12:00]
.
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\tcpsvcs.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 9\firefox.exe
C:\Users\admin\Desktop\runscanner.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spb\spybotportable\app\spybot\SDHelper.dll
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spb\spybotportable\app\spybot\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: NameServer = 183.81.133.150 183.81.133.151
TCP: Interfaces\{D0889D86-FC42-4023-BF8F-7C6D93B3317F} : DHCPNameServer = 183.81.133.150 183.81.133.151
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\vq65h98v.default\
FF - prefs.js: browser.startup.homepage - hxxp://addpro.imdb.com/updates/history|
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox 4.0 beta 9\plugins\npdeployJava1.dll
FF - plugin: c:\program files\tvuplayer\npTVUAx.dll
FF - plugin: c:\users\admin\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\admin\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\admin\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-18 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-11 67656]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\cyberlink\powerdvd8\000.fcl [2008-5-15 61424]
R2 MSF32;MSF32;c:\program files\mysecretfolder\MSF32.SYS [2009-8-21 43856]
R2 NetProbe;NetProbe Packet Driver;c:\windows\system32\drivers\NetProbe.sys [2009-3-24 5365]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-26 35088]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2009-7-23 112128]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2012-3-18 21992]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2011-6-2 11336]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2009-7-23 100736]
S3 massfilter;MBB Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2011-4-1 9216]
S3 MFE_RR;MFE_RR;c:\users\admin\appdata\local\temp\mfe_rr.sys [2013-3-13 16488]
S3 PsSdk31;PsSdk31;c:\windows\system32\drivers\pssdk31.drv [2010-1-24 30272]
S3 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [2009-10-10 38976]
S3 PSSDKLBF;PSSDKLBF;c:\windows\system32\drivers\pssdklbf.sys [2009-10-10 53312]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2011-4-1 114688]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [2011-4-1 105856]
S4 PIF;PIF;c:\users\admin\appdata\local\temp\PIF.exe [2013-3-13 502656]
S4 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-7-4 119016]
S4 UKC;UKC;c:\users\admin\appdata\local\temp\UKC.exe [2013-3-13 535424]
S4 UUFTTUSAL;UUFTTUSAL;c:\users\admin\appdata\local\temp\UUFTTUSAL.exe [2013-3-13 580480]
S4 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2009-9-18 9216]
S4 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
S4 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]
S4 WNOBZW;WNOBZW;c:\users\admin\appdata\local\temp\WNOBZW.exe [2013-3-9 482176]
.
=============== File Associations ===============
.
FileExt: .reg: Applications\wordpad.exe="c:\program files\windows nt\accessories\WORDPAD.EXE" "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2013-03-17 11:39:45    --------    d-----w-    c:\users\admin\appdata\roaming\Runscanner.net
2013-03-17 05:21:10    --------    d-----w-    c:\users\admin\appdata\roaming\SUPERAntiSpyware.com
2013-03-17 05:21:00    --------    d-----w-    c:\program files\SUPERAntiSpyware
2013-03-13 04:51:01    --------    d-sh--w-    C:\$RECYCLE.BIN
2013-03-13 03:59:11    --------    d-----w-    C:\TDSSKiller_Quarantine
2013-03-13 03:49:41    256904    ----a-w-    c:\windows\system32\drivers\tmcomm.sys
2013-03-09 00:04:00    --------    d-----w-    c:\users\admin\Pavark
2013-03-08 13:44:15    --------    d-----w-    c:\program files\SPB
2013-03-06 11:41:54    --------    d-----w-    c:\users\admin\appdata\roaming\K-Meleon
2013-03-03 14:05:58    --------    d-----w-    c:\users\admin\appdata\local\temp
2013-03-03 14:02:09    --------    d-----w-    C:\tromy7262t
2013-03-03 14:01:20    --------    d-----w-    C:\tromy
2013-03-03 11:58:13    --------    d-----w-    c:\programdata\Malwarebytes
2013-03-03 10:43:15    132256    ----a-w-    c:\windows\system32\drivers\tmrkb.sys
2013-02-28 04:58:52    --------    d-----w-    c:\program files\Mozilla Firefox 4.0 Beta 9
.
==================== Find3M  ====================
.
2013-02-27 06:14:39    30272    ----a-w-    c:\windows\system32\drivers\pssdk31.drv
.
============= FINISH:  2:16:21.35 ===============

 

Tromy is ComboFix; I saved it under a random name to avoid it getting deleted by the virus.

SPB is the Spybot folder.

tmcomm.sys is the sys file for TDSSKiller, I think.
 

 

I even tried running it in safe mode; the virus had control there as well (it has written itself to the safe mode files too),

and when I tried running CHKDSK and SFC.

 

I ran Resource Monitor and I saw this > tFueGlJ.jpg

 

 

The virus can control and MANIPULATE any program that tries to find and kill it... I'm at a loss here, what can I do? :(

I tried starting safe boot again today and my computer crashed 3 times, as if the virus now no longer allows me to go into safe mode..... I even tried booting through the installation disc... which went about 90% and crashed, saying it can't fix some of the errors.

 

It won't allow me to read the CBS files either; as soon as I try to open them, I get a blank Notepad with an access denied warning.

 

 

 

 

I fought a rootkit virus in 2009 hiding under the name "rtksbh" and presenting itself as "Monitor Shell" (firewall), but I find that program is still there and I have no PERMISSION to delete or change it in the registry (I did somehow remove it from services).... Let's just say the virus is not only HIDDEN in system32, it is GOD-MODE hidden.. I can't even search for it, find the folder name and delete it (when I do a right click over the "drivers" folder, it tells me there are 5 folders in it; when I open it there are 3, so 2 are SUPER-HIDDEN)... I worry that if I delete the wrong file, the computer would crash.. What must I do?


Edited by hamluis, 20 March 2013 - 10:14 AM.
Moved from Vista to Malware Removal Logs - Hamluis.
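The GMER registry section above shows the pattern a responder wants to check for on a live host: a service (rtksbh, display name "Monitor Shell") whose ImagePath is svchost.exe -k netsvcs, whose Parameters\ServiceDll is just C:\Windows\system32\ with no DLL name, whose Description is copied from the real Windows Firewall service, and which GMER flags as hidden. The PowerShell script below is an added example, not code from this thread, from GMER or from BleepingComputer. It cross-checks three views of the services on a Windows machine: what the Service Control Manager enumerates, which names are declared members of each svchost group under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, and the raw keys under HKLM\SYSTEM\CurrentControlSet\Services. It assumes an elevated PowerShell 3 or later prompt; apart from those registry paths, nothing in it is specific to the poster's machine.

```powershell
# Added example (not from the original thread): cross-view check for svchost-hosted
# services. A service that exists in the registry but (a) points at a ServiceDll that
# is not a real file, (b) is not enumerated by the SCM, or (c) is not a declared member
# of the svchost group it claims, is worth a closer look. Assumes an elevated prompt.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

# View 1: what the Service Control Manager admits to (services.msc / Get-Service).
$scmNames = @{}
Get-Service | ForEach-Object { $scmNames[$_.Name.ToLower()] = $true }

# View 2: svchost group membership, e.g. which service names legitimately run under
# "svchost.exe -k netsvcs". Each REG_MULTI_SZ value is one group.
$groupMembers = @{}
$groups = Get-ItemProperty -Path $svchostKey
foreach ($p in $groups.PSObject.Properties) {
    if ($p.Value -is [string[]]) {
        foreach ($m in $p.Value) { $groupMembers[$m.ToLower()] = $p.Name }
    }
}

# View 3: the raw Services keys, which is what GMER's registry section walks.
$findings = foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $name  = $key.PSChildName
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    $image = [string]$props.ImagePath
    if ($image -notmatch 'svchost\.exe') { continue }   # only svchost-hosted services

    # ServiceDll lives under <service>\Parameters and may contain %SystemRoot%.
    $dll = $null
    $paramsPath = Join-Path $key.PSPath 'Parameters'
    if (Test-Path $paramsPath) {
        $dll = (Get-ItemProperty -Path $paramsPath -ErrorAction SilentlyContinue).ServiceDll
    }
    $dllExpanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { '' }
    $dllOk = ($dllExpanded -ne '') -and (Test-Path -LiteralPath $dllExpanded -PathType Leaf)

    $reasons = @()
    if (-not $dllOk) { $reasons += "ServiceDll does not resolve to a file: '$dll'" }
    if (-not $scmNames.ContainsKey($name.ToLower())) { $reasons += 'not enumerated by the SCM' }
    if ($image -match '-k\s+(\S+)' -and -not $groupMembers.ContainsKey($name.ToLower())) {
        $reasons += "not a declared member of svchost group '$($Matches[1])'"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Service     = $name
            DisplayName = $props.DisplayName
            Start       = $props.Start        # 2 = auto start, as rtksbh had above
            ImagePath   = $image
            ServiceDll  = $dll
            Reasons     = ($reasons -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

A kernel-mode rootkit that filters registry enumeration, which is what GMER's "hidden" flag implies here, can hide the rtksbh key from this script just as it hid it from the poster's other tools, so an empty result on a suspect machine proves nothing. The script is for catching the less stealthy cases and for verifying a cleanup; the authoritative comparison is the SYSTEM hive loaded offline (reg load from a recovery environment or another machine) against the live view.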



#2 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,003 posts
  • Gender:Male
  • Location:California

Posted 24 March 2013 - 08:04 AM

Greetings Warpath and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Start New Topic button but use the Add Reply button instead.
  • In the upper right hand corner of the topic you will see the Watch Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please run this program for me.

===================================================

Farbar's Recovery Scan Tool

--------------------

For this step you will need a USB flash drive and start on a clean computer.
  • Please download Farbar Recovery Scan Tool and save it to a flash drive. You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Plug the flash drive into the infected PC and follow the 2 step process below: enter the System Recovery Options using one of the three options listed, then run Farbar's Recovery Scan Tool
----------

Entering into the System Recovery Options


Option #1 - Windows 8

To enter System Recovery Options in Windows 8:--

Option #2 - Using Advanced Boot Option

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
--

Option #3 - Using Windows Installation Disk

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
----------

Running Farbar's Recovery Scan Tool in System Recovery
  • Once you are in the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in Notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select Computer and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.
  • FRST log

Gary

If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Warpath

  • Topic Starter
  • Members
  • 30 posts
  • Local time:11:00 AM

Posted 24 March 2013 - 09:36 AM

hi

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2013 (ATTENTION: FRST version is 12 days old)
Ran by SYSTEM at 25-03-2013 02:18:36
Running from E:\
Windows Vista ™ Home Premium   (X86) OS Language: English(US)
The current controlset is ControlSet002

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto [222208 2006-11-02] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 183.81.133.150 183.81.133.151

==================== Services (Whitelisted) ===================

4 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [106280 2013-03-21] (SurfRight B.V.)
4 InCDsrv; C:\Program Files\Ahead\InCD\InCDsrv.exe [878592 2006-01-15] (Nero AG)
4 SbieSvc; "C:\Program Files\Sandboxie\SbieSvc.exe" [75496 2010-07-04] (tzuk)
4 VMCService; "C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe" [9216 2009-09-17] (Vodafone)
4 DrWebEngine; "C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe" [x]
4 rpcapd; "C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini" [x]

==================== Drivers (Whitelisted) ====================

3 ac97intc; C:\Windows\System32\drivers\ac97intc.sys [108032 2006-11-01] (Intel Corporation)
3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [108104 2010-12-01] (SlySoft, Inc.)
3 basic2; C:\Windows\System32\DRIVERS\basic2.sys [82770 2001-10-15] (Conexant Systems)
3 cpudrv; \??\C:\Program Files\SystemRequirementsLab\cpudrv.sys [11336 2011-06-01] ()
1 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [31088 2010-12-16] (Elaborate Bytes AG)
4 Fsks; C:\Windows\System32\DRIVERS\fsksnt.sys [124701 2001-10-15] (Conexant Systems)
3 GVCplDrv; C:\Windows\System32\Drivers\GVCplDrv.sys [23040 2004-05-02] ()
3 hwusbfake; C:\Windows\System32\DRIVERS\ewusbfake.sys [100736 2009-07-22] (Huawei Technologies Co., Ltd.)
4 InCDfs; C:\Windows\System32\Drivers\InCDfs.sys [102016 2006-01-16] (Nero AG)
1 InCDPass; C:\Windows\System32\DRIVERS\InCDPass.sys [29440 2006-01-16] (Nero AG)
1 InCDrec; C:\Windows\System32\Drivers\InCDrec.sys [8704 2006-01-15] (Nero AG)
1 incdrm; C:\Windows\System32\Drivers\incdrm.sys [32640 2006-01-17] (Nero AG)
4 K56; C:\Windows\System32\DRIVERS\k56nt.sys [429199 2001-10-15] (Conexant Systems)
3 KeyMaestro; \??\C:\Windows\System32\Drivers\Maestro0.sys [34016 2000-08-07] (Vireo Software)
3 massfilter; C:\Windows\System32\DRIVERS\massfilter.sys [9216 2010-04-18] (MBB Incorporated)
4 MSF32; \??\C:\Program Files\MySecretFolder\MSF32.SYS [43856 2009-03-24] (WinAbility® Software Corporation)
2 NetProbe; C:\Windows\System32\DRIVERS\netprobe.sys [5365 2009-03-23] ()
2 NPF; C:\Windows\System32\drivers\npf.sys [35088 2010-06-25] (CACE Technologies, Inc.)
3 PsSdk31; \??\C:\Windows\system32\Drivers\pssdk31.drv [30272 2013-02-26] (microOLAP Technologies LTD)
3 PSSDK42; \??\C:\Windows\system32\Drivers\pssdk42.sys [38976 2009-10-09] (microOLAP Technologies LTD)
3 PSSDKLBF; \??\C:\Windows\system32\Drivers\pssdklbf.sys [53312 2009-10-09] (microOLAP Technologies LTD)
3 Rksample; C:\Windows\System32\DRIVERS\rksample.sys [62134 2001-10-15] (Conexant Systems)
3 s616bus; C:\Windows\System32\DRIVERS\s616bus.sys [83208 2007-04-03] (MCCI Corporation)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12872 2010-02-17] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67656 2010-05-10] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 SbieDrv; \??\C:\Program Files\Sandboxie\SbieDrv.sys [119016 2010-07-04] (tzuk)
2 SoftFax; C:\Windows\System32\DRIVERS\faxnt.sys [215323 2001-10-15] (Conexant Systems)
2 SpeakerPhone; C:\Windows\System32\DRIVERS\spkpnt.sys [80097 2001-10-15] (Conexant Systems)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [466008 2013-03-21] (Duplex Secure Ltd.)
3 STAC97; C:\Windows\System32\drivers\STAC97.sys [123984 2002-02-25] (SigmaTel, Inc.)
2 StreamDispatcher; C:\Windows\System32\DRIVERS\strmdisp.sys [33452 2001-10-18] (Conexant Systems)
2 Tones; C:\Windows\System32\DRIVERS\tonesnt.sys [59663 2001-10-15] (Conexant Systems)
2 V124; C:\Windows\System32\DRIVERS\v124nt.sys [542477 2001-10-15] (Conexant Systems)
3 ZTEusbnet; C:\Windows\System32\DRIVERS\ZTEusbnet.sys [114688 2010-03-24] (ZTE Corporation)
3 ZTEusbvoice; C:\Windows\System32\DRIVERS\ZTEusbvoice.sys [105856 2010-04-18] (ZTE Incorporated)
2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}; \??\C:\Program Files\CyberLink\PowerDVD8\000.fcl [61424 2008-05-14] (Cyberlink Corp.)
2 Aspi32;  [x]
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
3 catchme; \??\C:\ComboFix\catchme.sys [x]
4 Fallback; C:\Windows\System32\DRIVERS\fallback.sys [x]
3 HSFHWBS2; C:\Windows\System32\DRIVERS\HSFHWBS2.sys [x]
3 HSF_DP; C:\Windows\System32\DRIVERS\HSF_DP.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 ManyCam; C:\Windows\System32\DRIVERS\ManyCam.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
3 VMnetAdapter; C:\Windows\System32\DRIVERS\vmnetadapter.sys [x]
3 ZSMC301b; C:\Windows\System32\Drivers\usbVM31b.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-03-25 02:07 - 2013-03-25 02:07 - 00000000 ____D C:\FRST
2013-03-23 16:47 - 2013-03-23 16:47 - 00153928 ____A C:\Windows\Minidump\Mini032413-01.dmp
2013-03-22 06:13 - 2013-03-22 06:13 - 00000876 ____A C:\Users\admin\Desktop\vlc - Shortcut.lnk
2013-03-22 00:47 - 2013-03-22 00:47 - 00014423 ____A C:\ComboFix.txt
2013-03-21 23:39 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2013-03-21 23:39 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2013-03-21 23:39 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2013-03-21 23:39 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2013-03-21 23:39 - 2000-08-30 16:00 - 00212480 ____A (SteelWerX) C:\Windows\SWXCACLS.exe
2013-03-21 23:39 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2013-03-21 23:39 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2013-03-21 23:39 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2013-03-21 23:32 - 2013-03-21 23:33 - 05042224 ____R (Swearware) C:\Users\admin\Desktop\ComboFix.exe
2013-03-21 22:03 - 2013-03-21 22:08 - 00014918 ____A C:\Users\admin\Documents\Show-Hidden.txt
2013-03-21 21:35 - 2013-03-21 21:35 - 00039956 ____A C:\Users\admin\Documents\HitmanPro_20130322_1735.log
2013-03-21 21:22 - 2013-03-21 21:22 - 00000000 ____D C:\Program Files\HitmanPro
2013-03-21 21:21 - 2013-03-21 21:36 - 00000000 ____D C:\ProgramData\HitmanPro
2013-03-21 20:59 - 2013-03-21 20:59 - 00001342 ____A C:\AdwCleaner[R2].txt
2013-03-21 20:39 - 2013-03-21 20:39 - 00000313 ____A C:\AdwCleaner[S1].txt
2013-03-21 20:38 - 2013-03-21 20:39 - 00001223 ____A C:\AdwCleaner[R1].txt
2013-03-19 20:51 - 2013-03-19 20:51 - 00153928 ____A C:\Windows\Minidump\Mini032013-01.dmp
2013-03-19 20:41 - 2013-03-20 16:45 - 00000362 ____A C:\Users\admin\Desktop\rtk.txt
2013-03-19 20:33 - 2013-03-19 20:33 - 00015384 ____A C:\Users\admin\Documents\drivers cmd.txt
2013-03-19 18:26 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\nircmd.exe
2013-03-19 04:47 - 2013-03-19 04:48 - 00004484 ____A C:\Users\admin\Documents\startup.txt
2013-03-19 00:48 - 2013-03-19 00:48 - 00000000 ____A C:\Windows\setuperr.log
2013-03-19 00:48 - 2013-03-19 00:48 - 00000000 ____A C:\Windows\setupact.log
2013-03-18 22:58 - 2013-03-18 22:58 - 00000258 _RASH C:\ProgramData\ntuser.pol
2013-03-18 19:21 - 2013-03-18 19:21 - 00000960 ____A C:\Users\Public\Desktop\xplorer2.lnk
2013-03-18 19:21 - 2013-03-18 19:21 - 00000000 ____D C:\Program Files\zabkat
2013-03-17 07:35 - 2013-03-17 07:35 - 00153880 ____A C:\Windows\Minidump\Mini031813-01.dmp
2013-03-17 03:39 - 2013-03-17 03:39 - 00000000 ____D C:\Users\admin\AppData\Roaming\Runscanner.net
2013-03-17 02:44 - 2013-03-20 07:08 - 00013987 ____A C:\Users\admin\Desktop\TESTS.txt
2013-03-16 21:21 - 2013-03-16 21:24 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2013-03-16 21:21 - 2013-03-16 21:21 - 00001760 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Professional.lnk
2013-03-16 21:21 - 2013-03-16 21:21 - 00000000 ____D C:\Users\admin\AppData\Roaming\SUPERAntiSpyware.com
2013-03-12 21:02 - 2013-03-12 21:11 - 00000000 ____D C:\Users\admin\Documents\RK_Quarantine
2013-03-12 20:15 - 2013-03-08 06:35 - 00422512 ___RA C:\Windows\System32\Drivers\etc\hosts.20130313-161538.backup
2013-03-12 19:59 - 2013-03-21 23:21 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-03-12 19:49 - 2013-03-12 19:49 - 00256904 ____A (Trend Micro Inc.) C:\Windows\System32\Drivers\tmcomm.sys
2013-03-12 16:01 - 2013-03-12 16:02 - 22073344 ____A C:\Windows\System32\LXCMRLXA
2013-03-08 16:04 - 2013-03-17 07:33 - 00000000 ____D C:\Users\admin\Pavark
2013-03-08 06:35 - 2013-02-25 06:44 - 00000027 ____A C:\Windows\System32\Drivers\etc\hosts.20130309-023531.backup
2013-03-08 06:13 - 2013-03-08 06:35 - 113436891 ____A C:\Windows\System32\VUJSFN
2013-03-08 05:44 - 2013-03-08 05:44 - 00000000 ____D C:\Program Files\SPB
2013-03-08 04:31 - 2013-03-08 04:44 - 00001945 ____A C:\Windows\epplauncher.mif
2013-03-06 03:41 - 2013-03-06 03:42 - 00000000 ____D C:\Users\admin\AppData\Roaming\K-Meleon
2013-03-06 03:41 - 2013-03-06 03:41 - 00000764 ____A C:\Users\admin\Desktop\K-Meleon.lnk
2013-03-04 03:16 - 2013-03-04 03:05 - 23430233 ____A C:\Users\admin\Desktop\9BE6Fd01.mp4
2013-03-03 16:18 - 2013-03-03 16:18 - 00388608 ____A (Trend Micro Inc.) C:\Users\admin\Desktop\HijackThis.exe
2013-03-03 06:02 - 2013-03-03 06:08 - 00000000 ____D C:\tromy7262t
2013-03-03 06:01 - 2013-03-03 06:01 - 00000000 ____D C:\tromy
2013-03-03 03:58 - 2013-03-03 03:58 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-03-03 02:43 - 2013-03-03 03:36 - 00132256 ____A (trend_company_name) C:\Windows\System32\Drivers\tmrkb.sys
2013-03-02 23:16 - 2013-03-02 23:17 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\admin\Desktop\tdsskiller.exe
2013-03-02 22:44 - 2013-03-02 22:45 - 00153880 ____A C:\Windows\Minidump\Mini030313-01.dmp
2013-02-27 20:58 - 2013-02-27 21:00 - 00000000 ____D C:\Program Files\Mozilla Firefox 4.0 Beta 9
2013-02-26 05:25 - 2013-02-26 05:25 - 00153880 ____A C:\Windows\Minidump\Mini022713-01.dmp
2013-02-26 05:23 - 2013-03-23 16:47 - 183203710 ____A C:\Windows\MEMORY.DMP
2013-02-26 05:23 - 2013-03-22 00:07 - 00005970 ____A C:\Windows\PFRO.log
2013-02-25 23:57 - 2013-02-25 23:58 - 00000020 ____A C:\Users\admin\defogger_reenable
2013-02-25 22:31 - 2013-02-25 22:31 - 00064548 ____A C:\Users\admin\Documents\cc_20130226_183100.reg
2013-02-25 22:29 - 2013-02-25 22:29 - 00376832 ____A C:\Users\admin\Desktop\6uppxqy0.exe

==================== One Month Modified Files and Folders ========

2013-03-25 02:07 - 2013-03-25 02:07 - 00000000 ____D C:\FRST
2013-03-24 05:44 - 2010-05-12 23:59 - 00131072 ____A C:\Windows\System32\Ikeext.etl
2013-03-24 05:44 - 2009-06-15 17:41 - 00000000 ___RD C:\Users\admin\Desktop\Extraz
2013-03-24 05:44 - 2006-11-02 05:01 - 00032570 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-03-24 05:44 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-03-24 05:36 - 2006-11-02 02:33 - 01591034 ____A C:\Windows\System32\PerfStringBackup.INI
2013-03-24 04:46 - 2006-11-02 04:47 - 00003552 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-03-24 04:46 - 2006-11-02 04:47 - 00003552 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-03-23 21:53 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\tracing
2013-03-23 16:49 - 2012-03-17 01:09 - 00034901 ____A C:\ProgramData\nvModes.dat
2013-03-23 16:49 - 2012-03-17 01:09 - 00034901 ____A C:\ProgramData\nvModes.001
2013-03-23 16:47 - 2013-03-23 16:47 - 00153928 ____A C:\Windows\Minidump\Mini032413-01.dmp
2013-03-23 16:47 - 2013-02-26 05:23 - 183203710 ____A C:\Windows\MEMORY.DMP
2013-03-23 16:47 - 2009-06-14 21:46 - 00000000 ____D C:\Windows\Minidump
2013-03-22 20:52 - 2010-12-05 07:31 - 00000000 ____D C:\Users\admin\AppData\Roaming\vlc
2013-03-22 19:23 - 2012-05-23 00:56 - 00275888 ____A C:\Windows\WindowsUpdate.log
2013-03-22 06:28 - 2009-09-16 04:51 - 00000000 ____D C:\Users\admin\AppData\Roaming\dvdcss
2013-03-22 06:13 - 2013-03-22 06:13 - 00000876 ____A C:\Users\admin\Desktop\vlc - Shortcut.lnk
2013-03-22 00:47 - 2013-03-22 00:47 - 00014423 ____A C:\ComboFix.txt
2013-03-22 00:47 - 2011-04-02 06:43 - 00000000 ____D C:\Qoobox
2013-03-22 00:10 - 2006-11-02 02:23 - 00000215 ____A C:\Windows\system.ini
2013-03-22 00:07 - 2013-02-26 05:23 - 00005970 ____A C:\Windows\PFRO.log
2013-03-22 00:06 - 2006-11-02 02:22 - 36438016 ____A C:\Windows\System32\config\SOFTWARE.bak
2013-03-22 00:06 - 2006-11-02 02:22 - 35127296 ____A C:\Windows\System32\config\SYSTEM.bak
2013-03-22 00:06 - 2006-11-02 02:22 - 09453568 ____A C:\Windows\System32\config\COMPON~2.bak
2013-03-22 00:06 - 2006-11-02 02:22 - 04718592 ____A C:\Windows\System32\config\DEFAULT.bak
2013-03-22 00:06 - 2006-11-02 02:22 - 00057344 ____A C:\Windows\System32\config\SAM.bak
2013-03-22 00:06 - 2006-11-02 02:22 - 00032768 ____A C:\Windows\System32\config\SECURITY.bak
2013-03-22 00:05 - 2011-04-02 06:44 - 00000000 ____D C:\Windows\ERDNT
2013-03-21 23:33 - 2013-03-21 23:32 - 05042224 ____R (Swearware) C:\Users\admin\Desktop\ComboFix.exe
2013-03-21 23:23 - 2009-10-21 01:17 - 00466008 ____A (Duplex Secure Ltd.) C:\Windows\System32\Drivers\sptd.sys
2013-03-21 23:21 - 2013-03-12 19:59 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-03-21 22:08 - 2013-03-21 22:03 - 00014918 ____A C:\Users\admin\Documents\Show-Hidden.txt
2013-03-21 21:36 - 2013-03-21 21:21 - 00000000 ____D C:\ProgramData\HitmanPro
2013-03-21 21:35 - 2013-03-21 21:35 - 00039956 ____A C:\Users\admin\Documents\HitmanPro_20130322_1735.log
2013-03-21 21:22 - 2013-03-21 21:22 - 00000000 ____D C:\Program Files\HitmanPro
2013-03-21 20:59 - 2013-03-21 20:59 - 00001342 ____A C:\AdwCleaner[R2].txt
2013-03-21 20:48 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\registration
2013-03-21 20:39 - 2013-03-21 20:39 - 00000313 ____A C:\AdwCleaner[S1].txt
2013-03-21 20:39 - 2013-03-21 20:38 - 00001223 ____A C:\AdwCleaner[R1].txt
2013-03-20 17:29 - 2011-12-30 03:39 - 00007498 ____A C:\Users\admin\Desktop\js.txt
2013-03-20 16:45 - 2013-03-19 20:41 - 00000362 ____A C:\Users\admin\Desktop\rtk.txt
2013-03-20 07:08 - 2013-03-17 02:44 - 00013987 ____A C:\Users\admin\Desktop\TESTS.txt
2013-03-19 20:51 - 2013-03-19 20:51 - 00153928 ____A C:\Windows\Minidump\Mini032013-01.dmp
2013-03-19 20:33 - 2013-03-19 20:33 - 00015384 ____A C:\Users\admin\Documents\drivers cmd.txt
2013-03-19 05:18 - 2010-04-18 18:22 - 00000000 ____D C:\ProgramData\NVIDIA
2013-03-19 05:07 - 2002-01-04 02:18 - 00001356 ____A C:\Users\admin\AppData\Local\d3d9caps.dat
2013-03-19 04:58 - 2013-02-16 05:22 - 00000000 ____D C:\Users\admin\Desktop\mbar
2013-03-19 04:48 - 2013-03-19 04:47 - 00004484 ____A C:\Users\admin\Documents\startup.txt
2013-03-19 04:04 - 2010-05-17 00:05 - 00000105 ____A C:\Windows\System32\_WKERNEL.SYL
2013-03-19 02:32 - 2009-07-09 23:55 - 00000000 ____D C:\Program Files\CDBurnerXP
2013-03-19 02:32 - 2009-06-14 17:32 - 00082520 ____A C:\Users\admin\AppData\Local\GDIPFONTCACHEV1.DAT
2013-03-19 02:23 - 2006-11-02 04:47 - 00340040 ____A C:\Windows\System32\FNTCACHE.DAT
2013-03-19 00:48 - 2013-03-19 00:48 - 00000000 ____A C:\Windows\setuperr.log
2013-03-19 00:48 - 2013-03-19 00:48 - 00000000 ____A C:\Windows\setupact.log
2013-03-18 22:58 - 2013-03-18 22:58 - 00000258 _RASH C:\ProgramData\ntuser.pol
2013-03-18 22:58 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\GroupPolicy
2013-03-18 19:21 - 2013-03-18 19:21 - 00000960 ____A C:\Users\Public\Desktop\xplorer2.lnk
2013-03-18 19:21 - 2013-03-18 19:21 - 00000000 ____D C:\Program Files\zabkat
2013-03-17 17:37 - 2012-11-26 01:26 - 00000000 ____D C:\Program Files\NetworkActiv Sniffer
2013-03-17 17:37 - 2009-06-15 17:54 - 00000000 ____D C:\Program Files\Opera
2013-03-17 07:35 - 2013-03-17 07:35 - 00153880 ____A C:\Windows\Minidump\Mini031813-01.dmp
2013-03-17 07:33 - 2013-03-08 16:04 - 00000000 ____D C:\Users\admin\Pavark
2013-03-17 03:39 - 2013-03-17 03:39 - 00000000 ____D C:\Users\admin\AppData\Roaming\Runscanner.net
2013-03-17 02:57 - 2009-06-15 00:21 - 00000000 ____D C:\Windows\pss
2013-03-16 21:24 - 2013-03-16 21:21 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2013-03-16 21:21 - 2013-03-16 21:21 - 00001760 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Professional.lnk
2013-03-16 21:21 - 2013-03-16 21:21 - 00000000 ____D C:\Users\admin\AppData\Roaming\SUPERAntiSpyware.com
2013-03-16 02:51 - 2009-06-14 18:07 - 00101888 ____A C:\Users\admin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-03-15 05:28 - 2009-06-29 19:55 - 00000000 ____D C:\Users\admin\Documents\docs
2013-03-13 11:36 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\LogFiles
2013-03-12 21:11 - 2013-03-12 21:02 - 00000000 ____D C:\Users\admin\Documents\RK_Quarantine
2013-03-12 19:49 - 2013-03-12 19:49 - 00256904 ____A (Trend Micro Inc.) C:\Windows\System32\Drivers\tmcomm.sys
2013-03-12 16:02 - 2013-03-12 16:01 - 22073344 ____A C:\Windows\System32\LXCMRLXA
2013-03-08 16:04 - 2009-06-14 17:31 - 00000000 ____D C:\users\admin
2013-03-08 06:35 - 2013-03-12 20:15 - 00422512 ___RA C:\Windows\System32\Drivers\etc\hosts.20130313-161538.backup
2013-03-08 06:35 - 2013-03-08 06:13 - 113436891 ____A C:\Windows\System32\VUJSFN
2013-03-08 05:44 - 2013-03-08 05:44 - 00000000 ____D C:\Program Files\SPB
2013-03-08 04:44 - 2013-03-08 04:31 - 00001945 ____A C:\Windows\epplauncher.mif
2013-03-08 04:03 - 2009-06-15 20:38 - 00000000 ____D C:\Users\admin\AppData\Roaming\X-Chat 2
2013-03-06 03:42 - 2013-03-06 03:41 - 00000000 ____D C:\Users\admin\AppData\Roaming\K-Meleon
2013-03-06 03:41 - 2013-03-06 03:41 - 00000764 ____A C:\Users\admin\Desktop\K-Meleon.lnk
2013-03-06 03:41 - 2009-06-16 21:53 - 00000000 ____D C:\Users\admin\AppData\Local\K-Meleon
2013-03-06 03:41 - 2009-06-16 21:50 - 00000000 ____D C:\Program Files\K-Meleon
2013-03-04 03:05 - 2013-03-04 03:16 - 23430233 ____A C:\Users\admin\Desktop\9BE6Fd01.mp4
2013-03-03 16:18 - 2013-03-03 16:18 - 00388608 ____A (Trend Micro Inc.) C:\Users\admin\Desktop\HijackThis.exe
2013-03-03 06:08 - 2013-03-03 06:02 - 00000000 ____D C:\tromy7262t
2013-03-03 06:01 - 2013-03-03 06:01 - 00000000 ____D C:\tromy
2013-03-03 04:47 - 2011-04-02 05:53 - 00003916 ____N C:\Win32.Worm.Downladup.Gen.log
2013-03-03 03:58 - 2013-03-03 03:58 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-03-03 03:36 - 2013-03-03 02:43 - 00132256 ____A (trend_company_name) C:\Windows\System32\Drivers\tmrkb.sys
2013-03-02 23:17 - 2013-03-02 23:16 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\admin\Desktop\tdsskiller.exe
2013-03-02 22:45 - 2013-03-02 22:44 - 00153880 ____A C:\Windows\Minidump\Mini030313-01.dmp
2013-03-02 14:42 - 2012-08-30 02:34 - 00002647 ____A C:\Users\Public\Desktop\Vodafone Mobile Connect.lnk
2013-02-28 18:53 - 2009-06-16 23:45 - 00000000 ____D C:\Users\admin\AppData\Roaming\Winamp
2013-02-27 21:00 - 2013-02-27 20:58 - 00000000 ____D C:\Program Files\Mozilla Firefox 4.0 Beta 9
2013-02-27 03:14 - 2012-11-05 14:50 - 00000000 ____D C:\Program Files\FaceOnBody2
2013-02-26 22:14 - 2010-01-23 04:35 - 00030272 ____A (microOLAP Technologies LTD) C:\Windows\System32\Drivers\pssdk31.drv
2013-02-26 05:25 - 2013-02-26 05:25 - 00153880 ____A C:\Windows\Minidump\Mini022713-01.dmp
2013-02-25 23:58 - 2013-02-25 23:57 - 00000020 ____A C:\Users\admin\defogger_reenable
2013-02-25 22:31 - 2013-02-25 22:31 - 00064548 ____A C:\Users\admin\Documents\cc_20130226_183100.reg
2013-02-25 22:29 - 2013-02-25 22:29 - 00376832 ____A C:\Users\admin\Desktop\6uppxqy0.exe
2013-02-25 17:34 - 2008-07-28 19:32 - 00000000 ____D C:\getservice
2013-02-25 17:04 - 2010-05-17 00:05 - 00000000 ____D C:\Program Files\WinUtilities
2013-02-25 06:44 - 2013-03-08 06:35 - 00000027 ____A C:\Windows\System32\Drivers\etc\hosts.20130309-023531.backup
2013-02-25 05:38 - 2009-10-28 13:55 - 00000116 ____A C:\Windows\NeroDigital.ini


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe
[2006-11-02 00:47] - [2006-11-02 01:45] - 2923520 ____A (Microsoft Corporation) FD8C53FB002217F6F888BCF6F5D7084D

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2006-11-02 00:38] - [2006-11-02 01:46] - 0633856 ____A (Microsoft Corporation) E698A5437B89A285ACA3FF022356810A

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2006-11-02 00:52] - [2006-11-02 01:51] - 0208488 ____A (Microsoft Corporation) 11EF6C1CAEF76B685233450A126125D6


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-03-21 23:22:57

==================== Memory info ===========================

Percentage of memory in use: 27%
Total physical RAM: 1534.94 MB
Available physical RAM: 1109.76 MB
Total Pagefile: 1367.64 MB
Available Pagefile: 1197.54 MB
Total Virtual: 2047.88 MB
Available Virtual: 1976.97 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:74.53 GB) (Free:32 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (LRMCFRE_EN_DVD) (CDROM) (Total:2.49 GB) (Free:0 GB) UDF
3 Drive e: () (Removable) (Total:1.88 GB) (Free:1.88 GB) FAT
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

  Disk ###  Status      Size     Free     Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
  Disk 0    Online        75 GB  1081 KB         
  Disk 1    Online      1926 MB      0 B         

Partitions of Disk 0:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary             75 GB  1024 KB

=========================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C                NTFS   Partition     75 GB  Healthy            

=========================================================

Partitions of Disk 1:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1922 MB  4096 KB

=========================================================

Disk: 1
Partition 1
Type  : 06
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     E                FAT    Removable   1922 MB  Healthy            

=========================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 999CA4E5

Partition 1:
=========
Hex: 8020210007FEFFFF0008000000E85009
Active: YES
Type: 07 (NTFS)
Size: 75 GB

==============================
Partitions of Disk 1:
===============
Disk ID: 00000000

Partition 1:
=========
Hex: 008203000612D2D20020000000103C00
Active: NO
Type: 06
Size: 2 GB


Last Boot: 2013-03-24 04:56

==================== End Of Log ============================

 

6uppxqy0.exe is GMER

SPB is Spybot

tmcomm.sys is the sys file for TDSSKiller

tromy is Combofix

I assume sed, grep, zip are from Combofix?

What I can't access is

C:\Windows\System32\LXCMRLXA

C:\Windows\System32\VUJSFN

I tried fixing the comp via system recovery tools, it failed too.

btw, here is a screenshot of the virus taking control of COMBOFIX

[screenshot: uC7IqDT.jpg]


Edited by Warpath, 24 March 2013 - 10:09 AM.


#4 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,003 posts
  • Gender:Male
  • Location:California
  • Local time:04:00 PM

Posted 24 March 2013 - 01:34 PM

Greetings,

Please run these two programs for me.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • From a clean computer press the Windows logo key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
C:\Windows\System32\LXCMRLXA
C:\Windows\System32\VUJSFN
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up) and select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the flashdrive (Fixlog.txt) please post it to your reply.
===================================================

Running TDSSKiller with Changed Parameters

--------------------
  • Please download TDSSKiller from here and save it to your Desktop
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters
  • Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now
  • Click Start Scan and allow the scan process to run
  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue
  • Click Reboot computer
  • Please zip and attach in your reply the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Farbar log
  • TDSSKiller zip file

Edited by Oh My, 24 March 2013 - 01:35 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 Warpath

Warpath
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:11:00 AM

Posted 24 March 2013 - 10:25 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2013
Ran by SYSTEM at 2013-03-25 14:40:37 Run:1
Running from E:\

==============================================

C:\Windows\System32\LXCMRLXA moved successfully.
C:\Windows\System32\VUJSFN moved successfully.

==== End of Fixlog ====

 

Again, nothing. THE VIRUS IS STILL RUNNING IN THE RESOURCE MONITOR. As I said before, this virus may have been here for years, and thus Farbar, which only scans for 30 days, would not find it... I also think the virus has "special permission" in the group policy and thus unless we find out and remove those permissions, removing the virus is impossible. I will not run any more scanners, because as I said in my OP, only GMER finds that it EXISTS but can do nothing about it... it prevents me from finding it in the registry too... and more importantly, I still don't know the name of the virus. It's literally like chasing a ghost...

Please, I need a HUMAN REPLY this time from Oh My!

#6 Oh My!
Posted 24 March 2013 - 10:35 PM

Why do you think you are getting an automated response?

Please do this.

===================================================

Ubuntu MBR and Driver Report Using a USB

--------------
  • You will need a USB device with at least 2 GB of space. Warning: During this process all information will be removed from your USB device.
  • Download Ubuntu Live Ubuntu 12.04 LTS (either 64 or 32 bit) and save it to your desktop. This is a large file so allow it some time to download.
  • Download Pen Drive Linux's USB Installer and save it to your desktop
  • Double click the Universal-USB-Installer icon, select Run, then I Agree
  • On the dropdown list under Step 1 select Ubuntu 12.04 Desktop (the one you downloaded to your desktop)
  • Select the Browse button under Step 2, locate, and double click the Ubuntu file you downloaded to your desktop
  • Select your USB device under Step 3
  • Place a check mark in the Format (your USB drive letter, i.e. E):\ Drive (Erases Content) box
  • Disregard Step 4
  • Click Create, then Yes
  • Once the process has completed click Close
  • Download udriver.sh to your USB device
  • With the USB device inserted into the infected computer restart your computer
  • If your computer does not automatically boot from the USB device please see here
  • Select Run from USB device
  • Please allow the program to automatically load to the Ubuntu desktop
  • Select English, then click Try Ubuntu
  • Click on the Dash Home icon located just underneath the Ubuntu Desktop title bar at the top
  • Type terminal in the search box then press Enter
  • A command prompt window will open
  • Now please type the following and press Enter. Make sure there is a space between the different parts of the command.

sudo dd if=/dev/sda of=mbr.txt bs=512 count=1

  • A mbr.txt file will be created in your Home folder
  • Type Exit then press Enter
  • Click on the Home Folder which is most likely the third icon down on the left
  • Under Devices please click the USB device (if that is not present remove the USB device and plug it back in)
  • Locate the udriver.sh icon listed in the USB contents window, right click, select Move to, then click Home
  • Close any open windows
  • Click the Dash Home icon (1st icon on left)
  • Select the Terminal icon
  • Type the following at the prompt and hit Enter

sudo bash udriver.sh

  • Wait until report.txt pops up or the command line indicates the search is finished. This can take a while, so please be patient!
  • The report.txt file will be located in the Home folder (same folder as mbr.txt)
  • Type the following at the prompt and hit Enter

sudo bash udriver.sh -af

  • You will be prompted to input a file name. Please type the following then press Enter:

Winlogon.exe

  • After the search is completed please type the following then press Enter:

atapi.sys

  • After the search is completed please type the following then press Enter:

volsnap.sys

  • After the search is completed please type the following then press Enter:

explorer.exe

  • After the search is completed please type the following then press Enter:

Userinit.exe

  • After the last search is complete please type Exit and press Enter
  • Click the Home Folder
  • Right click on filefind.txt, and select Send to...
  • Click the drop down list next to Send as:, select Removable disks and shares, click the USB device (may be there by default), then click Send
  • Repeat these steps for report.txt
  • Remove the USB device from your computer
  • In the upper right hand corner of your screen select the icon just to the right of the time
  • Click Shut down..., then Restart
  • Your computer should reboot into Windows
  • Insert the USB device back into your computer
  • Zip the report.txt file and attach it to your reply. Attach but do not zip the mbr.txt and filefind.txt files.
===================================================

Things I would like to see in your next reply.
  • report.zip
  • mbr.txt
  • filefind.txt

Edited by Oh My, 24 March 2013 - 10:45 PM.

Gary
 
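The file search that udriver.sh performs here with -af (and that driver.sh performs in the later xPUD post) lists every copy of winlogon.exe, atapi.sys, volsnap.sys, explorer.exe and userinit.exe on the disk, so the live copy under System32 can be compared with the copies Windows keeps elsewhere. The script below is an added example written for this thread; it is not the helper's udriver.sh/driver.sh and was not posted by either participant. It assumes the Windows volume is mounted read-only at a path passed as the first argument (for example /mnt/sda1); run without an argument it walks a constructed sample tree instead.

```python
"""List every copy of a set of Windows system files under a mounted volume
and report size, mtime and SHA-256, so copies of the same name that differ
can be picked out for closer inspection.

Added example for this thread, not the driver.sh/udriver.sh script linked in
the posts. Usage from a live Linux system: python3 filefind.py /mnt/sda1
"""
import hashlib
import os
import sys
import tempfile
from collections import defaultdict

# The same names the -af search in the post asks for.
TARGETS = ("winlogon.exe", "atapi.sys", "volsnap.sys", "explorer.exe", "userinit.exe")


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, names=TARGETS):
    """Walk root and group matching files by lower-cased name (NTFS names are
    case-insensitive, so VOLSNAP.SYS and volsnap.sys are the same file name)."""
    wanted = {n.lower() for n in names}
    found = defaultdict(list)
    for dirpath, _dirs, filenames in os.walk(root):   # symlinks are not followed
        for fn in filenames:
            if fn.lower() not in wanted:
                continue
            path = os.path.join(dirpath, fn)
            try:
                st = os.stat(path)
                digest = sha256_of(path)
            except OSError:
                continue                                # unreadable: skip, keep walking
            found[fn.lower()].append(
                {"path": path, "size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest})
    return dict(found)


def flag_divergent(found):
    """Names that exist in more than one distinct version on the volume."""
    return {name: copies for name, copies in found.items()
            if len({c["sha256"] for c in copies}) > 1}


def build_sample_tree(root):
    """Constructed sample volume (not real driver contents): two identical
    atapi.sys copies and two volsnap.sys copies whose bytes differ."""
    files = {
        "Windows/System32/drivers/atapi.sys": b"atapi sample bytes",
        "Windows/winsxs/x86_atapi/atapi.sys": b"atapi sample bytes",
        "Windows/System32/drivers/volsnap.sys": b"volsnap sample bytes",
        "Users/admin/AppData/Local/Temp/VOLSNAP.SYS": b"volsnap sample bytes, modified",
        "Windows/explorer.exe": b"explorer sample bytes",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)


def demo():
    """Run the search over the constructed tree; return (found, divergent)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        found = find_copies(root)
        return found, flag_divergent(found)


if __name__ == "__main__":
    found = find_copies(sys.argv[1]) if len(sys.argv) > 1 else demo()[0]
    for name, copies in sorted(found.items()):
        print(name)
        for c in copies:
            print(f"  {c['size']:>10}  {c['sha256'][:16]}...  {c['path']}")
    for name in flag_divergent(found):
        print(f"NOTE: {name} exists in more than one version; compare the copies above")
```

A patched driver keeps its name and its normal path, so a listing on its own proves nothing; what the grouping shows is whether the copy that actually loads from System32\drivers matches the copies Windows keeps under winsxs. Differences are also normal after updates, so the output is evidence to hand to the helper, not a verdict.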

#7 Warpath

Posted 24 March 2013 - 11:33 PM

I have already mentioned I have LIMITED internet data and thus I can't download LARGE files. I have already wasted over 4 gigs of data trying to find out what I have by downloading all these random and literally USELESS scanners..

Now you are asking me to get a whole new OS? I could have easily upgraded my Vista to Windows 7 but I chose not to because I felt I can fight this. There has to be some other option than this... I don't think I want another OS on my computer... is there another option? I already said I know what the problem is and it's the registry; the virus has created a new group policy and is hiding in the registry... If you can't help me another way, can you at least tell me what I have so that I can find some other options online?

Every time I'm forced to "reboot" I feel the virus is getting stronger and having more control over the system... I lost my last hard drive because I ran so many checks and scanners that the virus was able to take full control of my HDD and literally KILLED it... that time I was infected with a Virut...


Edited by Warpath, 24 March 2013 - 11:34 PM.


#8 Oh My!
Posted 25 March 2013 - 12:22 AM

I am not requesting anything that is useless. Please let me know if you are willing and able to follow my instructions. Without completing the steps I have requested I will be unable to help you.

Please let me know what you would like to do.
Gary
 

#9 Warpath

Posted 25 March 2013 - 01:19 AM

No, I have mentioned in my OP, I have run all scanners and all the MAJOR rootkit finders; they have all failed, so in those cases they are all useless. They might work if I'm able to remove the virus's user control rights... tell me how to do that and then maybe I can run those scanners again and they might find them... New "services" in the registry get created every time I restart the computer, and the 200 MB file which Farbar moved to quarantine may not be the only virus in the comp... As I said earlier, the worst virus I fought was a Virut and I lost; I do not want to do that again..... Is there another option... in terms of fixing the registry and user rights on the PC?

Internet is expensive in my country; I can't afford to download files that are so big, and there is a good chance the download will crash midway due to the ISP placing barriers to prevent major downloads (piracy laws)...

The virus could very well be a bootkit or rootkit Whistler virus, but an evolved form..


Edited by Warpath, 25 March 2013 - 01:36 AM.


#10 Warpath

Posted 25 March 2013 - 01:49 AM

Anyways, I ran MBRCheck and this is the log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:            
Windows Version:        Windows Vista Home Premium Edition
Windows Information:         (build 6000), 32-bit
Logical Drives Mask:        0x0000003c

Kernel Drivers (total 158):
  0x83000000 \SystemRoot\system32\ntoskrnl.exe
  0x83395000 \SystemRoot\system32\hal.dll
  0x806C6000 \SystemRoot\system32\kdcom.dll
  0x80666000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
  0x8065D000 \SystemRoot\system32\PSHED.dll
  0x80655000 \SystemRoot\system32\BOOTVID.dll
  0x8061A000 \SystemRoot\system32\CLFS.SYS
  0x80539000 \SystemRoot\system32\CI.dll
  0x8050B000 \SystemRoot\system32\drivers\97984384.sys
  0x80490000 \SystemRoot\system32\drivers\Wdf01000.sys
  0x80483000 \SystemRoot\system32\drivers\WDFLDR.SYS
  0x876E9000 \SystemRoot\System32\Drivers\sptd.sys
  0x80440000 \SystemRoot\system32\drivers\acpi.sys
  0x80437000 \SystemRoot\system32\drivers\WMILIB.SYS
  0x8042F000 \SystemRoot\system32\drivers\msisadrv.sys
  0x80420000 \SystemRoot\system32\drivers\volmgr.sys
  0x876C4000 \SystemRoot\system32\drivers\pci.sys
  0x80410000 \SystemRoot\System32\drivers\mountmgr.sys
  0x80409000 \SystemRoot\system32\drivers\intelide.sys
  0x876B6000 \SystemRoot\system32\drivers\PCIIDEX.SYS
  0x8766C000 \SystemRoot\System32\drivers\volmgrx.sys
  0x80401000 \SystemRoot\system32\drivers\atapi.sys
  0x8764E000 \SystemRoot\system32\drivers\ataport.SYS
  0x8761D000 \SystemRoot\system32\drivers\fltmgr.sys
  0x8760D000 \SystemRoot\system32\drivers\fileinfo.sys
  0x87509000 \SystemRoot\system32\drivers\ndis.sys
  0x874DE000 \SystemRoot\system32\drivers\msrpc.sys
  0x874A5000 \SystemRoot\system32\drivers\NETIO.SYS
  0x87AF8000 \SystemRoot\System32\Drivers\Ntfs.sys
  0x8743B000 \SystemRoot\System32\Drivers\ksecdd.sys
  0x87405000 \SystemRoot\system32\drivers\volsnap.sys
  0x87AF0000 \SystemRoot\System32\Drivers\spldr.sys
  0x87AE1000 \SystemRoot\System32\drivers\partmgr.sys
  0x87AD2000 \SystemRoot\System32\Drivers\mup.sys
  0x87AAD000 \SystemRoot\System32\drivers\ecache.sys
  0x87A9C000 \SystemRoot\system32\drivers\disk.sys
  0x87A7B000 \SystemRoot\system32\drivers\CLASSPNP.SYS
  0x87A6B000 \SystemRoot\system32\DRIVERS\agp440.sys
  0x87A62000 \SystemRoot\system32\drivers\crcdisk.sys
  0x88D19000 \SystemRoot\system32\DRIVERS\intelppm.sys
  0x8C8F8000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
  0x8AC01000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
  0x8BC2F000 \SystemRoot\System32\drivers\dxgkrnl.sys
  0x8BC22000 \SystemRoot\System32\drivers\watchdog.sys
  0x88C46000 \SystemRoot\system32\DRIVERS\usbuhci.sys
  0x8ACE2000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
  0x8AFDE000 \SystemRoot\system32\DRIVERS\usbehci.sys
  0x8AFB4000 \SystemRoot\System32\Drivers\AnyDVD.sys
  0x8AF9C000 \SystemRoot\system32\DRIVERS\cdrom.sys
  0x88D88000 \SystemRoot\System32\DRIVERS\InCDPass.sys
  0x88D90000 \SystemRoot\System32\Drivers\incdrm.SYS
  0x8BED4000 \SystemRoot\system32\drivers\STAC97.sys
  0x8BEA7000 \SystemRoot\system32\drivers\portcls.sys
  0x8BE82000 \SystemRoot\system32\drivers\drmk.sys
  0x8BE58000 \SystemRoot\system32\drivers\ks.sys
  0x8C6F0000 \SystemRoot\system32\DRIVERS\serial.sys
  0x88C16000 \SystemRoot\system32\DRIVERS\serenum.sys
  0x8C5C1000 \SystemRoot\system32\DRIVERS\parport.sys
  0x8C4EE000 \SystemRoot\system32\DRIVERS\i8042prt.sys
  0x8AD1F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
  0x8C858000 \SystemRoot\system32\DRIVERS\msiscsi.sys
  0x8C818000 \SystemRoot\system32\DRIVERS\storport.sys
  0x8AD2A000 \SystemRoot\system32\DRIVERS\TDI.SYS
  0x8C801000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
  0x8AD35000 \SystemRoot\system32\DRIVERS\ndistapi.sys
  0x8C37A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
  0x88EE9000 \SystemRoot\system32\DRIVERS\raspppoe.sys
  0x8C205000 \SystemRoot\system32\DRIVERS\raspptp.sys
  0x8C28A000 \SystemRoot\system32\DRIVERS\termdd.sys
  0x8AD40000 \SystemRoot\system32\DRIVERS\mouclass.sys
  0x8AC0B000 \SystemRoot\system32\DRIVERS\swenum.sys
  0x8C631000 \SystemRoot\system32\DRIVERS\mssmbios.sys
  0x8C019000 \SystemRoot\system32\DRIVERS\umbus.sys
  0x8D473000 \SystemRoot\system32\DRIVERS\usbhub.sys
  0x88F00000 \SystemRoot\System32\Drivers\NDProxy.SYS
  0x8C778000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
  0x88CF6000 \SystemRoot\System32\Drivers\Null.SYS
  0x88CFD000 \SystemRoot\System32\Drivers\Beep.SYS
  0x88D04000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
  0x88E59000 \SystemRoot\System32\drivers\vga.sys
  0x8C3A0000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
  0x88DC1000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
  0x88D30000 \SystemRoot\system32\drivers\rdpencdd.sys
  0x8C510000 \SystemRoot\System32\Drivers\InCDrec.SYS
  0x8C54A000 \SystemRoot\System32\Drivers\InCDfs.SYS
  0x8AD82000 \SystemRoot\System32\Drivers\Msfs.SYS
  0x8BF47000 \SystemRoot\System32\Drivers\Npfs.SYS
  0x8C74B000 \SystemRoot\System32\DRIVERS\rasacd.sys
  0x8D69F000 \SystemRoot\System32\drivers\tcpip.sys
  0x8C531000 \SystemRoot\System32\drivers\fwpkclnt.sys
  0x8AC27000 \SystemRoot\system32\DRIVERS\tdx.sys
  0x8C75D000 \SystemRoot\system32\DRIVERS\hidusb.sys
  0x88F20000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
  0x8AC03000 \SystemRoot\system32\DRIVERS\USBD.SYS
  0x88D38000 \SystemRoot\system32\DRIVERS\mouhid.sys
  0x88C32000 \SystemRoot\system32\DRIVERS\smb.sys
  0x8ACB0000 \SystemRoot\System32\DRIVERS\netbt.sys
  0x8AEED000 \SystemRoot\system32\drivers\afd.sys
  0x8D779000 \SystemRoot\system32\drivers\ws2ifsl.sys
  0x8AED7000 \SystemRoot\system32\DRIVERS\pacer.sys
  0x8BF71000 \SystemRoot\system32\DRIVERS\netbios.sys
  0x8AC9D000 \SystemRoot\system32\DRIVERS\wanarp.sys
  0x8AEB5000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
  0x8AF76000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
  0x8AE7A000 \SystemRoot\system32\DRIVERS\rdbss.sys
  0x8C6B3000 \SystemRoot\system32\drivers\nsiproxy.sys
  0x8C6BD000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
  0x8AE63000 \SystemRoot\System32\Drivers\dfsc.sys
  0x8ADE8000 \SystemRoot\system32\DRIVERS\udfs.sys
  0x8D5F6000 \SystemRoot\System32\Drivers\crashdmp.sys
  0x8ADA3000 \SystemRoot\System32\Drivers\dump_dumpata.sys
  0x88D70000 \SystemRoot\System32\Drivers\dump_atapi.sys
  0x9D200000 \SystemRoot\System32\win32k.sys
  0x8C6C7000 \SystemRoot\System32\drivers\Dxapi.sys
  0x8C2D5000 \SystemRoot\system32\DRIVERS\monitor.sys
  0x9D000000 \SystemRoot\System32\TSDDD.dll
  0x9D010000 \SystemRoot\System32\cdd.dll
  0x8C1AA000 \SystemRoot\system32\drivers\luafv.sys
  0x8C460000 \SystemRoot\system32\drivers\spsys.sys
  0x88FD0000 \SystemRoot\system32\DRIVERS\lltdio.sys
  0x8AC0F000 \SystemRoot\system32\DRIVERS\netprobe.sys
  0x8C04D000 \SystemRoot\system32\DRIVERS\rspndr.sys
  0x8D566000 \SystemRoot\system32\drivers\HTTP.sys
  0x8C5A6000 \SystemRoot\System32\DRIVERS\srvnet.sys
  0x8C6D7000 \SystemRoot\system32\DRIVERS\bowser.sys
  0x8C5DD000 \SystemRoot\System32\drivers\mpsdrv.sys
  0x8C8DA000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
  0x8D43A000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
  0x8C785000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
  0x8D406000 \SystemRoot\System32\DRIVERS\srv2.sys
  0x9FA74000 \SystemRoot\System32\DRIVERS\srv.sys
  0x8D794000 \SystemRoot\system32\DRIVERS\asyncmac.sys
  0x88CDA000 \SystemRoot\system32\DRIVERS\parvdm.sys
  0x8C513000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
  0x88CE1000 \SystemRoot\system32\drivers\npf.sys
  0x9F87B000 \SystemRoot\system32\drivers\peauth.sys
  0x8C645000 \SystemRoot\System32\Drivers\secdrv.SYS
  0xA278F000 \SystemRoot\system32\DRIVERS\faxnt.sys
  0x8C887000 \SystemRoot\system32\DRIVERS\spkpnt.sys
  0x8AC55000 \SystemRoot\system32\DRIVERS\strmdisp.sys
  0x8ADAE000 \SystemRoot\System32\drivers\tcpipreg.sys
  0x8BF7F000 \SystemRoot\system32\DRIVERS\tonesnt.sys
  0xA2715000 \SystemRoot\system32\DRIVERS\v124nt.sys
  0xA2674000 \??\C:\Program Files\CyberLink\PowerDVD8\000.fcl
  0x8ADB9000 \SystemRoot\system32\drivers\tdtcp.sys
  0x88EB9000 \SystemRoot\System32\DRIVERS\tssecsrv.sys
  0x9FBA2000 \SystemRoot\System32\Drivers\RDPWD.SYS
  0x9FB31000 \SystemRoot\system32\DRIVERS\ewusbmdm.sys
  0xA971B000 \SystemRoot\system32\DRIVERS\cdfs.sys
  0x88E4D000 \??\C:\Users\admin\AppData\Local\Temp\aswMBR.sys
  0x8BC01000 \SystemRoot\system32\DRIVERS\usbccgp.sys
  0x8D65E000 \SystemRoot\system32\drivers\modem.sys
  0x8C72C000 \SystemRoot\system32\DRIVERS\ewusbnet.sys
  0x8BD82000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
  0x8C026000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
  0x8C0AC000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
  0x9FBE8000 \??\C:\Windows\system32\Drivers\PROCEXP113.SYS
  0x76E40000 \Windows\System32\ntdll.dll

Processes (total 37):
       0 System Idle Process
       4 System
     364 C:\Windows\System32\smss.exe
     436 csrss.exe
     484 C:\Windows\System32\wininit.exe
     492 csrss.exe
     532 C:\Windows\System32\services.exe
     560 C:\Windows\System32\winlogon.exe
     572 C:\Windows\System32\lsass.exe
     580 C:\Windows\System32\lsm.exe
     760 C:\Windows\System32\svchost.exe
     816 C:\Windows\System32\svchost.exe
     864 C:\Windows\System32\svchost.exe
     928 C:\Windows\System32\svchost.exe
     948 C:\Windows\System32\svchost.exe
    1080 C:\Windows\System32\audiodg.exe
    1112 C:\Windows\System32\SLsvc.exe
    1140 C:\Windows\System32\svchost.exe
    1296 C:\Windows\System32\svchost.exe
    1468 C:\Windows\System32\spoolsv.exe
    1500 C:\Windows\System32\svchost.exe
    1620 C:\Windows\System32\dwm.exe
    1648 C:\Windows\explorer.exe
    1944 C:\Windows\System32\svchost.exe
     284 C:\Windows\System32\TCPSVCS.EXE
     392 C:\Windows\System32\svchost.exe
     748 C:\Windows\System32\svchost.exe
    2196 C:\Windows\System32\wbem\unsecapp.exe
    2236 WmiPrvSE.exe
    2560 C:\Windows\System32\perfmon.exe
    2232 C:\Windows\System32\taskmgr.exe
    3952 WUDFHost.exe
    3004 C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
    2276 C:\Program Files\Mozilla Firefox 4.0 Beta 9\firefox.exe
    1176 C:\Users\admin\desktop\procexp.exe
    1912 C:\Users\admin\desktop\Extraz\IP\smsniff.exe
    1484 C:\Users\admin\desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000  (NTFS)

PhysicalDrive0 Model Number: ST380215A, Rev: 3.AAD   

      Size  Device Name          MBR Status
  --------------------------------------------
     74 GB  \\.\PhysicalDrive0   Unknown MBR code
            SHA1: 1C02D1F61A8850FE57BB59AB7B44BD44A699A619


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
  [1] Dump the MBR of a physical disk to file.
  [2] Restore the MBR of a physical disk with a standard boot code.
  [3] Exit.

Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): -1

Done!
 
I didn't know what "Enter the physical disk number to fix (0-99, -1 to cancel)" was so I didn't choose any; can you help?

So now I'm sure that I have a Whistler-type rootkit.

Btw, my comp doesn't have a CD writer.

I was watching the resource monitor when MBRCheck was running; for some odd reason it did not take CONTROL of it like it did to all other scanners...

EDIT: I RAN THIS AGAIN with the right option (3)... the virus was still there. Ran OTL; it crashed a few times while scanning the service I mentioned earlier (rtksbh), and when I tried the cleanup option, I found it deleted MBRCheck, aswMBR and TDSSKILLER from the desktop as well as all their logfiles in C:\... makes me wonder if the virus controlled it and told it to delete those..... it's getting stronger :(

I assume rtksbh = Rootkit.Win32.Agent.sbh ?


Edited by Warpath, 25 March 2013 - 02:37 AM.


#11 Oh My!

Posted 25 March 2013 - 08:44 AM

Greetings,

I am afraid we need to come to an understanding. If you desire help then I must give the instructions and you must follow the instructions, only completing the instructions I provide and nothing else. You have taken independent steps which do not help us but actually complicates matters more. It seems you want me to provide you with an instant answer, or a new path for you to act upon independently.

I don't think you understand. We need to get a picture of the state of your computer BEFORE Windows loads. Malware sometimes is set to launch upon Windows startup and during that process it then hides itself sufficiently to either not be found or be very difficult to deal with. The way around that possibility is to perform what I have requested you do in Post #6, namely run Ubuntu. If you have a tree that is drawing in poison at the root source you can pick all the damaged fruit off its limbs you want but you will never resolve the issue. Damaged fruit will continue to appear over and over again. Until we determine whether or not you have a root(kit) source problem I can not effectively help you.

It is unfortunate you have a cost issue with your internet but certain steps need to be taken. We can try to use another program which requires a smaller download. This program tends to be a little less reliable than the first program I requested you run.

The bottom line is if we are unable to get this information to either confirm or rule out certain things I can't help you. And if you take any further independent actions/steps I won't help you.

Should you desire to continue please perform the below. In doing so I will accept that as your agreement that you will perform what is asked of you and that you will refrain from any further independent actions.

===================================================

xPUD MBR Dump and Driver Scan using USB

--------------------

Try this please. You will need a USB drive with no less than 64 mb of space.
  • Insert your USB drive. Caution: The next step will remove all information from your USB device.
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Download xPUD 0.9.2 iso, saving the file to your Desktop.
  • Download UNetbootin and save it to your Desktop as well.
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded.
  • Press Run then OK.
  • Note: If you receive the message "You must select a distribution to load" just follow the instructions below
  • Select the Diskimage option then click the Browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?) If it is not there remove the USB device for 5 seconds then reinsert.
  • Confirm that you see driver.sh that you downloaded there
  • Click Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh and press Enter
  • After it has finished a report will be located on your USB device named report.txt
  • Now type bash driver.sh -af and press Enter
  • You will be prompted to input a file name. Please type the following then press Enter:

Winlogon.exe

  • After the search is completed please type the following then press Enter:

volsnap.sys

  • After the search is completed please type the following then press Enter:

explorer.exe

  • After the search is completed please type the following then press Enter:

Userinit.exe

  • After the search is complete please type Exit and press Enter
  • A report will be located in the USB drive as filefind.txt
  • Now please type the following and press Enter. Make sure there is a space between the different parts of the command.

dd if=/dev/sda of=mbr.zip bs=512 count=1

  • After it has finished (within just a few seconds) a file will be located on your USB drive named mbr.zip.
  • Remove the USB drive, insert it back in your working computer
  • Copy and paste the contents of filefind.txt in your reply
  • Please zip and attach report.txt to your reply
  • Please attach mbr.zip to your reply
===================================================

Things I would like to see in your next reply.
  • filefind.txt
  • report.zip
  • mbr.zip

Edited by Oh My!, 25 March 2016 - 02:25 PM.

Gary
 
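Both the Ubuntu post (#6) and the xPUD post above dump the first sector of the disk with dd, and the MBRCheck output in post #10 shows what a checker does with such a sector: it reports an MBR status ("Unknown MBR code") together with a SHA1. The script below is an added example written for this thread; it is not MBRCheck, aswMBR or anything posted by the participants. It parses a 512-byte dump such as the mbr.txt or mbr.zip the instructions produce, checks the 55 AA boot signature, hashes the boot code, and decodes the four partition entries. When run without a file it builds a constructed sector from the "Partition 1" entry shown in the aswMBR log near the top of this page (Hex: 008203000612D2D20020000000103C00, Type 06, Size 2 GB). The known-good hash set given to classify_boot_code is an assumption the reader has to fill in; none is hard-coded, because the page gives none.

```python
"""Parse a raw 512-byte MBR dump and report what an MBR checker looks at.

Added example for this thread; not MBRCheck, aswMBR or any script posted on
the page. Input: the 512 bytes written by `dd if=/dev/sda of=... bs=512 count=1`.
Usage: python3 mbrparse.py mbr.txt   (no argument: parse a constructed sample)
"""
import hashlib
import struct
import sys

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold the boot loader code; this is what is hashed
DISK_ID_OFF = 440          # 4-byte NT disk signature ("Disk ID" in the aswMBR log)
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIG_OFF = 510         # the last two bytes must be 55 AA

# Constructed sample entry: the bytes shown for "Partition 1" in the aswMBR log above.
SAMPLE_ENTRY = bytes.fromhex("008203000612D2D20020000000103C00")


def build_sample_mbr(entries=(SAMPLE_ENTRY,), disk_id=0, boot_code=b""):
    """Assemble a 512-byte sector from a partition list (constructed test data)."""
    mbr = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    mbr[:len(code)] = code
    struct.pack_into("<I", mbr, DISK_ID_OFF, disk_id)
    for i, entry in enumerate(entries[:4]):
        off = PART_TABLE_OFF + 16 * i
        mbr[off:off + 16] = entry
    mbr[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(mbr)


def parse_partition_entry(entry):
    """Decode one entry: status, CHS start, type, CHS end, LBA start, sector count."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {
        "hex": entry.hex().upper(),
        "active": status == 0x80,          # 0x80 = bootable flag, 0x00 = not active
        "type": ptype,                     # 0x06 = FAT16, 0x07 = NTFS, ...
        "lba_start": lba_start,
        "sectors": sectors,
        "size_gb": round(sectors * SECTOR / 2**30, 2),
        "empty": not any(entry),
    }


def parse_mbr(data):
    """Return the fields an analyst wants from one sector of raw data."""
    if len(data) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(data)}")
    boot_code = data[:BOOT_CODE_LEN]
    disk_id = struct.unpack_from("<I", data, DISK_ID_OFF)[0]
    entries = [data[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)] for i in range(4)]
    return {
        "boot_signature_ok": data[BOOT_SIG_OFF:] == b"\x55\xaa",
        "disk_id": f"{disk_id:08X}",
        "boot_code_sha1": hashlib.sha1(boot_code).hexdigest().upper(),
        "boot_code_all_zero": not any(boot_code),
        "partitions": [parse_partition_entry(e) for e in entries],
    }


def classify_boot_code(report, known_good_sha1):
    """'standard' if the boot-code hash is in the caller's allow-list, else 'unknown'.
    known_good_sha1 is supplied by the reader (e.g. hashes taken from a clean
    install of the same Windows version); this example hard-codes none."""
    return "standard" if report["boot_code_sha1"] in known_good_sha1 else "unknown"


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    rep = parse_mbr(raw)
    print(f"Disk ID: {rep['disk_id']}  boot signature ok: {rep['boot_signature_ok']}")
    print(f"Boot code SHA1: {rep['boot_code_sha1']}  verdict: {classify_boot_code(rep, set())}")
    for n, p in enumerate(rep["partitions"], 1):
        if not p["empty"]:
            print(f"Partition {n}: hex={p['hex']} active={p['active']} type={p['type']:02X} "
                  f"lba={p['lba_start']} size={p['size_gb']} GB")
```

The hash covers only the first 440 bytes, so it is stable across machines that run the same loader and changes when a bootkit swaps the loader while leaving the partition table valid. Whether MBRCheck hashes exactly this range is not stated on the page. An "unknown" verdict is not proof of infection on its own: third-party boot managers and OEM recovery loaders also produce boot code no allow-list recognises, which is why the helper asks for the raw dump rather than the verdict.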

#12 Oh My!

Posted 28 March 2013 - 09:25 AM

Greetings,

===================================================

3 Day Bump

It has been more than 3 days since my last post.
  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Gary
 

#13 Warpath

Posted 30 March 2013 - 04:56 AM

Sorry, I think I have figured out what I have. It's Mebromi :(

My internet is pathetic and I have been unable to come online for the last 3 days; not sure if it's the virus or what...



#14 Warpath

Posted 30 March 2013 - 06:31 AM

The virus cannot be removed unless someone can tell me how to remove the user group setting on Vista. I'm usually

Users (admin-PC\Users)

but now I see

Administrators (admin-PC\Administrators)

apart from

SYSTEM

Can someone tell me how to fix this and then we can move forward...

Every time I run something, the (Administrators (admin-PC\Administrators)) takes control and manipulates its data so it cannot detect it; unless I can get rid of it, any scanner will be useless..



#15 Oh My!

Posted 30 March 2013 - 10:13 AM

Greetings,

I would like to see if we can successfully run a couple of programs. Please do this.

===================================================

Re-installing and Running ComboFix

--------------------

I would like you to delete Combofix and then re-install it. We will then run the program again with the new copy.
  • Right click on the ComboFix icon on your desktop and select Delete.
  • Please download ComboFix from one of these locations and save it to your desktop:

Bleepingcomputer

ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Press the Windows key + R on your keyboard at the same time
  • Type c:\combofix.exe /nombr and press Enter
  • When finished, it will produce a log. Please include the C:\Combofix.txt log in your next reply.
===================================================

OTL

--------------------
  • Please download OTL and save it to your desktop
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Copy and paste the two reports in your next reply.

OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized

===================================================

Manually Exporting Registry Key

-------------------
  • Press the Windows key + R on your keyboard at the same time
  • Type regedit and press Enter
  • Navigate to the following registry entry

HKLM\SYSTEM\CurrentControlSet\Services\rtksbh

  • Right click on the key and select Export
  • A file should be on your desktop
  • Right click on the file and select Edit
  • A Notepad document will open
  • Copy and paste the information in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.
  • Combofix log
  • OTL log
  • Extra log
  • Registry Key export

Gary
 



