Continuing "Win32:Malware-Gen" warnings in Avast [Solved]
Started by
Neddie11
, Jan 13 2010 03:18 PM
#16
Posted 21 January 2010 - 03:17 PM
#17
Posted 21 January 2010 - 03:21 PM
OK, I guess we are looking at something rooty here. To disable Avast, right-click the icon and select Shield Control > Disable until computer restarted.
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
#18
Posted 21 January 2010 - 03:40 PM
Here's the ComboFix log:
ComboFix 10-01-21.01 - Nick 21-01-2010 22:28:42.3.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.31.1033.18.3067.2272 [GMT 1:00]
Started from: c:\users\Nick\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.
(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\jwwbqss.dll
.
(((((((((((((((((((( Files Created from 2009-12-21 to 2010-01-21 ))))))))))))))))))))))))))))))
.
2010-01-21 21:35 . 2010-01-21 21:35 -------- d-----w- c:\users\Nick\AppData\Local\temp
2010-01-21 21:35 . 2010-01-21 21:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-21 21:35 . 2010-01-21 21:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-21 21:26 . 2010-01-21 21:27 -------- d-----w- C:\32788R22FWJFW
2010-01-21 21:13 . 2010-01-19 11:42 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-21 21:13 . 2010-01-19 13:13 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-21 21:13 . 2010-01-19 11:43 23248 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-21 21:13 . 2010-01-19 11:46 46544 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-21 21:13 . 2010-01-19 11:43 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-01-21 21:12 . 2010-01-19 11:57 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-01-21 21:12 . 2010-01-19 11:57 152672 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-21 21:12 . 2010-01-21 21:12 -------- d-----w- c:\programdata\Alwil Software
2010-01-21 20:01 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-21 20:01 . 2010-01-21 20:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-21 20:01 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-14 23:02 . 2010-01-14 23:02 52224 ----a-w- c:\users\Nick\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-14 23:02 . 2010-01-14 23:02 117760 ----a-w- c:\users\Nick\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-14 23:01 . 2010-01-14 23:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-01-14 23:01 . 2010-01-14 23:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-14 23:01 . 2010-01-14 23:01 -------- d-----w- c:\users\Nick\AppData\Roaming\SUPERAntiSpyware.com
2010-01-14 22:58 . 2010-01-14 22:58 -------- d-----w- c:\program files\SpywareBlaster
2010-01-14 22:54 . 2010-01-14 22:54 -------- d-----w- c:\users\Nick\AppData\Roaming\Auslogics
2010-01-13 20:03 . 2010-01-13 20:03 -------- d-----w- c:\program files\TrendMicro
2010-01-13 18:52 . 2009-10-19 14:10 108544 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 18:52 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-01-10 15:53 . 2010-01-13 22:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-10 15:53 . 2010-01-13 22:16 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-01 15:25 . 2010-01-01 15:25 -------- d-----w- c:\users\Nick\AppData\Local\Threat Expert
2010-01-01 14:42 . 2010-01-01 14:42 -------- d-----w- c:\users\Nick\AppData\Roaming\Malwarebytes
2010-01-01 14:42 . 2010-01-01 14:42 -------- d-----w- c:\programdata\Malwarebytes
2009-12-27 15:03 . 2009-12-27 15:03 -------- d-----w- c:\programdata\SAMSUNG
2009-12-27 15:02 . 2006-11-14 08:11 13312 ----a-w- c:\windows\system32\drivers\KMDFMEMIO.sys
2009-12-27 15:02 . 2010-01-04 14:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-27 14:17 . 2010-01-04 14:34 -------- d-----w- c:\windows\system32\AGEIA
2009-12-27 14:17 . 2010-01-04 14:34 -------- d-----w- c:\program files\AGEIA Technologies
2009-12-27 14:17 . 2010-01-14 23:00 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-27 14:15 . 2010-01-04 14:33 -------- d-----w- C:\NVIDIA
.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-21 21:15 . 2009-11-05 20:14 694684 ----a-w- c:\windows\system32\perfh013.dat
2010-01-21 21:15 . 2009-11-05 20:14 131278 ----a-w- c:\windows\system32\perfc013.dat
2010-01-21 21:12 . 2009-10-31 16:05 -------- d-----w- c:\program files\Alwil Software
2010-01-21 10:26 . 2009-11-01 15:45 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 10:12 . 2009-10-31 15:08 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 18:55 . 2009-10-31 15:34 -------- d-----w- c:\programdata\Microsoft Help
2010-01-10 16:50 . 2009-07-13 23:11 21584 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-04 14:34 . 2009-11-22 12:04 -------- d-----w- c:\program files\Datel
2009-12-29 14:25 . 2009-11-01 15:46 -------- d-----w- c:\programdata\NVIDIA
2009-12-27 15:02 . 2009-12-27 15:02 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_KMDFMEMIO_01000.Wdf
2009-12-08 17:31 . 2009-11-17 17:15 -------- d-----w- c:\users\Nick\AppData\Roaming\gtk-2.0
2009-11-22 13:40 . 2009-11-22 13:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-05 20:13 . 2009-11-05 20:14 341322 ----a-w- c:\windows\system32\perfi013.dat
2009-11-05 20:13 . 2009-11-05 20:14 43068 ----a-w- c:\windows\system32\perfd013.dat
2009-11-05 20:13 . 2009-11-05 20:13 43068 ----a-w- c:\windows\inf\PERFLIB\0413\perfd.dat
2009-11-05 20:13 . 2009-11-05 20:13 43068 ----a-w- c:\windows\inf\PERFLIB\0413\perfc.dat
2009-11-05 20:13 . 2009-11-05 20:13 341322 ----a-w- c:\windows\inf\PERFLIB\0413\perfi.dat
2009-11-05 20:13 . 2009-11-05 20:13 341322 ----a-w- c:\windows\inf\PERFLIB\0413\perfh.dat
2009-11-03 12:33 . 2009-10-31 14:56 108824 ----a-w- c:\users\Nick\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-31 16:53 . 2009-10-31 16:53 284147 ----a-r- c:\users\Nick\AppData\Roaming\Microsoft\Installer\{47609E69-4C5E-48B1-A889-24C6B82B5C04}\_93A0BD079836122C39D406.exe
2009-10-31 16:53 . 2009-10-31 16:53 284147 ----a-r- c:\users\Nick\AppData\Roaming\Microsoft\Installer\{47609E69-4C5E-48B1-A889-24C6B82B5C04}\_6FEFF9B68218417F98F549.exe
2009-10-31 16:53 . 2009-10-31 16:53 284147 ----a-r- c:\users\Nick\AppData\Roaming\Microsoft\Installer\{47609E69-4C5E-48B1-A889-24C6B82B5C04}\_3207B59E601B5F75D71B21.exe
2009-10-29 07:22 . 2009-11-25 20:10 2048 ----a-w- c:\windows\system32\tzres.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.
((((((((((((((((((((((((((((((((((((( Reg Startup Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-19 13793824]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-01-19 2743104]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
R1 aswSP;aswSP;c:\windows\System32\drivers\aswSP.sys [21-1-2010 22:13 162640]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5-1-2010 7:56 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5-1-2010 7:56 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [21-1-2010 22:13 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [21-1-2010 22:13 51792]
R2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\System32\drivers\KMDFMEMIO.sys [27-12-2009 16:02 13312]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\netw5v32.sys [10-6-2009 22:18 4231168]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [21-8-2009 20:24 66592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5-1-2010 7:56 7408]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\System32\drivers\yk62x86.sys [13-7-2009 23:02 311296]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.nl/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x863C8618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x856c7810
QueryNameProcedure -> 0x856c79a0
user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-01-21 22:38:28
ComboFix-quarantined-files.txt 2010-01-21 21:38
Pre-Run: 95.540.277.248 bytes available
Post-Run: 95.520.940.032 bytes available
- - End Of File - - A4A047A5FBAD3457F5AD4CADB14C0E99
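The log above is the kind of thing a helper reads by eye. As an added example, not part of this thread and not a ComboFix or BleepingComputer tool, the Python script below parses the "Reg Startup Points" block of such a log and answers two questions worth settling before cleanup goes any further: whether UAC is in its default state, and whether any Run-key autostart launches from a user-writable directory. On the first point the log above deserves a second look: EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are all 0, which means UAC is switched off on this Windows 7 machine and anything started by the logged-on administrator already runs fully elevated. The sample log embedded in the script is constructed from the lines above plus one invented "Updater" entry (c:\users\Nick\AppData\Local\Temp\updater.exe) so that the second check has something to hit; nothing like it appears in the real log.

```python
"""Triage the 'Reg Startup Points' block of a ComboFix log.

Two things worth settling first when reading such a log:
  1. Is UAC in its default state?  (The thread's log shows it switched off.)
  2. Does any Run-key autostart launch from a user-writable location?
"""
import re

# Constructed sample: lines taken from the ComboFix log in the thread, plus one
# invented "Updater" autostart so the second check has a hit.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-19 13793824]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-01-19 2743104]
"Updater"="c:\users\Nick\AppData\Local\Temp\updater.exe" [2010-02-07 12345]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s+\[[^\]]*\])?$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\d+)\s+\(0x[0-9a-fA-F]+\)$')

# A value of 0 in any of these turns a layer of UAC off (Vista/7 value names).
UAC_OFF_WHEN_ZERO = {
    "enablelua": "EnableLUA=0: UAC disabled, administrator logons run fully elevated",
    "consentpromptbehavioradmin": "ConsentPromptBehaviorAdmin=0: admins elevate with no prompt at all",
    "promptonsecuredesktop": "PromptOnSecureDesktop=0: elevation prompts shown on the normal desktop, where other processes can interact with them",
}

# Autostarts launching from here deserve a look. Legitimate software rarely
# autostarts from Temp; AppData/ProgramData hits are leads, not verdicts.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\",
                 "\\documents and settings\\")


def parse_startup_points(text):
    """Map each [KEY] (lower-cased) to its (name, value) pairs.

    Run-style lines yield the path string, policy lines an int."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        m = RUN_RE.match(line)
        if m:
            sections[current].append((m.group("name"), m.group("path")))
            continue
        m = DWORD_RE.match(line)
        if m:
            sections[current].append((m.group("name"), int(m.group("value"))))
    return sections


def uac_findings(sections):
    """One message for every UAC policy value that is set to 0."""
    out = []
    for key, values in sections.items():
        if not key.endswith("\\policies\\system"):
            continue
        for name, value in values:
            msg = UAC_OFF_WHEN_ZERO.get(name.lower())
            if msg and value == 0:
                out.append(msg)
    return out


def run_key_findings(sections):
    """(name, path) for every Run-key entry under a user-writable directory."""
    out = []
    for key, values in sections.items():
        if not key.endswith("\\run"):
            continue
        for name, path in values:
            low = str(path).lower()
            if any(marker in low for marker in USER_WRITABLE):
                out.append((name, path))
    return out


def triage(text):
    """Run both checks over the text of a ComboFix log."""
    sections = parse_startup_points(text)
    return {"uac": uac_findings(sections), "run": run_key_findings(sections)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for line in report["uac"]:
        print("UAC:", line)
    for name, path in report["run"]:
        print("RUN:", name, "->", path)
```

Run it as-is to print the report for the embedded sample, or pass the text of a real C:\ComboFix.txt to triage(). The user-writable markers include AppData and ProgramData on purpose: plenty of legitimate updaters live there, so a hit is a lead to check, not a verdict.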
#19
Posted 21 January 2010 - 04:05 PM
Hmm, no suspicious drivers; one bad DLL killed.
Could you now run a sweep for orphans with MBAM
Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
#20
Posted 21 January 2010 - 04:15 PM
The MBAM log for you, I haven't had any warnings since I ran ComboFix:
Malwarebytes' Anti-Malware 1.44
Database version: 3610
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
21-1-2010 23:13:52
mbam-log-2010-01-21 (23-13-52).txt
Scan type: Quick Scan
Objects scanned: 102567
Time elapsed: 3 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
#21
Posted 21 January 2010 - 04:21 PM
Nice. I would like you to run for about 24 hours or so to ensure that there are no more alerts. If there aren't, I shall then remove my tools and tidy up.
#22
Posted 21 January 2010 - 04:26 PM
So should I keep my laptop running for twenty-four hours straight, or should I just shut it down and see what it's like when I start it up tomorrow?
Thanks for your fantastic help again BTW
#23
Posted 21 January 2010 - 04:37 PM
Use it as you normally would, stopping/starting/surfing etc. That should show whether there are any remnants.
#24
Posted 22 January 2010 - 05:15 PM
Well, it's been a day now and fortunately I can say I haven't had any alerts of any kind. Let's hope the topic can remain closed for (much) longer this time.
#25
Posted 22 January 2010 - 05:18 PM
But you get the bonus of a second clean spiel.
Nah, just kidding. Run OTS and hit the cleanup button and the tools will vanish.
Have fun and enjoy.
#26
Posted 23 January 2010 - 05:36 AM
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
#27
Posted 07 February 2010 - 09:02 AM
Let's have another look.
To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.
Download OTS to your Desktop
- Close ALL OTHER PROGRAMS.
- Double-click on OTS.exe to start the program.
- Check the box that says Scan All Users
- Under Additional Scans check the following:
- Reg - Shell Spawning
- File - Lop Check
- File - Purity Scan
- Evnt - EvtViewer (last 10)
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
%SYSTEMDRIVE%\*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
To attach a file, do the following:
- Click Add Reply
- Under the reply panel is the Attachments Panel
- Browse for the attachment file you want to upload, then click the green Upload button
- Once it has uploaded, click the Manage Current Attachments drop down box
- Click on to insert the attachment into your post
#29
Posted 07 February 2010 - 10:12 AM
Aha, this time I can see it.
Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YY -> "C:\Windows\TEMP\obyx.tmp\svchost.exe" -> C:\Windows\TEMP\obyx.tmp\svchost.exe [C:\Windows\TEMP\obyx.tmp\svchost.exe:*:Enabled:svchost]
[Custom Items]
:files
C:\Windows\TEMP\obyx.tmp
:end
[Empty Temp Folders]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.
I will review the information when it comes back in.
THEN
Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
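The OTS fix above removes a Windows Firewall exception for an svchost.exe that lives in C:\Windows\TEMP rather than in System32, which is the tell that a malicious process has granted itself inbound access. As an added example (not part of the original post or of OTS), the script below audits entries of the legacy AuthorizedApplications\List format, flagging any system-binary name outside the Windows system directory and any executable under a temp or user-writable path. The sample list is constructed here, not exported from the poster's machine; the SYSTEM_BINARIES and WRITABLE_DIRS sets are the author's assumptions about what counts as suspicious.

```python
import re
from dataclasses import dataclass, field

# Legacy Windows Firewall (XP SP2 through Windows 7) stores per-program
# exceptions as REG_SZ values under
#   HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
#       FirewallPolicy\StandardProfile\AuthorizedApplications\List
# The value name is the executable path and the data has the shape
#   <path>:<scope>:<Enabled|Disabled>:<display name>
# The path contains its own colon (drive letter), so the fields are matched
# from the right rather than split on ':'.
_ENTRY_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<name>.*)$"
)
# Only the real Windows system directories may host these binaries.
_SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\[^\\]+$")
# Assumed list of Windows binary names that malware commonly borrows for camouflage.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "spoolsv.exe", "wininit.exe"}
# Assumed staging locations where a firewall exception for an executable is
# almost never legitimate (lower-case, backslash-terminated, substring match).
WRITABLE_DIRS = ("c:\\windows\\temp\\", "\\appdata\\local\\temp\\",
                 "\\local settings\\temp\\", "c:\\users\\public\\", "\\recycler\\")


@dataclass
class Finding:
    path: str
    scope: str
    state: str
    name: str
    reasons: list = field(default_factory=list)


def parse_entry(data: str) -> dict:
    """Split one value's data into path/scope/state/name."""
    m = _ENTRY_RE.match(data)
    if not m:
        raise ValueError(f"unrecognised AuthorizedApplications data: {data!r}")
    return m.groupdict()


def audit_entry(data: str) -> Finding:
    """Return a Finding; an empty reasons list means the entry looked benign."""
    e = parse_entry(data)
    p = e["path"].lower()
    base = p.rsplit("\\", 1)[-1]
    f = Finding(e["path"], e["scope"], e["state"], e["name"])
    if base in SYSTEM_BINARIES and not _SYSTEM_DIR_RE.match(p):
        f.reasons.append(f"{base} outside the Windows system directory")
    if any(d in p for d in WRITABLE_DIRS):
        f.reasons.append("executable lives in a temp or user-writable directory")
    return f


def audit_list(entries) -> list:
    """Audit an iterable of value-data strings; return only suspicious findings."""
    return [f for f in map(audit_entry, entries) if f.reasons]


# Constructed sample: the entry from the OTS fix above plus three made-up
# entries of the same shape (not exported from any real machine).
SAMPLE_LIST = [
    r"C:\Windows\TEMP\obyx.tmp\svchost.exe:*:Enabled:svchost",
    r"C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox",
    r"C:\Windows\System32\svchost.exe:*:Enabled:Host Process for Windows Services",
    r"C:\Users\alice\AppData\Local\Temp\setup.exe:LocalSubNet:Disabled:setup",
]

if __name__ == "__main__":
    for f in audit_list(SAMPLE_LIST):
        print(f"[{f.state}] {f.path} ({f.name}): " + "; ".join(f.reasons))
```

A Disabled entry is still reported, since the value records that something once registered an exception from that path even if it is not currently allowing traffic; the state is carried in the finding so the reader can prioritise Enabled ones. On a live Windows 7 machine the value data can be exported with reg.exe or read with PowerShell's Get-ItemProperty and fed to audit_list.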
#30
Posted 07 February 2010 - 10:41 AM
So, all the scan results are in; let's have a look. Actually, after I ran the OTS fix and scan, I got another malware alert from Avast about the svchost.exe file, so we're not out of the woods just yet, it seems.
This is what OTS said after I ran the fix:
All Processes Killed
[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\obyx.tmp\svchost.exe deleted successfully.
File C:\Windows\TEMP\obyx.tmp\svchost.exe not found.
[Custom Items]
========== FILES ==========
File/Folder C:\Windows\TEMP\obyx.tmp not found.
[Empty Temp Folders]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Nick
->Temp folder emptied: 9425986 bytes
->Temporary Internet Files folder emptied: 34859366 bytes
->Java cache emptied: 0 bytes
User: Public
->Temp folder emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3040 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 42.00 mb
< End of fix log >
OTS by OldTimer - Version 3.1.20.1 fix logfile created on 02072010_171946
Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.
Registry entries deleted on Reboot...
After that I ran the 'regular' OTS scan, like you asked and this is the log:
OTS.Txt (131.72KB, attached)
And finally the MBAM log:
Malwarebytes' Anti-Malware 1.44
Database version: 3701
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
7-2-2010 17:36:46
mbam-log-2010-02-07 (17-36-46).txt
Scan type: Quick Scan
Objects scanned: 105454
Time elapsed: 2 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)