
Rootkit TDSS, trojans, etc. Can't make it go away for good


  • This topic is locked

#16
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi ph1290,

Your logs and system are clean now. I'm glad we fixed up your computer. We need to clean up your PC from the programs we used.

Step 1

Please start OTL one more time and click the CleanUp button. OTL will restart your system at the end. Remove all other applications we used to clean your PC.

General recommendations

Here are some recommendations you should follow to minimize infection risk in the future:

1. Enable Windows Update
  • Click Start, click Run, type sysdm.cpl, and then press ENTER.
  • Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them option.
  • Click the OK button

2. Delete Temp files

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run; make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

3. Make Backups of Important Files

Please read this article Home Computer Data Backup.


4. Regularly update your software

To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor’s patch installed.

You should download Update Checker from here. The program will automatically check for newer versions of the software installed on your system.



#17
ph1290

    Member

  • Topic Starter
  • Member
  • 58 posts
Not there yet... Got a couple of redirects. Ran MBAM 6/28 and again today. Both times it found some items. I am posting both logs.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6949

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/28/2011 11:58:54 PM
mbam-log-2011-06-28 (23-58-54).txt

Scan type: Quick scan
Objects scanned: 221395
Time elapsed: 7 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\localservice\application data\020000004280165e1270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\020000004280165e1270o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\020000004280165e1270p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\020000004280165e1270s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000004280165e1270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000004280165e1270o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000004280165e1270p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000004280165e1270s.manifest (Malware.Trace) -> Quarantined and deleted successfully.





today's log

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6949

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/30/2011 10:24:12 PM
mbam-log-2011-06-30 (22-24-12).txt

Scan type: Quick scan
Objects scanned: 216883
Time elapsed: 8 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#18
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi ph1290,

Just when I thought we nailed it... :). Now we have work to do.

Step 1

Re-Run aswMBR

  • Click Scan
  • On completion of the scan
  • Click the FIXMBR Button
  • Save the log as before and post in your next reply
Step 2

Delete your version of Combofix and download a new one. Do one more scan with Combofix.

Step 3

Run AVPTool scan and post log here for me.

Step 4

Please don't forget to include these items in your reply:

  • aswMBR log
  • Combofix log
  • AVPTool log
It would be helpful if you could post each log in a separate post.

#19
ph1290

    Member

  • Topic Starter
  • Member
  • 58 posts
aswmbr log

aswMBR version 0.9.7.675 Copyright© 2011 AVAST Software
Run date: 2011-06-21 09:16:09
-----------------------------
09:16:09.140 OS Version: Windows 5.1.2600 Service Pack 3
09:16:09.140 Number of processors: 2 586 0x1706
09:16:09.140 ComputerName: 7-51896 UserName:
09:16:11.859 Initialize success
09:16:36.171 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-12
09:16:36.171 Disk 0 Vendor: HITACHI_HTS543216L9SA00 FB2ZC48C Size: 152627MB BusType: 3
09:16:38.187 Disk 0 MBR read successfully
09:16:38.187 Disk 0 MBR scan
09:16:38.187 Disk 0 Windows XP default MBR code
09:16:40.187 Disk 0 scanning sectors +312575760
09:16:40.218 Disk 0 scanning C:\WINDOWS\system32\drivers
09:16:54.968 Service scanning
09:16:56.296 Disk 0 trace - called modules:
09:16:56.328 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8afd41ed]<<
09:16:56.328 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b058ab8]
09:16:56.328 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000099[0x8b02d9e8]
09:16:56.328 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-12[0x8b059d98]
09:16:56.328 \Driver\atapi[0x8b12d2d0] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8afd41ed
09:16:56.656 Scan finished successfully
09:17:12.203 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\harrisap\Desktop\MBR.dat"
09:17:12.218 The log file has been saved successfully to "C:\Documents and Settings\harrisap\Desktop\aswMBR.txt"


aswMBR version 0.9.7.675 Copyright© 2011 AVAST Software
Run date: 2011-07-02 07:40:55
-----------------------------
07:40:55.218 OS Version: Windows 5.1.2600 Service Pack 3
07:40:55.218 Number of processors: 2 586 0x1706
07:40:55.218 ComputerName: 7-51896 UserName:
07:40:56.828 Initialize success
07:43:27.640 AVAST engine defs: 11070200
07:43:35.937 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-12
07:43:35.953 Disk 0 Vendor: HITACHI_HTS543216L9SA00 FB2ZC48C Size: 152627MB BusType: 3
07:43:37.968 Disk 0 MBR read successfully
07:43:37.968 Disk 0 MBR scan
07:43:37.968 Disk 0 Windows XP default MBR code
07:43:39.968 Disk 0 scanning sectors +312575760
07:43:39.984 Disk 0 scanning C:\WINDOWS\system32\drivers
07:43:59.234 Service scanning
07:44:00.343 Disk 0 trace - called modules:
07:44:00.359 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
07:44:00.375 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b07bab8]
07:44:00.375 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\0000009b[0x8b0519e8]
07:44:00.375 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-12[0x8b086d98]
07:44:01.078 AVAST engine scan C:\WINDOWS
08:14:51.906 File: C:\WINDOWS\system32\atioglx232.dll **INFECTED** Win32:Malware-gen
08:20:22.125 File: C:\WINDOWS\system32\mciole1632.dll **INFECTED** Win32:Malware-gen
08:25:57.265 AVAST engine scan C:\Documents and Settings\harrisap
09:00:38.062 AVAST engine scan C:\Documents and Settings\All Users
09:03:50.140 Scan finished successfully
09:08:51.421 Disk 0 Windows 501 MBR fixed successfully
09:09:13.062 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\harrisap\Desktop\MBR.dat"
09:09:13.062 The log file has been saved successfully to "C:\Documents and Settings\harrisap\Desktop\aswMBR.txt"

#20
ph1290

    Member

  • Topic Starter
  • Member
  • 58 posts
combofix log


ComboFix 11-07-01.02 - harrisap 07/02/2011 9:12.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3050.2028 [GMT -4:00]
Running from: c:\documents and settings\harrisap\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Service_6to4
.
.
((((((((((((((((((((((((( Files Created from 2011-06-02 to 2011-07-02 )))))))))))))))))))))))))))))))
.
.
2011-07-01 00:48 . 2011-07-01 00:48 -------- d-----w- c:\program files\iPod
2011-07-01 00:48 . 2011-07-01 00:49 -------- d-----w- c:\program files\iTunes
2011-07-01 00:44 . 2011-07-01 00:44 -------- d-----w- c:\program files\Bonjour
2011-07-01 00:34 . 2011-07-01 00:34 -------- d-----w- c:\program files\Safari
2011-07-01 00:31 . 2011-07-01 00:31 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2011-07-01 00:31 . 2011-07-01 00:31 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2011-07-01 00:31 . 2011-07-01 00:31 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2011-07-01 00:31 . 2011-07-01 00:31 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2011-07-01 00:31 . 2011-07-01 00:31 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2011-07-01 00:31 . 2011-07-01 00:31 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2011-07-01 00:31 . 2011-07-01 00:31 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2011-07-01 00:31 . 2011-07-01 00:31 -------- d-----w- c:\program files\QuickTime
2011-06-28 11:06 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\45932412.sys
2011-06-28 11:06 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\4593241.sys
2011-06-28 11:06 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\45932411.sys
2011-06-26 00:10 . 2011-06-26 00:10 -------- d-----w- c:\windows\Cache
2011-06-26 00:10 . 2011-06-26 00:10 -------- d-----w- c:\program files\HP Photo Creations
2011-06-26 00:10 . 2011-06-26 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Photo Creations
2011-06-26 00:10 . 2011-06-26 00:10 -------- d-----w- c:\documents and settings\harrisap\Application Data\HpUpdate
2011-06-26 00:05 . 2011-06-26 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2011-06-25 22:56 . 2011-06-25 22:56 169472 ----a-w- c:\windows\system32\mciole1632.dll
2011-06-25 18:34 . 2011-03-02 10:43 175616 ----a-w- c:\windows\system32\unrar.dll
2011-06-25 18:34 . 2011-03-19 19:00 151552 ----a-w- c:\windows\system32\ac3acm.acm
2011-06-25 18:34 . 2010-11-03 18:08 237568 ----a-w- c:\windows\system32\yv12vfw.dll
2011-06-25 18:34 . 2008-09-24 18:41 839680 ----a-w- c:\windows\system32\lameACM.acm
2011-06-25 18:34 . 2011-06-16 08:00 73216 ----a-w- c:\windows\system32\ff_vfw.dll
2011-06-25 18:34 . 2011-06-25 18:35 -------- d-----w- c:\program files\K-Lite Codec Pack
2011-06-20 14:01 . 2011-06-20 14:01 -------- d-----w- c:\documents and settings\harrisap\Application Data\SUPERAntiSpyware.com
2011-06-20 14:01 . 2011-06-21 01:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-18 04:06 . 2011-06-18 04:06 0 ---ha-w- c:\documents and settings\harrisap\pftwgunibm.tmp
2011-06-18 02:59 . 2011-06-18 02:59 349696 ----a-w- c:\windows\system32\atioglx232.dll
2011-06-13 22:31 . 2011-06-13 22:31 -------- d-----w- c:\program files\ESET
2011-06-13 05:29 . 2011-06-21 03:40 -------- d-----w- c:\program files\Xactware
2011-06-12 12:59 . 2011-06-12 12:59 -------- d-----w- c:\documents and settings\harrisap\Application Data\SPE
2011-06-12 05:11 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-06 03:48 . 2011-06-06 03:48 -------- d-----w- c:\windows\PIF
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-02 13:21 . 2007-11-15 10:11 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-07-02 13:21 . 2007-11-15 19:11 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-06-24 01:23 . 2007-11-15 16:58 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2011-06-02 00:15 . 2010-02-23 02:18 243200 ----a-w- c:\windows\system32\xvidvfw.dll
2011-06-02 00:10 . 2010-02-23 02:18 644608 ----a-w- c:\windows\system32\xvidcore.dll
2011-05-28 14:34 . 2010-07-26 11:10 13160 ----a-w- c:\windows\system32\Upgrd.exe
2011-05-28 14:34 . 2007-11-15 19:11 58288 ------w- c:\windows\system32\rpcnet.exe
2011-05-26 21:19 . 2011-05-26 21:19 0 ----a-w- c:\documents and settings\harrisap\Local Settings\Application Data\BIT5A.tmp
2011-05-10 12:06 . 2010-07-11 12:57 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-10 12:06 . 2010-07-11 12:57 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01DDBE95-1B2C-411A-AF1F-D5B285186F8c}]
2011-06-18 02:59 349696 ----a-w- c:\windows\system32\atioglx232.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D878C055-93D0-B676-E86D-BDA5143E8BB5}]
2011-06-25 22:56 169472 ----a-w- c:\windows\system32\mciole1632.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\YspService.exe" [2010-04-01 243000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-08 125368]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-05-14 1323008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-06-12 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\mciole1632.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrintNow.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PrintNow.lnk
backup=c:\windows\pss\PrintNow.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Conime]
2008-04-14 09:42 27648 ----a-w- c:\windows\system32\conime.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2009-04-07 21:27 1511424 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-07 21:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfFactory Dispatcher v1]
2003-07-11 01:19 380928 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\fppdis1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfFactory Dispatcher v3]
2009-06-12 19:39 606208 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-06-10 16:26 2424192 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-03 23:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%programfiles%\UltaVnc\winvnc.exe"= %programfiles%\UltaVnc\winvnc.exe:LocalSubNet,192.168.24.0/255.255.255.0,199.231.8.0/255.255.255.0,192.168.151.0/255.255.255.0:enabled:UltraVnc
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2967:TCP"= 2967:TCP:199.231.8.0/255.255.255.0:Enabled:NAV10.1
"5900:TCP"= 5900:TCP:LocalSubNet,192.168.24.0/255.255.255.0,199.231.8.0/255.255.255.0,192.168.151.0/255.255.255.0:Enabled:UltraVnc-Port
"2967:UDP"= 2967:UDP:199.231.8.0/255.255.255.0:Enabled:NAV9.1
"38293:UDP"= 38293:UDP:199.231.8.0/255.255.255.0:Enabled:NAV9.2
"139:TCP"= 139:TCP:LocalSubNet,199.231.8.0/255.255.255.0,192.168.24.0/255.255.255.0,192.168.151.0/255.255.255.0:Enabled:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:LocalSubNet,199.231.8.0/255.255.255.0,192.168.24.0/255.255.255.0,192.168.151.0/255.255.255.0:Enabled:@xpsp2res.dll,-22005
"137:UDP"= 137:UDP:LocalSubNet,199.231.8.0/255.255.255.0,192.168.24.0/255.255.255.0,192.168.151.0/255.255.255.0:Enabled:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:LocalSubNet,199.231.8.0/255.255.255.0,192.168.24.0/255.255.255.0,192.168.151.0/255.255.255.0:Enabled:@xpsp2res.dll,-22002
"3389:TCP"= 3389:TCP:LocalSubnet,192.168.24.0/255.255.255.0,192.168.151.0/255.255.255.0,199.231.8.0/255.255.255.0:Enabled:@xpsp2res.dll,-22009
"2568:TCP"= 2568:TCP:199.231.8.0/255.255.255.0:Enabled:SMS-CliHealth
"2701:TCP"= 2701:TCP:199.231.8.0/255.255.255.0:Enabled:SMS-Ping
"2702:TCP"= 2702:TCP:199.231.8.0/255.255.255.0:Enabled:SMS-RemoteControl
"2703:TCP"= 2703:TCP:199.231.8.0/255.255.255.0:Enabled:SMS-Chat
"2704:TCP"= 2704:TCP:199.231.8.0/255.255.255.0:Enabled:SMS-FileXfr
"9322:TCP"= 9322:TCP:EKDiscovery
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"Enabled"= 1 (0x1)
"RemoteAddresses"= *
.
R0 45932412;45932412 Boot Guard Driver;c:\windows\system32\drivers\45932412.sys [6/28/2011 7:06 AM 37392]
R1 45932411;45932411;c:\windows\system32\drivers\45932411.sys [6/28/2011 7:06 AM 128016]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 F5 Networks Component Installer;F5 Networks Component Installer;c:\windows\system32\F5InstallerService.exe [6/4/2008 9:51 AM 262784]
R2 MSSQL$XACTWARE;SQL Server (XACTWARE);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [8/5/2008 5:58 PM 29184016]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 9:48 PM 116664]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [5/14/2009 11:41 AM 243856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/9/2011 7:13 AM 105592]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [5/14/2009 6:19 PM 33920]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/19/2010 8:59 AM 136176]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe --> c:\program files\Kodak\AiO\Center\EKDiscovery.exe [?]
S2 KodakSvc;Kodak AiO Device Service;"c:\program files\Kodak\AiO\center\KodakSvc.exe" --> c:\program files\Kodak\AiO\center\KodakSvc.exe [?]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [5/14/2009 11:41 AM 475520]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [12/2/2008 12:07 PM 10752]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/19/2010 8:59 AM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/12/2011 1:11 AM 39984]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [7/7/2008 1:23 PM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [5/9/2008 12:08 PM 174336]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;c:\oracle\ora81\bin\ONRSD.EXE [10/19/2000 12:55 PM 411244]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [3/20/2009 8:03 PM 32408]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
S4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [7/8/2010 4:43 PM 229376]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
.
2011-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-19 12:59]
.
2011-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-19 12:59]
.
2011-06-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
2009-07-10 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-12-12 23:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: adp.com
Trusted Zone: centra.com
Trusted Zone: dhl-usa.com
Trusted Zone: learn.com
Trusted Zone: microsoft.com
Trusted Zone: virtela.net
Trusted Zone: windowsupdate.com
TCP: DhcpNameServer = 97.64.209.36 97.64.168.13
TCP: Interfaces\{BD21A35D-410C-445D-8CDC-301D6B859268}: DhcpNameServer = 97.64.209.36 97.64.168.13
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {68132570-CED6-11D5-91AE-000039F5040E} - hxxp://www.employeeedge.com/NAVUPDPRJ.CAB
DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} - file://C:/Program Files/F5 VPN/F5_TMP/urvncx.cab
.
.
------- File Associations -------
.
.txt=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-02 09:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(988)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1100)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\notes\ntmulti.exe
c:\program files\Visioneer\OneTouch 4.0\OtService.exe
c:\windows\system32\rpcnet.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\windows\system32\msiexec.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2011-07-02 09:29:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-02 13:29
ComboFix2.txt 2011-06-25 23:03
.
Pre-Run: 94,505,803,776 bytes free
Post-Run: 96,059,011,072 bytes free
.
Current=5 Default=5 Failed=4 LastKnownGood=2 Sets=1,2,3,4,5
- - End Of File - - B9B0638E5C738823E817452A8468D787
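As an added example, not part of the thread and not code from ComboFix, aswMBR or Malwarebytes: a Python triage script that cross-references the "Reg Loading Points" section of the ComboFix log above with the **INFECTED** lines from the aswMBR log in the earlier post, and reports load points that are either flagged or backed by a recently created file. The embedded excerpts are copied from the posted logs; the 30-day "recent" threshold is an assumption. It shows mciole1632.dll registered both as a Browser Helper Object and in AppInit_DLLs, with both flagged DLLs created within the two weeks before the scan.

```python
import re
from datetime import date

# Constructed excerpts copied from the logs posted in this thread: the ComboFix
# "Reg Loading Points" section and the aswMBR **INFECTED** lines.
COMBOFIX_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01DDBE95-1B2C-411A-AF1F-D5B285186F8c}]
2011-06-18 02:59 349696 ----a-w- c:\windows\system32\atioglx232.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D878C055-93D0-B676-E86D-BDA5143E8BB5}]
2011-06-25 22:56 169472 ----a-w- c:\windows\system32\mciole1632.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\mciole1632.dll
"""
ASWMBR_EXCERPT = r"""
08:14:51.906 File: C:\WINDOWS\system32\atioglx232.dll **INFECTED** Win32:Malware-gen
08:20:22.125 File: C:\WINDOWS\system32\mciole1632.dll **INFECTED** Win32:Malware-gen
09:03:50.140 Scan finished successfully
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# File-backed entries: "<created> <time> <size> <attrs> <path>"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} +\d+ +\S+ +(.+)$")
# Run-style values: "name"="path" [created size]
RUN_RE = re.compile(r'^"[^"]+"="([^"]+)" \[(\d{4}-\d{2}-\d{2}) \d+\]$')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.*)$', re.IGNORECASE)
INFECTED_RE = re.compile(r"File: (.+?) \*\*INFECTED\*\* (\S+)")


def _kind(key):
    """Classify a registry key into the load-point type it represents."""
    lowered = key.lower()
    if "browser helper objects" in lowered:
        return "BHO"
    if lowered.endswith("\\run") or lowered.endswith("\\runonce"):
        return "Run"
    return "other"


def parse_load_points(text):
    """Return [(kind, path, created_date_or_None)] for each file-backed load point."""
    points, key = [], ""
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is a space- or comma-separated list of DLL paths
            for dll in re.split(r"[,\s]+", m.group(1).strip()):
                if dll:
                    points.append(("AppInit_DLLs", dll.lower(), None))
            continue
        m = FILE_RE.match(line)
        if m:
            points.append((_kind(key), m.group(2).lower(), date.fromisoformat(m.group(1))))
            continue
        m = RUN_RE.match(line)
        if m:
            points.append((_kind(key), m.group(1).lower(), date.fromisoformat(m.group(2))))
    return points


def parse_aswmbr_detections(text):
    """Map lower-cased file path -> detection name for every **INFECTED** line."""
    return {m.group(1).lower(): m.group(2) for m in INFECTED_RE.finditer(text)}


def triage(load_points, detections, scan_date, recent_days=30):
    """Merge load points per file; keep files flagged by aswMBR or created within
    recent_days of the scan (assumed threshold). Sorted by path."""
    merged = {}
    for kind, path, created in load_points:
        e = merged.setdefault(path, {"path": path, "load_points": [],
                                     "detection": detections.get(path), "age_days": None})
        if kind not in e["load_points"]:
            e["load_points"].append(kind)
        if created is not None:
            e["age_days"] = (scan_date - created).days
    return sorted((e for e in merged.values() if e["detection"]
                   or (e["age_days"] is not None and e["age_days"] <= recent_days)),
                  key=lambda e: e["path"])


def run_example():
    """Correlate the two excerpts against the 2011-07-02 ComboFix run date."""
    return triage(parse_load_points(COMBOFIX_EXCERPT),
                  parse_aswmbr_detections(ASWMBR_EXCERPT), date(2011, 7, 2))
```

The Run entry for ccApp.exe is old and unflagged, so it drops out of the result; only the two system32 DLLs remain, each with its load points, detection name and file age.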

#21
ph1290

    Member

  • Topic Starter
  • Member
  • 58 posts
vrt log


Autoscan: stopped 3 hours ago (events: 2, objects: 2, time: 00:00:05)
7/2/2011 9:38:43 AM Task stopped
7/2/2011 9:38:37 AM Task started
Autoscan: completed 2 hours ago (events: 2, objects: 321265, time: 01:36:03)
7/2/2011 9:38:53 AM Task started
7/2/2011 11:14:56 AM Task completed

#22
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi ph1290,

How is your system now? Problems?

#23
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.