
difficult zero access type rootkit, cant get rid of it, kills antispyw


#1 antidotepls (Member, 17 posts)

Hi,

I've been fighting with a nasty virus all day. It won't let me run Malwarebytes or SUPERAntiSpyware, or most antivirus exes for that matter. It kills them after a few seconds, then denies access to the programs after that. I can run TDSSKiller and it always finds 2 things and cures them (if I run the program again it says clean), but the problem doesn't go away. Upon reboot and running TDSSKiller again, it always still finds 2 things (albeit in different files than before). Can't run ComboFix either.
I believe there's a search hijack as well, as I did notice a redirect earlier when using Google. Not sure what to do since it kills most antispyware. I did take a quick look at the registry and I see something called swearware, which looks suspicious.
Thanks in advance for the help.

#2 RKinner (Malware Expert, MVP, 19,797 posts)

ZeroAccess is pretty nasty and it's also pretty new. Our tools are just learning how to handle it. You can try downloading Combofix again but this time change the name to george.exe and see if it will run. If not then we need to create an OTLPE CD on a clean PC.

You will first need to download ISOBurner.
This program will allow you to create a CD from an .iso file,
so first download ISOBurner to the desktop of the uninfected computer.

Now you need to download the OTLPE.iso file to the uninfected computer.
You can download it from HERE
That one will take a little while to download as it is 276.7 MB.
Once it has finished downloading, double click the OTLPE.iso icon....
Now the ISOBurner will open up automatically and step you through burning the CD... It will tell you to put the CD into the drive and will then burn the .iso file to the CD.

Now take that CD that you have just made to the infected PC and boot with it.
You will need to make sure that the computer is set to boot from CD.
You can make sure of that by following the instructions HERE

Now the infected computer will boot from the CD and load the Reatogo desktop (It's awfully slow - have to be patient)
Now you will see the OTLPE icon on the desktop:

  • Your system should now display a REATOGO-X-PE desktop.
  • You will find an icon on the desktop called OTLPE > Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings:
      • Under the Custom Scan box paste this in:

    /md5start
    iaStor.sys
    nvstor.sys
    atapi.sys
    nvata.sys
    iastorv.sys
    ipsec.sys
    svchost.exe
    mrxsmb.sys
    serial.sys
    redbook.sys
    services.exe
    netbt.sys
    wuauclt.exe
    /md5stop

  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have an internet connection on this system
  • Please post the contents of the C:\OTL.txt file in your reply.
Ron

#3 antidotepls (Topic Starter, Member, 17 posts)

Forgot to mention: it's a netbook, no cd drive. I tried making a bootable usb but the netbook isn't letting me switch to removable drive first in boot order (disabled).

#4 RKinner (Malware Expert, MVP, 19,797 posts)

Bit of a challenge then. Can you boot into Safe Mode with Command Prompt?

(Reboot and when you see the maker's logo, hear a beep or it talks about F8, start tapping the F8 key slowly. Keep tapping until the Safe Mode Menu appears and choose Safe Mode with Command Prompt. Login with your usual login.)

We might be able to do something from there.

Perhaps Safe Mode by itself, then Start, All Programs, Accessories, Command Prompt (Win7 or Vista => right-click and Run As Administrator). Type

msconfig

Check diagnostic boot and Apply, then reboot. Run OTL if you can. Quick Scan.

We have to shut off the networking because that's the first thing it infects. Your anti-virus program is probably already toast and may have been replaced by ZA.

You can usually right-click on the executable, then Properties, Security, then Edit the permissions so that Administrator or Everyone has Full Control; then the program will run one more time.

Ron

#5 antidotepls (Topic Starter, Member, 17 posts)

Here's the OTL log (it didn't look like it attached, so I will paste it here). That alternate data stream at the end worries me:

=================================


OTL logfile created on: 9/15/2011 3:57:06 PM - Run 1
OTL by OldTimer - Version 3.2.28.0 Folder = C:\Documents and Settings\peace love\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.17 Mb Total Physical Memory | 746.98 Mb Available Physical Memory | 73.58% Memory free
2.38 Gb Paging File | 2.25 Gb Available in Paging File | 94.36% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 82.82 Gb Total Space | 19.86 Gb Free Space | 23.98% Space Free | Partition Type: NTFS
Drive D: | 61.29 Gb Total Space | 61.12 Gb Free Space | 99.73% Space Free | Partition Type: NTFS

Computer Name: PEACEANDLOVE | User Name: peace love | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found -- C:\WINDOWS\3712659677:575649058.exe
PRC - [2011/09/15 15:52:10 | 000,581,632 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\peace love\My Documents\Downloads\OTL.exe
PRC - [2010/10/07 16:39:58 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2010/07/15 15:33:36 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2008/04/14 08:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\userinit.exe


========== Modules (No Company Name) ==========

MOD - [2009/11/15 11:29:04 | 000,094,208 | ---- | M] () -- C:\Program Files\FileZilla FTP Client\fzshellext.dll
MOD - [2008/06/20 12:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2008/04/14 08:00:00 | 000,258,048 | ---- | M] () -- C:\WINDOWS\ezamupag.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (VSS32)
SRV - File not found [Disabled | Stopped] -- -- (AppMgmt)
SRV - [2011/08/11 19:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Disabled | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2010/07/20 16:42:32 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [Disabled | Stopped] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/07/15 15:35:53 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Disabled | Stopped] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/04/29 11:30:44 | 000,091,456 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe -- (MotoConnect Service)
SRV - [2007/01/04 20:48:52 | 000,112,152 | R--- | M] (InterVideo) [Disabled | Stopped] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006/10/23 08:50:35 | 000,046,640 | R--- | M] (AOL LLC) [Disabled | Stopped] -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS)


========== Driver Services (SafeList) ==========

DRV - [2011/09/12 00:54:35 | 000,243,152 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2011/09/12 00:46:46 | 000,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\11091301.sys -- (11091301)
DRV - [2011/08/10 23:14:36 | 000,023,624 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hitmanpro35.sys -- (hitmanpro35)
DRV - [2011/07/22 12:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 17:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/06/02 16:48:37 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/10/22 13:54:18 | 000,037,392 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\11091302.sys -- (11091302)
DRV - [2009/10/09 23:31:10 | 000,315,408 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\1109130.sys -- (setup_9.0.0.722_07.10.2010_08-33drv)
DRV - [2009/06/30 10:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2008/09/23 13:15:00 | 000,038,400 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1e51x86.sys -- (L1e)
DRV - [2008/09/18 20:44:38 | 001,326,528 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2008/09/18 06:48:58 | 004,816,896 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/08/19 10:16:36 | 000,991,656 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2008/08/19 10:16:28 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2008/07/24 05:37:10 | 000,156,816 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2008/05/29 23:46:12 | 000,534,568 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2008/04/08 16:59:28 | 000,010,752 | ---- | M] (ASUSTeK Computer Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASUSACPI.SYS -- (AsusACPI)
DRV - [2008/03/10 06:18:42 | 000,057,384 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
DRV - [2008/02/04 05:57:44 | 000,037,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2003/01/10 17:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://eeepc.asus.com/global
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 76 58 C0 04 03 AE 8C 45 A9 87 D6 94 29 3A 9C B1 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.872
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {317B5128-0B0B-49b2-B2DB-1E7560E16C74}:2.6.8
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandasecurity.com/activescan: C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll (Panda Security, S.L.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2011/09/15 11:10:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{C4B91F02-C7EC-4CC0-B05A-DDD2B5953755}: C:\Documents and Settings\peace love\Local Settings\Application Data\{C4B91F02-C7EC-4CC0-B05A-DDD2B5953755} [2011/09/11 17:38:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/07/01 19:58:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/20 01:04:34 | 000,000,000 | ---D | M]

[2009/04/14 06:24:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\peace love\Application Data\Mozilla\Extensions
[2011/09/08 00:53:40 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\peace love\Application Data\Mozilla\Firefox\Profiles\sogffm5o.default\extensions
[2010/10/06 18:15:17 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\peace love\Application Data\Mozilla\Firefox\Profiles\sogffm5o.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/09/08 00:53:39 | 000,000,000 | ---D | M] (SeoQuake) -- C:\Documents and Settings\peace love\Application Data\Mozilla\Firefox\Profiles\sogffm5o.default\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
[2009/05/12 00:25:55 | 000,000,000 | ---D | M] (Flash AX Control) -- C:\Documents and Settings\peace love\Application Data\Mozilla\Firefox\Profiles\sogffm5o.default\extensions\[email protected]
[2011/03/20 01:04:38 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/09/11 17:38:21 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\PEACE LOVE\LOCAL SETTINGS\APPLICATION DATA\{C4B91F02-C7EC-4CC0-B05A-DDD2B5953755}
[2009/04/14 06:26:38 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/07/01 19:58:36 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2010/12/15 01:06:04 | 000,426,903 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 14704 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Lbusasufoli] C:\WINDOWS\ezamupag.dll ()
O4 - HKCU..\Run: [Qkohologocelo] C:\WINDOWS\duitshsn.dll (Development Company, L.P.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 [2010/12/19 02:11:09 | 000,000,000 | ---D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 [2010/12/19 02:11:09 | 000,000,000 | ---D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 [2010/12/19 02:11:09 | 000,000,000 | ---D | M]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe (PlotSoft LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - mswsock.dll File not found
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} http://utilities.pcp...opAntiVirus.dll (PCPitstop AntiVirus)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} https://plugins.valu...ashax/iefax.cab (Flash Casino Helper Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8C081211-1D9D-49F0-8549-EFE9C4AA8176}: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -Explorer.exe (maliprog @ Geekstogo)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\avgrsstarter: DllName - (avgrsstx.dll) - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\peace love\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\peace love\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/09 02:47:53 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{12b7bc63-d46c-11de-bf72-002243e2af4e}\Shell - "" = AutoRun
O33 - MountPoints2\{12b7bc63-d46c-11de-bf72-002243e2af4e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{12b7bc63-d46c-11de-bf72-002243e2af4e}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
O33 - MountPoints2\{1b79374c-5f3d-11e0-bfcf-002243e2af4e}\Shell - "" = AutoRun
O33 - MountPoints2\{1b79374c-5f3d-11e0-bfcf-002243e2af4e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1b79374c-5f3d-11e0-bfcf-002243e2af4e}\Shell\AutoRun\command - "" = E:\setup.exe -a
O33 - MountPoints2\{c54457e0-9aa7-11de-bf6a-0022437932b3}\Shell - "" = AutoRun
O33 - MountPoints2\{c54457e0-9aa7-11de-bf6a-0022437932b3}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c54457e0-9aa7-11de-bf6a-0022437932b3}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/13 10:57:52 | 000,150,392 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\junction.exe
[2011/09/12 02:00:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2011/09/12 01:58:07 | 000,010,752 | ---- | C] (PrevX Research) -- C:\WINDOWS\System32\drivers\ZeroAccess.vir
[2011/09/12 00:51:44 | 000,167,864 | ---- | C] (Webroot) -- C:\Documents and Settings\peace love\Desktop\Copy of antizeroaccess.exe
[2011/09/12 00:38:35 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2011/09/12 00:15:24 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/09/12 00:14:41 | 012,549,808 | ---- | C] (SUPERAntiSpyware.com) -- C:\Documents and Settings\peace love\Desktop\SUpare.exe
[2011/09/11 18:38:50 | 000,423,288 | ---- | C] (Sysinternals) -- C:\WINDOWS\handle.exe
[2011/09/11 17:54:59 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2011/09/11 17:38:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\peace love\Local Settings\Application Data\{C4B91F02-C7EC-4CC0-B05A-DDD2B5953755}
[2011/09/11 17:33:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\peace love\Desktop\GooredFix Backups
[2011/09/11 15:05:23 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/09/11 15:00:49 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2011/09/10 18:03:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\peace love\Desktop\passiveincome
[2011/08/18 12:58:16 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\peace love\Recent
[2009/01/08 04:47:05 | 015,523,560 | ---- | C] (Macrovision Corporation) -- C:\Program Files\U1 Setup.exe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/15 15:56:41 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Pqejo.bin
[2011/09/15 15:55:59 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/09/15 15:55:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/15 15:55:31 | 000,000,000 | ---- | M] () -- C:\WINDOWS\3712659677
[2011/09/15 15:53:48 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2011/09/15 11:32:02 | 000,000,894 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/09/15 11:11:00 | 000,000,254 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2011/09/14 20:42:06 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Opirohugewu.dat
[2011/09/14 20:41:28 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/09/14 17:35:34 | 086,089,044 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2011/09/14 17:01:31 | 000,150,392 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\junction.exe
[2011/09/14 16:55:22 | 000,457,036 | ---- | M] () -- C:\Documents and Settings\peace love\Desktop\GrantPerms.exe
[2011/09/12 17:26:08 | 000,048,016 | -HS- | M] () -- C:\WINDOWS\System32\c_36935.nl_
[2011/09/12 02:00:17 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/09/12 01:58:07 | 000,010,752 | ---- | M] (PrevX Research) -- C:\WINDOWS\System32\drivers\ZeroAccess.vir
[2011/09/12 01:53:44 | 000,748,643 | ---- | M] () -- C:\Documents and Settings\peace love\Desktop\explorer.exe
[2011/09/12 01:12:08 | 000,442,140 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/09/12 01:12:08 | 000,071,910 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/09/12 00:54:35 | 000,243,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2011/09/12 00:46:46 | 000,128,016 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\11091301.sys
[2011/09/12 00:28:36 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\SBRC.dat
[2011/09/12 00:28:36 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\SBFC.dat
[2011/09/12 00:14:13 | 012,549,808 | ---- | M] (SUPERAntiSpyware.com) -- C:\Documents and Settings\peace love\Desktop\SUpare.exe
[2011/09/11 18:20:40 | 000,167,864 | ---- | M] (Webroot) -- C:\Documents and Settings\peace love\Desktop\Copy of antizeroaccess.exe
[2011/09/11 14:59:08 | 004,202,662 | R--- | M] () -- C:\Documents and Settings\peace love\Desktop\ComboFix.exe
[2011/09/11 13:03:03 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\{2521BB91-29B1-4d7e-9137-AC9875D77735}
[2011/09/07 18:01:57 | 000,002,440 | ---- | M] () -- C:\Documents and Settings\peace love\Desktop\New OpenDocument Text (3).odt
[2011/08/18 02:30:40 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\peace love\My Documents\My Bluetooth Places.lnk
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/12 02:00:17 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/09/12 01:54:00 | 000,748,643 | ---- | C] () -- C:\Documents and Settings\peace love\Desktop\explorer.exe
[2011/09/12 00:28:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\SBRC.dat
[2011/09/12 00:28:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\SBFC.dat
[2011/09/11 18:38:52 | 000,520,496 | ---- | C] () -- C:\WINDOWS\Listdlls.exe
[2011/09/11 17:29:50 | 000,048,016 | -HS- | C] () -- C:\WINDOWS\System32\c_36935.nl_
[2011/09/11 14:59:07 | 004,202,662 | R--- | C] () -- C:\Documents and Settings\peace love\Desktop\ComboFix.exe
[2011/09/11 13:03:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Pqejo.bin
[2011/09/11 13:03:41 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Opirohugewu.dat
[2011/09/11 13:03:03 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\{2521BB91-29B1-4d7e-9137-AC9875D77735}
[2011/09/11 13:01:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\3712659677
[2011/09/07 18:01:57 | 000,002,440 | ---- | C] () -- C:\Documents and Settings\peace love\Desktop\New OpenDocument Text (3).odt
[2011/08/23 01:09:46 | 000,457,036 | ---- | C] () -- C:\Documents and Settings\peace love\Desktop\GrantPerms.exe
[2011/08/18 02:30:40 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\peace love\My Documents\My Bluetooth Places.lnk
[2011/08/10 22:43:35 | 000,023,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/08/10 22:07:03 | 000,014,610 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\q5fueb4sop1sxo8lldd35yh1w8m57ec0mth7i36523
[2011/08/10 22:07:03 | 000,014,610 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\q5fueb4sop1sxo8lldd35yh1w8m57ec0mth7i36523
[2011/08/10 03:13:49 | 000,012,466 | -HS- | C] () -- C:\Documents and Settings\peace love\Local Settings\Application Data\hvq883m3mcm4yn8x451qii88k4cj4r67m8d3v
[2011/08/10 03:13:49 | 000,012,466 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\hvq883m3mcm4yn8x451qii88k4cj4r67m8d3v
[2011/03/19 03:05:22 | 000,830,680 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/02/11 18:51:41 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2009/11/19 22:16:14 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\peace love\Local Settings\Application Data\housecall.guid.cache
[2009/09/14 20:34:10 | 000,030,048 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2009/08/04 13:26:47 | 000,008,704 | ---- | C] () -- C:\Documents and Settings\peace love\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/14 06:24:23 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/04/14 06:17:42 | 000,000,133 | ---- | C] () -- C:\Documents and Settings\peace love\Local Settings\Application Data\fusioncache.dat
[2009/01/09 02:50:28 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/01/09 02:45:25 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/01/09 01:31:17 | 000,005,312 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/01/09 01:31:09 | 000,258,048 | ---- | C] () -- C:\WINDOWS\ezamupag.dll
[2009/01/09 01:31:07 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/01/09 01:31:06 | 000,442,140 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2009/01/09 01:31:06 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2009/01/09 01:31:06 | 000,071,910 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2009/01/09 01:31:06 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2009/01/09 01:31:05 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2009/01/09 01:31:05 | 000,004,562 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2009/01/09 01:31:05 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2009/01/09 01:31:03 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2009/01/09 01:31:03 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2009/01/09 01:31:01 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2009/01/09 01:30:59 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2009/01/08 18:38:45 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/01/08 18:37:48 | 000,191,384 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/01/08 06:15:39 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/01/08 05:12:53 | 000,000,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\SamSfPa.dat
[2009/01/08 04:50:39 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2009/01/08 04:50:39 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2009/01/08 04:50:39 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2009/01/08 04:50:39 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2009/01/08 04:50:39 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2009/01/08 04:50:39 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2009/01/08 04:37:43 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4906.dll
[2008/11/14 19:12:56 | 000,012,208 | ---- | C] () -- C:\WINDOWS\AsTrayLang.ini
[2008/09/02 08:25:26 | 002,854,912 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2008/08/27 23:10:24 | 000,000,173 | ---- | C] () -- C:\WINDOWS\explorer.exe.config
[2008/07/30 20:31:52 | 000,021,864 | ---- | C] () -- C:\WINDOWS\AsAcpiSvrLang.ini
[2001/11/14 14:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2009/12/20 01:12:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2011/03/14 23:10:21 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/08/10 22:54:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/04/27 03:29:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MGS
[2011/09/12 00:24:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCPitstop
[2009/12/11 19:45:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlotSoft
[2009/12/31 16:25:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2011/08/22 14:43:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\peace love\Application Data\FileZilla
[2010/04/19 17:10:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\peace love\Application Data\inkscape
[2009/11/17 02:57:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\peace love\Application Data\mirkes.de
[2009/05/18 14:39:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\peace love\Application Data\OpenOffice.org
[2009/01/08 05:38:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\peace love\Application Data\StarOffice8
[2009/11/29 01:03:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\peace love\Application Data\VTExtra
[2011/09/15 11:11:00 | 000,000,254 | ---- | M] () -- C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 816 bytes -> C:\WINDOWS\3712659677:575649058.exe

< End of report >

Edited by antidotepls, 15 September 2011 - 02:13 PM.

  • 0

#6
antidotepls

antidotepls

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I'm also concerned about those O1 HOSTS files in the report, they look nasty.
  • 0

#7
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
The hosts file entries are harmless. They are there to prevent you from going to ugly sites. Installed by Spybot S&D or similar.

This is what I see that is obviously malware in your OTL log:

PRC - File not found -- C:\WINDOWS\3712659677:575649058.exe

MOD - [2008/06/20 12:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2008/04/14 08:00:00 | 000,258,048 | ---- | M] () -- C:\WINDOWS\ezamupag.dll


[2011/09/11 17:38:21 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\PEACE LOVE\LOCAL SETTINGS\APPLICATION DATA\{C4B91F02-C7EC-4CC0-B05A-DDD2B5953755}
O4 - HKLM..\Run: [Lbusasufoli] C:\WINDOWS\ezamupag.dll ()
O4 - HKCU..\Run: [Qkohologocelo] C:\WINDOWS\duitshsn.dll (Development Company, L.P.)
[2011/09/15 15:56:41 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Pqejo.bin
[2011/09/15 15:55:31 | 000,000,000 | ---- | M] () -- C:\WINDOWS\3712659677
[2011/09/14 20:42:06 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Opirohugewu.dat
[2011/09/12 17:26:08 | 000,048,016 | -HS- | M] () -- C:\WINDOWS\System32\c_36935.nl_
[2011/09/11 13:03:03 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\{2521BB91-29B1-4d7e-9137-AC9875D77735}
[2011/08/10 22:07:03 | 000,014,610 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\q5fueb4sop1sxo8lldd35yh1w8m57ec0mth7i36523
[2011/08/10 22:07:03 | 000,014,610 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\q5fueb4sop1sxo8lldd35yh1w8m57ec0mth7i36523
[2011/08/10 03:13:49 | 000,012,466 | -HS- | C] () -- C:\Documents and Settings\peace love\Local Settings\Application Data\hvq883m3mcm4yn8x451qii88k4cj4r67m8d3v
[2011/08/10 03:13:49 | 000,012,466 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\hvq883m3mcm4yn8x451qii88k4cj4r67m8d3v
@Alternate Data Stream - 816 bytes -> C:\WINDOWS\3712659677:575649058.exe

You are right the Alternate Data Stream is part of Zero Access.

In addition to what we can see there is usually a folder called something like:

C:\WINDOWS\$NtUninstallKB51577$
c:\windows\$NtUninstall{RandomNumbers}$

Problem is there are usually a lot of similar folders on most PCs. These are folders that Windows uses to store old files when you get an update so that you can back out the update if it doesn't work.

Here is what is usually inside the folder that ZA uses:

c:\windows\$NtUninstallKB57869$
c:\windows\$NtUninstallKB57869$\3768571335
c:\windows\$NtUninstallKB57869$\4202620812\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB57869$\4202620812\L\odetmngk
c:\windows\$NtUninstallKB57869$\4202620812\loader(2).tlb
c:\windows\$NtUninstallKB57869$\4202620812\loader(3).tlb
c:\windows\$NtUninstallKB57869$\4202620812\loader(4).tlb
c:\windows\$NtUninstallKB57869$\4202620812\loader(5).tlb
c:\windows\$NtUninstallKB57869$\4202620812\loader(6).tlb
c:\windows\$NtUninstallKB57869$\4202620812\loader(7).tlb
c:\windows\$NtUninstallKB57869$\4202620812\loader(8).tlb
c:\windows\$NtUninstallKB57869$\4202620812\loader.tlb
c:\windows\$NtUninstallKB57869$\4202620812\U\@00000001
c:\windows\$NtUninstallKB57869$\4202620812\U\@000000c0
c:\windows\$NtUninstallKB57869$\4202620812\U\@000000cb
c:\windows\$NtUninstallKB57869$\4202620812\U\@000000cf
c:\windows\$NtUninstallKB57869$\4202620812\U\@80000000
c:\windows\$NtUninstallKB57869$\4202620812\U\@800000c0
c:\windows\$NtUninstallKB57869$\4202620812\U\@800000cb
c:\windows\$NtUninstallKB57869$\4202620812\U\@800000cf


Perhaps if you search for loader*.tlb you might find the folder. Would have to search all files and folders including system and hidden folders.

Perhaps you could boot into Safe Mode, Command Prompt and delete each file or folder?

IF you can kill off enough then perhaps Combofix will run.

Some commands you will need in Command Prompt:

cd \windows

(changes the directory to \windows)

del 3712659677

or

del \windows\3712659677

(Will try to delete the file)

rmdir /s C:\DOCUMENTS AND SETTINGS\PEACE LOVE\LOCAL SETTINGS\APPLICATION DATA\{C4B91F02-C7EC-4CC0-B05A-DDD2B5953755}

(will try to remove the directory {C4B91F02-C7EC-4CC0-B05A-DDD2B5953755} and all subdirectories and files.)

attrib -r -s -h *.*

(will remove the hidden, read only and system attributes from all files in the current directory. Makes it easier to delete a file if you get an error message like read only file or file not found).

After you delete as many as you can then try OTL quickscan again and let's see what it looks like.

Ron
  • 0

#8
antidotepls

antidotepls

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
OK, slightly lost on the last set of instructions. Couldn't locate any loader*.tlb files.

Used cmd prompt, got into the Windows dir and deleted 3712659677 (or I think it did; I didn't get a message saying whether it was successful or not).

When I tried the rmdir line it said Are You Sure? and when I picked yes, it couldn't find the file, then would ask me Are You Sure? for the next thing up the line (Application Data, then Local Settings, etc.). I said NO to the other prompts.
  • 0

#9
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
Probably best to cd to the folder above it:

cd C:\DOCUMENTS AND SETTINGS\PEACE LOVE\LOCAL SETTINGS\APPLICATION DATA\

rmdir /s {C4B91F02-C7EC-4CC0-B05A-DDD2B5953755}

That way you have less chance of a typo.


You may have better luck searching in Command Prompt:

Start off in \windows

cd  \windows

dir  /a  /s  loader*.tlb


(Lots of times malware will stealth itself in Windows but not bother hiding in DOS)

When you delete a file like our friend 3712659677, one way to make sure it's gone and can't come back is:

mkdir \windows\3712659677

This creates a directory of the same name which prevents the same named file from coming back. Of course if the malware is smart it can create the file 3712659678 or 3712659677a but most of them aren't set up for that.
  • 0
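Posts #7 and #9 describe hunting for the ZeroAccess folder by its contents (a digits-only subfolder holding loader*.tlb plus L\ and U\ folders), because ordinary $NtUninstall...$ rollback folders look similar by name alone. The following is an added example, not code from the thread or from RKinner: it walks a Windows folder, flags only those $NtUninstall...$ folders whose contents match that layout, and runs offline against a constructed sample tree; the assumption that a genuine rollback folder holds a spuninst\ subfolder rather than digits-only subfolders is mine.

```python
import os
import re
import tempfile

# Windows keeps update-rollback folders as C:\WINDOWS\$NtUninstall...$ (see the post above).
UNINSTALL_DIR = re.compile(r"^\$NtUninstall.*\$$", re.IGNORECASE)
# The post's ZeroAccess listing: a digits-only subfolder holding loader*.tlb plus L\ and U\ folders.
LOADER_TLB = re.compile(r"^loader(\(\d+\))?\.tlb$", re.IGNORECASE)

def za_indicators(folder):
    """Indicators inside one $NtUninstall...$ folder; empty list = looks like a normal rollback folder."""
    hits = []
    for sub in os.listdir(folder):
        subpath = os.path.join(folder, sub)
        # Assumption: genuine rollback folders hold spuninst\ and replaced files, not digits-only subfolders.
        if not (sub.isdigit() and os.path.isdir(subpath)):
            continue
        hits.append("digits-only subfolder " + sub)
        for entry in os.listdir(subpath):
            entrypath = os.path.join(subpath, entry)
            if LOADER_TLB.match(entry):
                hits.append(entry)
            elif entry.upper() in ("L", "U") and os.path.isdir(entrypath):
                hits.extend(entry + "\\" + e for e in os.listdir(entrypath))
    return sorted(hits)

def scan_windows_dir(windows_dir):
    """Map every $NtUninstall...$ folder under windows_dir to its indicator list."""
    report = {}
    for name in os.listdir(windows_dir):
        full = os.path.join(windows_dir, name)
        if UNINSTALL_DIR.match(name) and os.path.isdir(full):
            report[name] = za_indicators(full)
    return report

def touch(path):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    open(path, "w").close()

def build_sample_tree():
    """Constructed sample: one ordinary-looking rollback folder and one laid out like the post's listing."""
    root = tempfile.mkdtemp()
    touch(os.path.join(root, "$NtUninstallKB999999$", "spuninst", "spuninst.exe"))
    za = os.path.join(root, "$NtUninstallKB57869$", "4202620812")
    for rel in ("loader.tlb", "loader(2).tlb", os.path.join("L", "odetmngk"),
                os.path.join("U", "@00000001"), os.path.join("U", "@800000c0")):
        touch(os.path.join(za, rel))
    return root
```

Pointing scan_windows_dir at a real C:\WINDOWS would list every rollback folder, with an empty list for the ones that look legitimate and the matching entries for one laid out like the post's listing.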

#10
antidotepls

antidotepls

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
OK, when I searched for loader*.tlb this time via cmd prompt, the results said volume in drive C has no label, gave a serial number, then the next line said file not found. Then I made the directory with mkdir \windows\3712659677.
  • 0



#11
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
Were you able to remove any of these other files:

C:\WINDOWS\ezamupag.dll
C:\WINDOWS\duitshsn.dll
C:\WINDOWS\Pqejo.bin
C:\WINDOWS\Opirohugewu.dat
C:\WINDOWS\System32\c_36935.nl_
C:\WINDOWS\{2521BB91-29B1-4d7e-9137-AC9875D77735}
C:\Documents and Settings\NetworkService\Local Settings\Application Data\q5fueb4sop1sxo8lldd35yh1w8m57ec0mth7i36523
C:\Documents and Settings\All Users\Application Data\q5fueb4sop1sxo8lldd35yh1w8m57ec0mth7i36523
C:\Documents and Settings\peace love\Local Settings\Application Data\hvq883m3mcm4yn8x451qii88k4cj4r67m8d3v
C:\Documents and Settings\All Users\Application Data\hvq883m3mcm4yn8x451qii88k4cj4r67m8d3v

The examples I gave were just examples. Didn't try to give you commands for all of them. But if you need them:

cd  \windows
del  ezamupag.dll 
del  duitshsn.dll 
del  Pqejo.bin
del  Opirohugewu.dat
del  {2521BB91-29B1-4d7e-9137-AC9875D77735}

cd  \WINDOWS\System32
del  c_36935.nl_

cd  \Documents and Settings\NetworkService\Local Settings\Application Data
del  q5fueb*

cd  \Documents and Settings\All Users\Application Data
del  q5fueb*

cd  \Documents and Settings\peace love\Local Settings\Application Data
del  hvq883m*

cd \Documents and Settings\All Users\Application Data
del  hvq883m*


  • 0

#12
antidotepls

antidotepls

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts

Were you able to remove any of these other files:


cd  \windows
COULDNT FIND del  ezamupag.dll 
COULDNT FIND del  duitshsn.dll 
YES del  Pqejo.bin
YES del  Opirohugewu.dat
COULDNT FIND del  {2521BB91-29B1-4d7e-9137-AC9875D77735}

cd  \WINDOWS\System32
COULDNT FIND del  c_36935.nl_

cd  \Documents and Settings\NetworkService\Local Settings\Application Data
COULDNT FIND del  q5fueb*

cd  \Documents and Settings\All Users\Application Data
COULDNT FIND del  q5fueb*

cd  \Documents and Settings\peace love\Local Settings\Application Data
COULDNT FIND del  hvq883m*

cd \Documents and Settings\All Users\Application Data
COULDNT FIND del  hvq883m*


  • 0

#13
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
run

attrib -r -h -s *.*

then the

del command

don't forget to cd to the correct folder first.

Ron
  • 0

#14
antidotepls

antidotepls

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
are you saying do this for the ones that it couldn't find above?

run

attrib -r -h -s *.*

then the

del command

don't forget to cd to the correct folder first.

Ron


  • 0

#15
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
Yes. The files have the H and S attributes set, which makes them hard to delete. IF you run the attrib -r -h -s *.* command (may also need to run attrib -r -h -s * if the file doesn't have an extension)
  • 0
