
My PC is full of Trojans... :( [Closed]


  • This topic is locked

#16
AlexIT
    Member, Topic Starter, 76 posts
When I dragged the script to ComboFix it told me that a new update of ComboFix is available and asked me if I want to download it; I clicked "No".

When my PC was rebooting, it got stuck on the standard XP blue screen while turning off, so after ~10 mins I turned it off manually and then turned it on. After XP loaded, my KAV opened automatically, so I closed it immediately while ComboFix was running. Here is the log:

ComboFix 09-11-09.02 - AlexIT 13.11.2009 11:21.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.7.1049.18.1022.584 [GMT 1:00]
Running from: d:\documents and settings\AlexIT\Рабочий стол\ComboFix.exe
Command switches used :: d:\documents and settings\AlexIT\Рабочий стол\CFScript.txt
AV: Kaspersky Anti-Virus protection for Ya.Online (Антивирусная защита Касперского для Я.Онлайн) *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://soft.export.yandex.ru
hxxp://download.yandex.ru
.
--------------- FCopy ---------------

d:\windows\ERDNT\cache\atapi.sys --> d:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-10-13 to 2009-11-13 )))))))))))))))))))))))))))))))
.

2009-11-11 08:57 . 2009-11-11 08:57 -------- d-----w- d:\documents and settings\AlexIT\Application Data\Malwarebytes
2009-11-11 08:57 . 2009-09-10 13:54 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-11-11 08:57 . 2009-11-11 08:57 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2009-11-11 08:57 . 2009-11-11 08:57 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-11 08:57 . 2009-09-10 13:53 19160 ----a-w- d:\windows\system32\drivers\mbam.sys
2009-11-06 19:44 . 2009-11-06 19:44 -------- d-----w- d:\documents and settings\AlexIT\Tracing
2009-11-06 19:37 . 2009-11-06 19:37 -------- d-----w- d:\program files\Microsoft
2009-11-06 19:36 . 2009-11-06 19:36 -------- d-----w- d:\program files\Windows Live SkyDrive
2009-11-06 19:31 . 2009-11-06 19:31 -------- d-----w- d:\program files\Common Files\Windows Live
2009-10-29 21:04 . 2009-10-29 21:04 -------- d-----w- d:\documents and settings\AlexIT\Application Data\edu-media
2009-10-29 20:52 . 2009-10-29 20:52 -------- d-----w- d:\program files\Образование-Медиа
2009-10-28 17:32 . 2009-10-28 17:32 -------- d-----w- d:\documents and settings\AlexIT\.thumbnails
2009-10-28 14:58 . 2009-10-28 14:58 -------- d-----w- d:\documents and settings\AlexIT\Local Settings\Application Data\Opera
2009-10-28 14:58 . 2009-10-28 14:58 -------- d-----w- d:\program files\Opera
2009-10-27 17:06 . 2009-10-27 17:06 -------- d-----w- d:\program files\Paint.NET
2009-10-27 17:05 . 2009-10-28 17:30 -------- d-----w- d:\documents and settings\AlexIT\Local Settings\Application Data\Paint.NET
2009-10-27 17:04 . 2009-10-27 17:04 -------- d-----w- d:\program files\Free Image Editor
2009-10-27 16:48 . 2009-10-28 17:37 -------- d-----w- d:\documents and settings\AlexIT\Application Data\gtk-2.0
2009-10-27 16:46 . 2009-10-29 15:10 -------- d-----w- d:\documents and settings\AlexIT\.gimp-2.6
2009-10-27 16:43 . 2009-10-27 16:44 -------- d-----w- d:\program files\GIMP-2.0
2009-10-21 22:58 . 2009-10-21 22:59 -------- d-----w- d:\documents and settings\AlexIT\Local Settings\Application Data\Ephox
2009-10-20 23:22 . 2009-10-20 23:22 152576 ----a-w- d:\documents and settings\AlexIT\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-15 19:26 . 2009-10-15 19:26 -------- d-----w- d:\program files\DigiNotifier
2009-10-15 17:54 . 2009-10-15 17:55 -------- d-----w- d:\program files\XML Notepad 2007

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-13 10:43 . 2008-10-30 03:03 50208 --sha-w- d:\windows\system32\drivers\fidbox.dat
2009-11-13 10:42 . 2008-10-30 03:03 32 --sha-w- d:\windows\system32\drivers\fidbox.idx
2009-11-13 10:42 . 2008-10-30 03:03 -------- d-----w- d:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-11-13 10:39 . 2008-10-30 03:03 2635552 --sha-w- d:\windows\system32\drivers\fidbox2.dat
2009-11-13 10:28 . 2008-10-30 03:03 250196 --sha-w- d:\windows\system32\drivers\fidbox2.idx
2009-11-13 10:16 . 2008-10-30 12:48 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2009-11-12 21:20 . 2008-11-05 20:25 -------- d-----w- d:\documents and settings\AlexIT\Application Data\Skype
2009-11-12 20:39 . 2008-11-22 22:08 -------- d-----w- d:\documents and settings\All Users\Application Data\Google Updater
2009-11-12 18:05 . 2008-11-05 20:26 -------- d-----w- d:\documents and settings\AlexIT\Application Data\skypePM
2009-11-10 16:06 . 2009-11-10 14:59 9876743 ----a-w- d:\program files\edcast.log
2009-11-06 19:44 . 2008-10-30 00:54 89968 ----a-w- d:\documents and settings\AlexIT\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-06 19:36 . 2008-12-12 19:25 -------- d-----w- d:\program files\Windows Live
2009-10-30 22:15 . 2001-10-20 13:00 74560 ----a-w- d:\windows\system32\perfc019.dat
2009-10-30 22:15 . 2001-10-20 13:00 441244 ----a-w- d:\windows\system32\perfh019.dat
2009-10-29 21:30 . 2008-10-30 04:02 -------- d-----w- d:\program files\FlashGet
2009-10-21 13:07 . 2008-10-30 02:39 -------- d-----w- d:\program files\Common Files\Adobe
2009-10-21 09:51 . 2008-11-07 23:37 -------- d-----w- d:\program files\Microsoft Silverlight
2009-10-20 23:24 . 2008-10-30 02:42 -------- d-----w- d:\program files\Java
2009-10-14 14:35 . 2008-10-30 03:03 95259 ----a-w- d:\windows\system32\drivers\klick.dat
2009-10-14 14:35 . 2008-10-30 03:03 108059 ----a-w- d:\windows\system32\drivers\klin.dat
2009-10-13 09:47 . 2009-10-13 09:47 -------- d-----w- d:\program files\Viewpoint
2009-10-13 09:46 . 2008-10-30 01:51 -------- d--h--w- d:\program files\InstallShield Installation Information
2009-10-12 19:06 . 2008-10-30 12:47 -------- d-----w- d:\program files\WebMoney
2009-10-08 10:37 . 2009-05-15 17:13 -------- d-----w- d:\program files\Warcraft III
2009-10-07 14:44 . 2009-10-07 14:43 -------- d-----w- d:\documents and settings\AlexIT\Application Data\Easy Thumbnails
2009-10-07 14:43 . 2009-10-07 14:43 -------- d-----w- d:\program files\Easy Thumbnails
2009-09-28 20:37 . 2009-09-28 20:37 -------- d-----w- d:\program files\Air Mouse
2009-09-28 11:14 . 2009-09-28 11:14 325 ----a-w- d:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\bases\av\avc\i386\ForDiff\daily.avc.scr
2009-09-25 18:51 . 2008-10-31 16:59 -------- d-----w- d:\program files\WebcamMax
2009-09-16 11:28 . 2009-09-16 11:28 98304 ----a-w- d:\windows\system32\CmdLineExt.dll
2009-09-15 18:06 . 2009-09-15 17:49 -------- d-----w- d:\program files\GTA-ViceCity
2009-09-05 14:47 . 2009-09-05 14:47 349 ----a-w- d:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\bases\av\avc\i386\ForDiff\daily-ec.avc.com
2009-08-26 07:12 . 2009-08-26 07:12 152576 ----a-w- d:\documents and settings\AlexIT\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-20 11:56 . 2008-12-14 22:46 68556 ---ha-w- d:\windows\system32\mlfcache.dat
2009-08-19 21:46 . 2009-08-19 21:46 38208 ----a-w- d:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-19 21:46 . 2009-05-19 08:31 38208 ----a-w- d:\documents and settings\AlexIT\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-11-11_08.49.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-13 10:38 . 2009-11-13 10:38 16384 d:\windows\temp\Perflib_Perfdata_2bc.dat
+ 2004-08-03 18:59 . 2004-08-03 18:59 95360 d:\windows\system32\dllcache\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YandexOnline"="d:\program files\Yandex\Online\online.exe" [2009-06-22 2558728]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="d:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"ISUSPM"="d:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"Google Update"="d:\documents and settings\AlexIT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-04 133104]
"Yupdate!"="d:\program files\Common Files\Yandex\Yupdate\yupdate.exe" [2008-09-01 479496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OpenDNS Update"="d:\program files\OpenDNS U" [X]
"IMJPMIG8.1"="d:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="d:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="d:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"wmagent.exe"="d:\program files\WebMoney Agent\wmagent.exe" [2009-06-16 209376]
"NeroFilterCheck"="d:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="d:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-01 1629744]
"InCD"="d:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-06-01 1057328]
"BCD3000"="d:\windows\system32\bcd3kcpan.exe" [2008-11-21 552960]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"DigiNotifier"="d:\program files\DigiNotifier\DigiNotifier.exe" [2008-12-04 83479]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"nwiz"="nwiz.exe" - d:\windows\system32\nwiz.exe [2008-10-07 1630208]
"RTHDCPL"="RTHDCPL.EXE" - d:\windows\RTHDCPL.EXE [2008-10-09 17021440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

d:\documents and settings\AlexIT\Главное меню\Программы\Автозагрузка\
Adobe Gamma.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Create virtual drive for Denwer.lnk - c:\webservers\denwer\Boot.exe [2008-10-30 6656]

d:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\
Air Mouse.lnk - d:\program files\Air Mouse\Air Mouse\Air Mouse.exe [2009-2-16 269824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Kaspersky Lab\\Kaspersky AV for Yandex Online\\avp.exe"=
"d:\\Program Files\\FlashGet\\flashget.exe"=
"d:\\Program Files\\WinSCP\\WinSCP.exe"=
"d:\\Program Files\\WebMoney\\WebMoney.exe"=
"c:\\WebServers\\usr\\local\\apache\\bin\\httpd.exe"=
"d:\\Program Files\\QIP\\qip.exe"=
"d:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"d:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\Program Files\\Radio Toolbox\\rtb.exe"=
"d:\\Program Files\\Valve\\hl.exe"=
"d:\\Program Files\\Reallusion\\CrazyTalk for Skype\\CT4Skype.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"d:\\Program Files\\ICQ6.5\\ICQ.exe"=
"d:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"d:\\Program Files\\NetDragon\\91 Mobile\\iPhone\\iPhone PC Suite.exe"=
"d:\\Downloads\\stalker-dream-16oct04\\XR_3DA.exe"=
"d:\\Program Files\\eMule\\emule.exe"=
"d:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"d:\\Program Files\\Air Mouse\\Air Mouse\\Air Mouse.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 CAMTHWDM;WebcamMax, WDM Video Capture;d:\windows\system32\drivers\CAMTHWDM.sys [31.10.2008 17:51 1053056]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;d:\windows\system32\drivers\klim5.sys [13.12.2007 14:28 24592]
S3 BCD3000;Behringer BCD3000 V1.1.2.0;d:\windows\system32\drivers\BCD3000.SYS [24.07.2008 13:18 42496]
S3 BCD3000WDM;Behringer BCD3000WDM V1.1.2.0;d:\windows\system32\drivers\BCD3000WDM.SYS [24.07.2008 13:18 21600]
S3 NPF;NetGroup Packet Filter Driver;d:\windows\system32\drivers\npf.sys [06.11.2007 21:22 34064]
S3 PAC207;Trust WB-1400T Webcam;d:\windows\system32\drivers\PFC027.sys [24.02.2005 12:29 162176]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"d:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-11-06 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-11-13 d:\windows\Tasks\Google Software Updater.job
- d:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-22 02:46]

2009-11-12 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73586283-436374069-682003330-1003Core.job
- d:\documents and settings\AlexIT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-04 21:48]

2009-11-13 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73586283-436374069-682003330-1003UA.job
- d:\documents and settings\AlexIT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-04 21:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.km.ru
uInternet Settings,ProxyOverride = *.local
IE: &Download all with FlashGet - d:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - d:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Download ALL with Download Master - d:\program files\Download Master\dmieall.htm
IE: Download with Download Master - d:\program files\Download Master\dmie.htm
IE: Hand off to DM remote download - d:\program files\Download Master\remdown.htm
IE: {{8DAE90AD-4583-4977-9DD4-4360F7A45C74} - d:\program files\Download Master\dmaster.exe
TCP: {5E2249A1-468F-4FD3-BEFA-17F775E724B2} = 208.67.222.222,208.67.220.220
DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} - hxxps://w3s.webmoney.ru/WMAcceptor.dll
FF - ProfilePath - d:\documents and settings\AlexIT\Application Data\Mozilla\Firefox\Profiles\fpf36mpe.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ru/
FF - plugin: d:\documents and settings\AlexIT\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: d:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: d:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npdm.dll

---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-13 11:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1240)
d:\windows\system32\klogon.dll

- - - - - - - > 'explorer.exe'(1916)
d:\program files\Kaspersky Lab\Kaspersky AV for Yandex Online\scrchpg.dll
d:\program files\Common Files\Microsoft Shared\OFFICE11\MSOXEV.DLL
d:\windows\system32\msi.dll
d:\windows\system32\WPDShServiceObj.dll
d:\program files\WinSCP\DragExt.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
d:\program files\Bonjour\mDNSResponder.exe
d:\program files\Nero\Nero 7\InCD\InCDsrv.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\Common Files\LightScribe\LSSrvc.exe
d:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
d:\windows\system32\nvsvc32.exe
d:\windows\System32\PAStiSvc.exe
d:\windows\system32\WgaTray.exe
d:\windows\system32\wscntfy.exe
d:\windows\system32\RUNDLL32.EXE
d:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
d:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
d:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-13 11:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-13 10:45
ComboFix2.txt 2009-11-11 08:52

Pre-Run: 5 177 982 976 bytes free
Post-Run: 5 152 735 232 bytes free

- - End Of File - - 4E2CD6AFAA623B638B18C581A87E489E
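The ComboFix log above is long, but only a handful of its lines decide what happens next: Run-key values whose file no longer exists (ComboFix prints "[X]" in place of the date and size when it cannot find the file), the Security Center override values, the URLs it lists under "BITS: Possible infected sites", and the FCopy line recording a system driver it replaced from its ERDNT backup cache. The script below is an added example written for this thread, not ComboFix's own code; it parses those four things from a constructed excerpt (SAMPLE_LOG) laid out like the posted log. The OVERRIDE_NAMES set is my own list of Security Center values worth flagging.

```python
# Added example for this thread (not ComboFix's own code): pull the actionable
# lines out of a ComboFix log.  SAMPLE_LOG is a constructed excerpt in the
# layout of the log posted above.
import re
from collections import namedtuple

SAMPLE_LOG = r"""
----- BITS: Possible infected sites -----

hxxp://soft.export.yandex.ru
hxxp://download.yandex.ru
.
--------------- FCopy ---------------

d:\windows\ERDNT\cache\atapi.sys --> d:\windows\system32\drivers\atapi.sys
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YandexOnline"="d:\program files\Yandex\Online\online.exe" [2009-06-22 2558728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OpenDNS Update"="d:\program files\OpenDNS U" [X]
"nwiz"="nwiz.exe" - d:\windows\system32\nwiz.exe [2008-10-07 1630208]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
"""

# One autorun value.  missing=True when ComboFix printed "[X]" instead of the
# file's date and size, i.e. the value points at a file it could not find.
RunEntry = namedtuple("RunEntry", "key name path missing")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"'   # "Name"="data"
                    r"(?:\s+-\s+(?P<resolved>.*?))?"           # optional " - resolved\path"
                    r"\s+\[(?P<meta>[^\]]*)\]$")               # "[date size]" or "[X]"
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
# Security Center values that silence its warnings when set to 1 (my own list).
OVERRIDE_NAMES = {"antivirusoverride", "firewalloverride", "updatesoverride", "disablemonitoring"}


def parse_reg_loading_points(text):
    """Return (run_entries, dword_values) from the REGEDIT4-style section."""
    runs, dwords, key = [], [], None
    for line in map(str.strip, text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        if key is None:
            continue
        m = RUN_RE.match(line)
        if m and key.lower().endswith("\\run"):
            path = m["resolved"] or m["data"]        # "- resolved" wins over the bare value
            runs.append(RunEntry(key, m["name"], path, m["meta"].strip() == "X"))
            continue
        m = DWORD_RE.match(line)
        if m:
            dwords.append((key, m["name"], int(m["hex"], 16)))
    return runs, dwords


def parse_bits_sites(text):
    """URLs listed under 'BITS: Possible infected sites' (left defanged as hxxp://)."""
    urls, inside = [], False
    for line in map(str.strip, text.splitlines()):
        if "BITS: Possible infected sites" in line:
            inside = True
        elif inside and (line == "." or line.startswith("-----")):
            break
        elif inside and line:
            urls.append(line)
    return urls


def parse_fcopy(text):
    """(backup_copy, replaced_file) pairs from FCopy lines of the form 'src --> dst'."""
    return [tuple(p.strip() for p in line.split("-->", 1))
            for line in text.splitlines() if "-->" in line]


def triage(text):
    """Human-readable findings, in the order an analyst would check them."""
    findings = []
    runs, dwords = parse_reg_loading_points(text)
    for e in runs:
        if e.missing:
            findings.append(f"autorun points at a missing file: {e.key} | {e.name} -> {e.path}")
    for key, name, value in dwords:
        if "security center" in key.lower() and name.lower() in OVERRIDE_NAMES and value:
            findings.append(f"Security Center warnings suppressed: {key} | {name}={value}")
    for url in parse_bits_sites(text):
        findings.append(f"BITS job URL to verify: {url}")
    for src, dst in parse_fcopy(text):
        findings.append(f"{dst} was replaced from backup {src}; hash the quarantined original")
    return findings
```

Run against the posted log it would report: the orphaned "OpenDNS Update" value (a stale autorun, not by itself malicious), the two Security Center overrides that stop Windows warning about the Kaspersky product's state, the two Yandex BITS URLs (the Run keys show Yandex software installed on this machine, so they are to be verified rather than assumed hostile), and the atapi.sys replacement. ComboFix only copies a driver back from ERDNT when the live copy fails its check, and the SnapShot section shows it also dropped a fresh dllcache copy, so the quarantined original is the file worth hashing and submitting.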


#17
emeraldnzl
    GeekU Instructor, GeekU Moderator, 20,051 posts

When I dragged the script to ComboFix it told me that a new update of ComboFix is available and asked me if I want to download it; I clicked "No".


Yes, if that happens you should allow it to update.

Not to worry though, looks like we fixed that particular problem.

Now

Please download RootRepeal.zip and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
Post the contents of RootRepeal.txt in your next reply.

Next

You have used Malwarebytes before. If you still have it on your machine, please update and run it. Post the scan report back here.

If you no longer have Malwarebytes, please download it from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

So when you return please post
  • RootRepeal.txt
  • MBAM log

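Once RootRepeal.txt is saved, the part of reading it that benefits from a script is grouping. The example below is mine, added for this thread; it is not RootRepeal's or the forum's code. It parses the layout RootRepeal 1.3.x writes (a section name over a dashed underline, then blank-line-separated records), tallies SSDT hooks by the module that owns them so the installed AV's hooks (klif.sys and kl1.sys, Kaspersky's filter drivers on this machine) stand apart from anything unexpected, groups Hidden/Locked Files by status text, and counts "Hidden Code" hits per driver object. EXPECTED_HOOKERS is an allowlist the analyst maintains per host, and SAMPLE_REPORT is a constructed excerpt, both assumptions of the example.

```python
# Added example for this thread (not RootRepeal's own code): summarise a
# RootRepeal.txt report.  SAMPLE_REPORT is a constructed excerpt in the
# layout RootRepeal 1.3.x writes.
import re
from collections import Counter, defaultdict

SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: d:\windows\system32\drivers\fidbox.dat
Status: Size mismatch (API: 53792, Raw: 52000)

Path: Volume G:\
Status: MBR Rootkit Detected!

Path: G:\Movies
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24ad300

#: 116 Function Name: NtOpenFile
Status: Hooked by "kl1.sys" at address 0xf7224020

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24ae290

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x85f60908]
Process: System Address: 0x85e51000 Size: 87

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x867d71f8 Size: 121
"""

SSDT_RE = re.compile(r"^#:\s*(?P<idx>\d+)\s+Function Name:\s*(?P<func>\S+)")
HOOK_RE = re.compile(r'^Status:\s*Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)')
OBJECT_RE = re.compile(r"^Object:\s*(?P<kind>[^\[]+?)\s*\[(?P<target>[^\]]+)\]")
# Modules expected to hook the SSDT on this host (assumption: the installed
# Kaspersky product's filter drivers); anything else is reported as unexpected.
EXPECTED_HOOKERS = {"klif.sys", "kl1.sys"}


def parse_sections(report):
    """Map section name -> list of records; each record is the list of its lines."""
    lines = report.splitlines()
    sections, record, current = defaultdict(list), [], None

    def flush():
        if current is not None and record:
            sections[current].append(list(record))
        record.clear()

    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.strip() and nxt.startswith("---"):       # "SSDT" followed by its underline
            flush()
            current = line.strip()
        elif line.startswith("---") or current is None:  # the underline, or the preamble
            continue
        elif line.strip():
            record.append(line.rstrip())
        else:                                             # a blank line closes a record
            flush()
    flush()
    return sections


def ssdt_hooks(sections):
    """[(index, function, module basename, address)] for every hooked SSDT slot."""
    hooks = []
    for rec in sections.get("SSDT", []):
        m1, m2 = SSDT_RE.match(rec[0]), HOOK_RE.match(rec[-1])
        if m1 and m2:
            module = m2["module"].rsplit("\\", 1)[-1].lower()
            hooks.append((int(m1["idx"]), m1["func"], module, m2["addr"]))
    return hooks


def triage(report):
    """Summaries an analyst compares against what is known to be installed."""
    sections = parse_sections(report)
    by_module = defaultdict(list)
    for _, func, module, _ in ssdt_hooks(sections):
        by_module[module].append(func)
    filesystem = defaultdict(list)            # status text -> paths, e.g. "MBR Rootkit Detected!"
    for rec in sections.get("Hidden/Locked Files", []):
        kv = dict(l.split(":", 1) for l in rec if ":" in l)
        if "Path" in kv and "Status" in kv:
            filesystem[kv["Status"].split("(")[0].strip()].append(kv["Path"].strip())
    stealth = Counter()                       # hidden-code hits per driver object / object type
    for rec in sections.get("Stealth Objects", []):
        m = OBJECT_RE.match(rec[0])
        if m:
            t = m["target"]
            stealth[t.split(",")[0] if t.startswith("Driver:") else t.split(":")[0]] += 1
    return {"hooks_by_module": dict(by_module),
            "unexpected_hookers": sorted(set(by_module) - EXPECTED_HOOKERS),
            "filesystem": dict(filesystem),
            "stealth_objects": dict(stealth)}
```

Two caveats apply when reading a report like the one posted later in this thread. First, an SSDT hooked end to end by the installed AV's drivers is expected, and a block of "Hidden Code" on every Ntfs and Fastfat IRP dispatch entry alongside a \Driver\sptd object and a randomly named sp??.sys driver with no image path is the usual footprint of the SPTD disc-emulation layer used by DAEMON Tools and Alcohol, which rootkit scanners routinely flag. Second, "MBR Rootkit Detected!" on a volume whose entire root listing is "Visible to the Windows API, but not on disk" can be a real bootkit or a scanner misreading that disk's partition layout (external and oddly partitioned drives are the common case), so it needs confirming with a raw read of that disk's first sectors before anything is written to them.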

#18
AlexIT
    Member, Topic Starter, 76 posts
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/16 11:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: D:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF242C000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: D:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B24000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP2790
Image Path: \Driver\PCI_PNP2790
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: D:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB94B9000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spqu.sys
Image Path: spqu.sys
Address: 0xF740F000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWZ\system32\eventcls.dll
Status: Locked to the Windows API!

Path: C:\WINDOWZ\system32\eventvwr.msc
Status: Locked to the Windows API!

Path: C:\WINDOWZ\system32\ir32_32.dll
Status: Locked to the Windows API!

Path: C:\WINDOWZ\system32\msisam11.dll
Status: Locked to the Windows API!

Path: C:\WINDOWZ\Help\rsopsnp.chm
Status: Locked to the Windows API!

Path: C:\WINDOWZ\inf\mdmintel.inf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Alex.ALEXIT\Local Settings\Apps\2.0\HZKO8J06.HPT\WKCBTZY4.R21\manifests\iPhoneBrowser.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Alex.ALEXIT\Local Settings\Apps\2.0\HZKO8J06.HPT\WKCBTZY4.R21\manifests\iPhoneBrowser.exe.manifest
Status: Locked to the Windows API!

Path: d:\windows\system32\drivers\fidbox.dat
Status: Size mismatch (API: 53792, Raw: 52000)

Path: d:\documents and settings\alexit\local settings\temp\etilqs_lqf4geogufgnhvcly5g3
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: Volume G:\
Status: MBR Rootkit Detected!

Path: Volume G:\, Sector 59
Status: Sector mismatch

Path: Volume G:\, Sector 60
Status: Sector mismatch

Path: Volume G:\, Sector 61
Status: Sector mismatch

Path: Volume G:\, Sector 62
Status: Sector mismatch

Path: G:\SCUOLA
Status: Visible to the Windows API, but not on disk.

Path: G:\System Volume Information
Status: Visible to the Windows API, but not on disk.

Path: G:\Movies
Status: Visible to the Windows API, but not on disk.

Path: G:\Recycled
Status: Visible to the Windows API, but not on disk.

Path: G:\OLD.PC
Status: Visible to the Windows API, but not on disk.

Path: G:\z
Status: Visible to the Windows API, but not on disk.

Path: G:\wd
Status: Visible to the Windows API, but not on disk.

Path: G:\Downloads
Status: Visible to the Windows API, but not on disk.

Path: G:\FORMATTED_HD_D
Status: Visible to the Windows API, but not on disk.

Path: G:\FORMATTED_HD_C
Status: Visible to the Windows API, but not on disk.

Path: G:\share
Status: Visible to the Windows API, but not on disk.

Path: G:\iTunes8Setup.exe
Status: Visible to the Windows API, but not on disk.

Path: G:\treeinfo.wc
Status: Visible to the Windows API, but not on disk.

Path: G:\PHOTOS
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24ad300

#: 031 Function Name: NtConnectPort
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24ab3b0

#: 041 Function Name: NtCreateKey
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf249e7f0

#: 047 Function Name: NtCreateProcess
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24ad030

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24ad1a0

#: 050 Function Name: NtCreateSection
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24ade00

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24ad8d0

#: 053 Function Name: NtCreateThread
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24ae740

#: 063 Function Name: NtDeleteKey
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf249e8f0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf249e970

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24ad4a0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf249ea00

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf249eab0

#: 079 Function Name: NtFlushKey
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf249eb60

#: 092 Function Name: NtInitializeRegistry
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf249ebe0

#: 097 Function Name: NtLoadDriver
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24aaf60

#: 098 Function Name: NtLoadKey
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf249f5e0

#: 099 Function Name: NtLoadKey2
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf249ec00

#: 111 Function Name: NtNotifyChangeKey
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf249ecd0

#: 116 Function Name: NtOpenFile
Status: Hooked by "kl1.sys" at address 0xf7224020

#: 119 Function Name: NtOpenKey
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf249edb0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24ace20

#: 125 Function Name: NtOpenSection
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24adc30

#: 160 Function Name: NtQueryKey
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf249ee80

#: 161 Function Name: NtQueryMultipleValueKey
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf249ef30

#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24ae3f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf249efe0

#: 193 Function Name: NtReplaceKey
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf249f090

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24ab990

#: 204 Function Name: NtRestoreKey
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf249f120

#: 206 Function Name: NtResumeThread
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24ae6f0

#: 207 Function Name: NtSaveKey
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf249f320

#: 213 Function Name: NtSetContextThread
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24aea70

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24af090

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf249f3b0

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24a9b00

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24adab0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf249f450

#: 254 Function Name: NtSuspendThread
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24ae6a0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24ab270

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24ae290

#: 263 Function Name: NtUnloadKey
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf249f5a0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "D:\WINDOWS\system32\drivers\klif.sys" at address 0xf24ad360

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x85f60908]
Process: System Address: 0x85e51000 Size: 87

Object: Hidden Code [ETHREAD: 0x86090da8]
Process: System Address: 0x85e51000 Size: 87

Object: Hidden Code [ETHREAD: 0x8638fda8]
Process: System Address: 0x85e1e7e0 Size: 87

Object: Hidden Code [ETHREAD: 0x860f3760]
Process: System Address: 0x85e1e7e0 Size: 87

Object: Hidden Code [ETHREAD: 0x86061da8]
Process: System Address: 0x85e207d0 Size: 2097

Object: Hidden Code [ETHREAD: 0x86056da8]
Process: System Address: 0x85e207d0 Size: 2097

Object: Hidden Code [ETHREAD: 0x85fc5508]
Process: System Address: 0x85e207d0 Size: 2097

Object: Hidden Code [ETHREAD: 0x86041da8]
Process: System Address: 0x85e1e7e0 Size: 87

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x863c1500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x863c1500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x863c1500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x863c1500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x863c1500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x863c1500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x863c1500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x863c1500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x863c1500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x863c1500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x863c1500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x863c1500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x863c1500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x863c1500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x863c1500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x863c1500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x863c1500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x863c1500 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x867d81f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x867d81f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x867d81f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x867d81f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x867d81f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x867d81f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x867d81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x867681f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x867681f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x867681f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x867681f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x867681f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x867681f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x867681f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x867681f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x867681f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x867681f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x867681f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System Address: 0x85cd31f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE]
Process: System Address: 0x85cd31f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System Address: 0x85cd31f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE]
Process: System Address: 0x85cd31f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85cd31f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85cd31f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER]
Process: System Address: 0x85cd31f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85cd31f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP]
Process: System Address: 0x85cd31f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x865451f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x865451f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x865451f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x865451f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x865451f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x865451f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x865451f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x85e7f1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x85e7f1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85e7f1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85e7f1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x85e7f1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x85e7f1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x865181f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x865181f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x865181f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x865181f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x865181f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x865181f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x865181f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x85df01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x85df01f8 Size: 121

==EOF==
  • 0
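The RootRepeal output above lists one "Hidden Code" record per hooked IRP_MJ_* dispatch entry, and for each driver (Ntfs, Fastfat, atapi, dmio, ...) every entry resolves to the same address and size, which is consistent with a single foreign dispatch routine rather than many independent hooks. The script below is an added triage helper, not part of the thread or of RootRepeal: it parses the two-line record format shown in the log and groups the hooks per driver so that pattern is visible at a glance. The sample log is constructed from a few records copied from the report above; the record format and the field names are assumed from what is printed there.

```python
"""Summarize RootRepeal 'Hidden Code' records per hooked driver.

Added example (not from the thread or from RootRepeal). It parses the
two-line record format seen in the report and reports, per driver, which
IRP_MJ_* entries are hooked and how many distinct target addresses they
resolve to. One address shared by every dispatch entry of a driver is
the pattern worth flagging: it suggests one foreign dispatch routine
fronting the whole driver rather than unrelated hooks.
"""
import re
from collections import defaultdict

# Constructed sample: records copied from the report format above.
SAMPLE_LOG = """\
Object: Hidden Code [ETHREAD: 0x8638fda8]
Process: System Address: 0x85e1e7e0 Size: 87

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x867d81f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x867d81f8 Size: 121

==EOF==
"""

# "Object:" line: either a driver dispatch entry or a thread (ETHREAD) record.
OBJECT_RE = re.compile(
    r"^Object: Hidden Code \[(?:Driver: (\w+), (IRP_MJ_\w+)|ETHREAD: (0x[0-9a-fA-F]+))\]$"
)
# The line that follows carries the owning process, target address and size.
ADDR_RE = re.compile(r"^Process: (\S+) Address: (0x[0-9a-fA-F]+) Size: (\d+)$")


def parse_hidden_code(text):
    """Return one dict per record: target, major (None for ETHREAD), process, address, size."""
    records = []
    lines = [line.strip() for line in text.splitlines()]
    for i, line in enumerate(lines):
        m = OBJECT_RE.match(line)
        if not m or i + 1 >= len(lines):
            continue
        a = ADDR_RE.match(lines[i + 1])
        if not a:
            continue  # malformed pair: skip rather than guess
        if m.group(1):
            target, major = m.group(1), m.group(2)
        else:
            target, major = "ETHREAD:" + m.group(3), None
        records.append({
            "target": target,
            "major": major,
            "process": a.group(1),
            "address": int(a.group(2), 16),
            "size": int(a.group(3)),
        })
    return records


def summarize_by_driver(records):
    """driver -> {'majors': [hooked IRP_MJ_* names], 'addresses': {...}, 'sizes': {...}}."""
    summary = defaultdict(lambda: {"majors": [], "addresses": set(), "sizes": set()})
    for r in records:
        if r["major"] is None:
            continue  # thread records are not per-driver hooks
        s = summary[r["target"]]
        s["majors"].append(r["major"])
        s["addresses"].add(r["address"])
        s["sizes"].add(r["size"])
    return dict(summary)


def single_handler_drivers(summary):
    """Drivers whose hooked dispatch entries (more than one) all point at one address."""
    return sorted(
        d for d, s in summary.items()
        if len(s["majors"]) > 1 and len(s["addresses"]) == 1
    )


if __name__ == "__main__":
    recs = parse_hidden_code(SAMPLE_LOG)
    summ = summarize_by_driver(recs)
    for drv, s in sorted(summ.items()):
        addrs = ", ".join(hex(a) for a in sorted(s["addresses"]))
        print(f"{drv}: {len(s['majors'])} hooked entries -> {addrs} (sizes {sorted(s['sizes'])})")
    print("single-handler drivers:", single_handler_drivers(summ))
```

Run it against a full RootRepeal report saved as text and the per-driver summary replaces a hundred lines of records with one line per driver; the ETHREAD records are parsed but left out of the driver summary, since they describe thread start addresses rather than dispatch entries.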

#19 AlexIT (Member, Topic Starter, 76 posts)
Malwarebytes' Anti-Malware 1.41
Database version: 3178
Windows 5.1.2600 Service Pack 2

16.11.2009 11:51:10
mbam-log-2009-11-16 (11-51-10).txt

Scan type: Quick Scan
Objects scanned: 99860
Time elapsed: 3 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#20 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hmm... RootRepeal is still seeing that rootkit.

Let's see if this will help.

Download Sophos Anti-Rootkit & save it to your desktop after filling out the questionnaire and reading the EULA.

Note: You will need to enter your name, e-mail address and location in order to access the download page.
  • Double-click sarsfx.exe to extract the files.
  • Click the Accept button at the EULA, then Install to the default directory
  • At the next prompt, click Yes to start the program
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click the "Start Scan" button.
  • Allow the program to scan your computer - please be patient as it may take some time
  • Once the scan has completed a window will pop-up with the results of the scan - click OK to this
  • In the main window, you will see each of the entries found by the scan (if any)
    • If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review
    • Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you
  • If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
  • To clean up these entries click on the Clean up checked items button
  • If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
  • Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so
Next

Kaspersky online scanner is very thorough. It can take a long time and for periods may seem not to be working. Just be patient and let it do its job.

Kaspersky works with Internet Explorer and Firefox 3. It uses Java Runtime Environment (JRE).

Go to Kaspersky website and perform an online antivirus scan.

Note: you will need to turn off your security programs to allow Kaspersky to do its job.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Copy and paste that information in your next post.
  • 0

#21 AlexIT (Member, Topic Starter, 76 posts)
Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWZ\system32\msisam11.dll
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWZ\system32\eventcls.dll
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWZ\system32\eventvwr.msc
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWZ\system32\ir32_32.dll
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWZ\inf\mdmintel.inf
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWZ\Help\rsopsnp.chm
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: D:\WINDOWS\system32\drivers\sptd.sys
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: D:\Documents and Settings\AlexIT\Local Settings\Application Data\Mozilla\Firefox\Profiles\fpf36mpe.default\Cache\15D7646Dd01
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: D:\Documents and Settings\AlexIT\Local Settings\Application Data\Mozilla\Firefox\Profiles\fpf36mpe.default\Cache\2B351A5Dd01
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)
  • 0

#22 AlexIT (Member, Topic Starter, 76 posts)
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, November 17, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, November 17, 2009 09:12:32
Records in database: 3228283
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\

Scan statistics:
Objects scanned: 392993
Threats found: 6
Infected objects found: 13
Suspicious objects found: 0
Scan duration: 09:16:25


File name / Threat / Threats count
\Device\Harddisk1\DR4/\Device\Harddisk1\DR4 Infected: Backdoor.Win32.Sinowal.kv 1
D:\Program Files\Cain\Abel.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 1
D:\Program Files\Cain\Cain.exe Infected: not-a-virus:PSWTool.Win32.Cain.s 1
D:\Program Files\eLecta Live\kbdhook.dll Infected: not-a-virus:PSWTool.Win32.OpenPass.b 1
D:\System Volume Information\_restore{85FC2819-A332-44F7-A1BA-A547C185B600}\RP245\A0038757.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 1
D:\System Volume Information\_restore{85FC2819-A332-44F7-A1BA-A547C185B600}\RP250\A0039141.exe Infected: not-a-virus:PSWTool.Win32.OpenPass.b 1
G:\System Volume Information\_restore{85FC2819-A332-44F7-A1BA-A547C185B600}\RP268\A0041821.dll Infected: Trojan.Win32.Agent.csig 1
G:\OLD.PC\Oldest.PC\SanRadio\SanRadio_mIRC.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 1
G:\OLD.PC\Oldest.PC\SanRadio\SanRadio_mIRC.rar Infected: not-a-virus:Client-IRC.Win32.mIRC.614 1
G:\OLD.PC\Oldest.PC\SanRadio\old_backup_4\html\files\SanRadio_mIRC.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 1
G:\OLD.PC\Oldest.PC\SanRadio\old_backup_3\files\SanRadio_mIRC.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 1
G:\OLD.PC\Oldest.PC\SanRadio\old_backup_1\files\SanRadio_mIRC.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 1
G:\OLD.PC\Oldest.PC\SanRadio\latest_backup\html\files\SanRadio_mIRC.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 1

Selected area has been scanned.
  • 0

#23 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello AlexIT,

I think all those found by Kaspersky are false positives. The same with the Sophos one.

My thinking is that we are just about there with your machine but before we go to cleaning away the tools we have been using please tell me how your computer is now.
  • 0

#24 AlexIT (Member, Topic Starter, 76 posts)
My KAV is still finding
\Device\Harddisk1\DR4/\Device\Harddisk1\DR4 Infected: Backdoor.Win32.Sinowal.kv 1
after every reboot...
  • 0

#25 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)

\Device\Harddisk1\DR4/\Device\Harddisk1\DR4 Infected: Backdoor.Win32.Sinowal.kv 1


My understanding is that this is a removable hard disk. My thought was that Kaspersky was finding it infected because of the number allocated, but maybe I am wrong.

Do this:

Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.

Come back and tell me if that has made a difference.
  • 0

#26 AlexIT (Member, Topic Starter, 76 posts)
It's still there.... :)
  • 0

#27 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Well I may have this wrong but:

I think DR4 means DRIVE, REMOVABLE, and then the number your system has assigned that removable drive. I think it is the USB host controller ID assigned by Windows during setup....if you switch your thumb drive or similar to another USB port, the number will change.

So... do you have a removable drive or some such attached to your machine? If so why don't we try removing it/them one by one and seeing if at each step the alert disappears. In this way we may be able to isolate which drive is causing the problem.
  • 0

#28 AlexIT (Member, Topic Starter, 76 posts)
It's a G:\ drive.
It's a USB 1TB external hard drive from Western Digital.
  • 0

#29 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
I take it that one was attached to your machine and turned on when you scanned with Flash Drive Disinfector?

Also was it attached and turned on when we ran ComboFix?

Out of interest what do you have on that drive?
  • 0

#30 AlexIT (Member, Topic Starter, 76 posts)
Yes, it was always attached!
Movies in .avi, music in mp3, photos, archives of web projects...
  • 0
