Malware Defender Problems


Hi, I got attacked by Malware Defender and have tried to get rid of it with MBAM. It has gotten rid of everything except for Rootkit.TDSS and Trojan.DNSChanger. MBAM tells me they have been properly removed, but when I restart the computer they return.

mbam log:

Malwarebytes' Anti-Malware 1.42

Database version: 3443

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/4/2010 2:54:55 PM

mbam-log-2010-01-04 (14-54-47).txt

Scan type: Quick Scan

Objects scanned: 117546

Time elapsed: 5 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> No action taken.

DDS/GMER log:

DDS (Ver_09-12-01.01) - NTFSx86

Run by Cassiusregicide at 12:38:48.03 on Mon 01/04/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.607 [GMT -6:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\David's Programs\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\OA012Mon.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\WSED\WSED.exe

C:\Program Files\Battery Meter\BTMeter.exe

C:\Program Files\CapsLKNotify\CapsLKNotify.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\David's Programs\Itunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Dell Support Center\gs_agent\dsc.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Cassiusregicide\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.live.com

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [settdebugx.exe] c:\docume~1\cassiu~1\locals~1\temp\settdebugx.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [OA012Mon] c:\windows\OA012Mon.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [WSED] c:\program files\wsed\WSED.exe

mRun: [<NO NAME>]

mRun: [bTMeter] c:\program files\battery meter\BTMeter.exe

mRun: [CapsLKNotify] c:\program files\capslknotify\CapsLKNotify.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\david's programs\itunes\iTunesHelper.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: E&xport to Microsoft Excel - c:\david'~1\micros~1\office12\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\david'~1\micros~1\office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

Notify: igfxcui - igfxdev.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cassiu~1\applic~1\mozilla\firefox\profiles\iti6fa44.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\david's programs\itunes\mozilla plugins\npitunes.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\david's programs\firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-8-19 14248]

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-1-4 207792]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-1-4 112592]

R2 StarWindServiceAE;StarWind AE Service;c:\david's programs\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-8-19 143840]

R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [2009-8-20 135168]

R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [2009-8-20 133632]

R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [2009-8-20 272032]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-20 162816]

S0 goidu;goidu;c:\windows\system32\drivers\lair.sys --> c:\windows\system32\drivers\lair.sys [?]

S0 tmxxrug;tmxxrug;c:\windows\system32\drivers\exmu.sys --> c:\windows\system32\drivers\exmu.sys [?]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-20 1684736]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-1-4 359624]

S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-1-4 1141712]

=============== Created Last 30 ================

2010-01-04 18:33:40 20 ----a-w- c:\documents and settings\cassiusregicide\defogger_reenable

2010-01-04 17:44:54 767952 ----a-w- c:\windows\BDTSupport.dll

2010-01-04 17:44:53 882 ----a-w- c:\windows\RegSDImport.xml

2010-01-04 17:44:53 880 ----a-w- c:\windows\RegISSImport.xml

2010-01-04 17:44:53 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-01-04 17:44:53 1640400 ----a-w- c:\windows\PCTBDCore.dll

2010-01-04 17:44:53 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-01-04 17:44:53 131 ----a-w- c:\windows\IDB.zip

2010-01-04 17:44:53 1152444 ----a-w- c:\windows\UDB.zip

2010-01-04 17:42:34 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat

2010-01-04 17:42:34 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-01-04 17:42:25 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-01-04 17:42:25 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat

2010-01-04 17:42:25 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat

2010-01-04 17:42:25 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-01-04 17:42:14 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat

2010-01-04 17:42:14 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-01-04 17:42:04 0 d-----w- c:\program files\common files\PC Tools

2010-01-04 17:42:03 0 d-----w- c:\program files\Spyware Doctor

2010-01-04 17:42:03 0 d-----w- c:\docume~1\cassiu~1\applic~1\PC Tools

2010-01-04 17:42:03 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2010-01-04 16:03:00 54016 ----a-w- c:\windows\system32\drivers\tsbahhmn.sys

2010-01-01 18:26:48 0 d--h--w- C:\$AVG

2010-01-01 18:18:32 54016 ----a-w- c:\windows\system32\drivers\ysbptais.sys

2010-01-01 17:59:53 54016 ----a-w- c:\windows\system32\drivers\jrofov.sys

2010-01-01 17:59:53 54016 ----a-w- c:\windows\system32\drivers\jrofov(2).sys

2009-12-28 08:25:44 0 d-----w- c:\docume~1\cassiu~1\applic~1\Malwarebytes

2009-12-28 08:22:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-28 08:22:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-28 08:22:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-28 08:22:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-12-28 07:27:19 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

2009-12-28 07:26:57 0 d-----w- c:\windows\SxsCaPendDel

2009-12-28 06:02:48 202 ----a-w- c:\windows\system32\srcr.dat

2009-12-12 19:51:04 0 d-----w- C:\Xeen

==================== Find3M ====================

2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

2009-08-20 04:41:33 75 --sh--r- c:\windows\CT4CET.bin

============= FINISH: 12:40:13.67 ===============

Attach.zip

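As an added example (not part of the original post and not code from the DDS tool), the Python script below applies two triage heuristics to the SERVICES / DRIVERS and "Created Last 30" sections of the DDS log above: boot-start services whose driver file DDS could not find on disk (the `--> path [?]` form) and whose name doubles as its description, and recently created .sys files that share one identical byte size under different names. The sample lines are copied from the posted log; the regular expressions and function names are my own.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the DDS log posted above (SERVICES / DRIVERS
# and "Created Last 30" sections), trimmed to the entries relevant here.
DDS_SERVICE_LINES = r"""
R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-8-19 14248]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-1-4 207792]
S0 goidu;goidu;c:\windows\system32\drivers\lair.sys --> c:\windows\system32\drivers\lair.sys [?]
S0 tmxxrug;tmxxrug;c:\windows\system32\drivers\exmu.sys --> c:\windows\system32\drivers\exmu.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-20 1684736]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-1-4 359624]
""".strip().splitlines()

DDS_CREATED_LINES = r"""
2010-01-04 17:42:34 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-01-04 17:42:25 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-01-04 17:42:03 0 d-----w- c:\program files\Spyware Doctor
2010-01-04 16:03:00 54016 ----a-w- c:\windows\system32\drivers\tsbahhmn.sys
2010-01-01 18:18:32 54016 ----a-w- c:\windows\system32\drivers\ysbptais.sys
2010-01-01 17:59:53 54016 ----a-w- c:\windows\system32\drivers\jrofov.sys
2010-01-01 17:59:53 54016 ----a-w- c:\windows\system32\drivers\jrofov(2).sys
2009-12-28 08:22:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-28 08:22:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 06:02:48 202 ----a-w- c:\windows\system32\srcr.dat
""".strip().splitlines()

# DDS service line: "<start> <name>;<description>;<path> [<date> <size>]", or
# "<start> <name>;<description>;<path> --> <path> [?]" when the image file is
# registered as a service but DDS cannot find it on disk.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)"
    r"(?:\s+-->\s+(?P<missing>.+?))?\s+\[(?P<meta>[^\]]*)\]\s*$"
)

# DDS "Created Last 30" line: "<date> <time> <size> <attrs> <path>".
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+\d{2}:\d{2}:\d{2}\s+(?P<size>\d+)\s+"
    r"(?P<attrs>\S+)\s+(?P<path>.+)$"
)


def parse_services(lines):
    """Parse SERVICES / DRIVERS lines into dicts; non-matching lines are skipped."""
    parsed = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["file_missing"] = entry["meta"].strip() == "?"
            parsed.append(entry)
    return parsed


def parse_created(lines):
    """Parse "Created Last 30" lines into dicts; non-matching lines are skipped."""
    return [m.groupdict() for m in map(CREATED_RE.match, (l.strip() for l in lines)) if m]


def suspicious_services(lines):
    """Names of boot/system-start (R0/S0) services whose image file is missing
    and whose service name is its own description. A driver left behind by a
    broken uninstall can look the same, so treat this as a triage hint only."""
    return [
        svc["name"]
        for svc in parse_services(lines)
        if svc["file_missing"]
        and svc["start"] in ("R0", "S0")
        and svc["name"].strip().lower() == svc["desc"].strip().lower()
    ]


def same_size_driver_groups(lines, min_group=2):
    """Recently created .sys files under system32\\drivers grouped by byte size,
    keeping only sizes shared by at least `min_group` files. A dropper that
    rewrites the same payload under a fresh name on each run leaves this mark."""
    groups = defaultdict(list)
    for entry in parse_created(lines):
        path = entry["path"]
        if "\\drivers\\" in path.lower() and path.lower().endswith(".sys"):
            groups[int(entry["size"])].append(path)
    return {size: paths for size, paths in groups.items() if len(paths) >= min_group}


if __name__ == "__main__":
    for name in suspicious_services(DDS_SERVICE_LINES):
        print(f"service {name}: boot-start, image file missing, no vendor description")
    for size, paths in same_size_driver_groups(DDS_CREATED_LINES).items():
        print(f"{len(paths)} recently created drivers share size {size}:")
        for p in paths:
            print("   ", p)
```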

  • Staff

Hi,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:

    (screenshots: CF_download_FF.gif, CF_download_rename.gif)

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe or winlogon.exe instead.

This is because in some cases malware blocks EVERY process except those on its own whitelist, and that whitelist also includes important system processes such as iexplore.exe, explorer.exe and winlogon.exe.


ComboFix ran without any problems. Here is the log:

ComboFix 10-01-04.01 - Cassiusregicide 01/05/2010 11:01:57.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.718 [GMT -6:00]

Running from: c:\documents and settings\Cassiusregicide\Desktop\Combo-Fix.exe

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk

C:\install.exe

c:\windows\system32\drivers\H8SRTwrxuoxskcp.sys

c:\windows\system32\H8SRTivnsoqodgi.dll

c:\windows\system32\H8SRTnxjapjdxlr.dat

c:\windows\system32\H8SRTpaedwqtuij.dll

c:\windows\system32\H8SRTpiemxbfoaf.dll

c:\windows\system32\krl32mainweq.dll

c:\windows\system32\srcr.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_H8SRTd.sys

-------\Legacy_H8SRTd.sys

((((((((((((((((((((((((( Files Created from 2009-12-05 to 2010-01-05 )))))))))))))))))))))))))))))))

.

2010-01-04 17:51 . 2010-01-04 17:51 -------- d-----w- c:\documents and settings\Cassiusregicide\Local Settings\Application Data\Threat Expert

2010-01-04 17:44 . 2009-11-10 16:26 767952 ----a-w- c:\windows\BDTSupport.dll

2010-01-04 17:44 . 2009-11-10 16:28 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-01-04 17:44 . 2009-11-10 16:28 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-01-04 17:44 . 2009-11-10 16:28 1640400 ----a-w- c:\windows\PCTBDCore.dll

2010-01-04 17:44 . 2009-10-28 07:36 1152444 ----a-w- c:\windows\UDB.zip

2010-01-04 17:44 . 2008-11-26 18:08 131 ----a-w- c:\windows\IDB.zip

2010-01-04 17:42 . 2009-10-30 17:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-01-04 17:42 . 2009-11-09 17:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-01-04 17:42 . 2009-10-06 22:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-01-04 17:42 . 2009-09-03 15:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-01-04 17:42 . 2010-01-04 17:45 -------- d-----w- c:\program files\Common Files\PC Tools

2010-01-04 17:42 . 2010-01-04 18:00 -------- d-----w- c:\program files\Spyware Doctor

2010-01-04 17:42 . 2010-01-04 17:42 -------- d-----w- c:\documents and settings\Cassiusregicide\Application Data\PC Tools

2010-01-04 17:42 . 2010-01-04 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-01-04 17:41 . 2010-01-05 17:12 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-01-04 17:34 . 2010-01-04 17:34 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-01-04 16:03 . 2010-01-04 16:03 54016 ----a-w- c:\windows\system32\drivers\tsbahhmn.sys

2010-01-02 15:25 . 2010-01-01 18:26 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe

2010-01-02 15:25 . 2010-01-01 18:26 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe

2010-01-02 15:25 . 2010-01-01 18:26 2033432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe

2010-01-02 15:25 . 2010-01-01 18:26 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll

2010-01-02 15:25 . 2010-01-01 18:26 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll

2010-01-02 15:25 . 2010-01-01 18:26 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll

2010-01-01 18:26 . 2010-01-01 18:26 -------- d-----w- C:\$AVG

2010-01-01 18:18 . 2010-01-01 18:18 54016 ----a-w- c:\windows\system32\drivers\ysbptais.sys

2010-01-01 17:59 . 2010-01-01 17:59 54016 ----a-w- c:\windows\system32\drivers\jrofov.sys

2010-01-01 17:59 . 2010-01-01 17:59 54016 ----a-w- c:\windows\system32\drivers\jrofov(2).sys

2010-01-01 16:51 . 2010-01-01 16:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-12-28 08:25 . 2009-12-28 08:25 -------- d-----w- c:\documents and settings\Cassiusregicide\Application Data\Malwarebytes

2009-12-28 08:22 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-28 08:22 . 2009-12-28 08:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-28 08:22 . 2009-12-28 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-12-28 08:22 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-28 07:27 . 2010-01-04 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2009-12-28 07:26 . 2010-01-04 16:03 -------- d-----w- c:\windows\SxsCaPendDel

2009-12-28 06:02 . 2009-12-28 06:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-12-12 19:51 . 2009-12-12 19:51 -------- d-----w- c:\documents and settings\Cassiusregicide\Local Settings\Application Data\DOSBox

2009-12-12 19:51 . 2009-12-12 22:34 -------- d-----w- C:\Xeen

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-02 21:39 . 2009-10-07 12:04 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-12-27 03:55 . 2009-09-05 06:58 -------- d-----w- c:\documents and settings\Cassiusregicide\Application Data\vlc

2009-12-16 03:55 . 2009-09-06 06:11 -------- d-----w- c:\documents and settings\Cassiusregicide\Application Data\uTorrent

2009-12-06 15:47 . 2009-08-20 04:48 -------- d-----w- c:\program files\Microsoft Silverlight

2009-12-06 06:46 . 2009-09-23 19:06 -------- d-----w- c:\documents and settings\Cassiusregicide\Application Data\Apple Computer

2009-12-06 06:46 . 2009-09-04 19:04 69744 ----a-w- c:\documents and settings\Cassiusregicide\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-03 03:50 . 2009-12-03 03:50 -------- d-----w- c:\program files\Unitronics

2009-12-03 03:50 . 2009-12-03 03:50 -------- d-----w- c:\program files\Common Files\Unitronics

2009-12-03 03:50 . 2009-08-20 04:31 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-12-03 03:50 . 2009-08-20 04:31 -------- d-----w- c:\program files\Common Files\InstallShield

2009-11-16 04:23 . 2009-11-16 04:23 -------- d-----w- c:\documents and settings\Cassiusregicide\Application Data\runic games

2009-10-29 07:45 . 2008-04-25 20:33 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-21 05:38 . 2008-04-25 20:33 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38 . 2008-04-25 20:33 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2008-04-14 00:23 265728 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:30 . 2008-04-25 20:33 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38 . 2008-04-25 20:33 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38 . 2008-04-25 20:33 79872 ----a-w- c:\windows\system32\raschap.dll

2009-08-20 04:41 . 2009-08-20 04:41 75 --sh--r- c:\windows\CT4CET.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]

"RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]

"OA012Mon"="c:\windows\OA012Mon.exe" [2009-05-11 24576]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]

"WSED"="c:\program files\WSED\WSED.exe" [2009-03-31 251176]

"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2008-11-05 623912]

"CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-02-23 320808]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\david's programs\Itunes\iTunesHelper.exe" [2009-09-09 305440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\David's Games\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=

"c:\\David's Games\\World of Warcraft\\Launcher.exe"=

"c:\\David's Games\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"c:\\David's Programs\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\David's Programs\\Itunes\\iTunes.exe"=

"c:\\David's Games\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"c:\\David's Programs\\UTorrent\\uTorrent.exe"=

"c:\\Temp Downloads\\utorrent.exe"=

"c:\\David's Games\\Steam\\Steam.exe"=

"c:\\David's Games\\Steam\\steamapps\\common\\torchlight\\Torchlight.exe"=

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [8/19/2009 10:31 PM 14248]

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [1/4/2010 11:42 AM 207792]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/4/2010 11:44 AM 112592]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [8/19/2009 10:40 PM 143840]

R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [8/20/2009 1:08 AM 135168]

R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [8/20/2009 1:08 AM 133632]

R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [8/20/2009 1:08 AM 272032]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [8/20/2009 1:07 AM 162816]

S0 goidu;goidu;c:\windows\system32\drivers\lair.sys --> c:\windows\system32\drivers\lair.sys [?]

S0 tmxxrug;tmxxrug;c:\windows\system32\drivers\exmu.sys --> c:\windows\system32\drivers\exmu.sys [?]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/20/2009 1:07 AM 1684736]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [1/4/2010 11:42 AM 359624]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/5/2009 9:03 PM 717296]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\david'~1\MICROS~1\Office12\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

FF - ProfilePath - c:\documents and settings\Cassiusregicide\Application Data\Mozilla\Firefox\Profiles\iti6fa44.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\david's programs\Itunes\Mozilla Plugins\npitunes.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-05 11:12

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)

c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2972)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\david's programs\Alcohol 120\StarWind\StarWindServiceAE.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\igfxsrvc.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\SearchProtocolHost.exe

c:\windows\system32\SearchFilterHost.exe

.

**************************************************************************

.

Completion time: 2010-01-05 11:17:34 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-05 17:17

Pre-Run: 49,847,013,376 bytes free

Post-Run: 50,320,154,624 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 154941FEA86448E4E97674603B8A30AA


  • Staff

Hi,

Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quote box below into Notepad:

File::

c:\windows\system32\drivers\ysbptais.sys

c:\windows\system32\drivers\jrofov.sys

c:\windows\system32\drivers\jrofov(2).sys

Driver::

goidu

tmxxrug

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: CFScript.gif)

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Here is the new combofix log:

ComboFix 10-01-04.01 - Cassiusregicide 01/05/2010 12:18:37.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.561 [GMT -6:00]

Running from: c:\documents and settings\Cassiusregicide\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Cassiusregicide\Desktop\CFScript.txt

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

FILE ::

"c:\windows\system32\drivers\jrofov(2).sys"

"c:\windows\system32\drivers\jrofov.sys"

"c:\windows\system32\drivers\ysbptais.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\jrofov(2).sys

c:\windows\system32\drivers\jrofov.sys

c:\windows\system32\Drivers\tsbahhmn.sys

c:\windows\system32\drivers\ysbptais.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_goidu

-------\Service_tmxxrug

((((((((((((((((((((((((( Files Created from 2009-12-05 to 2010-01-05 )))))))))))))))))))))))))))))))

.

2010-01-04 17:51 . 2010-01-04 17:51 -------- d-----w- c:\documents and settings\Cassiusregicide\Local Settings\Application Data\Threat Expert

2010-01-04 17:44 . 2009-11-10 16:26 767952 ----a-w- c:\windows\BDTSupport.dll

2010-01-04 17:44 . 2009-11-10 16:28 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-01-04 17:44 . 2009-11-10 16:28 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-01-04 17:44 . 2009-11-10 16:28 1640400 ----a-w- c:\windows\PCTBDCore.dll

2010-01-04 17:44 . 2009-10-28 07:36 1152444 ----a-w- c:\windows\UDB.zip

2010-01-04 17:44 . 2008-11-26 18:08 131 ----a-w- c:\windows\IDB.zip

2010-01-04 17:42 . 2009-10-30 17:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-01-04 17:42 . 2009-11-09 17:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-01-04 17:42 . 2009-10-06 22:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-01-04 17:42 . 2009-09-03 15:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-01-04 17:42 . 2010-01-04 17:45 -------- d-----w- c:\program files\Common Files\PC Tools

2010-01-04 17:42 . 2010-01-04 18:00 -------- d-----w- c:\program files\Spyware Doctor

2010-01-04 17:42 . 2010-01-04 17:42 -------- d-----w- c:\documents and settings\Cassiusregicide\Application Data\PC Tools

2010-01-04 17:42 . 2010-01-04 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-01-04 17:41 . 2010-01-05 18:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-01-04 17:34 . 2010-01-04 17:34 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-01-02 15:25 . 2010-01-01 18:26 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe

2010-01-02 15:25 . 2010-01-01 18:26 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe

2010-01-02 15:25 . 2010-01-01 18:26 2033432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe

2010-01-02 15:25 . 2010-01-01 18:26 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll

2010-01-02 15:25 . 2010-01-01 18:26 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll

2010-01-02 15:25 . 2010-01-01 18:26 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll

2010-01-01 18:26 . 2010-01-01 18:26 -------- d-----w- C:\$AVG

2010-01-01 16:51 . 2010-01-01 16:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-12-28 08:25 . 2009-12-28 08:25 -------- d-----w- c:\documents and settings\Cassiusregicide\Application Data\Malwarebytes

2009-12-28 08:22 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-28 08:22 . 2009-12-28 08:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-28 08:22 . 2009-12-28 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-12-28 08:22 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-28 07:27 . 2010-01-04 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2009-12-28 07:26 . 2010-01-04 16:03 -------- d-----w- c:\windows\SxsCaPendDel

2009-12-28 06:02 . 2009-12-28 06:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-12-12 19:51 . 2009-12-12 19:51 -------- d-----w- c:\documents and settings\Cassiusregicide\Local Settings\Application Data\DOSBox

2009-12-12 19:51 . 2009-12-12 22:34 -------- d-----w- C:\Xeen

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-02 21:39 . 2009-10-07 12:04 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-12-27 03:55 . 2009-09-05 06:58 -------- d-----w- c:\documents and settings\Cassiusregicide\Application Data\vlc

2009-12-16 03:55 . 2009-09-06 06:11 -------- d-----w- c:\documents and settings\Cassiusregicide\Application Data\uTorrent

2009-12-06 15:47 . 2009-08-20 04:48 -------- d-----w- c:\program files\Microsoft Silverlight

2009-12-06 06:46 . 2009-09-23 19:06 -------- d-----w- c:\documents and settings\Cassiusregicide\Application Data\Apple Computer

2009-12-06 06:46 . 2009-09-04 19:04 69744 ----a-w- c:\documents and settings\Cassiusregicide\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-03 03:50 . 2009-12-03 03:50 -------- d-----w- c:\program files\Unitronics

2009-12-03 03:50 . 2009-12-03 03:50 -------- d-----w- c:\program files\Common Files\Unitronics

2009-12-03 03:50 . 2009-08-20 04:31 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-12-03 03:50 . 2009-08-20 04:31 -------- d-----w- c:\program files\Common Files\InstallShield

2009-11-16 04:23 . 2009-11-16 04:23 -------- d-----w- c:\documents and settings\Cassiusregicide\Application Data\runic games

2009-10-29 07:45 . 2008-04-25 20:33 916480 ------w- c:\windows\system32\wininet.dll

2009-10-21 05:38 . 2008-04-25 20:33 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38 . 2008-04-25 20:33 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2008-04-14 00:23 265728 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:30 . 2008-04-25 20:33 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38 . 2008-04-25 20:33 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38 . 2008-04-25 20:33 79872 ----a-w- c:\windows\system32\raschap.dll

2009-08-20 04:41 . 2009-08-20 04:41 75 --sh--r- c:\windows\CT4CET.bin

.

((((((((((((((((((((((((((((( SnapShot@2010-01-05_17.13.01 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-01-05 18:26 . 2010-01-05 18:26 16384 c:\windows\Temp\Perflib_Perfdata_768.dat

+ 2008-04-25 20:33 . 2010-01-05 17:17 79188 c:\windows\system32\perfc009.dat

- 2008-04-25 20:33 . 2010-01-05 17:05 79188 c:\windows\system32\perfc009.dat

+ 2008-04-25 20:33 . 2010-01-05 17:17 464078 c:\windows\system32\perfh009.dat

- 2008-04-25 20:33 . 2010-01-05 17:05 464078 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]

"RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]

"OA012Mon"="c:\windows\OA012Mon.exe" [2009-05-11 24576]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]

"WSED"="c:\program files\WSED\WSED.exe" [2009-03-31 251176]

"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2008-11-05 623912]

"CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-02-23 320808]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\david's programs\Itunes\iTunesHelper.exe" [2009-09-09 305440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\David's Games\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=

"c:\\David's Games\\World of Warcraft\\Launcher.exe"=

"c:\\David's Games\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"c:\\David's Programs\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\David's Programs\\Itunes\\iTunes.exe"=

"c:\\David's Games\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"c:\\David's Programs\\UTorrent\\uTorrent.exe"=

"c:\\Temp Downloads\\utorrent.exe"=

"c:\\David's Games\\Steam\\Steam.exe"=

"c:\\David's Games\\Steam\\steamapps\\common\\torchlight\\Torchlight.exe"=

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [8/19/2009 10:31 PM 14248]

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [1/4/2010 11:42 AM 207792]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/4/2010 11:44 AM 112592]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [8/19/2009 10:40 PM 143840]

R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [8/20/2009 1:08 AM 135168]

R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [8/20/2009 1:08 AM 133632]

R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [8/20/2009 1:08 AM 272032]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [8/20/2009 1:07 AM 162816]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/20/2009 1:07 AM 1684736]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [1/4/2010 11:42 AM 359624]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/5/2009 9:03 PM 717296]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\david'~1\MICROS~1\Office12\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

FF - ProfilePath - c:\documents and settings\Cassiusregicide\Application Data\Mozilla\Firefox\Profiles\iti6fa44.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\david's programs\Itunes\Mozilla Plugins\npitunes.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-05 12:26

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)

c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3280)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\david's programs\Alcohol 120\StarWind\StarWindServiceAE.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\SearchProtocolHost.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\SearchFilterHost.exe

c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE

.

**************************************************************************

.

Completion time: 2010-01-05 12:30:40 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-05 18:30

ComboFix2.txt 2010-01-05 17:17

Pre-Run: 50,330,357,760 bytes free

Post-Run: 50,284,322,816 bytes free

- - End Of File - - 5330470895A834424B8ED54F4D11E599


  • Staff

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


  • Staff

Glad I could help. :D

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
