
Possible rootkit or virus?



Hi and thanks for being here.

Avast found a file it said it could not scan today: "C:\WINDOWS\winstart.bat". It said: "Error: File is offline - it is currently not available (42006)." I searched my system (allowing for hidden folders) and it was not there. I searched the Net, but did not get definitive answers, i.e., "could be" rootkit, "could be" legitimate Windows folder, it is supposed to be there, it is not supposed to be there, etc. The Microsoft website identified it as a program from an earlier Windows version than mine.

I redid the Malwarebytes scan to reflect the server's regeneration this evening, as below. I was not able to complete the GMER scan after three tries. I disabled my security software first. I had to unplug my computer twice to reboot and retry. The only files it had in the viewing window were Avast program files. Then it hung up and froze. When I tried to just copy that amount, it froze.

Below are the requested DDS and MBAM reports (I see winstart.bat on the DDS):

Malwarebytes' Anti-Malware 1.44

Database version: 3631

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

1/24/2010 7:33:00 PM

mbam-log-2010-01-24 (19-33-00).txt

Scan type: Quick Scan

Objects scanned: 115115

Time elapsed: 4 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-----------

DDS (Ver_09-12-01.01) - NTFSx86

Run by Administrator at 17:59:27.92 on Sun 01/24/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1316 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SMINST\Scheduler.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Alwil Software\Avast5\avastUI.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\1-Click Answers\answers.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\PROGRA~1\1-CLIC~1\agtserv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\PDF Complete\pdfsvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Administrator\Desktop\dds program\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uSearch Bar = hxxp://www.yahoo.com/search/ie.html

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: BayScribeObj Class: {5e028439-81c7-4b82-bc74-25156306f532} - c:\program files\bayscribe\bayscribe.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

uRun: [LightScribe Control Panel] "c:\program files\common files\lightscribe\LightScribeControlPanel.exe" -hidden

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [scheduler] "c:\windows\sminst\Scheduler.exe"

mRun: [RTHDCPL] "c:\windows\RTHDCPL.EXE"

mRun: [Recguard] "c:\windows\sminst\Recguard.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\1-click answers.lnk - c:\program files\1-click answers\answers.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hp digital imaging monitor.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

IE: Answers... - file://c:\program files\1-click answers\html\atiemenu.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: bayscribe.com\secure

Trusted Zone: groupee.net\careerstep

Trusted Zone: microsoft.com

Trusted Zone: oaktranscription.com\secure

Trusted Zone: oaktranscription.com\www

Trusted Zone: yahoo.com\att.my

Trusted Zone: yahoo.com\us.mc1804.mail

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab

DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Pirateville/Images/stg_drm.ocx

DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - hxxp://download1.answers.com/pub/AnswersSetup.cab

DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab

DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Pirateville/Images/armhelper.ocx

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File

LSA: Notification Packages = scecli scecli

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\06l4gs5y.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/

FF - component: c:\program files\mozilla firefox\components\FFComm.dll

FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll

FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll

FF - plugin: c:\program files\common files\motive\npMotive.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll

FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-24 162640]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 74480]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-24 19024]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-24 40384]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-7-15 236368]

R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2008-1-18 540184]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-24 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-24 40384]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-7-15 19160]

S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]

S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\173.tmp --> c:\windows\system32\173.tmp [?]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

=============== Created Last 30 ================

2010-01-24 22:57:35 0 ----a-w- c:\documents and settings\administrator\defogger_reenable

2010-01-24 20:34:01 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2010-01-24 18:56:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

2010-01-24 17:33:44 0 d-----w- c:\windows\system32\wbem\Repository

2010-01-24 17:32:01 0 d-----w- c:\program files\iTunes

2010-01-24 17:32:01 0 d-----w- c:\program files\iPod

2010-01-24 17:31:32 0 d-----w- c:\program files\Windows Desktop Search

2010-01-24 17:31:32 0 d-----w- c:\program files\Uniblue

2010-01-24 17:30:53 0 d-----w- c:\program files\PDF Complete

2010-01-24 17:30:43 0 d-----w- c:\program files\Sophos

2010-01-24 17:30:43 0 d-----w- c:\program files\Panda Security

2010-01-24 17:30:43 0 d-----w- c:\program files\Lavasoft

2010-01-24 17:30:43 0 d-----w- c:\documents and settings\administrator\DoctorWeb

2010-01-24 01:07:22 0 d-----w- c:\program files\Uniblue(2)

2010-01-20 02:21:40 0 d-----w- c:\program files\iPod(2)

2010-01-20 02:21:37 0 d-----w- c:\program files\iTunes(2)

2010-01-18 05:59:19 28288 ----a-w- c:\windows\system32\dllcache\xjis.nls

2010-01-18 05:48:08 83748 ----a-w- c:\windows\system32\dllcache\prcp.nls

2010-01-18 05:48:08 83748 ----a-w- c:\windows\system32\dllcache\prc.nls

2010-01-18 05:42:08 47066 ----a-w- c:\windows\system32\dllcache\ksc.nls

2010-01-18 00:19:59 0 ----a-w- c:\documents and settings\administrator\settings.dat

2010-01-17 04:47:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Macrium

2010-01-17 02:37:52 0 d-----w- c:\docume~1\admini~1\applic~1\Auslogics

2010-01-17 02:37:45 0 d-----w- c:\program files\Auslogics

2010-01-17 01:29:49 0 d-----w- c:\program files\Macrium

2010-01-16 09:18:22 0 d-----w- c:\program files\Defraggler

2010-01-16 05:06:16 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2010-01-05 07:10:10 0 d-----w- c:\program files\CCleaner

2010-01-05 06:51:04 0 d-----w- c:\program files\Lunarsoft

2010-01-05 04:16:21 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2010-01-02 12:20:55 44544 ----a-w- c:\windows\system32\jgaw400.dll

==================== Find3M ====================

2010-01-24 17:38:58 81984 -c--a-w- c:\windows\system32\bdod.bin

2010-01-24 17:38:58 132 ----a-w- C:\httpdwl.dat

2010-01-14 16:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe

2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-31 15:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

2009-12-18 13:05:43 634648 ------w- c:\windows\system32\dllcache\iexplore.exe

2009-12-18 13:04:09 161792 ------w- c:\windows\system32\dllcache\ieakui.dll

2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-07 16:14:32 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-11-19 08:49:01 57236 ---ha-w- c:\windows\system32\mlfcache.dat

2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet(3).dll

2009-10-29 07:46:59 233472 ----a-w- c:\windows\system32\webcheck(2).dll

2009-10-29 07:46:58 44544 ----a-w- c:\windows\system32\pngfilt(2).dll

2009-10-29 07:46:58 1168384 ----a-w- c:\windows\system32\urlmon(3).dll

2009-10-29 07:46:58 105984 ----a-w- c:\windows\system32\url(3).dll

2009-10-29 07:46:57 477696 ----a-w- c:\windows\system32\mshtmled(2).dll

2009-10-29 07:46:50 124928 ----a-w- c:\windows\system32\advpack(2).dll

2008-04-13 15:52:42 774144 -c--a-w- c:\program files\RngInterstitial.dll

2009-07-27 03:00:34 2 --shatr- c:\windows\winstart.bat

2009-08-08 18:53:29 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

2009-05-19 21:00:46 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009051920090520\index.dat

============= FINISH: 18:00:03.35 ===============

Attach.zip
