Explorer Crashes after Antispyware Soft infection


Initial post explaining problem: http://forums.malwarebytes.org/index.php?showtopic=50639

Here are the requested logs.

Thank You!!

========

MBAM Log 1:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

5/14/2010 8:50:43 AM

mbam-log-2010-05-14 (08-50-43).txt

Scan type: Quick scan

Objects scanned: 113577

Time elapsed: 3 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

========

MBAM Log 2:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4110

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

5/17/2010 5:29:44 PM

mbam-log-2010-05-17 (17-29-44).txt

Scan type: Quick scan

Objects scanned: 116694

Time elapsed: 3 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

G:\TEMP\10C.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.

G:\TEMP\c42908b1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

======

DDS Log:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Don at 18:31:21.42 on Mon 05/17/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2538 [GMT -4:00]

AV: Sunbelt VIPRE *On-access scanning enabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

svchost.exe

svchost.exe

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

D:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe

D:\Program Files\Logitech\iTouch\iTouch.exe

C:\WINDOWS\system32\CTHELPER.EXE

D:\Program Files\Creative\Surround Mixer\CTSysVol.exe

D:\Program Files\FarStone\VirtualDrive\VDTask.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

D:\Program Files\Belkin\Nostromo\nost_LM.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Folding@home\Folding@home-x86\Folding@home.exe

svchost.exe

C:\Documents and Settings\Don\Application Data\Folding@home-x86\FahCore_78.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\system32\PnkBstrA.exe

D:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe

D:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

D:\Program Files\Raxco\PerfectDisk\PDSched.exe

D:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

D:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE

C:\Documents and Settings\Don\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

BHO: IE7Pro BHO: {00011268-e188-40df-a514-835fcd78b1bf} - d:\program files\iepro\iepro.dll

BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - d:\program files\iepro\IEProRecorder.dll

uRun: [TClockEx] d:\program files\tclockex\TCLOCKEX.EXE

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [Ai Nap] "d:\program files\asus\ai suite\ainap\AiNap.exe"

mRun: [QFan Help] "d:\program files\asus\ai suite\qfan3\QFanHelp.exe"

mRun: [Cpu Level Up help] d:\program files\asus\ai suite\CpuLevelUpHelp.exe

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [zBrowser Launcher] d:\program files\logitech\itouch\iTouch.exe

mRun: [CTHelper] CTHELPER.EXE

mRun: [CTSysVol] d:\program files\creative\surround mixer\CTSysVol.exe /r

mRun: [VirtualDrive] "d:\program files\farstone\virtualdrive\VDTask.exe" /AutoRestore

mRun: [<NO NAME>]

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [sBAMTray] "d:\program files\sunbelt software\vipre\SBAMTray.exe"

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

StartupFolder: c:\docume~1\don\startm~1\programs\startup\foldin~1.lnk - c:\docume~1\don\applic~1\microsoft\installer\{6b755ec3-c709-4f5c-bc58-bc0d3967b6b6}\_2377D972A0372FCB34E3F7.exe

StartupFolder: c:\docume~1\don\startm~1\programs\startup\shortc~1.lnk - d:\program files\deskview.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nostro~1.lnk - c:\windows\installer\{548c7b77-8b04-427e-acd0-d0e6e6e59bcf}\NewShortcut2_548C7B778B04427EACD0D0E6E6E59BCF.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\taskma~1.lnk - c:\windows\system32\taskmgr.exe

IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html

IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - d:\program files\iepro\iepro.dll

IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - d:\program files\iepro\iepro.dll

Trusted Zone: centralink.org\www

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231219257375

DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab

DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.21.0.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab

Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\don\applic~1\mozilla\firefox\profiles\7eliypcl.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - component: c:\documents and settings\don\application data\mozilla\firefox\profiles\7eliypcl.default\extensions\{7e7165e2-0767-448c-852f-5fa8714f2c37}\components\PlainOldFavorites.dll

FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll

FF - plugin: c:\documents and settings\don\application data\mozilla\firefox\profiles\7eliypcl.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: d:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-1-29 28552]

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-4-14 13400]

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-14 95024]

R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-10-2 203056]

R2 PDSched;PDScheduler;d:\program files\raxco\perfectdisk\PDSched.exe [2005-11-29 241731]

R2 SBAMSvc;VIPRE Antivirus;d:\program files\sunbelt software\vipre\SBAMSvc.exe [2010-2-21 2726000]

R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-4-14 69720]

R2 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2010-4-13 85080]

R2 SBPIMSvc;SB Recovery Service;d:\program files\sunbelt software\vipre\SBPIMSvc.exe [2010-2-21 181584]

R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [2010-4-16 36224]

R3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2009-4-6 23040]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]

R4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [2010-4-16 134912]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-8-26 133104]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-4-7 79360]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]

=============== Created Last 30 ================

2010-05-17 21:36:48 0 ----a-w- c:\documents and settings\don\defogger_reenable

2010-05-17 21:25:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-17 21:25:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-17 12:47:56 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys

2010-05-17 12:46:59 794399 -c--a-w- c:\windows\system32\dllcache\usr1806v.sys

2010-05-17 12:45:57 31744 -c--a-w- c:\windows\system32\dllcache\tp4.dll

2010-05-17 12:44:59 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys

2010-05-17 12:43:58 28672 -c--a-w- c:\windows\system32\dllcache\sma0w.dll

2010-05-17 12:42:59 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys

2010-05-17 12:41:59 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys

2010-05-17 12:40:58 86016 -c--a-w- c:\windows\system32\dllcache\pctspk.exe

2010-05-17 12:39:57 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys

2010-05-17 12:38:56 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys

2010-05-17 12:37:59 26442 -c--a-w- c:\windows\system32\dllcache\lanepic5.sys

2010-05-17 12:36:58 154496 -c--a-w- c:\windows\system32\dllcache\icam4usb.sys

2010-05-17 12:35:59 165888 -c--a-w- c:\windows\system32\dllcache\hpgt53.dll

2010-05-17 12:34:58 7040 -c--a-w- c:\windows\system32\dllcache\exabyte2.sys

2010-05-17 12:33:59 37962 -c--a-w- c:\windows\system32\dllcache\divaprop.dll

2010-05-17 12:32:59 21530 -c--a-w- c:\windows\system32\dllcache\ce2n5.sys

2010-05-17 12:31:59 24576 -c--a-w- c:\windows\system32\dllcache\agcgauge.ax

2010-05-17 12:21:57 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-02-22 01:39:16 27984 ----a-w- c:\windows\system32\sbbd.exe

2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

============= FINISH: 18:33:03.53 ===============

Attach.zip

Hello dbb! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on it.

Step 1:

Please go into the Control Panel, Add/Remove Programs, and for now remove ALL versions of JAVA.

Then run this tool to help clean up any leftover Java.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Step 2:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  • During the download, rename Combofix to Combo-Fix as follows:
    (screenshots: CF_download_FF.gif, CF_download_rename.gif)
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double-click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

In your next reply, please include these log(s) in this sequence:

  1. JavaRa log
  2. ComboFix log

Hello Borislav!!

Thank you for the help!

Here are the requested logs, gathered after removing Java.

=======

JavaRa log

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Tue May 18 17:23:12 2010

------------------------------------

Finished reporting.

=========

Combofix log

ComboFix 10-05-17.01 - Don 05/18/2010 17:39:57.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2958 [GMT -4:00]

Running from: c:\documents and settings\Don\Desktop\Combo-Fix.exe

AV: Sunbelt VIPRE *On-access scanning enabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}

.

((((((((((((((((((((((((( Files Created from 2010-04-18 to 2010-05-18 )))))))))))))))))))))))))))))))

.

2010-05-17 21:25 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-17 21:25 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-17 21:20 . 2010-05-17 21:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp

2010-05-17 12:47 . 2001-08-17 17:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys

2010-05-17 12:46 . 2001-08-17 17:28 794399 -c--a-w- c:\windows\system32\dllcache\usr1806v.sys

2010-05-17 12:45 . 2001-08-18 02:36 31744 -c--a-w- c:\windows\system32\dllcache\tp4.dll

2010-05-17 12:44 . 2008-04-14 04:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys

2010-05-17 12:43 . 2001-08-18 02:36 28672 -c--a-w- c:\windows\system32\dllcache\sma0w.dll

2010-05-17 12:42 . 2001-08-17 17:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys

2010-05-17 12:41 . 2001-08-17 17:28 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys

2010-05-17 12:40 . 2001-08-18 02:36 86016 -c--a-w- c:\windows\system32\dllcache\pctspk.exe

2010-05-17 12:39 . 2001-08-17 16:20 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys

2010-05-17 12:38 . 2001-08-17 18:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys

2010-05-17 12:37 . 2001-08-17 16:12 26442 -c--a-w- c:\windows\system32\dllcache\lanepic5.sys

2010-05-17 12:36 . 2001-08-17 18:06 154496 -c--a-w- c:\windows\system32\dllcache\icam4usb.sys

2010-05-17 12:35 . 2001-08-18 02:36 165888 -c--a-w- c:\windows\system32\dllcache\hpgt53.dll

2010-05-17 12:34 . 2001-08-17 17:52 7040 -c--a-w- c:\windows\system32\dllcache\exabyte2.sys

2010-05-17 12:33 . 2001-08-18 02:36 37962 -c--a-w- c:\windows\system32\dllcache\divaprop.dll

2010-05-17 12:32 . 2001-08-17 16:13 21530 -c--a-w- c:\windows\system32\dllcache\ce2n5.sys

2010-05-17 12:31 . 2008-04-14 09:41 3775 -c--a-w- c:\windows\system32\dllcache\adv11nt5.dll

2010-05-17 12:21 . 2010-05-17 12:21 -------- d-----w- c:\windows\system32\wbem\Repository

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-17 21:23 . 2009-08-27 03:00 -------- d-----w- c:\program files\Google

2010-05-17 12:21 . 2010-01-29 04:25 -------- d-----w- c:\program files\Panda Security

2010-05-09 15:27 . 2009-01-06 05:43 -------- d-----w- c:\documents and settings\Don\Application Data\Folding@home-x86

2010-04-18 01:52 . 2010-01-30 18:55 1 ----a-w- c:\documents and settings\Don\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-04-17 02:38 . 2009-05-24 23:21 -------- d-----w- c:\documents and settings\Don\Application Data\FileZilla

2010-04-17 01:39 . 2010-04-17 01:27 -------- d-----w- c:\documents and settings\Don\Application Data\ArcSoft

2010-04-17 01:38 . 2010-04-17 01:28 -------- d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft

2010-04-17 01:33 . 2009-01-06 04:14 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-04-17 01:28 . 2010-04-17 01:28 -------- d-----w- c:\program files\Common Files\ArcSoft

2010-04-13 22:37 . 2010-04-13 22:37 -------- d-----w- c:\documents and settings\Don\Application Data\GrabPro

2010-04-13 22:33 . 2010-04-13 22:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\MiniDm

2010-04-13 22:33 . 2010-04-13 22:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\IEPro

2010-03-19 01:16 . 2010-03-19 01:16 1656832 ----a-w- c:\documents and settings\Don\Application Data\Folding@home-x86\FahCore_a0.exe

2010-03-19 01:16 . 2010-03-19 01:16 1382280 ----a-w- c:\documents and settings\Don\Application Data\Folding@home-x86\libfftw3f-3.dll

2010-02-22 01:39 . 2010-02-22 01:39 27984 ----a-w- c:\windows\system32\sbbd.exe

2010-02-22 00:30 . 2010-04-13 22:34 85080 ----a-w- c:\windows\system32\drivers\sbhips.sys

2006-05-03 10:06 . 2009-09-10 04:29 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 11:47 . 2009-09-10 04:29 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 13:30 . 2009-09-10 04:29 216064 --sh--r- c:\windows\system32\nbDX.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TClockEx"="d:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

"Ai Nap"="d:\program files\ASUS\AI Suite\AiNap\AiNap.exe" [2008-05-26 1423360]

"QFan Help"="d:\program files\ASUS\AI Suite\QFan3\QFanHelp.exe" [2008-05-06 594432]

"Cpu Level Up help"="d:\program files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2007-12-01 881152]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"zBrowser Launcher"="d:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]

"CTHelper"="CTHELPER.EXE" [2009-03-04 19456]

"CTSysVol"="d:\program files\Creative\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"VirtualDrive"="d:\program files\FarStone\VirtualDrive\VDTask.exe" [2008-11-06 166416]

"SBAMTray"="d:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-02-22 1291600]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]

c:\documents and settings\Don\Start Menu\Programs\Startup\

Folding@home.lnk - c:\documents and settings\Don\Application Data\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_2377D972A0372FCB34E3F7.exe [2009-1-6 98477]

Shortcut to deskview.lnk - d:\program files\deskview.exe [2009-1-9 36864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Nostromo Loadout Manager.lnk - c:\windows\Installer\{548C7B77-8B04-427E-ACD0-D0E6E6E59BCF}\NewShortcut2_548C7B778B04427EACD0D0E6E6E59BCF.exe [2009-4-6 45056]

Task Manager.lnk - c:\windows\system32\taskmgr.exe [2008-4-14 135680]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"e:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=

"e:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

"c:\\Documents and Settings\\Don\\Desktop\\WallWatcher\\WallWatcher.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"e:\\Program Files\\Codemasters\\DiRT Demo\\DiRTDemo.exe"=

"d:\\Program Files\\IEPro\\MiniDM.exe"=

"e:\\Makena\\There\\ThereClient\\There.exe"=

"e:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe"=

"e:\\Program Files\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe"=

"e:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"21:TCP"= 21:TCP:FTP

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/29/2010 12:25 AM 28552]

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [4/14/2010 5:57 PM 13400]

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/14/2009 3:39 AM 95024]

R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [10/2/2009 7:50 PM 203056]

R2 PDSched;PDScheduler;d:\program files\Raxco\PerfectDisk\PDSched.exe [11/29/2005 11:16 AM 241731]

R2 SBAMSvc;VIPRE Antivirus;d:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [2/21/2010 9:40 PM 2726000]

R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [4/14/2010 5:59 PM 69720]

R2 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [4/13/2010 6:34 PM 85080]

R2 SBPIMSvc;SB Recovery Service;d:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe [2/21/2010 9:39 PM 181584]

R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [4/16/2010 9:28 PM 36224]

R3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [4/6/2009 10:24 PM 23040]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/4/2009 2:42 PM 99352]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/4/2009 2:42 PM 555032]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/4/2009 2:42 PM 566296]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/26/2009 11:00 PM 133104]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/4/2009 2:42 PM 99352]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [4/7/2009 7:01 PM 79360]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/4/2009 2:42 PM 555032]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/4/2009 2:42 PM 100888]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/4/2009 2:42 PM 100888]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/4/2009 2:42 PM 566296]

S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [4/16/2010 9:28 PM 134912]

--- Other Services/Drivers In Memory ---

*Deregistered* - ArcRec

.

Contents of the 'Scheduled Tasks' folder

2010-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-27 03:00]

2010-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-27 03:00]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

Trusted Zone: centralink.org\www

DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.21.0.cab

FF - ProfilePath - c:\documents and settings\Don\Application Data\Mozilla\Firefox\Profiles\7eliypcl.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - component: c:\documents and settings\Don\Application Data\Mozilla\Firefox\Profiles\7eliypcl.default\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}\components\PlainOldFavorites.dll

FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll

FF - plugin: c:\documents and settings\Don\Application Data\Mozilla\Firefox\Profiles\7eliypcl.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: d:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

AddRemove-WZCLINE - d:\program files\WinZip\winzip32

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-18 17:48

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89D81CEC]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\atapi -> atapi.sys @ 0xb9f11852

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xb9ddfbb0

PacketIndicateHandler -> NDIS.sys @ 0xb9deca21

SendHandler -> NDIS.sys @ 0xb9dca87b

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(776)

c:\windows\system32\WININET.dll

.

Completion time: 2010-05-18 17:52:06

ComboFix-quarantined-files.txt 2010-05-18 21:51

Pre-Run: 22,031,122,432 bytes free

Post-Run: 22,482,903,040 bytes free

- - End Of File - - FD78B0290260FFF2AF8136618A327C81


Step 1:

Please upload this file to www.virustotal.com and post the result in your next reply:

c:\windows\system32\sbbd.exe

Step 2:

Please read the following through carefully so that you understand what to do.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


Hello.

Here are the results:

Thank You!

VirusTotal - sbbd.exe file

================

Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.05.10 -

AhnLab-V3 2010.05.19.03 2010.05.19 -

AntiVir 8.2.1.242 2010.05.19 -

Antiy-AVL 2.0.3.7 2010.05.19 -

Authentium 5.2.0.5 2010.05.19 -

Avast 4.8.1351.0 2010.05.19 -

Avast5 5.0.332.0 2010.05.19 -

AVG 9.0.0.787 2010.05.19 -

BitDefender 7.2 2010.05.19 -

CAT-QuickHeal 10.00 2010.05.19 -

ClamAV 0.96.0.3-git 2010.05.19 -

Comodo 4887 2010.05.19 -

DrWeb 5.0.2.03300 2010.05.19 -

eSafe 7.0.17.0 2010.05.17 -

eTrust-Vet 35.2.7498 2010.05.19 -

F-Prot 4.5.1.85 2010.05.19 -

F-Secure 9.0.15370.0 2010.05.19 -

Fortinet 4.1.133.0 2010.05.19 -

GData 21 2010.05.19 -

Ikarus T3.1.1.84.0 2010.05.19 -

Jiangmin 13.0.900 2010.05.19 -

Kaspersky 7.0.0.125 2010.05.19 -

McAfee 5.400.0.1158 2010.05.19 -

McAfee-GW-Edition 2010.1 2010.05.19 -

Microsoft 1.5802 2010.05.18 -

NOD32 5130 2010.05.19 -

Norman 6.04.12 2010.05.19 -

nProtect 2010-05-19.02 2010.05.19 -

PCTools 7.0.3.5 2010.05.19 -

Prevx 3.0 2010.05.19 -

Rising 22.48.02.04 2010.05.19 -

Sophos 4.53.0 2010.05.19 -

Sunbelt 6324 2010.05.19 -

Symantec 20101.1.0.89 2010.05.19 -

TheHacker 6.5.2.0.283 2010.05.19 -

TrendMicro 9.120.0.1004 2010.05.19 -

TrendMicro-HouseCall 9.120.0.1004 2010.05.19 -

VBA32 3.12.12.5 2010.05.19 -

ViRobot 2010.5.19.2324 2010.05.19 -

VirusBuster 5.0.27.0 2010.05.19 -

Additional information

File size: 27984 bytes

MD5...: 45b665c80211599db14b96acbd73ace6

SHA1..: fc09ca713cef953cbf888fb2d72e512de9b8eb4f

SHA256: 2e9a21222e326cf2f8ea9de7e3f67325c45d39fc6b813c0158684f6cb87c1b9b

ssdeep: 384:c3OtQBmj5vO3AqJYHVcuFdeIIzMueE1piAYp7DaYJLFCwebC51o:nQGtquHetIIAueyif7vLIwebCro

PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x2fa6

timedatestamp.....: 0x4b81e99a (Mon Feb 22 02:19:06 2010)

machinetype.......: 0x14c (I386)

( 4 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x4590 0x4600 5.87 928b778a324155f0b6320c7217fcc0ea

.data 0x6000 0x24a8 0x200 0.59 7777dadd8eb2518d59f74aba105e6366

.rsrc 0x9000 0x548 0x600 3.83 42b504aecff60111635c734643941c63

.reloc 0xa000 0x490 0x600 3.44 6d4a516806942dcb8243cdee99023013

( 1 imports )

> ntdll.dll: memcpy, RtlFreeHeap, RtlQueryRegistryValues, RtlAllocateHeap, memset, ZwClose, _snwprintf, ZwCreateFile, RtlUnicodeStringToInteger, _wcsupr, ZwSetValueKey, ZwCreateKey, RtlInitUnicodeString, NtTerminateProcess, RtlDestroyHeap, RtlCreateHeap, memmove, RtlFreeAnsiString, ZwWriteFile, RtlUnicodeStringToAnsiString, RtlCompareUnicodeString, RtlUpcaseUnicodeChar, ZwReadFile, ZwQueryInformationFile, ZwSetInformationFile, ZwDeleteFile, NtDisplayString, ZwQueryValueKey, RtlAppendUnicodeToString, ZwDeviceIoControlFile, ZwLoadDriver, RtlAdjustPrivilege, RtlUnwind

( 0 exports )

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Win32 Executable Generic (68.0%)

Generic Win/DOS Executable (15.9%)

DOS Executable Generic (15.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

sigcheck:

publisher....: Sunbelt Software

copyright....: Copyright © 2002-2010 Sunbelt Software. All rights reserved.

product......: Sunbelt AntiMalware Common SDK Merge Module

description..: Boot Delete Utility

original name: SBBD.exe

internal name: SBBD.exe

file version.: 4.0.3248

comments.....: n/a

signers......: Sunbelt Software, Inc.

VeriSign Class 3 Code Signing 2009-2 CA

Class 3 Public Primary Certification Authority

signing date.: 4:39 AM 2/22/2010

verified.....: -

TDSS KILLER Log file

==============

17:31:04:953 0800 TDSS rootkit removing tool 2.3.0.0 May 12 2010 18:11:17

17:31:04:953 0800 ================================================================================

17:31:04:953 0800 SystemInfo:

17:31:04:953 0800 OS Version: 5.1.2600 ServicePack: 3.0

17:31:04:953 0800 Product type: Workstation

17:31:04:953 0800 ComputerName: CHAOS

17:31:04:953 0800 UserName: Don

17:31:04:953 0800 Windows directory: C:\WINDOWS

17:31:04:953 0800 Processor architecture: Intel x86

17:31:04:953 0800 Number of processors: 2

17:31:04:953 0800 Page size: 0x1000

17:31:04:953 0800 Boot type: Safe boot with network

17:31:04:953 0800 ================================================================================

17:31:04:984 0800 UnloadDriverW: NtUnloadDriver error 2

17:31:04:984 0800 ForceUnloadDriverW: UnloadDriverW(klmd23) error 2

17:31:05:015 0800 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

17:31:05:015 0800 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

17:31:05:015 0800 wfopen_ex: Trying to KLMD file open

17:31:05:015 0800 wfopen_ex: File opened ok (Flags 2)

17:31:05:015 0800 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

17:31:05:015 0800 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

17:31:05:015 0800 wfopen_ex: Trying to KLMD file open

17:31:05:015 0800 wfopen_ex: File opened ok (Flags 2)

17:31:05:015 0800 KLAVA engine initialized

17:31:05:359 0800 Initialize success

17:31:05:359 0800

17:31:05:359 0800 Scanning Services ...

17:31:05:671 0800 Raw services enum returned 355 services

17:31:05:687 0800

17:31:05:687 0800 Scanning Drivers ...

17:31:05:984 0800 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

17:31:06:015 0800 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

17:31:06:046 0800 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

17:31:06:078 0800 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\WINDOWS\system32\drivers\Afc.sys

17:31:06:125 0800 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

17:31:06:171 0800 ArcCD (a82f1a1b09593c73efd02a59dc94920c) C:\WINDOWS\system32\drivers\ArcCD.sys

17:31:06:171 0800 ArcRec (1af9061b61741a912368ab4dc309d25e) C:\WINDOWS\system32\drivers\ArcRec.sys

17:31:06:187 0800 ArcUdfs (3ee9e41102a2c6b8f7dbad5d44abda05) C:\WINDOWS\system32\drivers\ArcUdfs.sys

17:31:06:234 0800 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

17:31:06:281 0800 AsIO (2b4e66fac6503494a2c6f32bb6ab3826) C:\WINDOWS\system32\drivers\AsIO.sys

17:31:06:281 0800 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

17:31:06:312 0800 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

17:31:06:406 0800 ati2mtag (15b2fe76e2eceb98c49ed52311a6f26f) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

17:31:06:453 0800 AtiHdmiService (dc6957811ff95f2dd3004361b20d8d3f) C:\WINDOWS\system32\drivers\AtiHdmi.sys

17:31:06:484 0800 ATITool (0e4bb35c5305099ac82053ac992e3e0e) C:\WINDOWS\system32\DRIVERS\ATITool.sys

17:31:06:515 0800 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

17:31:06:546 0800 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

17:31:06:562 0800 bcgame (a840dcce93c91fc4f69c04a42cd7a180) C:\WINDOWS\system32\drivers\bcgame.sys

17:31:06:593 0800 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

17:31:06:625 0800 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

17:31:06:640 0800 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

17:31:06:640 0800 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

17:31:06:703 0800 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

17:31:06:734 0800 COMMONFX (22f8692fd3e017ead334945b3199b0e3) C:\WINDOWS\system32\drivers\COMMONFX.SYS

17:31:06:750 0800 COMMONFX.SYS (22f8692fd3e017ead334945b3199b0e3) C:\WINDOWS\System32\drivers\COMMONFX.SYS

17:31:06:765 0800 ctac32k (aa7e939bc07965a807c6ac2f1d4d22b7) C:\WINDOWS\system32\drivers\ctac32k.sys

17:31:06:796 0800 ctaud2k (79e7abbf928d8a8002ebba0985905dc1) C:\WINDOWS\system32\drivers\ctaud2k.sys

17:31:06:812 0800 CTAUDFX (6d98048890b44191e0daed4639a9f18c) C:\WINDOWS\system32\drivers\CTAUDFX.SYS

17:31:06:812 0800 CTAUDFX.SYS (6d98048890b44191e0daed4639a9f18c) C:\WINDOWS\System32\drivers\CTAUDFX.SYS

17:31:06:843 0800 ctdvda2k (a216c8698c4406a031af6f867afe4f92) C:\WINDOWS\system32\drivers\ctdvda2k.sys

17:31:06:859 0800 CTERFXFX (5192225e2adfd36d0fc7d61b8e0bae87) C:\WINDOWS\system32\drivers\CTERFXFX.SYS

17:31:06:859 0800 CTERFXFX.SYS (5192225e2adfd36d0fc7d61b8e0bae87) C:\WINDOWS\System32\drivers\CTERFXFX.SYS

17:31:06:875 0800 ctprxy2k (ce3395b054b641e454c8861020ff1d82) C:\WINDOWS\system32\drivers\ctprxy2k.sys

17:31:06:890 0800 CTSBLFX (8750c640d3068861117fa9166b8aecde) C:\WINDOWS\system32\drivers\CTSBLFX.SYS

17:31:06:921 0800 CTSBLFX.SYS (8750c640d3068861117fa9166b8aecde) C:\WINDOWS\System32\drivers\CTSBLFX.SYS

17:31:06:937 0800 ctsfm2k (01b9017d05d82b6fbcd5cecce93f3aa7) C:\WINDOWS\system32\drivers\ctsfm2k.sys

17:31:06:953 0800 Defrag32 (e511e32308414829d38a4ecc3dd66aa1) C:\WINDOWS\system32\drivers\Defrag32.sys

17:31:06:953 0800 Defrag32b (48ba6646b3a17f0e7ffdeb020309846f) C:\WINDOWS\system32\drivers\Defrag32b.sys

17:31:06:984 0800 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

17:31:07:015 0800 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

17:31:07:062 0800 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

17:31:07:078 0800 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

17:31:07:093 0800 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

17:31:07:125 0800 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

17:31:07:140 0800 emupia (71b09041642de925e6150eb525dcc3bf) C:\WINDOWS\system32\drivers\emupia2k.sys

17:31:07:171 0800 ENTECH (16ebd8bf1d5090923694cc972c7ce1b4) C:\WINDOWS\system32\DRIVERS\ENTECH.sys

17:31:07:218 0800 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

17:31:07:234 0800 fcdabus (985709505c80b88c1b41908c0075ca0d) C:\WINDOWS\system32\DRIVERS\fcdabus.sys

17:31:07:250 0800 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

17:31:07:265 0800 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

17:31:07:281 0800 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

17:31:07:328 0800 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

17:31:07:343 0800 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

17:31:07:375 0800 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

17:31:07:421 0800 FVXSCSI (8e2be5233c88a50ee69442b4a4937fce) C:\WINDOWS\system32\DRIVERS\fvxscsi.sys

17:31:07:437 0800 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys

17:31:07:468 0800 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

17:31:07:515 0800 ha10kx2k (2e37c43fb534f1d85dcf552d5b2af9ba) C:\WINDOWS\system32\drivers\ha10kx2k.sys

17:31:07:531 0800 hap16v2k (607b73dc2a69a98c7f10b5702d947319) C:\WINDOWS\system32\drivers\hap16v2k.sys

17:31:07:546 0800 hap17v2k (f674eeaa2d1ed14606aedfed65c34893) C:\WINDOWS\system32\drivers\hap17v2k.sys

17:31:07:578 0800 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

17:31:07:593 0800 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

17:31:07:625 0800 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys

17:31:07:656 0800 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

17:31:07:671 0800 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

17:31:07:718 0800 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

17:31:07:734 0800 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

17:31:07:765 0800 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

17:31:07:781 0800 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

17:31:07:796 0800 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

17:31:07:828 0800 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

17:31:07:859 0800 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

17:31:07:875 0800 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

17:31:07:906 0800 itchfltr (8f1ba487b35f0c8f637e05113aa815f8) C:\WINDOWS\system32\DRIVERS\itchfltr.sys

17:31:07:937 0800 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

17:31:07:968 0800 kbdhid (bb6275fcada09e6f2eff467c746733e1) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

17:31:07:968 0800 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdhid.sys. Real md5: bb6275fcada09e6f2eff467c746733e1, Fake md5: 9ef487a186dea361aa06913a75b3fa99

17:31:07:968 0800 File "C:\WINDOWS\system32\DRIVERS\kbdhid.sys" infected by TDSS rootkit ... 17:31:08:718 0800 Backup copy found, using it..

17:31:08:718 0800 will be cured on next reboot

17:31:08:828 0800 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

17:31:08:843 0800 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

17:31:08:875 0800 LwUsbHid (066ed0baa4faeb1475b9f06b8c319fc6) C:\WINDOWS\system32\DRIVERS\LwUsbHid.sys

17:31:08:906 0800 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

17:31:08:937 0800 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

17:31:08:968 0800 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

17:31:09:000 0800 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

17:31:09:015 0800 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

17:31:09:031 0800 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

17:31:09:062 0800 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

17:31:09:078 0800 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

17:31:09:093 0800 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

17:31:09:109 0800 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

17:31:09:125 0800 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

17:31:09:140 0800 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

17:31:09:171 0800 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys

17:31:09:203 0800 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

17:31:09:234 0800 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

17:31:09:250 0800 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

17:31:09:265 0800 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

17:31:09:265 0800 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

17:31:09:281 0800 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

17:31:09:312 0800 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

17:31:09:343 0800 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

17:31:09:359 0800 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

17:31:09:375 0800 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

17:31:09:390 0800 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

17:31:09:421 0800 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

17:31:09:453 0800 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

17:31:09:453 0800 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

17:31:09:484 0800 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

17:31:09:515 0800 ossrv (e852a590216f0da2b94df5a937585554) C:\WINDOWS\system32\drivers\ctoss2k.sys

17:31:09:546 0800 PalmUSBD (f49e3b9fb2dd84fca2f6310a147c43fe) C:\WINDOWS\system32\drivers\PalmUSBD.sys

17:31:09:578 0800 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

17:31:09:593 0800 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

17:31:09:609 0800 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

17:31:09:640 0800 pavboot (3adb8bd6154a3ef87496e8fce9c22493) C:\WINDOWS\system32\drivers\pavboot.sys

17:31:09:656 0800 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

17:31:09:687 0800 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

17:31:09:718 0800 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

17:31:09:765 0800 PfModNT (e4b7b7c29d7bf6b8f262231213d2504a) C:\WINDOWS\system32\drivers\PfModNT.sys

17:31:09:812 0800 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

17:31:09:812 0800 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

17:31:09:828 0800 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

17:31:09:843 0800 PxHelp20 (b572ed0c3e6165643fa116af20425a54) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys

17:31:09:890 0800 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

17:31:09:906 0800 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

17:31:09:906 0800 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

17:31:09:906 0800 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

17:31:09:953 0800 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

17:31:09:984 0800 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

17:31:10:000 0800 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

17:31:10:015 0800 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

17:31:10:062 0800 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

17:31:10:078 0800 RTLE8023xp (89619ef503f949fae09252a8b883ee11) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys

17:31:10:093 0800 sbaphd (ac62ea25bea53ced3ba537324c5714d4) C:\WINDOWS\system32\drivers\sbaphd.sys

17:31:10:125 0800 sbapifs (9215ce4563c5d1e402c85e5cfbf51488) C:\WINDOWS\system32\drivers\sbapifs.sys

17:31:10:171 0800 sbhips (fef084bbf0a59081b6a0d119290a0b58) C:\WINDOWS\system32\drivers\sbhips.sys

17:31:10:203 0800 SBRE (06cf3163f98aa1b8b6812b7d2d60941a) C:\WINDOWS\system32\drivers\SBREdrv.sys

17:31:10:265 0800 sbtis (cf0ae6434a4c37a1232cfd71a31813b4) C:\WINDOWS\system32\drivers\sbtis.sys

17:31:10:296 0800 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

17:31:10:328 0800 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

17:31:10:359 0800 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

17:31:10:375 0800 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

17:31:10:406 0800 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

17:31:10:437 0800 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

17:31:10:484 0800 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys

17:31:10:484 0800 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

17:31:10:500 0800 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

17:31:10:531 0800 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

17:31:10:593 0800 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

17:31:10:625 0800 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

17:31:10:625 0800 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

17:31:10:656 0800 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

17:31:10:687 0800 truecrypt (db0815523ac07445a2f09dcd2acea8c3) C:\WINDOWS\system32\drivers\truecrypt.sys

17:31:10:718 0800 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

17:31:10:750 0800 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

17:31:10:796 0800 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

17:31:10:828 0800 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

17:31:10:828 0800 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

17:31:10:859 0800 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

17:31:10:875 0800 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

17:31:10:890 0800 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

17:31:10:921 0800 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

17:31:10:953 0800 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

17:31:10:968 0800 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

17:31:10:984 0800 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

17:31:11:015 0800 WmBEnum (1abfd1399436e81c9d857f5fc76eaf98) C:\WINDOWS\system32\drivers\WmBEnum.sys

17:31:11:015 0800 WmVirHid (a40d2dd0f019423ef6c363f1295eb38d) C:\WINDOWS\system32\drivers\WmVirHid.sys

17:31:11:031 0800 WmXlCore (2bf505424f469155cd90d7b3301d7adc) C:\WINDOWS\system32\drivers\WmXlCore.sys

17:31:11:031 0800 Reboot required for cure complete..

17:31:11:062 0800 Cure on reboot scheduled successfully

17:31:11:062 0800

17:31:11:062 0800 Completed

17:31:11:062 0800

17:31:11:062 0800 Results:

17:31:11:062 0800 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

17:31:11:062 0800 File objects infected / cured / cured on reboot: 1 / 0 / 1

17:31:11:062 0800

17:31:11:062 0800 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

17:31:11:062 0800 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

17:31:11:062 0800 UnloadDriverW: NtUnloadDriver error 1

17:31:11:062 0800 KLMD(ARK) unloaded successfully

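The two artifacts in the post above, the VirusTotal text report and the TDSSKiller log, are exactly what Step 1 and Step 2 of the helper's instructions asked for, and both are plain text that a responder ends up reading by hand. What follows is an added example, not code from this thread, from VirusTotal or from Kaspersky's TDSSKiller, of how to triage such dumps programmatically: count engine verdicts and pull the signer fields out of the VirusTotal report (zero hits plus a "Sunbelt Software, Inc." signer is what marks sbbd.exe as a legitimate VIPRE component), and in the TDSSKiller log pick out the "Suspicious file (Forged)" lines, which report two different MD5s for one driver, together with the "Results" counters that say whether a reboot is still pending. The embedded sample text is a constructed excerpt modelled on the posted logs, and the function and field names are this example's own.

```python
"""Triage helpers for the two text artifacts posted in this thread: a
VirusTotal plain-text report and a TDSSKiller 2.x log.  Added example; not
code from the thread, from VirusTotal or from TDSSKiller.  The samples below
are constructed excerpts modelled on the posted logs."""
import re
from dataclasses import dataclass, field

# Constructed excerpt of a VirusTotal text report (engine rows, then metadata).
VT_SAMPLE = """
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.10 -
AhnLab-V3 2010.05.19.03 2010.05.19 -
Kaspersky 7.0.0.125 2010.05.19 -
Microsoft 1.5802 2010.05.18 -
Additional information
File size: 27984 bytes
MD5...: 45b665c80211599db14b96acbd73ace6
sigcheck:
publisher....: Sunbelt Software
signers......: Sunbelt Software, Inc.
verified.....: -
"""

# Constructed excerpt of a TDSSKiller log; raw string so paths keep their backslashes.
TDSS_SAMPLE = r"""
17:31:07:937 0800 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
17:31:07:968 0800 kbdhid (bb6275fcada09e6f2eff467c746733e1) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
17:31:07:968 0800 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdhid.sys. Real md5: bb6275fcada09e6f2eff467c746733e1, Fake md5: 9ef487a186dea361aa06913a75b3fa99
17:31:07:968 0800 File "C:\WINDOWS\system32\DRIVERS\kbdhid.sys" infected by TDSS rootkit ... 17:31:08:718 0800 Backup copy found, using it..
17:31:11:062 0800 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:31:11:062 0800 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# One engine row: name, engine version, signature date, verdict ('-' means clean).
VT_ROW = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+)$")

def vt_summary(report: str) -> dict:
    """Count engine rows, collect non-clean verdicts, and keep the
    'key...: value' metadata fields (MD5, signers, verified, ...)."""
    engines, hits, meta = 0, [], {}
    for line in report.splitlines():
        m = VT_ROW.match(line)
        if m:
            engines += 1
            verdict = m.group(4).strip()
            if verdict != "-":
                hits.append((m.group(1), verdict))
            continue
        if ":" in line:
            key, _, val = line.partition(":")
            meta[key.strip(". ")] = val.strip()     # 'MD5...' -> 'MD5'
    return {"engines": engines, "hits": hits,
            "md5": meta.get("MD5", ""), "signer": meta.get("signers", ""),
            "verified": meta.get("verified", "")}

TS = r"\d{2}:\d{2}:\d{2}:\d{3} \d{4} "          # 'hh:mm:ss:ms pid ' line prefix
DRIVER_ROW = re.compile(TS + r"(\S+) \(([0-9a-f]{32})\) (\S.*)$")
FORGED = re.compile(TS + r"Suspicious file \(Forged\): (.+?)\. "
                         r"Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})")
RESULTS = re.compile(TS + r"(Registry|File) objects infected / cured / "
                          r"cured on reboot: (\d+) / (\d+) / (\d+)")

@dataclass
class TdssFindings:
    drivers: dict = field(default_factory=dict)   # service name -> (md5, path)
    forged: list = field(default_factory=list)    # (path, real_md5, fake_md5)
    results: dict = field(default_factory=dict)   # 'File' -> (infected, cured, on_reboot)

def parse_tdsskiller(log: str) -> TdssFindings:
    out = TdssFindings()
    for line in log.splitlines():
        if m := DRIVER_ROW.match(line):
            out.drivers[m.group(1)] = (m.group(2), m.group(3))
        elif m := FORGED.match(line):
            out.forged.append((m.group(1), m.group(2), m.group(3)))
        elif m := RESULTS.match(line):
            out.results[m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4))
    return out

def forged_hidden_from_inventory(f: TdssFindings) -> list:
    """Forged drivers whose hash in the plain driver listing equals one of the
    two hashes TDSSKiller reported: the listing alone looked normal, and only
    the second view of the file exposed the mismatch."""
    by_path = {path.lower(): md5 for md5, path in f.drivers.values()}
    return [path for path, real, fake in f.forged
            if by_path.get(path.lower()) in (real, fake)]

def needs_reboot(f: TdssFindings) -> bool:
    """True while any object is still queued for 'cure on reboot'."""
    return any(on_reboot > 0 for _, _, on_reboot in f.results.values())

if __name__ == "__main__":
    print(vt_summary(VT_SAMPLE))
    t = parse_tdsskiller(TDSS_SAMPLE)
    print(t.forged, forged_hidden_from_inventory(t), needs_reboot(t))
```

On the posted log, the inventory line for kbdhid.sys carries the same MD5 that TDSSKiller later labels "Real md5", so a hash listing of the drivers directory on its own would not have flagged anything; the forged-file check, which compares two independent reads of the same file, is the indicator to key on, and the "1 / 0 / 1" results line is the reason the tool insisted on a reboot before the cure took effect.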

Thanks!

Please delete your copy of ComboFix and then:

**Note: If you need more detailed information, please visit the web page of ComboFix on BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions, and please do not do any fixing on your own or run scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:
     (screenshots of the Firefox download dialog and of the rename step omitted)
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

-----------------------------------------------------------

  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.**


Hello Borislav ,

The Explorer crashes have stopped since running TDSSKiller.

I deleted the existing combo-fix.exe from the desktop and downloaded a fresh version as instructed.

Below is the log file.

Thank you VERY much !!!

ComboFix 10-05-20.04 - Don 05/20/2010 16:50:22.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2970 [GMT -4:00]

Running from: c:\documents and settings\Don\Desktop\Combo-Fix.exe

AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2010-04-20 to 2010-05-20 )))))))))))))))))))))))))))))))

.

2010-05-17 21:25 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-17 21:25 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-17 21:20 . 2010-05-17 21:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp

2010-05-17 12:47 . 2001-08-17 17:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys

2010-05-17 12:46 . 2001-08-17 17:28 794399 -c--a-w- c:\windows\system32\dllcache\usr1806v.sys

2010-05-17 12:45 . 2001-08-18 02:36 31744 -c--a-w- c:\windows\system32\dllcache\tp4.dll

2010-05-17 12:44 . 2008-04-14 04:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys

2010-05-17 12:43 . 2001-08-18 02:36 28672 -c--a-w- c:\windows\system32\dllcache\sma0w.dll

2010-05-17 12:42 . 2001-08-17 17:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys

2010-05-17 12:41 . 2001-08-17 17:28 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys

2010-05-17 12:40 . 2001-08-18 02:36 86016 -c--a-w- c:\windows\system32\dllcache\pctspk.exe

2010-05-17 12:39 . 2001-08-17 16:20 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys

2010-05-17 12:38 . 2001-08-17 18:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys

2010-05-17 12:37 . 2001-08-17 16:12 26442 -c--a-w- c:\windows\system32\dllcache\lanepic5.sys

2010-05-17 12:36 . 2001-08-17 18:06 154496 -c--a-w- c:\windows\system32\dllcache\icam4usb.sys

2010-05-17 12:35 . 2001-08-18 02:36 165888 -c--a-w- c:\windows\system32\dllcache\hpgt53.dll

2010-05-17 12:34 . 2001-08-17 17:52 7040 -c--a-w- c:\windows\system32\dllcache\exabyte2.sys

2010-05-17 12:33 . 2001-08-18 02:36 37962 -c--a-w- c:\windows\system32\dllcache\divaprop.dll

2010-05-17 12:32 . 2001-08-17 16:13 21530 -c--a-w- c:\windows\system32\dllcache\ce2n5.sys

2010-05-17 12:31 . 2008-04-14 09:41 3775 -c--a-w- c:\windows\system32\dllcache\adv11nt5.dll

2010-05-17 12:21 . 2010-05-17 12:21 -------- d-----w- c:\windows\system32\wbem\Repository

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-19 21:32 . 2009-04-07 02:24 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-05-18 22:03 . 2009-01-06 05:43 -------- d-----w- c:\documents and settings\Don\Application Data\Folding@home-x86

2010-05-17 21:23 . 2009-08-27 03:00 -------- d-----w- c:\program files\Google

2010-05-17 12:21 . 2010-01-29 04:25 -------- d-----w- c:\program files\Panda Security

2010-04-18 01:52 . 2010-01-30 18:55 1 ----a-w- c:\documents and settings\Don\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-04-17 02:38 . 2009-05-24 23:21 -------- d-----w- c:\documents and settings\Don\Application Data\FileZilla

2010-04-17 01:39 . 2010-04-17 01:27 -------- d-----w- c:\documents and settings\Don\Application Data\ArcSoft

2010-04-17 01:38 . 2010-04-17 01:28 -------- d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft

2010-04-17 01:33 . 2009-01-06 04:14 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-04-17 01:28 . 2010-04-17 01:28 -------- d-----w- c:\program files\Common Files\ArcSoft

2010-04-13 22:37 . 2010-04-13 22:37 -------- d-----w- c:\documents and settings\Don\Application Data\GrabPro

2010-04-13 22:33 . 2010-04-13 22:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\MiniDm

2010-04-13 22:33 . 2010-04-13 22:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\IEPro

2010-03-19 01:16 . 2010-03-19 01:16 1656832 ----a-w- c:\documents and settings\Don\Application Data\Folding@home-x86\FahCore_a0.exe

2010-03-19 01:16 . 2010-03-19 01:16 1382280 ----a-w- c:\documents and settings\Don\Application Data\Folding@home-x86\libfftw3f-3.dll

2010-02-22 01:39 . 2010-02-22 01:39 27984 ----a-w- c:\windows\system32\sbbd.exe

2010-02-22 00:30 . 2010-04-13 22:34 85080 ----a-w- c:\windows\system32\drivers\sbhips.sys

2006-05-03 10:06 . 2009-09-10 04:29 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 11:47 . 2009-09-10 04:29 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 13:30 . 2009-09-10 04:29 216064 --sh--r- c:\windows\system32\nbDX.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TClockEx"="d:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

"Ai Nap"="d:\program files\ASUS\AI Suite\AiNap\AiNap.exe" [2008-05-26 1423360]

"QFan Help"="d:\program files\ASUS\AI Suite\QFan3\QFanHelp.exe" [2008-05-06 594432]

"Cpu Level Up help"="d:\program files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2007-12-01 881152]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"zBrowser Launcher"="d:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]

"CTHelper"="CTHELPER.EXE" [2009-03-04 19456]

"CTSysVol"="d:\program files\Creative\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"VirtualDrive"="d:\program files\FarStone\VirtualDrive\VDTask.exe" [2008-11-06 166416]

"SBAMTray"="d:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-02-22 1291600]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]

c:\documents and settings\Don\Start Menu\Programs\Startup\

Folding@home.lnk - c:\documents and settings\Don\Application Data\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_2377D972A0372FCB34E3F7.exe [2009-1-6 98477]

Shortcut to deskview.lnk - d:\program files\deskview.exe [2009-1-9 36864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Nostromo Loadout Manager.lnk - c:\windows\Installer\{548C7B77-8B04-427E-ACD0-D0E6E6E59BCF}\NewShortcut2_548C7B778B04427EACD0D0E6E6E59BCF.exe [2009-4-6 45056]

Task Manager.lnk - c:\windows\system32\taskmgr.exe [2008-4-14 135680]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"e:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=

"e:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"e:\\Program Files\\Codemasters\\DiRT Demo\\DiRTDemo.exe"=

"d:\\Program Files\\IEPro\\MiniDM.exe"=

"e:\\Makena\\There\\ThereClient\\There.exe"=

"e:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe"=

"e:\\Program Files\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe"=

"e:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"21:TCP"= 21:TCP:FTP

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/29/2010 12:25 AM 28552]

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [4/14/2010 5:57 PM 13400]

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/14/2009 3:39 AM 95024]

R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [10/2/2009 7:50 PM 203056]

R2 PDSched;PDScheduler;d:\program files\Raxco\PerfectDisk\PDSched.exe [11/29/2005 11:16 AM 241731]

R2 SBAMSvc;VIPRE Antivirus;d:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [2/21/2010 9:40 PM 2726000]

R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [4/14/2010 5:59 PM 69720]

R2 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [4/13/2010 6:34 PM 85080]

R2 SBPIMSvc;SB Recovery Service;d:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe [2/21/2010 9:39 PM 181584]

R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [4/16/2010 9:28 PM 36224]

R3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [4/6/2009 10:24 PM 23040]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/4/2009 2:42 PM 99352]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/4/2009 2:42 PM 555032]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/4/2009 2:42 PM 566296]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/26/2009 11:00 PM 133104]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/4/2009 2:42 PM 99352]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [4/7/2009 7:01 PM 79360]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/4/2009 2:42 PM 555032]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/4/2009 2:42 PM 100888]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/4/2009 2:42 PM 100888]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/4/2009 2:42 PM 566296]

S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [4/16/2010 9:28 PM 134912]

--- Other Services/Drivers In Memory ---

*Deregistered* - ArcRec

.

Contents of the 'Scheduled Tasks' folder

2010-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-27 03:00]

2010-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-27 03:00]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

Trusted Zone: centralink.org\www

DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.21.0.cab

FF - ProfilePath - c:\documents and settings\Don\Application Data\Mozilla\Firefox\Profiles\7eliypcl.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - component: c:\documents and settings\Don\Application Data\Mozilla\Firefox\Profiles\7eliypcl.default\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}\components\PlainOldFavorites.dll

FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-20 16:55

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2010-05-20 16:57:33

ComboFix-quarantined-files.txt 2010-05-20 20:57

Pre-Run: 22,414,708,736 bytes free

Post-Run: 22,440,030,208 bytes free

- - End Of File - - 136F2CE4D9753AEF9272A9A4FB3223CF


No explorer crashes, and the Nostromo software is working again.

It seems to be working as it should!!

Thank You!!! :)

I was a little surprised that ComboFix indicated it detected rootkit activity after the TDSSKiller cleanup.

I hope that was just doing housekeeping and not detecting something active lingering.

These three files, listed in the "Find3M Report" section of the ComboFix report, do not exist.

2006-05-03 10:06 . 2009-09-10 04:29 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 11:47 . 2009-09-10 04:29 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 13:30 . 2009-09-10 04:29 216064 --sh--r- c:\windows\system32\nbDX.dll


Good! :)

Don't worry about these files, because they are legitimate.

Last steps:

Step 1:

* Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step 2:

Please manually delete TDSSKiller, JavaRa, DDS and GMER.

Step 3:

Please download and install the latest version of Java from:

www.java.com/en

Step 4:

Some malware preventions:

http://miekiemoes.blogspot.com/2008/02/how...nt-malware.html

Safe surfing! :)


I've uninstalled ComboFix, and deleted the others from the desktop. (I don't see GMER.)

I also ran Defogger and re-enabled Virtual CD.

The computer seems to be working normally now.

Thank You VERY much!!

I wonder if the TDSS rootkit was installed by the AntispywareSoft, by the rkill utility that I initially ran to get rid of AntispywareSoft, or if it was already there, and the AntispywareSoft infection caused the explorer problem, allowing us to find the rootkit...?


I'm not sure that I understood you correctly.

What allowed us to discover the problem was ComboFix.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89D81CEC]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\atapi -> atapi.sys @ 0xb9f11852

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xb9ddfbb0

PacketIndicateHandler -> NDIS.sys @ 0xb9deca21

SendHandler -> NDIS.sys @ 0xb9dca87b

user & kernel MBR OK

Next I used TDSSKiller to remove it:

17:31:07:968 0800 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdhid.sys. Real md5: bb6275fcada09e6f2eff467c746733e1, Fake md5: 9ef487a186dea361aa06913a75b3fa99

17:31:07:968 0800 File "C:\WINDOWS\system32\DRIVERS\kbdhid.sys" infected by TDSS rootkit ... 17:31:08:718 0800 Backup copy found, using it..

17:31:08:718 0800 will be cured on next reboot

That's all!

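The two TDSSKiller lines quoted above record one forged driver: a "Real" MD5 of the bytes actually on disk and a "Fake" MD5 of what the hooked read path presents to ordinary file I/O. As an added example, not part of this thread and not code from TDSSKiller, ComboFix or GMER, here is a small Python parser for that line format together with a classifier that shows why the two hashes matter: a check that only reads the driver through the normal API sees the presented copy, so it compares the wrong bytes against its known-good list. The sample log is constructed from the lines quoted above; the byte buffers and the `classify_driver` helper are hypothetical and only stand in for the three ways a driver image can be read.

```python
"""Parse TDSSKiller 'Suspicious file (Forged)' lines and classify a driver
image by comparing the API view, the raw-disk view and a trusted reference.
Added example for this thread; not code from any of the tools discussed."""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two TDSSKiller lines quoted in the thread plus the
# follow-up line, to show that the parser ignores lines it does not understand.
SAMPLE_LOG = """\
17:31:07:968 0800 Suspicious file (Forged): C:\\WINDOWS\\system32\\DRIVERS\\kbdhid.sys. Real md5: bb6275fcada09e6f2eff467c746733e1, Fake md5: 9ef487a186dea361aa06913a75b3fa99
17:31:07:968 0800 File "C:\\WINDOWS\\system32\\DRIVERS\\kbdhid.sys" infected by TDSS rootkit
17:31:08:718 0800 will be cured on next reboot
"""

# Line layout as seen in the thread: time, a hex id, the verdict, the path,
# then the two MD5 values. The path is matched lazily up to ". Real md5".
FORGED_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<pid>[0-9A-Fa-f]+)\s+"
    r"Suspicious file \((?P<kind>[A-Za-z]+)\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})\s*$"
)


@dataclass(frozen=True)
class ForgedFile:
    timestamp: str
    path: str
    kind: str
    real_md5: str  # hash of the bytes actually on disk (read past the hooks)
    fake_md5: str  # hash of what the hooked I/O path shows to normal readers


def parse_tdsskiller_log(text: str) -> List[ForgedFile]:
    """Return one ForgedFile per 'Suspicious file' line; other lines are skipped."""
    found: List[ForgedFile] = []
    for line in text.splitlines():
        m = FORGED_RE.match(line.strip())
        if m:
            found.append(ForgedFile(m["ts"], m["path"], m["kind"], m["real"], m["fake"]))
    return found


def md5_hex(data: bytes) -> str:
    # MD5 only because that is what the tool logs; a real whitelist should use SHA-256.
    return hashlib.md5(data).hexdigest()


def classify_driver(api_view: bytes, raw_view: bytes,
                    reference: Optional[bytes] = None) -> str:
    """Classify a driver from up to three views of the same file (hypothetical helper).

    api_view  - bytes returned by ordinary file I/O (what AV and WFP normally see)
    raw_view  - bytes read from the disk sectors directly, bypassing filter hooks
    reference - optional trusted copy (dllcache, install media, signed catalog)

    'forged'   : API and raw views disagree, i.e. something is filtering reads
    'modified' : views agree but differ from the reference (plain file replacement)
    'clean'    : nothing to report with the evidence given
    """
    api_hash, raw_hash = md5_hex(api_view), md5_hex(raw_view)
    if api_hash != raw_hash:
        return "forged"
    if reference is not None and api_hash != md5_hex(reference):
        return "modified"
    return "clean"


def presented_copy_matches(entry: ForgedFile, reference_md5: str) -> Optional[str]:
    """Which of the two logged hashes equals the trusted hash: 'fake', 'real' or None.
    When the answer is 'fake', an API-only hash check would have passed the file."""
    if entry.fake_md5 == reference_md5:
        return "fake"
    if entry.real_md5 == reference_md5:
        return "real"
    return None


if __name__ == "__main__":
    for entry in parse_tdsskiller_log(SAMPLE_LOG):
        print(f"{entry.path}: on-disk {entry.real_md5}, presented {entry.fake_md5}")
```

The point of `classify_driver` is the "forged" branch: without a second, hook-free read of the sectors (or a reboot into clean media) the API view and any reference copy can agree while the on-disk driver is still patched, which is why the thread's hash-only scanners came up empty and the dedicated rootkit tools did not.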

Sorry.. I didn't word that very well..

It appears that the rootkit was causing the explorer crashes, as the crashes were resolved after removing the rootkit.

I've not read anything online that indicates that Antispyware Soft installs the rootkit.

I was trying to figure out whether the rootkit was installed by Antispyware Soft, by the rkill utility I used initially, or if the rootkit was present prior to the Antispyware Soft infection, and removing Antispyware Soft then caused the rootkit to begin crashing Explorer.

I hope that makes more sense. :D

In any case, Thank You very much for the assistance!!!

I'm disappointed that VIPRE allowed these pests in the first place. :D
