
DDS/GMER log files


antispyware soft was loaded via facebook email.

running ms essentials and mbam at the time.

i booted into ubuntu and ran klam.

it detected and removed a few things.

rebooted to xp pro -- still no functionality.

could not boot into safe mode. (f8 function still does not work).

googled antispyware soft and found some instructions

renamed hijackthis to ieexplore.exe and removed several 04 ssdt settings (memory is fuzzy on the actual items removed -- something like that though) and removed one item with a proxy address.

removed several reg items.

removed several items in app data.

regained control of my system.

manually rebooted into safe mode via msconfig.

ran mbam and spybot -- destroyed/removed some other things.

ran trend micro rootkit remover -- results showed no rootkits.

need to load mbam manually (does not appear in list of startup items -- i probably removed them by accident via hijackthis).

when i load mbam, website blocking continually gives me "blocked malicious site w. address" notification.

googled it and came across your forum page with gmer and dds instructions.

and well, here i am.

appreciate the help.

(best i can tell, this appeared after opening an infected email message from facebook (person who sent it posted that she was infected). whoops.)

i did run mbam immediately but it detected nothing. virus appeared about a week later.

ark.txt:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-28 12:50:30

Windows 5.1.2600 Service Pack 3

Running: fx3q8wbh.exe; Driver: C:\DOCUME~1\Tom\LOCALS~1\Temp\pwtiypob.sys

---- System - GMER 1.0.15 ----

SSDT spfj.sys ZwCreateKey [0xF74D70E0]

SSDT spfj.sys ZwEnumerateKey [0xF74F5CA2]

SSDT spfj.sys ZwEnumerateValueKey [0xF74F6030]

SSDT spfj.sys ZwOpenKey [0xF74D70C0]

SSDT spfj.sys ZwQueryKey [0xF74F6108]

SSDT spfj.sys ZwQueryValueKey [0xF74F5F88]

SSDT spfj.sys ZwSetValueKey [0xF74F619A]

INT 0x62 ? 8A965BF8

INT 0x73 ? 8A7C3F00

INT 0x83 ? 8A965BF8

INT 0xB4 ? 8A7C3F00

---- Kernel code sections - GMER 1.0.15 ----

? spfj.sys The system cannot find the file specified. !

.text USBPORT.SYS!DllUnload BAE7D8AC 5 Bytes JMP 8A7C34E0

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 17, 00]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 17, 00]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 17, 00]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 17, 00]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90ED1A

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 17, 00]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 17, 00]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 17, 00]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90ED8B

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 17, 00]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EEB9

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 17, 00]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 17, 00]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 17, 00]

.text C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1148] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A9641F8

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbohci \Device\USBPDO-0 8A88B500

Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A8F41F8

Device \Driver\dmio \Device\DmControl\DmConfig 8A8F41F8

Device \Driver\dmio \Device\DmControl\DmPnP 8A8F41F8

Device \Driver\dmio \Device\DmControl\DmInfo 8A8F41F8

Device \Driver\usbehci \Device\USBPDO-1 8A70F500

Device \Driver\usbohci \Device\USBPDO-2 8A88B500

Device \Driver\usbehci \Device\USBPDO-3 8A70F500

Device \Driver\NetBT \Device\NetBT_Tcpip_{73F1B19D-A311-431A-A6C9-D6B6493E2D2D} 896691F8

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A9661F8

Device \Driver\Cdrom \Device\CdRom0 8A8191F8

Device \Driver\Ftdisk \Device\HarddiskVolume2 8A9661F8

Device \Driver\Ftdisk \Device\HarddiskVolume3 8A9661F8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdePort0 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdePort1 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdePort2 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdePort3 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\Ftdisk \Device\HarddiskVolume4 8A9661F8

Device \Driver\NetBT \Device\NetBt_Wins_Export 896691F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{40371CF0-4585-47EF-89C6-F6A70AAD52C9} 896691F8

Device \Driver\NetBT \Device\NetbiosSmb 896691F8

Device \Driver\usbohci \Device\USBFDO-0 8A88B500

Device \Driver\usbehci \Device\USBFDO-1 8A70F500

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 896901F8

Device \Driver\usbohci \Device\USBFDO-2 8A88B500

Device \FileSystem\MRxSmb \Device\LanmanRedirector 896901F8

Device \Driver\usbehci \Device\USBFDO-3 8A70F500

Device \Driver\Ftdisk \Device\FtControl 8A9661F8

Device \FileSystem\Cdfs \Cdfs 89638500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

---- EOF - GMER 1.0.15 ----

*************************************************************

mbam log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

5/28/2010 10:49:04 AM

mbam-log-2010-05-28 (10-49-04).txt

Scan type: Full scan (C:\|)

Objects scanned: 188954

Time elapsed: 1 hour(s), 18 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

*********************

thanks

DDS.txt

mbam_log_2010_05_28__10_49_04_.txt

Attach.rar


  • 3 weeks later...

Hello,

Your topic was first posted more than 2 weeks ago. Please advise if the system has the same issues or if the malware issues have been resolved. If the malware issues are not resolved AND you require guided help, then, please generate a new DDS log and post that, along with appropriate detail, into a new reply here.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

