
Under control or not? Trojan: Java/Rowindal.A + Exploit: Java/CVE-2010-0094.AA



Hello sandflea15

Welcome to Malwarebytes.

=====================

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you still want to clean it please do the following

===================

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

========

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


ATTN: kahdah

1) I did download and run TDSSKiller, and that log is included below.

2) a. I did download and run ComboFix, and the "window" indicates that it has run through all steps (50 or 51)

b. then the program appears to be running...the screen flashes something about the log....and the computer crashes.

3) I ran ComboFix twice...same crash.

I did a search for "COMBOFIX.txt" file....no file with that name found, nor any "*.txt" files at the time ComboFix was running.

Suggestions for addressing the lack of ComboFix log ?

Thanks - SandFlea

Here is the TDSSKiller log...

= = = = = = = = = = = =

2010/11/04 12:16:00.0500 TDSS rootkit removing tool 2.4.6.0 Nov 3 2010 10:11:43

2010/11/04 12:16:00.0500 ================================================================================

2010/11/04 12:16:00.0500 SystemInfo:

2010/11/04 12:16:00.0500

2010/11/04 12:16:00.0500 OS Version: 5.1.2600 ServicePack: 3.0

2010/11/04 12:16:00.0500 Product type: Workstation

2010/11/04 12:16:00.0500 ComputerName: REG-LAPTOP08

2010/11/04 12:16:00.0500 UserName: REG

2010/11/04 12:16:00.0500 Windows directory: C:\WINDOWS

2010/11/04 12:16:00.0500 System windows directory: C:\WINDOWS

2010/11/04 12:16:00.0500 Processor architecture: Intel x86

2010/11/04 12:16:00.0500 Number of processors: 2

2010/11/04 12:16:00.0500 Page size: 0x1000

2010/11/04 12:16:00.0515 Boot type: Normal boot

2010/11/04 12:16:00.0515 ================================================================================

2010/11/04 12:16:01.0125 Initialize success

2010/11/04 12:16:04.0234 ================================================================================

2010/11/04 12:16:04.0234 Scan started

2010/11/04 12:16:04.0234 Mode: Manual;

2010/11/04 12:16:04.0234 ================================================================================

2010/11/04 12:16:05.0109 Aavmker4 (8d488938e2f7048906f1fbd3af394887) C:\WINDOWS\system32\drivers\Aavmker4.sys

2010/11/04 12:16:05.0203 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

2010/11/04 12:16:05.0250 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/11/04 12:16:05.0296 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/11/04 12:16:05.0343 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

2010/11/04 12:16:05.0359 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/11/04 12:16:05.0390 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/11/04 12:16:05.0421 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys

2010/11/04 12:16:05.0453 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2010/11/04 12:16:05.0468 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

2010/11/04 12:16:05.0484 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

2010/11/04 12:16:05.0500 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

2010/11/04 12:16:05.0531 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

2010/11/04 12:16:05.0546 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

2010/11/04 12:16:05.0609 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys

2010/11/04 12:16:05.0625 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys

2010/11/04 12:16:05.0656 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

2010/11/04 12:16:05.0687 ApfiltrService (090880e9bf20f928bc341f96d27c019e) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys

2010/11/04 12:16:05.0734 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS

2010/11/04 12:16:05.0765 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

2010/11/04 12:16:05.0812 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

2010/11/04 12:16:05.0875 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

2010/11/04 12:16:06.0234 aswFsBlk (a0d86b8ac93ef95620420c7a24ac5344) C:\WINDOWS\system32\drivers\aswFsBlk.sys

2010/11/04 12:16:06.0281 aswMon2 (7d880c76a285a41284d862e2d798ec0d) C:\WINDOWS\system32\drivers\aswMon2.sys

2010/11/04 12:16:06.0312 aswRdr (69823954bbd461a73d69774928c9737e) C:\WINDOWS\system32\drivers\aswRdr.sys

2010/11/04 12:16:06.0375 aswSP (7ecc2776638b04553f9a85bd684c3abf) C:\WINDOWS\system32\drivers\aswSP.sys

2010/11/04 12:16:06.0406 aswTdi (095ed820a926aa8189180b305e1bcfc9) C:\WINDOWS\system32\drivers\aswTdi.sys

2010/11/04 12:16:06.0453 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/11/04 12:16:06.0484 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/11/04 12:16:06.0562 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/11/04 12:16:06.0578 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/11/04 12:16:06.0640 b57w2k (c0acd392ece55784884cc208aafa06ce) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

2010/11/04 12:16:06.0718 BASFND (3d87b0484be1093c6614062701f375c5) C:\Program Files\Broadcom\ASFIPMon\BASFND.sys

2010/11/04 12:16:06.0781 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/11/04 12:16:06.0843 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

2010/11/04 12:16:06.0859 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/11/04 12:16:06.0890 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

2010/11/04 12:16:06.0921 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/11/04 12:16:06.0953 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/11/04 12:16:06.0984 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/11/04 12:16:07.0046 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2010/11/04 12:16:07.0078 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

2010/11/04 12:16:07.0109 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2010/11/04 12:16:07.0140 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

2010/11/04 12:16:07.0187 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

2010/11/04 12:16:07.0203 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

2010/11/04 12:16:07.0250 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/11/04 12:16:07.0312 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/11/04 12:16:07.0343 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/11/04 12:16:07.0375 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/11/04 12:16:07.0406 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/11/04 12:16:07.0453 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

2010/11/04 12:16:07.0468 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/11/04 12:16:07.0500 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys

2010/11/04 12:16:07.0562 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/11/04 12:16:07.0593 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/11/04 12:16:07.0640 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/11/04 12:16:07.0656 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/11/04 12:16:07.0703 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/11/04 12:16:07.0734 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/11/04 12:16:07.0750 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/11/04 12:16:07.0796 GEARAspiWDM (5dc17164f66380cbfefd895c18467773) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys

2010/11/04 12:16:07.0828 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/11/04 12:16:07.0859 guardian2 (c0bdab85f3e8b2138c513255e2bcc4d8) C:\WINDOWS\system32\Drivers\oz776.sys

2010/11/04 12:16:07.0921 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2010/11/04 12:16:07.0953 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/11/04 12:16:08.0000 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

2010/11/04 12:16:08.0046 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2010/11/04 12:16:08.0078 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2010/11/04 12:16:08.0093 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2010/11/04 12:16:08.0156 HSF_DPV (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys

2010/11/04 12:16:08.0265 HSXHWAZL (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys

2010/11/04 12:16:08.0312 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/11/04 12:16:08.0359 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

2010/11/04 12:16:08.0375 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys

2010/11/04 12:16:08.0406 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/11/04 12:16:08.0437 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/11/04 12:16:08.0468 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

2010/11/04 12:16:08.0500 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2010/11/04 12:16:08.0546 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/11/04 12:16:08.0562 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/11/04 12:16:08.0593 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/11/04 12:16:08.0609 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/11/04 12:16:08.0656 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/11/04 12:16:08.0687 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/11/04 12:16:08.0718 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/11/04 12:16:08.0750 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/11/04 12:16:08.0781 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/11/04 12:16:08.0812 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/11/04 12:16:08.0859 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/11/04 12:16:08.0953 Lavasoft Kernexplorer (32da3fde01f1bb080c2e69521dd8881e) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys

2010/11/04 12:16:09.0015 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys

2010/11/04 12:16:09.0093 LHidFlt2 (3c357dfdbbf2b4b01aa4b9c8a26e4416) C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys

2010/11/04 12:16:09.0109 LHidUsb (ffb851b1b2f6596b7d3182b977a85206) C:\WINDOWS\system32\Drivers\LHidUsb.Sys

2010/11/04 12:16:09.0140 LMouFlt2 (aef09673376a4d93c09e8341854f1bf4) C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys

2010/11/04 12:16:09.0187 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2010/11/04 12:16:09.0234 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/11/04 12:16:09.0281 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/11/04 12:16:09.0312 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/11/04 12:16:09.0343 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/11/04 12:16:09.0406 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/11/04 12:16:09.0453 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

2010/11/04 12:16:09.0468 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/11/04 12:16:09.0531 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/11/04 12:16:09.0562 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/11/04 12:16:09.0593 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/11/04 12:16:09.0609 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/11/04 12:16:09.0656 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/11/04 12:16:09.0703 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/11/04 12:16:09.0718 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/11/04 12:16:09.0765 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/11/04 12:16:09.0781 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/11/04 12:16:09.0812 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/11/04 12:16:09.0828 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/11/04 12:16:09.0843 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/11/04 12:16:09.0890 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/11/04 12:16:09.0906 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/11/04 12:16:10.0187 NETw3x32 (71371ed9086a3d65f43967c89634e9a9) C:\WINDOWS\system32\DRIVERS\NETw3x32.sys

2010/11/04 12:16:11.0500 NETw5x32 (91f027c242d3ff6e5c09f92a0518297f) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys

2010/11/04 12:16:12.0984 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/11/04 12:16:13.0390 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/11/04 12:16:14.0046 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/11/04 12:16:15.0890 nv (c116d2b008a1640c4484a1dcd1abe12c) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2010/11/04 12:16:17.0828 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/11/04 12:16:18.0031 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/11/04 12:16:18.0187 omci (b17228142cec9b3c222239fd935a37ca) C:\WINDOWS\system32\DRIVERS\omci.sys

2010/11/04 12:16:18.0328 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/11/04 12:16:18.0453 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/11/04 12:16:18.0609 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/11/04 12:16:18.0937 pavboot (3adb8bd6154a3ef87496e8fce9c22493) C:\WINDOWS\system32\drivers\pavboot.sys

2010/11/04 12:16:19.0203 PBADRV (e3e6e724d6a82ab6a2afbcb21180ffce) C:\WINDOWS\system32\DRIVERS\PBADRV.sys

2010/11/04 12:16:19.0343 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/11/04 12:16:19.0593 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/11/04 12:16:19.0859 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2010/11/04 12:16:20.0218 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

2010/11/04 12:16:20.0234 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

2010/11/04 12:16:20.0312 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/11/04 12:16:20.0359 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/11/04 12:16:20.0421 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/11/04 12:16:20.0484 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

2010/11/04 12:16:20.0531 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

2010/11/04 12:16:20.0562 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

2010/11/04 12:16:20.0609 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

2010/11/04 12:16:20.0671 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

2010/11/04 12:16:20.0703 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/11/04 12:16:20.0750 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/11/04 12:16:20.0859 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/11/04 12:16:20.0890 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/11/04 12:16:20.0953 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/11/04 12:16:21.0046 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/11/04 12:16:21.0078 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/11/04 12:16:21.0125 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/11/04 12:16:21.0203 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/11/04 12:16:21.0390 s24trans (96b4494d4734970f47c566e098c4f527) C:\WINDOWS\system32\DRIVERS\s24trans.sys

2010/11/04 12:16:21.0468 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/11/04 12:16:21.0531 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/11/04 12:16:21.0562 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/11/04 12:16:21.0625 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/11/04 12:16:21.0703 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys

2010/11/04 12:16:21.0796 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

2010/11/04 12:16:21.0921 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/11/04 12:16:22.0062 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/11/04 12:16:22.0171 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/11/04 12:16:22.0453 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINDOWS\system32\drivers\sthda.sys

2010/11/04 12:16:22.0765 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/11/04 12:16:22.0796 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/11/04 12:16:22.0859 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

2010/11/04 12:16:22.0906 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

2010/11/04 12:16:22.0937 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

2010/11/04 12:16:22.0968 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

2010/11/04 12:16:23.0015 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/11/04 12:16:23.0093 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/11/04 12:16:23.0140 TcUsb (125f5adc14839b4afd31cc581629d2b3) C:\WINDOWS\system32\Drivers\tcusb.sys

2010/11/04 12:16:23.0203 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/11/04 12:16:23.0234 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/11/04 12:16:23.0265 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/11/04 12:16:23.0343 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

2010/11/04 12:16:23.0375 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/11/04 12:16:23.0421 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

2010/11/04 12:16:23.0484 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/11/04 12:16:23.0593 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/11/04 12:16:23.0640 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/11/04 12:16:23.0671 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/11/04 12:16:23.0718 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/11/04 12:16:23.0781 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/11/04 12:16:23.0796 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/11/04 12:16:23.0843 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/11/04 12:16:23.0906 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/11/04 12:16:23.0953 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

2010/11/04 12:16:24.0000 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2010/11/04 12:16:24.0031 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/11/04 12:16:24.0109 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/11/04 12:16:24.0171 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/11/04 12:16:24.0281 winachsf (ba6b6fb242a6ba4068c8b763063beb63) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys

2010/11/04 12:16:24.0437 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

2010/11/04 12:16:24.0531 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2010/11/04 12:16:24.0578 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/11/04 12:16:24.0656 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2010/11/04 12:16:24.0656 ================================================================================

2010/11/04 12:16:24.0656 Scan finished

2010/11/04 12:16:24.0656 ================================================================================

2010/11/04 12:16:24.0671 Detected object count: 1

2010/11/04 12:16:49.0218 \HardDisk0 - will be cured after reboot

2010/11/04 12:16:49.0218 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2010/11/04 12:17:11.0265 Deinitialize success

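The TDSSKiller log above runs to several hundred rows, and the one row that matters (`\HardDisk0 - detected Rootkit.Win32.TDSS.tdl4`) is easy to lose among the driver inventory. The Python script below is an added example, not part of this thread and not Kaspersky's code: it parses the three row shapes visible in the posted log (driver inventory, detection, user action) and pulls out detections that were not cured, drivers loading from outside the Windows system directory, and any hash registered under more than one service name. The sample rows are copied from the log above; the `EXPECTED_PREFIX` location and the idea that off-path drivers merit a second look are analyst assumptions, not verdicts (the two off-path rows here sit under Broadcom and Lavasoft program directories).

```python
"""Triage a TDSSKiller text log.

Added example for this thread; it is not part of TDSSKiller or of the
original posts.  The row shapes below are the ones visible in the log
posted above: a timestamp prefix followed by a driver row, a detection
row or a user-action row."""
import re
from collections import defaultdict

TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+ "
# <service> (<md5>) <path>  -- service names may contain spaces
DRIVER_RE = re.compile(TS + r"(?P<svc>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# <object> - detected <name> (<n>)
DETECT_RE = re.compile(TS + r"(?P<obj>\S+) - detected (?P<name>\S+) \(\d+\)$")
# <name>(<object>) - User select action: <action>
ACTION_RE = re.compile(
    TS + r"(?P<name>[^(]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")

# Assumption: on this XP box every kernel driver is expected under this tree.
EXPECTED_PREFIX = "c:\\windows\\system32\\"

# Constructed sample: a handful of rows copied from the log posted above.
SAMPLE_LOG = r"""2010/11/04 12:16:00.0500 TDSS rootkit removing tool 2.4.6.0 Nov 3 2010 10:11:43
2010/11/04 12:16:04.0234 Scan started
2010/11/04 12:16:05.0109 Aavmker4 (8d488938e2f7048906f1fbd3af394887) C:\WINDOWS\system32\drivers\Aavmker4.sys
2010/11/04 12:16:06.0718 BASFND (3d87b0484be1093c6614062701f375c5) C:\Program Files\Broadcom\ASFIPMon\BASFND.sys
2010/11/04 12:16:06.0843 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/11/04 12:16:06.0859 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/04 12:16:08.0953 Lavasoft Kernexplorer (32da3fde01f1bb080c2e69521dd8881e) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2010/11/04 12:16:23.0093 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/04 12:16:24.0656 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/11/04 12:16:24.0656 Scan finished
2010/11/04 12:16:49.0218 \HardDisk0 - will be cured after reboot
2010/11/04 12:16:49.0218 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
"""


def parse_log(text):
    """Split a log into driver rows, detection rows and user-action rows."""
    drivers, detections, actions = [], [], []
    for line in text.splitlines():
        line = line.rstrip()
        if m := DETECT_RE.match(line):
            detections.append((m["obj"], m["name"]))
        elif m := ACTION_RE.match(line):
            actions.append((m["name"], m["obj"], m["action"]))
        elif m := DRIVER_RE.match(line):
            drivers.append({"service": m["svc"], "md5": m["md5"], "path": m["path"]})
    return {"drivers": drivers, "detections": detections, "actions": actions}


def triage(parsed):
    """Pick out the rows an analyst wants to read first."""
    # Drivers loaded from outside the expected system tree (third-party or worse).
    off_path = [(d["service"], d["path"]) for d in parsed["drivers"]
                if not d["path"].lower().startswith(EXPECTED_PREFIX)]
    # The same file registered under several service names.
    by_hash = defaultdict(list)
    for d in parsed["drivers"]:
        by_hash[d["md5"]].append(d["service"])
    shared = {h: names for h, names in by_hash.items() if len(names) > 1}
    # Detections that never received a "Cure" action for the same object.
    uncured = [(obj, name) for obj, name in parsed["detections"]
               if not any(a_obj == obj and act == "Cure"
                          for _, a_obj, act in parsed["actions"])]
    return {"off_path": off_path, "shared_hash": shared, "uncured": uncured,
            "detections": parsed["detections"]}


if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Feed the whole posted log to `parse_log` instead of `SAMPLE_LOG` and the `shared_hash` and `off_path` lists are what you would review after confirming the MBR detection was cured; the hash list also gives you something to look up against a vendor database without retyping it from the forum post.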

See if there is a log provided as this name C:\Qoobox\ComboFix-quarantined-files.txt

If there is post it please.

Kahdah,

I did a search using "*.txt" on the entire computer, and the only "txt" message with the phrase "combo" that was created today (since I downloaded) is as follows...

ComboFix 10-11-03.04 - REG 11/04/2010 12:55:02.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.443 [GMT -4:00]

Running from: C:\Documents and Settings\REG\Desktop\ComboFix.exe

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

Not sure if this is what you are referring to, or not. If not, any other suggestions appreciated.

Also, may be a dumb question, but can I run TDSSkiller, TDS, GMER, etc. on an external drive to where I backed up all files prior to running all of these programs ?

Thanks for your continued assistance.... SandFlea


Please run gmer once more and post that log.

Kahdah,

I tried COMBOfix again this morning...same crash happened. Here is the GMER log from this morning.

GMER 1.0.15.15477 - http://www.gmer.net

Rootkit scan 2010-11-05 06:46:57

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\REG\LOCALS~1\Temp\pwdoykoc.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xF2C68CF0]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xF2C68BAC]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xF2C69160]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xF2C6908A]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xF2C68782]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xF2C68C86]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xF2C686C2]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xF2C68726]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xF2C68DA6]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xF2C6922E]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xF2C68D66]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xF2C68EE6]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xF2C75BAE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xF2C759D2]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xF2C75B0C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF64BC380, 0x37DE8D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 00336DCE C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003372BA C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 00335BBB C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 0033737D C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 0033724D C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 00335AF1 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 003373E3 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 00336C79 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 0033595F C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 003361DA C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 003365B6 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 00336AEA C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 0033633F C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 00336261 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 003362BB C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00336035 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 003366AD C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 00336A54 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 003359B9 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 003364E4 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 00336EA5 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 00336F53 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 00336725 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 00337202 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 00335C61 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 00335BDA C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 0033718A C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 00336BE5 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 0033644C C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 003369D0 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 00336135 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 00337001 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 00336D63 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 00335E5A C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 00336E31 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 00335F4C C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 00335A83 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 00337108 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 00337236 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[116] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 003371E7 C:\WINDOWS\system32\wxvault.dll

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1604] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \FileSystem\Fastfat \Fat B9001D20

Device \FileSystem\Fastfat \Fat B8FFE7B4

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\system32\wxvault.dll

---- EOF - GMER 1.0.15 ----


Ok, update and run Malwarebytes

Please update and run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

=====

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check the following options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


Please manually delete this file that is merely a Java exploit.

C:\Documents & Settings\NetworkService\application data\sun\java\deployment\cache\6.0\31\73769d5f-704d95b

You will have to show hidden files and folders to see it.

After that run dds once more and post only the dds.txt that opens.

Let me know of any remaining issues please.


Well Kahdah,

I am really scratching my head over this one


Use it like normal and let me know how things are running.

Also, that was the attach.txt, not the DDS.txt; please attach the other.

Hi Kahdah,

Well, everything appears to be running without any of those problems, I re-booted a couple of times, and performed a search in the "deployment\cache" folders but did not find anything with "73769d5f


No, those are not active malware files; they don't show in any scan. Usually the antivirus removes them. It is nothing but some leftovers, no need to worry.

Please do the following.

Download OTL to your desktop.

Open OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Files
    C:\Documents and Settings\NetworkService\application data\sun\java\deployment\cache\6.0\31\*
    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.


Hi Kahdah,

I downloaded the OTL program, and ran it. The log is posted below. Are there any issues of which I should be aware?

:P Regards - SandFlea

(here is the txt log)...

All processes killed

Error: Unable to interpret <CODE> in the current context!

========== FILES ==========

C:\Documents and Settings\NetworkService\application data\sun\java\deployment\cache\6.0\31\73769d5f-704d95b7 moved successfully.

C:\Documents and Settings\NetworkService\application data\sun\java\deployment\cache\6.0\31\73769d5f-704d95b7.idx moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Flash cache emptied: 41 bytes

User: LocalService

->Temp folder emptied: 66016 bytes

->Flash cache emptied: 4112 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Java cache emptied: 2187489 bytes

->Flash cache emptied: 97604 bytes

User: REG

->Temp folder emptied: 2505837 bytes

->Temporary Internet Files folder emptied: 73369454 bytes

->Java cache emptied: 123380 bytes

->Apple Safari cache emptied: 964608 bytes

->Flash cache emptied: 4339 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 49635 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 134830740 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 204.00 mb

OTL by OldTimer - Version 3.2.17.3 log created on 11082010_161504

Files\Folders moved on Reboot...

File\Folder C:\Documents and Settings\REG\Local Settings\Temp\Perflib_Perfdata_568.dat not found!

Registry entries deleted on Reboot...


Looks like that took care of it.

:lol: Hi Kahdah,

Been out all day, or would have responded sooner. I will address the removals and replacement this evening.

Your post anticipated my thoughts. I would appreciate (if you are allowed to comment) your brief thoughts on the following


Honestly, the AVs are all one and the same to me; some do a little better than others, but you can get infected no matter what you have.

Security Essentials does not provide a firewall; Windows does. Really, I have not seen the need to have a heavy-duty firewall, simply because once you are infected it is too late, and by that time what does the firewall do? Nothing but alert you of something trying to call home.

Keep the system running light; don't overburden it with unnecessary software that really is only minor prevention.

I personally use Kaspersky. Since I do a lot of malware testing, I feel that this is the most reliable product on the market; it has behavioral detection that has been a proven reliable asset to have.

MBAM over SUPERAntiSpyware, simply because the detection rate is higher, and also if you use the paid-for version of MBAM then the protection module as well would greatly decrease the infection ratio.

Nothing is 100% effective against malware; anything we can come up with to prevent malware, the malware writers will exploit.

It is simply a big cat and mouse game.

One day, hopefully, that will not be the case, but as it is right now this is the case.

Hope that helps without being too grim, just being honest.


Hey Kahdah,

Honesty is always valued over the alternative.

I made a small donation for your much appreciated expertise. Would have been a larger donation, but have been out of work since mid-August.

That's it for now... and I hope that we never have to chat again under these circumstances.

Regards - SandFlea
