Jump to content

Browser redirect/svchost.exe error


Nick603
 Share

Recommended Posts

Ok, here is the DDS.txt:

DDS (Ver_10-11-10.01) - NTFSx86

Run by Nicholas at 19:07:51.81 on Wed 11/17/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.590 [GMT -8:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AskBarDis\bar\bin\AskService.exe

C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Blaze Media Pro\NMSAccess32.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\System32\mshta.exe

C:\WINDOWS\System32\mshta.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\mshta.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Documents and Settings\Nicholas\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Bar = hxxp://www.comcast.net/toolbar2.0/search/

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://www.comcast.net/toolbar2.0/search/

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL

TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork

uRun: [Google Update] "c:\documents and settings\nicholas\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [RegistryMechanic]

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

StartupFolder: c:\documents and settings\nicholas\start menu\programs\startup\PowerReg Scheduler.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli c:\windows\system32\giyesewu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nicholas\applic~1\mozilla\firefox\profiles\kv5unkxg.default\

FF - plugin: c:\documents and settings\nicholas\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\nicholas\application data\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\nicholas\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\download manager\npfpdlm.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

and the Gmer.txt:

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2010-11-17 19:32:37

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 Maxtor_6L200R0 rev.BAH41E00

Running: 75x7bvmk.exe; Driver: C:\DOCUME~1\Nicholas\LOCALS~1\Temp\kxrdypod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xAD21ACF0]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xAD21ABAC]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xAD21B160]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xAD21B08A]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xAD21A782]

SSDT spzs.sys ZwEnumerateKey [0xB7EC5CA4]

SSDT spzs.sys ZwEnumerateValueKey [0xB7EC6032]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xAD21AC86]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xAD21A6C2]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xAD21A726]

SSDT spzs.sys ZwQueryKey [0xB7EC610A]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xAD21ADA6]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xAD21B22E]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xAD21AD66]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xAD21AEE6]

INT 0x62 ? 8A51CBF8

INT 0x82 ? 8A51CBF8

INT 0xA4 ? 8A326F00

INT 0xA4 ? 8A326F00

INT 0xA4 ? 8A326F00

INT 0xA4 ? 8A326F00

INT 0xA4 ? 8A326F00

INT 0xA4 ? 8A326F00

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xAD227BAE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xAD2279D2]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xAD227B0C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver 805795FA 7 Bytes JMP AD227B10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!NtCreateSection 805A075C 7 Bytes JMP AD2279D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B1CE0 5 Bytes JMP AD2235D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!ObInsertObject 805B8B58 5 Bytes JMP AD224FFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73EA 7 Bytes JMP AD227BB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

? spzs.sys The system cannot find the file specified. !

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB5E253A0, 0x59FFE5, 0xE8000020]

.text USBPORT.SYS!DllUnload B5DE28AC 5 Bytes JMP 8A3264E0

.text axmeybf7.SYS B5982386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]

.text axmeybf7.SYS B59823AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]

.text axmeybf7.SYS B59823C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}

.text axmeybf7.SYS B59823C9 1 Byte [30]

.text axmeybf7.SYS B59823C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}

.text ...

? C:\DOCUME~1\Nicholas\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1648] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BD000A

.text C:\WINDOWS\Explorer.EXE[1648] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BE000A

.text C:\WINDOWS\Explorer.EXE[1648] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1768] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

.text C:\WINDOWS\system32\svchost.exe[2336] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EB000A

.text C:\WINDOWS\system32\svchost.exe[2336] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00EC000A

.text C:\WINDOWS\system32\svchost.exe[2336] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00EA000C

.text C:\WINDOWS\system32\svchost.exe[2336] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A

.text C:\WINDOWS\system32\svchost.exe[2336] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00FD000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[2916] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0139000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[2916] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 013A000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[2916] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0138000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

Device \FileSystem\Ntfs \Ntfs 8A51B1F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\usbuhci \Device\USBPDO-0 8A2FB500

Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A4AF1F8

Device \Driver\dmio \Device\DmControl\DmConfig 8A4AF1F8

Device \Driver\dmio \Device\DmControl\DmPnP 8A4AF1F8

Device \Driver\dmio \Device\DmControl\DmInfo 8A4AF1F8

Device \Driver\usbuhci \Device\USBPDO-1 8A2FB500

Device \Driver\usbuhci \Device\USBPDO-2 8A2FB500

Device \Driver\usbuhci \Device\USBPDO-3 8A2FB500

Device \Driver\usbehci \Device\USBPDO-4 8A339500

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\sptd \Device\956636132 spzs.sys

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A51D1F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{5AA68985-96D6-4A66-8F7E-7D48F4B62945} 8A1CB500

Device \Driver\Ftdisk \Device\HarddiskVolume2 8A51D1F8

Device \Driver\Cdrom \Device\CdRom0 8A3381F8

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A3E9292

Device \Driver\atapi \Device\Ide\IdePort0 [b7DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A3E9292

Device \Driver\atapi \Device\Ide\IdePort1 [b7DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8A3E9292

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [b7DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-18 8A3E9292

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 [b7DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-20 8A3E9292

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 [b7DFBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\Ftdisk \Device\HarddiskVolume3 8A51D1F8

Device \Driver\Cdrom \Device\CdRom1 8A3381F8

Device \Driver\Cdrom \Device\CdRom2 8A3381F8

Device \Driver\NetBT \Device\NetBt_Wins_Export 8A1CB500

Device \Driver\PCI_PNP1132 \Device\0000004a spzs.sys

Device \Driver\NetBT \Device\NetbiosSmb 8A1CB500

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\usbuhci \Device\USBFDO-0 8A2FB500

Device \Driver\usbuhci \Device\USBFDO-1 8A2FB500

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A285500

Device \Driver\usbuhci \Device\USBFDO-2 8A2FB500

Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A285500

Device \Driver\usbuhci \Device\USBFDO-3 8A2FB500

Device \Driver\usbehci \Device\USBFDO-4 8A339500

Device \Driver\Ftdisk \Device\FtControl 8A51D1F8

Device \Driver\axmeybf7 \Device\Scsi\axmeybf71Port2Path0Target0Lun0 8A2221F8

Device \Driver\axmeybf7 \Device\Scsi\axmeybf71 8A2221F8

Device \FileSystem\Cdfs \Cdfs 8A0BE500

Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskMaxtor_6L200R0__________________________BAH41E00#354c36303648483220

2020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x91 0x37 0xCD 0x20 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAE 0x57 0xB4 0x5F ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x19 0x30 0xBB 0x9A ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x91 0x37 0xCD 0x20 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAE 0x57 0xB4 0x5F ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x19 0x30 0xBB 0x9A ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x91 0x37 0xCD 0x20 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAE 0x57 0xB4 0x5F ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x19 0x30 0xBB 0x9A ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x91 0x37 0xCD 0x20 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAE 0x57 0xB4 0x5F ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x19 0x30 0xBB 0x9A ...

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x91 0x37 0xCD 0x20 ...

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAE 0x57 0xB4 0x5F ...

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x19 0x30 0xBB 0x9A ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!

Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sectors 398296832 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

and attached is the Attach.txt

Thank you for your help

Attach.txt

Link to post
Share on other sites

Hi,

Part of the DDS.txt log was cut off - can you post that again for me please?

Oh sorry, here's the whole thing:

DDS (Ver_10-11-10.01) - NTFSx86

Run by Nicholas at 19:07:51.81 on Wed 11/17/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.590 [GMT -8:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AskBarDis\bar\bin\AskService.exe

C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Blaze Media Pro\NMSAccess32.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\System32\mshta.exe

C:\WINDOWS\System32\mshta.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\mshta.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Documents and Settings\Nicholas\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Bar = hxxp://www.comcast.net/toolbar2.0/search/

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://www.comcast.net/toolbar2.0/search/

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL

TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork

uRun: [Google Update] "c:\documents and settings\nicholas\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [RegistryMechanic]

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

StartupFolder: c:\documents and settings\nicholas\start menu\programs\startup\PowerReg Scheduler.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli c:\windows\system32\giyesewu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nicholas\applic~1\mozilla\firefox\profiles\kv5unkxg.default\

FF - plugin: c:\documents and settings\nicholas\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\nicholas\application data\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\nicholas\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\download manager\npfpdlm.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-8 165584]

R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-2-3 464264]

R2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-2-3 234888]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-8 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-8 40384]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-1 24652]

R3 StixKB;Stix Virtual Keybord Driver;c:\windows\system32\drivers\StixKB.sys [2008-6-3 6656]

S2 Ca536av;FashionCam Video Camera Device;c:\windows\system32\drivers\Ca536av.sys [2008-6-25 514859]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-8 40384]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-8 40384]

=============== Created Last 30 ================

2010-11-17 23:53:14 54016 ----a-w- c:\windows\system32\drivers\yqapibf.sys

2010-11-17 23:34:50 -------- d-----w- c:\docume~1\nicholas\applic~1\Malwarebytes

2010-11-17 23:34:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-17 23:34:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-11-17 23:34:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-17 23:34:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-17 22:16:25 341 ----a-w- c:\docume~1\nicholas\applic~1\scgdfgasfbh.bat

2010-11-12 20:38:53 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS

2010-11-12 20:37:36 -------- d-----w- C:\Netgear

==================== Find3M ====================

2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-15 11:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-09-15 09:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr

2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-20 20:35:06 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin

2010-08-20 20:35:06 1 ----a-w- c:\windows\system32\nvdrssel.bin

2010-08-20 20:34:54 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: Maxtor_6L200R0 rev.BAH41E00 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A3E9446]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a3ef504]; MOV EAX, [0x8a3ef580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A3F8AB8]

3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000074[0x8A50CF18]

5 ACPI[0xB7E66620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8A3FA940]

\Driver\atapi[0x8A463A50] -> IRP_MJ_CREATE -> 0x8A3E9446

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [bP+0x0], CL; INC BP; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskMaxtor_6L200R0__________________________BAH41E00#354c36303648483220

2020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x8A3E9292

user != kernel MBR !!!

sectors 398297086 (+255): user != kernel

Warning: possible TDL4 rootkit infection !

TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 19:09:23.04 ===============

Link to post
Share on other sites

Nick603:

icon11.gif Download ComboFix from one of the following locations:

Link 1

Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link

  • Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RC1.png

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please include the following in your next post:

  • ComboFix log

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Moved from PM:

ComboFix 10-11-24.01 - Nicholas 11/24/2010 12:32:40.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.807 [GMT -8:00]

Running from: c:\documents and settings\Nicholas\Desktop\ComboFix.exe

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Nicholas\Application Data\install

c:\documents and settings\Nicholas\Application Data\scgdfgasfbh.bat

c:\windows\system32\3564404.dll

c:\windows\system32\Memman.vxd

c:\windows\system32\skinboxer43.dll

c:\windows\Tasks\At1.job

c:\windows\Tasks\At10.job

c:\windows\Tasks\At11.job

c:\windows\Tasks\At12.job

c:\windows\Tasks\At13.job

c:\windows\Tasks\At14.job

c:\windows\Tasks\At15.job

c:\windows\Tasks\At16.job

c:\windows\Tasks\At17.job

c:\windows\Tasks\At18.job

c:\windows\Tasks\At19.job

c:\windows\Tasks\At2.job

c:\windows\Tasks\At20.job

c:\windows\Tasks\At21.job

c:\windows\Tasks\At22.job

c:\windows\Tasks\At23.job

c:\windows\Tasks\At24.job

c:\windows\Tasks\At3.job

c:\windows\Tasks\At4.job

c:\windows\Tasks\At5.job

c:\windows\Tasks\At6.job

c:\windows\Tasks\At7.job

c:\windows\Tasks\At8.job

c:\windows\Tasks\At9.job

.

\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SSHNAS

((((((((((((((((((((((((( Files Created from 2010-10-24 to 2010-11-24 )))))))))))))))))))))))))))))))

.

2010-11-18 08:02 . 2010-11-18 08:02 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2010-11-17 23:53 . 2010-11-17 23:53 54016 ----a-w- c:\windows\system32\drivers\yqapibf.sys

2010-11-17 23:34 . 2010-11-17 23:34 -------- d-----w- c:\documents and settings\Nicholas\Application Data\Malwarebytes

2010-11-17 23:34 . 2010-04-29 23:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-17 23:34 . 2010-11-17 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-11-17 23:34 . 2010-11-17 23:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-17 23:34 . 2010-04-29 23:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-12 20:38 . 2009-08-19 21:49 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS

2010-11-12 20:37 . 2010-11-12 20:47 -------- d-----w- C:\Netgear

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-24 19:54 . 2007-12-24 05:25 196608 ----a-w- c:\windows\system32\drivers\nStandard.bin

2010-09-18 19:23 . 2004-08-04 08:56 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2004-08-04 08:56 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2002-08-29 21:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2002-08-29 21:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-15 11:50 . 2010-04-26 05:27 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-09-15 09:29 . 2010-04-26 05:27 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-09-10 05:58 . 2004-08-04 08:56 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2004-08-04 08:56 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-10 05:58 . 2004-08-04 08:56 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-07 15:12 . 2010-08-08 22:51 38848 ----a-w- c:\windows\avastSS.scr

2010-09-07 15:11 . 2010-06-09 05:37 167592 ----a-w- c:\windows\system32\aswBoot.exe

2010-09-07 14:52 . 2010-06-09 05:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-09-07 14:52 . 2010-06-09 05:37 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-09-07 14:47 . 2010-06-09 05:37 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-09-07 14:47 . 2010-06-09 05:37 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-09-07 14:47 . 2010-06-09 05:37 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-09-07 14:47 . 2010-06-09 05:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-09-07 14:46 . 2010-06-09 05:37 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-09-01 11:51 . 2004-08-04 08:56 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2004-08-04 07:17 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2004-08-04 08:56 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2004-08-04 08:56 99840 ----a-w- c:\windows\system32\srvsvc.dll

.

------- Sigcheck -------

[7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe

[7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe

[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe

[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe

[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe

[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe

[7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe

c:\windows\System32\spoolsv.exe ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-10 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-10 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]

"Google Update"="c:\documents and settings\Nicholas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-05 136176]

"Aim"="c:\program files\AIM\aim.exe" [2010-09-16 4425048]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-01-31 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2007-12-24 577536]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]

c:\documents and settings\Nicholas\Start Menu\Programs\Startup\

PowerReg Scheduler.exe [2007-12-23 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk

backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-07-21 22:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

2010-04-29 23:59 5248312 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Diablo II\\Diablo II.exe"=

"c:\\Program Files\\Guild Wars\\Gw.exe"=

"c:\\Documents and Settings\\Nicholas\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/28/2009 5:21 PM 721904]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/8/2010 9:37 PM 165584]

R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2/3/2009 7:21 PM 464264]

R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2/3/2009 7:21 PM 234888]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/8/2010 9:37 PM 17744]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/1/2008 12:40 PM 24652]

R3 StixKB;Stix Virtual Keybord Driver;c:\windows\system32\drivers\StixKB.sys [6/3/2008 12:00 PM 6656]

S2 Ca536av;FashionCam Video Camera Device;c:\windows\system32\drivers\Ca536av.sys [6/25/2008 12:00 AM 514859]

.

Contents of the 'Scheduled Tasks' folder

2010-11-03 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-11-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1708537768-839522115-1003Core1cb712ca81541fa.job

- c:\documents and settings\Nicholas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-05 10:44]

2010-11-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1708537768-839522115-1003UA.job

- c:\documents and settings\Nicholas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-05 10:44]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

FF - ProfilePath - c:\documents and settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\kv5unkxg.default\

FF - plugin: c:\documents and settings\Nicholas\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\Nicholas\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\Nicholas\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\Download Manager\npfpdlm.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-RegistryMechanic - (no file)

SafeBoot-mcmscsvc

SafeBoot-MCODS

MSConfigStartUp-Stix+Sphere - c:\program files\GoLive2\Golive2 Sphere\StixTM.exe

AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe

AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-24 12:54

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1720)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Blaze Media Pro\NMSAccess32.exe

c:\windows\SOUNDMAN.EXE

c:\windows\system32\RUNDLL32.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-11-24 13:02:39 - machine was rebooted

ComboFix-quarantined-files.txt 2010-11-24 21:02

Pre-Run: 3,255,226,368 bytes free

Post-Run: 3,620,208,640 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5

- - End Of File - - E5EB9247655A886FEFC209A34E4B1026

Link to post
Share on other sites

Nick603:

icon11.gif Open Notepad Go to Start> All Programs> Accessories> Notepad ( this will only work with Notepad ) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above http://

http://forums.malwarebytes.org/index.php?showtopic=67966
Collect::
c:\windows\system32\drivers\yqapibf.sys
FCopy::
c:\windows\system32\dllcache\spoolsv.exe | c:\windows\System32\spoolsv.exe
FixCSet::

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:

  • ComboFix log

Link to post
Share on other sites

ComboFix 10-11-24.01 - Nicholas 11/25/2010 0:39.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.812 [GMT -8:00]

Running from: c:\documents and settings\Nicholas\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Nicholas\Desktop\CFScript.txt

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\windows\system32\drivers\yqapibf.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\yqapibf.sys

.

--------------- FCopy ---------------

c:\windows\system32\dllcache\spoolsv.exe --> c:\windows\System32\spoolsv.exe

.

((((((((((((((((((((((((( Files Created from 2010-10-25 to 2010-11-25 )))))))))))))))))))))))))))))))

.

2010-11-25 08:39 . 2010-08-17 13:17 58880 -c--a-w- c:\windows\system32\dllcache\spoolsv.exe

2010-11-25 08:39 . 2010-08-17 13:17 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-11-18 08:02 . 2010-11-18 08:02 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2010-11-17 23:34 . 2010-11-17 23:34 -------- d-----w- c:\documents and settings\Nicholas\Application Data\Malwarebytes

2010-11-17 23:34 . 2010-04-29 23:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-17 23:34 . 2010-11-17 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-11-17 23:34 . 2010-11-17 23:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-17 23:34 . 2010-04-29 23:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-12 20:38 . 2009-08-19 21:49 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS

2010-11-12 20:37 . 2010-11-12 20:47 -------- d-----w- C:\Netgear

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-24 19:54 . 2007-12-24 05:25 196608 ----a-w- c:\windows\system32\drivers\nStandard.bin

2010-09-18 19:23 . 2004-08-04 08:56 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2004-08-04 08:56 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2002-08-29 21:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2002-08-29 21:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-15 11:50 . 2010-04-26 05:27 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-09-15 09:29 . 2010-04-26 05:27 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-09-10 05:58 . 2004-08-04 08:56 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2004-08-04 08:56 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-10 05:58 . 2004-08-04 08:56 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-07 15:12 . 2010-08-08 22:51 38848 ----a-w- c:\windows\avastSS.scr

2010-09-07 15:11 . 2010-06-09 05:37 167592 ----a-w- c:\windows\system32\aswBoot.exe

2010-09-07 14:52 . 2010-06-09 05:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-09-07 14:52 . 2010-06-09 05:37 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-09-07 14:47 . 2010-06-09 05:37 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-09-07 14:47 . 2010-06-09 05:37 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-09-07 14:47 . 2010-06-09 05:37 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-09-07 14:47 . 2010-06-09 05:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-09-07 14:46 . 2010-06-09 05:37 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-09-01 11:51 . 2004-08-04 08:56 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2004-08-04 07:17 1852800 ----a-w- c:\windows\system32\win32k.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-10 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-10 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]

"Google Update"="c:\documents and settings\Nicholas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-05 136176]

"Aim"="c:\program files\AIM\aim.exe" [2010-09-16 4425048]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-01-31 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2007-12-24 577536]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]

c:\documents and settings\Nicholas\Start Menu\Programs\Startup\

PowerReg Scheduler.exe [2007-12-23 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk

backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-07-21 22:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

2010-04-29 23:59 5248312 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Diablo II\\Diablo II.exe"=

"c:\\Program Files\\Guild Wars\\Gw.exe"=

"c:\\Documents and Settings\\Nicholas\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/28/2009 5:21 PM 721904]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/8/2010 9:37 PM 165584]

R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2/3/2009 7:21 PM 464264]

R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2/3/2009 7:21 PM 234888]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/8/2010 9:37 PM 17744]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/1/2008 12:40 PM 24652]

R3 StixKB;Stix Virtual Keybord Driver;c:\windows\system32\drivers\StixKB.sys [6/3/2008 12:00 PM 6656]

S2 Ca536av;FashionCam Video Camera Device;c:\windows\system32\drivers\Ca536av.sys [6/25/2008 12:00 AM 514859]

.

Contents of the 'Scheduled Tasks' folder

2010-11-03 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-11-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1708537768-839522115-1003Core1cb712ca81541fa.job

- c:\documents and settings\Nicholas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-05 10:44]

2010-11-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1708537768-839522115-1003UA.job

- c:\documents and settings\Nicholas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-05 10:44]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

FF - ProfilePath - c:\documents and settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\kv5unkxg.default\

FF - plugin: c:\documents and settings\Nicholas\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\Nicholas\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\Nicholas\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\Download Manager\npfpdlm.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-25 00:54

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3856)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\windows\SOUNDMAN.EXE

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Blaze Media Pro\NMSAccess32.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-11-25 01:00:26 - machine was rebooted

ComboFix-quarantined-files.txt 2010-11-25 09:00

ComboFix2.txt 2010-11-24 21:02

Pre-Run: 3,590,471,680 bytes free

Post-Run: 3,561,132,032 bytes free

- - End Of File - - 7F139D9A0FF589B2AB87FDF19CCAF855

Link to post
Share on other sites

Nick603:

How is your computer running now? Please do this next:

report.gifP2P - I see you have P2P software (Vuze) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at MBAM are complete.

icon11.gif You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

icon11.gif Please run ESET Online Scanner

  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.

Please include the following in your next post:

  • MBAM log
  • ESET log

Link to post
Share on other sites

Hello, here is the MBAM log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5189

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/25/2010 11:45:05 AM

mbam-log-2010-11-25 (11-45-05).txt

Scan type: Quick scan

Objects scanned: 137549

Time elapsed: 11 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

My computer seems to be running as it used to, haven't noticed anymore redirects or problems. I ran MBAM and as you can see there were no detected infections. Should I still download and install the ESET scanner? As per your note about P2P, I do have Vuze installed but rarely ever use it, so that is a fairly minimal risk of infection for me.

Link to post
Share on other sites

C:\Documents and Settings\Nicholas\Start Menu\Programs\Startup\PowerReg Scheduler.exe Win32/PowerReg application

C:\Qoobox\Quarantine\MBR_HardDisk0.mbr Win32/Olmarik.ADA trojan

C:\System Volume Information\_restore{F7807C32-5CC0-4EE5-80BB-56265112DE94}\RP711\A0086395.exe a variant of Win32/Adware.FakeAntiSpy.S application

There was no "Details" tab, but here is what it found.

Link to post
Share on other sites

Nick603:

That "PowerReg Scheduler.exe" that ESET detected gets mixed reviews - IT's used by legitimate software to remind you to register, but many feel that it also sends information back to the company about your computer. Either way, it isn't needed. If you wish to remove it do this:

Click Start > Run or Press Windows Key + R and copy/paste the following single-line command into the Run box and click OK:

cmd /c del /f/a/q "C:\Documents and Settings\Nicholas\Start Menu\Programs\Startup\PowerReg Scheduler.exe"

Those other detections are in the ComboFix quarantine or the system restore cache. Those get cleared when we uninstall ComboFix. All I have left for you are another update and some very important cleanup:

icon11.gif Your Adobe reader needs to be updated. Please visit Adobe's site and grab the newest version.

icon11.gif Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and past the following text into the run box that opens and press OK:
    Combofix /Uninstall

Combofix_uninstall_image.jpg

icon11.gif Delete the following tools along with any other logs you saved from our work:

  • DDS
  • GMER

icon11.gif Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job
  • Once its finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean

icon11.gif Finally, I'd like to make a couple of suggestions to help you stay clean in the future:

  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Avoid using P2P programs. Refer back to my earlier post for more information.
  • Please visit this General Computer Security Forum and review http://www.techsupportforum.com/security-c...-do-i-need.html for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.