
Incapable of finding and removing virus



Hello all seeking to help,

In advance I'd like to state that I am greatly appreciative of all willing to help someone such as myself.

Here is the breakdown of the issue that I have found to date on my system.

I am certain that my computer has become infected, though by what I am not specifically sure.

However, I can list a few of the symptoms I have viewed:

- The infection has caused the Generic Host Process for Win32 Services to crash upon start up

- System recovery has become a beachhead for the infection. It will not complete when run and simply reverts to a point after the problem occurred; further, it refuses to start in safe mode.

- The Windows Malicious Software Removal Tool is prevented from launching

- Malwarebytes software is prevented from launching

- Some hijacking of IE has been observed

- Avast's updates have stopped, and the software continues to believe the virus definitions are current.

Further, attempts to use boot-disc antivirus scanners such as Kaspersky and BitDefender fail due to their inability to mount my RAID 0 system.

Below are the HijackThis log and DDS log for the computer in question. Attached are the Attach.zip from DDS and the ARK.zip from GMER.

Again, I appreciate all the help you offer. If you require any additional information, feel free to email me.

Thanks,

Frank

HijackThis Log

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:26:08 PM, on 1/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Safe mode

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: ALOT Toolbar Helper - {14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6} - C:\Program Files\alot\bin\alot.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll

O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [MCStart] "C:\Program Files\Bell Mobility\Mobile Connect Basic\tscui.exe" /s

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [WindowsLivePhone] C:\Program Files\Windows Live\Device Manager\msgrdvmn.exe /AutoRun

O4 - HKLM\..\Run: [LifeChat] "C:\Program Files\Microsoft LifeChat\LifeChat.exe"

O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: NovaCore SDK Service (NvtlService) - Unknown owner - C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe

--

End of file - 5953 bytes

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

DDS Log

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

DDS (Ver_10-11-10.01) - NTFSx86 MINIMAL

Run by Administrator at 15:34:46.29 on Thu 01/01/2009

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1793 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

G:\2 dds.scr

C:\WINDOWS\system32\svchost.exe -k netsvcs

============== Pseudo HJT Report ===============

BHO: ALOT Toolbar Helper: {14ceeaff-96dd-4101-ae37-d5ecdc23c3f6} - c:\program files\alot\bin\alot.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ASUSGamerOSD] c:\program files\asus\gamerosd\GamerOSD.exe

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [skyTel] SkyTel.EXE

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [MCStart] "c:\program files\bell mobility\mobile connect basic\tscui.exe" /s

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [WindowsLivePhone] c:\program files\windows live\device manager\msgrdvmn.exe /AutoRun

mRun: [LifeChat] "c:\program files\microsoft lifechat\LifeChat.exe"

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ndasde~1.lnk - c:\program files\ndas\system\ndasmgmt.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: Antiwpa - antiwpa.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 lfsfilt;Lean File Sharing;c:\windows\system32\drivers\lfsfilt.sys [2010-8-29 254440]

R0 lpx;LPX Protocol;c:\windows\system32\drivers\lpx.sys [2007-6-29 62056]

R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-3-19 607576]

R3 ndasbus;NDAS Bus Driver;c:\windows\system32\drivers\ndasbus.sys [2007-6-29 75880]

S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-23 165584]

S1 ndasfat;NDAS FAT;c:\windows\system32\drivers\ndasfat.sys [2010-8-29 372584]

S1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2010-4-23 33824]

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

S2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-23 17744]

S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-23 40384]

S2 NvtlService;NovaCore SDK Service;c:\program files\novatel wireless\novacore\server\NvtlSrvr.exe [2009-3-2 40448]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-23 40384]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-23 40384]

S3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\drivers\ndasscsi.sys [2007-6-29 187368]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 TSWLAN;TsWlan Packet Driver;c:\windows\system32\drivers\tswlan.sys --> c:\windows\system32\drivers\TsWlan.sys [?]

S3 xbreader;ActionReplay XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [2010-9-11 19677]

=============== Created Last 30 ================

2010-10-31 00:27:54 -------- d-----w- c:\program files\Lavasoft

2010-10-31 00:27:41 -------- d-----w- c:\program files\common files\Wise Installation Wizard

2010-10-30 23:58:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-10-30 23:58:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-10-30 23:58:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-10-30 23:58:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-10-30 21:42:28 -------- d-----w- c:\windows\pss

2010-10-26 01:44:23 -------- d-----w- C:\4bb8129d2a117ca0123568e4

2010-10-25 22:31:00 -------- d-----w- c:\program files\BandiMPEG1

2010-10-25 22:22:32 -------- d-----w- C:\spoolerlogs

2010-10-25 22:17:42 -------- d-----w- c:\windows\system32\wbem\repository\FS

2010-10-25 22:17:42 -------- d-----w- c:\windows\system32\wbem\Repository

2010-10-24 22:49:59 -------- d-----w- c:\program files\common files\supportsoft

2010-10-24 22:41:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\SQL Anywhere 10

2010-10-21 00:46:56 -------- d-----w- C:\Nexon

2010-10-18 22:19:27 5376 ----a-w- c:\windows\system32\antiwpa.dll

2010-10-17 04:58:03 -------- d-----w- c:\program files\MySQL

2010-10-17 04:58:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\MySQL

2010-10-11 20:41:46 -------- d-----w- c:\windows\SxsCaPendDel

2010-10-05 22:25:15 679936 ----a-w- c:\windows\system32\D3DX81ab.dll

2010-10-05 22:25:15 1970176 ----a-w- c:\windows\system32\d3dx9.dll

2010-10-05 22:25:14 -------- d-----w- c:\program files\Cheat Engine

2010-10-03 23:26:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\Blizzard

2010-10-03 21:14:10 4194304 ----a-w- c:\windows\system32\cdintf400.dll

2010-10-03 21:11:19 -------- d-----w- c:\program files\Intuit

2010-10-03 21:11:19 -------- d-----w- c:\program files\common files\Intuit

2010-10-03 21:11:19 -------- d-----w- c:\docume~1\alluse~1\applic~1\Intuit

2010-10-03 21:10:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\SQL Anywhere 11

2010-10-03 21:10:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\COMMON FILES

2010-10-03 21:09:55 -------- d-----w- c:\windows\system32\XPSViewer

2010-10-03 21:09:39 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

2010-10-03 21:09:25 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-10-03 21:09:25 117760 ------w- c:\windows\system32\prntvpt.dll

2010-10-03 21:09:24 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-10-03 21:09:24 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2010-10-03 21:09:24 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-10-03 21:09:24 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-10-03 21:09:24 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2010-10-03 21:09:24 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-10-03 21:09:24 -------- d-----w- C:\9870d19142bee16be2

2010-10-03 21:07:08 -------- d-----w- c:\program files\MSXML 4.0

2010-10-03 21:05:14 -------- d-----w- c:\windows\Intuit

2010-09-27 23:57:22 -------- d-----w- c:\program files\common files\Akamai

2010-09-27 23:57:12 -------- d-----w- c:\program files\History Channel Games

2010-09-25 18:32:03 218624 ----a-w- c:\windows\system32\uxtheme.dll.backup

2010-09-25 18:25:20 221184 ----a-w- c:\windows\system32\wmpns.dll

2010-09-25 18:19:32 -------- d-----w- c:\windows\ServicePackFiles

2010-09-25 18:19:25 294912 ------w- c:\program files\windows media player\dlimport.exe

2010-09-25 18:19:23 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe

2010-09-25 18:17:51 19569 ----a-w- c:\windows\002625_.tmp

2010-09-25 18:16:56 -------- dc-h--w- C:\$ntservicepackuninstall$

2010-09-25 18:16:54 -------- d-----w- c:\windows\EHome

2010-09-25 18:09:04 -------- d-----w- c:\program files\uPlayer

2010-09-25 18:07:05 -------- d-----w- c:\program files\alot

2010-09-21 23:55:09 -------- d-----w- c:\program files\GRETECH

2010-09-19 01:37:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\Age of Empires 3

2010-09-19 01:35:37 34304 ------r- c:\program files\microsoft games\age of empires iii\SetupENU2.dll

2010-09-18 20:33:43 -------- d-----w- c:\program files\Microsoft Games

2010-09-18 20:28:02 -------- d-----w- c:\program files\DAEMON Tools Lite

2010-09-13 23:14:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation

2010-09-13 23:14:08 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin

2010-09-13 23:14:06 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin

2010-09-13 23:14:06 1 ----a-w- c:\windows\system32\nvdrssel.bin

2010-09-13 23:14:03 -------- d-----w- c:\program files\NVIDIA Corporation

2010-09-13 23:13:39 61440 ----a-w- c:\windows\system32\OpenCL.dll

2010-09-13 23:13:38 4595712 ----a-w- c:\windows\system32\nvcuda.dll

2010-09-13 23:13:38 2914408 ----a-w- c:\windows\system32\nvcuvid.dll

2010-09-13 23:13:38 2506344 ----a-w- c:\windows\system32\nvcuvenc.dll

2010-09-13 23:13:37 2195030 ----a-w- c:\windows\system32\nvdata.bin

2010-09-13 23:13:37 10260480 ----a-w- c:\windows\system32\nvcompiler.dll

2010-09-13 23:13:31 -------- d-----w- C:\NVIDIA

2010-09-13 23:10:30 -------- d-----w- c:\program files\SystemRequirementsLab

2010-09-12 19:09:40 -------- d-----w- c:\program files\Steam

2010-09-12 00:44:24 -------- d-----w- C:\ContentShare

2010-09-11 20:58:32 -------- d--h--w- c:\windows\msdownld.tmp

2010-09-11 20:58:26 -------- d-----w- c:\windows\Logs

2010-09-11 20:58:13 -------- d-----w- c:\program files\XBMC

2010-09-11 20:11:54 19677 ----a-w- c:\windows\system32\drivers\xbreader.sys

2010-09-11 20:11:54 -------- d-----w- c:\program files\Datel

2010-09-06 02:30:21 -------- d-----w- c:\program files\common files\Blizzard Entertainment

2010-09-06 00:06:05 3661128 ----a-w- c:\windows\system32\GameMon.des

2010-09-06 00:05:51 5174 ----a-w- c:\windows\system32\nppt9x.vxd

2010-09-06 00:05:51 4682 ----a-w- c:\windows\system32\npptNT2.sys

2010-09-06 00:05:36 -------- d-----w- c:\program files\common files\INCA Shared

2010-09-05 23:23:40 -------- d-----w- C:\gPotato

2010-09-05 22:53:16 60032 ----a-w- c:\windows\system32\drivers\usbaudio.sys

2010-09-03 03:26:23 38848 ----a-w- c:\windows\avastSS.scr

2010-09-02 02:00:41 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll

2010-09-02 02:00:41 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe

2010-09-02 01:20:20 -------- d-----w- c:\program files\VideoLAN

2010-08-29 20:33:55 -------- d-----w- c:\program files\uTorrent

2010-08-29 19:05:36 372584 ----a-w- c:\windows\system32\drivers\ndasfat.sys

2010-08-29 19:05:36 254440 ----a-w- c:\windows\system32\drivers\lfsfilt.sys

2010-08-29 19:05:27 -------- d-----w- c:\program files\NDAS

2010-08-29 18:56:24 -------- d-----w- c:\windows\system32\LogFiles

2010-08-27 13:26:55 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll

2010-08-27 13:26:55 32592 ----a-w- c:\windows\system32\msonpmon.dll

2010-08-27 13:00:04 -------- d-----w- c:\program files\Nero

2010-08-27 13:00:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\Nero

2010-08-27 12:59:53 47616 ----a-w- c:\program files\windows media player\msoobci.dll

2010-08-27 12:59:52 819200 ----a-w- c:\program files\windows media player\wmsetsdk.exe

2010-08-27 12:59:41 -------- d-----w- c:\windows\RegisteredPackages

2010-07-17 23:01:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-07-17 23:01:10 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-17 23:01:10 423656 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

2010-07-12 00:07:05 -------- d-----w- c:\program files\Ted Nugent Wild Hunting Adventure

2010-07-09 20:24:26 81920 ----a-w- c:\windows\system32\nvwddi.dll

2010-07-09 20:24:18 277608 ----a-w- c:\windows\system32\nvmccs.dll

2010-07-09 20:24:18 110696 ----a-w- c:\windows\system32\nvmctray.dll

2010-07-09 20:24:16 155752 ----a-w- c:\windows\system32\nvsvc32.exe

2010-07-09 20:24:16 145000 ----a-w- c:\windows\system32\nvcolor.exe

2010-07-09 20:24:16 13923432 ----a-w- c:\windows\system32\nvcpl.dll

2010-07-06 18:56:45 1409 ----a-w- c:\windows\mostyser.for

2010-07-06 18:56:45 1409 ----a-w- c:\windows\mosty.for

2010-07-06 18:56:45 1409 ----a-w- c:\windows\mostxser.for

2010-07-06 18:56:45 1409 ----a-w- c:\windows\mostx.for

2010-07-06 18:56:45 1409 ----a-w- c:\windows\mostserf.for

2010-07-06 18:56:45 1409 ----a-w- c:\windows\most.for

2010-07-06 18:56:45 1409 ----a-w- c:\windows\cyrillic.for

2010-07-06 18:56:24 -------- d-----w- c:\program files\Compton's Home Library

2010-07-06 18:56:13 306688 ----a-w- c:\windows\IsUninst.exe

2010-06-26 13:51:05 -------- d-----w- c:\program files\Stardock Games

2010-06-14 14:27:09 -------- d-----w- c:\windows\Downloaded Installations

2010-06-14 14:26:56 -------- d-----w- c:\program files\Novatel Wireless

2010-06-14 14:26:53 -------- d-----w- c:\program files\Bell Mobility

2010-06-14 14:26:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Bell

2010-05-16 16:36:37 -------- d-----w- c:\program files\Bonjour

2010-05-16 16:32:07 -------- d-----w- c:\program files\common files\Macrovision Shared

2010-05-15 19:04:33 -------- d-----w- c:\windows\SHELLNEW

2010-05-14 18:24:55 -------- d-----w- c:\program files\Maxis

2010-04-23 21:11:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\Nexon

2010-04-23 21:10:45 33824 ----a-w- c:\windows\system32\drivers\oreans32.sys

2010-04-23 20:55:30 443752 ----a-w- c:\windows\system32\d3dx10_34.dll

2010-04-23 20:55:30 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll

2010-04-23 20:55:30 266088 ----a-w- c:\windows\system32\xactengine2_8.dll

2010-04-23 20:55:30 17928 ----a-w- c:\windows\system32\X3DAudio1_2.dll

2010-04-23 20:55:30 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll

2010-04-23 20:30:44 -------- d-----w- c:\program files\Combat Arms

2010-04-23 20:30:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\NexonUS

2010-04-23 20:08:19 81768 ----a-w- c:\windows\system32\xinput1_3.dll

2010-04-23 20:08:19 443752 ----a-w- c:\windows\system32\d3dx10_33.dll

2010-04-23 20:08:19 261480 ----a-w- c:\windows\system32\xactengine2_7.dll

2010-04-23 20:08:19 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll

2010-04-23 20:08:18 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll

2010-04-23 20:08:17 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll

2010-04-23 20:08:17 255848 ----a-w- c:\windows\system32\xactengine2_6.dll

2010-04-23 20:08:17 251672 ----a-w- c:\windows\system32\xactengine2_5.dll

2010-04-23 20:08:17 237848 ----a-w- c:\windows\system32\xactengine2_4.dll

2010-04-23 20:08:17 15128 ----a-w- c:\windows\system32\x3daudio1_1.dll

2010-04-23 20:08:16 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll

2010-04-23 19:53:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\PMB Files

2010-04-23 19:53:28 -------- d-----w- c:\program files\Pando Networks

2010-04-23 19:47:21 -------- d-----w- c:\program files\Firaxis Games

2010-04-23 19:45:51 -------- d-----w- c:\program files\DAEMON Tools Toolbar

2010-04-23 19:42:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite

2010-04-23 19:41:44 697328 ----a-w- c:\windows\system32\drivers\sptd.sys

2010-04-23 19:40:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Pro

2010-04-23 19:28:39 -------- d-----w- c:\windows\system32\Lang

2010-04-23 19:23:38 6272 ----a-w- c:\windows\system32\drivers\splitter.sys

2010-04-23 19:23:37 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys

2010-04-23 19:23:37 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys

2010-04-23 19:23:32 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys

2010-04-23 19:23:31 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys

2010-04-23 19:23:31 172416 ----a-w- c:\windows\system32\drivers\kmixer.sys

2010-04-23 19:23:31 142592 ----a-w- c:\windows\system32\drivers\aec.sys

2010-04-23 19:23:30 60800 ----a-w- c:\windows\system32\drivers\sysaudio.sys

2010-04-23 19:21:28 49152 ------r- c:\windows\system32\ChCfg.exe

2010-04-23 19:21:09 -------- d-----w- c:\windows\system32\RTCOM

2010-04-23 19:21:08 60160 ----a-w- c:\windows\system32\drivers\drmk.sys

2010-04-23 19:09:34 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2010-04-23 19:09:34 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2010-04-23 19:09:34 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2010-04-23 19:09:33 -------- d-----w- c:\program files\TUGZip

2010-04-23 19:04:14 -------- d-----w- c:\program files\Microsoft

2010-04-23 19:04:01 -------- d-----w- c:\program files\Windows Live SkyDrive

2010-04-23 18:59:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

2010-04-23 18:59:46 -------- d-----w- c:\program files\common files\Windows Live

2010-04-23 18:34:02 9216 ----a-w- c:\windows\system32\drivers\videX32.sys

2010-04-23 18:33:39 -------- d-----w- c:\program files\VIA

2010-04-23 18:33:38 331184 ------w- c:\windows\system32\difxapi.dll

2010-04-23 18:33:19 10288 ----a-w- c:\windows\system32\drivers\ASUSHWIO.SYS

2010-04-23 18:31:26 -------- d-----w- c:\windows\system32\ReinstallBackups

2010-04-23 18:31:09 -------- d-----w- c:\program files\Microsoft IntelliPoint

2010-04-23 18:25:25 12288 ----a-w- c:\windows\system32\drivers\EIO.sys

2010-04-23 18:23:21 604776 ----a-w- c:\windows\system32\nvudisp.exe

2010-04-23 18:23:21 -------- d-----w- c:\windows\nview

2010-04-23 18:22:34 604776 ----a-w- c:\windows\system32\NVUNINST.EXE

2010-04-23 18:22:32 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll

2010-04-23 18:22:32 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll

2010-04-23 18:22:32 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe

2010-04-23 18:22:32 32768 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll

2010-04-23 18:22:32 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll

2010-04-23 18:22:32 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll

2010-04-23 18:22:25 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll

2010-04-23 18:22:25 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll

2010-04-23 00:51:27 -------- d-s---w- c:\windows\system32\Microsoft

==================== Find3M ====================

2010-09-25 18:32:03 218624 ----a-w- c:\windows\system32\uxtheme.dll

2010-07-09 22:38:00 6343040 ----a-w- c:\windows\system32\nv4_disp.dll

2010-07-09 22:38:00 236136 ----a-w- c:\windows\system32\nvcodins.dll

2010-07-09 22:38:00 236136 ----a-w- c:\windows\system32\nvcod.dll

2010-07-09 22:38:00 1388544 ----a-w- c:\windows\system32\nvapi.dll

2010-07-09 22:38:00 13549568 ----a-w- c:\windows\system32\nvoglnt.dll

2010-06-02 08:55:30 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll

2010-06-02 08:55:30 527192 ----a-w- c:\windows\system32\XAudio2_7.dll

2010-06-02 08:55:30 239960 ----a-w- c:\windows\system32\xactengine3_7.dll

2010-05-26 15:41:02 470880 ----a-w- c:\windows\system32\d3dx10_43.dll

2010-05-26 15:41:02 248672 ----a-w- c:\windows\system32\d3dx11_43.dll

2010-05-26 15:41:02 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll

2010-05-26 15:41:02 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll

2010-05-26 15:41:02 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll

2010-02-04 14:01:14 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll

2010-02-04 14:01:14 528216 ----a-w- c:\windows\system32\XAudio2_6.dll

2010-02-04 14:01:14 238936 ----a-w- c:\windows\system32\xactengine3_6.dll

2010-02-04 14:01:14 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll

2009-09-04 21:44:40 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll

2009-09-04 21:44:40 515416 ----a-w- c:\windows\system32\XAudio2_5.dll

2009-09-04 21:44:40 238936 ----a-w- c:\windows\system32\xactengine3_5.dll

2009-09-04 21:29:34 453456 ----a-w- c:\windows\system32\d3dx10_42.dll

2009-09-04 21:29:34 235344 ----a-w- c:\windows\system32\d3dx11_42.dll

2009-09-04 21:29:32 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll

2009-09-04 21:29:32 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll

2009-09-04 21:29:30 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll

2009-07-26 20:44:56 48448 ----a-w- c:\windows\system32\sirenacm.dll

2009-07-09 01:03:02 58880 ----a-w- c:\windows\system32\bdmpegv.dll

2009-07-09 01:03:02 58368 ----a-w- c:\windows\system32\bdmpega.acm

2009-03-16 18:18:32 517448 ----a-w- c:\windows\system32\XAudio2_4.dll

2009-03-16 18:18:32 235352 ----a-w- c:\windows\system32\xactengine3_4.dll

2009-03-16 18:18:32 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll

2009-03-09 19:27:22 453456 ----a-w- c:\windows\system32\d3dx10_41.dll

2009-03-09 19:27:22 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll

2009-03-09 19:27:22 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll

2008-10-27 14:04:18 514384 ----a-w- c:\windows\system32\XAudio2_3.dll

2008-10-27 14:04:16 235856 ----a-w- c:\windows\system32\xactengine3_3.dll

2008-10-27 14:04:16 23376 ----a-w- c:\windows\system32\X3DAudio1_5.dll

2008-10-27 14:04:14 70992 ----a-w- c:\windows\system32\XAPOFX1_2.dll

2008-10-10 08:52:38 452440 ----a-w- c:\windows\system32\d3dx10_40.dll

2008-10-10 08:52:38 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll

2008-10-10 08:52:38 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: VIA_____ rev.____ -> Harddisk0\DR0 -> \Device\Scsi\viamraid1

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A74EEC5]<<

_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8934a872; SUB DWORD [EBP-0x4], 0x8934a12e; PUSH EDI; CALL 0xffffffffffffdf33; }

1 nt!IofCallDriver[0x804E1397] -> \Device\Harddisk0\DR0[0x8A7D7030]

3 CLASSPNP[0xF7657FD7] -> nt!IofCallDriver[0x804E1397] -> [0x8A722220]

[0x8A9AD628] -> IRP_MJ_CREATE -> 0x8A74EEC5

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

\Device\Scsi\viamraid1Port2Path0Target0Lun0 -> \??\SCSI#Disk&Ven_VIA&Prod_SATA_RAID_0&Rev_#4&dacd72&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

============= FINISH: 15:36:39.35 ===============

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ARK.zip

Attach.zip

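The GMER disk trace in the post above is the most telling part of the log: the I/O path for \Device\Harddisk0\DR0 runs through code at 0x8A74EEC5 that GMER cannot attribute to any loaded module, the device object's IRP_MJ_CREATE dispatch points at that same address, yet the MBR reads identical from user and kernel mode. That combination is a hook planted in the disk driver stack rather than a modified boot sector, which is consistent with GMER's TDL3 warning. The following parser is an added example, not code from the post or from GMER; it takes a constructed excerpt of that ROOTKIT section (addresses and driver names copied from the log above) and pulls out the facts a responder would check. The handling of a "!=" MBR verdict line is an assumption about GMER's mismatch output and does not appear on this page.

```python
import re

# Constructed excerpt of the GMER "ROOTKIT" section from the DDS log above.
# Addresses and names are copied from the post; this is sample input only.
SAMPLE = """\
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: VIA_____ rev.____ -> Harddisk0\\DR0 -> \\Device\\Scsi\\viamraid1
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A74EEC5]<<
1 nt!IofCallDriver[0x804E1397] -> \\Device\\Harddisk0\\DR0[0x8A7D7030]
3 CLASSPNP[0xF7657FD7] -> nt!IofCallDriver[0x804E1397] -> [0x8A722220]
[0x8A9AD628] -> IRP_MJ_CREATE -> 0x8A74EEC5
kernel: MBR read successfully
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# Code in the call chain that GMER could not map to a loaded module.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# "[device object] -> IRP_MJ_xxx -> handler address" lines under "Disk trace:".
IRP_RE = re.compile(r"\[(0x[0-9A-Fa-f]+)\] -> (IRP_MJ_\w+) -> (0x[0-9A-Fa-f]+)")


def parse_gmer_rootkit(text):
    """Extract the disk call chain, IRP dispatch hooks, MBR verdict and warning."""
    report = {
        "called_modules": [],  # named modules on the disk I/O path
        "unknown": [],         # addresses of unattributed code on that path
        "irp_hooks": [],       # (IRP major function, handler addr, device object addr)
        "mbr_ok": None,        # True if user- and kernel-mode MBR reads agree
        "warning": None,
    }
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            body = line.split(":", 1)[1]
            report["unknown"] = [int(a, 16) for a in UNKNOWN_RE.findall(body)]
            report["called_modules"] = UNKNOWN_RE.sub("", body).split()
            continue
        m = IRP_RE.search(line)
        if m:
            report["irp_hooks"].append((m.group(2), int(m.group(3), 16), int(m.group(1), 16)))
        elif line == "user & kernel MBR OK":
            report["mbr_ok"] = True
        elif "MBR" in line and "!=" in line:
            # Assumed form of GMER's output when the kernel-read MBR differs
            # from the user-mode read (an MBR-level infection); not on this page.
            report["mbr_ok"] = False
        elif line.startswith("Warning:"):
            report["warning"] = line[len("Warning:"):].strip().rstrip(" !")
    return report


def assess(report):
    """Turn the parsed trace into the findings a responder would write down."""
    findings = []
    for addr in report["unknown"]:
        findings.append(f"disk I/O path passes through code at 0x{addr:08X} that belongs to no loaded module")
    for irp, handler, devobj in report["irp_hooks"]:
        if handler in report["unknown"]:
            findings.append(f"{irp} dispatch of device object 0x{devobj:08X} points into that code at 0x{handler:08X}")
    if report["mbr_ok"] is True and report["unknown"]:
        findings.append("MBR reads identical from user and kernel mode: the hook lives in the disk driver stack, not the boot sector")
    elif report["mbr_ok"] is False:
        findings.append("user- and kernel-mode MBR reads differ: the boot sector itself is being filtered")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_gmer_rootkit(SAMPLE)):
        print("-", finding)
```

Running it on the excerpt yields three findings: the unattributed code at 0x8A74EEC5 on the disk path, the IRP_MJ_CREATE dispatch of device object 0x8A9AD628 redirected into it, and the clean-MBR observation that places the hook in the driver stack. On a trace with no `>>UNKNOWN<<` entry the same input produces no findings, so the parser can be run over a batch of logs to triage them.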

  • Staff

Hi and welcome to Malwarebytes.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs a runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is named like UtilityName.Version_Date_Time_log.txt,

for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

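The reply above gives the TDSSKiller log name as UtilityName.Version_Date_Time_log.txt with the date written day-first, so the names do not sort chronologically as strings. As an added example (not code from the reply or from TDSSKiller), the following parses that pattern and picks the most recent log from a directory listing. The listing is constructed from the two filenames that appear in this thread plus unrelated files; the pattern for the version field is an assumption that it is dot-separated digits.

```python
import re
from datetime import datetime

# TDSSKiller.<version>_<dd.mm.yyyy>_<hh.mm.ss>_log.txt, as described in the reply.
# The version field is assumed to be dot-separated digits (both thread names fit).
LOG_RE = re.compile(
    r"^TDSSKiller\.(?P<version>\d+(?:\.\d+)*)"
    r"_(?P<date>\d{2}\.\d{2}\.\d{4})"
    r"_(?P<time>\d{2}\.\d{2}\.\d{2})_log\.txt$"
)


def parse_log_name(name):
    """Return {'version', 'when'} for a TDSSKiller log name, or None if it does not match."""
    m = LOG_RE.match(name)
    if not m:
        return None
    when = datetime.strptime(m.group("date") + " " + m.group("time"), "%d.%m.%Y %H.%M.%S")
    return {"version": m.group("version"), "when": when}


def newest_log(names):
    """Pick the most recent TDSSKiller log by its parsed timestamp, not by string order."""
    parsed = [(parse_log_name(n), n) for n in names]
    parsed = [(p, n) for p, n in parsed if p is not None]
    if not parsed:
        return None
    return max(parsed, key=lambda pn: pn[0]["when"])[1]


# Constructed listing of C:\ : the two log names from this thread plus unrelated files.
LISTING = [
    "TDSSKiller.2.4.8.0_01.01.2009_18.15.50_log.txt",
    "TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt",
    "pagefile.sys",
    "boot.ini",
]

if __name__ == "__main__":
    print(newest_log(LISTING))
```

Note that the date in the name is whatever the clock of the machine running the tool said, so on a system whose clock is wrong (the HijackThis header on this page says 2009 while the DDS file list shows 2010 timestamps) the newest log by timestamp may not be the one from the newest tool version.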

Completed TDSSKiller as requested and log file is attached.

Some symptoms, including the immediate crashing of Generic Host Process for Win32 Services, remain.

However, I am now capable of running antivirus software and will continue to troubleshoot.

Thank you for your assistance; if you have any further suggestions, I would again be grateful.

TDSSKiller.2.4.8.0_01.01.2009_18.15.50_log.txt
