
Need help with infection


Several days ago I began observing several bad behaviors on my WinXP PC:

1. Frequent Just-In-Time Debugger pop-ups; when I went into the debugger I found svchost.exe was the culprit. I turned off the option for it to enter the debugger, then I saw svchost.exe run at 100% CPU for several minutes after startup, then frequently it would crash -- after the crash some basic system functions would be degraded (services or apps could not start, other PCs could not see the shared printer attached to this PC, etc).

2. AVG reported finding and removing several malware files "on open":

Trojan horse Generic22.VEB C:\Windows\Temp\ID30501.exe 5/3/11

Malware Win32.Agent.myjs C:\Windows\System32\ITLPFW32.DLL moments later

Malware Unknown C:\Windows\Temp\CQPF\SETUP.EXE 5 minutes later

Malware Unknown C:\Windows\Temp\EXPLORER.EXE 5/4/11

Malware Win32\Unruy.h C:\Windows\Temp\HCFG\SETUP.EXE 5/5/11

Malware Win32\Unruy.h C:\Windows\Temp\GHEA\SETUP.EXE 5/6/11

In my first malwarebytes scan, it found only 1 unrelated file. I began thinking that some malware was hiding in svchost, downloading SETUP.EXE files periodically.

Found by Hitman Pro 3.5:

C:\Windows\Temp\lnxa\setup.exe Trojan 5/6/11 PM

I have run malwarebytes 3 times now, I will attach the logs. Each time it was "unlucky" and did not catch anything, but I wonder if these SETUP.EXE's are just symptoms of a deeper problem?

DDS seems to think it found something, see below. I will attach the other files. Note, when I tried to run GMER, it found something, but after running for a while it crashed. I captured a screen shot, that was the best I could do. I can try again if you need me to.

Please advise on possible next steps, or if you need more info. Also I would be interested in knowing whether a System Restore would be advisable as a remedy, or it would just muddy the waters?

Thanks,

OldGuyFromBay

DDS.txt:

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Lee at 22:29:17.03 on Fri 05/06/2011

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.262 [GMT -7:00]

.

.

============== Running Processes ===============

.

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\AVG\AVG10\avgwdsvc.exe

C:\Program Files\Memeo\AutoBackup\MemeoService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

svchost.exe

C:\Program Files\AVG\AVG10\avgnsx.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\MozyHome\mozybackup.exe

C:\WINDOWS\system32\oodag.exe

C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

C:\WINDOWS\system32\UStorSrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\Common Files\AOL\1176958551\ee\AOLSoftware.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe

C:\WINDOWS\vVX1000.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Common Files\SupportSoft\bin\bcont.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe

C:\Program Files\MozyHome\mozystat.exe

C:\Program Files\Accessories\Util\Printkey.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\AVG\AVG10\avgrsx.exe

C:\Program Files\AVG\AVG10\avgcsrvx.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Common Files\AOL\1176958551\ee\aolsoftware.exe

C:\Documents and Settings\Lee\My Documents\Downloads\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com

uDefault_Page_URL = hxxp://www.dell4me.com/myway

uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uDefault_Search_URL = hxxp://www.google.com/ie

mSearch Page =

mStart Page = hxxp://www.yahoo.com

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mURLSearchHooks: AOL Toolbar Search Class: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - c:\program files\aol toolbar\aoltb.dll

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: AOL Toolbar Loader: {3ef64538-8b54-4573-b48f-4d34b0238ab2} - c:\program files\aol toolbar\aoltb.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll

TB: AOL Toolbar: {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - c:\program files\aol toolbar\aoltb.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden

mRun: [iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART

mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe

mRun: [CTHelper] CTHELPER.EXE

mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE

mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe

mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe

mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"

mRun: [HostManager] c:\program files\common files\aol\1176958551\ee\AOLSoftware.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"

mRun: [stxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"

mRun: [VX1000] c:\windows\vVX1000.exe

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printkey.lnk - c:\program files\accessories\util\Printkey.exe

IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

IE: {2499216C-4BA5-11D5-BD9C-000103C116D5} - {2499216C-4BA5-11D5-BD9C-000103C116D5} - c:\program files\yahoo!\common\ylogin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

Trusted Zone: ivyfamily.org\www

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxps://support.dell.com/systemprofiler/SysPro.CAB

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} - hxxp://www.symantec.com/techsupp/activedata/nprdtinf.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267253753140

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1267253743078

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {8D619C19-0202-464A-9FA8-C8110D86B0A3} - hxxp://projectpoint.buzzsaw.com/!/download/ProjectPoint-SL-EN.exe

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab

DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll

DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/activedata/SymAData.cab

DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - hxxps://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?326

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages = msv1_0 relog_ap

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\lee\applic~1\mozilla\firefox\profiles\85wdv9nk.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\documents and settings\lee\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.50917.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-1-19 64288]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

S2 gupdate1c9f5ac902bf630;Google Update Service (gupdate1c9f5ac902bf630);c:\program files\google\update\GoogleUpdate.exe [2009-6-25 133104]

S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2002-8-29 14336]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-6-25 133104]

S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-2-25 17480]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]

S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2008-2-17 31872]

.

=============== Created Last 30 ================

.

2011-05-03 08:45:59 0 ----a-w- c:\documents and settings\lee\ntuser.tmp

.

==================== Find3M ====================

.

2011-02-23 07:33:43 11447056 ----a-w- c:\documents and settings\all users\Tempmozy-autoupdate-c0261ff8012aad585d55140a9b6ddcb9.exe

2011-02-12 08:21:57 11444496 ----a-w- c:\documents and settings\all users\Tempmozy-update-1f7fe3012a1778a4fc7c5075f2f61812.exe

2011-02-07 01:51:27 134464 ----a-w- c:\windows\system32\LnkProtect.dll

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD800BB-75FJA1 rev.14.03G14 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys iomdisk.sys hal.dll >>UNKNOWN [0x8736D4F0]<<

c:\windows\system32\drivers\iomdisk.sys Iomega Corporation Microsoft® Windows NT® Operating System

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x873737d0]; MOV EAX, [0x8737384c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x873DAAB8]

3 CLASSPNP[0xF769805B] -> nt!IofCallDriver[0x804E37D5] -> [0x8737DD78]

5 iomdisk[0xF78E7BC3] -> nt!IofCallDriver[0x804E37D5] -> [0x873D5D98]

\Driver\atapi[0x8737F2A0] -> IRP_MJ_CREATE -> 0x8736D4F0

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { CLI ; MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62f; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x8736D33B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 22:39:40.25 ===============

Attach.txt

post-79788-0-88510700-1304754175.jpg

mbamlogs.zip

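As an added triage example (not part of the original post, and not DDS's own code), here is a small Python parser for the `SERVICES / DRIVERS` lines in the DDS log above. It flags any service whose image path is svchost.exe with a `-k` group that is not one of the stock XP service groups. In this log the only such entry is `S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc`: an auto-start service that hosts itself in svchost.exe under a one-off group name is one way a ServiceDll payload gets loaded into a svchost.exe process, and the name shares its prefix with the ITLPFW32.DLL that AVG quarantined, though the log alone does not prove the two are related. Two caveats a practitioner would want: the date and size DDS prints on that line describe svchost.exe itself, not the DLL, and the DLL path lives in the service's `Parameters\ServiceDll` value, which DDS does not print; and the baseline group list is an assumption written from memory of a stock XP install, so on a live host compare against `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost` instead. The `wuauserv` sample line is constructed to show a service in a known group passing the check.

```python
import re

# Baseline svchost.exe service groups on a stock Windows XP install. This list is an
# assumption written from memory; on a live host read the real group definitions from
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost instead of trusting it.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "networkservice", "localservice",
    "imgsvc", "termsvcs", "httpfilter",
}

# DDS "SERVICES / DRIVERS" line:
#   <R|S><start type> <name>;<display name>;<image path> [<date> <size>]
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?:\s+\[(?P<date>\S+)\s+(?P<size>\d+)\])?\s*$"
)
# The -k argument names the service group svchost.exe loads this service into.
SVCHOST_GROUP = re.compile(r"svchost(?:\.exe)?\s+-k\s+(\S+)", re.IGNORECASE)

# Lines taken from the DDS log posted above, plus one constructed stock-XP line
# (wuauserv) to show a service in a known group passing the check.
SAMPLE_DDS_LINES = [
    r"R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]",
    r"R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]",
    r"R2 wuauserv;Automatic Updates;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]",  # constructed
    r"S2 gupdate1c9f5ac902bf630;Google Update Service (gupdate1c9f5ac902bf630);c:\program files\google\update\GoogleUpdate.exe [2009-6-25 133104]",
    r"S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2002-8-29 14336]",
    r"S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-2-25 17480]",
    r"S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]",
]


def parse_service_line(line):
    """Parse one DDS service/driver line into a dict, or return None for other lines."""
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["start"] = int(entry["start"])  # 2 = auto start, 3 = manual, 4 = disabled
    group = SVCHOST_GROUP.search(entry["path"])
    entry["svchost_group"] = group.group(1) if group else None
    return entry


def flag_svchost_services(lines, known_groups=KNOWN_SVCHOST_GROUPS):
    r"""Return services hosted by svchost.exe whose -k group is not in the baseline.

    A service that points at svchost.exe with its own group name is one way a
    ServiceDll payload gets loaded into a svchost.exe process, so each hit needs a
    manual look at HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll.
    The date and size DDS prints on such a line belong to svchost.exe, not to the DLL.
    """
    findings = []
    for line in lines:
        entry = parse_service_line(line)
        if entry is None or entry["svchost_group"] is None:
            continue
        if entry["svchost_group"].lower() not in known_groups:
            findings.append({
                "service": entry["name"],
                "display": entry["display"],
                "group": entry["svchost_group"],
                "autostart": entry["start"] == 2,
            })
    return findings


if __name__ == "__main__":
    for f in flag_svchost_services(SAMPLE_DDS_LINES):
        start = "auto-start" if f["autostart"] else "manual"
        print(f'{f["service"]} ("{f["display"]}"): svchost group "{f["group"]}" '
              f"is not a stock XP group ({start}); check its ServiceDll value")
```

Running it on the lines above reports only `itlperf`; the AVG, Google Update, Hitman Pro and Lavasoft entries are ordinary executables or drivers and never touch svchost.exe, and the constructed `wuauserv` line is in the known `netsvcs` group.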

  • Staff

Hi and welcome to Malwarebytes.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is like UtilityName.Version_Date_Time_log.txt.

for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Next, please update MBAM, run a Quick Scan, and post its log.


OK, I followed the instructions and here are the results -- generally positive but with a couple of concerns.

I downloaded & ran TDSSKiller, and it found & cured a rootkit. Hooray! I will attach the log.

Then I updated & re-ran malwarebytes. It found 3 issues, all were complaints that MSFT Security Center was disabled. I did not take any action, I would like to hear your advice, is this a normal side-effect of an adventure such as the one I've had, or something else to be concerned about? These issues did not show up when I ran malwarebytes a few days ago.

Also I noticed something odd about Task Manager -- I will attach a screen shot -- The tasks owned by me (Lee) correctly show my user name, and a few of the SYSTEM tasks show SYSTEM, but all the others have blank user names. I have never seen this before and I don't know what it may mean. This was not true before I ran TDSSKiller.

In general, though, I am happy to report that the bad symptoms I've been seeing in the last few days (svchost being very busy and/or crashing; frequent malware reports; some services not running properly) -- Thanks so much for your help!

I have not yet run DeFogger a second time to re-enable the emulation drivers, please advise on this also.

TDSSKiller.2.5.0.0_09.05.2011_21.39.58_log.txt

mbam-log-2011-05-09 (22-22-37).txt

post-79788-0-02123700-1305006245.jpg


A minor correction, I meant to write my sentence like this:

In general, though, I am happy to report that the bad symptoms I've been seeing in the last few days (svchost being very busy and/or crashing; frequent malware reports; some services not running properly) are now gone -- Thanks so much for your help!

In general, though, I am happy to report that the bad symptoms I've been seeing in the last few days (svchost being very busy and/or crashing; frequent malware reports; some services not running properly) -- Thanks so much for your help!


Hi,

Update MBAM, run a Quick Scan, and post MBAM's log directly into your reply instead of attaching it. Then I'll know exactly what you're referring to.

Here you go

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6559

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.11

5/11/2011 11:19:36 PM

mbam-log-2011-05-11 (23-19-29).txt

Scan type: Quick scan

Objects scanned: 231451

Time elapsed: 14 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

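Added example (not from the original thread, and not Malwarebytes' own code): a parser for the `Registry Data Items Infected` block of a Malwarebytes 1.x log that turns each entry into a `reg add` command restoring the logged Good value. The three values in the log above control whether Windows Security Center raises its antivirus, firewall and automatic-updates alerts; a value of 1 silences the alert, which is why Malwarebytes reports the change as a potentially unwanted modification (PUM) rather than as a file. A silenced Security Center is a common malware side effect, but some third-party security suites set the same values on purpose, so confirm which case applies before running the generated commands. The helper assumes these values are REG_DWORD (true for the three here; check with `reg query` before applying it to anything else), and `/f` overwrites without prompting. The sample log text is the one posted above, trimmed.

```python
import re

# Sample taken from the Malwarebytes 1.50 log posted above, trimmed to what the
# parser needs (summary counts, one empty detail section, the data items section).
SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 6559
Windows 5.1.2600 Service Pack 2

Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Registry Keys Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)
"""

# One data-item line:
#   <hive>\<subkey>\<value> (<detection>) -> Bad: (<bad>) Good: (<good>) -> <action>.
DATA_ITEM = re.compile(
    r"^(?P<hive>HKEY_[A-Z_]+)\\(?P<subkey>.+)\\(?P<value>[^\\]+?) "
    r"\((?P<detection>[^)]+)\) -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)"
    r" -> (?P<action>.+?)\.?\s*$"
)

# Hive names as reg.exe expects them.
HIVE_ABBREV = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_USERS": "HKU",
    "HKEY_CLASSES_ROOT": "HKCR",
}


def parse_registry_data_items(log_text):
    """Return the parsed entries of the detailed 'Registry Data Items Infected:' section.

    The summary block near the top of the log uses the same heading followed by a
    count, so only the bare heading (no count) opens the section, and the next
    detail heading closes it.
    """
    items = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Registry Data Items Infected:":
            in_section = True
            continue
        if in_section and line.endswith("Infected:"):
            break
        if not in_section or not line:
            continue
        m = DATA_ITEM.match(line)
        if m:
            items.append(m.groupdict())
    return items


def reg_fix_command(item):
    """Build a reg.exe command that restores the Good value for one entry.

    Assumption: the value is REG_DWORD, which holds for the Security Center
    *DisableNotify values; verify the type before reusing this for other entries.
    """
    hive = HIVE_ABBREV[item["hive"]]
    return (f'reg add "{hive}\\{item["subkey"]}" /v {item["value"]} '
            f'/t REG_DWORD /d {item["good"]} /f')


def remediation_commands(log_text):
    """One reg.exe command per data item that the log left at its Bad value."""
    return [reg_fix_command(i) for i in parse_registry_data_items(log_text)
            if i["bad"] != i["good"]]


if __name__ == "__main__":
    for item in parse_registry_data_items(SAMPLE_MBAM_LOG):
        print(f'{item["value"]}: {item["detection"]} (bad={item["bad"]}, good={item["good"]}, {item["action"]})')
    print()
    for cmd in remediation_commands(SAMPLE_MBAM_LOG):
        print(cmd)
```

The generated commands are the ones you would paste into an elevated command prompt after deciding the change was not made by a security product you installed yourself; the parse step alone is enough to answer the question asked in the thread of what exactly was modified.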
