Jump to content

Recommended Posts

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6706

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/28/2011 5:04:44 PM

mbam-log-2011-05-28 (17-04-44).txt

Scan type: Quick scan

Objects scanned: 193856

Time elapsed: 34 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25

Run by Courtney at 16:00:11 on 2011-05-28

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.404 [GMT -8:00]

.

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe

C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG10\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\IObit\Advanced SystemCare 4\PMonitor.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe

C:\Program Files\Logitech\QuickCam10\QuickCam10.exe

C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Logitech\QuickCam10\COCIManager.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\AVG\AVG10\avgui.exe

C:\Documents and Settings\Courtney\My Documents\Downloads\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uInternet Connection Wizard,ShellNext = hxxp://help.eskanos.com/

uInternet Settings,ProxyOverride = *.local

mURLSearchHooks: H - No File

mWinlogon: UIHost=c:\windows\system32\logonui.exe

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll

TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [OpAgent] "OpAgent.exe" /agent

uRun: [HYXiCY] control.exe "c:\program files\gpnozipt86melt\HYXiCY.cpl",0,0

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Advanced SystemCare 4] "c:\program files\iobit\advanced systemcare 4\ASCTray.exe"

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [srmclean] c:\cpqs\scom\srmclean.exe

mRun: [setRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logitech\lcommgr\Communications_Helper.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide

mRun: [LVCOMSX] "c:\program files\common files\logitech\lcommgr\LVComSX.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [scanSoft OmniPage 16-reminder] "c:\program files\scansoft\omnipage16\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\omnipage 16\ereg\Ereg.ini"

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mRun: [iObit Malware Fighter] "c:\program files\iobit\iobit malware fighter\IMF.exe" /autostart

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}

IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1297992104109

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1297992396796

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {ACF93F61-9F60-4C1E-A015-E3B3812BD58C} - hxxp://papervision/CABS/PVDMDocView400.cab

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SSODL: samubiviz - {c499dffc-32a0-4e7b-82de-6bf76482f92e} -

STS: {c499dffc-32a0-4e7b-82de-6bf76482f92e}: tokatiluy

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\courtney\application data\mozilla\firefox\profiles\8xdpdupr.default\

FF - prefs.js: browser.startup.homepage - hxxp://google.com

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc6f594&v=6.103.018.001&i=26&tp=ab&iy=b&ychte=us&lng=en-US&q=

FF - prefs.js: network.proxy.type - 1

FF - component: c:\documents and settings\courtney\application data\mozilla\firefox\profiles\8xdpdupr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\documents and settings\courtney\application data\mozilla\firefox\profiles\8xdpdupr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll

FF - component: c:\documents and settings\courtney\application data\mozilla\firefox\profiles\8xdpdupr.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll

FF - component: c:\documents and settings\courtney\application data\mozilla\firefox\profiles\8xdpdupr.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll

FF - component: c:\documents and settings\courtney\application data\mozilla\firefox\profiles\8xdpdupr.default\extensions\toolbar@ask.com\chrome\content\AudioService.dll

FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

---- FIREFOX POLICIES ----

FF - user.js: browser.cache.memory.capacity - 16000

FF - user.js: browser.chrome.favicons - false

FF - user.js: browser.display.show_image_placeholders - true

FF - user.js: browser.turbo.enabled - true

FF - user.js: browser.urlbar.autocomplete.enabled - true

FF - user.js: browser.urlbar.autofill - true

FF - user.js: content.max.tokenizing.time - 3000000

FF - user.js: content.maxtextrun - 4095

FF - user.js: content.notify.backoffcount - 5

FF - user.js: content.notify.interval - 1000000

FF - user.js: content.notify.ontimer - true

FF - user.js: content.switch.threshold - 1000000

FF - user.js: dom.disable_window_status_change - true

FF - user.js: network.http.max-connections - 48

FF - user.js: network.http.max-connections-per-server - 16

FF - user.js: network.http.max-persistent-connections-per-proxy - 16

FF - user.js: network.http.max-persistent-connections-per-server - 8

FF - user.js: network.http.pipelining - true

FF - user.js: network.http.pipelining.firstrequest - true

FF - user.js: network.http.pipelining.maxrequests - 8

FF - user.js: network.http.proxy.pipelining - true

FF - user.js: network.http.request.max-start-delay - 0

FF - user.js: nglayout.initialpaint.delay - 1000

FF - user.js: plugin.expose_full_path - true

FF - user.js: ui.submenuDelay - 0

FF - user.js: yahoo.homepage.dontask - true

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]

R3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\RegFilter.sys [2011-5-20 30368]

R3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\UrlFilter.sys [2011-5-20 16080]

S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

S1 31d508d4;31d508d4;c:\windows\system32\drivers\31d508d4.sys [2009-8-24 0]

S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]

S3 EraserUtilDrv10710;EraserUtilDrv10710;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10710.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10710.sys [?]

S4 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\FileMonitor.sys [2011-5-20 239472]

.

=============== Created Last 30 ================

.

2011-05-28 07:04:53 53248 ----a-w- c:\windows\_detmp.2

2011-05-28 06:47:17 -------- d-----w- c:\documents and settings\courtney\local settings\application data\VS Revo Group

2011-05-28 03:27:30 258048 ----a-w- c:\windows\system32\igfxrsky.lrc

2011-05-28 03:27:30 253952 ----a-w- c:\windows\system32\igfxrslv.lrc

2011-05-28 03:27:30 1481884 ----a-w- c:\windows\system32\igkrng400.bin

2011-05-28 03:27:30 147456 ----a-w- c:\windows\system32\igfxCoIn_v5016.dll

2011-05-28 03:24:34 -------- d-----w- c:\program files\SystemRequirementsLab

2011-05-28 03:11:14 -------- d-----w- c:\program files\uTorrent

2011-05-28 03:10:28 -------- d-----w- c:\documents and settings\courtney\application data\uTorrent

2011-05-28 01:01:59 53248 ----a-w- c:\windows\system32\CSVer.dll

2011-05-28 01:01:22 -------- d-----w- C:\Intel

2011-05-21 23:12:22 -------- d-----w- c:\windows\system32\drivers\AVG

2011-05-21 22:59:23 50176 ----a-w- c:\windows\system32\proquota.exe

2011-05-21 22:59:23 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe

2011-05-21 22:35:11 -------- d-sha-r- C:\cmdcons

2011-05-21 22:31:09 98816 ----a-w- c:\windows\sed.exe

2011-05-21 22:31:09 89088 ----a-w- c:\windows\MBR.exe

2011-05-21 22:31:09 256512 ----a-w- c:\windows\PEV.exe

2011-05-21 22:31:09 161792 ----a-w- c:\windows\SWREG.exe

2011-05-21 22:30:50 -------- d-----w- C:\ComboFix

2011-05-21 22:26:40 -------- d-----w- c:\documents and settings\all users\application data\AVG10

2011-05-21 21:08:34 -------- d-----w- c:\program files\CCleaner

2011-05-21 20:41:43 8192 ----a-w- c:\windows\Rpoint.exe

2011-05-21 20:29:05 724992 ----a-w- c:\windows\iun6002.exe

2011-05-21 20:20:58 -------- d--h--w- c:\documents and settings\all users\application data\Common Files

2011-05-21 19:50:43 -------- d-----w- C:\$AVG

2011-05-21 19:43:30 -------- d-----w- c:\documents and settings\all users\application data\MFAData

2011-05-21 05:05:04 388096 ----a-r- c:\documents and settings\courtney\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-05-21 05:05:02 -------- d-----w- c:\program files\Trend Micro

2011-05-21 04:56:54 -------- d-sh--w- c:\documents and settings\courtney\IECompatCache

2011-05-21 03:02:47 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-20 23:57:15 -------- d-----w- c:\documents and settings\courtney\local settings\application data\Scansoft

2011-05-20 23:57:03 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-05-20 23:34:18 -------- d-----w- c:\program files\gpnOZIPT86mELT

2011-05-20 23:34:12 -------- d-----w- c:\documents and settings\courtney\application data\paywin

2011-05-20 23:09:02 -------- d-----w- c:\program files\Trojanhorsecrypticctc Removal Tool

2011-05-19 23:57:40 -------- d-----w- c:\documents and settings\courtney\application data\AVG10

2011-05-18 20:35:08 -------- d-----w- c:\documents and settings\courtney\application data\Zeon

2011-05-18 20:31:02 -------- d-----w- c:\program files\common files\ScanSoft Shared

2011-05-18 20:30:55 -------- d-----w- c:\documents and settings\all users\application data\Zeon

2011-05-18 19:52:36 -------- d-----w- c:\program files\MagicISO

2011-05-18 18:56:38 -------- d-----w- c:\documents and settings\courtney\application data\Spesoft Image Converter

2011-05-18 18:46:27 -------- d-----w- c:\program files\gs

2011-05-15 02:04:26 -------- d-----w- c:\documents and settings\all users\application data\MSScanAppDataDir

.

==================== Find3M ====================

.

2011-04-15 05:28:42 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys

2011-04-14 13:07:59 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-14 10:40:22 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-04-07 00:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll

2011-04-07 00:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll

2011-04-07 00:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe

2011-04-05 08:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2011-03-17 00:03:20 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

2010-02-27 00:29:26 33344864 ----a-w- c:\program files\qc1150_x64.exe

2010-02-27 00:28:25 402510 ----a-w- c:\program files\qc1150.exe

2009-09-25 00:53:50 13064 ----a-w- c:\program files\common files\alofizawa.vbs

2009-01-31 05:33:11 201384 ----a-w- c:\program files\GoogleToolbarInstaller_download_signed.exe

2009-01-29 03:58:28 7518240 ----a-w- c:\program files\Firefox Setup 3.0.5.exe

2009-01-29 01:46:48 16056345 ----a-w- c:\program files\apex-video-converter-free.exe

2009-01-29 01:27:36 270128 ----a-w- c:\program files\utorrent-1.8.2.upx.exe

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD800JD-60LSA5 rev.10.01E03 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x872F26F0]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x872f8a10]; MOV EAX, [0x872f8a8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x87381AB8]

3 CLASSPNP[0xF75FCFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000066[0x873868D0]

5 ACPI[0xF7493620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x873C7D98]

\Driver\atapi[0x87371A08] -> IRP_MJ_CREATE -> 0x872F26F0

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR DI, DI; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV DS, BX; MOV ES, BX; MOV SI, 0x200; MOV CX, SI; CLD ; REP MOVSB ; JMP FAR 0x7a0:0xa3; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x872F253B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 16:02:21.15 ===============

ark.rar

Link to post
Share on other sites

Hello and :welcome:

Unfortunately you have a nasty rootkit on board. Please read the following first.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Link to post
Share on other sites

Hello and :welcome:

Unfortunately you have a nasty rootkit on board. Please read the following first.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Ok thanks for your help! I've decided to go ahead and reinstall XP to be sure its completely clean.

Link to post
Share on other sites

Hi, please let me know if you need any help with that. Below I'll include some general prevention advice.

Please read these advices, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.

[*]Keep Windows (and your other Microsoft software) up to date!

I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

[*]Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.

[*]Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.