Solved: Computer possibly infected with sdra64.exe virus

triton12 (Member with 58 posts; Join Date: Feb 2010; Experience: Advanced)
18-Feb-2010, 11:37 PM #1
Computer possibly infected with sdra64.exe virus
I am experiencing a severely slow computer, whether on the internet or off it. Malwarebytes didn't find anything. I noticed sdra64 in the HijackThis log. Also, I can't get rid of the Ask.com toolbar even though I removed it via Add/Remove Programs. It was installed on my computer when I downloaded FormatFactory, which I have since gotten rid of. Thanks in advance.

Below is my hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:25 PM, on 2/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://northernvirginia.cox.net/cci/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2010\IEToolbar.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2010\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe"
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\sdra64.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\system32\sdra64.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/actives.../as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
--
End of file - 7347 bytes
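A defender-side triage pass over the O4 (autostart) lines of a HijackThis log, added here as an example; it is not part of this thread and not a HijackThis feature. It assumes three rules (a Run value named "userinit", an autostart under the SYSTEM or Default user hive, an unfamiliar executable in system32) and a small allowlist of legitimate system32 autostarts, and runs them over a sample constructed from the log above.

```python
import re
from typing import Dict, List, Optional

# Registry-backed O4 lines in a HijackThis log look like:
#   O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\...\winpatrol.exe -expressboot
#   O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\sdra64.exe (User 'SYSTEM')
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run[^:]*): \[(?P<name>[^\]]*)\] (?P<rest>.*)$"
)
USER_RE = re.compile(r" \(User '(?P<user>[^']*)'\)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)', re.IGNORECASE)

# Assumed, deliberately small allowlist of binaries that legitimately autostart
# from system32 on XP; anything else launched from there gets a second look.
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe", "userinit.exe", "igfxtray.exe", "hkcmd.exe"}
# Hives HijackThis reports for the SYSTEM account and the Default user profile;
# an interactive user's Run entries live under HKCU/HKLM, not here.
SERVICE_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")


def parse_o4(line: str) -> Optional[Dict]:
    """Split one registry-backed O4 line into hive, key, value name, exe and user."""
    m = O4_RE.match(line.strip())
    if not m:
        return None  # Global Startup entries and non-O4 lines are ignored
    rest = m.group("rest")
    user = None
    um = USER_RE.search(rest)
    if um:
        user = um.group("user")
        rest = rest[: um.start()]
    em = EXE_RE.match(rest)
    exe = em.group("exe") if em else rest
    return {"hive": m.group("hive"), "key": m.group("key"),
            "name": m.group("name"), "exe": exe, "user": user, "line": line.strip()}


def reasons_for(entry: Dict) -> List[str]:
    """Apply the three rules; an empty list means nothing stood out."""
    reasons = []
    if entry["name"].lower() == "userinit":
        # The genuine Userinit setting is a Winlogon value, never a Run entry.
        reasons.append("Run value named 'userinit' (the real Userinit lives under Winlogon)")
    if entry["hive"].upper().startswith(SERVICE_HIVES):
        reasons.append(f"autostart registered in a non-interactive hive ({entry['hive']})")
    folder, _, base = entry["exe"].rpartition("\\")
    if folder.lower().endswith("\\system32") and base.lower() not in KNOWN_SYSTEM32:
        reasons.append(f"unfamiliar executable launched from system32 ({base})")
    return reasons


def triage(lines) -> List[Dict]:
    """Return only the O4 entries that trip at least one rule."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if reasons:
            findings.append({"line": entry["line"], "exe": entry["exe"], "reasons": reasons})
    return findings


# Constructed sample: lines copied from the HijackThis log in this thread.
SAMPLE_HJT = [
    r"O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot",
    r'O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"',
    r"O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\sdra64.exe (User 'SYSTEM')",
    r"O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\system32\sdra64.exe (User 'Default user')",
    r"O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe",
    r"O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_HJT):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   ->", reason)
```

Only the two sdra64.exe entries are reported, each tripping all three rules; the legitimate HKLM entries and the Global Startup line pass through untouched.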
triton12 (Member with 58 posts; Join Date: Feb 2010; Experience: Advanced)
21-Feb-2010, 06:57 PM #2
Is someone still available to help me with this? I just want to make sure it doesn't get overlooked. I will continue to be patient.

Thanks guys
triton12 (Member with 58 posts; Join Date: Feb 2010; Experience: Advanced)
28-Feb-2010, 01:04 PM #3
Bump
triton12 (Member with 58 posts; Join Date: Feb 2010; Experience: Advanced)
01-Mar-2010, 10:42 PM #4
Bump.

Thanks
triton12 (Member with 58 posts; Join Date: Feb 2010; Experience: Advanced)
03-Mar-2010, 10:03 AM #5
Bump
NeonFx (Senior Member with 4,817 posts; Join Date: Oct 2008; Location: California, USA)
04-Mar-2010, 02:03 AM #6
Hello there, welcome to the TSG Forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.


Please note the following:
  • The fixes are specific to your problem and should only be used on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
  • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Sorry for taking so long to get to you.


Step 1

Download OTS to your Desktop

  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Basic Scans please change the radio button under Registry from Safe List to All.
  • Under Additional Scans check the following:
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - NetSvcs
    • Reg - Shell Spawning
    • Reg - Uninstall List
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Please paste the contents of the following codebox into the Custom Scans box at the bottom

Code:
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post. To do so click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button

Step 2

GMER Rootkit Scanner
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs. Make sure you disable your security programs as well, as they may interfere with the program.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable your security programs when done.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
triton12 (Member with 58 posts; Join Date: Feb 2010; Experience: Advanced)
04-Mar-2010, 10:18 PM #7
Thanks so much NeonFX. I did want to make you aware of one quick note: I did a normal run of ComboFix earlier this week and it removed a file called c:\windows\AegisP.inf

But that didn't help at all.

Attached is the first log you requested from the OTS scan; it was too long to put into the body.

Thanks
NeonFx (Senior Member with 4,817 posts; Join Date: Oct 2008; Location: California, USA)
04-Mar-2010, 10:33 PM #8
Along with the results from GMER, please attach C:\ComboFix.txt and C:\QooBox\ComboFix-Quarantined-Files.txt for me.
triton12 (Member with 58 posts; Join Date: Feb 2010; Experience: Advanced)
04-Mar-2010, 10:58 PM #9
NeonFX, the GMER scan stopped running and froze completely. I waited about 15 minutes and nothing happened, no file movement or anything. So I did a hard reset of the computer and tried again. This time, about 1 minute after I pressed Scan, I got a blue screen that says the problem is caused by the following file: pftoipob.sys PAGE_FAULT_IN_NONPAGED_AREA. Let me know what you would like me to do next.

I will post the combofix log in a sec.

Thanks
NeonFx (Senior Member with 4,817 posts; Join Date: Oct 2008; Location: California, USA)
04-Mar-2010, 11:07 PM #10
Try running GMER without the "Files" checkmark checked.
triton12 (Member with 58 posts; Join Date: Feb 2010; Experience: Advanced)
04-Mar-2010, 11:25 PM #11
Here is the combofix txt:

ComboFix 10-03-02.08 - Chaddrick Johnson 03/03/2010 11:14:07.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.94 [GMT -5:00]
Running from: c:\documents and settings\Chaddrick Johnson\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\AegisP.inf
.
((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.
2010-02-19 03:06 . 2010-02-19 03:06 -------- d-----w- c:\documents and settings\Chaddrick Johnson\Application Data\Windows Search
2010-02-05 04:21 . 2010-02-05 04:21 -------- d-sh--w- c:\documents and settings\Guest\PrivacIE
2010-02-05 03:58 . 2010-02-05 03:58 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Google
2010-02-05 03:57 . 2010-02-05 03:57 -------- d-----w- c:\documents and settings\Guest\Application Data\Windows Desktop Search
2010-02-05 03:56 . 2010-02-05 03:56 -------- d-----w- c:\documents and settings\Guest\Application Data\BitDefender
2010-02-05 03:14 . 2010-02-05 03:14 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2010-02-05 03:12 . 2010-02-05 03:12 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-02-04 07:37 . 2010-02-04 07:37 -------- d-----w- c:\program files\Common Files\Windows Live
2010-02-04 06:02 . 2010-02-04 06:36 -------- dc-h--w- c:\windows\ie8
2010-02-04 05:06 . 2010-02-05 03:12 -------- d-----w- c:\program files\Microsoft
2010-02-04 04:08 . 2010-02-04 04:09 -------- d-----w- c:\windows\system32\XPSViewer
2010-02-04 04:06 . 2010-02-04 04:06 -------- d-----w- c:\program files\MSBuild
2010-02-04 04:04 . 2010-02-04 04:04 -------- d-----w- c:\program files\Reference Assemblies
2010-02-04 03:58 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-02-04 03:54 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-02-04 03:54 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-02-04 03:54 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-02-04 03:54 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-02-04 03:54 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-02-04 03:54 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-02-04 03:54 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-02-04 03:54 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-02-04 03:54 . 2010-02-04 03:59 -------- d-----w- C:\a38af7b2ade0444f90610445
2010-02-04 03:27 . 2010-02-04 05:57 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-02-04 03:20 . 2010-02-04 03:20 -------- d-----w- c:\documents and settings\Chaddrick Johnson\Application Data\Windows Desktop Search
2010-02-04 03:18 . 2010-02-05 09:18 -------- d-----w- c:\program files\Windows Desktop Search
2010-02-04 03:15 . 2008-03-07 17:02 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
2010-02-04 03:15 . 2008-03-07 17:02 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
2010-02-04 03:15 . 2008-03-07 17:02 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-09 23:44 . 2009-12-07 23:49 106464 ----a-w- c:\windows\system32\drivers\bdhv.sys
2010-02-09 23:44 . 2009-12-07 23:46 153448 ----a-w- c:\windows\system32\drivers\bdfm.sys
2010-02-04 07:36 . 2006-05-03 03:26 70560 -c--a-w- c:\documents and settings\Chaddrick Johnson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-31 22:16 . 2010-01-31 05:24 132 ----a-w- c:\windows\system32\rezumatenoi.dat
2010-01-31 05:03 . 2010-01-31 05:03 0 ----a-w- C:\pcwords2.dat
2010-01-31 05:03 . 2010-01-31 05:03 0 ----a-w- C:\pcwords.dat
2010-01-31 04:54 . 2010-01-31 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-01-31 04:51 . 2010-01-31 04:49 -------- d-----w- c:\documents and settings\Chaddrick Johnson\Application Data\BitDefender
2010-01-31 04:50 . 2010-01-31 04:22 -------- d-----w- c:\program files\Common Files\BitDefender
2010-01-31 04:49 . 2010-01-31 04:49 -------- d-----w- c:\program files\BitDefender
2010-01-31 04:39 . 2008-05-25 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-22 22:33 . 2008-12-07 14:30 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 02:11 . 2010-01-14 02:08 -------- d-----w- c:\documents and settings\Guest\Application Data\Canon
2010-01-14 02:10 . 2010-01-14 02:10 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonIJScan
2010-01-01 15:57 . 2009-10-02 04:09 54116 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-31 16:50 . 2006-04-28 12:47 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-11 22:11 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-11 22:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 01:26 . 2009-12-14 01:26 127325 ----a-w- c:\documents and settings\Chaddrick Johnson\Application Data\Move Networks\uninstall.exe
2009-12-14 01:26 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Chaddrick Johnson\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-12-08 19:26 . 2004-08-11 22:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 03:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2006-04-28 12:47 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-29 22:22 . 2006-05-07 05:11 88 --sh--r- c:\windows\system32\C37E08EF72.sys
2009-11-29 22:23 . 2006-05-07 05:11 6580 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2010\IEShow.exe" [2009-10-19 71152]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2010-01-31 1120704]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-28 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Chaddrick Johnson^Start Menu^Programs^Startup^Scheduler.lnk]
path=c:\documents and settings\Chaddrick Johnson\Start Menu\Programs\Startup\Scheduler.lnk
backup=c:\windows\pss\Scheduler.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 19:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2005-05-31 09:33 122941 ----a-w- c:\windows\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2005-11-17 02:35 397312 ----a-w- c:\windows\stsystra.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/11/2009 7:35 PM 28544]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [12/7/2009 6:46 PM 153448]
S2 apjcfmuixdjjexx;apjcfmuixdjjexx;\??\c:\windows\system32\drivers\khpjzg.sys --> c:\windows\system32\drivers\khpjzg.sys [?]
S2 DellBIOS;DellBIOS;\??\c:\windows\DellBIOS.Sys --> c:\windows\DellBIOS.Sys [?]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [10/19/2009 4:06 PM 183880]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - 5ECB38E0
*Deregistered* - 5ecb38e0
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder
2009-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://northernvirginia.cox.net/cci/home
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Chaddrick Johnson\Application Data\Mozilla\Firefox\Profiles\ogs28x6e.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Easy Dock - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 11:25
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(936)
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-03-03 11:33:03
ComboFix-quarantined-files.txt 2010-03-03 16:32
ComboFix2.txt 2009-01-12 00:22
Pre-Run: 2,410,102,784 bytes free
Post-Run: 2,564,898,816 bytes free
- - End Of File - - AF91D70085796C7B15C0A4F44BAE2846
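A triage pass over the service/driver and firewall-policy lines of a ComboFix log, added here as an example; it is not ComboFix's own code and ComboFix exposes no such API. It assumes the line shapes seen in the log above (an image path followed by `[?]` when the file cannot be found, `"EnableFirewall"= 0` for a disabled firewall) and uses a consonant-run heuristic, assumed for this example, to spot random-looking service names like the one registered for khpjzg.sys.

```python
import re
from typing import Dict, List, Optional

# Service/driver lines in a ComboFix log, e.g.
#   R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/11/2009 7:35 PM 28544]
#   S2 name;display;\??\c:\...\khpjzg.sys --> c:\...\khpjzg.sys [?]
# The bracketed tail holds the file's timestamp and size, or "?" when the
# registered image file does not exist on disk.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)"
    r"(?: --> (?P<resolved>.*?))? \[(?P<meta>[^\]]*)\]$"
)
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')


def longest_consonant_run(name: str) -> int:
    """Length of the longest run of consecutive consonants (heuristic for keyboard-mash names)."""
    run = best = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def parse_service(line: str) -> Optional[Dict]:
    """Split one R*/S* service line into its fields; None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    svc = m.groupdict()
    svc["missing_file"] = svc["meta"].strip() == "?"
    return svc


def service_reasons(svc: Dict) -> List[str]:
    reasons = []
    if svc["missing_file"]:
        reasons.append("registered image file not found on disk (ComboFix shows [?])")
    # Assumed threshold: six or more characters with four consonants in a row.
    if len(svc["name"]) >= 6 and longest_consonant_run(svc["name"]) >= 4:
        reasons.append("random-looking service name (consonant-run heuristic)")
    return reasons


def triage_combofix(lines) -> List[Dict]:
    """Return firewall and service findings worth a second look; an empty list is clean."""
    findings = []
    for line in lines:
        fw = FIREWALL_RE.match(line.strip())
        if fw:
            if fw.group("value") == "0":
                findings.append({"kind": "firewall", "name": "EnableFirewall", "path": None,
                                 "reasons": ["Windows Firewall disabled in the standard profile"]})
            continue
        svc = parse_service(line)
        if svc is None:
            continue
        reasons = service_reasons(svc)
        if reasons:
            findings.append({"kind": "service", "name": svc["name"],
                             "path": svc["resolved"] or svc["path"], "reasons": reasons})
    return findings


# Constructed sample: lines copied from the ComboFix log in this thread.
SAMPLE_COMBOFIX = [
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]",
    r'"EnableFirewall"= 0 (0x0)',
    r"R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/11/2009 7:35 PM 28544]",
    r"R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [12/7/2009 6:46 PM 153448]",
    r"S2 apjcfmuixdjjexx;apjcfmuixdjjexx;\??\c:\windows\system32\drivers\khpjzg.sys --> c:\windows\system32\drivers\khpjzg.sys [?]",
    r"S2 DellBIOS;DellBIOS;\??\c:\windows\DellBIOS.Sys --> c:\windows\DellBIOS.Sys [?]",
    r"S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [10/19/2009 4:06 PM 183880]",
]

if __name__ == "__main__":
    for finding in triage_combofix(SAMPLE_COMBOFIX):
        print(finding["kind"], finding["name"], finding["path"] or "")
        for reason in finding["reasons"]:
            print("   ->", reason)
```

A `[?]` entry is a prompt to review, not a verdict: DellBIOS is an orphaned vendor driver, while the auto-start (S2) entry with a random name and a missing driver file is the kind of leftover a rootkit component leaves behind.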
triton12 (Member with 58 posts; Join Date: Feb 2010; Experience: Advanced)
04-Mar-2010, 11:26 PM #12
Here is the quarantine combofix txt:

2010-03-03 16:31:38 . 2010-03-03 16:31:38 912 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-WebCyberCoach_wtrb.reg.dat
2010-03-03 16:31:13 . 2010-03-03 16:31:13 656 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Yahoo! Pager.reg.dat
2010-03-03 16:31:11 . 2010-03-03 16:31:11 534 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-MCODS.reg.dat
2010-03-03 16:31:11 . 2010-03-03 16:31:11 546 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-mcmscsvc.reg.dat
2010-03-03 16:30:56 . 2010-03-03 16:30:56 96 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Easy Dock.reg.dat
2009-01-12 00:20:46 . 2009-01-12 00:20:46 135 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-%PROVIDERID%.reg.dat
2009-01-12 00:19:51 . 2010-03-03 16:22:24 8,426 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-01-12 00:14:09 . 2010-03-03 16:10:02 109 ----a-w- C:\Qoobox\Quarantine\catchme.log
2008-06-15 02:39:13 . 2008-07-15 01:08:31 13,984 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\AegisP.inf.vir
triton12 (Member with 58 posts; Join Date: Feb 2010; Experience: Advanced)
04-Mar-2010, 11:39 PM #13
NeonFX, I tried to run it without the files box checked. It went longer, but crashed out with the same error as before. Please let me know what you would like to try next.

Thanks
NeonFx (Senior Member with 4,817 posts; Join Date: Oct 2008; Location: California, USA)
05-Mar-2010, 01:00 AM #14
Try the following instead:

Download RootRepeal from one of the following locations and save it to your desktop:
Link 1
Link 2
Link 3
  • Double click to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT

  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, click the button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program


If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
triton12 (Member with 58 posts; Join Date: Feb 2010; Experience: Advanced)
06-Mar-2010, 12:22 AM #15
Here is the RootRepeal log, thanks.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/03/05 22:54
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA93F5000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xA9B5C000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA88B0000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: c:\documents and settings\chaddrick johnson\local settings\temp\~df6345.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)
Path: c:\documents and settings\chaddrick johnson\local settings\temp\~df8525.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)
Path: c:\documents and settings\chaddrick johnson\local settings\temp\~dfd2d0.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)
SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a22884
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a22bf0
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a23da0
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a235b6
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a2420a
#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a22d3a
#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a22dbc
#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a233da
#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a22486
#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a2430a
#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a269f4
#: 084 Function Name: NtFsControlFile
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a2444e
#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a24d92
#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a234ca
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a26746
#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a232fa
#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a26874
#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a22782
#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a22c92
#: 199 Function Name: NtRequestPort
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a23e30
#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a23bec
#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a23fba
#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a22576
#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a22988
#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a226e4
#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a22646
#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a22b4e
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a266b6
#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a26b02
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a22384
Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a2216c
#: 347 Function Name: NtUserDdeSetQualityOfService
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a22100
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a220be
#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a21f80
#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a21f3a
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a21cbc
#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a21b46
#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a21b9a
#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a21d1a
#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a21b0c
#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a21498
#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a217c6
==EOF==
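The scan the helper asked for produces exactly this kind of report, and the question it has to answer is which of the listed hooks and hidden objects have an innocent explanation. In the log as posted every SSDT and Shadow SSDT entry (42 in all) is hooked by bdselfpr.sys, BitDefender's self-protection driver, which is what an installed AV is expected to do, and the three drivers marked "File Visible: No" are the kernel's crash-dump copies of the storage stack (dump_atapi.sys, dump_WMILIB.SYS) plus RootRepeal's own rootrepeal.sys. The script below is an added example, not part of the thread and not RootRepeal's own code: it parses the report layout shown above, counts hooks per hooking module and reports only what its allow-list does not explain. EXPECTED_HOOKERS, the benign-driver rule and the temp-file rule are assumptions for illustration; the sample report is constructed from the log above, cut down, with one synthetic hook by a made-up example_unknown.sys added so the triage has something to flag (that hook was not in the posted log).

```python
import re
from collections import Counter

# Modules whose SSDT / Shadow SSDT hooks are expected on this machine. Assumed
# for illustration (BitDefender's self-protection driver, as seen in the log).
EXPECTED_HOOKERS = (r"C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys",)

SECTIONS = {"Drivers", "Hidden/Locked Files", "SSDT", "Shadow SSDT"}
HOOK_HDR = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)$")
HOOKED_BY = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)$')
DRV_ADDR = re.compile(r"^Address:\s*0x\w+\s+Size:\s*(\d+)\s+File Visible:\s*(\S+)\s+Signed:\s*(\S+)$")


def _val(line):
    return line.split(":", 1)[1].strip()       # text after the "Key:" label


def parse_report(text):
    """Parse a RootRepeal text report into driver, file and hook records."""
    rep = {"drivers": [], "files": [], "hooks": []}
    section = cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "=-":        # separator rules and ==EOF==
            continue
        if line in SECTIONS:
            section, cur = line, None
        elif section == "Drivers":
            if line.startswith("Name:"):
                cur = {"name": _val(line)}
                rep["drivers"].append(cur)
            elif cur and line.startswith("Image Path:"):
                cur["path"] = _val(line)
            elif cur and DRV_ADDR.match(line):
                m = DRV_ADDR.match(line)
                cur.update(size=int(m[1]), visible=m[2], signed=m[3])
        elif section == "Hidden/Locked Files":
            if line.startswith("Path:"):
                cur = {"path": _val(line), "status": ""}
                rep["files"].append(cur)
            elif cur and line.startswith("Status:"):
                cur["status"] = _val(line)
        elif section in ("SSDT", "Shadow SSDT"):
            m = HOOK_HDR.match(line)
            if m:
                cur = {"table": section, "index": int(m[1]), "function": m[2], "module": None}
                rep["hooks"].append(cur)
            elif cur and HOOKED_BY.match(line):
                cur["module"], cur["address"] = HOOKED_BY.match(line).groups()
    return rep


def hooks_by_module(rep):
    """How many SSDT / Shadow SSDT entries each module has hooked."""
    return Counter(h["module"] for h in rep["hooks"] if h["module"])


def triage(rep, expected_hookers=EXPECTED_HOOKERS):
    """Findings that still need a human; items with a known explanation are dropped."""
    expected, out = {p.lower() for p in expected_hookers}, []
    for h in rep["hooks"]:
        if h["module"] and h["module"].lower() not in expected:
            out.append(("unexpected_hook", h["table"], h["function"], h["module"]))
    for d in rep["drivers"]:
        n = d["name"].lower()
        # dump_* are the kernel's crash-dump copies of the storage stack and
        # rootrepeal.sys is the scanner's own driver: "File Visible: No" is normal.
        if d.get("visible") == "No" and not (n.startswith("dump_") or n == "rootrepeal.sys"):
            out.append(("hidden_driver", d["name"], d.get("path")))
    for f in rep["files"]:
        p, s = f["path"].lower(), f["status"].lower()
        if p == r"c:\hiberfil.sys":            # always locked while Windows runs
            continue
        if "allocation size mismatch" in s and "\\local settings\\temp\\" in p:
            continue                           # in-use temp files; common and benign
        out.append(("file_anomaly", f["path"], f["status"]))
    return out


# Constructed sample in the RootRepeal layout, cut down from the log above. The
# example_unknown.sys hook is synthetic (not in the posted log), added to be flagged.
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA93F5000 Size: 98304 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: c:\documents and settings\user\local settings\temp\~df6345.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)
SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a26746
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\example_unknown.sys" at address 0xa9c01234
Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xa8a220be
==EOF==
"""
```

Run it against a saved report with `triage(parse_report(open("RootRepeal.txt").read()))`; on the sample it returns one finding, the synthetic NtTerminateProcess hook, and `hooks_by_module` shows two hooks from bdselfpr.sys against one from the unknown driver. A hook attributed to a trusted path is not itself proof of anything: the check is only as good as the allow-list, and the file at that path should still be verified against the vendor's signed copy before the hooks are written off as the AV's own.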
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.