Malware/Virus Infection: AntiVirus Doctor & other possibly dangerous malware/viruses


donizettirules

Thread Starter
Joined
Sep 19, 2007
Messages
48
Hello all! I'm posting here because I'm trying to take care of my brother's laptop. On Friday (Christmas Eve) he let me know that he'd gotten what appeared to be a malware and/or virus attack, which appeared initially as a fake anti-virus scan ("AntiVirusDoctor") generating numerous pop-ups and so forth. This was an older Dell (running Windows XP) of his that he'd had to switch to as his newer one is out of service for the moment, so the usual security software he uses and such had either not been reinstalled or not been updated for a very long time, with the exception of Avira Antivirus (it had just updated itself an hour or so beforehand). Avira's guard seemed to have caught about 20-30 files trying to come in; almost all of these were trojans. He'd started its scan and had found 3 or 4 infections, but I suggested he stop the scan and reboot into safe mode so he could run it from there. Meanwhile I went back to my computer and downloaded the newest version of Malwarebytes and, after running his Avira again in safe mode, ran a full-system scan on his computer in Malwarebytes. This found around 250 or so more infections. I saved the log files from the two Malwarebytes scans I ran (I'd forgotten to ensure that all the files had been selected for removal the first time round, and when I saw this I immediately rescanned and then removed them). I've a decent amount of experience in dealing with computers but not so much as to feel entirely confident in attempting anything major without expert guidance. I had a VERY severe infection that hit my laptop about 2 years ago and left it dead in the water for 8 months, so I'd like to do my best in helping him clean everything up as much as possible.

Now I want to see what, if any, remnants of this infection are left on the computer. I looked up information on a few of the file names that stood out to me and am concerned about several of them in particular, especially as I was noting amongst the many file names what appeared to be not just browser hijackers but e-mail hijackers and such, files to grant access to IE's license stuff, and files that looked as though they were meant to self-repair, etc. I've a bad feeling that there could be a rootkit or two in there; all in all it just looked like a rather nasty piece of work he got hit with. Some of the names that popped out for me were

AntiVirusDoctor
Vundo
Hiloti
WhiteSmoke


…and several others. There was a ton of stuff under the names "mywebsearch" and "funwebproducts" and their supposed "toolbars", etc.


What I'm posting below (all done in safe mode without networking, because we didn't seem to have full control over the wireless connection, e.g. we didn't seem to be able to disable it, and I didn't want to risk giving any bad programs access to the internet. Please let me know if that was wrong of me? :( ):

HijackThis Log


2 Malwarebyte Logs

Events logged by Avira's "Guard"


I also tried to run DDS.scr, but it reports that there is a script blocker running. The thing is, I don't know what the script blocker could be, as I'm in safe mode without networking, so Avira's guard and thus its script blocker is not running. Also, my brother does not have Norton on his computer (though once in the distant past he did, but I didn't see any remnants from Norton or Symantec that were immediately obvious).

I have also run GMER; however, when the scan is done the computer freezes/crashes when I try to save the log file. I've tried rebooting (again into safe mode) and rescanning before hitting "copy" so I could try pasting it into a .txt file, but after telling me that the data was copied to the clipboard it freezes/crashes again when I try to click anywhere outside the program, even if I just hit the Windows button.
 

donizettirules

Thread Starter
Joined
Sep 19, 2007
Messages
48
HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:15:06 AM, on 12/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17093)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z007&form=ZGAPHP
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8074
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [\\TOUCAN\EPSON Stylus CX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\DOCUME~1\Owner\LOCALS~1\Temp\E_S47.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [csspatch700upd.exe] C:\Documents and Settings\Owner\Application Data\DEAAF4D5BA2C3083007362A2A66E412C\csspatch700upd.exe
O4 - HKCU\..\Run: [fqdjxwmc] C:\DOCUME~1\Owner\LOCALS~1\Temp\oveorascu\svbxxrvlajb.exe
O4 - HKUS\S-1-5-21-436374069-1580436667-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-436374069-1580436667-725345543-1003\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
O4 - HKUS\S-1-5-21-436374069-1580436667-725345543-1003\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent (User '?')
O4 - HKUS\S-1-5-21-436374069-1580436667-725345543-1003\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun (User '?')
O4 - HKUS\S-1-5-21-436374069-1580436667-725345543-1003\..\Run: [csspatch700upd.exe] C:\Documents and Settings\Owner\Application Data\DEAAF4D5BA2C3083007362A2A66E412C\csspatch700upd.exe (User '?')
O4 - HKUS\S-1-5-21-436374069-1580436667-725345543-1003\..\Run: [fqdjxwmc] C:\DOCUME~1\Owner\LOCALS~1\Temp\oveorascu\svbxxrvlajb.exe (User '?')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Adventures%20of%20Robinson%20Crusoe/Images/stg_drm.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1228158528984
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Adventures%20of%20Robinson%20Crusoe/Images/armhelper.ocx
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BackupService - ArcSoft, Inc. - C:\Documents and Settings\Owner\Application Data\HP SimpleSave Application\uUACTokenSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8630 bytes
__

Malwarebytes log:


2nd Malwarebytes log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

12/25/2010 1:48:42 PM
mbam-log-2010-12-25 (13-48-42).txt

Scan type: Full scan (C:\|)
Objects scanned: 285336
Time elapsed: 1 hour(s), 54 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 43

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Owner\local settings\Temp\nsjB2.tmp\whitesmoketoolbar.exe (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\nswB5.tmp\whitesmoketoolbar.exe (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\nsxB8.tmp\whitesmoketoolbar.exe (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\temporary internet files\Content.IE5\5HOAHSU9\whitesmoketoolbar[1].exe (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001027.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001028.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001029.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001030.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001031.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001032.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001033.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001034.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001035.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001036.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001037.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001038.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001039.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001040.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001041.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001042.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001043.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001044.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001045.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001046.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001049.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001050.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001051.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001052.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001053.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001054.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001055.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001056.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001057.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001058.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001059.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001060.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001061.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001063.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001069.SCR (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001070.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001071.EXE (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001072.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\f3PSSavr.scr (PUP.FunWebProducts) -> Quarantined and deleted successfully.

Event Log for Avira AntiVir (p.s. all the files found and quarantined by Avira were deleted)

Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wxipr.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wawd.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wawd.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5HOAHSU9\iztbjhowu[1].htm.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5HOAHSU9\izgowq[1].htm.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wxipr.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wxipr.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\V2QETOUN\iztbjhowu[1].htm.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5HOAHSU9\izgowq[2].htm.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wawd.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OW7A79LB\izgowq[2].htm.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OW7A79LB\iztbjhowu[1].htm.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OW7A79LB\iztbjhowu[1].htm.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wxipr.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\V2QETOUN\iztbjhowu[2].htm.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wxipr.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OW7A79LB\iztbjhowu[2].htm.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OW7A79LB\iztbjhowu[2].htm.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wawd.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OW7A79LB\izgowq[1].htm.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wxipr.exe.
Action performed: Deny access

The file 'C:\Documents and Settings\Owner\Application Data\DEAAF4D5BA2C3083007362A2A66E412C\csspatch700upd.exe'
contained a virus or unwanted program 'TR/Crypt.XPACK.Gen2' [trojan]
Action(s) taken:

The file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\V2QETOUN\csspatch700upd[1].exe'
contained a virus or unwanted program 'TR/Crypt.XPACK.Gen2' [trojan]
Action(s) taken:
The file was moved to '4d884285.qua'!

The file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0OX1X0WM\iztbjhowu[1].htm'
contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen' [trojan]
Action(s) taken:
The file was moved to '4d89428c.qua'!

Any help you guys are able to offer would be greatly appreciated! :D
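An added example, not part of this thread and not Avira's own tooling: a small Python script that condenses a Guard/scan report like the one above into what a helper needs at first glance, namely which distinct files were hit, where on the disk they sit, how many times access to each was denied, and which records show no action at all. The sample report inside it is excerpted from the log above; the location categories and the "dropped executable" rule are my own heuristics.

```python
"""Condense an Avira Guard/scan report into a triage summary.

Added example for this thread, not Avira's own tooling.  The sample
report is excerpted from the log posted above; the location categories
are my own heuristics.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: records excerpted from the Avira log in the post above.
SAMPLE_REPORT = r"""
Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\V2QETOUN\iztbjhowu[1].htm.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wawd.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wxipr.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wawd.exe.
Action performed: Deny access

The file 'C:\Documents and Settings\Owner\Application Data\DEAAF4D5BA2C3083007362A2A66E412C\csspatch700upd.exe'
contained a virus or unwanted program 'TR/Crypt.XPACK.Gen2' [trojan]
Action(s) taken:

The file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\V2QETOUN\csspatch700upd[1].exe'
contained a virus or unwanted program 'TR/Crypt.XPACK.Gen2' [trojan]
Action(s) taken:
The file was moved to '4d884285.qua'!
"""

# Real-time Guard record: three lines; the path line ends with a bare "."
GUARD_RE = re.compile(
    r"^Virus or unwanted program '(?P<det>[^'\[]+?)(?: \[(?P<kind>[^\]]+)\])?'[ \t]*$\n"
    r"^detected in file '(?P<path>.+?)'?\.?[ \t]*$\n"
    r"^Action performed: (?P<action>.+?)[ \t]*$",
    re.MULTILINE,
)
# On-demand scan record: the "moved to" line is absent when nothing was done
SCAN_RE = re.compile(
    r"^The file '(?P<path>[^']+)'[ \t]*$\n"
    r"^contained a virus or unwanted program '(?P<det>[^']+)' \[(?P<kind>[^\]]+)\][ \t]*$\n"
    r"^Action\(s\) taken:[ \t]*$\n?"
    r"(?:^The file was moved to '(?P<qua>[^']+)'![ \t]*$)?",
    re.MULTILINE,
)


def classify(path):
    """Bucket a path by where on the disk it sits (heuristic)."""
    p = path.lower()
    if "\\temporary internet files\\" in p:
        return "browser cache"
    if "\\local settings\\temp\\" in p:
        return "user temp"
    if "\\application data\\" in p:
        return "user appdata"
    return "other"


def parse_report(text):
    """Return one dict per record, from both report formats."""
    records = []
    for m in GUARD_RE.finditer(text):
        records.append({"path": m["path"], "detection": m["det"],
                        "kind": m["kind"] or "", "action": m["action"]})
    for m in SCAN_RE.finditer(text):
        action = f"moved to {m['qua']}" if m["qua"] else ""
        records.append({"path": m["path"], "detection": m["det"],
                        "kind": m["kind"], "action": action})
    return records


def triage(records):
    """Collapse repeated hits on the same file and pull out what matters."""
    files = defaultdict(lambda: {"location": "", "hits": 0,
                                 "detections": set(), "actions": set()})
    for r in records:
        entry = files[r["path"].lower()]
        entry["location"] = classify(r["path"])
        entry["hits"] += 1
        entry["detections"].add(r["detection"])
        if r["action"]:
            entry["actions"].add(r["action"])
    return {
        "unique_files": len(files),
        "by_location": Counter(e["location"] for e in files.values()),
        # executables dropped outside the browser cache are the persistence candidates
        "dropped_executables": sorted(
            p for p, e in files.items()
            if p.endswith(".exe") and e["location"] in ("user temp", "user appdata")),
        # a record with no action recorded means the file may still be on disk
        "no_action_recorded": sorted(p for p, e in files.items() if not e["actions"]),
        "files": dict(files),
    }


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    print(f"{summary['unique_files']} distinct files, by location: {dict(summary['by_location'])}")
    for p in summary["dropped_executables"]:
        print("dropped executable:", p, "hits:", summary["files"][p]["hits"])
    for p in summary["no_action_recorded"]:
        print("no action recorded:", p)
```

Run on the sample, the dozens of "Deny access" lines in the post collapse to a handful of distinct files: the cached .htm pages are the delivery side, the .exe files in Temp and Application Data are the part that tries to persist, and the one record without an action line is the file to check for by hand.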
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,467
Hiya donizettirules,

I'm kevinf80 and I will be helping with any malware issues you may have with your system.
  • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
  • Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
  • Either print or Save to Notepad all instructions and please follow them carefully, if there's something you don't understand or that will not work please let me know and we will go through it together.
  • Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
  • If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.
  • If you have any P2P applications installed such as BitTorrent, uTorrent, Limewire etc etc, please uninstall them before we begin.
  • If you are using Cracked or Illegal software your thread will be locked and all help will cease.

Please proceed as follows, try from Normal mode :-

Step 1

Download
TFC to your desktop, from either of the following links
Link 1
Link 2
  • Make sure any open work is saved. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Step 2

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

Combofix

Don't forget Combofix must be saved to your desktop. <--Very important

Before saving to the Desktop rename Combofix to Gotcha.exe as follows:



Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection available at the following link :-

Disable realtime protection

Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log from Combofix in next reply,

Kevin
 

donizettirules

Thread Starter
Joined
Sep 19, 2007
Messages
48
Hey Kevin! thanks for getting back to me so quickly :)

I've just tried to boot into the normal mode to begin the steps you suggested and almost immediately was presented with a false security warning and the "little red shield" (that I assume is meant to mimic Windows security warnings) that appears in the bottom right of the task bar started multiplying (i.e. it started lining them up next to each other...)

I've shut the computer back down.

should I try again in safe mode? safe mode with networking? or???

this is the so called "security warning" I received:

"Application can not be executed. the file control.exe is infected. do you want to activate your antivirus software now?"

(earlier this morning there was 1 time when I didn't hit the F8 button quickly enough and the OS loaded and I received the same "warning" though I could swear it was another .exe file name it gave me then...)

Also the avira antivirus scan started after a couple minutes though I had not instructed it to do so. In fact I've never seen that program start running a file scan without permission before, even when its guard had detected a possible virus, so I have no idea what that was about?! (do you know if that is normal behavior for avira or not?)
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,467
Just leave Combofix for now....

Please proceed as follows :-

Re-boot your PC and continuously tap the F8 key until you see the Windows Advanced Menu. From the available options select Safe mode with Networking Then proceed as follows :-

Step 1

Please download Rkill and save to your Desktop.
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If you get an alert from the rogue application that RKill is a threat, leave that alert open and re-run RKill again.

Step 2

If you've already got MB just update it, ignore the installation instructions.

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re-boot to Normal mode and run Malwarebytes again as previously instructed. Post both logs from Malwarebytes in your reply.

Kevin
 

donizettirules

Thread Starter
Joined
Sep 19, 2007
Messages
48
I downloaded the Rkill to a zip drive and copied it to the infected PC's desktop and ran it from there. This was the log produced:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 12/27/2010 at 17:15:59.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Owner\Application Data\U3\4318430C67923056\LaunchPad.exe


Rkill completed on 12/27/2010 at 17:16:07.

(the LaunchPad.exe is normal I think as I had just ejected a zipdrive that had been running with this)


When I tried to update the Malwarebytes however that was when I realized that the safe mode with networking wasn't actually connected to the internet... :eek:

thus my next question...

I have a wireless network so in order to access the internet in "safe mode with networking" do I have to hook the laptop up to the router with an Ethernet cable? or should I still be able to connect wirelessly?
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,467
It should connect ok by wireless, if not hook it up. If you have to re-boot you will need to run RKill again before M/Bytes....
 

donizettirules

Thread Starter
Joined
Sep 19, 2007
Messages
48
thanks, I rebooted into safe mode with networking again and ran Rkill. I connected to the router and that seemed to work so I updated M/Bytes on the infected PC and ran the "quick scan."
It apparently only took less than 4 minutes, and found 5 infections which I had it remove. It then requested that it be allowed to reboot the computer in order to finish disinfecting it. I let it reboot into the normal mode and ran a new “quick scan.” This took 7-8 minutes, and didn’t find any more infected files. (I guess I’m used to seeing the quick scan on M/Bytes take a little longer than that so I wasn’t sure if I should be suspicious of how short the two scans were…) anyway the two respective M/Bytes logs are below.

---
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5405

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

12/27/2010 6:17:15 PM
mbam-log-2010-12-27 (18-17-15).txt

Scan type: Quick scan
Objects scanned: 156712
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqdjxwmc (Trojan.FakeAlert) -> Value: fqdjxwmc -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Owner\local settings\Temp\oveorascu\svbxxrvlajb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\dkikqtl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\temporary internet files\Content.IE5\5HOAHSU9\mmaucwe[1].htm (Adware.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\temporary internet files\Content.IE5\OW7A79LB\cptrlg[1].htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.

---
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5405

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/27/2010 6:29:55 PM
mbam-log-2010-12-27 (18-29-55).txt

Scan type: Quick scan
Objects scanned: 156694
Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,467
Well you've nailed the rogue that time for sure, how is the system responding? Any issues?

We need to see some additional information about what is happening in your machine.
Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
  • Instead of attaching, please copy/paste both logs into your next reply.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE

Post the two DDS logs,

Kevin
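An added example, not part of this thread, of DDS, or of the helper's procedure: a Python script that reads the "Pseudo HJT Report" and "SERVICES / DRIVERS" lines of a DDS.txt and flags the entries a helper looks at first, namely an antivirus reported disabled, a browser proxy pointing at the loopback address, a Run entry launching from inside the user profile, a hosts-file entry sending a site to 127.0.0.1, and a boot-start driver whose file is missing. The sample lines are excerpted from the DDS log posted later in this thread, benign entries included; the rules, category names and directory list are my own heuristics, not DDS output.

```python
"""Flag the first-look indicators in a DDS.txt.

Added example for this thread; it is not part of DDS or of the helper's
procedure.  The rules are my own heuristics and the sample lines are
excerpted from the DDS log posted later in this thread.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "category detail line")

# Constructed sample: lines excerpted from the thread's DDS.txt, benign ones included.
SAMPLE_DDS = r"""
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [csspatch700upd.exe] c:\documents and settings\owner\application data\deaaf4d5ba2c3083007362a2a66e412c\csspatch700upd.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
Hosts: 127.0.0.1 www.spywareinfo.com
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-22 185089]
S0 beqqbjfy;beqqbjfy;c:\windows\system32\drivers\oynulj.sys --> c:\windows\system32\drivers\oynulj.sys [?]
S0 mfehf;mfehf;c:\windows\system32\drivers\lnylx.sys --> c:\windows\system32\drivers\lnylx.sys [?]
"""

AV_RE = re.compile(r"^AV: (?P<product>.+?) \*(?P<status>[^*]+)\*")
PROXY_RE = re.compile(r"^\w*Internet Settings,ProxyServer = (?P<value>.*)$")
RUN_RE = re.compile(r"^\w*Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
SVC_RE = re.compile(r"^(?P<state>[RS]\d) (?P<svc>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
IMAGE_RE = re.compile(r"^(?P<image>.*?\.(?:exe|scr|com|dll))", re.IGNORECASE)

# A Run entry normally points into Program Files or Windows, not into these (heuristic).
USER_PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\docume~1\\")
LOOPBACK = ("127.", "localhost", "0.0.0.0")


def command_image(cmd):
    """Executable path from a Run command line, quoted or followed by switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE_RE.match(cmd)
    return m["image"] if m else cmd


def triage_dds(text):
    """Return a Finding for every line that matches one of the rules."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AV_RE.match(line)
        if m and "disabled" in m["status"].lower():
            findings.append(Finding("av-disabled", m["product"], line))
            continue
        m = PROXY_RE.match(line)
        # value looks like "http=127.0.0.1:8074" or "127.0.0.1:8074"
        if m and m["value"].lower().split("=")[-1].startswith(LOOPBACK):
            findings.append(Finding("localhost-proxy", m["value"], line))
            continue
        m = RUN_RE.match(line)
        if m:
            image = command_image(m["cmd"]).lower()
            if any(d in image for d in USER_PROFILE_DIRS):
                findings.append(Finding("autorun-from-user-profile", image, line))
            continue
        m = HOSTS_RE.match(line)
        if m and m["ip"].startswith(LOOPBACK):
            findings.append(Finding("hosts-override", m["host"], line))
            continue
        m = SVC_RE.match(line)
        # DDS prints "[?]" when the service's file is not on disk
        if m and m["rest"].rstrip().endswith("[?]"):
            findings.append(Finding("service-file-missing", m["svc"], line))
    return findings


def summarize(findings):
    """Count findings per category."""
    return Counter(f.category for f in findings)


if __name__ == "__main__":
    results = triage_dds(SAMPLE_DDS)
    for f in results:
        print(f"{f.category:26} {f.detail}")
    print(dict(summarize(results)))
```

Each finding is only a pointer to a line worth reading, not a verdict: a localhost proxy and a Run entry under Application Data are what a rogue antivirus typically leaves behind, while a hosts entry for a security site can equally come from an immunisation tool, so the helper still decides from the full log.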
 

donizettirules

Thread Starter
Joined
Sep 19, 2007
Messages
48
OK I've done as you instructed. Here is the DDS.txt followed by the Attach.txt

DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 18:55:28.54 on Mon 12/27/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1052 [GMT -5:00]

AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Documents and Settings\Owner\Application Data\HP SimpleSave Application\uUACTokenSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [csspatch700upd.exe] c:\documents and settings\owner\application data\deaaf4d5ba2c3083007362a2a66e412c\csspatch700upd.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [\\TOUCAN\EPSON Stylus CX6000 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibia.exe /fu "c:\docume~1\owner\locals~1\temp\E_S47.tmp" /EF "HKLM"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Adventures%20of%20Robinson%20Crusoe/Images/stg_drm.ocx
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228158528984
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Adventures%20of%20Robinson%20Crusoe/Images/armhelper.ocx
Notify: AtiExtEvent - Ati2evxx.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\nd2ox1zq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.whitesmokestart.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z007&form=ZGAADF&q=
FF - prefs.js: browser.search.selectedEngine - Bing
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npzylomgamesplayer.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-22 11608]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [2008-12-1 181120]
R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [2008-12-1 51072]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2010-12-22 33824]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-22 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-22 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-22 56816]
R2 BackupService;BackupService;c:\documents and settings\owner\application data\hp simplesave application\uUACTokenSvc.exe [2010-11-29 83512]
S0 beqqbjfy;beqqbjfy;c:\windows\system32\drivers\oynulj.sys --> c:\windows\system32\drivers\oynulj.sys [?]
S0 mfehf;mfehf;c:\windows\system32\drivers\lnylx.sys --> c:\windows\system32\drivers\lnylx.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-7 136176]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]

=============== Created Last 30 ================

2010-12-27 15:40:04 -------- d-----w- C:\HijackThis
2010-12-25 00:17:57 3022 ----a-w- c:\windows\ohozomopajeboy.dll
2010-12-25 00:12:20 108032 --sha-r- c:\windows\system32\WMNetmgr4.dll
2010-12-25 00:11:01 -------- d-----w- c:\docume~1\owner\applic~1\DEAAF4D5BA2C3083007362A2A66E412C
2010-12-22 19:32:26 -------- d-----w- C:\Expat Shield
2010-12-22 16:11:24 0 ----a-w- c:\windows\system32\ASPRTMM3.DLL
2010-12-22 16:11:22 33824 ----a-w- c:\windows\system32\drivers\oreans32.sys
2010-12-21 20:57:16 -------- d-----w- c:\program files\common files\FontLab
2010-12-21 20:57:14 -------- d-----w- c:\program files\FontLab
2010-12-17 17:40:40 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
2010-12-17 17:38:54 -------- d-----w- c:\windows\SQL9_KB970892_ENU
2010-12-16 23:13:44 -------- d-----w- c:\program files\Ten-Tec
2010-12-16 23:07:15 -------- d-----w- C:\ERGO4_AUDIO
2010-12-16 23:02:21 -------- d-----w- c:\program files\common files\Borland Shared
2010-12-16 23:02:18 -------- d-----w- c:\program files\CreativeExpress
2010-12-16 22:39:16 -------- d-----w- c:\program files\N3OEA
2010-12-16 22:38:32 -------- d-----w- c:\program files\Business Objects
2010-12-16 22:35:53 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Microsoft Help
2010-12-16 22:30:49 -------- d-----w- c:\program files\MSXML 6.0
2010-12-16 22:29:23 -------- d-----w- c:\program files\Microsoft SQL Server
2010-12-16 22:04:29 -------- d-----w- c:\program files\Microsoft Speech SDK 5.1
2010-12-16 15:36:59 -------- d-----w- c:\program files\Alinco DX-R8 Clone Utility
2010-12-16 01:27:03 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-16 01:25:52 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-15 19:46:54 90112 ----a-w- c:\windows\system32\WRG303API.dll
2010-12-15 19:46:49 38784 ----a-w- c:\windows\system32\drivers\WRG303_XP32.sys
2010-12-15 19:46:49 -------- d-----w- c:\program files\WiNRADiO
2010-12-14 20:37:39 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\ESRI
2010-12-14 20:37:15 -------- d-----w- c:\docume~1\owner\applic~1\esri
2010-12-14 20:37:10 -------- d-----w- c:\program files\ESRI
2010-12-14 20:35:43 -------- d-----w- c:\program files\Explorer
2010-12-14 20:35:43 -------- d-----w- c:\program files\common files\ArcGIS
2010-12-14 20:15:09 -------- d-----w- c:\docume~1\owner\applic~1\MapWindow
2010-12-14 20:14:57 653120 ----a-w- c:\windows\system32\msvcr90.dll
2010-12-14 20:14:57 569664 ----a-w- c:\windows\system32\msvcp90.dll
2010-12-14 20:14:37 -------- d-----w- c:\program files\MapWindow
2010-12-14 19:48:01 -------- d-----w- c:\windows\Downloaded Installations
2010-12-14 19:47:18 -------- d-----w- c:\program files\CASA-UCL
2010-12-14 19:42:18 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\IsolatedStorage
2010-12-14 19:41:21 -------- d-----w- c:\program files\DDTI
2010-12-11 00:04:54 -------- d-----w- c:\program files\Audacity
2010-12-02 15:19:36 215920 ----a-w- c:\windows\system32\muweb.dll
2010-12-02 15:19:35 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-12-02 15:19:35 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-12-01 13:25:41 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-12-01 13:25:41 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-12-01 13:25:29 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-12-01 13:25:08 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-12-01 13:24:44 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-12-01 13:21:38 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-11-30 00:21:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\HPSS
2010-11-30 00:21:38 -------- d-----w- c:\docume~1\owner\applic~1\HP SimpleSave Application
2010-11-30 00:21:30 -------- d-----w- c:\docume~1\owner\applic~1\HPSS

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 18:46:58 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-11-06 00:34:12 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34:11 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34:11 17408 ----a-w- c:\windows\system32\corpol.dll
2010-11-03 12:25:53 389120 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK1652GSX rev.LV010A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8996B555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x899717b0]; MOV EAX, [0x8997182c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x89A49AB8]
3 CLASSPNP[0xBA118FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x89986BB8]
\Driver\atapi[0x89A1B2A0] -> IRP_MJ_CREATE -> 0x8996B555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK1652GSX_______________________LV010A__#5&19c84639&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8996B39B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 18:58:08.92 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 12/1/2008 1:14:19 PM
System Uptime: 12/27/2010 6:18:59 PM (0 hours ago)

Motherboard: Dell Inc. | | 0XD720
Processor: Genuine Intel(R) CPU T1350 @ 1.86GHz | Microprocessor | 1862/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 101.128 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01BD1028&REV_01\4&2FE911E8&0&0AF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01BD1028&REV_01\4&2FE911E8&0&0AF0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_01BD1028&REV_0A\4&2FE911E8&0&0BF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_01BD1028&REV_0A\4&2FE911E8&0&0BF0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_01BD1028&REV_05\4&2FE911E8&0&0CF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_01BD1028&REV_05\4&2FE911E8&0&0CF0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_01BD1028&REV_01\3&61AAA01&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_01BD1028&REV_01\3&61AAA01&0&FB
Service:

==== System Restore Points ===================

RP1: 12/24/2010 7:18:02 PM - System Checkpoint
RP2: 12/27/2010 6:49:07 PM - System Checkpoint

==== Installed Programs ======================

AccuGlobe 2007
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.1
Alinco DX-R8 Clone Utility
Apple Mobile Device Support
Apple Software Update
ArcGIS Explorer
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Audacity 1.2.6
Avira AntiVir Personal - Free Antivirus
Bonjour
Broadcom 440x 10/100 Integrated Controller
CCleaner
Chinese (Simplified) Language Support
Chinese Simplified Fonts Support For Adobe Reader 9
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Crystal Reports Basic Runtime for Visual Studio 2008
DAEMON Tools Toolbar
Dell Wireless WLAN Card
Empire: Total War Demo
ERGO4
Ext2 IFS 1.11a for Windows XP
FontLab Studio 5
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
GDR 4053 for SQL Server Tools and Workstation Components 2005 ENU (KB970892)
getPlus(R) for Adobe
GMapCreator
Google Chrome
Google Earth
Google Talk (remove only)
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
iTunes
Java Advanced Imaging 1.1.3 for JRE
Java(TM) 6 Update 12
Malwarebytes' Anti-Malware
MapWindow GIS
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Flight Simulator X
Microsoft Flight Simulator X Service Pack 1
Microsoft Flight Simulator X Service Pack 2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft Speech SDK 5.1
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Management Studio Express
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft WinUsb 1.0
Move Media Player
Mozilla Firefox (3.0.19)
Mozilla Thunderbird (3.1.7)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser
MSXML4 Parser
MyFonts Order M2575337
Paint.NET v3.36
PC Wizard 2008.1.871
PCFriendly
Picasa 3
PrimoPDF
PrimoPDF -- brought to you by Nitro PDF Software
project dogwaffle
QuickTime
RX320
Safari
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Shortwave Log
SigmaTel Audio
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
Steam
System Requirements Lab
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Ventrilo Client
WebFldrs XP
Windows Easy Transfer
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows XP Service Pack 3
WiNRADiO G303 Standard
Yahoo! Toolbar
Zune Desktop Theme

==== Event Viewer Messages From Past Week ========

12/27/2010 5:06:48 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb Fips intelppm oreans32 ssmdrv
12/27/2010 10:29:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
12/25/2010 12:35:00 PM, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s).
12/24/2010 8:21:22 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/24/2010 8:16:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT oreans32 RasAcd Rdbss ssmdrv Tcpip Tcpip6
12/24/2010 8:16:54 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/24/2010 8:16:54 PM, error: Service Control Manager [7001] - The IPv6 Helper Service service depends on the Microsoft IPv6 Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/24/2010 8:16:54 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/24/2010 8:16:54 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/24/2010 8:16:54 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/24/2010 8:16:54 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/24/2010 8:16:54 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/24/2010 8:16:03 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/24/2010 8:05:59 PM, error: Service Control Manager [7034] - The BackupService service terminated unexpectedly. It has done this 1 time(s).
12/24/2010 10:30:59 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
12/22/2010 3:17:40 PM, error: Service Control Manager [7034] - The Expat Shield Routing Service service terminated unexpectedly. It has done this 1 time(s).
12/20/2010 11:15:22 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.

==== End Of File ===========================
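The Event Viewer section of the DDS log above shows two patterns worth flagging during triage: Avira's boot-start drivers failing to load, and on 12/24 the whole XP network stack (AFD, Tcpip, NetBT, IPSec, MRxSmb...) failing alongside them. The following is an added example, not part of the thread or the DDS tool, that parses lines in DDS's Event Viewer format and tags those two patterns; the sample lines are copied from the log above, and the driver groupings (avgio/avipbb/ssmdrv assumed to be Avira's drivers, the rest assumed to be core networking drivers) are this example's own assumptions.

```python
import re
from datetime import datetime

# Sample input: four lines copied from the DDS "Event Viewer Messages" section above.
SAMPLE_EVENTS = """\
12/27/2010 5:06:48 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb Fips intelppm oreans32 ssmdrv
12/24/2010 8:16:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT oreans32 RasAcd Rdbss ssmdrv Tcpip Tcpip6
12/24/2010 8:16:54 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/20/2010 11:15:22 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.
"""

# DDS prints each event as: "<date> <time>, <level>: <source> [<event id>] - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)

# Assumed groupings for this example (not from the thread): the Avira AntiVir
# drivers and the XP network-stack drivers named in the failed-load lists above.
AV_DRIVERS = {"avgio", "avipbb", "ssmdrv"}
NET_STACK = {"afd", "tcpip", "tcpip6", "netbt", "netbios", "ipsec", "mrxsmb", "rdbss", "rasacd"}

def parse_events(text):
    """Return a list of dicts (ts, level, source, id, msg) for every well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or unrecognised lines rather than fail
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %I:%M:%S %p")
        ev["id"] = int(ev["id"])
        events.append(ev)
    return events

def failed_drivers(ev):
    """Driver names listed in a Service Control Manager 7026 event, lower-cased; empty otherwise."""
    if ev["source"] != "Service Control Manager" or ev["id"] != 7026:
        return set()
    return {d.lower() for d in ev["msg"].split("failed to load:")[1].split()}

def triage(text):
    """List (timestamp, sorted tags) for each 7026 event that hits a watched driver group."""
    findings = []
    for ev in parse_events(text):
        drivers = failed_drivers(ev)
        tags = []
        if drivers & AV_DRIVERS:
            tags.append("antivirus drivers blocked")
        if drivers & NET_STACK:
            tags.append("network stack failed to start")
        if tags:
            findings.append((ev["ts"].isoformat(sep=" "), sorted(tags)))
    return findings

if __name__ == "__main__":
    for ts, tags in triage(SAMPLE_EVENTS):
        print(ts, "->", ", ".join(tags))
```

Both AV and network drivers failing in the same boot, as in the 12/24 entry, is the pattern a helper looks for before reaching for a rootkit scanner; a single AV driver failure on its own is more often a damaged or half-removed product.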

donizettirules

Thread Starter
Joined
Sep 19, 2007
Messages
48
I also tried running the GMER scan again and the initial scan (which I assume is scanning for those places it should go on to scan if and when you hit the scan button)

I've posted the log below as it looks the same as it did when I ran it earlier today. I haven't gone on to run the actual longer scan this evening. It was after trying to run that this morning that the computer was freezing up in safe mode. The only concern I really had was the "sector 63: rootkit-like behavior" -- though I realize that the program is prone to false positives, I just thought it best to post it as well.

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-12-27 19:06:53
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 TOSHIBA_MK1652GSX rev.LV010A
Running: tmxunfzb.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fglcikob.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- System - GMER 1.0.15 ----

SSDT spgz.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT spgz.sys ZwEnumerateValueKey [0xB9EC6032]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8996B39B
Device \Driver\atapi \Device\Ide\IdePort0 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8996B39B
Device \Driver\atapi \Device\Ide\IdePort1 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8996B39B
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\agnr2grl \Device\Scsi\agnr2grl1Port2Path0Target0Lun0 8963E500
Device \Driver\agnr2grl \Device\Scsi\agnr2grl1 8963E500
Device \FileSystem\Ntfs \Ntfs 89A6A1F8
Device \FileSystem\Fastfat \Fat 8852A1F8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK1652GSX_______________________LV010A__#5&19c84639&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,467
Still quite a bit going on with your system, let's give Combofix a try :-

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

Combofix

Don't forget Combofix must be saved to your desktop. <--Very important

Before saving to the Desktop re-name to Gotcha.exe as follows:



Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection available at the following link :-

Disable realtime protection

Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log in your reply,

Kevin

donizettirules

Thread Starter
Joined
Sep 19, 2007
Messages
48
OK, I've followed your instructions and run ComboFix. However, when I came back from dinner I found the following message:

The Machine does not have the 'Microsoft Windows recovery console'
installed. Alternatively, an existing installation of the recovery console
may be present but needs updating.

Without it, ComboFix shall not attempt the fixing of some serious infections.

Click 'Yes' to have ComboFix download/install it.

NOTE: this requires an active internet connection

Behind the message (in the ComboFix window), after saying "ComboFix is preparing to run", it then says: "Attempting to create a System Restore point."

So I'm not sure if the scan actually ran or not, or if the message appeared when it first started to scan or afterwards, etc. I know you'd had me disconnect from the internet before running the program, so should I reconnect at this time and allow ComboFix to download/install the Windows Recovery Console and then disconnect again before re-scanning? And if I should do this, should I also reactivate the firewall and/or antivirus protection for the time that I am connected to the internet? (I would, I assume, disable all this again before rerunning ComboFix...)

NOTE: I've been responding from my laptop, which is clean; it's my brother's old Dell that is infected. Having had to go back to this older one now that his newer laptop is on the fritz means that the infected computer is running the XP OS and also has a lot of stuff that hasn't been updated for probably two years now. :/

donizettirules

Thread Starter
Joined
Sep 19, 2007
Messages
48
lol - OK, I only just noted you're over in the UK, so I'll go ahead and download the Windows Recovery Console and such... I hope you don't get this till the morning! (i.e. get some sleep.) I'm half British myself so I'm used to calculating when family members and such over there are and are not awake, lol.

Thank you so much for all your help so far, and I'll get back to you with the ComboFix logs! :)

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,467
I don't recall telling you to disconnect before running Combofix. After Combofix has done its initial checks it will disconnect itself from the internet. Yep, make sure you have a connection then run CF.