TechSpot

[A] AVG detects a Trojan in system file; "smb.sys" causing Windows Update to fail

Inactive
By Romeo J. Chacon
Oct 21, 2012
  1. Romeo J. Chacon

    Romeo J. Chacon TS Member Topic Starter Posts: 27

    Antivirus    Result    Update
    Agnitum - 20121021
    AntiVir - 20121022
    Antiy-AVL - 20121022
    Avast Win32:Sirefef-AMS [Rtk] 20121022
    AVG ZeroAccess.IH 20121022
    BitDefender Gen:Variant.Symmi.2296 20121022
    ByteHero - 20121019
    CAT-QuickHeal - 20121022
    ClamAV - 20121022
    Commtouch - 20121022
    Comodo - 20121022
    DrWeb BackDoor.Maxplus 20121022
    Emsisoft Gen:Variant.Symmi.2296 (B) 20121022
    eSafe - 20121017
    ESET-NOD32 Win32/Sirefef.DA 20121022
    F-Prot - 20121022
    F-Secure Gen:Variant.Symmi.2296 20121022
    Fortinet W32/Sirefef.DA!tr 20121022
    GData Gen:Variant.Symmi.2296 20121022
    Ikarus Trojan.ZeroAccess 20121022
    Jiangmin Trojan/Genome.czgd 20121022
    K7AntiVirus - 20121022
    Kaspersky HEUR:Backdoor.Win32.Generic 20121022
    Kingsoft - 20121008
    McAfee - 20121022
    McAfee-GW-Edition Heuristic.BehavesLike.Win32.Suspicious-BAY.K 20121022
    Microsoft - 20121022
    MicroWorld-eScan Gen:Variant.Symmi.2296 20121022
    Norman - 20121022
    nProtect - 20121022
    Panda - 20121022
    PCTools Trojan.Zeroaccess 20121022
    Rising Malware.XPACK!4904 20121022
    Sophos - 20121022
    SUPERAntiSpyware - 20121022
    Symantec Trojan.Zeroaccess!i11 20121022
    TheHacker - 20121021
    TotalDefense - 20121022
    TrendMicro - 20121022
    TrendMicro-HouseCall - 20121022
    VBA32 - 20121022
    VIPRE Lookslike.Win32.Sirefef.t (v) 20121022
    ViRobot - 20121022
     
  2. Romeo J. Chacon

    Romeo J. Chacon TS Member Topic Starter Posts: 27

    Continued...

    ssdeep

    1536:g0TjNxUGKinE0KWfYmsBlgAolx6FuNMvLbYAg:g0TjN6MCIT7NibYB
    TrID

    Win32 Executable Generic (68.0%)
    Generic Win/DOS Executable (15.9%)
    DOS Executable Generic (15.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    ExifTool

    MIMEType.................: application/octet-stream
    Subsystem................: Native
    MachineType..............: Intel 386 or later, and compatibles
    TimeStamp................: 2012:10:09 21:34:55+01:00
    FileType.................: Win32 DLL
    PEType...................: PE32
    CodeSize.................: 39424
    LinkerVersion............: 6.238
    EntryPoint...............: 0x6077
    InitializedDataSize......: 14848
    SubsystemVersion.........: 5.1
    ImageVersion.............: 0.0
    OSVersion................: 5.1
    UninitializedDataSize....: 0

    Portable Executable structural information

    Compilation timedatestamp.....: 2012-10-09 20:34:55
    Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
    Entry point address...........: 0x00006077

    PE Sections...................:

    Name Virtual Address Virtual Size Raw Size Entropy MD5
    .code 4096 40 512 0.17 2edcb377efa91cd4d13a9e03c2a19235
    .icode 8192 40 512 0.76 303844500971a9544e816b6a8ab3a461
    .text 12288 23080 23552 7.18 4967b97470e20c579600e6b0a33cead6
    .ghfhj 36864 15445 15872 7.13 4bd6360b70af9faeac00d98153378349
    .data 53248 1510 1536 5.83 e6848d5290c317b444960216541f1337
    .jihfd 57344 872 1024 7.09 7025ce1a6319857b2b553c87a3a421b2
    .oiyuh 61440 1760 2048 7.30 1e433ddb5e1078302bcb011bdd56d001
    .vcxv 65536 1320 1536 7.26 99174bb39d99939a9569a3ae0fa89dce
    .oiuhgf 69632 1320 1536 7.28 1c9088b7d3a5ea3193d498e50aca5543
    .ryfg 73728 1760 2048 7.30 4a274483ac8276ad13694e5837414a6e
    .fdsgf 77824 1760 2048 7.29 002837f372a5e7dbef4f0ebe68dbfdb9
    .rsrc 81920 20709 1024 4.85 89b802f65ad45d5db8ccbd2b4d3ec4a5
    .reloc 106496 792 1024 5.37 fff7a42855ede4d409d1f026443b3d43

    PE Imports....................:

    [[ntoskrnl.exe]]
    ZwReadFile, KeInitializeMutex, HalExamineMBR, KeDetachProcess, KeUnstackDetachProcess, RtlUpcaseUnicodeChar, PsGetProcessId, MmFlushImageSection, wcslen, IoGetCurrentProcess, RtlVolumeDeviceToDosName, CcSetReadAheadGranularity, RtlTimeToSecondsSince1980, ExUuidCreate, IoAllocateWorkItem, MmAddVerifierThunks, KeSetTimer, FsRtlLookupLastLargeMcbEntry, IoReadPartitionTable, IoCreateSymbolicLink, FsRtlNotifyUninitializeSync, RtlCompareMemoryUlong, wcsspn, RtlSecondsSince1980ToTime, CcInitializeCacheMap

    PE Resources..................:

    Resource type Number of resources
    RT_MESSAGETABLE 1

    Resource language Number of resources
    ENGLISH US 1

    First seen by VirusTotal

    2012-10-22 20:13:24 UTC ( 2 minutes ago )
    Last seen by VirusTotal

    2012-10-22 20:13:24 UTC ( 2 minutes ago )
    File names (max. 25)

    1. smb.sys
     
  3. Romeo J. Chacon

    Romeo J. Chacon TS Member Topic Starter Posts: 27

    SystemLook 30.07.11 by jpshortstuff
    Log created at 13:19 on 22/10/2012 by Romeo Jr Chacon
    Administrator - Elevation successful
    ========== filefind ==========
    Searching for "smb.sys"
    C:\Windows\System32\drivers\smb.sys --a---- 66560 bytes [20:29 25/09/2012] [04:45 11/04/2009] F31D7577BE73DF2B6B512C44E241B284
    C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys --a---- 66560 bytes [02:34 21/01/2008] [02:34 21/01/2008] 031E6BCD53C9B2B9ACE111EAFEC347B6
    -= EOF =-
     
  4. Broni

    Broni Malware Annihilator Posts: 47,581   +267

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys | C:\Windows\System32\drivers\smb.sys
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
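The FCopy step above rests on one comparison: the hash of the live driver against the hash of the copy Windows keeps in the WinSxS component store. The following Python is an added example, not part of this thread or of any TechSpot or ComboFix tool: it parses SystemLook filefind output (the sample is the log posted earlier in this thread, with the whitespace loss of a pasted log tolerated) and derives both the verdict and the FCopy line; the function names are my own.

```python
import re
from collections import defaultdict

# One SystemLook "filefind" result line. Pasted logs often lose the whitespace
# between fields (path, attributes, size, timestamps, MD5), so every separator
# is optional.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s*"
    r"(?P<attrs>[-A-Za-z]{7})\s*"
    r"(?P<size>\d+)\s*bytes\s*"
    r"\[(?P<modified>[^\]]+)\]\s*"
    r"\[(?P<created>[^\]]+)\]\s*"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Constructed sample: the two filefind hits from the SystemLook log posted in
# this thread (live driver first, WinSxS component-store copy second).
SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
========== filefind ==========
Searching for "smb.sys"
C:\Windows\System32\drivers\smb.sys--a---- 66560 bytes[20:29 25/09/2012][04:45 11/04/2009] F31D7577BE73DF2B6B512C44E241B284
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys--a---- 66560 bytes[02:34 21/01/2008][02:34 21/01/2008] 031E6BCD53C9B2B9ACE111EAFEC347B6
-= EOF =-
"""

def parse_filefind(text):
    """Parse filefind output into dicts: path, attrs, size, modified, created, md5."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def _is_winsxs(path):
    return "\\winsxs\\" in path.lower()

def _group_by_name(entries):
    groups = defaultdict(list)
    for e in entries:
        groups[_basename(e["path"])].append(e)
    return groups

def check_against_winsxs(entries):
    """Return {live_path: verdict}, comparing each non-WinSxS copy with the WinSxS
    copies of the same file name. The hash decides, not the size: the two smb.sys
    copies in the thread are both 66560 bytes yet carry different MD5s."""
    verdicts = {}
    for group in _group_by_name(entries).values():
        refs = [e for e in group if _is_winsxs(e["path"])]
        ref_md5 = {r["md5"] for r in refs}
        for live in (e for e in group if not _is_winsxs(e["path"])):
            if not refs:
                verdict = "no WinSxS reference copy found"
            elif live["md5"] in ref_md5:
                verdict = "matches a WinSxS copy"
            else:
                verdict = "hash mismatch against WinSxS copy"
                if any(r["size"] == live["size"] for r in refs):
                    verdict += " (same size, so a size check alone would miss it)"
            verdicts[live["path"]] = verdict
    return verdicts

def suggest_fcopy(entries):
    """Build ComboFix 'FCopy::' lines (source | destination) for every live file
    whose hash matches none of the WinSxS copies of the same name."""
    groups = _group_by_name(entries)
    lines = []
    for path, verdict in check_against_winsxs(entries).items():
        if verdict.startswith("hash mismatch"):
            refs = [r for r in groups[_basename(path)] if _is_winsxs(r["path"])]
            # First listed WinSxS copy; with several, choose by component version.
            lines.append(f"{refs[0]['path']} | {path}")
    return lines

if __name__ == "__main__":
    parsed = parse_filefind(SAMPLE_LOG)
    for path, verdict in check_against_winsxs(parsed).items():
        print(f"{path}: {verdict}")
    for directive in suggest_fcopy(parsed):
        print("FCopy::", directive)
```

Run as-is it reproduces the FCopy line from the CFScript above; the hash is what separates the two copies, since both are 66560 bytes.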
  5. Romeo J. Chacon

    Romeo J. Chacon TS Member Topic Starter Posts: 27

    ComboFix 12-10-22.02 - Romeo Jr Chacon 10/22/2012 14:08:06.3.1 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1919.1143 [GMT -7:00]
    Running from: c:\users\Romeo Jr Chacon\Desktop\ComboFix.exe
    Command switches used :: c:\users\Romeo Jr Chacon\Desktop\CFScript.txt
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys --> c:\windows\System32\drivers\smb.sys
    .
    ((((((((((((((((((((((((( Files Created from 2012-09-22 to 2012-10-22 )))))))))))))))))))))))))))))))
    .
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-10-02 22:20 . 2012-02-10 05:43 1009512 ----a-w- c:\windows\system32\nvdispco32.dll
    2012-10-02 22:20 . 2008-01-21 02:32 15309160 ----a-w- c:\windows\system32\nvd3dum.dll
    2012-09-25 21:21 . 2012-09-25 21:21 4096 ----a-w- c:\windows\system32\drivers\en-US\dxgkrnl.sys.mui
    2012-08-24 07:57 . 2012-08-24 07:57 113104 ----a-w- c:\windows\system32\drivers\scdemu.sys
    2012-08-21 20:01 . 2012-08-21 20:01 106928 ----a-w- c:\windows\system32\GEARAspi.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
    "Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "P17RunE"="P17RunE.dll" [2008-03-28 14848]
    "VolPanel"="c:\program files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2007-03-01 180224]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
    "Wondershare Helper Compact.exe"="c:\program files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe" [2012-02-28 1679360]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-09-30 296096]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Wireless Connection Manager.lnk - c:\program files\D-Link\DWA-552 revA\wirelesscm.exe [2012-9-25 517440]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Google Update"="c:\users\Romeo Jr Chacon\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    "WindowsWelcomeCenter"=rundll32.exe oobefldr.dll,ShowWelcomeCenter
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "UpdReg"=c:\windows\UpdReg.EXE
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" -osboot
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-10-22 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-12 06:33]
    .
    2012-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2321283058-4084574830-2792957718-1000Core.job
    - c:\users\Romeo Jr Chacon\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-25 21:54]
    .
    2012-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2321283058-4084574830-2792957718-1000UA.job
    - c:\users\Romeo Jr Chacon\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-25 21:54]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyServer = http=;ftp=;https=;
    TCP: DhcpNameServer = 10.0.1.1
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-10-22 14:15
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2012-10-22 14:17:23
    ComboFix-quarantined-files.txt 2012-10-22 21:17
    ComboFix2.txt 2012-10-22 04:53
    .
    Pre-Run: 583,559,942,144 bytes free
    Post-Run: 583,537,700,864 bytes free
    .
    - - End Of File - - E3BA1419E0B18091CBFE81BF2E0D17B8
     
  6. Broni

    Broni Malware Annihilator Posts: 47,581   +267

    You can reinstall AVG now.

    Please post new aswMBR log.
     
  7. Romeo J. Chacon

    Romeo J. Chacon TS Member Topic Starter Posts: 27

    Should I run aswMBR now or after installing AVG?
     
  8. Broni

    Broni Malware Annihilator Posts: 47,581   +267

    AVG first.
     
  9. Romeo J. Chacon

    Romeo J. Chacon TS Member Topic Starter Posts: 27

    Can I download a different Antivirus? Maybe Norton. AVG is acting up and I keep getting the Windows Installer could not be accessed error.
     
  10. Broni

    Broni Malware Annihilator Posts: 47,581   +267

  11. Romeo J. Chacon

    Romeo J. Chacon TS Member Topic Starter Posts: 27

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-10-21 15:06:43
    -----------------------------
    15:06:43.944 OS Version: Windows 6.0.6002 Service Pack 2
    15:06:43.945 Number of processors: 1 586 0x7F02
    15:06:43.946 ComputerName: STUDIO UserName:
    15:06:45.716 Initialize success
    15:10:57.293 AVAST engine defs: 12102101
    15:11:03.937 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000058
    15:11:03.942 Disk 0 Vendor: WDC_WD75 15.0 Size: 715404MB BusType: 6
    15:11:03.951 Disk 0 MBR read successfully
    15:11:03.956 Disk 0 MBR scan
    15:11:03.962 Disk 0 Windows VISTA default MBR code
    15:11:03.968 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 715402 MB offset 2048
    15:11:04.015 Disk 0 scanning sectors +1465145344
    15:11:04.122 Disk 0 scanning C:\Windows\system32\drivers
    15:11:12.955 File: C:\Windows\system32\drivers\smb.sys **INFECTED** Win32:Sirefef-AMS [Rtk]
    15:11:16.518 Disk 0 trace - called modules:
    15:11:16.534 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
    15:11:16.539 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84a37a28]
    15:11:16.546 3 CLASSPNP.SYS[875a38b3] -> nt!IofCallDriver -> [0x83b90aa0]
    15:11:16.562 5 acpi.sys[8060f6bc] -> nt!IofCallDriver -> \Device\00000058[0x83b8aa88]
    15:11:18.112 AVAST engine scan C:\Windows
    15:11:21.294 AVAST engine scan C:\Windows\system32
    15:14:57.262 AVAST engine scan C:\Windows\system32\drivers
    15:15:06.426 File: C:\Windows\system32\drivers\smb.sys **INFECTED** Win32:Sirefef-AMS [Rtk]
    15:15:10.430 AVAST engine scan C:\Users\Romeo Jr Chacon
    15:28:38.631 Disk 0 MBR has been saved successfully to "C:\Users\Romeo Jr Chacon\Desktop\MBR.dat"
    15:28:38.633 The log file has been saved successfully to "C:\Users\Romeo Jr Chacon\Desktop\aswMBR.txt"


    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-10-22 15:08:27
    -----------------------------
    15:08:27.234 OS Version: Windows 6.0.6002 Service Pack 2
    15:08:27.234 Number of processors: 1 586 0x7F02
    15:08:27.250 ComputerName: STUDIO UserName:
    15:08:41.290 Initialize success
    15:08:41.415 AVAST engine defs: 12082100
    15:08:53.629 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000053
    15:08:53.629 Disk 0 Vendor: WDC_WD75 15.0 Size: 715404MB BusType: 6
    15:08:53.645 Disk 0 MBR read successfully
    15:08:53.645 Disk 0 MBR scan
    15:08:53.661 Disk 0 Windows VISTA default MBR code
    15:08:53.661 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 715402 MB offset 2048
    15:08:53.661 Disk 0 scanning sectors +1465145344
    15:08:53.739 Disk 0 scanning C:\Windows\system32\drivers
    15:09:00.774 Service scanning
    15:09:14.611 Modules scanning
    15:09:18.823 Disk 0 trace - called modules:
    15:09:18.839 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
    15:09:18.855 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84430740]
    15:09:18.855 3 CLASSPNP.SYS[86fa48b3] -> nt!IofCallDriver -> [0x83597e00]
    15:09:18.870 5 acpi.sys[806116bc] -> nt!IofCallDriver -> \Device\00000053[0x835a29c0]
    15:09:20.508 AVAST engine scan C:\Windows
    15:09:26.218 AVAST engine scan C:\Windows\system32
    15:11:46.821 AVAST engine scan C:\Windows\system32\drivers
    15:12:01.890 AVAST engine scan C:\Users\Romeo Jr Chacon
    15:18:17.261 Disk 0 MBR has been saved successfully to "C:\Users\Romeo Jr Chacon\Desktop\MBR.dat"
    15:18:17.308 The log file has been saved successfully to "C:\Users\Romeo Jr Chacon\Desktop\aswMBR.txt"
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,581   +267

    Looks good :)

    Any current issues?

    ==============================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  13. Romeo J. Chacon

    Romeo J. Chacon TS Member Topic Starter Posts: 27

    Yes, the file is still infected.
    I ran a complete scan using AVAST and it detected the same infection.

    I'll be posting the OTL log here in a bit.
     
  14. Broni

    Broni Malware Annihilator Posts: 47,581   +267

    Smb.sys?
     
  15. Broni

    Broni Malware Annihilator Posts: 47,581   +267

    Still with me?
     
  16. Broni

    Broni Malware Annihilator Posts: 47,581   +267

    This topic is marked as abandoned and closed due to inactivity.
    This member will NOT be eligible to receive any more help in the malware removal forum.
     
Topic Status:
Not open for further replies.

