TechSpot

[A] Trojan infection rootkit.zero.access

By keiichan1
Mar 28, 2012
  1. Hello! This is my first post, and I'm a complete noob towards anything electric^^;

    My AVG scan found two trojans, rootkit.zero.access and zeroaccess.s, on my Windows XP.

    I tried the general removal tools such as Spybot etc., and AVG. These programs can't seem to get rid of it.
    Please help!
    I followed the 5 steps and I'll post the logs here.

    Malwarebytes did not detect anything.

    PS: the random questions are really hard sometimes O_o (so ashamed)

    Thank you again :)
     
  2. keiichan1


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-03-28 13:32:37
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 FUJITSU_ rev.0081
    Running: 7h69ordb.exe; Driver: C:\Users\Allan\AppData\Local\Temp\pxdorpog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0x9D9C9004]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0x9D9C90D4]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x9D9C8D76]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x9D9C8E1E]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x9D9C8EBA]
    SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x9D9C8F56]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKey + 13C1 832933D9 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 832CCD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text ntkrnlpa.exe!KeRemoveQueueEx + 1357 832D404C 8 Bytes [04, 90, 9C, 9D, D4, 90, 9C, ...] {ADD AL, 0x90; PUSHF ; POPF ; AAM 0x90; PUSHF ; POPF }
    .text ntkrnlpa.exe!KeRemoveQueueEx + 139F 832D4094 4 Bytes [76, 8D, 9C, 9D] {JBE 0xffffffffffffff8f; PUSHF ; POPF }
    .text ntkrnlpa.exe!KeRemoveQueueEx + 166F 832D4364 8 Bytes [1E, 8E, 9C, 9D, BA, 8E, 9C, ...] {PUSH DS; MOV DS, [EBP+EBX*4-0x62637146]}
    .text ntkrnlpa.exe!KeRemoveQueueEx + 16E3 832D43D8 4 Bytes [56, 8F, 9C, 9D]
    .text sptd.sys 8908C001 31 Bytes [17, 22, 83, 34, B2, 22, 83, ...]
    .text sptd.sys 8908C024 257 Bytes [50, 17, 2F, 83, 05, 50, 37, ...]
    .text sptd.sys 8908C126 95 Bytes [29, 83, 11, EC, 2E, 83, CE, ...]
    .text sptd.sys 8908C186 70 Bytes [29, 83, 4E, C4, 2C, 83, E0, ...]
    .text sptd.sys 8908C1D4 4 Bytes [27, 39, 4F, 4E] {DAA ; CMP [EDI+0x4e], ECX}
    .text ...
    .sptd2 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd2" section [0x891381AA]
    ? C:\Windows\System32\Drivers\sptd.sys The process cannot access the file because it is being used by another process.
    PAGE ataport.SYS!DllUnload + 1 89215AD7 4 Bytes JMP 852251C9
    .text USBPORT.SYS!DllUnload 8ED6CDB9 5 Bytes JMP 86D2D410
    ? C:\Users\Allan\AppData\Local\Temp\catchme.sys The system cannot find the file specified. !
    ? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8908D70C] \SystemRoot\System32\Drivers\sptd.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8908DEEE] \SystemRoot\System32\Drivers\sptd.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [8908E20E] \SystemRoot\System32\Drivers\sptd.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8908E0CC] \SystemRoot\System32\Drivers\sptd.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8908D8F0] \SystemRoot\System32\Drivers\sptd.sys

    ---- Devices - GMER 1.0.15 ----

    Device 8522F1E8
    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

    AttachedDevice avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

    Device 86BA61E8
    Device udfs.sys (UDF File System Driver/Microsoft Corporation)

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

    Device \Driver\usbuhci \Device\USBPDO-0 86D2F1E8
    Device \Driver\usbuhci \Device\USBPDO-1 86D2F1E8
    Device \Driver\usbehci \Device\USBPDO-2 86D38430
    Device \Driver\usbuhci \Device\USBPDO-3 86D2F1E8
    Device \Driver\usbuhci \Device\USBPDO-4 86D2F1E8

    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\usbuhci \Device\USBPDO-5 86D2F1E8
    Device \Driver\usbehci \Device\USBPDO-6 86D38430

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

    Device \Driver\cdrom \Device\CdRom0 86B65430
    Device \Driver\PCI_PNP2148 \Device\00000059 sptd.sys
    Device \Driver\PCI_PNP2148 \Device\00000059 sptd.sys
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8522C1E8
    Device \Driver\iaStor \Device\Ide\iaStor0 [8935C390] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort0 8522C1E8
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [8935C390] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\cdrom \Device\CdRom1 86B65430
    Device \Driver\BTHUSB \Device\00000075 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
    Device \Driver\BTHUSB \Device\00000077 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
    Device \Driver\ACPI_HAL \Device\0000004e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\usbuhci \Device\USBFDO-0 86D2F1E8
    Device \Driver\usbuhci \Device\USBFDO-1 86D2F1E8
    Device \Driver\usbehci \Device\USBFDO-2 86D38430
    Device \Driver\usbuhci \Device\USBFDO-3 86D2F1E8
    Device \Driver\usbuhci \Device\USBFDO-4 86D2F1E8
    Device \Driver\usbuhci \Device\USBFDO-5 86D2F1E8
    Device \Driver\usbehci \Device\USBFDO-6 86D38430
    Device \Driver\a46hloue \Device\Scsi\a46hloue1Port2Path0Target0Lun0 86CD11E8
    Device \Driver\a46hloue \Device\Scsi\a46hloue1 86CD11E8
    Device \Driver\00000630 \GLOBAL??\7a918d23 86CA7880

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\001c26d5e383 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
    Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9C 0xC9 0xB1 0x62 ...
    Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
    Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDA 0x84 0x4B 0x44 ...
    Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x5F 0x48 0xFA 0xA1 ...
    Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDE 0xE8 0xED 0x9F ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001c26d5e383
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 2
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9C 0xC9 0xB1 0x62 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFF 0x85 0x4A 0xC7 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x5F 0x48 0xFA 0xA1 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC3 0x20 0x6D 0x91 ...
    Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\001c26d5e383 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
    Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9C 0xC9 0xB1 0x62 ...
    Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
    Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFF 0x85 0x4A 0xC7 ...
    Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x5F 0x48 0xFA 0xA1 ...
    Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC3 0x20 0x6D 0x91 ...
    Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\981F31F5-31A1-4EF5-B5AE-1E624FCFA82A@IPAddress 127.0.0.1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Superfetch@VirtualStoreSize 1040

    ---- EOF - GMER 1.0.15 ----
     
  3. keiichan1


    This is the DDS log

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
    Run by Allan at 13:33:36 on 2012-03-28
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.32.1043.18.2014.1001 [GMT 2:00]
    .
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\ibmpmsvc.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
    C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Windows\system32\AEADISRV.EXE
    C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe
    C:\Program Files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe
    C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
    C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\Zoom\TpScrex.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\explorer.exe
    C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
    C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files\AVG Secure Search\vprot.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.be/
    uInternet Settings,ProxyServer = http=127.0.0.1:56485
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Do-Not-Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
    BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.2.0.3\AVG Secure Search_toolbar.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.2.0.3\AVG Secure Search_toolbar.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Send Image to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Send Page to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DA58ACA7-18A6-403A-93DA-6E4172D43709} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{1A24EB47-F347-4B1E-B12F-758B964E2219} : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{1A24EB47-F347-4B1E-B12F-758B964E2219}\2626F68723D226364636 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{1A24EB47-F347-4B1E-B12F-758B964E2219}\3516D6E65647B2 : DhcpNameServer = 195.130.131.3 195.130.130.131
    TCP: Interfaces\{1A24EB47-F347-4B1E-B12F-758B964E2219}\4756C656E65647D22383341433 : DhcpNameServer = 195.130.130.131 195.130.131.131
    TCP: Interfaces\{1A24EB47-F347-4B1E-B12F-758B964E2219}\64F4E4F52454C4741434F4D4 : DhcpNameServer = 195.238.2.22 195.238.2.21
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.2.0\ViProtocol.dll
    Notify: psfus - c:\program files\thinkvantage fingerprint software\psqlpwd.dll
    LSA: Notification Packages = scecli c:\program files\thinkvantage fingerprint software\psqlpwd.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\allan\appdata\roaming\mozilla\firefox\profiles\vfdkukfx.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.groupon.be
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B1b53b458-fcef-4c31-8656-0b9e3424ef7a%7D&mid=3c743414b9ff47d1866fd15560310a70-2e6a920ce435be2d3de1acc173fe350ba13a45d4&ds=AVG&v=10.2.0.3&lang=nl&pr=fr&d=2012-03-27%2021%3A42%3A07&sap=ku&q=
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 56485
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\nitro pdf\reader 2\npdf.dll
    FF - plugin: c:\program files\nitro pdf\reader 2\npnitromozilla.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-2-22 235216]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-2-22 299472]
    R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2011-5-25 13680]
    R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
    R2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\lenovo\virtscrl\lvvsst.exe [2011-5-25 93032]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-3-28 652360]
    R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\nitro pdf\reader 2\NitroPDFReaderDriverService2.exe [2011-10-25 196904]
    R2 smihlp;SMI Helper Driver (smihlp);c:\program files\thinkvantage fingerprint software\smihlp.sys [2009-3-13 12560]
    R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\lenovo\hotkey\tphkload.exe [2011-5-25 99328]
    R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2011-5-25 64440]
    R2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\10.2.0\ToolbarUpdater.exe [2012-3-27 918880]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
    R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2011-5-25 45736]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-5-25 29472]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-3-28 20464]
    R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for 32-bit Windows Vista;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-14 661504]
    S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\avgidsehx.sys [2011-12-23 22992]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-2-14 5104992]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-11-16 136176]
    S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2011-5-25 45496]
    S2 veteboot;Acsvc;c:\windows\system32\svchost.exe -k netsvcs [2009-7-14 20992]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-11-16 136176]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-5-25 15872]
    S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [2011-5-27 131888]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-25 52224]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-5-25 1343400]
    .
    =============== Created Last 30 ================
    .
    2012-03-28 10:23:15 -------- d-----w- c:\users\allan\appdata\roaming\Malwarebytes
    2012-03-28 10:22:58 -------- d-----w- c:\programdata\Malwarebytes
    2012-03-28 10:22:57 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-28 10:22:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-03-28 09:17:12 -------- d-----w- c:\users\allan\appdata\roaming\AVG2012
    2012-03-28 09:16:20 -------- d-----w- c:\program files\AVG Secure Search
    2012-03-28 09:15:25 -------- d-----w- c:\programdata\AVG2012
    2012-03-28 09:14:48 -------- d-----w- c:\program files\AVG
    2012-03-28 09:11:27 -------- d-sh--w- C:\$RECYCLE.BIN
    2012-03-28 09:11:24 -------- d-----w- c:\users\allan\appdata\local\temp
    2012-03-27 19:42:05 -------- d-----w- c:\programdata\AVG Secure Search
    2012-03-27 19:42:03 -------- d-----w- c:\program files\common files\AVG Secure Search
    2012-03-27 19:04:10 98816 ----a-w- c:\windows\sed.exe
    2012-03-27 19:04:10 518144 ----a-w- c:\windows\SWREG.exe
    2012-03-27 19:04:10 256000 ----a-w- c:\windows\PEV.exe
    2012-03-27 19:04:10 208896 ----a-w- c:\windows\MBR.exe
    2012-03-27 17:08:38 -------- d-----w- c:\program files\Audacity
    2012-03-19 10:47:59 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
    2012-03-19 10:47:59 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
    2012-03-14 16:31:11 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-03-14 16:31:10 3913584 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-03-14 14:37:52 2343424 ----a-w- c:\windows\system32\win32k.sys
    2012-03-14 14:37:50 1077248 ----a-w- c:\windows\system32\DWrite.dll
    2012-03-14 14:37:31 919040 ----a-w- c:\windows\system32\rdpcorets.dll
    2012-03-14 14:37:30 826880 ----a-w- c:\windows\system32\rdpcore.dll
    2012-03-14 14:37:30 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    2012-03-14 14:37:30 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-03-14 14:37:29 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-03-14 14:37:28 58880 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-03-14 14:37:28 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
    .
    ==================== Find3M ====================
    .
    2012-03-27 15:53:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-02-22 03:25:52 299472 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2012-02-22 03:25:32 235216 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2012-01-31 02:46:50 31952 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2012-01-05 07:24:29 428088 ----a-w- c:\windows\system32\drivers\sptd.sys
    2012-01-04 08:58:41 442880 ----a-w- c:\windows\system32\ntshrui.dll
    2011-12-30 05:27:56 478720 ----a-w- c:\windows\system32\timedate.cpl
    .
    ============= FINISH: 13:34:53,62 ===============

    and the Attach log:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 25/05/2011 15:05:40
    System Uptime: 28/03/2012 11:00:57 (2 hours ago)
    .
    Motherboard: LENOVO | | 64608RG
    Processor: Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz | None | 792/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 112 GiB total, 2,581 GiB free.
    D: is CDROM (UDF)
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {53d29ef7-377c-4d14-864b-eb3a85769359}
    Description: TouchChip Fingerprint Coprocessor (WBF advanced mode)
    Device ID: USB\VID_0483&PID_2016\5&295BD535&0&2
    Manufacturer: UPEK
    Name: TouchChip Fingerprint Coprocessor (WBF advanced mode)
    PNP Device ID: USB\VID_0483&PID_2016\5&295BD535&0&2
    Service: WUDFRd
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    AC3Filter (remove only)
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader X (10.1.2)
    Apple Application Support
    Apple Software Update
    µTorrent
    Audacity 2.0
    AVG 2012
    BS.Player FREE
    DAEMON Tools Lite
    Google Chrome
    Google Update Helper
    Hamster Lite Archiver 2.0.0.16
    Java Auto Updater
    Java(TM) 6 Update 29
    Lenovo Auto Scroll Utility
    Lenovo System Interface Driver
    Malwarebytes Anti-Malware version 1.60.1.1000
    Microsoft .NET Framework 4 Client Profile
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Access MUI (Dutch) 2007
    Microsoft Office Excel MUI (Dutch) 2007
    Microsoft Office InfoPath MUI (Dutch) 2007
    Microsoft Office Outlook MUI (Dutch) 2007
    Microsoft Office PowerPoint MUI (Dutch) 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (Dutch) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (German) 2007
    Microsoft Office Proofing (Dutch) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (Dutch) 2007
    Microsoft Office Shared MUI (Dutch) 2007
    Microsoft Office Word MUI (Dutch) 2007
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Mistral
    Mozilla Firefox 11.0 (x86 nl)
    Nitro PDF Reader 2
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    ParetoLogic Data Recovery
    QuickTime
    Recuva
    RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.02
    Samsung Universal Print Driver
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Skype Click to Call
    Skype™ 5.5
    SoundMAX
    ThinkPad Bluetooth with Enhanced Data Rate Software
    ThinkPad FullScreen Magnifier
    ThinkPad Hotkey Features Integration Setup
    ThinkPad Power Management Driver
    ThinkPad UltraNav-hulpprogramma
    ThinkPad UltraNav Driver
    ThinkVantage Fingerprint Software
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2597970) 32-Bit Edition
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update voor Microsoft Office Excel 2007 Help (KB963678)
    Update voor Microsoft Office Powerpoint 2007 Help (KB963669)
    Update voor Microsoft Office Word 2007 Help (KB963665)
    VLC media player 1.1.11
    Weergave op scherm
    Windows Driver Package - Broadcom (BTHUSB) Bluetooth (04/08/2010 6.3.5.430)
    Windows Driver Package - Broadcom HIDClass (07/28/2009 6.2.0.9800)
    YouTube Downloader 2.7.4
    .
    ==== End Of File ===========================
     
  4. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===================================================================

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
Topic Status:
Not open for further replies.
