TechSpot

Browser slow downs, rootkit detected

By qsceszwsxasd
Mar 21, 2011
  1. I've had problems with pages loading slowly, and I wasn't sure whether it was the ISP or something else, so I ran a bunch of scanners and found nothing. However, running ComboFix detected rootkit activity, which got me worried.

    I recently reformatted my computer after AVG's shield started giving warnings about Win32/Heur. Various scanners couldn't find anything then, either.

    MBAM LOG:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6126

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    3/21/2011 10:15:48 PM
    mbam-log-2011-03-21 (22-15-48).txt

    Scan type: Quick scan
    Objects scanned: 135629
    Time elapsed: 2 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER LOG:

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit quick scan 2011-03-21 22:18:56
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3250823NS rev.5.00
    Running: ckb0nmko.exe; Driver: C:\DOCUME~1\username\LOCALS~1\Temp\uxtdypog.sys


    ---- System - GMER 1.0.15 ----

    SSDT sptd.sys ZwEnumerateKey [0xF75380EE]
    SSDT sptd.sys ZwEnumerateValueKey [0xF753847C]

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort0 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort1 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort2 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort3 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\JRAID \Device\Scsi\JRAID1Port4Path0Target0Lun0 8A16E1E8
    Device \Driver\JRAID \Device\Scsi\JRAID1 8A16E1E8
    Device \Driver\an8gi89l \Device\Scsi\an8gi89l1Port5Path0Target0Lun0 89FDD1E8
    Device \Driver\an8gi89l \Device\Scsi\an8gi89l1 89FDD1E8
    Device \FileSystem\Ntfs \Ntfs 8A19C1E8

    ---- EOF - GMER 1.0.15 ----

    DDS LOG:

    DDS (Ver_11-03-05.01) - NTFSx86
    Run by username at 22:19:51.60 on Mon 03/21/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.2612 [GMT -4:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Real\RealPlayer\update\realsched.exe
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Documents and Settings\username\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://start.facemoods.com/?a=ddr
    uDefault_Search_URL = hxxp://www.google.com/
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
    uRun: [Gadwin PrintScreen] c:\program files\gadwin systems\printscreen\PrintScreen.exe /nosplash
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
    mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    uPolicies-explorer: NoResolveTrack = 1 (0x1)
    uPolicies-explorer: NoInstrumentation = 1 (0x1)
    uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
    uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    dPolicies-explorer: NoResolveTrack = 1 (0x1)
    dPolicies-explorer: NoInstrumentation = 1 (0x1)
    dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
    dPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    Trusted Zone: google.ca\www
    Trusted Zone: leagueoflegends.com\www
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SecurityProviders: schannel.dll, credssp.dll, digest.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\username\applic~1\mozilla\firefox\profiles\tzjge6wq.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\documents and settings\username\application data\mozilla\firefox\profiles\tzjge6wq.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\program files\veetle\player\npvlc.dll
    FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
    FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: Linkification: {35106bca-6c78-48c7-ac28-56df30b51d2a} - %profile%\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}
    FF - Ext: Password Exporter: {B17C1C5A-04B1-11DB-9804-B622A1EF5492} - %profile%\extensions\{B17C1C5A-04B1-11DB-9804-B622A1EF5492}
    FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
    FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
    FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    .
    ============= SERVICES / DRIVERS ===============
    .
    R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
    R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2011-3-17 35840]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2010-10-13 101904]
    S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
    .
    =============== Created Last 30 ================
    .
    2011-03-22 02:10:34 -------- d-----w- c:\docume~1\username\applic~1\Malwarebytes
    2011-03-22 02:10:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-22 02:10:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-03-22 02:10:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-22 02:10:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-22 02:06:51 -------- d-----w- c:\windows\system32\xircom
    2011-03-22 02:06:51 -------- d-----w- c:\windows\system32\wbem\snmp
    2011-03-22 02:06:51 -------- d-----w- c:\windows\srchasst
    2011-03-22 01:45:27 -------- d-sha-r- C:\cmdcons
    2011-03-22 01:44:43 98816 ----a-w- c:\windows\sed.exe
    2011-03-22 01:44:43 89088 ----a-w- c:\windows\MBR.exe
    2011-03-22 01:44:43 256512 ----a-w- c:\windows\PEV.exe
    2011-03-22 01:44:43 161792 ----a-w- c:\windows\SWREG.exe
    2011-03-21 00:59:06 823296 ----a-w- c:\windows\j3dcore-d3d.dll
    2011-03-21 00:59:06 49152 ----a-w- c:\windows\j3dcore-ogl-chk.dll
    2011-03-21 00:59:06 40960 ----a-w- c:\windows\j3dcore-ogl-cg.dll
    2011-03-21 00:59:06 163840 ----a-w- c:\windows\j3dcore-ogl.dll
    2011-03-21 00:58:56 -------- d-----w- c:\docume~1\username\locals~1\applic~1\{3225C812-5FB8-41CE-B15F-997F80151000}
    2011-03-21 00:51:52 -------- d-----w- c:\docume~1\username\applic~1\updatetool
    2011-03-21 00:50:50 -------- d-----w- C:\glassfish3
    2011-03-20 02:05:34 -------- d-----w- c:\program files\SopCast
    2011-03-20 02:02:53 -------- d-----w- c:\windows\system32\TVUAx
    2011-03-20 02:01:00 -------- d-----w- c:\program files\Veetle
    2011-03-19 04:46:15 -------- d-----w- c:\docume~1\username\applic~1\.minecraft
    2011-03-17 20:58:03 -------- d-----w- c:\docume~1\username\applic~1\Ubisoft
    2011-03-17 20:47:53 189248 ----a-w- c:\windows\system32\PnkBstrB.exe
    2011-03-17 20:47:52 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
    2011-03-17 20:47:52 -------- d-----w- c:\docume~1\username\applic~1\PunkBuster
    2011-03-17 20:25:31 -------- d-----w- c:\docume~1\username\applic~1\LolClient
    2011-03-17 20:13:00 -------- d-----w- c:\windows\Logs
    2011-03-17 20:07:09 -------- d-----w- c:\docume~1\username\locals~1\applic~1\Temp
    2011-03-17 19:49:48 -------- d-----w- c:\docume~1\username\locals~1\applic~1\PMB Files
    2011-03-17 19:49:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\PMB Files
    2011-03-17 19:49:32 -------- d-----w- c:\program files\Pando Networks
    2011-03-17 17:52:54 -------- d-----w- c:\docume~1\username\locals~1\applic~1\Jaksta_Technologies_Pty_L
    2011-03-17 17:50:58 -------- d-----w- c:\windows\system32\LogFiles
    2011-03-17 17:50:44 -------- d-----w- c:\docume~1\username\applic~1\Replay Media Catcher 4
    2011-03-17 17:50:40 -------- d-----w- c:\program files\Applian Technologies
    2011-03-17 17:29:54 -------- d-----w- c:\program files\VideoLAN
    2011-03-17 17:23:12 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
    2011-03-17 17:22:22 -------- d-----w- c:\program files\IrfanView
    2011-03-17 17:14:13 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll
    2011-03-17 17:14:07 -------- d-----w- c:\program files\common files\xing shared
    2011-03-17 17:14:04 150712 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
    2011-03-17 17:14:03 100864 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
    2011-03-17 17:03:22 -------- d-----w- c:\program files\Steam
    2011-03-17 17:01:23 165376 ----a-w- c:\windows\system32\unrar.dll
    2011-03-17 17:01:22 -------- d-----w- c:\program files\K-Lite Codec Pack
    2011-03-17 16:58:58 -------- d-----w- c:\docume~1\username\locals~1\applic~1\Apple Computer
    2011-03-17 16:42:48 -------- d-----w- c:\program files\JDownloader
    2011-03-17 16:39:44 -------- d-----w- c:\program files\GRETECH
    2011-03-17 16:39:19 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2011-03-17 16:33:00 -------- d-----w- c:\program files\Gadwin Systems
    2011-03-17 16:27:49 -------- d-----w- c:\program files\common files\DivX Shared
    2011-03-17 16:27:37 -------- d-----w- c:\program files\DivX
    2011-03-17 16:20:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\DivX
    2011-03-17 16:19:54 -------- d-----w- c:\program files\DAEMON Tools Lite
    2011-03-17 16:19:39 -------- d-----w- c:\docume~1\username\applic~1\DAEMON Tools Lite
    2011-03-17 16:19:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
    2011-03-17 16:14:37 -------- d-----w- c:\program files\BitComet
    2011-03-17 16:14:37 -------- d-----w- c:\docume~1\username\applic~1\BitComet
    2011-03-17 16:13:37 -------- d-----w- c:\program files\CDisplay
    2011-03-17 15:53:31 -------- d-----w- c:\docume~1\username\locals~1\applic~1\Adobe
    2011-03-17 15:52:30 497664 ----a-w- c:\windows\system32\ac3filter.acm
    2011-03-17 15:52:29 -------- d-----w- c:\program files\AC3Filter
    2011-03-17 15:38:26 8704 ----a-w- c:\windows\system32\kbdjpn.dll
    2011-03-17 15:38:26 8192 ----a-w- c:\windows\system32\kbdkor.dll
    2011-03-17 15:38:26 6144 ----a-w- c:\windows\system32\kbd106.dll
    2011-03-17 15:38:26 6144 ----a-w- c:\windows\system32\kbd101c.dll
    2011-03-17 15:38:26 6144 ----a-w- c:\windows\system32\kbd101b.dll
    2011-03-17 15:38:26 5632 ----a-w- c:\windows\system32\kbd103.dll
    2011-03-17 15:27:26 -------- d-sh--w- c:\documents and settings\username\IECompatCache
    2011-03-17 09:23:15 -------- d-----w- c:\program files\ATI
    2011-03-17 09:22:55 -------- d-----w- c:\program files\ATI Technologies
    2011-03-17 09:21:54 -------- d-----w- c:\program files\common files\Hewlett-Packard
    2011-03-17 09:21:24 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2011-03-17 09:21:18 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2011-03-17 09:19:41 1953792 ----a-w- c:\windows\system32\xRaidSetup.exe
    2011-03-17 09:19:41 143360 ----a-w- c:\windows\system32\xRaidAPI.dll
    2011-03-17 09:19:39 -------- d-----w- c:\windows\RaidTool
    2011-03-17 09:18:25 6912 ----a-w- c:\windows\system32\drivers\JGOGO.sys
    2011-03-17 09:18:25 46208 ----a-w- c:\windows\system32\drivers\jraid.sys
    2011-03-17 09:18:07 -------- d-----w- c:\windows\system32\Attansic
    2011-03-17 09:18:05 57344 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\ctor.dll
    2011-03-17 09:18:05 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\DotNetInstaller.exe
    2011-03-17 09:18:05 237568 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\iscript.dll
    2011-03-17 09:18:05 151552 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\iuser.dll
    2011-03-17 09:18:05 -------- d-----w- c:\program files\Attansic
    2011-03-17 09:18:04 634880 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\iKernel.dll
    2011-03-17 09:18:04 270468 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\Setup.dll
    2011-03-17 09:18:04 159876 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\IGdi.dll
    2011-03-17 09:15:27 -------- d-----w- c:\windows\system32\ReinstallBackups
    2011-03-17 09:15:25 53248 ----a-w- c:\windows\system32\CSVer.dll
    .
    ==================== Find3M ====================
    .
    2011-03-17 17:14:01 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2011-03-17 01:34:57 0 ----a-w- c:\windows\ativpsrm.bin
    2011-02-03 01:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 23:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
    .
    ============= FINISH: 22:20:07.14 ===============
     
  2. Broni


    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =========================================================================

    Most likely, you wasted your time.
    AVG has been plagued lately with that kind of false positives.

    Now....
    1. Attach.txt part of DDS is missing. Please, post it.
    2. I don't see any AV program running.
    Please, install one of these:
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
    - Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
    Update, run full scan, report on any findings.

    ======================================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ========================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled, as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. qsceszwsxasd


    I forgot to add that ComboFix was detecting rootkit activity along with AVG detecting Win32/Heur pre-reformat.

    DDS Attach:

    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/16/2011 7:55:21 PM
    System Uptime: 3/21/2011 10:11:47 PM (0 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | P5B-E
    Processor: Intel(R) Pentium(R) D CPU 3.40GHz | Socket 775 | 3410/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 116 GiB total, 99.454 GiB free.
    D: is FIXED (NTFS) - 116 GiB total, 114.028 GiB free.
    E: is CDROM ()
    F: is FIXED (NTFS) - 466 GiB total, 328.824 GiB free.
    G: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description:
    Device ID: ACPI\ATK0110\1010110
    Manufacturer:
    Name:
    PNP Device ID: ACPI\ATK0110\1010110
    Service:
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    7-Zip 9.20
    AC3Filter 1.63b
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Reader X (10.0.1)
    AiO_Scan
    Apple Application Support
    Apple Software Update
    Assassin's Creed Brotherhood
    ATI Catalyst Install Manager
    Attansic Giga Ethernet Utility
    Attansic L1 Gigabit Ethernet Driver
    Audacity 1.3.12 (Unicode)
    BitComet 1.26
    DAEMON Tools Lite
    DivX Setup
    Gadwin PrintScreen
    GOM Player
    HP Image Zone 4.7
    HP PSC & OfficeJet 4.7
    IrfanView (remove only)
    Java 3D 1.5.1
    Java Auto Updater
    Java(TM) 6 Update 24
    JDownloader
    JMB36X Raid Configurer
    K-Lite Codec Pack 7.0.0 (Basic)
    League of Legends
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - SP1 x86 8.0.59193
    Microsoft Visual C++ 2008 Redistributable - SP1 x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Mozilla Firefox (3.6.15)
    Pando Media Booster
    PunkBuster Services
    QFolder
    QuickTime
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    RealUpgrade 1.1
    Replay Media Catcher 4
    Scan
    Security Update for CAPICOM (KB931906)
    SopCast 3.3.2
    SoundMAX
    Steam
    Ubisoft Game Launcher
    Unlocker 1.9.0
    VC80CRTRedist - 8.0.50727.4053
    Veetle TV 0.9.18
    VLC media player 1.1.7
    WebFldrs XP
    WinRAR archiver
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/16/2011 7:58:20 PM, information: Windows File Protection [64032] - Windows File Protection is not active on this system.
    .
    ==== End Of File ===========================

    Avira Scan:

    Avira AntiVir Personal
    Report file date: Tuesday, March 22, 2011 12:35

    Scanning for 2521106 virus strains and unwanted programs.

    The program is running as an unrestricted full version.
    Online services are available:

    Licensee : Avira AntiVir Personal - FREE Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows XP
    Windows version : (Service Pack 3) [5.1.2600]
    Boot mode : Normally booted
    Username : SYSTEM
    Computer name : USER

    Version information:

    Configuration settings for the scan:
    Jobname.............................: Complete system scan
    Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
    Logging.............................: low
    Primary action......................: interactive
    Secondary action....................: ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Boot sectors........................: C:, D:, F:,
    Process scan........................: on
    Extended process scan...............: on
    Scan registry.......................: on
    Search for rootkits.................: on
    Integrity checking of system files..: off
    Scan all files......................: All files
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: medium

    Start of the scan: Tuesday, March 22, 2011 12:35

    Starting search for hidden objects.
    c:\program files\adobe\reader 10.0\reader\acrord32.exe
    c:\program files\adobe\reader 10.0\reader\acrord32.exe
    [NOTE] The process is not visible.
    c:\program files\adobe\reader 10.0\reader\acrord32.exe
    c:\program files\adobe\reader 10.0\reader\acrord32.exe
    c:\program files\adobe\reader 10.0\reader\acrord32.exe
    c:\program files\adobe\reader 10.0\reader\acrord32.exe
    c:\program files\adobe\reader 10.0\reader\acrord32.exe

    The scan of running processes will be started
    Scan process 'rsmsink.exe' - '30' Module(s) have been scanned
    Scan process 'avscan.exe' - '74' Module(s) have been scanned
    Scan process 'GOM.exe' - '101' Module(s) have been scanned
    Scan process 'avcenter.exe' - '68' Module(s) have been scanned
    Scan process 'msdtc.exe' - '46' Module(s) have been scanned
    Scan process 'dllhost.exe' - '65' Module(s) have been scanned
    Scan process 'dllhost.exe' - '47' Module(s) have been scanned
    Scan process 'vssvc.exe' - '50' Module(s) have been scanned
    Scan process 'avgnt.exe' - '56' Module(s) have been scanned
    Scan process 'sched.exe' - '48' Module(s) have been scanned
    Scan process 'avshadow.exe' - '28' Module(s) have been scanned
    Scan process 'avguard.exe' - '56' Module(s) have been scanned
    Scan process 'svchost.exe' - '36' Module(s) have been scanned
    Scan process 'explorer.exe' - '131' Module(s) have been scanned
    Scan process 'ctfmon.exe' - '30' Module(s) have been scanned
    Scan process 'alg.exe' - '35' Module(s) have been scanned
    Scan process 'svchost.exe' - '41' Module(s) have been scanned
    Scan process 'PnkBstrA.exe' - '26' Module(s) have been scanned
    Scan process 'HPZipm12.exe' - '20' Module(s) have been scanned
    Scan process 'jqs.exe' - '35' Module(s) have been scanned
    Scan process 'svchost.exe' - '36' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '53' Module(s) have been scanned
    Scan process 'svchost.exe' - '47' Module(s) have been scanned
    Scan process 'Ati2evxx.exe' - '35' Module(s) have been scanned
    Scan process 'svchost.exe' - '34' Module(s) have been scanned
    Scan process 'svchost.exe' - '158' Module(s) have been scanned
    Scan process 'svchost.exe' - '45' Module(s) have been scanned
    Scan process 'svchost.exe' - '55' Module(s) have been scanned
    Scan process 'Ati2evxx.exe' - '30' Module(s) have been scanned
    Scan process 'lsass.exe' - '66' Module(s) have been scanned
    Scan process 'services.exe' - '40' Module(s) have been scanned
    Scan process 'winlogon.exe' - '81' Module(s) have been scanned
    Scan process 'csrss.exe' - '17' Module(s) have been scanned
    Scan process 'smss.exe' - '2' Module(s) have been scanned

    Starting master boot sector scan:
    Master boot sector HD0
    [INFO] No virus was found!
    Master boot sector HD1
    [INFO] No virus was found!

    Start scanning boot sectors:
    Boot sector 'C:\'
    [INFO] No virus was found!
    Boot sector 'D:\'
    [INFO] No virus was found!
    Boot sector 'F:\'
    [INFO] No virus was found!

    Starting to scan executable files (registry).
    The registry was scanned ( '1650' files ).


    Starting the file scan:

    Begin scan in 'C:\'
    Begin scan in 'D:\'
    Begin scan in 'F:\' <FreeAgent Drive>


    End of the scan: Tuesday, March 22, 2011 12:56
    Used time: 20:31 Minute(s)

    The scan has been done completely.

    8769 Scanned directories
    328391 Files were scanned
    0 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 files were deleted
    0 Viruses and unwanted programs were repaired
    0 Files were moved to quarantine
    0 Files were renamed
    0 Files cannot be scanned
    328391 Files not concerned
    3710 Archives were scanned
    0 Warnings
    0 Notes
    227775 Objects were scanned with rootkit scan
    6 Hidden objects were found

    MBRCheck:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000007d

    Kernel Drivers (total 137):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806FF000 \WINDOWS\system32\hal.dll
    0xF7987000 \WINDOWS\system32\KDCOM.DLL
    0xF7897000 \WINDOWS\system32\BOOTVID.dll
    0xF74C6000 sptd.sys
    0xF7989000 \WINDOWS\System32\Drivers\WMILIB.SYS
    0xF74AE000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
    0xF7480000 ACPI.sys
    0xF746F000 pci.sys
    0xF75F7000 ohci1394.sys
    0xF7607000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xF7617000 isapnp.sys
    0xF7A4F000 pciide.sys
    0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7627000 MountMgr.sys
    0xF7858000 ftdisk.sys
    0xF798B000 dmload.sys
    0xF7832000 dmio.sys
    0xF770F000 PartMgr.sys
    0xF7637000 VolSnap.sys
    0xF796F000 atapi.sys
    0xF7647000 jraid.sys
    0xBA7EA000 Si3112.sys
    0xF7657000 disk.sys
    0xF7667000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xBA72A000 fltMgr.sys
    0xBA718000 sr.sys
    0xBA701000 KSecDD.sys
    0xBA674000 Ntfs.sys
    0xBA647000 NDIS.sys
    0xBA62D000 Mup.sys
    0xF798D000 JGOGO.sys
    0xF76D7000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xBA029000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xBA015000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB9FED000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF7757000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB9FC9000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7767000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF76E7000 \SystemRoot\system32\DRIVERS\atl01_xp.sys
    0xF76F7000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF745F000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF744F000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xB9F06000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF743F000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xF742F000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF7937000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xF7787000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xB9ECA000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF741F000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF7797000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xB9E8D000 \SystemRoot\System32\Drivers\ah3xsqtl.SYS
    0xBA5B6000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF740F000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xBA609000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB9E76000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF7887000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF7877000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF781F000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB9E64000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA7DA000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF774F000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF776F000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xBA7CA000 \SystemRoot\system32\DRIVERS\appliand.sys
    0xB9D94000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xBA7BA000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF778F000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7999000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB9CE6000 \SystemRoot\system32\DRIVERS\update.sys
    0xBA5E5000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xBA7AA000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xADC80000 \SystemRoot\system32\drivers\AtihdXP3.sys
    0xADC5C000 \SystemRoot\system32\drivers\portcls.sys
    0xBA77A000 \SystemRoot\system32\drivers\drmk.sys
    0xBA76A000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF79A1000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xADC0E000 \SystemRoot\system32\drivers\ADIHdAud.sys
    0xADBF6000 \SystemRoot\system32\drivers\AEAudio.sys
    0xADB96000 \SystemRoot\system32\drivers\Senfilt.sys
    0xF77CF000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0xB9EF2000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7A53000 \SystemRoot\System32\Drivers\Null.SYS
    0xF79A7000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF77E7000 \SystemRoot\System32\drivers\vga.sys
    0xF79AB000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF79AF000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF77F7000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7807000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB9EEA000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xADAFB000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xADAA2000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xADA7A000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xADA54000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xBA74A000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xADA0A000 \SystemRoot\System32\drivers\afd.sys
    0xB9FB9000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xB9FA9000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xAD93F000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xAD8CF000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xB9F99000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF7777000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xB9D8C000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xB9CD2000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xB9F79000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xB9D7C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xB9CCA000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xB9F69000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xAD8B7000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF79B7000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xADB52000 \SystemRoot\System32\drivers\Dxapi.sys
    0xB9D54000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7A61000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF060000 \SystemRoot\System32\ati2cqag.dll
    0xBF108000 \SystemRoot\System32\atikvmag.dll
    0xBF1B1000 \SystemRoot\System32\atiok3x2.dll
    0xBF216000 \SystemRoot\System32\ati3duag.dll
    0xBF9C7000 \SystemRoot\System32\ativvaxx.dll
    0xAAD72000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xAAA38000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xF79EB000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xAAD1A000 \SystemRoot\System32\Drivers\Aspi32.SYS
    0xAA97C000 \SystemRoot\system32\DRIVERS\srv.sys
    0xAA827000 \SystemRoot\system32\drivers\wdmaud.sys
    0xAA914000 \SystemRoot\system32\drivers\sysaudio.sys
    0xF77D7000 \??\C:\DOCUME~1\username\LOCALS~1\Temp\catchme.sys
    0xF79E3000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
    0xAA3C4000 \SystemRoot\System32\Drivers\HTTP.sys
    0xA9E29000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0xF79C5000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    0xA9E14000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xA9D28000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xA9C5D000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll
    0x10000000 \Program Files\DAEMON Tools Lite\Engine.dll

    Processes (total 31):
    0 System Idle Process
    4 System
    864 C:\WINDOWS\system32\smss.exe
    936 csrss.exe
    968 C:\WINDOWS\system32\winlogon.exe
    1016 C:\WINDOWS\system32\services.exe
    1028 C:\WINDOWS\system32\lsass.exe
    1192 C:\WINDOWS\system32\ati2evxx.exe
    1224 C:\WINDOWS\system32\svchost.exe
    1300 svchost.exe
    1440 C:\WINDOWS\system32\svchost.exe
    1560 svchost.exe
    1692 C:\WINDOWS\system32\ati2evxx.exe
    1712 svchost.exe
    1948 C:\WINDOWS\system32\spoolsv.exe
    2008 svchost.exe
    172 C:\Program Files\Java\jre6\bin\jqs.exe
    232 C:\WINDOWS\system32\HPZipm12.exe
    256 C:\WINDOWS\system32\PnkBstrA.exe
    292 C:\WINDOWS\system32\svchost.exe
    1516 alg.exe
    1648 C:\WINDOWS\system32\ctfmon.exe
    608 C:\WINDOWS\explorer.exe
    1536 C:\WINDOWS\system32\svchost.exe
    2692 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    4020 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    3564 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    2648 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    660 C:\WINDOWS\system32\dllhost.exe
    1576 msdtc.exe
    3512 C:\Documents and Settings\username\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x0000001d`1c073e00 (NTFS)
    \\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: ST3250823NS, Rev: 5.00
    PhysicalDrive1 Model Number: SeagateFreeAgent, Rev: 102F

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    465 GB \\.\PhysicalDrive1 RE: Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

    Done!

    ComboFix log:

    ComboFix 11-03-21.02 - username 03/22/2011 13:30:45.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.2599 [GMT -4:00]
    Running from: c:\documents and settings\username\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-22 to 2011-03-22 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-21 00:50 . 2011-03-21 00:51 -------- d-----w- C:\glassfish3
    2011-03-17 15:26 . 2011-03-22 17:22 -------- d-----w- C:\Downloads
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ------- Sigcheck -------
    .
    [-] 2010-10-13 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
    .
    .
    c:\windows\System32\wscntfy.exe ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
    "Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2010-10-14 487424]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-03-16 868352]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
    "36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-02-15 1230704]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-03-17 273544]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2009-03-07 128512]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoRecentDocsNetHood"= 1 (0x1)
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoRecentDocsNetHood"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders schannel.dll, credssp.dll, digest.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\BitComet\\BitComet.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "d:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
    "d:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
    "c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "17698:TCP"= 17698:TCP:BitComet 17698 TCP
    "17698:UDP"= 17698:UDP:BitComet 17698 UDP
    "56872:TCP"= 56872:TCP:pando Media Booster
    "56872:UDP"= 56872:UDP:pando Media Booster
    "8381:TCP"= 8381:TCP:League of Legends Launcher
    "8381:UDP"= 8381:UDP:League of Legends Launcher
    .
    R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/22/2011 11:55 AM 135336]
    R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [6/24/2010 1:46 PM 28256]
    R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [3/17/2011 5:17 AM 35840]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [10/13/2010 12:47 AM 101904]
    S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [6/24/2010 1:46 PM 28256]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - SSMDRV
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1614895754-527237240-1417001333-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 18:25]
    .
    2011-03-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1614895754-527237240-1417001333-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 18:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uDefault_Search_URL = hxxp://www.google.com/
    Trusted Zone: google.ca\www
    FF - ProfilePath - c:\documents and settings\username\Application Data\Mozilla\Firefox\Profiles\tzjge6wq.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: Linkification: {35106bca-6c78-48c7-ac28-56df30b51d2a} - %profile%\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}
    FF - Ext: Password Exporter: {B17C1C5A-04B1-11DB-9804-B622A1EF5492} - %profile%\extensions\{B17C1C5A-04B1-11DB-9804-B622A1EF5492}
    FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
    FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
    FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-22 13:34
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(972)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    .
    Completion time: 2011-03-22 13:35:25
    ComboFix-quarantined-files.txt 2011-03-22 17:35
    ComboFix2.txt 2011-03-22 02:38
    .
    Pre-Run: 115,048,419,328 bytes free
    Post-Run: 115,398,103,040 bytes free
    .
    - - End Of File - - C32AEA0158291A92D46F52B7DE2E4ADB
     
  4. Broni

    Broni Malware Annihilator Posts: 46,860   +254

    I don't see anything malicious in your logs, but you have a problem with a couple of system files.

    What kind of disk did you use to reinstall Windows?
     