System Check Trojan

By Heavywood · 46 replies
Mar 21, 2012
  1. Had this Trojan pop up the other day after running Malwarebytes. Fortunately I was able to find this site. Thanks for all the help in advance.

    Ran Avast first off. Ran Malwarebytes again:

    Malwarebytes Anti-Malware

    Database version: v2012.03.19.05

    Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.6001.18702
    Robert Moulton :: GAMER [administrator]

    3/20/2012 5:12:34 PM
    mbam-log-2012-03-20 (17-12-34).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 489890
    Time elapsed: 1 hour(s), 39 minute(s), 31 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 3
    C:\Documents and Settings\Robert Moulton\Desktop\setup_av_free.exe (PUP.BundleInstaller.OI) -> No action taken.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP112\A0031656.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP112\A0031657.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

  2. Heavywood

    Heavywood TS Rookie Topic Starter Posts: 29

    GMER -
    Rootkit scan 2012-03-21 18:22:59
    Windows 5.1.2600 Service Pack 3
    Running: 4qi37m06.exe; Driver: C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\kxtdqpow.sys

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x38 0x8F 0xBA 0x91 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x38 0x8F 0xBA 0x91 ...

    ---- EOF - GMER 1.0.15 ----
  3. Heavywood

    Heavywood TS Rookie Topic Starter Posts: 29

    I tried running the DDS Script in safe mode, but got a blue screen about a Driver IRQL not less or equal. I'm unsure if that is related or not, but that pops up every time I'm in standard Windows mode.
  4. Broni

    Broni Malware Annihilator Posts: 54,257   +383

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.


    Any particular reason why you try to run all scans from safe mode?

    Your MBAM log says "No action taken".
    Re-run it, fix ALL issues and post new log.
  5. Heavywood

    Heavywood TS Rookie Topic Starter Posts: 29

    I didn't have the program delete the one file because I recognized it as the program I used to download Avast antivirus.

    I'm running all these in safe mode because normal Windows mode is crashing on me after 10-15 minutes with the same error I get when running DDS script.

    I'll run the scan again though and post up results. I suspect whatever I removed is back because my search engine results are being hijacked again.
  6. Broni

    Broni Malware Annihilator Posts: 54,257   +383

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
  7. Heavywood

    Heavywood TS Rookie Topic Starter Posts: 29

    I've downloaded both tools, but I'm unable to get aswMBR to open. I've double clicked, hit enter, and tried right clicking and opening. Should I still run the Bootkit program?
  8. Heavywood

    Heavywood TS Rookie Topic Starter Posts: 29

    I ran the bootkit program; I didn't see what harm it would do. Results:

    Bootkit Remover
    (c) 2009 Esage Lab

    Program version:
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00

    Size Device Name MBR Status
    298 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]

    Press any key to quit...
  9. Broni

    Broni Malware Annihilator Posts: 54,257   +383

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
  10. Heavywood

    Heavywood TS Rookie Topic Starter Posts: 29

    I've downloaded that program as well, and it won't run either. My system acts like it is trying to open it, but nothing ends up opening.

    I tried in safe mode and normal mode. I've actually been in normal mode for 20 minutes with no crash, though it is pretty slow going.
  11. Broni

    Broni Malware Annihilator Posts: 54,257   +383

    You may not be patient enough, but let's check something else....

    Please download and run ListParts by Farbar (for 32-bit system) to your desktop.

    Please download and run ListParts64 by Farbar (for 64-bit system) to your desktop.

    Click on Scan button.

    Scan result will open in Notepad.
    Post it in your next reply.
  12. Heavywood

    Heavywood TS Rookie Topic Starter Posts: 29

    I've run the 32-bit program. Windows told me the 64-bit one isn't compatible.

    ListParts by Farbar Version: 12-03-2012 03
    Ran by Robert Moulton (administrator) on 22-03-2012 at 20:17:37
    Windows XP (X86)
    Running From: C:\Documents and Settings\Robert Moulton\Desktop
    Language: 0409

    ========================= Memory info ======================

    Percentage of memory in use: 50%
    Total physical RAM: 1022.09 MB
    Available physical RAM: 510.09 MB
    Total Pagefile: 2457.77 MB
    Available Pagefile: 1743.21 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1991.14 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:293.4 GB) (Free:19.02 GB) NTFS ==>[Drive with boot components (Windows XP)]
    3 Drive e: (ROMETWBI) (CDROM) (Total:0.64 GB) (Free:0 GB) CDFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B

    Partitions of Disk 0:

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 47 MB 32 KB
    Partition 2 Primary 293 GB 47 MB
    Partition 3 Unknown 4754 MB 293 GB
    Partition 4 Unknown 2544 KB 298 GB

    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 C NTFS Partition 293 GB Healthy Boot

    Disk: 0
    Partition 3
    Type : DB
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.

    Disk: 0
    Partition 4
    Type : 17 (Suspicious Type)
    Hidden: Yes
    Active: Yes

    There is no volume associated with this partition.

    ****** End Of Log ******
  13. Broni

    Broni Malware Annihilator Posts: 54,257   +383

    It looks like we have a rootkited partition there.

    Proceed with extreme caution!
    Deleting the wrong partition will result in your computer being unusable.
    If you have any doubts, ask.


    Download GETxPUD.exe to the desktop of your clean computer

    • Double click on GETxPUD.exe
    • A new folder will appear on the desktop.
    • Open the GETxPUD folder and click on the get&burn.bat
    • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
    • Insert blank CD into your CD drive.
    • Click on Start and follow the prompts to burn the image to a CD.
    • Boot bad computer from the CD
    • Click Menu then Terminal Emulator
    • Type parted /dev/sda set 2 boot on
    • Press Enter
    • Type parted /dev/sda rm 4
    • Press Enter
    • Remove xPUD CD, reboot, run aswMBR and post the log
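Added example, not code from the thread or from any of the tools used in it (ListParts, aswMBR, parted): a small Python triage script that parses an MBR partition table and flags the pattern the ListParts log shows above, a tiny hidden type-17 partition holding the active flag while the Windows partition has lost it, then derives the two parted commands from the findings. The sample MBR is constructed from the offsets and sizes in the logs; the device name /dev/sda is the one used above and is an assumption on any other machine.

```python
"""Triage a classic MBR for a hijacked active (boot) flag.

The bootkit pattern from the thread: a hidden, very small partition of a
"suspicious" type carries the 0x80 active flag, while the real Windows
partition has lost it, so the firmware hands control to the rogue entry.
"""
import struct

SECTOR_BYTES = 512
PART_TABLE_OFFSET = 0x1BE
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FORMAT = "<B3xB3xII"
ACTIVE_FLAG = 0x80

# 0x17 is "hidden NTFS/HPFS"; ListParts printed it as "Type : 17 (Suspicious Type)".
HIDDEN_DATA_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
NTFS_TYPE = 0x07
# Anything under 16 MB cannot hold an operating system volume.
TINY_SECTORS = (16 * 1024 * 1024) // SECTOR_BYTES


def make_entry(status, ptype, lba_start, sectors):
    """Pack one 16-byte partition entry (CHS fields zeroed, LBA only)."""
    return struct.pack(ENTRY_FORMAT, status, ptype, lba_start, sectors)


def build_mbr(entries):
    """Assemble a 512-byte MBR from up to four entries; boot code left as zeros."""
    table = b"".join(entries).ljust(4 * 16, b"\x00")
    return bytes(PART_TABLE_OFFSET) + table + b"\x55\xAA"


def parse_partition_table(mbr):
    """Return the non-empty primary entries as dicts, 1-based like ListParts."""
    if len(mbr) != SECTOR_BYTES or mbr[510:] != b"\x55\xAA":
        raise ValueError("not an MBR: wrong size or missing 0x55AA signature")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            ENTRY_FORMAT, mbr, PART_TABLE_OFFSET + 16 * i)
        entries.append({"index": i + 1, "active": status == ACTIVE_FLAG,
                        "type": ptype, "lba_start": lba, "sectors": count})
    return [e for e in entries if e["type"] != 0]


def suspicious_entries(entries):
    """Indices of entries that are hidden-typed, active AND far too small for an OS."""
    return [e["index"] for e in entries
            if e["type"] in HIDDEN_DATA_TYPES and e["active"]
            and e["sectors"] < TINY_SECTORS]


def os_partition_without_boot_flag(entries):
    """Index of the largest NTFS partition if it is not active while another
    entry is; None when the boot flag sits where it belongs."""
    ntfs = [e for e in entries if e["type"] == NTFS_TYPE]
    if not ntfs:
        return None
    os_part = max(ntfs, key=lambda e: e["sectors"])
    other_active = any(e["active"] and e is not os_part for e in entries)
    return os_part["index"] if (not os_part["active"] and other_active) else None


def remediation(entries, device="/dev/sda"):
    """parted commands derived from the findings: give the boot flag back to
    the OS partition first, then drop the rogue entry (order matters)."""
    cmds = []
    os_idx = os_partition_without_boot_flag(entries)
    if os_idx is not None:
        cmds.append(f"parted {device} set {os_idx} boot on")
    for idx in suspicious_entries(entries):
        cmds.append(f"parted {device} rm {idx}")
    return cmds


# Constructed sample: offsets and sizes follow the ListParts/aswMBR logs in the
# thread; the MBR bytes themselves are made up here.
INFECTED_MBR = build_mbr([
    make_entry(0x00, 0xDE, 63, 96327),               # Dell Utility, 47 MB, hidden OEM
    make_entry(0x00, NTFS_TYPE, 96390, 615305565),   # Windows C:, 293 GB, flag stripped
    make_entry(0x00, 0xDB, 615401955, 9735390),      # Dell recovery, 4.7 GB
    make_entry(ACTIVE_FLAG, 0x17, 625137345, 5088),  # rogue: hidden, active, 2544 KB
])

if __name__ == "__main__":
    parts = parse_partition_table(INFECTED_MBR)
    for p in parts:
        print(f"Partition {p['index']}: type {p['type']:02X} "
              f"active={p['active']} sectors={p['sectors']}")
    print("suspicious entries:", suspicious_entries(parts))
    print("OS partition missing boot flag:", os_partition_without_boot_flag(parts))
    print("remediation:", remediation(parts))
```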
  14. Heavywood

    Heavywood TS Rookie Topic Starter Posts: 29

    When you say clean computer, does that mean I have to do this on a different computer? I only have this rootkit-ed computer.
  15. Broni

    Broni Malware Annihilator Posts: 54,257   +383

    Go on and use this computer.
  16. Heavywood

    Heavywood TS Rookie Topic Starter Posts: 29

    Ok, wish me luck!
  17. Heavywood

    Heavywood TS Rookie Topic Starter Posts: 29

    Burned the ISO to a DVD, booted from the disc, selected English and got an error:

    Cannot display this video mode
    Optimum resolution 1280x1024 60Hz

    Any way to change the resolution? I don't see anything on my monitor settings to change it.
  18. Broni

    Broni Malware Annihilator Posts: 54,257   +383

    I'm not familiar with this error.
    Possibly bad download, or bad burn.
    I'd also suggest CD-R not DVD.
  19. Heavywood

    Heavywood TS Rookie Topic Starter Posts: 29

    I think it is a monitor problem. It showed up where the monitor settings box appears, and had the same text. I'll dig out my user guide to check on switching the settings.
  20. Broni

    Broni Malware Annihilator Posts: 54,257   +383

  21. Heavywood

    Heavywood TS Rookie Topic Starter Posts: 29

    I have tried switching every setting possible, and my monitor still displays the "resolution cannot be displayed" message. I've found many instances of this popping up with a quick Google search, but it seems every forum topic that brings it up has no conclusion. What I'm seeing shows up in this Dell article under OSD Warning Messages: it's the black box on the left.

    Is there something else I can do to remove this bad partition?
  22. Broni

    Broni Malware Annihilator Posts: 54,257   +383

    Proceed with extreme caution!
    Deleting the wrong partition will result in your computer being unusable.
    If you have any doubts, ask.


    Download gparted-live-0.11.0-7.iso (119.8 MB)

    Burn it to a CD:

    Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    Boot off of the newly created Gparted CD.

    You should be here:
    Press Enter.

    By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER:

    Choose your language and press ENTER. English is default [33]:

    Once again, at this prompt, press ENTER:

    You will now be taken to the main GUI screen below:
    According to your logs, the partition that you want to delete is the small partition of 2544 KB.
    Click on it to highlight it.
    Click the trash can icon to delete and then click Apply.

    You should now be here confirming your actions:

    Now you should be here:

    Is "boot" next to your OS drive?

    If "boot" is NOT next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags.

    In the menu that pops up, place a checkmark in boot like the picture below:

    Now double-click the [​IMG] button.

    You should receive a small pop up like this:

    Choose reboot and then press OK.
  23. Heavywood

    Heavywood TS Rookie Topic Starter Posts: 29

    I was able to successfully perform that operation. I can also now run aswMBR. Log is:

    aswMBR version Copyright(c) 2011 AVAST Software
    Run date: 2012-03-25 14:25:43
    14:25:44.546 OS Version: Windows 5.1.2600 Service Pack 3
    14:25:44.546 Number of processors: 2 586 0x407
    14:25:44.562 ComputerName: GAMER UserName:
    14:25:45.750 Initialize success
    14:25:46.671 AVAST engine defs: 12032500
    14:27:19.968 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    14:27:19.968 Disk 0 Vendor: WDC_WD32 21.0 Size: 305245MB BusType: 3
    14:27:19.984 Disk 0 MBR read successfully
    14:27:19.984 Disk 0 MBR scan
    14:27:20.000 Disk 0 unknown MBR code
    14:27:20.000 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
    14:27:20.000 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 300442 MB offset 96390
    14:27:20.046 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 4753 MB offset 615401955
    14:27:20.046 Disk 0 scanning sectors +625137345
    14:27:20.125 Disk 0 scanning C:\WINDOWS\system32\drivers
    14:27:37.921 Service scanning
    14:28:03.187 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
    14:28:07.078 Modules scanning
    14:28:20.312 Module: C:\WINDOWS\System32\DLA\DLADResN.SYS **SUSPICIOUS**
    14:28:22.953 Disk 0 trace - called modules:
    14:28:22.984 ntkrnlpa.exe CLASSPNP.SYS disk.sys sfsync02.sys hal.dll iastor.sys spce.sys >>UNKNOWN [0x87585938]<<
    14:28:22.984 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8750dab8]
    14:28:22.984 3 CLASSPNP.SYS[f7652fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x87544030]
    14:28:24.171 AVAST engine scan C:\WINDOWS
    14:29:27.453 AVAST engine scan C:\WINDOWS\system32
    14:34:47.156 File: C:\WINDOWS\assembly\GAC\GemMaster3\\GemMaster3.dll **HIDDEN**
    14:35:29.609 AVAST engine scan C:\WINDOWS\system32\drivers
    14:36:42.609 AVAST engine scan C:\Documents and Settings\Robert Moulton
    15:16:17.703 AVAST engine scan C:\Documents and Settings\All Users
    15:21:19.312 Scan finished successfully
    15:21:41.031 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Robert Moulton\Desktop\MBR.dat"
    15:21:41.078 The log file has been saved successfully to "C:\Documents and Settings\Robert Moulton\Desktop\aswMBR.txt"
  24. Broni

    Broni Malware Annihilator Posts: 54,257   +383


    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it:
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.

    Make sure, you re-enable your security programs, when you're done with Combofix.


    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right-click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  25. Heavywood

    Heavywood TS Rookie Topic Starter Posts: 29

    All done!

    ComboFix 12-03-22.01 - Robert Moulton 03/25/2012 18:20:29.2.2 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.724 [GMT -5:00]
    Running from: c:\documents and settings\Robert Moulton\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
    ---- Previous Run -------
    c:\documents and settings\All Users\Application Data\~WOhO5XNhVoOkVe
    c:\documents and settings\All Users\Application Data\~WOhO5XNhVoOkVer
    c:\documents and settings\All Users\Application Data\WOhO5XNhVoOkVe
    c:\documents and settings\Robert Moulton\Application Data\inst.exe
    c:\documents and settings\Robert Moulton\Start Menu\Programs\System Check\System Check.lnk
    c:\documents and settings\Robert Moulton\Start Menu\Programs\System Check\Uninstall System Check.lnk
    c:\windows\Downloaded Program Files\popcaploader.inf
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    ((((((((((((((((((((((((( Files Created from 2012-02-25 to 2012-03-25 )))))))))))))))))))))))))))))))
    2012-03-25 22:44 . 2012-03-25 22:44 -------- d-----w- C:\avast! sandbox
    2012-03-25 22:42 . 2012-03-25 22:42 -------- d-----w- c:\windows\LastGood
    2012-03-24 00:24 . 2012-03-24 00:24 -------- d-----w- c:\program files\GUM16.tmp
    2012-03-24 00:24 . 2012-03-24 00:24 3993600 ----a-w- c:\program files\GUT17.tmp
    2012-03-23 23:34 . 2012-03-23 23:34 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY
    2012-03-22 02:50 . 2012-03-22 02:50 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
    2012-03-22 02:50 . 2012-03-22 02:50 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
    2012-03-19 22:44 . 2012-02-23 15:12 337112 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-03-19 22:44 . 2012-02-23 15:10 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-03-19 22:44 . 2012-02-23 15:10 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-03-19 22:44 . 2012-02-23 15:12 610648 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-03-19 22:44 . 2012-02-23 15:10 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-03-19 22:44 . 2012-02-23 15:10 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2012-03-19 22:44 . 2012-02-23 15:10 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2012-03-19 22:44 . 2012-02-23 15:07 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2012-03-19 22:43 . 2012-02-23 15:23 41184 ----a-w- c:\windows\avastSS.scr
    2012-03-19 22:43 . 2012-02-23 15:23 201352 ----a-w- c:\windows\system32\aswBoot.exe
    2012-03-19 22:43 . 2012-03-19 22:43 -------- d-----w- c:\program files\AVAST Software
    2012-03-19 22:43 . 2012-03-19 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2012-03-03 21:08 . 2012-03-03 21:08 -------- d-----w- c:\documents and settings\Robert Moulton\Application Data\GRETECH
    2012-03-03 21:06 . 2012-03-03 21:06 -------- d-----w- c:\program files\GRETECH
    2012-02-25 23:33 . 2012-03-22 02:50 19384 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
    2012-02-25 23:33 . 2012-03-22 02:50 97208 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2012-02-25 23:33 . 2012-03-22 02:50 125880 ----a-w- c:\program files\Mozilla Firefox\crashreporter.exe
    2012-02-25 23:33 . 2012-02-25 23:33 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2012-02-24 22:39 . 2011-07-21 21:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    2012-03-22 02:50 . 2012-02-25 23:33 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2010-06-29 22:34 . 2008-10-09 21:36 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    *Note* empty entries & legit default entries are not shown
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{96b985b7-3cf9-456a-9db6-791710e60f5f}"= "c:\program files\MyPoints Toolbar 2.0\Helper.dll" [2009-10-25 242688]
    "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn2\yt.dll" [2012-01-12 1517368]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-C1EA-F165BB85A330}]
    2007-10-14 22:55 1909248 ----a-w- c:\progra~1\mypoints\mypoints.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{614BDA1F-9BEF-4CD1-BDE4-FA4804929B4A}]
    2009-10-25 01:48 1432576 ----a-w- c:\program files\MyPoints Toolbar 2.0\Toolbar.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2011-08-24 02:20 1515688 ----a-w- c:\program files\\GenericAskToolbar.dll
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{4E7BD74F-2B8D-469E-C1EA-F165BB85A330}"= "c:\progra~1\mypoints\mypoints.dll" [2007-10-14 1909248]
    "{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2009-10-25 1432576]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\\GenericAskToolbar.dll" [2011-08-24 1515688]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{4E7BD74F-2B8D-469E-C1EA-F165BB85A330}"= "c:\progra~1\mypoints\mypoints.dll" [2007-10-14 1909248]
    "{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2009-10-25 1432576]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\\GenericAskToolbar.dll" [2011-08-24 1515688]
    2012-02-23 15:23 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]
    "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
    "CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
    "VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
    "AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-29 30192]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "NoteBurner"="c:\program files\NoteBurner\VTBurnerGUI.exe" [BU]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "CTHelper"="CTHELPER.EXE" [2006-12-12 19456]
    "CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 18944]
    "mcui_exe"="c:\program files\\Agent\mcagent.exe" [2011-07-13 1312384]
    "ApnUpdater"="c:\program files\\Updater\Updater.exe" [2011-08-24 887976]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-02-23 4031368]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
    "SetDefaultMIDI"="MIDIDEF.EXE" [2005-11-08 25600]
    c:\documents and settings\Robert Moulton\Start Menu\Programs\Startup\
    Scheduler.lnk - c:\program files\SpyCatcher\Scheduler daemon.exe [2007-7-20 86133]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-6-10 113664]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-7-5 24576]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    SpyCatcher Protector.lnk - c:\program files\SpyCatcher\Protector.exe [2007-7-20 91576]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\e4ff1b2b548]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
    2007-08-14 00:11 24576 ----a-w- c:\program files\Stardock\MyColors\fastload.dll
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
    backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpyCatcher Protector.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpyCatcher Protector.lnk
    backup=c:\windows\pss\SpyCatcher Protector.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^Robert Moulton^Start Menu^Programs^Startup^MagicDisc.lnk]
    path=c:\documents and settings\Robert Moulton\Start Menu\Programs\Startup\MagicDisc.lnk
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-23 10:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTCheck]
    2007-11-06 16:08 397312 ------w- c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    c:\program files\DAEMON Tools Lite\daemon.exe [BU]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\doubleTwist]
    2010-03-16 00:15 24576 ----a-w- c:\program files\doubleTwist 2.0\DoubleTwist.DeviceHelper.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2006-10-26 00:58 282624 ----a-w- c:\program files\QuickTime\qttask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyCatcher Reminder]
    2007-07-09 15:56 103864 ----a-w- c:\program files\SpyCatcher\SpyCatcher.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2011-05-31 22:28 273544 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{65BD8956-3DDB-41D2-BE0F-E377D64DF6B1}\Connection]
    "Name"="Local Area Connection 3"
    "EnableFirewall"= 0 (0x0)
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "c:\\Program Files\\America Online 9.0\\waol.exe"=
    "c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
    "c:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=
    "c:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
    "c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
    "c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
    "c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
    "c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
    "c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
    "c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
    "c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
    "c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
    "c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
    "c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=
    "c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
    "c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Java\\jre6\\launch4j-tmp\\Mimo.exe"=
    "c:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
    "%windir%\explorer.exe"= %windir%\explorer.exe
    "MenuItemID"= 9C8324D3-5625-4b5a-BA48-F9CF9A3D33DC
    "ActionURL"= misp://mcshlui.dll::config.htm
    "Display"= SecurityCenter
    "Level"= 0 (0x0)
    "MenuItemID"= 941B5D48-6CA4-47c3-AB9F-70B2FBA86921
    "ActionURL"= misp://mcshlui.dll::RecentEvents.htm
    "Display"= View Recent Events
    "Level"= 1 (0x1)
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/6/2009 7:33 PM 717296]
    R1 SSHDRV65;SSHDRV65;c:\windows\system32\drivers\SSHDRV65.sys [9/8/2006 5:53 PM 120320]
    S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
    S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/19/2012 5:44 PM 610648]
    S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/19/2012 5:44 PM 337112]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/19/2012 5:44 PM 20696]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/11/2009 6:54 PM 133104]
    S2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [3/9/2010 11:00 PM 6656]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2/2/2011 9:18 AM 13192]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2/2/2011 9:18 AM 8456]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [7/5/2006 11:31 PM 30192]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/11/2009 6:54 PM 133104]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/16/2005 4:18 AM 14336]
    S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [2/19/2008 5:24 PM 47360]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
    Contents of the 'Scheduled Tasks' folder
    2012-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-11 23:53]
    2012-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-11 23:53]
    2012-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1103233014-2229641168-2263940352-1005Core.job
    - c:\documents and settings\Robert Moulton\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-27 23:13]
    2012-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1103233014-2229641168-2263940352-1005UA.job
    - c:\documents and settings\Robert Moulton\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-27 23:13]
    2012-03-25 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\\UpdateTask.exe [2011-08-24 02:20]
    2012-03-17 c:\windows\Tasks\Spybot - Search & Destroy.job
    - c:\progra~1\SPYBOT~1\SpybotSD.exe [2008-06-08 20:31]
    ------- Supplementary Scan -------
    uStart Page = hxxp://
    mSearch Bar = hxxp://*
    uSearchURL,(Default) = hxxp://*
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
    Trusted Zone:\online
    TCP: DhcpNameServer =
    FF - ProfilePath - c:\documents and settings\Robert Moulton\Application Data\Mozilla\Firefox\Profiles\pt8x6cw0.default\
    FF - prefs.js: - Yahoo Search
    FF - prefs.js: browser.startup.homepage - hxxp://
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    - - - - ORPHANS REMOVED - - - -
    Toolbar-{A057A204-BACC-4D26-CEC4-75A487FD6484} - (no file)
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
    Rootkit scan 2012-03-25 18:39
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    CTHelper = CTHELPER.EXE?
    CTxfiHlp = CTXFIHLP.EXE?
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    --------------------- LOCKED REGISTRY KEYS ---------------------
    [HKEY_USERS\S-1-5-21-1103233014-2229641168-2263940352-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    [HKEY_USERS\S-1-5-21-1103233014-2229641168-2263940352-1005\Software\SecuROM\License information*]
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'winlogon.exe'(684)
    c:\program files\Stardock\MyColors\fastload.dll
    Completion time: 2012-03-25 18:47:54
    ComboFix-quarantined-files.txt 2012-03-25 23:47
    Pre-Run: 23,855,771,648 bytes free
    Post-Run: 23,821,524,992 bytes free
    - - End Of File - - C6EF183E1EF52268053B7B0A2DF1A607
