Caught Malware Defender. "Removed" It, can't seem to do much else.

Post by saintxaero on Tue Jan 12, 2010 5:03 am

My laptop caught Malware Defender while Symantec AntiVirus was supposed to be on watch. I've tried installing Malwarebytes and AVG to no avail. I can't seem to find any trace of the viruses now, but Internet Explorer and Firefox won't run and I can't do a restore to a previous date.

List of issues includes:
  • I can't install or run anything like AVG or Malwarebytes.
  • I should also probably mention that I get the message "the system administrator has set policies to prevent installation in safe mode" whenever something tries to install.
  • I can't run Firefox or IE in anything but safe mode.
  • My Google searches continually get hijacked.
  • System Restore won't even run.

I've looked on these forums already for people with similar issues, but none of the fixes that were suggested to them seem to work for me.

I'll post my HijackThis log, which was run in regular mode rather than safe mode.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:03 PM, on 1/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\User\LOCALS~1\Temp\settdebugx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Documents and Settings\User\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Documents and Settings\User\Local Settings\Apps\2.0\J20C2LXC.9HK\VZNNJJ5Z.CHB\curs..tion_eee711038731a406_000 4.0000_1430d96b300c8988\CurseClient.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\My Documents\Downloads\TOOLZ\HijackThis.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar1.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [settdebugx.exe] C:\DOCUME~1\User\LOCALS~1\Temp\settdebugx.exe
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\DOCUME~1\User\LOCALS~1\Temp\ioxesnet.tmp
O4 - Startup: CurseClientStartup.ccip
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\User\Application Data\Dropbox\bin\Dropbox.exe
O4 - Startup: HOTLLAMA Update Check.lnk = C:\Program Files\HOTLLAMA MEDIA\Player\WiseUpdt.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Unknown owner - C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe (file missing)
O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Unknown owner - C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8960 bytes

saintxaero
Novice

Posts : 5
Joined : 2010-01-12
OS : Win 7, XP Pro
Points : 25263
Likes : 0


Re: Caught Malware Defender. "Removed" It, can't seem

Post by Dr Jay on Tue Jan 12, 2010 6:38 am

Please download [You must be registered and logged in to see this link.], and save to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.cmd to start.
  • It will finish quickly and launch a log.
  • Post the contents of it in your next reply.


==

Download [You must be registered and logged in to see this link.] to your desktop

  • A window will pop up; press 2 and then Enter. A scan will start; let it run uninterrupted. It should only take a few minutes.
  • A log will appear when it is finished; it will also be saved in the same location as LockSearch, which should be on your desktop. Post the contents of the log in your reply.


==

Please make sure the Cheetah and LockSearch logs are included in your next reply.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 13719
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Protection : Bitdefender Total Security
Points : 302143
Likes : 10


Re: Caught Malware Defender. "Removed" It, can't seem

Post by saintxaero on Tue Jan 12, 2010 7:57 am

Cheetah Anti-Rogue v1.0.30
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Tue 01/12/2010 2:53:18.81


-- Known infection --

C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#jambocast.com\settings.sol (Trj.FakeAlert)
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#macromedia.com\settings.sol (Trj.FakeAlert)
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (Trj.FakeAlert)


Extra message: Detection only.


EOF




LockSearch by jpshortstuff (05.11.09.1)
Log created at 02:53 on 12/01/2010 (Administrator)
Scanning C:\


C:\pagefile.sys
-------------------------

-=E.O.F=-

I was able to get Malwarebytes installed and running.

Malwarebytes' Anti-Malware 1.44
Database version: 3544
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

1/12/2010 2:56:50 AM
mbam-log-2010-01-12 (02-56-50).txt

Scan type: Quick Scan
Objects scanned: 5166
Time elapsed: 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\H8SRTedksouefea.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\H8SRTedksouefea.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
^^^^ Can't seem to ever delete that file on reboot.


Re: Caught Malware Defender. "Removed" It, can't seem

Post by Dr Jay on Tue Jan 12, 2010 10:05 am

Please download the [You must be registered and logged in to see this link.]. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.


Dr. Jay (DJ)




Re: Caught Malware Defender. "Removed" It, can't seem

Post by saintxaero on Tue Jan 12, 2010 5:53 pm

GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-12 12:52:07
Windows 5.1.2600 Service Pack 3
Running: gmer1.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwdirfog.sys


---- System - GMER 1.0.15 ----

Code 826A7E38 ZwEnumerateKey
Code 826A78B8 ZwFlushInstructionCache
Code 826A7E6E IofCallDriver
Code 826A80AE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 826A7E73
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 826A80B3
PAGE ntoskrnl.exe!ZwFlushInstructionCache 8056E42A 5 Bytes JMP 826A78BC
PAGE ntoskrnl.exe!ZwEnumerateKey 805735A4 5 Bytes JMP 826A7E3C
init C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS entry point in "init" section [0xF8946192]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\services.exe[848] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0073000A
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007A000A
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1736] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008B000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1828] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02A0000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1828] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 028F000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1828] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02A1000A
.text C:\Documents and Settings\Administrator\Desktop\gmer1.exe[5220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AC000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\H8SRTaljfccrvqt.sys (*** hȋdden *** ) F7E6E000-F7E8B000 (118784 bytes)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\H8SRTedksouefea.dll (*** hȋdden *** ) @ C:\WINDOWS\system32\winlogon.exe [804] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTedksouefea.dll (*** hȋdden *** ) @ C:\WINDOWS\system32\svchost.exe [1472] 0x00720000
Library \\?\globalroot\systemroot\system32\H8SRTedksouefea.dll (*** hȋdden *** ) @ C:\WINDOWS\system32\svchost.exe [1644] 0x00720000
Library \\?\globalroot\systemroot\system32\H8SRTedksouefea.dll (*** hȋdden *** ) @ C:\WINDOWS\system32\svchost.exe [1724] 0x00720000
Library \\?\globalroot\systemroot\system32\H8SRTedksouefea.dll (*** hȋdden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1828] 0x007E0000
Library \\?\globalroot\systemroot\system32\H8SRTedksouefea.dll (*** hȋdden *** ) @ C:\WINDOWS\system32\svchost.exe [1844] 0x00720000
Library \\?\globalroot\systemroot\system32\H8SRTedksouefea.dll (*** hȋdden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [4984] 0x00B80000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\H8SRTaljfccrvqt.sys (*** hȋdden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTaljfccrvqt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTaljfccrvqt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTuwbcdhvecs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRThlfnioxpoo.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTapwmhvoxug.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTedksouefea.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTpibdyvipam.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTaljfccrvqt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTaljfccrvqt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTuwbcdhvecs.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRThlfnioxpoo.dat
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTapwmhvoxug.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTedksouefea.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTpibdyvipam.dll

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Administrator\Local Settings\Temp\MPSampleSubmit\h8srtedksouefea.dll.xor 16896 bytes
File C:\Documents and Settings\Administrator\Local Settings\Temp\h8srtmainqt.dll 16651 bytes
File C:\Documents and Settings\User\Local Settings\Temp\H8SRT41ee.tmp 343040 bytes executable
File C:\Documents and Settings\User\Local Settings\Temp\h8srtmainqt.dll 0 bytes
File C:\WINDOWS\system32\H8SRTapwmhvoxug.dll 36864 bytes executable
File C:\WINDOWS\system32\H8SRTedksouefea.dll 16896 bytes executable
File C:\WINDOWS\system32\H8SRThlfnioxpoo.dat 245 bytes
File C:\WINDOWS\system32\h8srtkrl32mainweq.dll 934 bytes
File C:\WINDOWS\system32\H8SRTpibdyvipam.dll 40960 bytes executable
File C:\WINDOWS\system32\h8srtshsyst.dll 3668 bytes
File C:\WINDOWS\system32\H8SRTuwbcdhvecs.dll 23552 bytes executable
File C:\WINDOWS\system32\drivers\H8SRTaljfccrvqt.sys 40960 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\Temp\H8SRT3718.tmp 246 bytes
File C:\WINDOWS\Temp\H8SRT37c4.tmp 246 bytes
File C:\WINDOWS\Temp\H8SRT4b1d.tmp 245 bytes
File C:\WINDOWS\Temp\H8SRT842f.tmp 246 bytes

---- EOF - GMER 1.0.15 ----

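The two logs in this thread are read by eye for the same handful of tells: an autorun launched out of a Temp directory, a `Policies\Explorer\Run` entry (a location installers almost never use), a `.tmp` file being executed, and GMER's `*** hȋdden ***` and `<-- ROOTKIT` markers plus its inline-hook lines. The script below is an added example, not part of the thread or of HijackThis, GMER or any other tool named here; it encodes those checks as a small triage pass over the log lines. The sample lines are copied from the HijackThis and GMER output posted above, and the rules themselves (where to look, what to rate "high" versus "review") are my own heuristics, not anything the tools define.

```python
"""Triage pass over HijackThis O4 lines and GMER lines (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the HijackThis and GMER logs posted in this thread.
SAMPLE_LINES = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [settdebugx.exe] C:\DOCUME~1\User\LOCALS~1\Temp\settdebugx.exe
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\DOCUME~1\User\LOCALS~1\Temp\ioxesnet.tmp
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\User\Application Data\Dropbox\bin\Dropbox.exe
Module \systemroot\system32\drivers\H8SRTaljfccrvqt.sys (*** hȋdden *** ) F7E6E000-F7E8B000 (118784 bytes)
Service C:\WINDOWS\system32\drivers\H8SRTaljfccrvqt.sys (*** hȋdden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1828] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02A1000A
.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 826A7E73
"""


@dataclass
class Finding:
    line: str
    severity: str                 # "high" = act on it, "review" = confirm the owner first
    reasons: list = field(default_factory=list)


O4_RE = re.compile(r'^O4 - (?P<loc>[^:]+): (?P<rest>.*)$')
# GMER hook line: "<section> <target> <address> <n> Bytes JMP <address>"
HOOK_RE = re.compile(r'^(?:\.text|PAGE|INIT)\s+(?P<target>.+?)\s+[0-9A-F]{8}\s+\d+ Bytes\s+JMP\s+[0-9A-F]{8}', re.I)
HIDDEN_RE = re.compile(r'\*\*\*\s*h.?dden\s*\*\*\*')   # GMER writes the word as "hȋdden"
TEMP_RE = re.compile(r'[\\/]temp[\\/]', re.I)
# Extensions an autorun normally points at; anything else (e.g. ".tmp") gets flagged.
PROGRAM_EXT = {'.exe', '.lnk', '.cpl', '.scr', '.com', '.bat', '.cmd'}


def executable_path(cmd: str) -> str:
    """Strip quotes and trailing switches from an autorun command line (heuristic)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return re.split(r'\s+[/-]', cmd, maxsplit=1)[0]


def triage_o4(line: str):
    m = O4_RE.match(line)
    if not m:
        return None
    loc, rest = m.group('loc'), m.group('rest')
    if rest.startswith('['):                 # "[name] command" form
        cmd = rest[rest.index(']') + 1:]
    elif ' = ' in rest:                      # "file.lnk = path" form used for Startup folders
        cmd = rest.split(' = ', 1)[1]
    else:
        return None                          # no target path to examine
    path = executable_path(cmd)
    reasons = []
    if 'Policies\\Explorer\\Run' in loc:
        reasons.append('uses Policies\\Explorer\\Run, which legitimate installers rarely touch')
    if TEMP_RE.search(path):
        reasons.append('autorun target lives in a Temp directory')
    leaf = path.rsplit('\\', 1)[-1]
    ext = leaf[leaf.rfind('.'):].lower() if '.' in leaf else ''
    if ext and ext not in PROGRAM_EXT:
        reasons.append(f'autorun target has a non-program extension ({ext})')
    return Finding(line, 'high', reasons) if reasons else None


def triage_gmer(line: str):
    reasons = []
    if HIDDEN_RE.search(line):
        reasons.append('object is hidden from the Windows API (GMER cross-view mismatch)')
    if '<-- ROOTKIT' in line:
        reasons.append('carries the GMER rootkit marker')
    if reasons:
        return Finding(line, 'high', reasons)
    m = HOOK_RE.match(line)
    if m:
        # Security products hook these APIs too (the AVG filter driver in this log is benign),
        # so a hook alone is only a "review" item until its owner is identified.
        return Finding(line, 'review', [f'inline JMP hook on {m.group("target")}; confirm which driver owns it'])
    return None


def triage(text: str):
    """Return a Finding for every suspicious line; clean lines are skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        found = triage_o4(line) if line.startswith('O4 - ') else triage_gmer(line)
        if found:
            findings.append(found)
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f'[{f.severity}] {f.line}')
        for r in f.reasons:
            print(f'    - {r}')
```

Run against the sample, the two Temp-directory autoruns and the two hidden GMER objects come back as "high", the Firefox `WS2_32.dll!send` and `ntoskrnl.exe!IofCallDriver` hooks as "review", and the Symantec, Dropbox and AVG lines are not reported. The Temp-directory and `Policies\Explorer\Run` rules are the ones that would have caught `settdebugx.exe` and `ioxesnet.tmp` from the very first HijackThis log, before any rootkit scanner was run.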

Re: Caught Malware Defender. "Removed" It, can't seem

Post by Dr Jay on Wed Jan 13, 2010 3:56 am

Alright, time to trash that rootkit.

Please visit this webpage for instructions for downloading and running ComboFix:

[You must be registered and logged in to see this link.]

Post the log from ComboFix when you've accomplished that.


Dr. Jay (DJ)




Re: Caught Malware Defender. "Removed" It, can't seem

Post by saintxaero on Wed Jan 13, 2010 6:43 am

ComboFix 10-01-12.04 - User 01/13/2010 0:57.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.97 [GMT -5:00]
Running from: c:\documents and settings\User\My Documents\Downloads\TOOLZ\ComboFix3.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\documents and settings\User\Application Data\SystemProc
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\recycler\S-1-5-21-1708537768-602609370-725345543-500
c:\recycler\S-1-5-21-2982139171-3159628302-454236622-500
c:\windows\run.log
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\H8SRTufpckvwfkx.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\H8SRTapwmhvoxug.dll
c:\windows\system32\H8SRThlfnioxpoo.dat
c:\windows\system32\H8SRTivcotlirdt.dll
c:\windows\system32\H8SRTjpjcttwvxw.dat
c:\windows\system32\H8SRTkereosbtys.dll
c:\windows\system32\h8srtkrl32mainweq.dll
c:\windows\system32\H8SRTpibdyvipam.dll
c:\windows\system32\h8srtshsyst.dll
c:\windows\system32\H8SRTuwbcdhvecs.dll
c:\windows\system32\H8SRTxdaejijikb.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-13 to 2010-01-13 )))))))))))))))))))))))))))))))
.

2010-01-13 01:44 . 2010-01-13 05:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-12 05:12 . 2010-01-12 05:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2010-01-12 04:49 . 2010-01-12 04:49 -------- d-----w- C:\$AVG
2010-01-12 03:43 . 2010-01-12 03:43 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-12 03:43 . 2010-01-12 03:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-12 03:43 . 2010-01-12 03:43 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-12 03:43 . 2010-01-12 03:43 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-12 03:42 . 2010-01-12 03:43 -------- d-----w- c:\windows\system32\drivers\Avg
2010-01-12 03:42 . 2010-01-12 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-01-12 03:29 . 2010-01-12 03:29 -------- d-----w- c:\program files\AVG
2010-01-12 03:29 . 2010-01-12 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-12 02:26 . 2010-01-12 02:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-11 21:05 . 2010-01-11 21:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Notepad++
2010-01-11 09:00 . 2010-01-11 09:04 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-11 07:39 . 2010-01-12 08:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-11 06:31 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-11 06:31 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-10 01:58 . 2010-01-10 01:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2010-01-10 01:58 . 2010-01-10 01:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-01-02 18:54 . 2010-01-02 18:54 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-02 18:52 . 2010-01-02 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-12-26 14:48 . 2010-01-02 18:51 -------- d-----w- c:\program files\PopCap Games
2009-12-26 14:48 . 2009-12-27 20:42 17 ----a-w- c:\windows\popcinfot.dat
2009-12-26 14:48 . 2009-12-26 14:48 0 ----a-w- c:\windows\popcreg.dat
2009-12-24 15:35 . 2010-01-02 18:52 -------- d-----w- c:\program files\Winamp
2009-12-24 15:35 . 2010-01-02 18:52 -------- d-----w- c:\documents and settings\User\Application Data\Winamp
2009-12-24 05:38 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv(2).dll
2009-12-19 14:36 . 2009-12-19 14:36 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-12-19 14:36 . 2010-01-12 05:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 14:36 . 2009-12-19 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-19 14:14 . 2009-12-19 14:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-12-18 01:24 . 2009-12-18 01:24 -------- d-----w- c:\program files\Sling Media
2009-12-18 01:24 . 2009-12-18 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Sling Media
2009-12-18 00:51 . 2010-01-02 18:53 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Super Internet TV
2009-12-17 21:58 . 2010-01-02 18:53 -------- d-----w- c:\documents and settings\User\Application Data\Tor
2009-12-17 21:58 . 2010-01-02 18:53 -------- d-----w- c:\documents and settings\User\Application Data\Vidalia
2009-12-17 01:30 . 2010-01-02 18:51 174384 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-13 06:21 . 2009-11-15 03:06 -------- d-----w- c:\documents and settings\User\Application Data\Dropbox
2010-01-13 06:19 . 2009-02-16 20:48 -------- d-----w- c:\program files\Steam
2010-01-13 06:17 . 2009-08-04 06:26 -------- d-----w- c:\program files\DNA
2010-01-13 06:17 . 2009-08-04 06:26 -------- d-----w- c:\documents and settings\User\Application Data\DNA
2010-01-12 05:41 . 2009-08-11 22:44 -------- d-----w- c:\documents and settings\User\Application Data\uTorrent
2010-01-12 05:38 . 2009-10-07 22:09 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2010-01-12 05:37 . 2009-10-07 22:13 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2010-01-11 20:09 . 2007-02-24 12:44 -------- d-----w- c:\program files\MSECache
2010-01-11 01:51 . 2004-08-04 00:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-10 01:59 . 2006-01-06 13:21 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-03 22:50 . 2009-09-08 00:47 -------- d-----w- c:\documents and settings\User\Application Data\vlc
2010-01-02 18:56 . 2006-01-05 13:00 -------- d-----w- c:\program files\Symantec AntiVirus
2010-01-02 18:53 . 2009-12-11 05:24 -------- d-----w- c:\program files\Kyodai Mahjongg 2006
2010-01-02 18:52 . 2005-06-12 22:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-21 14:08 . 2009-11-23 06:44 -------- d-----w- c:\documents and settings\User\Application Data\FileZilla
2009-12-19 14:15 . 2009-09-16 00:03 -------- d-----w- c:\program files\Pando Networks
2009-12-18 08:35 . 2006-05-30 13:56 81952 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-06 08:42 . 2009-12-06 08:42 -------- d-----w- c:\documents and settings\User\Application Data\PDF Writer
2009-12-06 08:42 . 2009-12-06 08:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PDF Writer
2009-12-06 08:36 . 2009-12-06 08:36 -------- d-----w- c:\program files\Common Files\Bullzip
2009-12-06 08:36 . 2009-12-06 08:36 -------- d-----w- c:\program files\Bullzip
2009-12-06 06:36 . 2009-11-27 07:54 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-12-06 06:21 . 2009-12-06 06:21 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-12-06 06:15 . 2009-12-06 06:15 -------- d-----w- c:\program files\Microsoft.NET
2009-12-06 06:11 . 2009-11-27 20:51 -------- d-----w- c:\program files\World of Warcraft
2009-12-05 08:18 . 2009-10-22 05:03 -------- d-----w- c:\documents and settings\User\Application Data\mIRC
2009-11-29 23:04 . 2009-10-22 05:03 -------- d-----w- c:\program files\mIRC
2009-11-28 19:37 . 2009-12-06 08:36 6144 ----a-w- c:\windows\system32\BioPdf.PdfWriter.Lib.dll
2009-11-27 07:56 . 2009-11-27 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2009-11-27 07:41 . 2008-12-25 03:35 -------- d-----w- c:\program files\Songbird
2009-11-25 07:58 . 2009-11-25 07:58 -------- d-----w- c:\program files\WinPcap
2009-11-25 06:07 . 2009-11-25 06:07 -------- d-----w- c:\program files\SystemRequirementsLab
2009-11-25 06:05 . 2009-11-25 06:05 -------- d-----w- c:\documents and settings\User\Application Data\SystemRequirementsLab
2009-11-23 06:42 . 2009-11-23 06:42 -------- d-----w- c:\program files\FileZilla FTP Client
2009-11-14 09:39 . 2009-11-14 02:07 -------- d-----w- c:\documents and settings\User\Application Data\Notepad++
2009-10-29 05:38 . 2004-08-04 08:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 08:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 08:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 18:19 . 2009-10-20 18:19 281104 ----a-w- c:\windows\system32\wpcap.dll
2009-10-20 18:19 . 2009-10-20 18:19 100880 ----a-w- c:\windows\system32\Packet.dll
2009-10-20 18:19 . 2009-10-20 18:19 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2009-10-20 18:19 . 2009-10-20 18:19 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2009-10-20 16:20 . 2004-08-04 08:00 265728 ------w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-09 03:08 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar1.dll" [2008-09-09 279944]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar1.dll" [2008-09-09 279944]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-25 133104]
"Steam"="c:\program files\Steam\Steam.exe" [2009-11-02 1217808]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-14 323392]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-01-12 289584]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-19 233534]
"hpWirelessAssistant"="c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-12-09 790528]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2004-12-08 184320]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-24 85696]
"FileZilla Server Interface"="c:\program files\FileZilla Server\FileZilla Server Interface.exe" [2009-09-06 1230336]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-12 2033432]

c:\documents and settings\User\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2009-11-27 0]
Dropbox.lnk - c:\documents and settings\User\Application Data\Dropbox\bin\Dropbox.exe [2009-10-8 26805255]
HOTLLAMA Update Check.lnk - c:\program files\HOTLLAMA MEDIA\Player\WiseUpdt.exe [2009-2-18 162834]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2006-1-4 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-12 03:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-04-13 10:12 88209 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-08-03 08:05 122939 ------w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-12-21 12:11 126976 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-12-21 12:16 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Documents and Settings\\User\\Local Settings\\Apps\\2.0\\J20C2LXC.9HK\\VZNNJJ5Z.CHB\\curs..tion_eee711038731a406_0004.0000_1430d96b300c8988\\CurseClient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57191:TCP"= 57191:TCP:Pando Media Booster
"57191:UDP"= 57191:UDP:Pando Media Booster

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/11/2010 10:43 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/11/2010 10:43 PM 360584]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 1:19 PM 50704]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/3/2004 11:26 AM 80384]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [9/2/2004 7:30 AM 32640]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/11/2010 1:31 AM 38224]
S3 EraserUtilDrvI9;EraserUtilDrvI9;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBAMSWISSARMY
.
Contents of the 'Scheduled Tasks' folder

2010-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1437970859-1425490318-3432832720-1006Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-25 02:43]

2010-01-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1437970859-1425490318-3432832720-1006UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-25 02:43]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aim.com\aimexpress
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\h9ttewtf.default\
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, false);.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\documents and settings\Administrator\My Documents\Downloads\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
Rootkit scan 2010-01-13 01:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????4?9?0?3??????? ?4?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1437970859-1425490318-3432832720-1006\Software\SecuROM\License information*]
"datasecu"=hex:9a,63,8b,c1,4f,e9,7f,11,4f,47,6b,16,be,35,bc,07,70,53,87,7a,8d,
aa,69,06,5a,67,1d,e4,2b,fe,db,38,51,2d,89,0c,bd,b4,35,59,71,f5,56,e1,00,97,\
"rkeysecu"=hex:45,b4,81,7b,5e,75,5f,bf,34,4a,1b,21,93,e2,74,ed
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1240)
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\windows\system32\dla\tfswshx.dll
c:\windows\system32\tfswapi.dll
c:\windows\system32\dla\tfswcres.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\System32\SCardSvr.exe
c:\program files\AVG\AVG9\avgwdsvc.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\FileZilla Server\FileZilla Server.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\program files\HPQ\SHARED\HPQWMI.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2010-01-13 01:35:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-13 06:35

Pre-Run: 11,872,395,264 bytes free
Post-Run: 13,455,474,688 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - FCEA1FF29CA43923FEAE201927BE8497

It looks like that root kit was taken out back and beaten with a hose. Thanks a lot for the help, you've saved me a lot of headaches and have taught me a lot in the process.


Re: Caught Malware Defender. "Removed" It, can't seem

Post by Dr Jay on Wed Jan 13, 2010 7:22 am

Open a run line by clicking start -> run

Copy and paste the following bolded text into the Open: box and click OK

cmd /k cd\ && dir c:\atapi.sys /a /s > atapi.txt && notepad atapi.txt


Paste back the contents of the atapi.txt


Dr. Jay (DJ)



Re: Caught Malware Defender. "Removed" It, can't seem

Post by saintxaero on Wed Jan 13, 2010 10:09 am

Volume in drive C has no label.
Volume Serial Number is 6C5E-4848

Directory of c:\WINDOWS\$NtServicePackUninstall$

08/04/2004 12:59 AM 95,360 atapi.sys
1 File(s) 95,360 bytes

Directory of c:\WINDOWS\ERDNT\cache

01/10/2010 08:51 PM 96,512 atapi.sys
1 File(s) 96,512 bytes

Directory of c:\WINDOWS\ServicePackFiles\i386

04/13/2008 01:40 PM 96,512 atapi.sys
1 File(s) 96,512 bytes

Directory of c:\WINDOWS\system32\dllcache

01/10/2010 08:51 PM 96,512 atapi.sys
1 File(s) 96,512 bytes

Directory of c:\WINDOWS\system32\drivers

01/10/2010 08:51 PM 96,512 atapi.sys
1 File(s) 96,512 bytes

Directory of c:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386

08/03/2004 07:59 PM 95,360 atapi.sys
1 File(s) 95,360 bytes

Total Files Listed:
6 File(s) 576,768 bytes
0 Dir(s) 13,338,521,600 bytes free

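The check Dr Jay walks through above (list every copy of atapi.sys with `dir /a /s`, then compare them) can be automated. The script below is an added example, not code from the thread: it parses the `dir` output saintxaero posted, flags copies that have the same size as the Service Pack reference copy but a newer timestamp (the anomaly visible in that listing, and the reason a copy gets sent off for scanning), and then performs the check that actually settles the question, a SHA-256 comparison of each copy against the reference. The `DIR_OUTPUT` text is constructed from the posted listing; the temp files written by `demo()` and the choice of `c:\WINDOWS\ServicePackFiles\i386` as the trusted reference are assumptions made for the example.

```python
"""Cross-check the copies of a Windows system driver listed by `dir /a /s`.

Added example, not part of the original thread. Two checks:
  1. parse_dir_listing() + suspicious_copies(): parse the `dir /s` text and
     flag copies whose size equals the reference copy's but whose timestamp
     is newer (a same-size, later-dated driver is worth a closer look).
  2. compare_hashes(): hash each on-disk copy and report which differ from
     the reference, which is the decisive check.
"""
import hashlib
import os
import re
import tempfile
from datetime import datetime

# Constructed from the `dir c:\atapi.sys /a /s` listing posted in the thread.
DIR_OUTPUT = r"""
 Directory of c:\WINDOWS\$NtServicePackUninstall$

08/04/2004  12:59 AM            95,360 atapi.sys
               1 File(s)         95,360 bytes

 Directory of c:\WINDOWS\ServicePackFiles\i386

04/13/2008  01:40 PM            96,512 atapi.sys
               1 File(s)         96,512 bytes

 Directory of c:\WINDOWS\system32\dllcache

01/10/2010  08:51 PM            96,512 atapi.sys
               1 File(s)         96,512 bytes

 Directory of c:\WINDOWS\system32\drivers

01/10/2010  08:51 PM            96,512 atapi.sys
               1 File(s)         96,512 bytes
"""

# Assumption for the example: the Service Pack cache is the trusted copy.
REFERENCE_DIR = r"c:\WINDOWS\ServicePackFiles\i386"
DIR_RE = re.compile(r"^\s*Directory of (.+)$")
FILE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S+)$")


def parse_dir_listing(text):
    """Return [(directory, mtime, size_bytes, filename)] from `dir /s` output."""
    records, current = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1).strip()
            continue
        m = FILE_RE.match(line.strip())
        if m and current:  # "1 File(s) ..." summary lines do not match FILE_RE
            mtime = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %I:%M %p")
            records.append((current, mtime, int(m.group(3).replace(",", "")), m.group(4)))
    return records


def suspicious_copies(records, reference_dir=REFERENCE_DIR):
    """Directories holding a copy with the reference's size but a newer timestamp."""
    ref = next((r for r in records if r[0].lower() == reference_dir.lower()), None)
    if ref is None:
        return []
    return [r[0] for r in records
            if r[0].lower() != reference_dir.lower() and r[2] == ref[2] and r[1] > ref[1]]


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_hashes(reference_path, candidate_paths):
    """Return the candidate paths whose hash differs from the reference copy."""
    ref = sha256_of(reference_path)
    return [p for p in candidate_paths if sha256_of(p) != ref]


def demo():
    """Constructed on-disk demo: three same-size copies, one altered in place.
    Returns the names of the directories whose copy does not match the reference."""
    clean = b"A" * 1024                # stands in for the pristine driver image
    patched = b"A" * 1000 + b"B" * 24  # same length, 24 bytes changed
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for name, data in (("ServicePackFiles", clean), ("dllcache", clean), ("drivers", patched)):
            d = os.path.join(tmp, name)
            os.mkdir(d)
            paths[name] = os.path.join(d, "atapi.sys")
            with open(paths[name], "wb") as f:
                f.write(data)
        bad = compare_hashes(paths["ServicePackFiles"], [paths["dllcache"], paths["drivers"]])
        return [os.path.basename(os.path.dirname(p)) for p in bad]


if __name__ == "__main__":
    for d in suspicious_copies(parse_dir_listing(DIR_OUTPUT)):
        print("same size, newer timestamp:", d)
    print("hash mismatch in demo:", demo())
```

The timestamp check is only a triage signal; a size that matches the reference proves nothing, since a driver can be patched in place without changing its length. The hash comparison is what matters, and it is only as good as the reference: the Service Pack cache lives on the same disk, so on a machine that is already compromised the reference hash should come from install media or a vendor-published value rather than from another local copy.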

Re: Caught Malware Defender. "Removed" It, can't seem

Post by Dr Jay on Wed Jan 13, 2010 1:02 pm

Please go [You must be registered and logged in to see this link.]. Copy and paste the following file path into the box.

c:\windows\system32\drivers\atapi.sys

Then click submit.

Please post the results (URL) to your next reply.


Dr. Jay (DJ)


