TR/Rootkit.Gen2


TR/Rootkit.Gen2

Post by Zetkin on Wed Feb 22, 2012 12:44 pm

I hope someone can help me get rid of Rootkit.Gen2 which is making my laptop almost unusable. Any advice gratefully received.

Should I attach the OTL.txt log here?

Zetkin
Novice

Posts : 5
Joined : 2012-02-22
OS : Windows XP
Points : 17573
Likes : 0

Re: TR/Rootkit.Gen2

Post by Superdave on Wed Feb 22, 2012 2:34 pm

Hello and welcome to GeekPolice.Net. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************

Please download [You must be registered and logged in to see this link.] (511 KB) to your desktop.

Double click the aswMBR.exe to run it.

Click the "Scan" button to start the scan.

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

Superdave
Captain

Posts : 4202
Joined : 2010-01-31
Gender : Male
OS : Windows 8.1 and a dual-boot with XP Home SP3
Protection : MSE, Windows Defender, Windows firewall
Points : 83201
Likes : 0

Re: TR/Rootkit.Gen2

Post by Zetkin on Wed Feb 22, 2012 3:03 pm

Hi Dave,
Thank you SO much for replying - I'm not a techie at all and didn't know where to turn! Very many thanks.
Here's the log of the scan:

aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-02-21 17:34:34
-----------------------------
17:34:34.828 OS Version: Windows 5.1.2600 Service Pack 3
17:34:34.828 Number of processors: 1 586 0xE08
17:34:34.828 ComputerName: PC194765792715 UserName: Joyce Sullivan
17:34:39.625 Initialize success
17:35:52.765 AVAST engine download error: 0
17:36:52.109 The log file has been saved successfully to "C:\Documents and Settings\Joyce Sullivan\Desktop\aswMBR.txt"
18:00:40.750 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
18:00:40.765 Disk 0 Vendor: Size: 0MB BusType: 0
18:00:40.812 Disk 0 MBR read successfully
18:00:40.828 Disk 0 MBR scan
18:00:40.828 Disk 0 unknown MBR code
18:00:40.843 Disk 0 MBR hidden
18:00:40.859 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 68378 MB offset 63
18:00:40.890 Disk 0 Partition 2 00 0C FAT32 LBA RECOVERY 7930 MB offset 140054670
18:00:40.937 Disk 0 scanning C:\WINDOWS\system32\drivers
18:00:53.046 Service scanning
18:01:18.515 Modules scanning
18:01:33.437 Disk 0 trace - called modules:
18:01:34.015 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
18:01:34.031 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f12ab8]
18:01:34.046 3 CLASSPNP.SYS[f76defd7] -> nt!IofCallDriver -> \Device\0000008e[0x86f15900]
18:01:34.062 5 ACPI.sys[f7555620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x86fce030]
18:01:34.078 Scan finished successfully
18:01:50.984 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Joyce Sullivan\Desktop\MBR.dat"
18:01:51.015 The log file has been saved successfully to "C:\Documents and Settings\Joyce Sullivan\Desktop\aswMBR.txt"
18:14:52.109 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Joyce Sullivan\Desktop\MBR.dat"
18:14:52.125 The log file has been saved successfully to "C:\Documents and Settings\Joyce Sullivan\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-02-21 19:59:43
-----------------------------
19:59:43.578 OS Version: Windows 5.1.2600 Service Pack 3
19:59:43.578 Number of processors: 1 586 0xE08
19:59:43.578 ComputerName: PC194765792715 UserName: Joyce Sullivan
19:59:50.640 Initialize success
20:00:52.656 AVAST engine download error: 0
20:01:01.906 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
20:01:01.921 Disk 0 Vendor: Size: 0MB BusType: 0
20:01:01.968 Disk 0 MBR read successfully
20:01:01.968 Disk 0 MBR scan
20:01:01.984 Disk 0 unknown MBR code
20:01:01.984 Disk 0 MBR hidden
20:01:02.000 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 68378 MB offset 63
20:01:02.046 Disk 0 Partition 2 00 0C FAT32 LBA RECOVERY 7930 MB offset 140054670
20:01:02.093 Disk 0 scanning C:\WINDOWS\system32\drivers
20:01:14.671 Service scanning
20:01:41.484 Modules scanning
20:01:55.406 Disk 0 trace - called modules:
20:01:55.421 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
20:01:55.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f12ab8]
20:01:55.421 3 CLASSPNP.SYS[f76defd7] -> nt!IofCallDriver -> \Device\0000008e[0x86f15900]
20:01:55.421 5 ACPI.sys[f7555620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x86fce030]
20:01:55.421 Scan finished successfully
20:02:48.453 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Joyce Sullivan\Desktop\MBR.dat"
20:02:48.515 The log file has been saved successfully to "C:\Documents and Settings\Joyce Sullivan\Desktop\aswMBR.txt"
20:03:40.390 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Joyce Sullivan\Desktop\MBR.dat"
20:03:40.406 The log file has been saved successfully to "C:\Documents and Settings\Joyce Sullivan\Desktop\aswMBR.txt"

Re: TR/Rootkit.Gen2

Post by Zetkin on Wed Feb 22, 2012 4:00 pm

Hi,

Should I send the OTL.txt as well? Wasn't sure if it was attached with my first post.
Thanks.
Z


Re: TR/Rootkit.Gen2

Post by Superdave on Wed Feb 22, 2012 8:41 pm

> Should I send the OTL.txt as well? Wasn't sure if it was attached with my first post.
Not at this time. If I need it, I'll let you know.

AVENGER

  • Download The Avenger by Swandog46 from [You must be registered and logged in to see this link.].
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Click the Execute button.
  • You will be asked "No script has been entered. Do you want to execute a rootkit scan only?".
  • Click Yes.
  • You will now be asked "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?".
  • Click Yes.
  • Your PC will now be rebooted.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.

*********************************************************
Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click on MBRCheck.exe to run it.
  • It will open a black window... please do not fix anything (if it gives you an option).
  • When complete, you should see "Done! Press ENTER to exit...". Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (e.g. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
  • Please copy and paste the contents of that log in your next reply.


Re: TR/Rootkit.Gen2

Post by Zetkin on Thu Feb 23, 2012 10:17 am

Here are the results:

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.


MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 142):

Processes (total 88):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000010`b2211c00 (FAT32)

PhysicalDrive0 Model Number: FUJITSUMHV2080BHPL, Rev: 892C

Size    Device Name          MBR Status
--------------------------------------------
74 GB   \\.\PhysicalDrive0   Unknown MBR code
SHA1: D0919EC9044E217466E4B6B4F0D4E99E29BDE3F9


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

Done!

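Both tools above report on the same 512-byte sector: aswMBR prints the partition table (NTFS at offset 63, FAT32 LBA recovery at offset 140054670) plus "unknown MBR code" and "MBR hidden", and MBRCheck prints the byte offsets, a SHA1 and its "Unknown MBR code" verdict. The following is an added example, not code from the thread or from either tool: it builds a constructed MBR with that partition layout (sector counts chosen to give the logged MB figures), parses it, compares the boot-code hash against an allowlist (the allowlist contents and the assumption that the hash covers the boot-code region are mine), and diffs two reads of sector 0 the way a hidden-MBR check does.

```python
"""Added example (not from the thread or from aswMBR/MBRCheck): parse a raw
512-byte MBR, flag boot code that is not on an allowlist ("Unknown MBR code")
and detect a sector 0 that reads differently through two paths ("MBR hidden").
All sample bytes below are constructed; none come from the machine in the thread."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold boot code, then 4 x 16-byte entries
PART_ENTRY = "<B3sB3sII"     # boot flag, CHS start, type, CHS end, LBA start, sector count
MBR_SIGNATURE = b"\x55\xaa"

# Type ids as aswMBR prints them in the log (07 HPFS/NTFS, 0C FAT32 LBA).
PART_TYPES = {0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA"}


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from boot code and (boot_flag, type, lba_start, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b"".join(
        struct.pack(PART_ENTRY, boot, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for boot, ptype, lba, count in partitions
    )
    return boot_code.ljust(BOOT_CODE_LEN, b"\0") + table.ljust(64, b"\0") + MBR_SIGNATURE


def boot_code_sha1(mbr: bytes) -> str:
    """SHA1 of the boot-code region only, so the same loader hashes alike on every disk.
    Assumption: a known-code allowlist keys on this region; the thread does not say
    which bytes MBRCheck hashes."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def parse_mbr(mbr: bytes) -> dict:
    """Return signature validity, boot-code hash and the partition table in log terms."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = BOOT_CODE_LEN + 16 * i
        boot, _, ptype, _, lba, count = struct.unpack(PART_ENTRY, mbr[off:off + 16])
        if ptype == 0:
            continue                       # empty slot
        parts.append({
            "index": i + 1,
            "active": boot == 0x80,        # aswMBR prints this as "80 (A)"
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
            "byte_offset": lba * SECTOR,   # what MBRCheck prints as "at offset 0x..."
        })
    return {
        "signature_ok": mbr[510:512] == MBR_SIGNATURE,
        "boot_code_sha1": boot_code_sha1(mbr),
        "partitions": parts,
    }


def classify_boot_code(mbr: bytes, known_good: set) -> str:
    """MBRCheck-style verdict: anything not on the allowlist is reported, not auto-fixed."""
    return "Known MBR code" if boot_code_sha1(mbr) in known_good else "Unknown MBR code"


def diff_sector_views(view_a: bytes, view_b: bytes) -> list:
    """Byte ranges [start, end) where two reads of sector 0 disagree.
    A scanner reads the disk below the storage stack and compares with what the OS
    returns; a filter that hands back a clean copy of an altered MBR produces a
    non-empty list here, which is the "MBR hidden" finding in the aswMBR log."""
    if len(view_a) != len(view_b):
        raise ValueError("views must be the same length")
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(view_a, view_b)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(view_a)))
    return ranges


# Constructed layout matching the thread's logs: NTFS at LBA 63 (68378 MB) and a
# FAT32 LBA recovery partition at LBA 140054670 (7930 MB); sector counts are chosen
# to give exactly those sizes and are not taken from the real disk.
LAYOUT = [(0x80, 0x07, 63, 140038144), (0x00, 0x0C, 140054670, 16240640)]
CLEAN_BOOT = b"\xeb\xfe"                       # placeholder "jmp $" stub, not real boot code
ALTERED_BOOT = b"\xeb\xfe" + b"CONSTRUCTED"    # same stub with constructed extra bytes
CLEAN_MBR = build_mbr(CLEAN_BOOT, LAYOUT)
ALTERED_MBR = build_mbr(ALTERED_BOOT, LAYOUT)
KNOWN_GOOD = {boot_code_sha1(CLEAN_MBR)}       # stand-in for a real known-code allowlist


if __name__ == "__main__":
    for p in parse_mbr(ALTERED_MBR)["partitions"]:
        print(f"Partition {p['index']} {'(A) ' if p['active'] else ''}{p['type']:02X} "
              f"{p['type_name']} {p['size_mb']} MB offset {p['lba_start']}")
    print(classify_boot_code(ALTERED_MBR, KNOWN_GOOD))
    print("MBR hidden" if diff_sector_views(CLEAN_MBR, ALTERED_MBR) else "views agree")
```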

Re: TR/Rootkit.Gen2

Post by Superdave on Thu Feb 23, 2012 1:48 pm

Download Combofix from any of the links below, and save it to your desktop.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

To prevent your anti-virus application from interfering with ComboFix we need to disable it. See here (http://www.pchelpforum.com/anti-virus/110194-how-disable-your-security-applications.html) for a tutorial on how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:



Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT click ComboFix's window while it's running because it may cause it to stall.


Re: TR/Rootkit.Gen2

Post by Zetkin on Fri Feb 24, 2012 5:38 am

The first scan took about two hours but then seemed to freeze so I rebooted and tried again. This is the report:

ComboFix 12-02-23.01 - Joyce Sullivan 22/02/2012 22:29:27.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.394 [GMT 0:00]
Running from: c:\documents and settings\Joyce Sullivan\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Free Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\JOYCES~1\LOCALS~1\Temp\1.tmp\F_IN_BOX.dll
c:\documents and settings\Joyce Sullivan\Local Settings\Temp\1.tmp\F_IN_BOX.dll
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-01-22 to 2012-02-22 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-15 02:04 . 2012-01-23 21:58 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-26 13:33 . 2011-11-26 13:33 644400 ----a-w- c:\windows\system32\mscomct2.ocx
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2011-05-09 09:49 176936 ----a-w- c:\program files\ZoneAlarm_Security\prxtbZone.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-01-29 12:59 1811296 ----a-w- c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-01-04 20:20 1514152 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll" [2012-01-29 1811296]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-04 1514152]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-04 1514152]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-12-16 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-11 36975]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-06-23 102400]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"RemotePARL"="c:\windows\RemoteParlPC.exe" [2003-07-02 53248]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-07-31 1626112]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-01-29 273544]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-01-29 939872]
"CNAP2 Launcher"="c:\windows\System32\spool\DRIVERS\W32X86\3\CNAP2LAK.EXE" [2010-01-11 226784]
"ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-29 928096]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-01-04 1391272]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-09-14 1501080]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-12-18 73360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
USB Wireless Client Utility.lnk - c:\program files\Wireless USB\Installer\WINXP\USB Wireless Client Utility.exe [2010-4-22 598016]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^FF32CFF4-033D-320F-DE8A-53A0ABA4E87D.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\FF32CFF4-033D-320F-DE8A-53A0ABA4E87D.lnk
backup=c:\windows\pss\FF32CFF4-033D-320F-DE8A-53A0ABA4E87D.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\tgsrvc.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"1039:TCP"= 1039:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13/09/2010 15:27 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 02:48 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/09/2010 02:48 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [07/09/2010 02:49 295248]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [25/01/2012 13:29 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [25/01/2012 13:29 86224]
R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [25/01/2012 13:29 463824]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12/10/2011 06:25 4433248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02/08/2011 06:09 192776]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [03/11/2011 14:44 27016]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [03/11/2011 14:44 497280]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 07:33 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\SupportSoft\bin\tgsrvc.exe [02/08/2007 12:42 148768]
R2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe [13/05/2010 08:52 149904]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe [18/01/2012 10:22 909152]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19/08/2010 20:42 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19/08/2010 20:42 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [19/08/2010 20:42 16720]
S1 3b259;xf9poa4vaz.exe;\??\c:\windows\system32\drivers\3b259.sys --> c:\windows\system32\drivers\3b259.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [07/02/2010 12:49 135664]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [12/05/2011 17:17 167264]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [07/02/2010 12:49 135664]
S3 icsak;icsak;\??\c:\program files\CheckPoint\ZAForceField\AK\icsak.sys --> c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPService REG_MULTI_SZ HPSLPSVC
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 12:49]
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 12:49]
.
2012-02-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2434607776-1918843750-2018744573-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 14:25]
.
2012-02-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2434607776-1918843750-2018744573-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 14:25]
.
2012-02-22 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2012-01-04 20:20]
.
2012-02-22 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2010-05-20 16:21]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &AOL Toolbar Search - c:\program files\aol\aol talktalk toolbar 5.0\resources\en-GB\local\search.html
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 192.168.2.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKCU-Run-SmileyApp - c:\program files\DoubleD\GamingHarbor Toolbar\4.2.2.21960\stbapp.exe
HKLM-Run-EPSON Stylus C46 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
HKLM-Run-EPSON Stylus C46 Series (Copy 1) - c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
HKLM-Run-xf9poa4vaz - c:\documents and settings\All Users\xf9poa4vaz.exe
Notify-TPSvc - TPSvc.dll
AddRemove-docXConverter3_is1 - c:\program files\docXConverter3\unins000.exe
AddRemove-{16B6279B-9FF5-41fb-8BF9-404324F5DD1F}}_is1 - c:\program files\Media Access Startup\1.5.6.910\unins000.exe
AddRemove-{1B602410-D983-4947-98FE-EE749073D15E} - c:\documents and settings\All Users\Application Data\{F14A989E-0102-460B-ADB5-BC208314A307}\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2012-02-22 22:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????]??????`?@?????L?@
.
scanning hidden files ...
.
.
c:\docume~1\JOYCES~1\LOCALS~1\Temp\isw_acc_80100000 0 bytes
c:\docume~1\JOYCES~1\LOCALS~1\Temp\~DFC86F.tmp 32768 bytes
.
scan completed successfully
hidden files: 2
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(968)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(1028)
c:\program files\Avira\AntiVir Desktop\avsda.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(4152)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\CheckPoint\ZoneAlarm\vsmon.exe
c:\windows\system32\msdtc.exe
c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Kontiki\KService.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\progra~1\hpq\Shared\HPQTOA~1.EXE
c:\program files\real\realplayer\RealPlay.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\CNAP2RPK.EXE
c:\windows\System32\spool\DRIVERS\W32X86\3\CNABCSWK.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe
.
**************************************************************************
.
Completion time: 2012-02-22 23:10:38 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-22 23:10
.
Pre-Run: 38,681,346,048 bytes free
Post-Run: 39,410,593,792 bytes free
.
- - End Of File - - E621470CA9A254BC280B00B1E253C148


My PC seems to be working better and I can even get onto the internet without any problems. Does this mean it's finally cured?

Zetkin
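A ComboFix log of this length is hard to read by eye, and the entries a helper looks at first are the ones that are easy to miss: a service whose image file ComboFix could not find (the trailing "[?]"), service or Run names that look machine-generated, the Security Center override values, and a Windows Firewall that is switched off for the standard profile. The script below is an added example written for this page; it is not part of the thread, of ComboFix, or of any of the products in the log. It runs a few triage heuristics over a handful of lines constructed to match the shape of the log above (the line formats, the "[?]" marker and the registry section names are taken from that log; the vendor-folder table and the "looks random" rule are this example's own assumptions), and it only flags entries for review rather than declaring anything malicious.

```python
"""Triage heuristics for ComboFix-style log lines (added example, not ComboFix code)."""
import re

# Constructed sample: a few lines copied in shape from the ComboFix log in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 02:48 32592]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [25/01/2012 13:29 86224]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02/08/2011 06:09 192776]
S1 3b259;xf9poa4vaz.exe;\??\c:\windows\system32\drivers\3b259.sys --> c:\windows\system32\drivers\3b259.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [07/02/2010 12:49 135664]
S3 icsak;icsak;\??\c:\program files\CheckPoint\ZAForceField\AK\icsak.sys --> c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [?]
HKLM-Run-xf9poa4vaz - c:\documents and settings\All Users\xf9poa4vaz.exe
"""

# Service lines: "<R0..R3|S0..S4> <name>;<description>;<image path> [timestamp size]" or "... [?]"
SERVICE_RE = re.compile(r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.+)$')
ORPHAN_RUN_RE = re.compile(r"^HK(?:LM|CU)-Run-(?P<name>\S+)\s+-\s+(?P<path>.+)$")

# Assumption (this example's own): an AV product is recognised by its Program Files folder.
AV_VENDOR_FOLDERS = {"AVG": "\\program files\\avg\\", "Avira": "\\program files\\avira\\"}


def looks_random(name: str) -> bool:
    """Heuristic: at least 5 alphanumeric chars and letters/digits interleave at least
    twice. '3b259' and 'xf9poa4vaz' match; 'avgrkx86' (one switch) and 'gupdate' do not."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 5 or not stem.isalnum():
        return False
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())
    return switches >= 2


def triage(log_text: str) -> dict:
    """Walk the log once, tracking the current [registry section], and collect findings."""
    findings = {
        "missing_image": [],             # services whose image file ComboFix could not find
        "random_names": [],              # service / Run names that look machine-generated
        "security_center_overrides": [], # AntiVirusOverride / FirewallOverride set to 1
        "firewall_disabled": False,      # EnableFirewall = 0 for the standard profile
        "av_vendors": set(),             # distinct AV products seen among services
    }
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, val = m.group("name"), m.group("val").strip()
            if section.endswith("security center") and name.endswith("Override") and val == "dword:00000001":
                findings["security_center_overrides"].append(name)
            if section.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and val.startswith("0"):
                findings["firewall_disabled"] = True
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, desc, rest = m.group("name"), m.group("desc"), m.group("rest")
            if rest.endswith("[?]"):
                findings["missing_image"].append(name)
            if looks_random(name) or looks_random(desc):
                findings["random_names"].append(name)
            for vendor, folder in AV_VENDOR_FOLDERS.items():
                if folder in rest.lower():
                    findings["av_vendors"].add(vendor)
            continue
        m = ORPHAN_RUN_RE.match(line)
        if m and looks_random(m.group("name")):
            findings["random_names"].append(m.group("name"))
    return findings


def report(findings: dict) -> list:
    """One line per category that has something to review."""
    lines = []
    if findings["missing_image"]:
        lines.append("image file not found for: " + ", ".join(findings["missing_image"]))
    if findings["random_names"]:
        lines.append("machine-generated-looking names: " + ", ".join(findings["random_names"]))
    if findings["security_center_overrides"]:
        lines.append("Security Center overrides set: " + ", ".join(findings["security_center_overrides"]))
    if findings["firewall_disabled"]:
        lines.append("Windows Firewall disabled for the standard profile")
    if len(findings["av_vendors"]) > 1:
        lines.append("more than one AV product installed: " + ", ".join(sorted(findings["av_vendors"])))
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

On the constructed sample this reports the two services with missing image files (one of them, icsak, belongs to a legitimate ZoneAlarm component, which is why a missing file alone is only a prompt to check, not a verdict), the two machine-generated-looking names, both Security Center overrides, the disabled firewall, and the two AV products. Anything it flags still needs the helper's judgement; the point is to make sure those lines are looked at.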

Re: TR/Rootkit.Gen2

Post by Superdave on Fri Feb 24, 2012 2:08 pm

Hello Joyce. The log shows that you have two AV programs on your computer: AVG Anti-Virus Free Edition 2012 and Avira Desktop. You need to be sure that only one of these is enabled at any time. Two or more AVs or firewalls can cause conflicts.

I strongly recommend that you remove Ask from your computer because it:

• Promotes its toolbars on sites targeted to kids.

• Promotes its toolbars through ads that appear to be part of other companies' sites.

• Promotes its toolbars through other companies' spyware.

• Installs without any disclosure whatsoever and without any consent whatsoever.

• Solicits installations via "deceptive door openers" that do not accurately describe the offer, failing to affirmatively show a license agreement and linking to a EULA via an off-screen link.

• Makes confusing changes to users' browsers, increasing Ask's revenues while taking users to pages they didn't intend to visit.

See [You must be registered and logged in to see this link.] for more info.

If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

AskBarDis or anything related to Ask

Then please find and delete this folder in bold (if present):
C:\Program Files\AskBarDis, or anything related to Ask.
****************************************************
"My PC seems to be working better and I can even get onto the internet without any problems. Does this mean it's finally cured?"
A couple more scans if you please.

Please [You must be registered and logged in to see this link.]
If you have a Windows 7 installation disc, just insert the DVD in the drive, restart the computer and it should load automatically (option two presented in the article).
It's also possible that your computer has a pre-installed recovery partition instead; in that case use method one (by pressing F8 before Windows starts loading)...
NOTE. If none of the above apply you can create System Repair Disc (link in "Option two") and boot from it.

On the System Recovery Options menu you will get the following options:


  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt


Choose Command Prompt
You should see X:\SOURCES>...

Execute the following commands in bold.
Press Enter after every one of them.

bootrec /fixmbr (<--- there is a "space" after "bootrec")

bootrec /fixboot (<--- there is a "space" after "bootrec")

exit

Restart computer.
Now run another scan with MBRCheck.exe. Instructions are in a previous post.

Superdave
Captain
Posts : 4202
Joined : 2010-01-31
Gender : Male
OS : Windows 8.1 and a dual-boot with XP Home SP3
Protection : MSE, Windows Defender, Windows firewall