
Solved Do I still have the "Desktop Security" bug?

Discussion in 'Malware and Virus Removal Archive' started by jpChris, 2010/09/24.

  1. 2010/09/24
    jpChris

    jpChris Inactive Thread Starter

    Joined:
    2003/09/21
    Messages:
    1,062
    Likes Received:
    9
    [Resolved] Do I still have the "Desktop Security" bug?

    Hi all,

    The subject says it all and I was instructed by wildfire to run DDS and post the logs here to be sure my system is clean.

    *************************************
    Attach.txt scan:

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 5/3/2010 11:04:33 AM
    System Uptime: 9/24/2010 10:07:58 AM (1 hours ago)

    Motherboard: Gigabyte Technology Co., Ltd. | | M68M-S2
    Processor: AMD Athlon(tm) II X2 245 Processor | Socket M2 | 2913/200mhz
    Processor: AMD Athlon(tm) II X2 245 Processor | Socket M2 | 2913/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 7 GiB total, 4.271 GiB free.
    D: is FIXED (NTFS) - 20 GiB total, 16.077 GiB free.
    E: is FIXED (NTFS) - 84 GiB total, 73.759 GiB free.
    F: is CDROM ()
    G: is FIXED (NTFS) - 8 GiB total, 4.584 GiB free.
    H: is FIXED (NTFS) - 25 GiB total, 21.45 GiB free.
    I: is FIXED (NTFS) - 43 GiB total, 32.839 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description:
    Device ID: PCI\VEN_10DE&DEV_03EB&SUBSYS_0C111458&REV_A2\3&2411E6FE&0&09
    Manufacturer:
    Name:
    PNP Device ID: PCI\VEN_10DE&DEV_03EB&SUBSYS_0C111458&REV_A2\3&2411E6FE&0&09
    Service:

    Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
    Description:
    Device ID: ROOT\SYSTEM\0003
    Manufacturer:
    Name:
    PNP Device ID: ROOT\SYSTEM\0003
    Service:

    ==== System Restore Points ===================

    RP1: 9/23/2010 8:29:03 PM - System Checkpoint

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Reader 7.1.0
    Adobe Shockwave Player 11.5
    Audacity 1.2.6
    AusLogics Disk Defrag
    avast! Free Antivirus
    Avery Wizard 1.1 for Microsoft Word 97
    Belarc Advisor 7.2
    BootSkin
    C-Media WDM Audio Driver
    CCleaner (remove only)
    CDBurnerXP
    Chess Giants
    Cloaker (remove only)
    Defraggler (remove only)
    EasyCleaner
    EPSON CardMonitor
    EPSON PhotoStarter3.0
    EPSON Print CD
    EPSON Printer Software
    EPSON SPR300 Reference Guide
    ERUNT 1.1j
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows XP (KB915865)
    ImgBurn (Remove Only)
    Internet Explorer Q903235
    Jasc Paint Shop Pro 8
    Java Auto Updater
    Java(TM) 6 Update 20
    jv16 PowerTools 1.3
    MaxBlast 4
    Merriam-Webster 3.0
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Data Access Components KB870669
    Microsoft Golf CD-ROM Version 2.0
    Microsoft IntelliType Pro 5.2
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Excel Viewer 2003
    Microsoft PowerPoint Viewer 97
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Word 97
    Move Media Player
    MSConfig CleanUp 1.2
    MSXML 6.0 Parser (KB933579)
    NTREGOPT 1.1j
    NVIDIA Display Control Panel
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    NVIDIA PhysX
    Quicken WillMaker Plus 2004
    RealPlayer
    Realtek High Definition Audio Driver
    Rhapsody Player Engine
    SeaMonkey (1.1.18)
    Smart Cleaner
    Spybot - Search & Destroy
    SUPERAntiSpyware Free Edition
    TBS WMP Plug-in
    TUGZip 3.5
    Tweak UI
    Ulead Photo Explorer 8.5 SE
    ViewSonic Monitor Drivers
    WebFldrs XP
    Windows Genuine Advantage v1.3.0254.0
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows Installer Clean Up
    Windows Internet Explorer 7
    Windows Media Format Runtime
    Windows Media Player 10
    WinJack '97
    WinPatrol 2009
    XXClone ver 0.58.0

    ==== Event Viewer Messages From Past Week ========

    9/23/2010 8:20:53 AM, error: Service Control Manager [7000] - The PfModNT service failed to start due to the following error: The system cannot find the file specified.
    9/23/2010 8:20:53 AM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
    9/23/2010 12:57:20 PM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The specified driver is invalid.
    9/23/2010 12:48:19 PM, error: Service Control Manager [7001] - The TCP/IP Protocol Driver service depends on the IPSEC driver service which failed to start because of the following error: The specified driver is invalid.
    9/23/2010 12:48:19 PM, error: Service Control Manager [7001] - The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The dependency service or group failed to start.
    9/23/2010 12:48:19 PM, error: Service Control Manager [7001] - The aswRdr service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The dependency service or group failed to start.
    9/23/2010 12:48:19 PM, error: Service Control Manager [7000] - The IPSEC driver service failed to start due to the following error: The specified driver is invalid.
    9/23/2010 12:48:17 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IPSec Tcpip
    9/23/2010 12:42:08 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
    9/23/2010 12:38:09 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP aswTdi BANTExt Fips IPSec Processor SASDIFSV SASKUTIL Tcpip
    9/23/2010 12:38:09 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/23/2010 12:35:23 PM, error: NetBT [4311] - Initialization failed because the driver device could not be created.
    9/23/2010 11:40:43 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi BANTExt Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
    9/23/2010 11:40:43 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
    9/23/2010 11:40:43 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/23/2010 11:40:43 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/23/2010 11:40:43 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    9/23/2010 11:39:36 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    9/23/2010 11:39:25 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    9/23/2010 1:32:51 PM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The system cannot find the file specified.
    9/23/2010 1:19:10 PM, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.
    9/23/2010 1:16:10 PM, error: Service Control Manager [7001] - The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The specified driver is invalid.
    9/23/2010 1:16:10 PM, error: Service Control Manager [7000] - The TCP/IP Protocol Driver service failed to start due to the following error: The specified driver is invalid.
    9/23/2010 1:11:53 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.

    ==== End Of File ===========================

    DDS.txt Scan


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Administrator at 11:10:01.12 on Fri 09/24/2010
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1685 [GMT -7:00]

    AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ============== Running Processes ===============

    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    D:\ANTIVI~1\avastUI.exe
    D:\Program Files\Office\MSOFFICE.EXE
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Show Desktop.exe
    D:\AntiVirus\AvastSvc.exe
    C:\WINDOWS\System32\vssvc.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Documents and Settings\Administrator\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uWindow Title =
    mWindow Title =
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\adobereader\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - d:\realplayer\rpbrowserrecordplugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\spybot\SDHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe "
    mRun: [avast5] d:\antivi~1\avastUI.exe /nogui
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRunServices: [LldE] c:\docume~1\admini~1\locals~1\temp\LldE.exe
    StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\micros~1.lnk - d:\program files\office\MSOFFICE.EXE
    StartupFolder: c:\documents and settings\administrator\start menu\programs\startup\Show Desktop.exe
    uPolicies-explorer: NoRecentDocsNetHood = 01000000
    uPolicies-explorer: NoSMMyDocs = 01000000
    uPolicies-explorer: NoSMMyPictures = 01000000
    uPolicies-explorer: HideClock = 0 (0x0)
    IE: &Search
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\spybot\SDHelper.dll
    Trusted Zone: abc.com\www
    Trusted Zone: cbs.com\www
    Trusted Zone: go.com\abc
    Trusted Zone: nbc.com\www
    DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Notify: !SASWinLogon - d:\spysuper\SASWINLO.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\spysuper\SASSEH.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-30 165456]
    R1 SASDIFSV;SASDIFSV;d:\spysuper\sasdifsv.sys [2009-11-23 9968]
    R1 SASKUTIL;SASKUTIL;d:\spysuper\SASKUTIL.SYS [2009-11-23 74480]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-30 17744]
    R2 avast! Antivirus;avast! Antivirus;d:\antivirus\AvastSvc.exe [2010-6-30 40384]
    R3 avast! Mail Scanner;avast! Mail Scanner;d:\antivirus\AvastSvc.exe [2010-6-30 40384]
    R3 avast! Web Scanner;avast! Web Scanner;d:\antivirus\AvastSvc.exe [2010-6-30 40384]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-5-3 1691480]
    S3 HBJGJE;HBJGJE;c:\docume~1\admini~1\locals~1\temp\hbjgje.exe --> c:\docume~1\admini~1\locals~1\temp\HBJGJE.exe [?]
    S3 ID;ID;c:\docume~1\admini~1\locals~1\temp\id.exe --> c:\docume~1\admini~1\locals~1\temp\ID.exe [?]
    S3 PCAlertDriver;PCAlertDriver;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
    S3 SASENUM;SASENUM;d:\spysuper\SASENUM.SYS [2009-11-23 7408]

    =============== Created Last 30 ================


    ==================== Find3M ====================

    2010-06-28 20:57:33 38848 ----a-w- c:\windows\avastSS.scr

    ============= FINISH: 11:10:13.81 ===============

    Well, how's it look?
     
  2. 2010/09/24
    wildfire

    wildfire Getting Old

    Joined:
    2008/04/21
    Messages:
    4,649
    Likes Received:
    124
    Broni, follow-up from this thread; initially it looked suspect, hence my referral.

    Chris, ignore the other thread for now and let Broni work his magic, I'll wait on the other side. ;)
     


  4. 2010/09/24
    jpChris

    jpChris Inactive Thread Starter

    Okey Dokey!
     
  5. 2010/09/24
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    I'm no security expert, but I'm willing to bet you're infected with something
     
  6. 2010/09/24
    jpChris

    jpChris Inactive Thread Starter

    Hi Arie,

    As soon as I saw those listings I checked all Temp folders and did a search. The only one that showed up was the "LldE.exe" and that was in the Prefetch folder. :confused:

    However, the "HBJGJE" did show up in the registry, but it pointed to the local temp folder and there's nothing in there. Plus, I don't want to start deleting stuff willy-nilly.

    And, when I searched the Google, my post here was the only result.

    Again: :confused:
     
    Last edited: 2010/09/24
  7. 2010/09/24
    Admin.

    Admin. Administrator Administrator Staff

    That's a BIG tell-tale... But let's wait for the expert.
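    A defender's triage pass over the DDS entries posted above, as an added example that is not part of the thread and not code from DDS or this forum: it flags autostart and service entries whose binaries sit in a temp directory, service entries that DDS lists with `[?]` where the date/size stamp normally appears, and non-default Hosts lines. The sample lines are a subset copied from the posted log; the flagging rules are this example's own.

```python
import re

# Sample lines copied from the DDS "Pseudo HJT Report" and "SERVICES / DRIVERS"
# sections of the log posted above; only a subset, embedded so this runs offline.
SAMPLE_DDS_LINES = r"""
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe "
mRun: [avast5] d:\antivi~1\avastUI.exe /nogui
mRunServices: [LldE] c:\docume~1\admini~1\locals~1\temp\LldE.exe
StartupFolder: c:\documents and settings\administrator\start menu\programs\startup\Show Desktop.exe
Hosts: 127.0.0.1 www.spywareinfo.com
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-30 165456]
S3 HBJGJE;HBJGJE;c:\docume~1\admini~1\locals~1\temp\hbjgje.exe --> c:\docume~1\admini~1\locals~1\temp\HBJGJE.exe [?]
S3 ID;ID;c:\docume~1\admini~1\locals~1\temp\id.exe --> c:\docume~1\admini~1\locals~1\temp\ID.exe [?]
S3 PCAlertDriver;PCAlertDriver;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 SASENUM;SASENUM;d:\spysuper\SASENUM.SYS [2009-11-23 7408]
""".strip().splitlines()

# Autostart keys DDS prints in its pseudo-HJT report (u = HKCU, m = HKLM).
AUTOSTART_KEYS = {"uRun", "mRun", "uRunOnce", "mRunOnce",
                  "uRunServices", "mRunServices", "StartupFolder"}

# Paths under a user's or the system's temp directory: installed software does
# not persist there, so an autostart or service pointing here deserves a look.
TEMP_PATH = re.compile(r"\\(?:locals~1|local settings|windows)\\temp\\", re.I)

AUTOSTART_RE = re.compile(r"^(?P<key>[A-Za-z]+):\s*(?:\[(?P<name>[^\]]*)\]\s*)?(?P<target>.*)$")
SERVICE_RE = re.compile(r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<target>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")


def triage_line(line):
    """Return a finding dict for a suspicious DDS line, or None if it looks benign."""
    line = line.strip()
    m = HOSTS_RE.match(line)
    if m:
        # DDS lists hosts-file entries beyond the default localhost line; a
        # security site pinned to loopback is a common way malware blocks help.
        return {"kind": "hosts", "name": m["host"], "target": m["ip"],
                "reason": "non-default hosts entry"}
    m = SERVICE_RE.match(line)
    if m:
        reasons = []
        if m["target"].rstrip().endswith("[?]"):
            reasons.append("file missing at scan time ([?] instead of date/size)")
        if TEMP_PATH.search(m["target"]):
            reasons.append("service binary lives in a temp directory")
        if reasons:
            return {"kind": "service", "name": m["name"], "target": m["target"],
                    "reason": "; ".join(reasons)}
        return None
    m = AUTOSTART_RE.match(line)
    if m and m["key"] in AUTOSTART_KEYS and TEMP_PATH.search(m["target"]):
        return {"kind": "autostart", "name": m["name"] or m["key"],
                "target": m["target"], "reason": "autostart target in a temp directory"}
    return None


def triage(lines):
    """Run triage_line over every line and return the findings in log order."""
    return [f for f in (triage_line(l) for l in lines) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_LINES):
        print(f"[{f['kind']:9}] {f['name']:20} {f['reason']}\n    -> {f['target']}")
```

    On the sample above it reports LldE, the Hosts line, HBJGJE, ID and PCAlertDriver, and stays quiet on the avast!, IntelliType and SUPERAntiSpyware entries.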
     
  8. 2010/09/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Thanks wildfire :)

    jpChris
    Your computer is definitely infected.

    STEP 1. Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When the scan is completed, click the Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.


    STEP 3. Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.



    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  9. 2010/09/24
    jpChris

    jpChris Inactive Thread Starter

    Hi broni,

    Will do — and thanks. I'll run the progs tomorrow. Also, of all places I found Desktop Security when I clicked to customize the Taskbar!
     
    Last edited: 2010/09/24
  10. 2010/09/24
    broni

    broni Moderator Malware Analyst

    I'll be around :)
     
  11. 2010/09/25
    jpChris

    jpChris Inactive Thread Starter

    Hi broni,

    Here's the MBAM log:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4693

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 7.0.5730.13

    9/25/2010 11:59:17 AM
    mbam-log-2010-09-25 (11-59-17).txt

    Scan type: Quick scan
    Objects scanned: 140206
    Time elapsed: 2 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    So, this scan looks to have successfully "cleaned" a couple of bugs. However, when I rebooted after this scan there's now a shield in the sys tray with an "X" in the middle and it says, "Windows Security Alerts".

    What's that all about???
     
    Last edited: 2010/09/25
  12. 2010/09/25
    jpChris

    jpChris Inactive Thread Starter

    GMER & MBRCheck logs

    Hi broni,

    Here's the results of the next two scans:

    GMER.LOG

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-09-25 12:25:35
    Windows 5.1.2600 Service Pack 2
    Running: colzbumb.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pgtdypow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB2DF3CD2]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB2DF3B8E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xB2DF4142]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB2DF406C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB2DF3764]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB2DF3C68]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB2DF36A4]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB2DF3708]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB2DF3D88]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xB2DF4210]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB2DF3D48]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB2DF3EC8]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xB2E00B9C]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xB2E009C0]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xB2E00AFA]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    PAGE ntkrnlpa.exe!ZwLoadDriver 80582DFE 7 Bytes JMP B2E00AFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!NtCreateSection 805A9DEE 7 Bytes JMP B2E009C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BAEDA 5 Bytes JMP B2DFC5B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!ObInsertObject 805C1810 5 Bytes JMP B2DFDF6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CF966 7 Bytes JMP B2E00BA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    ? htsivu.sys The system cannot find the file specified. !
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB610E380, 0x566465, 0xE8000020]

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \WINDOWS\system32\ntkrnlpa.exe[BOOTVID.dll!VidInitialize] [B7F403EC] vidstub.sys
    IAT \WINDOWS\system32\ntkrnlpa.exe[BOOTVID.dll!VidDisplayString] [B7F403F2] vidstub.sys
    IAT \WINDOWS\system32\ntkrnlpa.exe[BOOTVID.dll!VidSetTextColor] [B7F40426] vidstub.sys
    IAT \WINDOWS\system32\ntkrnlpa.exe[BOOTVID.dll!VidSolidColorFill] [B7F40E6A] vidstub.sys
    IAT \WINDOWS\system32\ntkrnlpa.exe[BOOTVID.dll!VidBitBlt] [B7F40F3E] vidstub.sys
    IAT \WINDOWS\system32\ntkrnlpa.exe[BOOTVID.dll!VidBufferToScreenBlt] [B7F40F60] vidstub.sys
    IAT \WINDOWS\system32\ntkrnlpa.exe[BOOTVID.dll!VidScreenToBufferBlt] [B7F40F88] vidstub.sys
    IAT \WINDOWS\system32\ntkrnlpa.exe[BOOTVID.dll!VidResetDisplay] [B7F40E22] vidstub.sys
    IAT \WINDOWS\system32\ntkrnlpa.exe[BOOTVID.dll!VidCleanUp] [B7F403E6] vidstub.sys
    IAT \WINDOWS\system32\ntkrnlpa.exe[BOOTVID.dll!VidSetScrollRegion] [B7F40E4C] vidstub.sys

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[736] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002
    IAT C:\WINDOWS\system32\services.exe[736] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    ---- EOF - GMER 1.0.15 ----
    *******************************************

    MBRCheck Log

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 2 (build 2600)
    Logical Drives Mask: 0x000003fd

    Kernel Drivers (total 120):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E2000 \WINDOWS\system32\hal.dll
    0xB85A8000 \WINDOWS\system32\KDCOM.DLL
    0xB84B8000 \WINDOWS\system32\BOOTVID.dll
    0xB80A8000 htsivu.sys
    0xB7F79000 ACPI.sys
    0xB85AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB7F68000 pci.sys
    0xB80B8000 isapnp.sys
    0xB7F40000 vidstub.sys
    0xB8670000 pciide.sys
    0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xB80C8000 MountMgr.sys
    0xB7F21000 ftdisk.sys
    0xB85AC000 dmload.sys
    0xB7EFB000 dmio.sys
    0xB8330000 PartMgr.sys
    0xB80D8000 VolSnap.sys
    0xB7EE3000 atapi.sys
    0xB80E8000 disk.sys
    0xB80F8000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xB7EC4000 fltmgr.sys
    0xB7EB2000 sr.sys
    0xB7E9B000 KSecDD.sys
    0xB7E0E000 Ntfs.sys
    0xB7DE1000 NDIS.sys
    0xB7DC6000 Mup.sys
    0xB8671000 giveio.sys
    0xB82D8000 \SystemRoot\System32\DRIVERS\processr.sys
    0xB8410000 \SystemRoot\System32\DRIVERS\fdc.sys
    0xB82E8000 \SystemRoot\System32\DRIVERS\serial.sys
    0xB8588000 \SystemRoot\System32\DRIVERS\serenum.sys
    0xB6BCF000 \SystemRoot\System32\DRIVERS\parport.sys
    0xB82F8000 \SystemRoot\System32\DRIVERS\i8042prt.sys
    0xB8418000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xB8420000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xB8428000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0xB6BAC000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xB8430000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB6B42000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB8438000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
    0xB8308000 \SystemRoot\System32\DRIVERS\imapi.sys
    0xB8318000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xB8128000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xB6B1F000 \SystemRoot\System32\DRIVERS\ks.sys
    0xB610E000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xB60FA000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB86E4000 \SystemRoot\System32\DRIVERS\audstub.sys
    0xB8138000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xB8594000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xB60E3000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xB8148000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xB8158000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xB8448000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xB60D2000 \SystemRoot\System32\DRIVERS\psched.sys
    0xB8168000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xB8450000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xB8458000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xB5EC2000 \SystemRoot\System32\DRIVERS\rdpdr.sys
    0xB8178000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xB85E8000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xB5E8E000 \SystemRoot\System32\DRIVERS\update.sys
    0xB7D9A000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xB81A8000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xB8490000 \SystemRoot\System32\DRIVERS\flpydisk.sys
    0xB3923000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
    0xB38F0000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
    0xB81C8000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xB85F4000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xB32D3000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xB321A000 \SystemRoot\system32\drivers\portcls.sys
    0xB81E8000 \SystemRoot\system32\drivers\drmk.sys
    0xB85FE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xB873F000 \SystemRoot\System32\Drivers\Null.SYS
    0xB8600000 \SystemRoot\System32\Drivers\Beep.SYS
    0xB84A8000 \SystemRoot\System32\drivers\vga.sys
    0xB8602000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xB8604000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xB84B0000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xB8348000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB8580000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xB2F95000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xB2F3D000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xB8228000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xB2F1C000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xB2EF4000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xB8238000 \SystemRoot\System32\DRIVERS\wanarp.sys
    0xB2ED2000 \SystemRoot\System32\drivers\afd.sys
    0xB8248000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xB2EAD000 \??\D:\SpySuper\SASKUTIL.sys
    0xB8378000 \??\D:\SpySuper\SASDIFSV.SYS
    0xB2E81000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xB2E12000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xB8268000 \SystemRoot\System32\Drivers\Fips.SYS
    0xB8790000 \SystemRoot\System32\Drivers\BANTExt.sys
    0xB2DEB000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xB8388000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xB8398000 \SystemRoot\System32\DRIVERS\usbccgp.sys
    0xB83A8000 \SystemRoot\System32\DRIVERS\USBSTOR.SYS
    0xB83B8000 \SystemRoot\System32\DRIVERS\usbprint.sys
    0xB8288000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB83E0000 \SystemRoot\System32\watchdog.sys
    0xB38D4000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBD000000 \SystemRoot\System32\drivers\dxg.sys
    0xB86FC000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBD012000 \SystemRoot\System32\nv4_disp.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xB2FE0000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xB2866000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB29E3000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB25BC000 \SystemRoot\System32\DRIVERS\mrxdav.sys
    0xB85CC000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xB25A5000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xB249D000 \??\C:\WINDOWS\System32\drivers\tmcomm.sys
    0xB23D2000 \SystemRoot\System32\DRIVERS\srv.sys
    0xB8390000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0xB1EE9000 \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pgtdypow.sys
    0xB1EBF000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 24):
    0 System Idle Process
    4 System
    612 C:\WINDOWS\system32\smss.exe
    668 csrss.exe
    692 C:\WINDOWS\system32\winlogon.exe
    736 C:\WINDOWS\system32\services.exe
    748 C:\WINDOWS\system32\lsass.exe
    920 C:\WINDOWS\system32\nvsvc32.exe
    952 C:\WINDOWS\system32\svchost.exe
    996 svchost.exe
    1092 C:\WINDOWS\system32\svchost.exe
    1144 svchost.exe
    1252 svchost.exe
    1316 C:\WINDOWS\system32\spoolsv.exe
    1652 C:\WINDOWS\explorer.exe
    1756 C:\Program Files\Microsoft IntelliType Pro\type32.exe
    1772 D:\ANTIVI~1\AvastUI.exe
    284 D:\Program Files\Office\MSOFFICE.EXE
    1588 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Show Desktop.exe
    1672 D:\AntiVirus\AvastSvc.exe
    128 C:\WINDOWS\system32\vssvc.exe
    2136 C:\WINDOWS\system32\wscntfy.exe
    2152 alg.exe
    3104 C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000001`dff8a400 (NTFS)
    \\.\E: --> \\.\PhysicalDrive0 at offset 0x00000006`e1088e00 (NTFS)
    \\.\G: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
    \\.\H: --> \\.\PhysicalDrive1 at offset 0x00000002`00542800 (NTFS)
    \\.\I: --> \\.\PhysicalDrive1 at offset 0x00000008`408da800 (NTFS)

    PhysicalDrive0 Model Number: MAXTORSTM3120814A, Rev: 3.AAJ
    PhysicalDrive1 Model Number: Maxtor6Y080L0, Rev: YAR41BW0

    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    76 GB \\.\PhysicalDrive1 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
     
  13. 2010/09/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  14. 2010/09/25
    jpChris

    jpChris Inactive Thread Starter

    Joined:
    2003/09/21
    Messages:
    1,062
    Likes Received:
    9
    Hi broni,

    Do you see a problem with the above? Or, are we just being safe?

    Anyway, I D/Led Combofix and will run it tomorrow.

    Should/can I delete/remove DDS, MBAM, GMER, MBRCheck and their logs now?
     
  15. 2010/09/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    We'll deal with cleaning tools at the end.
    Leave them alone for now.

    I'll wait for your Combofix log.
     
  16. 2010/09/25
    jpChris

    jpChris Inactive Thread Starter

    Joined:
    2003/09/21
    Messages:
    1,062
    Likes Received:
    9
    OK, and thanks. I'll post tomorrow AM.
     
  17. 2010/09/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No problem :)
     
  18. 2010/09/25
    jpChris

    jpChris Inactive Thread Starter

    Joined:
    2003/09/21
    Messages:
    1,062
    Likes Received:
    9
    Do my logs look OK so far?
     
  19. 2010/09/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    MBAM removed some, GMER and MBRCheck logs look fine.
     
  20. 2010/09/25
    jpChris

    jpChris Inactive Thread Starter

    Joined:
    2003/09/21
    Messages:
    1,062
    Likes Received:
    9
    OK, thanks, again. Have a good evening, broni! See you on the CRT tomorrow.
     
  21. 2010/09/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    See you :)
     