
Inactive Error Stating Validation Required

Discussion in 'Malware and Virus Removal Archive' started by oldmanjim, 2012/11/04.

  1. 2012/11/04
    oldmanjim Inactive Thread Starter

    Joined:
    2012/11/04
    Messages:
    55
    Likes Received:
    0
    [Inactive] Error Stating Validation Required

    Hi broni, I'm new but one of my co-workers has used your site for the last year. I previously posted in the Windows XP forum. I am having an issue and Mr. Bill told me to post here.

    I tried to download gmer but the page never opened. I will post the next set of logs in my post.

    11/4/2012 7:28:24 PM
    mbam-log-2012-11-04 (19-28-24).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 205508
    Time elapsed: 58 minute(s), 37 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\System Volume Information\_restore{6B5F3D5A-60B5-4662-9B4A-19EDB9E32B33}\RP300\A0025055.DLL (Adware.AskSBAR) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{6B5F3D5A-60B5-4662-9B4A-19EDB9E32B33}\RP300\A0025081.dll (Adware.AskSBAR) -> Quarantined and deleted successfully.

    (end)
     
  2. 2012/11/05
    Admin. Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    Keep on posting the other logs required.

    Read this post as indicated at the top of this forum & follow the instructions.
     

  4. 2012/11/07
    oldmanjim Inactive Thread Starter
    Sorry admin, it only let me post once until a mod allowed me to continue.

    DDS (Ver_2012-10-19.01) - NTFS_x86
    Internet Explorer: 6.0.2600.0000
    Run by Jim at 21:09:30 on 2012-11-04
    Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.479.158 [GMT -8:00]
    .
    .
    ============== Running Processes ================
    .
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\WgaTray.exe
    C:\WINDOWS\System32\SiSAudUt.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\WINDOWS\System32\khooker.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\UStorSrv.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    C:\WINDOWS\System32\svchost.exe -k LocalService
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://yahoo.com/
    uSearch Bar = hxxp://www.google.com/ie
    uSearch Page = hxxp://www.google.com
    mDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
    TB: Yahoo! Companion: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - c:\windows\system32\BROWSEUI.DLL
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_ActiveX.exe -update activex
    mRun: [SSC_UserPrompt] "c:\program files\common files\symantec shared\security center\UsrPrmpt.exe "
    mRun: [SiS7012Utility] "c:\windows\system32\SiSAudUt.exe" -wdm
    mRun: [SiS Tray] c:\windows\system32\sistray.EXE
    mRun: [SiS KHooker] c:\windows\system32\khooker.exe
    mRun: [POINTER] point32.exe
    mRun: [Microsoft Works Update Detection] "c:\program files\common files\microsoft shared\works shared\WkUFind.exe "
    mRun: [Homeland Network] "c:\program files\homelandnetwork\HomelandNetwork.exe "
    mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe "
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\documents and settings\all users\application data\malwarebytes\malwarebytes' anti-malware\cleanup.dll ",ProcessCleanupScript
    dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
    StartupFolder: c:\documents and settings\jim\start menu\programs\startup\Reboot.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199238910254
    DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37611.3868981482
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: NameServer = 192.168.1.254
    TCP: Interfaces\{3D5E0CD4-4DBF-4EFB-899C-5F921C40B54D} : DHCPNameServer = 192.168.1.254
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-11-4 361032]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-11-4 44808]
    R2 ousbehci;%OWC_USBEHCD.DeviceDesc%;c:\windows\system32\drivers\ousbehci.sys [2002-4-12 29568]
    R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-12-3 1252232]
    R3 EnEDev;EnE Device Service;c:\windows\system32\drivers\EnEDev.sys [2002-4-12 6101]
    R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2002-4-12 42752]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2002-4-12 166656]
    R3 WBFIRDMA;Winbond Infrared Device Driver;c:\windows\system32\drivers\wbfirdma.sys [2002-4-12 35871]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-11-4 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-11-4 136176]
    .
    =============== Created Last 30 ================
    .
    2012-11-05 04:54:05 54016 ----a-w- c:\windows\system32\drivers\gvetityn.sys
    2012-11-05 04:24:08 -------- d-----w- c:\program files\SIW 2011 Home Edition
    2012-11-05 03:51:35 41224 ----a-w- c:\windows\avastSS.scr
    2012-11-05 03:48:14 -------- d-----w- c:\program files\AVAST Software
    2012-11-05 03:48:14 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
    2012-11-05 03:26:01 -------- d-----w- c:\documents and settings\jim\application data\Malwarebytes
    2012-11-05 03:25:51 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-11-05 03:25:50 20552 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-11-05 03:25:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    .
    ==================== Find3M ====================
    .
    2001-08-23 12:00:00 94784 --sh--w- c:\windows\twain.dll
    2001-08-23 12:00:00 46592 --sh--w- c:\windows\twain_32.dll
    2001-08-23 12:00:00 995383 --sh--w- c:\windows\system32\mfc42.dll
    2001-08-23 12:00:00 50688 --sh--w- c:\windows\system32\msvcirt.dll
    2001-08-23 12:00:00 401462 --sh--w- c:\windows\system32\msvcp60.dll
    2001-08-23 12:00:00 322560 --sh--w- c:\windows\system32\msvcrt.dll
    2001-08-23 12:00:00 569344 --sh--w- c:\windows\system32\oleaut32.dll
    2001-08-23 12:00:00 106496 --sh--w- c:\windows\system32\olepro32.dll
    2001-08-23 12:00:00 9728 --sh--w- c:\windows\system32\regsvr32.exe
    .
    ============= FINISH: 21:10:16.23 ===============


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-10-19.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/12/2002 10:23:17 AM
    System Uptime: 11/4/2012 11:17:46 AM (10 hours ago)
    .
    Motherboard: | | Ref.NO:A928-020411-OT-01-00-FF-FF$
    Processor: Intel(R) Pentium(R) 4 CPU 2.40GHz | Slot-1 | 2395/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 37 GiB total, 20.852 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP293: 11/2/2008 2:30:26 PM - System Checkpoint
    RP294: 11/6/2008 5:53:42 PM - System Checkpoint
    RP295: 1/30/2011 5:04:22 PM - Removed Apple Software Update
    RP296: 1/30/2011 5:13:53 PM - Removed AVG 7.5
    RP297: 1/30/2011 5:25:00 PM - Installed AVG 7.5
    RP298: 1/30/2011 5:23:40 PM - Removed LiveUpdate Notice (Symantec Corporation)
    RP299: 1/30/2011 5:27:31 PM - Removed QuickTime
    RP300: 1/30/2011 5:30:45 PM - Removed Microsoft Digital Image Pro 7.0
    RP301: 1/30/2011 6:42:40 PM - Software Distribution Service 3.0
    RP302: 1/30/2011 6:45:44 PM - Software Distribution Service 3.0
    RP303: 1/30/2011 8:19:23 PM - Installed Windows XP WgaNotify.
    RP304: 4/16/2011 3:00:08 PM - Software Distribution Service 3.0
    RP305: 11/4/2012 7:48:13 PM - avast! Free Antivirus Setup
    .
    ==== Installed Programs ======================
    .
    Ad-Aware SE Personal
    Adobe Acrobat 4.0
    Adobe Download Manager 2.0 (Remove Only)
    Adobe Flash Player 10 ActiveX
    Adobe Reader 7.0
    Adobe® Photoshop® Album Starter Edition 3.0
    avast! Free Antivirus
    Conexant 56K Modem
    Google Toolbar for Internet Explorer
    Google Update Helper
    HijackThis 1.99.0
    Homeland Network
    Learn Microsoft® Windows XP
    Malwarebytes Anti-Malware version 1.65.1.1000
    MediaLoads
    Microsoft Data Access Components KB870669
    Microsoft IntelliPoint 4.1
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Nero - Burning Rom
    Outlook Express Q837009
    Security Update for CAPICOM (KB931906)
    SiS 650
    SiS Audio Driver
    SIW 2011 Home Edition
    SUPERAntiSpyware
    Symantec KB-DocID:2003093015493306
    U-Storage Service
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows Media Player Hotfix [See wm828026 for more information]
    Windows XP Application Compatibility Update[Q319580]
    Windows XP Hotfix - KB821557
    Windows XP Hotfix - KB823182
    Windows XP Hotfix - KB823559
    Windows XP Hotfix - KB824105
    Windows XP Hotfix - KB824141
    Windows XP Hotfix - KB824146
    Windows XP Hotfix - KB825119
    Windows XP Hotfix - KB828028
    Windows XP Hotfix - KB828035
    Windows XP Hotfix - KB828741
    Windows XP Hotfix - KB833987
    Windows XP Hotfix - KB834707
    Windows XP Hotfix - KB835732
    Windows XP Hotfix - KB837001
    Windows XP Hotfix - KB840374
    Windows XP Hotfix - KB840987
    Windows XP Hotfix - KB841356
    Windows XP Hotfix - KB841533
    Windows XP Hotfix - KB842773
    Windows XP Hotfix - KB873376
    Windows XP Hotfix - KB887822
    Windows XP Hotfix (SP1) [See Q309521 for more information]
    Windows XP Hotfix (SP1) [See Q311889 for more information]
    Windows XP Hotfix (SP1) [See Q311967 for more information]
    Windows XP Hotfix (SP1) [See Q313450 for more information]
    Windows XP Hotfix (SP1) [See Q314147 for more information]
    Windows XP Hotfix (SP1) [See Q314862 for more information]
    Windows XP Hotfix (SP1) [See Q315000 for more information]
    Windows XP Hotfix (SP1) [See Q315403 for more information]
    Windows XP Hotfix (SP1) [See Q317277 for more information]
    Windows XP Hotfix (SP1) [See Q318138 for more information]
    Windows XP Hotfix (SP1) [See Q323172 for more information]
    Windows XP Hotfix (SP1) [See Q324096 for more information]
    Windows XP Hotfix (SP1) [See Q324380 for more information]
    Windows XP Hotfix (SP1) [See Q326830 for more information]
    Windows XP Hotfix (SP1) [See Q328940 for more information]
    Windows XP Hotfix (SP1) [See Q329048 for more information]
    Windows XP Hotfix (SP1) [See Q329390 for more information]
    Windows XP Hotfix (SP1) [See Q329441 for more information]
    Windows XP Hotfix (SP1) [See Q329834 for more information]
    Windows XP Hotfix (SP1) Q328310
    Windows XP Hotfix (SP1) Q329170
    Windows XP Hotfix (SP1) Q331953
    Windows XP Hotfix (SP1) Q810577
    Windows XP Hotfix (SP1) Q810833
    Windows XP Hotfix (SP1) Q811493
    Windows XP Hotfix (SP1) Q815021
    Windows XP Hotfix (SP1) Q817606
    Windows XP Hotfix (SP1) Q819696
    Windows XP Hotfix (SP2) [See Q329115 for more information]
    Yahoo! Toolbar
    .
    ==== End Of File ===========================
     
  5. 2012/11/07
    oldmanjim Inactive Thread Starter
    I'm going to run GMER in safe mode because I can't get it to run completely without an error.
     
  6. 2012/11/08
    oldmanjim Inactive Thread Starter
    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-11-04 21:02:44
    -----------------------------
    21:02:44.568 OS Version: Windows 5.1.2600
    21:02:44.568 Number of processors: 1 586 0x204
    21:02:44.568 ComputerName: WINDOWSXP UserName: Jim
    21:02:46.952 Initialize success
    21:02:49.495 AVAST engine defs: 12110401
    21:02:53.181 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    21:02:53.181 Disk 0 Vendor: IC25N040ATCS04-0 CA4OA71A Size: 38154MB BusType: 3
    21:02:53.221 Disk 0 MBR read successfully
    21:02:53.221 Disk 0 MBR scan
    21:02:53.361 Disk 0 Windows XP default MBR code
    21:02:53.361 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38146 MB offset 63
    21:02:53.371 Disk 0 scanning sectors +78124095
    21:02:53.471 Disk 0 scanning C:\WINDOWS\System32\drivers
    21:03:11.937 Service scanning
    21:03:34.750 Modules scanning
    21:03:46.357 Disk 0 trace - called modules:
    21:03:46.387 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    21:03:46.387 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84fa78a0]
    21:03:46.718 3 CLASSPNP.SYS[f7878ceb] -> nt!IofCallDriver -> \Device\00000056[0x84f66f18]
    21:03:46.718 5 ACPI.sys[f77c111b] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x84fa9030]
    21:03:47.108 AVAST engine scan C:\WINDOWS
    21:03:56.512 AVAST engine scan C:\WINDOWS\system32
    21:05:13.612 File: C:\WINDOWS\system32\ntvdm.exe **INFECTED** Win32:Malware-gen
    21:06:03.704 AVAST engine scan C:\WINDOWS\system32\drivers
    21:06:17.825 AVAST engine scan C:\Documents and Settings\Jim
    21:08:47.430 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jim\My Documents\Downloads\MBR.dat "
    21:08:47.440 The log file has been saved successfully to "C:\Documents and Settings\Jim\My Documents\Downloads\aswMBR.txt "
     
  7. 2012/11/08
    oldmanjim Inactive Thread Starter
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-11-07 23:09:00
    Windows 5.1.2600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 IC25N040ATCS04-0 rev.CA4OA71A
    Running: 61rlkzbc.exe; Driver: C:\DOCUME~1\Jim\LOCALS~1\Temp\uwldypob.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xEF95BC22]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xEF968878]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xEF968970]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xEF95BFA6]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xEF968704]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xEF96860C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xEF967CC0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xEF95BCEA]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xEF95A3EC]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xEF9681A4]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xEF967BC4]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xEF967C42]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xEF95BE4A]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xEF968242]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xEF9687D2]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xEF968AAA]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xEF968440]
    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEFA37620]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwUnloadDriver [0xEF95A41C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0xEF95BD96]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xEF974E56]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!ZwCallbackReturn + 2128 804F73F4 4 Bytes JMP E8EF95BC
    PAGE ntoskrnl.exe!ObMakeTemporaryObject 80590930 5 Bytes JMP EF971CF6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntoskrnl.exe!ObInsertObject 805969F0 5 Bytes JMP EF973810 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntoskrnl.exe!ZwCreateProcessEx 805A4516 7 Bytes JMP EF974E5A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[172] kernel32.dll!GetBinaryTypeW + 80 77E9E4BA 1 Byte [62]
    .text C:\WINDOWS\System32\WgaTray.exe[300] kernel32.dll!GetBinaryTypeW + 80 77E9E4BA 1 Byte [62]
    .text C:\Documents and Settings\Jim\Desktop\61rlkzbc.exe[416] ntdll.dll!LdrLoadDll 77F56EA1 5 Bytes JMP 003701F8
    .text C:\Documents and Settings\Jim\Desktop\61rlkzbc.exe[416] ntdll.dll!LdrUnloadDll 77F607D6 5 Bytes JMP 003703FC
    .text C:\Documents and Settings\Jim\Desktop\61rlkzbc.exe[416] KERNEL32.dll!GetBinaryTypeW + 80 77E9E4BA 1 Byte [62]
    .text C:\Documents and Settings\Jim\Desktop\61rlkzbc.exe[416] USER32.dll!UnhookWindowsHookEx 77D4659A 5 Bytes JMP 003C0A08
    .text C:\Documents and Settings\Jim\Desktop\61rlkzbc.exe[416] USER32.dll!SetWindowsHookExA 77D48A34 5 Bytes JMP 003C0600
    .text C:\Documents and Settings\Jim\Desktop\61rlkzbc.exe[416] USER32.dll!SetWindowsHookExW 77D6731B 5 Bytes JMP 003C0804
    .text C:\Documents and Settings\Jim\Desktop\61rlkzbc.exe[416] USER32.dll!SetWinEventHook 77D80D24 5 Bytes JMP 003C01F8
    .text C:\Documents and Settings\Jim\Desktop\61rlkzbc.exe[416] USER32.dll!UnhookWinEvent 77D8A7E0 5 Bytes JMP 003C03FC
    .text C:\Documents and Settings\Jim\Desktop\61rlkzbc.exe[416] ADVAPI32.dll!SetServiceObjectSecurity 77E2BB58 5 Bytes JMP 003B1014
    .text C:\Documents and Settings\Jim\Desktop\61rlkzbc.exe[416] ADVAPI32.dll!ChangeServiceConfigA 77E2BC20 5 Bytes JMP 003B0804
    .text C:\Documents and Settings\Jim\Desktop\61rlkzbc.exe[416] ADVAPI32.dll!ChangeServiceConfigW 77E2BD97 5 Bytes JMP 003B0A08
    .text C:\Documents and Settings\Jim\Desktop\61rlkzbc.exe[416] ADVAPI32.dll!ChangeServiceConfig2A 77E2BE75 5 Bytes JMP 003B0C0C
    .text C:\Documents and Settings\Jim\Desktop\61rlkzbc.exe[416] ADVAPI32.dll!ChangeServiceConfig2W 77E2BEE0 5 Bytes JMP 003B0E10
    .text C:\Documents and Settings\Jim\Desktop\61rlkzbc.exe[416] ADVAPI32.dll!CreateServiceA 77E2BF4B 5 Bytes JMP 003B01F8
    .text C:\Documents and Settings\Jim\Desktop\61rlkzbc.exe[416] ADVAPI32.dll!CreateServiceW 77E2C0C8 5 Bytes JMP 003B03FC
    .text C:\Documents and Settings\Jim\Desktop\61rlkzbc.exe[416] ADVAPI32.dll!DeleteService 77E2C1B3 5 Bytes JMP 003B0600
    .text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!GetBinaryTypeW + 80 77E9E4BA 1 Byte [62]
    .text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!GetBinaryTypeW + 80 77E9E4BA 1 Byte [62]
    .text C:\WINDOWS\system32\services.exe[656] kernel32.dll!GetBinaryTypeW + 80 77E9E4BA 1 Byte [62]
    .text C:\WINDOWS\system32\lsass.exe[668] kernel32.dll!GetBinaryTypeW + 80 77E9E4BA 1 Byte [62]
    .text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe[720] kernel32.dll!GetBinaryTypeW + 80 77E9E4BA 1 Byte [62]
    .text ...
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1320] kernel32.dll!SetUnhandledExceptionFilter 77E99287 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1320] kernel32.dll!GetBinaryTypeW + 80 77E9E4BA 1 Byte [62]
    .text C:\WINDOWS\system32\spoolsv.exe[1364] kernel32.dll!GetBinaryTypeW + 80 77E9E4BA 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[1604] kernel32.dll!GetBinaryTypeW + 80 77E9E4BA 1 Byte [62]
    .text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[1616] kernel32.dll!GetBinaryTypeW + 80 77E9E4BA 1 Byte [62]
    .text C:\WINDOWS\system32\UStorSrv.exe[1672] kernel32.dll!GetBinaryTypeW + 80 77E9E4BA 1 Byte [62]
    .text C:\Program Files\Internet Explorer\iexplore.exe[3800] ntdll.dll!LdrLoadDll 77F56EA1 5 Bytes JMP 003701F8
    .text C:\Program Files\Internet Explorer\iexplore.exe[3800] ntdll.dll!LdrUnloadDll 77F607D6 5 Bytes JMP 003703FC
    .text C:\Program Files\Internet Explorer\iexplore.exe[3800] KERNEL32.dll!GetBinaryTypeW + 80 77E9E4BA 1 Byte [62]
    .text C:\Program Files\Internet Explorer\iexplore.exe[3800] USER32.dll!UnhookWindowsHookEx 77D4659A 5 Bytes JMP 03CF0A08
    .text C:\Program Files\Internet Explorer\iexplore.exe[3800] USER32.dll!SetWindowsHookExA 77D48A34 5 Bytes JMP 03CF0600
    .text C:\Program Files\Internet Explorer\iexplore.exe[3800] USER32.dll!SetWindowsHookExW 77D6731B 5 Bytes JMP 03CF0804
    .text C:\Program Files\Internet Explorer\iexplore.exe[3800] USER32.dll!SetWinEventHook 77D80D24 5 Bytes JMP 03CF01F8
    .text C:\Program Files\Internet Explorer\iexplore.exe[3800] USER32.dll!UnhookWinEvent 77D8A7E0 5 Bytes JMP 03CF03FC
    .text C:\Program Files\Internet Explorer\iexplore.exe[3800] ADVAPI32.dll!SetServiceObjectSecurity 77E2BB58 5 Bytes JMP 009A1014
    .text C:\Program Files\Internet Explorer\iexplore.exe[3800] ADVAPI32.dll!ChangeServiceConfigA 77E2BC20 5 Bytes JMP 009A0804
    .text C:\Program Files\Internet Explorer\iexplore.exe[3800] ADVAPI32.dll!ChangeServiceConfigW 77E2BD97 5 Bytes JMP 009A0A08
    .text C:\Program Files\Internet Explorer\iexplore.exe[3800] ADVAPI32.dll!ChangeServiceConfig2A 77E2BE75 5 Bytes JMP 009A0C0C
    .text C:\Program Files\Internet Explorer\iexplore.exe[3800] ADVAPI32.dll!ChangeServiceConfig2W 77E2BEE0 5 Bytes JMP 009A0E10
    .text C:\Program Files\Internet Explorer\iexplore.exe[3800] ADVAPI32.dll!CreateServiceA 77E2BF4B 5 Bytes JMP 009A01F8
    .text C:\Program Files\Internet Explorer\iexplore.exe[3800] ADVAPI32.dll!CreateServiceW 77E2C0C8 5 Bytes JMP 009A03FC
    .text C:\Program Files\Internet Explorer\iexplore.exe[3800] ADVAPI32.dll!DeleteService 77E2C1B3 5 Bytes JMP 009A0600

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[656] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00510002
    IAT C:\WINDOWS\system32\services.exe[656] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00510000
    IAT C:\Program Files\AVAST Software\Avast\avastUI.exe[1108] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
    IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1320] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

    Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

    ---- Files - GMER 1.0.15 ----

    File C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\9KTPFD13\trans[1].gif 44 bytes
    File C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\NCG41DFM\smartphone.png.pagespeed.ce.R07PkK73c-[1].png 954 bytes

    ---- EOF - GMER 1.0.15 ----
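    One way an analyst can triage the "System" (SSDT) section of a GMER log like the one above, as an added example that is not part of this thread or of GMER itself: it parses each SSDT line, groups hooks by the module that installed them, and lists hooks from modules not attributed to a known security vendor (here avast! and SUPERAntiSpyware), putting hooks on file/registry/process-enumeration syscalls first since those are the ones rootkits use for hiding. The vendor allowlist, the HIDING_FUNCS set and the last sample line (example_unknown.sys) are constructed assumptions for the example, not findings from this log.

```python
"""Triage helper for the 'SSDT' section of a GMER log (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# GMER prints one SSDT hook per line as:
#   SSDT <module path> (<description>/<vendor>) <Zw function> [<address>]
# The parenthesised part is absent when the module carries no version info.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<path>.+?)"
    r"(?:\s+\((?P<info>[^()]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$"
)

# Vendors that legitimately hook the SSDT on this machine (taken from the log
# above). Assumption for this example: any other vendor, or none, is unidentified.
KNOWN_VENDORS = {"AVAST Software", "SUPERAdBlocker.com and SUPERAntiSpyware.com"}

# Syscalls that rootkits classically hook to hide files, keys and processes.
HIDING_FUNCS = {"ZwQueryDirectoryFile", "ZwEnumerateKey",
                "ZwEnumerateValueKey", "ZwQuerySystemInformation"}


@dataclass(frozen=True)
class SsdtHook:
    path: str
    vendor: Optional[str]
    func: str
    addr: int


def parse_ssdt_hooks(log_text: str) -> List[SsdtHook]:
    """Return every SSDT hook in a GMER log, in file order."""
    hooks = []
    for line in log_text.splitlines():
        m = SSDT_RE.match(line.strip())
        if not m:
            continue  # not an SSDT line (headers, Code/IAT lines, blanks)
        info = m.group("info")
        vendor = info.rsplit("/", 1)[-1].strip() if info else None
        hooks.append(SsdtHook(m.group("path"), vendor, m.group("func"),
                              int(m.group("addr"), 16)))
    return hooks


def hooks_by_module(hooks: List[SsdtHook]) -> Dict[str, List[str]]:
    """Group hooked syscall names by the module that installed the hook."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for h in hooks:
        grouped[h.path].append(h.func)
    return dict(grouped)


def flag_unknown_hooks(hooks: List[SsdtHook], known_vendors=KNOWN_VENDORS) -> List[SsdtHook]:
    """Hooks not attributed to a known vendor, hiding-related syscalls first."""
    unknown = [h for h in hooks if h.vendor not in known_vendors]
    return sorted(unknown, key=lambda h: (h.func not in HIDING_FUNCS, h.func))


# Constructed sample: three lines in the shape of the log above plus one
# made-up hook from an unattributed driver (example_unknown.sys is fictional).
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xEF95BC22]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xEF95A3EC]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEFA37620]
SSDT \??\C:\WINDOWS\system32\drivers\example_unknown.sys ZwQueryDirectoryFile [0xF7A00000]

---- Kernel code sections - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    found = parse_ssdt_hooks(SAMPLE_GMER)
    for module, funcs in hooks_by_module(found).items():
        print(f"{module}: {len(funcs)} hook(s): {', '.join(funcs)}")
    for h in flag_unknown_hooks(found):
        print(f"REVIEW: {h.func} hooked at 0x{h.addr:08X} by {h.path} (vendor: {h.vendor})")
```

A hook from a known vendor is not proof of legitimacy on its own (the path should still match the product's install location), but separating attributed from unattributed hooks is the first cut an analyst makes on this section.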
     
  8. 2012/11/08
    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ============================================

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

    ==============================

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
     
  9. 2012/11/11
    oldmanjim Inactive Thread Starter
    Please forgive my tardiness.. working a lot... Just to let you know, Windows and Adobe updated just before I could run TDSSKiller.. it ran the Windows XP Service Pack 2 update.
     
  10. 2012/11/11
    oldmanjim

    oldmanjim Inactive Thread Starter

    Joined:
    2012/11/04
    Messages:
    55
    Likes Received:
    0
    The Windows update failed, saying something about a production key or validation key not being correct.

    TDSSKiller and RogueKiller both won't run: I click on them and they do not start. Should I run these in Safe Mode?
     
  11. 2012/11/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Yes you can.
     
  12. 2012/11/14
    oldmanjim

    oldmanjim Inactive Thread Starter

    Joined:
    2012/11/04
    Messages:
    55
    Likes Received:
    0
    Broni, I tried to run these two in Safe Mode and neither started. What can I do next?
     
  13. 2012/11/14
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Create a new restore point before proceeding with the next step....
    How to:
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    ==============================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done, Notepad will open with the rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
     
  14. 2012/11/16
    oldmanjim

    oldmanjim Inactive Thread Starter

    Joined:
    2012/11/04
    Messages:
    55
    Likes Received:
    0
    ComboFix 12-11-16.02 - Jim 04/11/2002 1:29.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.479.256 [GMT -7:00]
    Running from: c:\documents and settings\Jim\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\autorun.inf
    c:\documents and settings\All Users\Application Data\QTSBandwidthCache
    c:\documents and settings\Jim\Application Data\AdobeDLM.log
    c:\documents and settings\Jim\WINDOWS
    c:\program files\ahead\Nero\CDCopy.dll
    c:\program files\ahead\Nero\cdr100.dll
    c:\program files\ahead\Nero\cdr50s.dll
    c:\program files\ahead\Nero\CDROM.dll
    c:\program files\ahead\Nero\cdu920.dll
    c:\program files\ahead\Nero\cr2200cs.dll
    c:\program files\ahead\Nero\DVDR.dll
    c:\program files\ahead\Nero\Dws114x.dll
    c:\program files\ahead\Nero\Equalize.dll
    c:\program files\ahead\Nero\GENCUSH.dll
    c:\program files\ahead\Nero\Generatr.dll
    c:\program files\ahead\Nero\geniso.dll
    c:\program files\ahead\Nero\GenPCHy.dll
    c:\program files\ahead\Nero\GenUDF.dll
    c:\program files\ahead\Nero\image.dll
    c:\program files\ahead\Nero\ImageGen.dll
    c:\program files\ahead\Nero\ims.dll
    c:\program files\ahead\Nero\ISOFS.dll
    c:\program files\ahead\Nero\MMC.dll
    c:\program files\ahead\Nero\NeMP3Dmo.dll
    c:\program files\ahead\Nero\NeMP3Hlp.dll
    c:\program files\ahead\Nero\NeroDb.dll
    c:\program files\ahead\Nero\NeroErr.dll
    c:\program files\ahead\Nero\neroscsi.dll
    c:\program files\ahead\Nero\NeRSDB.dll
    c:\program files\ahead\Nero\newtrf.dll
    c:\program files\ahead\Nero\ro1420c.dll
    c:\program files\ahead\Nero\UDFImporter.dll
    c:\program files\ahead\Nero\VMPEGEnc.dll
    c:\windows\help\wmplayer.bak
    c:\windows\Readme.txt
    c:\windows\system32\dllcache\wmpvis.dll
    .
    Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected
    Restored copy from - c:\windows\SoftwareDistribution\Download\0f8b18aa20fa96676204a1511bfe7d2b\msgsvc.dll
    .
    c:\windows\system32\drivers\usbehci.sys was missing
    Restored copy from - c:\windows\SoftwareDistribution\Download\0f8b18aa20fa96676204a1511bfe7d2b\usbehci.sys
    .
    c:\windows\system32\drivers\intelppm.sys was missing
    Restored copy from - c:\windows\SoftwareDistribution\Download\0f8b18aa20fa96676204a1511bfe7d2b\intelppm.sys
    .
    .
    ((((((((((((((((((((((((( Files Created from 2002-03-11 to 2002-04-11 )))))))))))))))))))))))))))))))
    .
    .
    2008-02-19 03:21 . 2008-02-19 03:21 0 ----a-w- C:\LOG2E.tmp
    2008-01-09 04:31 . 2008-11-09 19:00 -------- d-----r- C:\$VAULT$.AVG
    2007-07-09 00:12 . 2007-07-09 00:35 -------- d-----w- C:\Software
    2005-12-01 01:40 . 2005-12-01 01:40 11817800 ----a-w- C:\GoogleEarth.exe
    2005-10-09 13:48 . 2005-10-09 13:48 2080964 ----a-w- C:\Imation Disk Manager IV.exe
    2005-02-07 02:36 . 2007-07-08 14:18 -------- d-----w- C:\Garmin
    2004-12-24 17:57 . 2004-12-24 18:05 20798256 ----a-w- C:\AdbeRdr70_enu_full.exe
    2004-12-24 17:54 . 2004-12-24 17:57 6811904 ----a-w- C:\psa2011se_us.exe
    2004-12-24 17:54 . 2004-12-24 17:54 494704 ----a-w- C:\ytb01_efgsip.exe
    2002-12-21 17:30 . 2003-06-06 03:17 -------- d-----w- C:\WUTemp
    2002-12-01 15:20 . 2002-12-04 03:24 -------- d-----w- C:\My Music
    2002-09-28 15:14 . 2002-09-28 15:14 -------- d-----w- C:\SIERRA
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-07 03:24 . 2007-07-03 02:25 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
    2009-08-07 03:24 . 2004-08-28 19:25 327896 ----a-w- c:\windows\system32\wucltui.dll
    2009-08-07 03:24 . 2004-08-28 19:25 209632 ----a-w- c:\windows\system32\wuweb.dll
    2009-08-07 03:24 . 2007-07-03 02:25 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
    2009-08-07 03:24 . 2005-05-26 11:16 44768 ----a-w- c:\windows\system32\wups2.dll
    2009-08-07 03:24 . 2004-08-28 19:25 35552 ----a-w- c:\windows\system32\wups.dll
    2009-08-07 03:24 . 2004-08-28 19:25 217816 ----a-w- c:\windows\system32\wuaucpl.cpl
    2009-08-07 03:24 . 2007-07-03 02:25 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
    2009-08-07 03:24 . 2002-04-13 00:15 53472 ----a-w- c:\windows\system32\wuauclt.exe
    2009-08-07 03:24 . 2001-08-23 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
    2009-08-07 03:24 . 2007-07-03 02:25 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
    2009-08-07 03:23 . 2004-08-28 19:25 575704 ----a-w- c:\windows\system32\wuapi.dll
    2009-08-07 03:23 . 2008-01-09 03:24 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
    2009-08-07 03:23 . 2008-01-09 03:24 274288 ----a-w- c:\windows\system32\mucltui.dll
    2009-08-07 03:23 . 2007-07-31 03:18 215920 ----a-w- c:\windows\system32\muweb.dll
    2009-08-07 03:23 . 2002-04-13 00:15 1929952 ----a-w- c:\windows\system32\wuaueng.dll
    2006-10-20 07:10 . 2007-10-03 00:52 80024 ----a-w- c:\windows\system32\PICSDK.dll
    2006-10-20 07:10 . 2007-10-03 00:52 501912 ----a-w- c:\windows\system32\PICSDK2.dll
    2006-10-20 07:10 . 2007-10-03 00:52 108704 ----a-w- c:\windows\system32\PICEntry.dll
    2005-05-26 11:16 . 2004-08-28 19:25 194328 ----a-w- c:\windows\system32\wuaueng1.dll
    2005-05-26 11:16 . 2004-08-28 19:25 172312 ----a-w- c:\windows\system32\wuauclt1.exe
    2005-05-03 20:58 . 2001-08-23 12:00 884736 ----a-w- c:\windows\system32\msimsg.dll
    2005-05-03 20:58 . 2001-08-23 12:00 78848 ----a-w- c:\windows\system32\msiexec.exe
    2005-05-03 20:58 . 2001-08-23 12:00 2890240 ----a-w- c:\windows\system32\msi.dll
    2005-05-03 20:58 . 2001-08-23 12:00 271360 ----a-w- c:\windows\system32\msihnd.dll
    2005-05-03 20:58 . 2001-08-23 12:00 15360 ----a-w- c:\windows\system32\msisip.dll
    2004-09-20 08:29 . 2008-11-09 20:14 139264 ----a-w- c:\windows\system32\UStorSrv.exe
    2004-09-20 08:13 . 2008-11-09 20:14 139264 ----a-w- c:\windows\system32\OPDSL.DLL
    2004-08-21 07:47 . 2004-08-21 07:47 316928 ----a-w- c:\windows\system32\zipfldr.dll
    2004-08-20 21:41 . 2004-08-20 21:41 37376 ----a-w- c:\windows\system32\ntlanman.dll
    2004-08-20 21:41 . 2004-08-20 21:41 15872 ----a-w- c:\windows\system32\linkinfo.dll
    2004-08-11 09:22 . 2004-08-11 09:22 828152 ----a-w- c:\windows\system32\wmv9dmod.dll
    2004-08-04 07:56 . 2004-01-25 03:22 33792 ----a-w- c:\windows\system32\msgsvc.dll
    2004-08-04 00:54 . 2001-08-23 12:00 1648384 ----a-w- c:\windows\system32\win32k.sys
    2004-07-29 06:19 . 2004-07-29 06:19 30720 ----a-w- c:\windows\system32\xpsp1hfm.exe
    2004-07-20 00:19 . 2006-01-02 02:27 285696 ----a-w- c:\windows\system32\kstvtune.ax
    2004-07-09 12:27 . 2006-01-02 02:27 470528 ----a-w- c:\windows\system32\qdvd.dll
    2004-07-09 12:27 . 2006-01-02 02:27 316928 ----a-w- c:\windows\system32\qdv.dll
    2004-07-09 12:26 . 2006-01-02 02:27 47104 ----a-w- c:\windows\system32\wstdecod.dll
    2004-07-09 12:26 . 2006-01-02 02:27 27648 ----a-w- c:\windows\system32\vbisurf.ax
    2004-07-09 12:26 . 2006-01-02 02:27 354816 ----a-w- c:\windows\system32\psisdecd.dll
    2004-07-09 12:26 . 2006-01-02 02:27 30208 ----a-w- c:\windows\system32\psisrndr.ax
    2004-07-09 12:26 . 2006-01-02 02:27 226304 ----a-w- c:\windows\system32\kswdmcap.ax
    2004-07-09 12:26 . 2006-01-02 02:27 57856 ----a-w- c:\windows\system32\mpeg2data.ax
    2004-07-09 12:26 . 2006-01-02 02:27 52224 ----a-w- c:\windows\system32\msdvbnp.ax
    2004-07-09 12:26 . 2006-01-02 02:27 39424 ----a-w- c:\windows\system32\ksxbar.ax
    2004-07-09 12:26 . 2006-01-02 02:27 16896 ----a-w- c:\windows\system32\msyuv.dll
    2004-07-09 12:26 . 2006-01-02 02:27 1230336 ----a-w- c:\windows\system32\msvidctl.dll
    2004-07-01 22:08 . 2004-08-28 19:28 331776 ----a-w- c:\windows\system32\winhttp.dll
    2004-07-01 22:08 . 2004-08-28 19:28 17408 ----a-w- c:\windows\system32\qmgrprxy.dll
    2004-07-01 22:08 . 2002-01-22 21:51 361984 ----a-w- c:\windows\system32\qmgr.dll
    2004-06-30 23:59 . 2004-08-28 19:28 158720 ------w- c:\windows\system32\xpob2res.dll
    2004-06-17 17:55 . 2004-06-17 17:55 23040 ----a-w- c:\windows\system32\vdmdbg.dll
    2004-06-17 17:55 . 2004-06-17 17:55 13312 ----a-w- c:\windows\system32\ntvdmd.dll
    2004-06-17 17:55 . 2001-08-23 12:00 528896 ----a-w- c:\windows\system32\user32.dll
    2004-06-17 17:55 . 2001-08-23 12:00 48128 ----a-w- c:\windows\system32\basesrv.dll
    2004-06-17 17:55 . 2001-08-23 12:00 272896 ----a-w- c:\windows\system32\winsrv.dll
    2004-06-17 17:55 . 2001-08-23 12:00 241664 ----a-w- c:\windows\system32\gdi32.dll
    2004-06-17 17:00 . 2001-08-17 13:48 1903872 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2004-06-17 17:00 . 2001-08-23 12:00 1881856 ----a-w- c:\windows\system32\ntoskrnl.exe
    2004-06-17 00:22 . 2004-06-17 00:22 16384 ----a-w- c:\windows\system32\nddenb32.dll
    2004-06-16 19:30 . 2004-06-16 19:30 107008 ----a-w- c:\windows\system32\netdde.exe
    2004-06-14 18:27 . 2001-08-23 12:00 395264 ----a-w- c:\windows\system32\ntvdm.exe
    2004-06-05 02:21 . 2004-06-05 02:21 245760 ----a-w- c:\windows\system32\wow32.dll
    2004-05-12 22:15 . 2001-08-23 12:00 430592 ----a-w- c:\windows\system32\winlogon.exe
    2004-05-12 16:49 . 2005-02-07 02:36 1089536 ------w- c:\windows\system32\ROBOEX32.DLL
    2004-04-09 19:56 . 2004-04-09 19:56 726528 ----a-w- c:\windows\pchealth\HELPCTR\Binaries\helpctr.exe
    2004-03-30 01:25 . 2001-08-23 12:00 136704 ----a-w- c:\windows\system32\schannel.dll
    2004-03-30 01:25 . 2004-06-11 04:36 550400 ----a-w- c:\windows\system32\rtcdll.dll
    2004-03-30 01:25 . 2001-08-23 12:00 969216 ----a-w- c:\windows\system32\msgina.dll
    2004-03-30 01:25 . 2001-08-23 12:00 51712 ----a-w- c:\windows\system32\msasn1.dll
    2004-03-30 01:25 . 2004-06-11 04:36 36864 ----a-w- c:\windows\system32\mf3216.dll
    2004-03-30 00:25 . 2001-08-23 12:00 648192 ----a-w- c:\windows\system32\lsasrv.dll
    2004-03-16 18:44 . 2004-06-11 04:34 30749 ----a-w- c:\windows\system32\vbajet32.dll
    2004-03-16 18:44 . 2004-06-11 04:34 1507356 ----a-w- c:\windows\system32\msjet40.dll
    2004-03-09 01:58 . 2004-12-11 17:10 646656 ----a-w- c:\windows\system32\sxs.dll
    2004-03-06 02:05 . 2004-06-11 04:35 97280 ----a-w- c:\windows\system32\txflog.dll
    2004-03-06 02:05 . 2004-06-11 04:35 214528 ----a-w- c:\windows\system32\rpcss.dll
    2004-03-06 02:05 . 2004-06-11 04:35 442880 ----a-w- c:\windows\system32\rpcrt4.dll
    2004-03-06 02:05 . 2004-06-11 04:35 1105408 ----a-w- c:\windows\system32\ole32.dll
    2004-03-06 02:05 . 2004-06-11 04:35 82432 ----a-w- c:\windows\system32\mtxoci.dll
    2004-03-06 02:05 . 2004-06-11 04:35 64512 ----a-w- c:\windows\system32\mtxclu.dll
    2004-03-06 02:05 . 2004-06-11 04:35 150528 ----a-w- c:\windows\system32\msdtcuiu.dll
    2004-03-06 02:05 . 2004-06-11 04:35 977920 ----a-w- c:\windows\system32\msdtctm.dll
    2004-03-06 02:05 . 2004-06-11 04:35 365568 ----a-w- c:\windows\system32\msdtcprx.dll
    2004-03-01 18:55 . 2004-06-11 04:34 348189 ----a-w- c:\windows\system32\msxbde40.dll
    2004-03-01 18:55 . 2004-06-11 04:34 614431 ----a-w- c:\windows\system32\mswstr10.dll
    2004-03-01 18:55 . 2004-06-11 04:34 831519 ----a-w- c:\windows\system32\mswdat10.dll
    2004-03-01 18:55 . 2004-06-11 04:34 552989 ----a-w- c:\windows\system32\msrepl40.dll
    2004-03-01 18:55 . 2004-06-11 04:34 258077 ----a-w- c:\windows\system32\mstext40.dll
    2004-03-01 18:55 . 2004-06-11 04:34 315423 ----a-w- c:\windows\system32\msrd3x40.dll
    2004-03-01 18:55 . 2004-06-11 04:34 421919 ----a-w- c:\windows\system32\msrd2x40.dll
    2004-03-01 18:55 . 2004-06-11 04:34 348189 ----a-w- c:\windows\system32\mspbde40.dll
    2004-03-01 18:55 . 2004-06-11 04:34 213023 ----a-w- c:\windows\system32\msltus40.dll
    2004-03-01 18:55 . 2004-06-11 04:34 241693 ----a-w- c:\windows\system32\msjtes40.dll
    2004-03-01 18:55 . 2004-06-11 04:34 53279 ----a-w- c:\windows\system32\msjter40.dll
    2004-03-01 18:55 . 2004-06-11 04:34 151583 ----a-w- c:\windows\system32\msjint40.dll
    2004-03-01 18:55 . 2004-06-11 04:34 319517 ----a-w- c:\windows\system32\msexcl40.dll
    2004-03-01 18:55 . 2004-06-11 04:34 512029 ----a-w- c:\windows\system32\msexch40.dll
    2004-03-01 18:52 . 2004-06-11 04:34 358976 ----a-w- c:\windows\system32\msjetoledb40.dll
    2001-08-23 12:00 94784 --sh--w- c:\windows\twain.dll
    2001-08-23 12:00 46592 --sh--w- c:\windows\twain_32.dll
    2001-08-23 12:00 995383 --sh--w- c:\windows\system32\mfc42.dll
    2001-08-23 12:00 50688 --sh--w- c:\windows\system32\msvcirt.dll
    2001-08-23 12:00 401462 --sh--w- c:\windows\system32\msvcp60.dll
    2001-08-23 12:00 322560 --sh--w- c:\windows\system32\msvcrt.dll
    2001-08-23 12:00 569344 --sh--w- c:\windows\system32\oleaut32.dll
    2001-08-23 12:00 106496 --sh--w- c:\windows\system32\olepro32.dll
    2001-08-23 12:00 9728 --sh--w- c:\windows\system32\regsvr32.exe
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [7] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\0f8b18aa20fa96676204a1511bfe7d2b\wscntfy.exe
    [7] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\wscntfy.exe
    .
    [7] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\0f8b18aa20fa96676204a1511bfe7d2b\xmlprov.dll
    [7] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\xmlprov.dll
    .
    [7] 2004-08-04 . D67BDBBDA86CC9AEEBBAF3217C1717D8 . 1689088 . . [5.03.2600.2180] . . c:\windows\SoftwareDistribution\Download\0f8b18aa20fa96676204a1511bfe7d2b\d3d9.dll
    [7] 2004-08-04 . D67BDBBDA86CC9AEEBBAF3217C1717D8 . 1689088 . . [5.03.2600.2180] . . c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\d3d9.dll
    [-] 2004-07-09 12:27 . 0E51BD586D186F61A9E4453DB8AEC774 . 1703936 . . [5.3.0000001.0904 built by: private/Lab06_dev(DXBLD00)] . . c:\windows\system32\d3d9.dll
    .
    c:\windows\System32\wscntfy.exe ... is missing !!
    c:\windows\System32\xmlprov.dll ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-13 2424560]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-11-05 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SiS7012Utility"="c:\windows\System32\SiSAudUt.exe" [2002-01-22 290816]
    "SiS Tray"="c:\windows\System32\sistray.EXE" [2001-12-24 327680]
    "SiS KHooker"="c:\windows\System32\khooker.exe" [2002-01-25 290816]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
    .
    c:\documents and settings\Jim\Start Menu\Programs\Startup\
    Reboot.exe [2002-3-20 382464]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/4/2012 8:58 PM 361032]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
    R2 ousbehci;%OWC_USBEHCD.DeviceDesc%;c:\windows\system32\drivers\ousbehci.sys [4/12/2002 4:25 PM 29568]
    R3 EnEDev;EnE Device Service;c:\windows\system32\drivers\EnEDev.sys [4/12/2002 5:32 PM 6101]
    R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [4/12/2002 4:25 PM 42752]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [4/12/2002 5:41 PM 166656]
    R3 WBFIRDMA;Winbond Infrared Device Driver;c:\windows\system32\drivers\wbfirdma.sys [4/12/2002 10:10 AM 35871]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ALG
    *NewlyCreated* - IPNAT
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2002-04-11 c:\windows\Tasks\avast! Emergency Update.job
    - c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-11-05 22:50]
    .
    2002-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-11-05 03:58]
    .
    2012-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-11-05 03:58]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://yahoo.com/
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    TCP: DhcpNameServer = 192.168.1.254
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-SSC_UserPrompt - c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    HKLM-Run-POINTER - point32.exe
    HKLM-Run-Microsoft Works Update Detection - c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    HKLM-Run-Homeland Network - c:\program files\HomelandNetwork\HomelandNetwork.exe
    HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
    SafeBoot-svcWRSSSDK
    AddRemove-HijackThis - d:\spyware_tools_2005\HijackThis.exe
    AddRemove-Homeland Network - c:\program files\HomelandNetwork\HomelandNetwork.exe
    AddRemove-MediaLoads - c:\program files\MediaLoads\v1\ml.exe
    AddRemove-U-Storage Service - c:\docume~1\Jim\LOCALS~1\Temp\U-Storage.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2002-04-11 01:51
    Windows 5.1.2600 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(608)
    c:\windows\system32\ODBC32.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    - - - - - - - > 'lsass.exe'(668)
    c:\windows\system32\RASAPI32.dll
    c:\windows\System32\dssenh.dll
    .
    - - - - - - - > 'explorer.exe'(1768)
    c:\windows\system32\RASAPI32.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\windows\System32\WgaTray.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\windows\system32\UStorSrv.exe
    c:\program files\Microsoft Hardware\Mouse\point32.exe
    .
    **************************************************************************
    .
    Completion time: 2002-04-11 02:00:07 - machine was rebooted
    ComboFix-quarantined-files.txt 2002-04-11 09:00
    .
    Pre-Run: 21,068,922,880 bytes free
    Post-Run: 21,406,085,120 bytes free
    .
    WinXP_EN_PRO_BF.EXE
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
    .
    - - End Of File - - EF0E9A0D441C7FF81DFA7ED3EF2FAEA6


    Broni, Avast popped up after the reboot with rootkit information, filename svc:catchme>c:\doc-1\jum\locals-1\...\catchme.ys

    It asked me what actions to take.. what should I do? I haven't run rKill yet..

    I'll wait for your reply to move forward
     
  15. 2012/11/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    That's a false positive. Do nothing about it.

    Please post a new aswMBR log.

    See if RogueKiller will run now.

    Then...

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
      Code:
      :filefind
      ntvdm.exe
      xmlprov.dll
      wscntfy.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  16. 2012/11/16
    oldmanjim

    oldmanjim Inactive Thread Starter

    Joined:
    2012/11/04
    Messages:
    55
    Likes Received:
    0
    aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
    Run date: 2002-04-11 03:25:47
    -----------------------------
    03:25:47.357 OS Version: Windows 5.1.2600
    03:25:47.357 Number of processors: 1 586 0x204
    03:25:47.387 ComputerName: WINDOWSXP UserName: Jim
    03:25:48.529 Initialize success
    03:25:49.190 AVAST engine defs: 12111600
    03:25:51.804 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    03:25:51.804 Disk 0 Vendor: IC25N040ATCS04-0 CA4OA71A Size: 38154MB BusType: 3
    03:25:51.834 Disk 0 MBR read successfully
    03:25:51.834 Disk 0 MBR scan
    03:25:51.834 Disk 0 Windows XP default MBR code
    03:25:51.844 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38146 MB offset 63
    03:25:51.854 Disk 0 scanning sectors +78124095
    03:25:51.974 Disk 0 scanning C:\WINDOWS\System32\drivers
    03:26:17.311 Service scanning
    03:26:49.016 Modules scanning
    03:27:30.826 Disk 0 trace - called modules:
    03:27:30.846 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
    03:27:30.846 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84fe1030]
    03:27:31.177 3 CLASSPNP.SYS[f7878ceb] -> nt!IofCallDriver -> \Device\0000005b[0x84fd5f18]
    03:27:31.177 5 ACPI.sys[f77c111b] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x84fe23f0]
    03:27:32.058 AVAST engine scan C:\WINDOWS
    03:27:48.412 AVAST engine scan C:\WINDOWS\system32
    03:30:37.314 File: C:\WINDOWS\system32\ntvdm.exe **INFECTED** Win32:Malware-gen
    03:32:25.310 AVAST engine scan C:\WINDOWS\system32\drivers
    03:32:53.090 AVAST engine scan C:\Documents and Settings\Jim
    03:35:19.480 AVAST engine scan C:\Documents and Settings\All Users
    03:39:00.868 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jim\Desktop\MBR.dat"
    03:39:00.878 The log file has been saved successfully to "C:\Documents and Settings\Jim\Desktop\aswMBR.txt"
     
  17. 2012/11/16
    oldmanjim

    oldmanjim Inactive Thread Starter

    Joined:
    2012/11/04
    Messages:
    55
    Likes Received:
    0
    RogueKiller still won't run.
     
  18. 2012/11/16
    oldmanjim

    oldmanjim Inactive Thread Starter

    Joined:
    2012/11/04
    Messages:
    55
    Likes Received:
    0
    SystemLook 30.07.11 by jpshortstuff
    Log created at 03:42 on 11/04/2002 by Jim
    Administrator - Elevation successful

    No Context: Code:

    ========== filefind ==========

    Searching for "ntvdm.exe"
    C:\WINDOWS\$hf_mig$\KB840987\SP1QFE\ntvdm.exe --a---- 396288 bytes [01:14 12/06/2004] [01:14 12/06/2004] 56318298C39D671D71E854874AC8FEFC
    C:\WINDOWS\$NtUninstallKB840987$\ntvdm.exe -----c- 395776 bytes [23:38 17/10/2004] [12:00 23/08/2001] DE167DCDF81675A589FACE70AF113D42
    C:\WINDOWS\LastGood\System32\ntvdm.exe --a---- 395776 bytes [23:38 17/10/2004] [12:00 23/08/2001] DE167DCDF81675A589FACE70AF113D42
    C:\WINDOWS\LastGood\System32\dllcache\ntvdm.exe --a---- 395776 bytes [23:38 17/10/2004] [12:00 23/08/2001] DE167DCDF81675A589FACE70AF113D42
    C:\WINDOWS\SoftwareDistribution\Download\0f8b18aa20fa96676204a1511bfe7d2b\ntvdm.exe --a---- 419840 bytes [04:33 12/11/2012] [07:56 04/08/2004] 0738F4B53D967E46CC5E51F84BC1EB39
    C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\ntvdm.exe --a---- 419840 bytes [07:56 04/08/2004] [07:56 04/08/2004] 0738F4B53D967E46CC5E51F84BC1EB39
    C:\WINDOWS\system32\ntvdm.exe --a---- 395264 bytes [12:00 23/08/2001] [18:27 14/06/2004] 751DED615BC10D3BA718B41C5CDCB93B
    C:\WINDOWS\system32\dllcache\ntvdm.exe --a--c- 395264 bytes [18:27 14/06/2004] [18:27 14/06/2004] 751DED615BC10D3BA718B41C5CDCB93B

    Searching for "xmlprov.dll"
    C:\WINDOWS\SoftwareDistribution\Download\0f8b18aa20fa96676204a1511bfe7d2b\xmlprov.dll --a---- 129536 bytes [04:37 12/11/2012] [07:56 04/08/2004] EEF46DAB68229A14DA3D8E73C99E2959
    C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\xmlprov.dll --a---- 129536 bytes [07:56 04/08/2004] [07:56 04/08/2004] EEF46DAB68229A14DA3D8E73C99E2959

    Searching for "wscntfy.exe "
    C:\WINDOWS\SoftwareDistribution\Download\0f8b18aa20fa96676204a1511bfe7d2b\wscntfy.exe --a---- 13824 bytes [04:36 12/11/2012] [07:56 04/08/2004] 49911DD39E023BB6C45E4E436CFBD297
    C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\wscntfy.exe --a---- 13824 bytes [07:56 04/08/2004] [07:56 04/08/2004] 49911DD39E023BB6C45E4E436CFBD297

    -= EOF =-
     
  19. 2012/11/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Open Windows Explorer. Go to Tools > Folder Options > View tab, put a checkmark next to Show hidden files and folders, and UN-check Hide protected operating system files.
    NOTE. Make sure to reverse the above changes when done with this step.
    Upload the following files to http://www.virustotal.com/ for a security check:
    - C:\WINDOWS\system32\ntvdm.exe
    IMPORTANT! If the file is listed as already analyzed, click on the Reanalyse file now button.
    Post the scan results.
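    Before uploading anything, the SystemLook filefind block in the previous post can already be triaged offline: the same filename appears in several places, and the interesting question is whether the in-use copy in system32 carries the same MD5 as the Windows File Protection copy in system32\dllcache and the service-pack backups. The parser below is an added example, not part of this thread or of SystemLook itself; it assumes the hit-line layout shown in the log above (path, attribute flags, size, created and modified timestamps, MD5) and embeds a few lines copied from that log as constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the SystemLook "filefind" block in the post above.
SYSTEMLOOK_LOG = r"""
========== filefind ==========
Searching for "ntvdm.exe "
C:\WINDOWS\$NtUninstallKB840987$\ntvdm.exe -----c- 395776 bytes [23:38 17/10/2004] [12:00 23/08/2001] DE167DCDF81675A589FACE70AF113D42
C:\WINDOWS\system32\ntvdm.exe --a---- 395264 bytes [12:00 23/08/2001] [18:27 14/06/2004] 751DED615BC10D3BA718B41C5CDCB93B
C:\WINDOWS\system32\dllcache\ntvdm.exe --a--c- 395264 bytes [18:27 14/06/2004] [18:27 14/06/2004] 751DED615BC10D3BA718B41C5CDCB93B
Searching for "xmlprov.dll "
C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\xmlprov.dll --a---- 129536 bytes [07:56 04/08/2004] [07:56 04/08/2004] EEF46DAB68229A14DA3D8E73C99E2959
-= EOF =-
"""
# One hit line: <path> <attrs> <size> bytes [created] [modified] <MD5>  (assumed layout)
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

def parse_filefind(text):
    """Return {basename: [entry, ...]} for every hit line in a filefind block."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if not m:
            continue  # section header, 'Searching for' lines, blanks, EOF marker
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].upper()
        name = entry["path"].rsplit("\\", 1)[-1].lower()
        hits[name].append(entry)
    return dict(hits)

def hash_variants(hits):
    """{basename: {md5: [paths]}}; more than one md5 means the copies on disk differ."""
    return {name: {md5: [e["path"] for e in entries if e["md5"] == md5]
                   for md5 in sorted({e["md5"] for e in entries})}
            for name, entries in hits.items()}

def live_matches_dllcache(hits, name):
    """True/False if the in-use system32 copy equals the WFP copy in dllcache; None if either is absent."""
    live = cache = None
    for e in hits.get(name, []):
        p = e["path"].lower()
        if p.endswith("\\system32\\dllcache\\" + name):
            cache = e["md5"]
        elif p.endswith("\\system32\\" + name):
            live = e["md5"]
    return None if live is None or cache is None else live == cache
```

    On the sample, ntvdm.exe shows two distinct hashes (the KB840987 backup versus the current file) while the system32 and dllcache copies agree, which is why a reputation check of the live copy is the natural next step rather than a guess from the log alone.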
     
  20. 2012/11/20
    oldmanjim

    oldmanjim Inactive Thread Starter

    Joined:
    2012/11/04
    Messages:
    55
    Likes Received:
    0
    I tried to check that file, but that site wants me to update to a higher Windows... I tried to update to Windows 8, but of course as I try to do that I get errors because I'm on Service Pack 1. Please advise me on what to try next.
     
  21. 2012/11/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Impossible.

    Upload the file(s) here: http://uploadmb.com/
    Copy the link inside the Direct Link box and post it in your next reply.
     