
Inactive [InActive] Possibly the worst attack I have ever had

Discussion in 'Malware and Virus Removal Archive' started by fuzzo, 2009/01/13.

  1. 2009/01/13
    fuzzo

    fuzzo Inactive Thread Starter

    Joined:
    2009/01/13
    Messages:
    8
    Likes Received:
    0
    I have been told that it would be a good idea to come here for a bit of expert help on a massive malware/virus attack I have experienced.

    Unfortunately, while browsing the internet on someone else's computer I visited a severely dangerous site, and have infected the computer to the high heavens (they had no preventative measures in place, but I still feel responsible).

    So here's the deal:

    I reinstalled Windows, and with the new install ran NOD32, which picked up a few viruses and removed them; on restart I had problems with explorer.exe running as well as regedit.exe being disabled.

    So I'm now at a point where both are enabled, however explorer is restarting over and over again - I did a search but thought it might be better to post my own circumstances. Unfortunately the malware is preventing me from installing HijackThis (with this I could probably resolve the issue, but without I'm stuffed).

    Any help on this would be great.

    All the best,
    Matt.
     
  2. 2009/01/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS Matt :)

    Please download DDS and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop.

    Please include the contents of the following in your next reply:

    DDS.txt

    I may ask for the Attach.txt log later, so keep it handy.
     


  4. 2009/01/13
    fuzzo

    fuzzo Inactive Thread Starter

    Joined:
    2009/01/13
    Messages:
    8
    Likes Received:
    0
    The link provided ( http://download.bleepingcomputer.com/sUBs/dds.scr )

    Brings the following error:

    Connection Interrupted

    The connection to the server was reset while the page was loading.

    The network link was interrupted while negotiating a connection. Please try again.

    Thanks, Matt.
     
  5. 2009/01/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Let's see if this works. Download RootRepeal to your Desktop.
    • Extract the compressed file to its own folder.
    • Open the folder and double-click on RootRepeal.exe to run it.
    • Click on the Report tab, and then click on: Scan
    • A window opens asking what to include in the scan.
    • Check the following boxes then click OK:
      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
    • You will then be asked which drive to scan.
    • Check C: (or the drive your operating system is installed on, if not C)
    • Click OK once again.
    The tool will begin scanning and may take a while to complete, so please be patient.

    When the scan finishes, click on: Save Report
    Name the log RootRepeal.txt and save it to your Documents folder (it should default there).

    Post the contents of the report in a reply here.
     
  6. 2009/01/14
    fuzzo

    fuzzo Inactive Thread Starter

    Joined:
    2009/01/13
    Messages:
    8
    Likes Received:
    0
    Okay, after trying hard I finally got the report you were looking for (there were a couple of errors that came up, something about CHKDSK and not being able to save).

    ROOTREPEAL (c) AD, 2007-2008
    ==================================================
    Scan Time: 2009/01/14 18:45
    Program Version: Version 1.2.3.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_nvata.sys
    Image Path: D:\WINDOWS\System32\Drivers\dump_nvata.sys
    Address: 0xB97DC000 Size: 106496 File Visible: No
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: D:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xBADC0000 Size: 8192 File Visible: No
    Status: -

    Name: PCI_PNP8166
    Image Path: \Driver\PCI_PNP8166
    Address: 0x00000000 Size: 0 File Visible: No
    Status: -

    Name: rootrepeal.sys
    Image Path: D:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xB8ACB000 Size: 45056 File Visible: No
    Status: -

    Name: spov.sys
    Image Path: spov.sys
    Address: 0xBA6A7000 Size: 1048576 File Visible: No
    Status: -

    Name: sptd
    Image Path: \Driver\sptd
    Address: 0x00000000 Size: 0 File Visible: No
    Status: -

    Name: TDSSpplt.sys
    Image Path: D:\WINDOWS\system32\drivers\TDSSpplt.sys
    Address: 0xB9A5D000 Size: 73728 File Visible: -
    Status: Hidden from Windows API!

    Hidden/Locked Files
    -------------------
    Path: D:\meshes\Weapons\RD
    Status: Locked to the Windows API!

    Path: D:\meshes\Weapons\realumbra
    Status: Locked to the Windows API!

    SSDT
    -------------------
    #: 035 Function Name: NtCreateEvent
    Status: Hooked by "D:\WINDOWS\System32\drivers\e910c845.sys" at address 0xba9f1215

    #: 041 Function Name: NtCreateKey
    Status: Hooked by "D:\WINDOWS\System32\drivers\e910c845.sys" at address 0xba9ef305

    #: 071 Function Name: NtEnumerateKey
    Status: Hooked by "spov.sys" at address 0xba6c6ca2

    #: 073 Function Name: NtEnumerateValueKey
    Status: Hooked by "spov.sys" at address 0xba6c7030

    #: 119 Function Name: NtOpenKey
    Status: Hooked by "D:\WINDOWS\System32\drivers\e910c845.sys" at address 0xba9ef3b9

    #: 160 Function Name: NtQueryKey
    Status: Hooked by "spov.sys" at address 0xba6c7108

    #: 177 Function Name: NtQueryValueKey
    Status: Hooked by "spov.sys" at address 0xba6c6f88

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "spov.sys" at address 0xba6c719a

    Stealth Objects
    -------------------
    Object: Hidden Module [Name: TDSSnrse.dll]
    Process: winlogon.exe (PID: 912) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnrse.dll]
    Process: services.exe (PID: 956) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnrse.dll]
    Process: lsass.exe (PID: 972) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSoity.dll]
    Process: svchost.exe (PID: 1128) Address: 0x00870000 Size: 81920

    Object: Hidden Module [Name: TDSSnrse.dll]
    Process: svchost.exe (PID: 1128) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnrse.dll]
    Process: svchost.exe (PID: 1416) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnrse.dll]
    Process: spoolsv.exe (PID: 1788) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnrse.dll]
    Process: RTHDCPL.EXE (PID: 324) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnrse.dll]
    Process: egui.exe (PID: 400) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnrse.dll]
    Process: winlogin.exe (PID: 412) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnrse.dll]
    Process: winlogin.exe (PID: 420) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnrse.dll]
    Process: csrssc.exe (PID: 432) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnrse.dll]
    Process: msmsgs.exe (PID: 460) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnrse.dll]
    Process: ekrn.exe (PID: 632) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnrse.dll]
    Process: WinRAR.exe (PID: 3372) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnrse.dll]
    Process: RootRepeal.exe (PID: 3396) Address: 0x10000000 Size: 126976

    Object: Hidden Code [ETHREAD: 0x8a08e248]
    Process: System Address: 0xb9a5fd66 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
    Process: System Address: 0x8a3051f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
    Process: System Address: 0x8a3051f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
    Process: System Address: 0x8a3051f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x8a3051f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x8a3051f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
    Process: System Address: 0x8a3051f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
    Process: System Address: 0x8a3051f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x8a3051f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x8a3051f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x8a3051f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x8a3051f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x8a3051f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x8a3051f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x8a3051f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x8a3051f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
    Process: System Address: 0x8a3051f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0x8a3051f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
    Process: System Address: 0x8a3051f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0x8a3051f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
    Process: System Address: 0x8a3051f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
    Process: System Address: 0x8a3051f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE_NAMED_PIPE]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_CLOSE]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_READ]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_WRITE]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_EA]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_SET_EA]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_CLEANUP]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE_MAILSLOT]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_SET_SECURITY]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_POWER]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_DEVICE_CHANGE]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_SET_QUOTA]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_PNP]
    Process: System Address: 0x8a3061f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
    Process: System Address: 0x8a0f71f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
    Process: System Address: 0x8a0f71f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
    Process: System Address: 0x8a0f71f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
    Process: System Address: 0x8a0f71f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x8a0f71f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x8a0f71f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x8a0f71f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x8a0f71f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
    Process: System Address: 0x8a0f71f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x8a0f71f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
    Process: System Address: 0x8a0f71f8 Size: -

    Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
    Process: System Address: 0x8a0fa1f8 Size: -

    Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
    Process: System Address: 0x8a0fa1f8 Size: -

    Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x8a0fa1f8 Size: -

    Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x8a0fa1f8 Size: -

    Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
    Process: System Address: 0x8a0fa1f8 Size: -

    Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x8a0fa1f8 Size: -

    Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
    Process: System Address: 0x8a0fa1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
    Process: System Address: 0x8a3071f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
    Process: System Address: 0x8a3071f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
    Process: System Address: 0x8a3071f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x8a3071f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x8a3071f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x8a3071f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x8a3071f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
    Process: System Address: 0x8a3071f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
    Process: System Address: 0x8a3071f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x8a3071f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
    Process: System Address: 0x8a3071f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
    Process: System Address: 0x8a0dd1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
    Process: System Address: 0x8a0dd1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x8a0dd1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x8a0dd1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
    Process: System Address: 0x8a0dd1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
    Process: System Address: 0x8a0dd1f8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
    Process: System Address: 0x8a0f83e8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
    Process: System Address: 0x8a0f83e8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x8a0f83e8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x8a0f83e8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
    Process: System Address: 0x8a0f83e8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x8a0f83e8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
    Process: System Address: 0x8a0f83e8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
    Process: System Address: 0x88f8c1f8 Size: -

    Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_CREATE]
    Process: System Address: 0x8a1e61f8 Size: -

    Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_CLOSE]
    Process: System Address: 0x8a1e61f8 Size: -

    Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_READ]
    Process: System Address: 0x8a1e61f8 Size: -

    Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x8a1e61f8 Size: -

    Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x8a1e61f8 Size: -

    Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x8a1e61f8 Size: -

    Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x8a1e61f8 Size: -

    Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x8a1e61f8 Size: -

    Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x8a1e61f8 Size: -

    Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x8a1e61f8 Size: -

    Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x8a1e61f8 Size: -

    Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_CLEANUP]
    Process: System Address: 0x8a1e61f8 Size: -

    Object: Hidden Code [Driver: Cdfs؅ఉ瑎捦܉@考, IRP_MJ_PNP]
    Process: System Address: 0x8a1e61f8 Size: -

    Hidden Services
    -------------------
    Service Name: e910c845
    Image Path: D:\WINDOWS\System32\drivers\e910c845.sys

    Service Name: TDSSserv.sys
    Image Path: D:\WINDOWS\system32\drivers\TDSSpplt.sys
     
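The RootRepeal report above is long, but the findings that matter for diagnosis sit in a few sections. The following Python is an added example, not part of the thread or of RootRepeal itself: it parses a constructed excerpt of the posted report and collects the rootkit indicators (a driver hidden from the Windows API, SSDT hooks by drivers other than RootRepeal and, as an assumption, the SPTD layer spov.sys, one hidden module injected into system processes, and a hidden service). Call triage(SAMPLE_REPORT) to see the result.

```python
# Added example (not RootRepeal's own code; RootRepeal is a closed GUI tool):
# triage a RootRepeal report and pull out the findings that together point at
# a kernel-mode rootkit. SAMPLE_REPORT is a constructed excerpt of the log
# posted in this thread.
import re
from collections import defaultdict

SAMPLE_REPORT = r"""
Drivers
-------------------
Name: rootrepeal.sys
Image Path: D:\WINDOWS\system32\drivers\rootrepeal.sys
Status: -

Name: TDSSpplt.sys
Image Path: D:\WINDOWS\system32\drivers\TDSSpplt.sys
Status: Hidden from Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "D:\WINDOWS\System32\drivers\e910c845.sys" at address 0xba9ef305

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spov.sys" at address 0xba6c6ca2

Stealth Objects
-------------------
Object: Hidden Module [Name: TDSSnrse.dll]
Process: winlogon.exe (PID: 912) Address: 0x10000000 Size: 126976

Object: Hidden Module [Name: TDSSnrse.dll]
Process: services.exe (PID: 956) Address: 0x10000000 Size: 126976

Hidden Services
-------------------
Service Name: e910c845
Image Path: D:\WINDOWS\System32\drivers\e910c845.sys
"""

SECTIONS = {"Drivers", "Hidden/Locked Files", "SSDT", "Stealth Objects", "Hidden Services"}
# SSDT hookers this box is expected to show: RootRepeal's own driver and (assumption)
# spov.sys, the SPTD disc-emulation layer hooking the registry calls in the posted log.
EXPECTED_HOOKERS = {"rootrepeal.sys", "spov.sys"}
HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
FUNC_RE = re.compile(r"Function Name: (\S+)")
MODULE_RE = re.compile(r"Hidden Module \[Name: ([^\]]+)\]")
PROCESS_RE = re.compile(r"^Process: (.+?) \(PID: \d+\)", re.M)

def split_records(report):
    """Yield (section, lines) for every blank-line-separated record."""
    section, record = None, []
    for raw in report.splitlines() + [""]:
        line = raw.strip()
        if line in SECTIONS:
            section, record = line, []
        elif line.startswith(("---", "===")):
            continue
        elif line:
            record.append(line)
        elif record and section:
            yield section, record
            record = []
        else:
            record = []

def field(record, key):
    """Value of the first 'Key: value' line in a record, or None."""
    for line in record:
        if line.startswith(key + ":"):
            return line[len(key) + 1:].strip()
    return None

def triage(report):
    """Collect the rootkit indicators from a RootRepeal report."""
    hidden_drivers, hooks, services, modules = [], [], [], defaultdict(set)
    for section, rec in split_records(report):
        text = "\n".join(rec)
        if section == "Drivers" and "Hidden from Windows API" in text:
            hidden_drivers.append(field(rec, "Image Path"))
        elif section == "SSDT":
            hook = HOOK_RE.search(text)
            if hook and hook.group(1).rsplit("\\", 1)[-1].lower() not in EXPECTED_HOOKERS:
                hooks.append((FUNC_RE.search(text).group(1), hook.group(1), hook.group(2)))
        elif section == "Stealth Objects":
            mod, proc = MODULE_RE.search(text), PROCESS_RE.search(text)
            if mod and proc:
                modules[mod.group(1)].add(proc.group(1))
        elif section == "Hidden Services":
            services.append((field(rec, "Service Name"), field(rec, "Image Path")))
    # One hidden module sitting in winlogon.exe, services.exe and every other process
    # is the injection pattern to look for, so modules are reported by process set.
    return {"hidden_drivers": hidden_drivers, "ssdt_hooks": hooks,
            "hidden_services": services,
            "injected_modules": {m: sorted(p) for m, p in modules.items()}}
```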
  7. 2009/01/14
    fuzzo

    fuzzo Inactive Thread Starter

    Joined:
    2009/01/13
    Messages:
    8
    Likes Received:
    0
    Also, I was able to install HijackThis, and this is the report:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:03:42 PM, on 1/14/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\RTHDCPL.EXE
    D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    D:\WINDOWS\TEMP\winlogin.exe
    D:\WINDOWS\TEMP\winlogin.exe
    D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    D:\Program Files\WinRAR\WinRAR.exe
    D:\DOCUME~1\Matt\LOCALS~1\Temp\csrssc.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\WINDOWS\system32\taskmgr.exe
    D:\WINDOWS\system32\imapi.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: (no name) - {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - D:\WINDOWS\system32\hGvVOGYs.dll
    O2 - BHO: D:\WINDOWS\system32\hgfdge4unjdfdg.dll - {c5bf49a2-94f3-42bd-f434-3604812c8955} - D:\WINDOWS\system32\hgfdge4unjdfdg.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] D:\WINDOWS\TEMP\winlogin.exe
    O4 - HKCU\..\Run: [jsf8uiw3jnjgffght] D:\WINDOWS\TEMP\winlogin.exe
    O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] D:\DOCUME~1\Matt\LOCALS~1\Temp\csrssc.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: hGvVOGYs - D:\WINDOWS\SYSTEM32\hGvVOGYs.dll
    O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - D:\WINDOWS\system32\hgfdge4unjdfdg.dll
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

    --
    End of file - 2650 bytes
     
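The HijackThis log above shows the user-mode side of the same infection. As an added example (not HijackThis's own code, and not from the thread), the following Python parses a constructed excerpt of that log and flags the entries a helper would ask about: processes and O4 Run entries launched from TEMP directories, the O7 policy that disables regedit, the unnamed O2 BHO, and the O20/O22 DLL entries.

```python
# Added example, not HijackThis's own code: scan a HijackThis log for the
# autostart patterns visible in this thread (executables running or
# autostarting from TEMP directories, a policy that disables a user tool,
# unnamed BHOs, and Winlogon Notify / SharedTaskScheduler DLLs, which load
# at every logon). SAMPLE_LOG is a constructed excerpt of the log posted above.
import re

SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\TEMP\winlogin.exe
D:\DOCUME~1\Matt\LOCALS~1\Temp\csrssc.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - D:\WINDOWS\system32\hGvVOGYs.dll
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] D:\WINDOWS\TEMP\winlogin.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] D:\DOCUME~1\Matt\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: hGvVOGYs - D:\WINDOWS\SYSTEM32\hGvVOGYs.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - D:\WINDOWS\system32\hgfdge4unjdfdg.dll
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

TEMP_DIR_RE = re.compile(r"\\te?mp\\", re.I)        # ...\TEMP\ or ...\Temp\ anywhere in a path
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\\S+)')  # quoted path, or bare drive-letter path

def parse_log(log):
    """Return (running_processes, [(code, body), ...]) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
        elif not line:
            in_procs = False
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return processes, entries

def command_path(command):
    """First executable path in an O4 command line, quoted or bare."""
    m = PATH_RE.search(command)
    return (m.group(1) or m.group(2)) if m else None

def triage(log):
    """Return (code, line, reason) for every log line that deserves a human look."""
    processes, entries = parse_log(log)
    flags = [("process", p, "running from a temp directory")
             for p in processes if TEMP_DIR_RE.search(p)]
    for code, body in entries:
        if code == "O4":
            # body is 'HKLM\..\Run: [value name] command line'
            path = command_path(body.split("] ", 1)[-1]) or ""
            if TEMP_DIR_RE.search(path):
                flags.append((code, body, "autostart from a temp directory"))
        elif code == "O2" and "(no name)" in body:
            flags.append((code, body, "unnamed browser helper object"))
        elif code == "O7" and "Disable" in body:
            flags.append((code, body, "policy disables a user tool (regedit/taskmgr)"))
        elif code in ("O20", "O22"):
            flags.append((code, body, "DLL loaded at every logon; verify the file"))
    return flags

if __name__ == "__main__":
    for code, line, reason in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}: {line}")
```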
  8. 2009/01/14
    CUISTech

    CUISTech Inactive

    Joined:
    2008/10/28
    Messages:
    419
    Likes Received:
    1
    Going to show my ignorance here, but since it's technically on-topic...

    The only malware I've personally encountered that stays after a reinstall is something that corrupts the MBR. What kind of malware can survive a format of the HD and a reinstall of the OS?

    I've found one or two references on Google, but it's people on message boards complaining of a lingering infection, rather than a rundown of threats likely to cause the problem. Anyone have a reference handy?
     
  9. 2009/01/14
    fuzzo

    fuzzo Inactive Thread Starter

    Joined:
    2009/01/13
    Messages:
    8
    Likes Received:
    0
    Just a quick update:

    I have now got a stable-ish system running (explorer etc. is fine, as is regedit). I downloaded RegCure to see if there were any registry problems and it seems there are; however, I cannot finish the scan without the blue SOD, which makes me think some of my memory must be corrupt.

    Anyways, here is an updated scan from HijackThis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:53:37 AM, on 1/15/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\RTHDCPL.EXE
    D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\Bonjour\mDNSResponder.exe
    D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\WINDOWS\system32\rundll32.exe
    D:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\Adobe\Adobe Illustrator CS3\Support Files\Contents\Windows\Illustrator.exe
    D:\Program Files\Trillian\trillian.exe
    D:\WINDOWS\system32\wpabaln.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [Adobe_ID0EYTHM] D:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: append to existing pdf - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: convert link target to adobe pdf - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: convert link target to existing pdf - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: convert selected links to adobe pdf - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: convert selected links to existing pdf - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: convert selection to adobe pdf - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: convert selection to existing pdf - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: convert to adobe pdf - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O23 - Service: Adobe Version Cue CS3 (adobe version cue cs3) - Adobe Systems Incorporated - D:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (bonjour service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: FLEXnet Licensing Service (flexnet licensing service) - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 4705 bytes

    Also, I have tried reinstalling Firefox, but I still cannot browse the internet without it denying me certain pages such as searches in Google etc.

    Any more help would be greatly appreciated.

    All the best, Matt.
     
  10. 2009/01/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please do not run any other tools (e.g. RegCure, etc.) unless instructed, until we get your infections cleaned up. That could cause unexpected and possibly unwanted (harmful) changes. Thanks.


    Run RootRepeal again and select the Drivers tab, then click Scan.
    Locate the following file in the list.

    D:\WINDOWS\system32\drivers\TDSSpplt.sys

    Click the entry once to select it, then right click and select Dump File.
    Right click again and select Force Delete.
    Reboot the machine when done.

    After reboot run another RootRepeal scan with the Drivers tab selected.
    If the above file remains, select it, right click on it and select Wipe File, then reboot once more.

    When the file is absent in the Drivers scan, see if you can download and run ComboFix as outlined below.


    Download ComboFix by sUBs from here, saving the file to your desktop.


    Disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    **NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.
     
  11. 2009/01/14
    fuzzo

    fuzzo Inactive Thread Starter

    Joined:
    2009/01/13
    Messages:
    8
    Likes Received:
    0
    Okay, I have tried to get rid of the file you told me about, using both methods; neither has worked, and when I used 'Wipe File' the computer crashes every time.

    It took me 30 minutes to get logged into Windows there; it seems to freeze on the 'welcome' screen, and sometimes it is just a black screen, then the mouse/keyboard stops responding.

    Any other suggestions?
     
  12. 2009/01/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Click here to download a renamed ComboFix and select Save.
    Save it to your desktop and run it as described above.

    Edit: link removed
     
  13. 2009/01/14
    fuzzo

    fuzzo Inactive Thread Starter

    Joined:
    2009/01/13
    Messages:
    8
    Likes Received:
    0
    Thanks so much for the link.

    Here is the completed log file:

    ComboFix 09-01-13.04 - Matt 2009-01-15 2:31:48.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2484 [GMT 0:00]
    Running from: d:\documents and settings\Matt\Desktop\panthro.exe
    AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    d:\program files\Microsoft Common
    d:\temp\1cb
    d:\temp\1cb\syscheck.log
    d:\windows\system32\axygyaem.dll
    d:\windows\system32\bbgoaqtp.dll
    d:\windows\system32\drivers\TDSSpplt.sys
    d:\windows\system32\fMnWxGgh.ini
    d:\windows\system32\fMnWxGgh.ini2
    d:\windows\system32\hgGxWnMf.dll
    d:\windows\system32\hGvVOGYs.dll
    d:\windows\system32\lsqbcl.dll
    d:\windows\system32\meaygyxa.ini
    d:\windows\system32\mmjjknug.dll
    d:\windows\system32\msqacjjo.dll
    d:\windows\system32\nyqwyl.dll
    d:\windows\system32\rbvnqyfu.ini
    d:\windows\system32\TDSSciou.log
    d:\windows\system32\TDSSfpmp.dll
    d:\windows\system32\TDSSlbqp.dll
    d:\windows\system32\TDSSmqxt.dat
    d:\windows\system32\TDSSnmxh.log
    d:\windows\system32\TDSSnrse.dll
    d:\windows\system32\TDSSoiqh.dll
    d:\windows\system32\TDSSoity.dll
    d:\windows\system32\TDSSosvn.dll
    d:\windows\system32\TDSSsbhc.log
    d:\windows\system32\ufyqnvbr.dll
    d:\windows\system32\wurimyps.dll

    ----- BITS: Possible infected sites -----

    hxxp://joeblack.fileave.com
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_TDSSSERV.SYS
    -------\Legacy_TDSSSERV.SYS


    ((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
    .

    2009-01-15 00:12 . 2009-01-15 00:12 <DIR> d-------- d:\program files\RegCure
    2009-01-15 00:00 . 2009-01-15 00:00 <DIR> d---s---- d:\documents and settings\Matt\UserData
    2009-01-14 21:55 . 2008-04-14 05:41 79,360 --a------ d:\windows\system32\CNBJMON2.DLL
    2009-01-14 21:55 . 2001-07-21 18:52 33,489 --a------ d:\windows\system32\CNBJHLP2.HLP
    2009-01-14 21:55 . 2001-07-21 18:52 1,075 --a------ d:\windows\system32\CNBJHLP2.CNT
    2009-01-14 19:43 . 2009-01-14 19:43 <DIR> d-------- d:\documents and settings\All Users\Application Data\FLEXnet
    2009-01-14 19:35 . 2009-01-14 19:35 <DIR> d-------- d:\program files\Common Files\Control Panels
    2009-01-14 19:33 . 2009-01-14 19:33 <DIR> d-------- d:\documents and settings\All Users\Application Data\ALM
    2009-01-14 19:26 . 2009-01-14 19:26 <DIR> d-------- d:\program files\QuickTime
    2009-01-14 19:22 . 2007-02-20 16:04 2,463,976 --a------ d:\windows\system32\NPSWF32.dll
    2009-01-14 19:22 . 2007-02-20 16:04 190,696 --a------ d:\windows\system32\NPSWF32_FlashUtil.exe
    2009-01-14 19:18 . 2009-01-14 19:18 <DIR> d-------- d:\program files\Bonjour
    2009-01-14 19:15 . 2009-01-14 19:15 <DIR> d-------- d:\program files\Common Files\Macrovision Shared
    2009-01-14 19:14 . 2009-01-14 19:36 <DIR> d-------- d:\program files\Common Files\Adobe
    2009-01-14 19:11 . 2008-12-26 00:08 206,755 --a------ d:\windows\system32\nvapps.nvb
    2009-01-14 19:08 . 2009-01-14 19:08 <DIR> d-------- d:\windows\system32\AGEIA
    2009-01-14 19:08 . 2009-01-14 19:08 <DIR> d-------- d:\program files\Common Files\Wise Installation Wizard
    2009-01-14 19:08 . 2009-01-14 19:08 <DIR> d-------- d:\program files\AGEIA Technologies
    2009-01-14 19:07 . 2009-01-14 19:13 <DIR> d-------- d:\windows\nview
    2009-01-14 19:07 . 2008-12-26 00:08 453,152 --a------ d:\windows\system32\nvudisp.exe
    2009-01-14 19:07 . 2009-01-15 02:38 200,790 --a------ d:\windows\system32\nvapps.xml
    2009-01-14 19:07 . 2008-12-26 00:08 18,725 --a------ d:\windows\system32\nvdisp.nvu
    2009-01-14 19:03 . 2009-01-14 19:03 <DIR> d-------- d:\program files\Trend Micro
    2009-01-14 18:39 . 2009-01-14 18:39 <DIR> d-------- D:\ebc005cadc6a5060eb122d4d
    2009-01-14 01:28 . 2009-01-14 01:28 <DIR> d-------- d:\windows\system32\Lang
    2009-01-14 01:28 . 2009-01-14 01:28 940,794 --a------ d:\windows\system32\LoopyMusic.wav
    2009-01-14 01:28 . 2009-01-14 01:28 146,650 --a------ d:\windows\system32\BuzzingBee.wav
    2009-01-14 00:00 . 2009-01-15 02:38 100,588 --a------ d:\windows\system32\drivers\e910c845.sys
    2009-01-13 23:59 . 2009-01-13 23:59 46,592 --a------ d:\windows\system32\gebcaAss.dll
    2009-01-13 23:59 . 2008-03-03 14:25 5,702 --ah----- d:\windows\nod32restoretemdono.reg
    2009-01-13 23:59 . 2008-03-03 18:21 568 --ah----- d:\windows\nod32fixtemdono.reg
    2009-01-13 23:58 . 2009-01-14 19:12 664 --a------ d:\windows\system32\d3d9caps.dat
    2009-01-13 23:55 . 2009-01-15 01:26 <DIR> d-------- d:\program files\Trillian
    2009-01-13 23:55 . 2009-01-13 23:55 <DIR> d-------- d:\program files\ESET
    2009-01-13 23:55 . 2009-01-13 23:55 <DIR> d-------- d:\documents and settings\Matt\Application Data\DAEMON Tools Lite
    2009-01-13 23:55 . 2009-01-13 23:55 <DIR> d-------- d:\documents and settings\All Users\Application Data\ESET
    2009-01-13 23:54 . 2009-01-13 23:55 <DIR> d-------- d:\windows\system32\RTCOM
    2009-01-13 23:53 . 2009-01-13 23:53 <DIR> d-------- d:\program files\Realtek
    2009-01-13 23:53 . 2009-01-13 23:53 <DIR> d--h----- d:\program files\InstallShield Installation Information
    2009-01-13 23:53 . 2006-09-12 23:58 16,264,192 -r------- d:\windows\RTHDCPL.exe
    2009-01-13 23:53 . 2006-05-04 23:26 2,808,832 -r------- d:\windows\alcwzrd.exe
    2009-01-13 23:53 . 2006-09-12 22:12 2,155,008 -r------- d:\windows\MicCal.exe
    2009-01-13 23:53 . 2006-09-12 21:34 499,712 -r------- d:\windows\RtlExUpd.dll
    2009-01-13 23:53 . 2005-09-21 17:25 299,008 -ra------ d:\windows\system32\ALSndMgr.Cpl
    2009-01-13 23:53 . 2005-05-04 01:43 69,632 -r------- d:\windows\Alcmtr.exe
    2009-01-13 23:51 . 2009-01-13 23:51 0 --a------ d:\windows\nsreg.dat
    2009-01-10 19:59 . 2009-01-10 19:59 <DIR> d-------- d:\temp\tmp90

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-13 23:55 717,296 ----a-w d:\windows\system32\drivers\sptd.sys
    2009-01-13 22:48 --------- d-----w d:\program files\Common Files\InstallShield
    2009-01-13 22:34 --------- d-----w d:\program files\microsoft frontpage
    2008-12-23 21:58 453,152 ----a-w d:\windows\system32\NVUNINST.EXE
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "egui"="d:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
    "NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
    "NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
    "Acrobat Assistant 8.0"="d:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
    "Adobe_ID0EYTHM"="d:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
    "RTHDCPL"="RTHDCPL.EXE" [2006-09-12 d:\windows\RTHDCPL.exe]
    "nwiz"="nwiz.exe" [2008-12-26 d:\windows\system32\nwiz.exe]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 d:\windows\system32\hgGxWnMf

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "d:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
    "d:\\Program Files\\Trillian\\trillian.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list]
    "3703:TCP"=3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"=3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"=50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"=50901:TCP:Adobe Version Cue CS3 Server

    R1 epfwtdir;epfwtdir;d:\windows\system32\drivers\epfwtdir.sys [2008-02-20 33800]
    R4 ekrn;Eset Service;d:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-02-20 472320]
    S4 NOD32FiXTemDono;Eset Nod32 Boot;d:\windows\system32\regedt32.exe [2008-04-14 3584]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-15 d:\windows\Tasks\dthaatom.job
    - d:\windows\system32\rundll32.exe [2008-04-14 12:00]

    2009-01-15 d:\windows\Tasks\RegCure Program Check.job
    - d:\program files\RegCure\RegCure.exe [2008-11-27 18:55]

    2009-01-15 d:\windows\Tasks\RegCure.job
    - d:\program files\RegCure\RegCure.exe [2008-11-27 18:55]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{451fecae-1aa6-4533-b7b2-65fdf65b6bf4} - d:\windows\system32\hgGxWnMf.dll
    BHO-{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - d:\windows\system32\hGvVOGYs.dll
    BHO-{de1a3416-6d14-4ad1-ad32-40aea690a933} - d:\windows\system32\nyqwyl.dll
    ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - d:\windows\system32\hGvVOGYs.dll


    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: append to existing pdf - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: convert link target to adobe pdf - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: convert link target to existing pdf - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: convert selected links to adobe pdf - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: convert selected links to existing pdf - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: convert selection to adobe pdf - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: convert selection to existing pdf - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: convert to adobe pdf - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    FF - ProfilePath - d:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\nxk3814t.default\
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-15 02:38:22
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\controlset005\Services\e910c845]
    "ImagePath"="\SystemRoot\System32\drivers\e910c845.sys"
    .
    ------------------------ Other Running Processes ------------------------
    .
    d:\program files\Bonjour\mDNSResponder.exe
    d:\windows\system32\nvsvc32.exe
    d:\windows\system32\wscntfy.exe
    d:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    d:\windows\system32\wpabaln.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-15 2:43:35 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-01-15 02:43:32

    Pre-Run: 165,366,611,968 bytes free
    Post-Run: 166,112,022,528 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
    [operating systems]
    d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    multi(0)disk(0)rdisk(3)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
    196
     
  14. 2009/01/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    First, highlight and copy the contents of the code box below.
    Code:
    reg save "HKLM\System\controlset003" "D:\CCS3.hiv"
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window.
    Right click in the command window and select paste.
    The command window will close on its own.
    This will create a file in drive root named CCS3.hiv
    I have instructed ComboFix to remove and upload that file.



    Now once again, disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Collect::[22]
    D:\CCS3.hiv
    Suspect::[22]
    d:\windows\system32\drivers\e910c845.sys
    d:\windows\system32\gebcaAss.dll
    File::
    d:\windows\Tasks\dthaatom.job
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log here.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Please note that I have instructed CFScript to collect some files for analysis. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created. The zip contains the aforementioned files. If the upload fails you will be presented with instructions for uploading it manually. Please do so.

    Thanks!
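
    Why the Registry:: line in the CFScript above uses that particular hex(7) value, and how to spot the same persistence in a ComboFix log, as an added Python example (this is not ComboFix's, sUBs' or noahdfear's code; SAMPLE_LOG is a constructed excerpt modelled on the log in post 13, not the full log). The LSA "Authentication Packages" value is a REG_MULTI_SZ that on Windows XP holds only msv1_0, so the extra hgGxWnMf entry is a DLL that lsass.exe loads at boot. The fix writes the default list back: each string NUL-terminated plus a trailing NUL, in the ANSI byte encoding the REGEDIT4 format uses (a "Version 5.00" .reg file would encode the same value as UTF-16LE). The same helper lists scheduled tasks whose target is a bare rundll32.exe, as dthaatom.job was.

```python
import re

# Windows XP ships LSA with a single authentication package, msv1_0.
# Anything else listed here is a DLL that lsass.exe loads at boot
# (LSA appends .dll to a bare name such as hgGxWnMf).
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

# Constructed excerpt modelled on the ComboFix log in post 13 (sample data).
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 d:\\windows\\system32\\hgGxWnMf

Contents of the 'Scheduled Tasks' folder

2009-01-15 d:\\windows\\Tasks\\dthaatom.job
- d:\\windows\\system32\\rundll32.exe [2008-04-14 12:00]

2009-01-15 d:\\windows\\Tasks\\RegCure.job
- d:\\program files\\RegCure\\RegCure.exe [2008-11-27 18:55]
"""

# ComboFix prints the REG_MULTI_SZ entries space-separated on one line.
AUTH_RE = re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+(.*)$", re.M)
# A task is a dated ".job" line followed by a "- <target> [date]" line.
TASK_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}\s+(?P<job>\S.*?\.job)[ \t]*\n-\s+(?P<target>.*?)\s+\[", re.M
)


def parse_auth_packages(log):
    """Return the Authentication Packages entries found in a ComboFix log, or []."""
    m = AUTH_RE.search(log)
    return m.group(1).split() if m else []


def rogue_auth_packages(packages):
    """Entries that are not the stock XP package."""
    return [p for p in packages if p.lower() not in DEFAULT_AUTH_PACKAGES]


def multi_sz_hex7(values, version5=False):
    """Encode a REG_MULTI_SZ as the hex(7) literal used by .reg files and CFScript.

    Every string is NUL-terminated and the whole list ends with one more NUL.
    REGEDIT4 (what the CFScript uses) stores ANSI bytes; a
    'Windows Registry Editor Version 5.00' file stores UTF-16LE instead.
    """
    raw = "".join(v + "\0" for v in values) + "\0"
    data = raw.encode("utf-16-le") if version5 else raw.encode("latin-1")
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def suspicious_tasks(log, hosts=("rundll32.exe", "regsvr32.exe")):
    """Scheduled tasks whose command is a bare host process (the DLL is not shown)."""
    hits = []
    for m in TASK_RE.finditer(log):
        exe = m.group("target").rsplit("\\", 1)[-1].lower()
        if exe in hosts:
            hits.append((m.group("job"), m.group("target")))
    return hits


def triage(log):
    """One-shot summary of the checks above for a ComboFix log."""
    pkgs = parse_auth_packages(log)
    return {
        "auth_packages": pkgs,
        "rogue_auth_packages": rogue_auth_packages(pkgs),
        "clean_auth_value": multi_sz_hex7(sorted(DEFAULT_AUTH_PACKAGES)),
        "suspicious_tasks": suspicious_tasks(log),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

    Run against post 15's log the same checks come back empty: the LSA section is no longer printed (the default value is not shown) and dthaatom.job is gone, which is the quickest way to confirm the CFScript did what it was written to do.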
     
  15. 2009/01/15
    fuzzo

    fuzzo Inactive Thread Starter

    Joined:
    2009/01/13
    Messages:
    8
    Likes Received:
    0
    I followed the above correctly:

    ComboFix 09-01-13.04 - Matt 2009-01-15 18:34:09.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2413 [GMT 0:00]
    Running from: d:\documents and settings\Matt\Desktop\panthro.exe
    Command switches used :: d:\documents and settings\Matt\Desktop\CFScript.txt
    AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
    * Created a new restore point

    FILE ::
    d:\windows\Tasks\dthaatom.job
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    D:\CCS3.hiv
    d:\windows\Tasks\dthaatom.job

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
    .

    2009-01-15 00:12 . 2009-01-15 00:12 <DIR> d-------- d:\program files\RegCure
    2009-01-15 00:00 . 2009-01-15 00:00 <DIR> d---s---- d:\documents and settings\Matt\UserData
    2009-01-14 21:55 . 2008-04-14 05:41 79,360 --a------ d:\windows\system32\CNBJMON2.DLL
    2009-01-14 21:55 . 2001-07-21 18:52 33,489 --a------ d:\windows\system32\CNBJHLP2.HLP
    2009-01-14 21:55 . 2001-07-21 18:52 1,075 --a------ d:\windows\system32\CNBJHLP2.CNT
    2009-01-14 19:43 . 2009-01-14 19:43 <DIR> d-------- d:\documents and settings\All Users\Application Data\FLEXnet
    2009-01-14 19:35 . 2009-01-14 19:35 <DIR> d-------- d:\program files\Common Files\Control Panels
    2009-01-14 19:33 . 2009-01-14 19:33 <DIR> d-------- d:\documents and settings\All Users\Application Data\ALM
    2009-01-14 19:26 . 2009-01-14 19:26 <DIR> d-------- d:\program files\QuickTime
    2009-01-14 19:22 . 2007-02-20 16:04 2,463,976 --a------ d:\windows\system32\NPSWF32.dll
    2009-01-14 19:22 . 2007-02-20 16:04 190,696 --a------ d:\windows\system32\NPSWF32_FlashUtil.exe
    2009-01-14 19:18 . 2009-01-14 19:18 <DIR> d-------- d:\program files\Bonjour
    2009-01-14 19:15 . 2009-01-14 19:15 <DIR> d-------- d:\program files\Common Files\Macrovision Shared
    2009-01-14 19:14 . 2009-01-14 19:36 <DIR> d-------- d:\program files\Common Files\Adobe
    2009-01-14 19:11 . 2008-12-26 00:08 206,755 --a------ d:\windows\system32\nvapps.nvb
    2009-01-14 19:08 . 2009-01-14 19:08 <DIR> d-------- d:\windows\system32\AGEIA
    2009-01-14 19:08 . 2009-01-14 19:08 <DIR> d-------- d:\program files\Common Files\Wise Installation Wizard
    2009-01-14 19:08 . 2009-01-14 19:08 <DIR> d-------- d:\program files\AGEIA Technologies
    2009-01-14 19:07 . 2009-01-14 19:13 <DIR> d-------- d:\windows\nview
    2009-01-14 19:07 . 2008-12-26 00:08 453,152 --a------ d:\windows\system32\nvudisp.exe
    2009-01-14 19:07 . 2009-01-15 04:16 200,790 --a------ d:\windows\system32\nvapps.xml
    2009-01-14 19:07 . 2008-12-26 00:08 18,725 --a------ d:\windows\system32\nvdisp.nvu
    2009-01-14 19:03 . 2009-01-14 19:03 <DIR> d-------- d:\program files\Trend Micro
    2009-01-14 18:39 . 2009-01-14 18:39 <DIR> d-------- D:\ebc005cadc6a5060eb122d4d
    2009-01-14 01:28 . 2009-01-14 01:28 <DIR> d-------- d:\windows\system32\Lang
    2009-01-14 01:28 . 2009-01-14 01:28 940,794 --a------ d:\windows\system32\LoopyMusic.wav
    2009-01-14 01:28 . 2009-01-14 01:28 146,650 --a------ d:\windows\system32\BuzzingBee.wav
    2009-01-14 00:00 . 2009-01-15 18:36 100,588 --a------ d:\windows\system32\drivers\e910c845.sys
    2009-01-13 23:59 . 2008-03-03 14:25 5,702 --ah----- d:\windows\nod32restoretemdono.reg
    2009-01-13 23:59 . 2008-03-03 18:21 568 --ah----- d:\windows\nod32fixtemdono.reg
    2009-01-13 23:58 . 2009-01-14 19:12 664 --a------ d:\windows\system32\d3d9caps.dat
    2009-01-13 23:55 . 2009-01-15 01:26 <DIR> d-------- d:\program files\Trillian
    2009-01-13 23:55 . 2009-01-13 23:55 <DIR> d-------- d:\program files\ESET
    2009-01-13 23:55 . 2009-01-13 23:55 <DIR> d-------- d:\documents and settings\Matt\Application Data\DAEMON Tools Lite
    2009-01-13 23:55 . 2009-01-13 23:55 <DIR> d-------- d:\documents and settings\All Users\Application Data\ESET
    2009-01-13 23:54 . 2009-01-13 23:55 <DIR> d-------- d:\windows\system32\RTCOM
    2009-01-13 23:53 . 2009-01-13 23:53 <DIR> d-------- d:\program files\Realtek
    2009-01-13 23:53 . 2009-01-13 23:53 <DIR> d--h----- d:\program files\InstallShield Installation Information
    2009-01-13 23:53 . 2006-09-12 23:58 16,264,192 -r------- d:\windows\RTHDCPL.exe
    2009-01-13 23:53 . 2006-05-04 23:26 2,808,832 -r------- d:\windows\alcwzrd.exe
    2009-01-13 23:53 . 2006-09-12 22:12 2,155,008 -r------- d:\windows\MicCal.exe
    2009-01-13 23:53 . 2006-09-12 21:34 499,712 -r------- d:\windows\RtlExUpd.dll
    2009-01-13 23:53 . 2005-09-21 17:25 299,008 -ra------ d:\windows\system32\ALSndMgr.Cpl
    2009-01-13 23:53 . 2005-05-04 01:43 69,632 -r------- d:\windows\Alcmtr.exe
    2009-01-13 23:51 . 2009-01-13 23:51 0 --a------ d:\windows\nsreg.dat
    2009-01-10 19:59 . 2009-01-10 19:59 <DIR> d-------- d:\temp\tmp90

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-13 23:55 717,296 ----a-w d:\windows\system32\drivers\sptd.sys
    2009-01-13 22:48 --------- d-----w d:\program files\Common Files\InstallShield
    2009-01-13 22:34 --------- d-----w d:\program files\microsoft frontpage
    2008-12-23 21:58 453,152 ----a-w d:\windows\system32\NVUNINST.EXE
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "egui"="d:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
    "NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
    "NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
    "Acrobat Assistant 8.0"="d:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
    "Adobe_ID0EYTHM"="d:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
    "RTHDCPL"="RTHDCPL.EXE" [2006-09-12 d:\windows\RTHDCPL.exe]
    "nwiz"="nwiz.exe" [2008-12-26 d:\windows\system32\nwiz.exe]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "d:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
    "d:\\Program Files\\Trillian\\trillian.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list]
    "3703:TCP"=3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"=3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"=50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"=50901:TCP:Adobe Version Cue CS3 Server

    R1 epfwtdir;epfwtdir;d:\windows\system32\drivers\epfwtdir.sys [2008-02-20 33800]
    R4 ekrn;Eset Service;d:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-02-20 472320]
    S4 NOD32FiXTemDono;Eset Nod32 Boot;d:\windows\system32\regedt32.exe [2008-04-14 3584]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-15 d:\windows\Tasks\RegCure Program Check.job
    - d:\program files\RegCure\RegCure.exe [2008-11-27 18:55]

    2009-01-15 d:\windows\Tasks\RegCure.job
    - d:\program files\RegCure\RegCure.exe [2008-11-27 18:55]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: append to existing pdf - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: convert link target to adobe pdf - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: convert link target to existing pdf - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: convert selected links to adobe pdf - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: convert selected links to existing pdf - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: convert selection to adobe pdf - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: convert selection to existing pdf - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: convert to adobe pdf - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    FF - ProfilePath - d:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\nxk3814t.default\
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-15 18:36:02
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\controlset005\Services\e910c845]
    "ImagePath"="\SystemRoot\System32\drivers\e910c845.sys"
    .
    Completion time: 2009-01-15 18:40:29
    ComboFix-quarantined-files.txt 2009-01-15 18:40:27
    ComboFix2.txt 2009-01-15 02:43:35

    Pre-Run: 166,091,149,312 bytes free
    Post-Run: 166,080,598,016 bytes free

    Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
    139
     
  16. 2009/01/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Highlight and copy the contents of the code box below.
    Code:
    cd %systemroot%
    @swreg save HKLM\System\controlset001 D:\CCS1.hiv
    @swreg save HKLM\System\controlset002 D:\CCS2.hiv
    @swreg ACL HKLM\System\CurrentControlSet\e910c845 /OA
    @swreg ACL HKLM\System\CurrentControlSet\e910c845 /GE:F
    @swreg add HKLM\System\CurrentControlSet\e910c845 /v Start /t REG_SZ /d 0 /f
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window will close on its own.


    Restart the machine.

    Please upload the following files to my submission channel for analysis. Leave a link back to this topic.

    D:\CCS1.hiv
    D:\CCS2.hiv
    D:\windows\system32\drivers\e910c845.sys

    Thanks!
     