  #21  
Old 26th Jun 2009, 15:24
New Member Group
 
OK, I downloaded and ran the program as instructed. I clicked on Start, then OK on the information screen, then an error message came up saying 'ft666.exe has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available ---> Close Program'.

I tried again with the same result.
  #22  
Old 26th Jun 2009, 15:29
Moderator Group
 
Can you burn a CD?

Avira AntiVir Rescue System

1. Download the Avira AntiVir Rescue System
- If you need a free burning application, CDBurnerXP works on all operating systems from Microsoft Windows 2000 SP4 onwards.
2. Place a blank CD in your burner and double-click on the downloaded file.
3. The program will automatically burn the CD for you.
4. Place the burned CD into the affected computer and start the computer with the CD in the CD tray.
5. On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
6. Click on the Configuration button.

- Select Scan all files
- Select Try to repair infected files and Rename files, if they cannot be removed
- Select Scan for dialers
- Select Scan for joke programs (Jokes)
- Select Scan for games
- Select Scan for spyware (SPR)

7. Click on Virus scanner
8. Click on Start scanner at the bottom of the screen.

9. Let Avira finish its scan, then remove any threats found and exit out of the scanner.
10. Take the CD out of the CD/DVD tray and then restart the computer.

If needed see this Tutorial for the Avira Rescue CD
  #23  
Old 26th Jun 2009, 18:22
New Member Group
 
Okay, I did the scan with Avira. It took over 2 hours, but it found 15 malicious files (including the Trojan in the SKYNETxxxxxxxxxxxxxxxxxxxxxx.dll's that have been giving me so much bother); it couldn't remove them, so it renamed them. I restarted the computer and I've been able to log into my full Normal Mode again now, but I'm not gonna count my chickens just yet, as this happened before; then on the next restart it got bad again... but it SEEMS like it's working properly again now. I shall keep you informed; I might be back if the same symptoms occur soon!

What does renaming the malicious objects actually do by the way?
  #24  
Old 26th Jun 2009, 18:46
New Member Group
 
Also, if everything really is fixed, thank you so much for all your help, you really are a lifesaver!
  #25  
Old 26th Jun 2009, 19:00
Moderator Group
 
We need to try ComboFix again. I trust Avira but there is a possibility that there is still something left.

Since you are in Normal Mode it should go all the way to completion this time.
  #26  
Old 26th Jun 2009, 19:05
New Member Group
 
Will try that now, thanks.
  #27  
Old 26th Jun 2009, 19:39
New Member Group
 
OK, I've done the ComboFix scan; from the log file it looks like it was a very good call to run...

ComboFix 09-06-26.02 - Sonny 27/06/2009 3:10.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3070.1978 [GMT 1:00]
Running from: c:\users\Sonny\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\system32\drivers\msqpdxpkjrfbfi.sys
c:\windows\system32\drivers\SKYNETihqierfr.sys
c:\windows\system32\drivers\SKYNETihqierfr.sys.XXX
c:\windows\system32\msqpdxwcqbnxmp.dll
c:\windows\system32\SKYNETbsipncsk.dll.XXX
c:\windows\system32\SKYNETnorsrtqp.dat
c:\windows\system32\SKYNETribpjyxr.dll
c:\windows\system32\SKYNETtbummnny.dat
D:\Desktop.ini
D:\resycled

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_msqpdxserv.sys
-------\Service_SKYNETlxmtxobe


((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-06-27 )))))))))))))))))))))))))))))))
.

2009-06-27 01:31 . 2009-06-27 01:31 -------- d-----w- c:\program files\CDBurnerXP
2009-06-26 19:51 . 2009-06-26 19:51 -------- d-----w- c:\program files\Trend Micro
2009-06-26 17:18 . 2009-06-26 19:49 117760 ----a-w- c:\users\Sonny\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-26 17:18 . 2009-06-26 17:18 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2009-06-26 17:18 . 2009-06-26 17:18 -------- d-----w- c:\users\Sonny\AppData\Roaming\SUPERAntiSpyware.com
2009-06-26 17:18 . 2009-06-26 17:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-26 17:11 . 2009-06-26 17:11 -------- d-----w- c:\program files\CCleaner
2009-06-25 13:46 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-06-25 13:46 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-06-25 13:46 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-06-25 13:46 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-06-25 13:46 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-06-25 13:45 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-06-25 13:45 . 2009-02-05 20:06 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-06-25 13:45 . 2009-06-25 13:45 -------- d-----w- c:\program files\Alwil Software
2009-06-24 15:11 . 2009-06-25 13:35 -------- d-sh--w- c:\users\Sonny\AppData\Roaming\lowsec
2009-06-14 02:21 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-06-14 02:21 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-06-12 15:12 . 2009-06-12 15:12 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-06-11 23:13 . 2009-06-11 23:13 -------- d-----w- C:\wing2
2009-06-11 18:04 . 2009-04-21 11:55 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-06-10 12:36 . 2009-06-10 12:36 -------- d-----w- c:\windows\Start Menu
2009-06-10 12:36 . 2009-06-10 12:36 -------- d-----w- c:\program files\Origin Systems
2009-06-08 18:01 . 2009-06-08 18:01 26624 ----a-r- c:\users\Sonny\AppData\Roaming\Microsoft\Installer\{6910C412-A523-493C-BC22-0213CD7F4F3A}\Icon6910C412.exe
2009-06-08 17:55 . 2009-06-08 18:01 -------- d-----w- c:\program files\Industry Giant 2
2009-06-03 18:08 . 2009-06-03 18:08 390664 ----a-w- c:\users\Sonny\AppData\Roaming\Real\RealPlayer\Update\RealPlayer11.exe
2009-06-03 18:08 . 2009-06-03 18:08 390664 ----a-w- c:\users\Sonny\AppData\Roaming\Real\Update\temp\~Upg6\RealPlayer11.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 02:27 . 2008-02-21 18:00 -------- d-----w- c:\progra~2\Kontiki
2009-06-27 02:26 . 2007-11-30 13:00 -------- d-----w- c:\program files\Steam
2009-06-27 01:15 . 2007-11-30 13:10 -------- d-----w- c:\program files\Common Files\Steam
2009-06-27 01:14 . 2007-11-28 07:21 -------- d-----w- c:\users\Sonny\AppData\Roaming\Skype
2009-06-27 00:23 . 2008-11-11 12:06 -------- d-----w- c:\program files\Conquer 2.0
2009-06-26 23:57 . 2009-05-02 16:03 -------- d-----w- c:\program files\17funtv
2009-06-26 21:39 . 2008-11-11 22:09 1356 ----a-w- c:\users\Sonny\AppData\Local\d3d9caps.dat
2009-06-26 17:17 . 2008-03-15 22:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-26 16:33 . 2009-03-22 15:23 -------- d-----w- c:\users\Sonny\AppData\Roaming\Spotify
2009-06-26 15:29 . 2009-01-13 16:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-25 13:36 . 2008-06-12 17:55 -------- d-----w- c:\users\Sonny\AppData\Roaming\skypePM
2009-06-25 13:35 . 2007-08-27 18:18 -------- d-----w- c:\program files\ATI
2009-06-25 13:34 . 2007-08-27 18:42 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-25 13:32 . 2007-11-25 13:14 -------- d-----w- c:\program files\Symantec
2009-06-25 13:31 . 2009-01-13 16:05 -------- d-----w- c:\progra~2\NortonInstaller
2009-06-25 12:39 . 2007-12-03 23:04 -------- d-----w- c:\users\Sonny\AppData\Roaming\Free Download Manager
2009-06-22 13:16 . 2009-05-08 22:39 -------- d-----w- c:\users\Sonny\AppData\Roaming\dvdcss
2009-06-21 11:02 . 2007-11-25 14:40 -------- d-----w- c:\users\Sonny\AppData\Roaming\uTorrent
2009-06-17 10:27 . 2009-01-13 16:54 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 10:27 . 2009-01-13 16:54 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 12:47 . 2008-05-24 00:19 1878984 ----a-w- c:\users\Sonny\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-06-12 12:36 . 2008-11-11 00:36 -------- d-----w- c:\users\Sonny\AppData\Roaming\Xfire
2009-06-12 02:07 . 2007-11-25 22:34 -------- d-----w- c:\progra~2\Microsoft Help
2009-05-22 10:06 . 2009-05-22 10:06 -------- d-----w- c:\program files\GameTap Web Player
2009-05-22 10:05 . 2009-05-22 10:05 -------- d-----w- c:\progra~2\GameTap Web Player
2009-05-15 23:19 . 2009-05-15 23:18 227 ----a-w- c:\windows\PowerReg.dat
2009-05-15 23:18 . 2009-05-15 23:18 -------- d-----w- c:\program files\Hasbro Interactive
2009-05-14 19:21 . 2009-05-14 19:21 390664 ----a-w- c:\users\Sonny\AppData\Roaming\Real\Update\temp\~Upg5\RealPlayer11.exe
2009-05-14 02:00 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-12 19:06 . 2009-05-12 19:06 -------- d-----w- c:\users\Sonny\AppData\Roaming\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-05-12 19:06 . 2009-05-12 19:06 -------- d-----w- c:\program files\BBC iPlayer Desktop
2009-05-12 19:06 . 2009-05-12 19:06 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-12 19:04 . 2009-05-12 19:06 38208 ----a-w- c:\users\Sonny\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-05-07 19:12 . 2009-05-07 19:12 -------- d-----w- c:\users\Sonny\AppData\Roaming\StreamTorrent
2009-05-07 19:12 . 2009-05-07 19:12 -------- d-----w- c:\program files\StreamTorrent 1.0
2009-05-05 18:05 . 2009-05-22 10:05 462848 ----a-w- c:\users\Sonny\AppData\Roaming\Mozilla\Firefox\Profiles\364tu6n5.default\extensions\GameTap@gametap.com\plugins\npGameTapWebUpdater.dll
2009-05-05 10:29 . 2009-05-05 10:29 -------- d-----w- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-05 10:29 . 2008-01-27 12:22 -------- d-----w- c:\program files\iTunes
2009-05-05 10:29 . 2009-05-05 10:29 -------- d-----w- c:\program files\iPod
2009-05-05 10:29 . 2008-01-27 12:19 -------- d-----w- c:\program files\Common Files\Apple
2009-05-02 16:06 . 2009-01-06 20:38 -------- d-----w- c:\progra~2\Yahoo! Companion
2009-05-02 16:05 . 2009-05-02 16:05 -------- d-----w- c:\program files\afreeca
2009-05-02 16:03 . 2009-05-02 16:03 964608 ----a-w- c:\windows\system32\mfc70u.dll
2009-05-02 16:03 . 2009-05-02 16:03 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-05-02 12:00 . 2009-05-02 12:00 -------- d-----w- c:\program files\FilmOn HDi Player
2009-05-01 23:30 . 2009-05-01 23:06 -------- d-----w- c:\users\Sonny\AppData\Roaming\vlc
2009-05-01 19:21 . 2009-05-01 19:21 390664 ----a-w- c:\users\Sonny\AppData\Roaming\Real\Update\temp\~Upg4\RealPlayer11.exe
2009-05-01 18:52 . 2009-05-01 18:52 200704 ----a-w- c:\users\Sonny\AppData\Roaming\Microsoft\Windows\.autobahn\libwin32sparsefileutil.dll
2009-05-01 18:42 . 2009-05-01 18:42 65536 ----a-w- c:\users\Sonny\AppData\Roaming\Microsoft\Windows\.autobahn\libwin32proxyconfig.dll
2009-05-01 18:35 . 2009-05-01 18:35 -------- d-----w- c:\program files\VideoLAN
2009-04-24 16:05 . 2009-06-11 18:03 827904 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:02 . 2009-06-11 18:03 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 13:44 . 2009-06-11 18:03 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-23 12:43 . 2009-06-11 18:03 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:42 . 2009-06-11 18:03 636928 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 23:20 . 2009-04-21 23:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-21 23:20 . 2009-04-21 23:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2009-04-14 18:45 . 2009-04-14 18:45 390664 ----a-w- c:\users\Sonny\AppData\Roaming\Real\Update\temp\~Upg3\RealPlayer11.exe
2009-04-05 18:14 . 2009-04-05 18:14 390664 ----a-w- c:\users\Sonny\AppData\Roaming\Real\Update\temp\~Upg2\RealPlayer11.exe
2007-08-27 19:04 . 2007-08-27 18:59 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-05-30 21718312]
"Steam"="c:\program files\steam\steam.exe" [2009-06-12 1217784]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-01-25 1032376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-06-15 178968]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-01 185896]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"4oD"="c:\program files\Kontiki\KHost.exe" [2008-01-25 1032376]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-10-25 4702208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Sonny^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MLB.TV NexDef Plug-in.lnk]
path=c:\users\Sonny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MLB.TV NexDef Plug-in.lnk
backup=c:\windows\pss\MLB.TV NexDef Plug-in.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4C4014C1-27B1-467C-98D3-799AC31D5B51}"= UDP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{79F368E5-FE8C-4215-9C4C-754C21268CAC}"= TCP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{46F6F60D-41AD-4363-A915-0BEADE87E1CB}"= UDP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel(R) Viiv(TM) Media Server
"{F4DBEF40-7A53-4A13-8347-AA0C75E0C7BD}"= TCP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel(R) Viiv(TM) Media Server
"{ABD225DD-EEF2-45CF-8EFB-B522F3CBF299}"= UDP:c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel(R) Remoting Service
"{B47A9E37-5E9D-4313-A196-426A8E38AE29}"= TCP:c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel(R) Remoting Service
"{3F1E1399-E49A-4B7F-93AE-8D1D3930E7D9}"= TCP:9442:127.0.0.1:Intel(R) Viiv(TM) Media Server Discovery
"{DEAD0B7C-CF4B-438C-BBE2-F79A1ECCDD78}"= TCP:1900:LocalSubnet:LocalSubnet:Intel(R) Viiv(TM) Media Server UPnP Discovery
"{F06D5818-10C7-4DF0-829B-648B414B2E5B}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{7F8FAE90-A884-4555-B4D8-8CF8CA5BBD0C}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5467AFE3-F953-4F29-8B8F-DA4B3E528DAD}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{A8E48632-E180-41E3-894A-66349381ED0B}"= UDP:c:\program files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{9F73BA3B-CE06-4A99-BAA3-4900491B93BD}"= TCP:c:\program files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{962389EB-D55D-4031-AA11-1174E49A90CD}"= UDP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{7C8F2072-A43E-464C-90D6-97A366632A41}"= TCP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{D27B8BAF-087E-4CED-B130-9FF9F236141A}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{7BEEF3D7-1F71-4193-BDF3-EA77ED2DDFEC}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{4F12753C-3831-4DA1-B792-A98E1EFE239C}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{8FD0E812-B954-4BA8-85A5-2688388D24B9}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{1470DDFA-234A-49A2-90DE-FB55AD9B85C6}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{6288AF73-6AAB-47C4-B4E5-464EBB33EF9A}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{70959E7C-137B-44C1-BCF7-FE390787902B}"= UDP:c:\program files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)
"{16D01517-C1EE-4A5C-A30B-4554297C2D8C}"= TCP:c:\program files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)
"{75747680-91B9-4690-A017-6C4FC18B8862}"= UDP:c:\program files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)
"{6FDBCD87-251A-4950-9F27-091A2CDCEA36}"= TCP:c:\program files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)
"{B28D0F67-3FB9-41DA-9C6D-D71781FA88B9}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{1C0E9353-2038-4683-9E3E-F666A0463BFF}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{1A5C61E3-42CE-4511-BE4A-B27E50033C0B}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{AA5B617F-2680-49EB-8F84-D9E7D5D20A82}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{5C6F218D-BEA9-42A5-A123-4D8FD1E1E898}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{4B4D057B-190D-4051-AF1F-CAE88EF2E6E6}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{A97C4594-FF66-4887-8795-65F4BBB518B2}"= UDP:c:\program files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{B93FE2DB-4405-4DE3-B693-D4D97C2D3FE4}"= TCP:c:\program files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{7F87C278-69BD-4878-A4CE-021740A142B7}"= UDP:c:\program files\Sony Ericsson\Sony Ericsson Media Manager 1.0\MediaManager.exe:Sony Ericsson Media Manager 1.0
"{D7834371-1358-4356-8C41-0E4322BFB1E8}"= TCP:c:\program files\Sony Ericsson\Sony Ericsson Media Manager 1.0\MediaManager.exe:Sony Ericsson Media Manager 1.0
"{051E377A-6EFC-49A2-B4E8-DA4C7BF71FEB}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{847B2104-943C-4FD9-BE3B-F24D6ED7919A}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{B74D2573-3686-40AB-8034-81B49B37F5F3}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{7C779745-AAC6-48B1-BE3A-828E9454F601}"= UDP:c:\program files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{0566220F-3E06-4500-B058-38F9F17BD6F5}"= TCP:c:\program files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{0CF43C6A-CCED-4F76-81F6-7E4200D97F29}"= UDP:c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe:Rockstar Games Social Club
"{0CD94EF6-BF57-4691-A7A1-A645CBA54239}"= TCP:c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe:Rockstar Games Social Club
"{6AA66BCB-49AB-4E45-A54D-9C50855BACBB}"= UDP:c:\program files\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe:Grand Theft Auto IV
"{7C0E4493-A9BD-41C3-843E-904E3BDF967C}"= TCP:c:\program files\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe:Grand Theft Auto IV
"TCP Query User{9509E4BE-9FE0-4DA0-8C6E-27645CE96B9C}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{5C198D81-918D-44CA-BBEB-7E9BAA4D974C}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"TCP Query User{E51343DB-6E70-4356-841C-FC375DA00BED}c:\\program files\\tvants\\tvants.exe"= UDP:c:\program files\tvants\tvants.exe:TVAnts
"UDP Query User{F113A65D-35A7-4040-BC66-5E6C0F2B92C7}c:\\program files\\tvants\\tvants.exe"= TCP:c:\program files\tvants\tvants.exe:TVAnts
"TCP Query User{8AA0C86B-DD03-4CCB-85D5-5B2E51D7CE73}c:\\program files\\sopcast\\sopcast.exe"= UDP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{62621C6E-1212-4F2B-AC89-26400B3EDCA0}c:\\program files\\sopcast\\sopcast.exe"= TCP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"TCP Query User{22770C07-EB47-40AC-B26A-E1B0FC1E3F6B}c:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"UDP Query User{82CBA932-0A86-456F-BE72-A46BD86529B4}c:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"TCP Query User{70293647-6472-4B77-8CBA-38662F84C7A1}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{C78587A5-9BF9-41DF-B927-F58A1FB7A8BB}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"TCP Query User{91A14F95-ACC9-4D17-87E0-8C29F318A2C3}c:\\program files\\rockstar games\\grand theft auto iv\\gtaiv.exe"= UDP:c:\program files\rockstar games\grand theft auto iv\gtaiv.exe:Grand Theft Auto IV
"UDP Query User{4247A571-3C9A-42B8-B784-EDA18BA5AB24}c:\\program files\\rockstar games\\grand theft auto iv\\gtaiv.exe"= TCP:c:\program files\rockstar games\grand theft auto iv\gtaiv.exe:Grand Theft Auto IV
"TCP Query User{7E7B9039-EFF6-4687-A5C3-5E75166DF8DD}c:\\program files\\steam\\steamapps\\ginger_sonny\\counter-strike source\\hl2.exe"= UDP:c:\program files\steam\steamapps\ginger_sonny\counter-strike source\hl2.exe:hl2
"UDP Query User{216C0474-9657-4FA4-BFEC-509A789D857F}c:\\program files\\steam\\steamapps\\ginger_sonny\\counter-strike source\\hl2.exe"= TCP:c:\program files\steam\steamapps\ginger_sonny\counter-strike source\hl2.exe:hl2
"TCP Query User{5E2DA332-2AAF-4F97-9FDA-4FFBFC84A2ED}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{D86C3FBF-E689-4407-870F-765297B1EC2E}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{21E61A90-23A6-4105-9948-D2DC916D8443}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{21FC4E83-2820-44A7-8E05-B351A8E36244}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{490B92CF-4F04-4A28-8760-24CC196EAFB1}"= UDP:c:\program files\Norton Internet Security\Engine\16.0.0.125\uiStub.exe:Norton Internet Security
"{5530C24F-D37F-4C83-84B1-726E5C374263}"= TCP:c:\program files\Norton Internet Security\Engine\16.0.0.125\uiStub.exe:Norton Internet Security
"{357B78B5-6EF5-4D52-9996-050703729A71}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{35BAF180-C0CB-4B4A-B323-C6946F6C63D9}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{4AB99F05-A454-46DB-B0C8-D33437058329}"= UDP:c:\program files\Spotify\spotify.exe:Spotify
"{753B1B01-F98F-4A9B-B0DE-EF394487E0F8}"= TCP:c:\program files\Spotify\spotify.exe:Spotify
"{1B1BAE39-DB17-4B80-8876-2D1382FF1342}"= UDP:c:\program files\Steam\steamapps\common\left 4 dead\left4dead.exe:Left 4 Dead
"{B04B8E02-55EC-4D7D-855A-2C8C749C624C}"= TCP:c:\program files\Steam\steamapps\common\left 4 dead\left4dead.exe:Left 4 Dead

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [25/06/2009 14:46 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/06/2009 11:01 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/06/2009 11:01 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [25/06/2009 14:46 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [25/06/2009 14:45 51792]
R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [03/09/2006 18:32 208896]
R2 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fb_inet_server.exe [19/02/2008 21:42 2707456]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\tools\IntelDHSvcConf.exe [10/05/2006 17:13 29696]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\System32\drivers\netr28u.sys [15/08/2007 23:49 552448]
S3 netr73;Belkin Wireless G Plus MIMO USB Network Adapter Driver for Vista;c:\windows\System32\drivers\netr73.sys [12/11/2007 11:03 468480]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/06/2009 11:01 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.vistaforums.com/Forum/Topic13079-9-3.aspx
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=Presario&pf=desktop
uInternet Settings,ProxyServer = 83.218.164.193:8080
uInternet Settings,ProxyOverride = <local>;*.local
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - c:\program files\Free Download Manager\FUM\fumiebtn.dll
DPF: {15AB0590-D322-4440-B129-BFC893FB3CC2} - hxxp://live.17funtv.com:8057/AFCStarter_17funtv.cab
DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} - hxxp://webserver.dyyno.com/DyynoClient/DyynoCAB.CAB
DPF: {7E3C8EE9-0EA1-4ACA-A8A2-87B76A3A6BC4} - hxxp://afocx.17funtv.com:9091/AFC_TW/OpenTV_17FunTV.cab
DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
FF - ProfilePath - c:\users\Sonny\AppData\Roaming\Mozilla\Firefox\Profiles\364tu6n5.default\
FF - plugin: c:\program files\Dyyno\Dyyno Player\npvlc.dll
FF - plugin: c:\program files\GameTap Web Player\bin\release\npGameTapWebPlayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npff_gdm.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\users\Sonny\AppData\Local\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\users\Sonny\AppData\Roaming\Mozilla\Firefox\Profiles\364tu6n5.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\users\Sonny\AppData\Roaming\Mozilla\Firefox\Profiles\364tu6n5.default\extensions\GameTap@gametap.com\plugins\npGameTapWebUpdater.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-27 03:26
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2058655337-1634534433-331944777-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:76,01,39,d2,ba,40,63,79,53,a1,75,83,b2,16 ,32,ad,73,ee,9c,b7,73,ef,a8,
3f,cc,b6,26,0c,39,00,df,e9,e7,ad,62,23,4d,96,13,10 ,27,5b,8a,37,74,cb,92,69,\
"??"=hex:75,f9,11,0d,bb,7b,d0,45,f7,62,8f,eb,9f,d7 ,26,84

[HKEY_USERS\S-1-5-21-2058655337-1634534433-331944777-1001\Software\SecuROM\License information*]
"datasecu"=hex:a9,70,81,99,0a,07,33,ee,6a,73,81,c7 ,98,95,c4,f0,8c,01,19,21,84,
e4,3e,32,9a,82,d2,fd,98,c4,9b,6a,a2,68,83,0a,59,d2 ,6a,32,7f,97,5a,30,16,27,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6 ,71,e2,54,98

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2544)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Intel\IntelDH\CCU\AlertService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\System32\PnkBstrA.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
.
**************************************************************************
.
Completion time: 2009-06-27 3:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-27 02:32

Pre-Run: 73,353,170,944 bytes free
Post-Run: 73,464,762,368 bytes free

345 --- E O F --- 2009-06-18 23:34
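A defender-side triage helper for a ComboFix-style log, added here as an example (it is not ComboFix's own code and was not posted in this thread). It splits the log on the section banners seen above and pulls out what the moderator acts on next: kernel drivers and services that were removed, Security Center monitoring switched off, a user-scope proxy setting, and locked keys carrying @Denied entries. The constructed sample log, the section names and the heuristics are my assumptions modelled on the log above.

```python
import re

# Constructed sample, modelled on the ComboFix log format in the thread above:
# section banners, deleted paths, REGEDIT4-style keys, the Supplementary Scan
# "key = value" lines and the LOCKED REGISTRY KEYS block.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\INSTALL.LOG
c:\windows\system32\drivers\msqpdxpkjrfbfi.sys
c:\windows\system32\drivers\SKYNETihqierfr.sys
c:\windows\system32\SKYNETribpjyxr.dll
D:\resycled

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Service_msqpdxserv.sys
-------\Service_SKYNETlxmtxobe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-05-30 21718312]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

------- Supplementary Scan -------
uInternet Settings,ProxyServer = 83.218.164.193:8080
uInternet Settings,ProxyOverride = <local>;*.local

--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"""

# Banner lines look like "(((( Name ))))" or "---- Name ----" (assumed from the log above).
SECTION_RE = re.compile(r"^[(\-]+\s*([A-Za-z0-9 /]+?)\s*[)\-]+$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(\S+)")
DISABLE_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$')


def parse_sections(text):
    """Split a log into {section name: [non-empty lines]}; '.' filler lines are dropped."""
    sections, current = {"preamble": []}, "preamble"
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections


def keyed_lines(lines):
    """Yield (registry key, value line) pairs for a REGEDIT4-style block."""
    key = None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            yield key, line


def triage(text):
    """Collect the indicator classes a responder reviews before deciding on a second pass."""
    s = parse_sections(text)
    findings = {
        # Kernel drivers ComboFix deleted: a rootkit-class infection, so rescan after reboot.
        "deleted_drivers": [p for p in s.get("Other Deletions", []) if p.lower().endswith(".sys")],
        # Services removed alongside them.
        "removed_services": [l.split("\\", 1)[1] for l in s.get("Drivers/Services", [])
                             if l.startswith("-------\\Service_")],
        "security_center_disabled": [],   # keys where monitoring was switched off
        "proxy_server": None,             # user-scope proxy the user may not have set
        "locked_keys": [],                # keys with explicit Deny ACEs
    }
    for key, line in keyed_lines(s.get("Reg Loading Points", [])):
        if "security center\\monitoring" in key.lower() and DISABLE_RE.match(line):
            findings["security_center_disabled"].append(key)
    for line in s.get("Supplementary Scan", []):
        m = PROXY_RE.match(line)
        if m:
            findings["proxy_server"] = m.group(1)
    for key, line in keyed_lines(s.get("LOCKED REGISTRY KEYS", [])):
        if line.startswith("@Denied") and key not in findings["locked_keys"]:
            findings["locked_keys"].append(key)
    return findings


def needs_follow_up(findings):
    """True when removed drivers/services, disabled monitoring or a proxy setting warrant another pass."""
    return bool(findings["deleted_drivers"] or findings["removed_services"]
                or findings["security_center_disabled"] or findings["proxy_server"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, value in result.items():
        print(f"{name}: {value}")
    print("follow-up needed:", needs_follow_up(result))
```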
  #28  
Old 26th Jun 2009, 19:52
Moderator Group
 
Do you have an antivirus installed and running? I can see that Avast was installed but I don't see it in the Security Center.
  #29  
Old 27th Jun 2009, 03:07
New Member Group
 
I disabled it for the ComboFix scan; I turned it back on as soon as it finished...
  #30  
Old 27th Jun 2009, 10:13
Moderator Group
 
Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

RegNull::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

DirLook::
c:\users\Sonny\AppData\Roaming\lowsec

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
Copyright ©2006 - 2009 Computer Juice.