bowiebolan

Cannot remove win32.backdoor.sinowal


Hi

 

How do I remove win32.backdoor.sinowal?

Read in an archived thread that someone fixed it with Combofix.

 

I downloaded Combofix, and HijackThis.

After running ComboFix, win32.backdoor.sinowal is still there.

I have no clue what to do with HijackThis.

Here's the Combofix and HijackThis logs:

 

ComboFix 08-10-10.09 - Eier 2008-10-11 18:41:00.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1044.18.547 [GMT 2:00]

Running from: C:\Documents and Settings\Eier\Skrivebord\ComboFix.exe

.

 

((((((((((((((((((((((((( Files Created from 2008-09-11 to 2008-10-11 )))))))))))))))))))))))))))))))

.

 

2008-10-11 18:19 . 2008-10-11 18:19 <DIR> d-------- C:\Programfiler\Trend Micro

2008-10-11 18:18 . 2008-10-11 18:37 <DIR> dr-h----- C:\Documents and Settings\Eier\Siste

2008-10-11 00:07 . 2008-10-11 00:50 <DIR> d-------- C:\Documents and Settings\Eier\Programdata\vlc

2008-10-05 18:59 . 2008-07-18 22:08 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui

2008-09-16 19:59 . 2008-09-16 19:59 <DIR> d-------- C:\Programfiler\LSoft Technologies Inc

2008-09-13 16:04 . 2008-09-23 20:55 <DIR> d-------- C:\Programfiler\mIRC

2008-09-13 16:04 . 2008-09-23 20:57 <DIR> d-------- C:\Documents and Settings\Eier\Programdata\mIRC

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-11 16:07 --------- d-----w C:\Programfiler\SpeedFan

2008-10-11 16:07 --------- d-----w C:\Documents and Settings\All Users\Programdata\HDD Thermometer

2008-10-11 14:15 --------- d-----w C:\Documents and Settings\Eier\Programdata\uTorrent

2008-10-11 14:15 --------- d-----w C:\Documents and Settings\Eier\Programdata\DVD Flick

2008-10-11 12:27 --------- d-----w C:\Programfiler\Epoq Design

2008-10-08 17:36 --------- d-----w C:\Programfiler\Opera

2008-10-06 14:58 --------- d-----w C:\Programfiler\DVDlabPro

2008-10-05 16:33 --------- d-----w C:\Documents and Settings\Eier\Programdata\Vso

2008-10-04 23:46 --------- d-----w C:\Programfiler\Microsoft Picture It! PhotoPub

2008-10-01 21:39 --------- d---a-w C:\Documents and Settings\All Users\Programdata\TEMP

2008-09-29 13:24 10,488 -c--a-w C:\Documents and Settings\Eier\Programdata\wklnhst.dat

2008-09-28 15:05 --------- d-----w C:\Programfiler\IKEA HomePlanner

2008-09-26 19:25 --------- d-----w C:\Documents and Settings\Eier\Programdata\ImgBurn

2008-09-26 14:37 --------- d-----w C:\Documents and Settings\All Users\Programdata\CanonIJPLM

2008-09-16 17:59 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-09-12 15:42 --------- d-----w C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy

2008-09-07 22:28 --------- d-----w C:\Programfiler\Spybot - Search & Destroy

2008-09-06 19:32 --------- d-----w C:\Documents and Settings\Eier\Programdata\gtk-2.0

2008-09-05 20:37 --------- d-----w C:\Documents and Settings\Eier\Programdata\Creative ASR2

2008-09-03 18:21 --------- d-----w C:\Programfiler\Microsoft Silverlight

2008-09-03 17:32 --------- d-----w C:\Documents and Settings\Eier\Programdata\wsInspector

2008-09-02 10:48 19,512 ----a-w C:\WINDOWS\system32\drivers\nvcw32mf.sys

2008-08-31 19:29 --------- d-----w C:\Documents and Settings\Eier\Programdata\Registry Booster

2008-08-30 15:44 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-08-26 16:07 --------- d-----w C:\Programfiler\Photosynth

2008-07-21 15:52 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE

2008-07-21 15:52 249,856 ------w C:\WINDOWS\Setup1.exe

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

2008-05-19 19:10 125,288 ----a-w C:\Documents and Settings\Eier\Programdata\GDIPFONTCACHEV1.DAT

2007-04-26 16:27 166,958 ----a-w C:\Documents and Settings\Eier\channels.dat

2007-03-13 22:03 87,608 ----a-w C:\Documents and Settings\Eier\Programdata\ezpinst.exe

2007-03-13 22:03 47,360 ----a-w C:\Documents and Settings\Eier\Programdata\pcouffin.sys

2005-05-13 15:12 217,073 --sha-r C:\WINDOWS\meta4.exe

2005-07-14 10:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll

2005-06-26 13:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll

2005-06-21 20:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll

2006-05-03 10:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll

2004-01-24 22:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll

2006-05-26 23:35 848 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys

2007-02-21 11:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll

2007-12-17 13:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll

2005-02-28 11:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe

2004-01-24 22:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll

2008-05-06 21:51 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\MSHist012008050620080507\index.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpeedStartup"="C:\Programfiler\Speed Startup\speedstartup.exe" [2006-07-28 2209280]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"GrpConv"="grpconv -o" [X]

"SpeedStartup"="C:\Programfiler\Speed Startup\speedstartup.exe" [2006-07-28 2209280]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"CMSRegOW.exe"="C:\Programfiler\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\CMSRegOW.exe" [2003-06-16 57344]

"SetDefaultMidi"="MIDIDEF.EXE" [2006-08-11 C:\WINDOWS\MIDIDEF.EXE]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.I420"= i420vfw.dll

"VIDC.HFYU"= huffyuv.dll

"vidc.yv12"= yv12vfw.dll

"MSVideo"= CSvidcap.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^BTTray.lnk]

backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Microsoft Office.lnk]

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Eier^Start-meny^Programmer^Oppstart^Yahoo! Widget Engine.lnk]

backup=C:\WINDOWS\pss\Yahoo! Widget Engine.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Home Theater SchSvr

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

C:\WINDOWS\system32\dumprep 0 -k [X]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinCinemaMgr

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

--a--c--- 2003-08-12 21:10 335872 C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2006-11-16 20:04 139264 C:\Programfiler\Fellesfiler\Ahead\Lib\NMBgMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]

--a------ 2007-04-03 18:50 1603152 C:\Programfiler\Canon\MyPrinter\BJMYPRT.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]

--a------ 2007-05-14 18:01 644696 C:\Programfiler\Canon\SolutionMenu\CNSLMAIN.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]

--a------ 2002-09-30 01:00 45056 C:\Programfiler\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

--a------ 2002-10-29 09:18 49152 C:\Programfiler\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2005-02-16 23:11 49152 C:\Programfiler\HP\HP Software Update\hpwuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]

--a--c--- 2005-09-05 06:55 53248 C:\Programfiler\Fellowes\MediaFACE 4.0\SetHook.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2006-01-12 16:40 155648 C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPSE reminder]

--a------ 2003-07-07 09:29 729088 C:\Programfiler\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2006-01-08 00:24 155648 C:\Programfiler\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedStartup]

--a------ 2006-07-28 13:04 2209280 C:\Programfiler\Speed Startup\speedstartup.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]

--a------ 2005-04-18 11:16 73728 C:\Programfiler\Logitech\Profiler\LWEMon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]

--a--c--- 2003-08-14 20:11 139264 C:\Programfiler\Multimedia Card Reader\shwicon2k.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]

--a------ 2008-05-02 06:15 15872 C:\Programfiler\Unlocker\UnlockerAssistant.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

--a------ 2003-08-19 02:01 110592 C:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

--------- 2008-04-14 18:23 110592 C:\WINDOWS\system32\bthprops.cpl

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"AdobeActiveFileMonitor6.0"=2 (0x2)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\Programfiler\\TmSunrise\\TmSunrise.exe"=

"C:\\Programfiler\\Utorrent\\utorrent.exe"=

"C:\\Programfiler\\WinMX\\WinMX.exe"=

"C:\\Programfiler\\limewire\\LimeWire.exe"=

"C:\\WINDOWS\\system32\\sessmgr.exe"=

"C:\\Programfiler\\mIRC\\mirc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\Soulseek-Test\\slsk.exe"=

"C:\\Programfiler\\TrackMania United\\TmUnited.exe"=

"C:\\Programfiler\\Opera\\Opera.exe"=

"C:\\Programfiler\\Fellesfiler\\Ahead\\Nero Web\\SetupX.exe"=

"C:\\Programfiler\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"C:\\WINDOWS\\system32\\mmc.exe"=

"C:\\Programfiler\\TmUnitedForever\\TmForever.exe"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"%windir%\\system32\\sessmgr.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"56971:TCP"= 56971:TCP:uTorrent

 

R0 immplmnb;immplmnb;C:\WINDOWS\system32\drivers\szwzqxdq.dat [ ]

R1 Pivot;Pivot;C:\WINDOWS\system32\drivers\pivot.sys [2007-02-09 17465]

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Programfiler\CyberLink\PowerDVD\000.fcl [2006-11-02 17:51 13560]

R2 Ndiskio;Ndiskio;C:\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 20448]

R3 Cap7134;ASUS TV7134 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2003-05-09 331392]

R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-09-02 19512]

R3 PhTVTune;ASUS WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2003-04-28 24192]

S2 IJPLMSVC;PIXMA Extended Survey Program;C:\Programfiler\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 101528]

S3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe [2008-04-29 183352]

S3 pivotmou;Pivot Mouse/Pointers Filter Driver;C:\WINDOWS\system32\drivers\pivotmou.sys [2007-02-09 11323]

S4 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Programfiler\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 124832]

.

Contents of the 'Scheduled Tasks' folder

 

2008-10-10 C:\WINDOWS\Tasks\Internet Explorer.job

- C:\PROGRA~1\INTERN~1\iexplore.exe [2008-06-23 11:23]

.

- - - - ORPHANS REMOVED - - - -

 

HKLM-RunOnce-<NO NAME> - (no file)

 

 

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.p4.no/player/player.aspx?channel=1

O8 -: &Define - file://C:\Programfiler\IEToys\Webster.htm

O8 -: &Delete Images - file://C:\Programfiler\IEToys\CleanDom.htm

O8 -: &MSN - file://C:\Programfiler\IEToys\MSN.htm

O8 -: Copy Location - file://C:\Programfiler\IEToys\CopyLocation.htm

O8 -: Easy-WebPrint Add To Print List - C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 -: Easy-WebPrint High Speed Print - C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 -: Easy-WebPrint Preview - C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 -: Easy-WebPrint Print - C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O8 -: Encyclopedia &Lookup - file://C:\Programfiler\IEToys\WebEncyc.htm

O8 -: HTML So&urce - file://C:\Programfiler\IEToys\HTMLSrc.htm

O8 -: I&mage List - file://C:\Programfiler\IEToys\ImageList.htm

O8 -: Linkif&y && Open - file://C:\Programfiler\IEToys\Linkify.htm

O8 -: Open with ScanSoft PDF Converter 4.0 - C:\Programfiler\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100

O8 -: Send To &Bluetooth - C:\Programfiler\Belkin\Bluetooth Software\btsendto_ie_ctx.htm

 

O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab

C:\WINDOWS\Downloaded Program Files\ewidoOnlineScan.dll

 

O16 -: {2EF3FB47-7B1E-4536-BA4D-51427BD45DFA} - hxxp://no.pixaco.com/static/download/pixacodndupload.cab

C:\WINDOWS\Downloaded Program Files\PIXACODnDUpload.inf

C:\WINDOWS\Downloaded Program Files\tra2_3_0.rc

C:\WINDOWS\Downloaded Program Files\PIXACODnDUpload.ocx

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-11 18:44:21

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\system\ControlSet005\Services\immplmnb]

"ImagePath"="system32\drivers\szwzqxdq.dat"

 

[HKEY_LOCAL_MACHINE\system\ControlSet005\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\C:\Programfiler\CyberLink\PowerDVD\000.fcl"

.

Completion time: 2008-10-11 18:47:27

ComboFix-quarantined-files.txt 2008-10-11 16:46:52

 

Pre-Run: 70 533 312 512 bytes free

Post-Run: 70,702,911,488 bytes free

 

216 --- E O F --- 2008-01-09 14:09:29

 

 

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:54:40, on 11.10.2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Norman\Npm\bin\ELOGSVC.EXE

C:\Norman\Npm\Bin\Zanda.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Belkin\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\System32\CTSvcCDA.EXE

C:\Programfiler\Fellesfiler\Portrait Displays\Shared\DTSRVC.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Canon\IJPLM\IJPLMSVC.EXE

C:\WINDOWS\system32\oodag.exe

C:\Programfiler\Dantz\Retrospect\retrorun.exe

C:\WINDOWS\System32\svchost.exe

C:\Norman\Npm\bin\NJEEVES.EXE

C:\Norman\Nvc\bin\nvcoas.exe

C:\WINDOWS\Explorer.EXE

c:\windows\system\hpsysdrv.exe

C:\HP\KBD\KBD.EXE

C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

C:\Programfiler\HDD Thermometer\HDD Thermometer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Norman\Npm\bin\ZLH.EXE

C:\Norman\Nvc\bin\cclaw.exe

C:\Programfiler\SpeedFan\speedfan.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.p4.no/player/player.aspx?channel=1

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Programfiler\Desktop Sidebar\sbhelp.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [speedStartup] C:\Programfiler\Speed Startup\speedstartup.exe bootup

O4 - HKLM\..\RunOnce: [speedStartup] C:\Programfiler\Speed Startup\speedstartup.exe runonce

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\RunOnce: [setDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [setDefaultMidi] MIDIDEF.EXE (User 'Default user')

O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')

O8 - Extra context menu item: &Define - file://C:\Programfiler\IEToys\Webster.htm

O8 - Extra context menu item: &Delete Images - file://C:\Programfiler\IEToys\CleanDom.htm

O8 - Extra context menu item: &MSN - file://C:\Programfiler\IEToys\MSN.htm

O8 - Extra context menu item: Copy Location - file://C:\Programfiler\IEToys\CopyLocation.htm

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O8 - Extra context menu item: Encyclopedia &Lookup - file://C:\Programfiler\IEToys\WebEncyc.htm

O8 - Extra context menu item: HTML So&urce - file://C:\Programfiler\IEToys\HTMLSrc.htm

O8 - Extra context menu item: I&mage List - file://C:\Programfiler\IEToys\ImageList.htm

O8 - Extra context menu item: Linkif&y && Open - file://C:\Programfiler\IEToys\Linkify.htm

O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - res://C:\Programfiler\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100

O8 - Extra context menu item: Send To &Bluetooth - C:\Programfiler\Belkin\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Programfiler\Desktop Sidebar\sbhelp.dll

O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Programfiler\Desktop Sidebar\sbhelp.dll

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programfiler\Belkin\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programfiler\Belkin\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab

O16 - DPF: {2EF3FB47-7B1E-4536-BA4D-51427BD45DFA} - http://no.pixaco.com/static/download/pixacodndupload.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programfiler\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197127500218

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programfiler\Belkin\Bluetooth Software\bin\btwdins.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE

O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Programfiler\Fellesfiler\Portrait Displays\Shared\DTSRVC.exe

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programfiler\Fellesfiler\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programfiler\Canon\IJPLM\IJPLMSVC.EXE

O23 - Service: NBService - Nero AG - C:\Programfiler\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Programfiler\Dantz\Retrospect\retrorun.exe

 

--

End of file - 8960 bytes


Hi bowiebolan

 

You shouldn't run ComboFix without supervision. Wrongly used, it may make a mess of your system.

 

 

Start hjt, do a system scan, check (if found):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Close browsers and fix checked.

 

 

 

Open notepad and copy/paste the text in the quotebox below into it:

 

Driver::
immplmnb

File::
C:\WINDOWS\system32\drivers\szwzqxdq.dat

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

 

 

Save this as

CFScript

 

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

 

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

Then post the resultant log.

 

 

ComboFix should never take more than 20 minutes including the reboot if malware is detected.

If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

If that happened we want to know, and also what process you had to end.

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

 

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says
    The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
     
  • Click the
    Download
    button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
     
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.

Uninstall old Adobe Reader and get the latest one here or get Foxit Reader here.

 

 

 

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

 

Double-click ATF Cleaner.exe to open it

 

Under Main choose:

Windows Temp

Current User Temp

All Users Temp

Cookies

Temporary Internet Files

Prefetch

Java Cache

*The other boxes are optional*

Then click the Empty Selected button.

 

If you use Firefox:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

 

If you use Opera:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

 

Click Exit on the Main menu to close the program.

 

 

Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.

 

 

Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.

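The helper's CFScript targets one line in the ComboFix driver section: a boot-start (R0) service named immplmnb whose image is a .dat file in system32\drivers that ComboFix could not even stat ("[ ]"). The script below is an added example for this thread, not ComboFix's own code and not something the helper posted. It parses the R*/S* service lines of a ComboFix log and scores each on a few weak indicators, reporting only entries that accumulate enough of them, so that a single oddity (a vendor driver with a vowel-less name, a PowerDVD filter with a .fcl extension) is not flagged on its own. The indicator set and the threshold of two are assumptions chosen for this log, and the sample lines are constructed copies of the ones above.

```python
"""Triage the driver/service block of a ComboFix log.

Added example for this thread; it is not part of ComboFix and not something
the helper posted. It scores each R*/S* line on a handful of weak indicators
and reports lines that accumulate enough of them. The indicator set and the
threshold are assumptions, chosen so that the immplmnb entry from the log
above stands out while ordinary vendor drivers do not.
"""
import re

# Constructed sample in the shape ComboFix prints the section:
#   <start> <name>;<display name>;<image path> [<date> <size>]
# R0-R3 are running services (boot, system, auto, manual start), S* stopped.
# An empty bracket means ComboFix could not read the image's timestamp/size.
SAMPLE_LOG = r"""
R0 immplmnb;immplmnb;C:\WINDOWS\system32\drivers\szwzqxdq.dat [ ]
R1 Pivot;Pivot;C:\WINDOWS\system32\drivers\pivot.sys [2007-02-09 17465]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Programfiler\CyberLink\PowerDVD\000.fcl [2006-11-02 17:51 13560]
R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-09-02 19512]
S3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe [2008-04-29 183352]
"""

LINE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.+?)\s+\[(.*?)\]\s*$")

# Extensions a Windows service image normally has (assumed allowlist).
EXPECTED_IMAGE_EXT = {".sys", ".exe", ".dll"}


def parse_services(text):
    """Return one dict per R*/S* line; any other line is ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            start, name, display, image, details = m.groups()
            entries.append({"start": start, "name": name, "display": display,
                            "image": image, "details": details})
    return entries


def suspicion_signals(entry):
    """List the indicators that fire for one parsed service entry."""
    image = entry["image"]
    base = image.rsplit("\\", 1)[-1]
    stem, _, ext = base.rpartition(".")
    ext = "." + ext.lower()
    signals = []
    if ext not in EXPECTED_IMAGE_EXT:
        signals.append("image is not a .sys/.exe/.dll")
    if not entry["details"].strip():
        signals.append("ComboFix could not stat the image (hidden or missing file)")
    if len(stem) >= 8 and not re.search(r"[aeiouy]", stem, re.I):
        signals.append("image name has no vowels (looks generated)")
    if entry["start"] == "R0" and "\\drivers\\" in image.lower() and ext != ".sys":
        signals.append("boot-start driver whose image is not a .sys")
    return signals


def triage(text, threshold=2):
    """Return (name, image, signals) for entries with >= threshold signals."""
    hits = []
    for entry in parse_services(text):
        signals = suspicion_signals(entry)
        if len(signals) >= threshold:
            hits.append((entry["name"], entry["image"], signals))
    return hits


if __name__ == "__main__":
    for name, image, signals in triage(SAMPLE_LOG):
        print(f"{name}: {image}")
        for s in signals:
            print(f"    - {s}")
```

On the sample, only immplmnb crosses the threshold (all four indicators fire); the PowerDVD .fcl and the Norman nvcw32mf.sys driver each collect one and stay quiet. A hit is a reason to look closer, not a verdict: confirm the file on disk, its signer and its service key before writing it into a CFScript, since the same Driver::/File:: directives that remove a rootkit driver will just as happily remove a legitimate one.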

Oops, I thought I could use ComboFix since I had the same problem.

 

Anyway, I've done everything you told me to.

Here's the logs:

 

ComboFix 08-10-10.09 - Eier 2008-10-12 15:28:22.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1044.18.612 [GMT 2:00]

Running from: C:\Documents and Settings\Eier\Skrivebord\ComboFix.exe

Command switches used :: C:\Documents and Settings\Eier\Skrivebord\CFScript.txt

* Created a new restore point

 

FILE ::

C:\WINDOWS\system32\drivers\szwzqxdq.dat

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_IMMPLMNB

-------\Service_immplmnb

 

 

((((((((((((((((((((((((( Files Created from 2008-09-12 to 2008-10-12 )))))))))))))))))))))))))))))))

.

 

2008-10-12 15:16 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-10-12 15:15 . 2008-10-12 15:15 <DIR> d-------- C:\Programfiler\Fellesfiler\Java

2008-10-12 14:59 . 2008-10-12 15:25 <DIR> dr-h----- C:\Documents and Settings\Eier\Siste

2008-10-11 18:19 . 2008-10-11 18:19 <DIR> d-------- C:\Programfiler\Trend Micro

2008-10-11 00:07 . 2008-10-11 00:50 <DIR> d-------- C:\Documents and Settings\Eier\Programdata\vlc

2008-10-05 18:59 . 2008-07-18 22:08 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui

2008-09-16 19:59 . 2008-09-16 19:59 <DIR> d-------- C:\Programfiler\LSoft Technologies Inc

2008-09-13 16:04 . 2008-09-23 20:55 <DIR> d-------- C:\Programfiler\mIRC

2008-09-13 16:04 . 2008-09-23 20:57 <DIR> d-------- C:\Documents and Settings\Eier\Programdata\mIRC

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-12 13:16 --------- d-----w C:\Programfiler\Java

2008-10-12 13:09 --------- d-----w C:\Programfiler\SpeedFan

2008-10-12 13:08 --------- d-----w C:\Documents and Settings\All Users\Programdata\HDD Thermometer

2008-10-12 12:59 --------- d-----w C:\Documents and Settings\Eier\Programdata\ImgBurn

2008-10-12 12:59 --------- d-----w C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy

2008-10-11 17:44 --------- d-----w C:\Programfiler\Spybot - Search & Destroy

2008-10-11 14:15 --------- d-----w C:\Documents and Settings\Eier\Programdata\uTorrent

2008-10-11 14:15 --------- d-----w C:\Documents and Settings\Eier\Programdata\DVD Flick

2008-10-11 12:27 --------- d-----w C:\Programfiler\Epoq Design

2008-10-08 17:36 --------- d-----w C:\Programfiler\Opera

2008-10-06 14:58 --------- d-----w C:\Programfiler\DVDlabPro

2008-10-05 16:33 --------- d-----w C:\Documents and Settings\Eier\Programdata\Vso

2008-10-04 23:46 --------- d-----w C:\Programfiler\Microsoft Picture It! PhotoPub

2008-10-01 21:39 --------- d---a-w C:\Documents and Settings\All Users\Programdata\TEMP

2008-09-29 13:24 10,488 -c--a-w C:\Documents and Settings\Eier\Programdata\wklnhst.dat

2008-09-28 15:05 --------- d-----w C:\Programfiler\IKEA HomePlanner

2008-09-26 14:37 --------- d-----w C:\Documents and Settings\All Users\Programdata\CanonIJPLM

2008-09-16 17:59 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-09-06 19:32 --------- d-----w C:\Documents and Settings\Eier\Programdata\gtk-2.0

2008-09-05 20:37 --------- d-----w C:\Documents and Settings\Eier\Programdata\Creative ASR2

2008-09-03 18:21 --------- d-----w C:\Programfiler\Microsoft Silverlight

2008-09-03 17:32 --------- d-----w C:\Documents and Settings\Eier\Programdata\wsInspector

2008-09-02 10:48 19,512 ----a-w C:\WINDOWS\system32\drivers\nvcw32mf.sys

2008-08-31 19:29 --------- d-----w C:\Documents and Settings\Eier\Programdata\Registry Booster

2008-08-30 15:44 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-08-26 16:07 --------- d-----w C:\Programfiler\Photosynth

2008-07-21 15:52 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE

2008-07-21 15:52 249,856 ------w C:\WINDOWS\Setup1.exe

2008-05-19 19:10 125,288 ----a-w C:\Documents and Settings\Eier\Programdata\GDIPFONTCACHEV1.DAT

2007-04-26 16:27 166,958 ----a-w C:\Documents and Settings\Eier\channels.dat

2007-03-13 22:03 87,608 ----a-w C:\Documents and Settings\Eier\Programdata\ezpinst.exe

2007-03-13 22:03 47,360 ----a-w C:\Documents and Settings\Eier\Programdata\pcouffin.sys

2005-05-13 15:12 217,073 --sha-r C:\WINDOWS\meta4.exe

2005-07-14 10:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll

2005-06-26 13:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll

2005-06-21 20:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll

2006-05-03 10:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll

2004-01-24 22:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll

2006-05-26 23:35 848 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys

2007-02-21 11:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll

2007-12-17 13:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll

2005-02-28 11:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe

2004-01-24 22:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll

2008-05-06 21:51 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\MSHist012008050620080507\index.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpeedStartup"="C:\Programfiler\Speed Startup\speedstartup.exe" [2006-07-28 2209280]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"SpeedStartup"="C:\Programfiler\Speed Startup\speedstartup.exe" [2006-07-28 2209280]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"CMSRegOW.exe"="C:\Programfiler\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\CMSRegOW.exe" [2003-06-16 57344]

"SetDefaultMidi"="MIDIDEF.EXE" [2006-08-11 C:\WINDOWS\MIDIDEF.EXE]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.I420"= i420vfw.dll

"VIDC.HFYU"= huffyuv.dll

"vidc.yv12"= yv12vfw.dll

"MSVideo"= CSvidcap.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^BTTray.lnk]

backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Microsoft Office.lnk]

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Eier^Start-meny^Programmer^Oppstart^Yahoo! Widget Engine.lnk]

backup=C:\WINDOWS\pss\Yahoo! Widget Engine.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Home Theater SchSvr

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinCinemaMgr

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

--a--c--- 2003-08-12 21:10 335872 C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2006-11-16 20:04 139264 C:\Programfiler\Fellesfiler\Ahead\Lib\NMBgMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]

--a------ 2007-04-03 18:50 1603152 C:\Programfiler\Canon\MyPrinter\BJMYPRT.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]

--a------ 2007-05-14 18:01 644696 C:\Programfiler\Canon\SolutionMenu\CNSLMAIN.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]

--a------ 2002-09-30 01:00 45056 C:\Programfiler\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

--a------ 2002-10-29 09:18 49152 C:\Programfiler\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2005-02-16 23:11 49152 C:\Programfiler\HP\HP Software Update\hpwuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]

--a--c--- 2005-09-05 06:55 53248 C:\Programfiler\Fellowes\MediaFACE 4.0\SetHook.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2006-01-12 16:40 155648 C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPSE reminder]

--a------ 2003-07-07 09:29 729088 C:\Programfiler\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2006-01-08 00:24 155648 C:\Programfiler\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedStartup]

--a------ 2006-07-28 13:04 2209280 C:\Programfiler\Speed Startup\speedstartup.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]

--a------ 2005-04-18 11:16 73728 C:\Programfiler\Logitech\Profiler\LWEMon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]

--a--c--- 2003-08-14 20:11 139264 C:\Programfiler\Multimedia Card Reader\shwicon2k.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]

--a------ 2008-05-02 06:15 15872 C:\Programfiler\Unlocker\UnlockerAssistant.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

--a------ 2003-08-19 02:01 110592 C:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

--------- 2008-04-14 18:23 110592 C:\WINDOWS\system32\bthprops.cpl

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"AdobeActiveFileMonitor6.0"=2 (0x2)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\Programfiler\\TmSunrise\\TmSunrise.exe"=

"C:\\Programfiler\\Utorrent\\utorrent.exe"=

"C:\\Programfiler\\WinMX\\WinMX.exe"=

"C:\\Programfiler\\limewire\\LimeWire.exe"=

"C:\\WINDOWS\\system32\\sessmgr.exe"=

"C:\\Programfiler\\mIRC\\mirc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\Soulseek-Test\\slsk.exe"=

"C:\\Programfiler\\TrackMania United\\TmUnited.exe"=

"C:\\Programfiler\\Opera\\Opera.exe"=

"C:\\Programfiler\\Fellesfiler\\Ahead\\Nero Web\\SetupX.exe"=

"C:\\Programfiler\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"C:\\WINDOWS\\system32\\mmc.exe"=

"C:\\Programfiler\\TmUnitedForever\\TmForever.exe"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"%windir%\\system32\\sessmgr.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"56971:TCP"= 56971:TCP:uTorrent

 

R1 Pivot;Pivot;C:\WINDOWS\system32\drivers\pivot.sys [2007-02-09 17465]

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Programfiler\CyberLink\PowerDVD\000.fcl [2006-11-02 17:51 13560]

R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Programfiler\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 101528]

R2 Ndiskio;Ndiskio;C:\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 20448]

R3 Cap7134;ASUS TV7134 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2003-05-09 331392]

R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-09-02 19512]

R3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe [2008-04-29 183352]

R3 PhTVTune;ASUS WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2003-04-28 24192]

S3 pivotmou;Pivot Mouse/Pointers Filter Driver;C:\WINDOWS\system32\drivers\pivotmou.sys [2007-02-09 11323]

S4 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Programfiler\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 124832]

.

Contents of the 'Scheduled Tasks' folder

 

2008-10-10 C:\WINDOWS\Tasks\Internet Explorer.job

- C:\PROGRA~1\INTERN~1\iexplore.exe [2008-06-23 11:23]

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-12 15:33:56

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\C:\Programfiler\CyberLink\PowerDVD\000.fcl"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINDOWS\explorer.exe

-> ?:\WINDOWS\System32\CSCDLL.dll

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\ati2evxx.exe

C:\Norman\npm\bin\elogsvc.exe

C:\Norman\npm\bin\Zanda.exe

C:\WINDOWS\system32\ati2evxx.exe

C:\Programfiler\Belkin\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\CTSVCCDA.EXE

C:\Programfiler\Fellesfiler\Portrait Displays\Shared\DTSRVC.exe

C:\WINDOWS\system32\oodag.exe

C:\Programfiler\Dantz\Retrospect\retrorun.exe

C:\Norman\npm\bin\Njeeves.exe

C:\WINDOWS\system\hpsysdrv.exe

C:\hp\KBD\kbd.exe

C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

C:\Programfiler\HDD Thermometer\HDD Thermometer.exe

C:\Norman\npm\bin\Zlh.exe

C:\Norman\NVC\Bin\CClaw.exe

.

**************************************************************************

.

Completion time: 2008-10-12 15:43:06 - machine was rebooted

ComboFix-quarantined-files.txt 2008-10-12 13:43:01

ComboFix2.txt 2008-10-11 16:47:28

 

Pre-Run: 70 519 459 840 byte ledig

Post-Run: 70,433,751,040 byte ledig

 

217 --- E O F --- 2008-01-09 14:09:29

 

 

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Sunday, October 12, 2008

Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Sunday, October 12, 2008 14:09:40

Records in database: 1307159

--------------------------------------------------------------------------------

 

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

 

Scan area - My Computer:

A:\

C:\

D:\

E:\

F:\

G:\

H:\

I:\

J:\

 

Scan statistics:

Files scanned: 142856

Threat name: 0

Infected objects: 0

Suspicious objects: 0

Duration of the scan: 02:42:09

 

No malware has been detected. The scan area is clean.

 

The selected area was scanned.

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:47:58, on 12.10.2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Norman\Npm\bin\ELOGSVC.EXE

C:\WINDOWS\system32\Ati2evxx.exe

C:\Norman\Npm\Bin\Zanda.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programfiler\Belkin\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\System32\CTSvcCDA.EXE

C:\Programfiler\Fellesfiler\Portrait Displays\Shared\DTSRVC.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Canon\IJPLM\IJPLMSVC.EXE

C:\WINDOWS\system32\oodag.exe

C:\Programfiler\Dantz\Retrospect\retrorun.exe

C:\WINDOWS\System32\rsvp.exe

C:\WINDOWS\System32\svchost.exe

C:\Norman\Npm\bin\NJEEVES.EXE

C:\WINDOWS\Explorer.EXE

C:\Norman\Nvc\bin\nvcoas.exe

C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe

c:\windows\system\hpsysdrv.exe

C:\HP\KBD\KBD.EXE

C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

C:\Programfiler\HDD Thermometer\HDD Thermometer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Norman\Npm\bin\ZLH.EXE

C:\Norman\Nvc\bin\cclaw.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Programfiler\SpeedFan\speedfan.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://chello.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Programfiler\Desktop Sidebar\sbhelp.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [speedStartup] C:\Programfiler\Speed Startup\speedstartup.exe bootup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\RunOnce: [speedStartup] C:\Programfiler\Speed Startup\speedstartup.exe runonce

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\RunOnce: [setDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [setDefaultMidi] MIDIDEF.EXE (User 'Default user')

O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')

O8 - Extra context menu item: &Define - file://C:\Programfiler\IEToys\Webster.htm

O8 - Extra context menu item: &Delete Images - file://C:\Programfiler\IEToys\CleanDom.htm

O8 - Extra context menu item: &MSN - file://C:\Programfiler\IEToys\MSN.htm

O8 - Extra context menu item: Copy Location - file://C:\Programfiler\IEToys\CopyLocation.htm

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O8 - Extra context menu item: Encyclopedia &Lookup - file://C:\Programfiler\IEToys\WebEncyc.htm

O8 - Extra context menu item: HTML So&urce - file://C:\Programfiler\IEToys\HTMLSrc.htm

O8 - Extra context menu item: I&mage List - file://C:\Programfiler\IEToys\ImageList.htm

O8 - Extra context menu item: Linkif&y && Open - file://C:\Programfiler\IEToys\Linkify.htm

O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - res://C:\Programfiler\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100

O8 - Extra context menu item: Send To &Bluetooth - C:\Programfiler\Belkin\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Programfiler\Desktop Sidebar\sbhelp.dll

O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Programfiler\Desktop Sidebar\sbhelp.dll

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programfiler\Belkin\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programfiler\Belkin\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab

O16 - DPF: {2EF3FB47-7B1E-4536-BA4D-51427BD45DFA} - http://no.pixaco.com/static/download/pixacodndupload.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programfiler\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197127500218

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programfiler\Belkin\Bluetooth Software\bin\btwdins.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE

O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Programfiler\Fellesfiler\Portrait Displays\Shared\DTSRVC.exe

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programfiler\Fellesfiler\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programfiler\Canon\IJPLM\IJPLMSVC.EXE

O23 - Service: NBService - Nero AG - C:\Programfiler\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Programfiler\Dantz\Retrospect\retrorun.exe

 

--

End of file - 8969 bytes

 

 

 

The last thing I did before posting here was checking AdAware again, but it still finds win32.backdoor.sinowal B)

So, what do I do now?

Thanks for helping :)


Hi

 

Could you post that Adaware finding? B)


No, just the finding showing the infection.


Like this?

 

Startet skanning av register

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Win32.Backdoor.Sinowal Objektet ble gjenkjent

Type : Regkey

Data :

Trusselvurdering : 10

Kategori : Malware

Kommentar :

Rootkey : HKEY_LOCAL_MACHINE

Objekt : system\currentcontrolset\enum\root\legacy_{def85c80-216a-43ab-af70-1665edbe2780}


Hi

 

Yes, that's what I meant :)

 

 

Download GMER and save it to your desktop:

  • Extract it to your desktop and double-click GMER.exe
  • Click the Rootkit tab and then Scan.
  • Don't check the Show All box while the scan is in progress!
  • When the scan is finished, click Copy.
  • This copies the log to the clipboard.
  • Post the log in your reply.


Ok, here's the log:

 

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2008-10-13 17:50:28

Windows 5.1.2600 Service Pack 3

 

 

---- System - GMER 1.0.14 ----

 

SSDT sptd.sys ZwCreateKey [0xF739BB3A]

SSDT sptd.sys ZwEnumerateKey [0xF739BC7E]

SSDT sptd.sys ZwEnumerateValueKey [0xF739BFF6]

SSDT sptd.sys ZwOpenKey [0xF739BA18]

SSDT sptd.sys ZwQueryKey [0xF739C0C0]

SSDT sptd.sys ZwQueryValueKey [0xF739BF58]

SSDT sptd.sys ZwSetValueKey [0xF739C148]

 

INT 0x01 \SystemRoot\System32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F619D541

INT 0x03 \SystemRoot\System32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F619D5E7

 

---- Kernel code sections - GMER 1.0.14 ----

 

? C:\WINDOWS\system32\drivers\sptd.sys Prosessen får ikke tilgang til filen fordi den brukes av en annen prosess.

? C:\WINDOWS\System32\Drivers\SPTD7453.SYS Prosessen får ikke tilgang til filen fordi den brukes av en annen prosess.

 

---- Kernel IAT/EAT - GMER 1.0.14 ----

 

IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F73A4DB2] sptd.sys

IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F73BA71E] sptd.sys

IAT ftdisk.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F73A53B2] sptd.sys

IAT ftdisk.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F73A52B6] sptd.sys

IAT ftdisk.sys[ntoskrnl.exe!IofCallDriver] [F73A5482] sptd.sys

IAT PartMgr.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F73BA032] sptd.sys

IAT PartMgr.sys[ntoskrnl.exe!IoDetachDevice] [F73A4F6E] sptd.sys

IAT atapi.sys[ntoskrnl.exe!IofCompleteRequest] [F73B9C76] sptd.sys

IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F73A4E06] sptd.sys

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7397A32] sptd.sys

IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7397B6E] sptd.sys

IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F7397AF6] sptd.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73986CC] sptd.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73985A2] sptd.sys

IAT disk.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F73BA864] sptd.sys

IAT \WINDOWS\System32\DRIVERS\CLASSPNP.SYS[ntoskrnl.exe!IoDetachDevice] [F73A9F78] sptd.sys

IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!IofCompleteRequest] [F73B9C76] sptd.sys

IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F73BA864] sptd.sys

IAT \SystemRoot\System32\DRIVERS\rdbss.sys[ntoskrnl.exe!IofCallDriver] [F7397020] sptd.sys

IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IofCallDriver] [F7397020] sptd.sys

 

---- Devices - GMER 1.0.14 ----

 

Device \FileSystem\Ntfs \Ntfs 8738A5D0

Device \FileSystem\Fastfat \FatCdrom 86E5F8B0

Device \Driver\USBSTOR \Device00008e 86F340E8

Device \Driver\USBSTOR \Device00008e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\USBSTOR \Device00008f 86F340E8

Device \Driver\USBSTOR \Device00008f sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\NetBT \Device\NetBT_Tcpip_{63470DD6-E0F0-4EED-8021-37A7EB12FCBC} 873550E8

Device \Driver\Ftdisk \Device\HarddiskVolume1 8738AC78

Device \Driver\Ftdisk \Device\HarddiskVolume2 8738AC78

Device \Driver\Cdrom \Device\CdRom0 86ECF0E8

Device \FileSystem\Rdbss \Device\FsWrap 86F190E8

Device \Driver\Cdrom \Device\CdRom1 86ECF0E8

Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdePort2 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdePort3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-1b sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-13 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\USBSTOR \Device000090 86F340E8

Device \Driver\USBSTOR \Device000090 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\NetBT \Device\NetBt_Wins_Export 873550E8

Device \Driver\NetBT \Device\NetbiosSmb 873550E8

Device \Driver\USBSTOR \Device000089 86F340E8

Device \Driver\USBSTOR \Device000089 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\Disk \Device\Harddisk0\DR0 8738A808

Device \Driver\Disk \Device\Harddisk1\DR3 8738A808

Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+7 8738A808

Device \Driver\Disk \Device\Harddisk2\DR4 8738A808

Device \Driver\Disk \Device\Harddisk2\DP(1)0-0+8 8738A808

Device \Driver\Disk \Device\Harddisk3\DR5 8738A808

Device \Driver\Disk \Device\Harddisk3\DP(1)0-0+9 8738A808

Device \Driver\Disk \Device\Harddisk4\DP(1)0-0+a 8738A808

Device \Driver\Disk \Device\Harddisk4\DR6 8738A808

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86F77880

Device \FileSystem\MRxSmb \Device\LanmanRedirector 86F77880

Device \FileSystem\Npfs \Device\NamedPipe 86F16BC0

Device \Driver\Ftdisk \Device\FtControl 8738AC78

Device \FileSystem\Msfs \Device\Mailslot 86E5E900

Device \Driver\USBSTOR \Device00008d 86F340E8

Device \Driver\USBSTOR \Device00008d sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \FileSystem\Fastfat \Fat 86E5F8B0

 

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

 

Device \FileSystem\Cdfs \Cdfs 86EE4C80

 

---- Registry - GMER 1.0.14 ----

 

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys0a3a575837

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\[email protected] 0x6D 0x13 0x74 0x76 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\CfgD79C293C1ED61418462E24595C90D04

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\[email protected] 0

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\[email protected] 0xE6 0xB1 0xA9 0x76 ...

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys0a3a575837

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\[email protected] 0x6D 0x13 0x74 0x76 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\CfgD79C293C1ED61418462E24595C90D04

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\[email protected] 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\[email protected] 0xE6 0xB1 0xA9 0x76 ...

Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys0a3a575837

Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\[email protected] 0x6D 0x13 0x74 0x76 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\CfgD79C293C1ED61418462E24595C90D04

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\[email protected] 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\[email protected] 0xE6 0xB1 0xA9 0x76 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys0a3a575837

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\[email protected] 0x6D 0x13 0x74 0x76 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] -70556022

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] -369950323

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 1255105973

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\CfgD79C293C1ED61418462E24595C90D04

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 0xE6 0xB1 0xA9 0x76 ...

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected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

 

---- Disk sectors - GMER 1.0.14 ----

 

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x12a14c00 size 0x1e4

Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

 

---- EOF - GMER 1.0.14 ----


Hi

 

Assuming that you have recovery console installed:

 

1. Reboot and select recovery console option.

2. When prompted, type your administrator password to log on.

3. Once logged in, type the drive that contains Windows (c:) in the command prompt that appears, then press Enter.

4. Type the following, then press Enter:

fixmbr c:

(Note: Infected drive is the bootable drive which the malware infects. If no device is specified, the Master Boot Record will be written in the primary boot drive.)

 

Reboot back into normal mode.

 

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.

2. In the left panel, double-click the following:

HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>enum>root

3. In the right panel, locate and delete the entry:

legacy_{def85c80-216a-43ab-af70-1665edbe2780}

4. Close Registry Editor.

 

If you have trouble deleting a key, click once on the legacy_{def85c80-216a-43ab-af70-1665edbe2780} to highlight it and click on the Permission menu option under Edit. Uncheck Allow inheritable permissions and press Copy. Click on Everyone and put a checkmark in Full Control, press Apply and OK, and attempt to delete the key again.

 

Run GMER and post back its log.

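To make the GMER checks in this thread repeatable (the first log above, and the "run GMER and post back its log" step after fixmbr), here is an added Python triage helper that is not from the thread, from GMER or from any poster: it splits a saved GMER log into its sections, counts SSDT/IAT hooks per owning driver, flags the "malicious code" plus "copy of MBR" disk-sector pairing reported above, and diffs a before/after log so you can confirm the disk-level finding is gone after the MBR has been rewritten. The sample log text inside is constructed, modelled on the lines posted in this thread.

```python
"""Triage helper for saved GMER rootkit-scan logs (added example, not from
the thread or from GMER). Sample log text below is constructed, modelled on
the lines posted in this thread."""
import re
from collections import defaultdict

# GMER separates its output into blocks headed '---- <name> - GMER 1.0.14 ----'
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)\s+\[(0x[0-9A-Fa-f]+)\]$")
IAT_RE = re.compile(r"^IAT\s+(\S+)\[(.+?)\]\s+\[([0-9A-Fa-f]+)\]\s+(\S+)$")
SECTOR_RE = re.compile(r"^Disk\s+(\S+)\s+sector\s+(\d+):\s+(.+)$")


def split_sections(log_text):
    """Map each GMER section name to its non-empty lines; text before the
    first section header is filed under 'header'."""
    sections = defaultdict(list)
    current = "header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        sections[current].append(line)
    return dict(sections)


def hooks_by_module(sections):
    """Count SSDT and kernel IAT hooks per owning driver. Hooks all owned by
    one named driver (here sptd.sys, a disc-emulation component) read very
    differently from hooks owned by an unnamed or unknown module."""
    counts = defaultdict(lambda: {"ssdt": 0, "iat": 0})
    for line in sections.get("System", []):
        m = SSDT_RE.match(line)
        if m:
            counts[m.group(1)]["ssdt"] += 1
    for line in sections.get("Kernel IAT/EAT", []):
        m = IAT_RE.match(line)
        if m:
            counts[m.group(4)]["iat"] += 1
    return dict(counts)


def disk_findings(sections):
    """Return (device, sector, description) tuples from 'Disk sectors'."""
    out = []
    for line in sections.get("Disk sectors", []):
        m = SECTOR_RE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3)))
    return out


def mbr_rootkit_indicators(sections):
    """Flag the pairing GMER reported in the thread: 'malicious code' in a
    low disk sector plus a 'copy of MBR' stashed in a neighbouring one."""
    findings = disk_findings(sections)
    malicious = [s for _, s, d in findings if "malicious code" in d]
    mbr_copy = [s for _, s, d in findings if "copy of MBR" in d]
    return {
        "malicious_sectors": malicious,
        "mbr_copy_sectors": mbr_copy,
        "suspect_mbr_rootkit": bool(malicious and mbr_copy),
    }


def remediation_check(before_text, after_text):
    """Diff the disk-sector findings of two logs (before and after fixmbr)."""
    before = set(disk_findings(split_sections(before_text)))
    after = set(disk_findings(split_sections(after_text)))
    return {
        "removed": sorted(before - after),
        "remaining": sorted(after),
        "new": sorted(after - before),
    }


# Constructed sample log, modelled on the GMER output posted in the thread.
SAMPLE_BEFORE = r"""GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-13 17:50:28

---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xF739BB3A]
SSDT sptd.sys ZwOpenKey [0xF739BA18]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F73A4DB2] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7397A32] sptd.sys

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x12a14c00 size 0x1e4
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.14 ----
"""

# Constructed 'after' log: same machine once the MBR has been rewritten, so
# the Disk sectors block is absent while the sptd.sys hooks remain.
SAMPLE_AFTER = SAMPLE_BEFORE.split("---- Disk sectors")[0] + "---- EOF - GMER 1.0.14 ----\n"

if __name__ == "__main__":
    sec = split_sections(SAMPLE_BEFORE)
    print(hooks_by_module(sec))
    print(mbr_rootkit_indicators(sec))
    print(remediation_check(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Point the functions at the text of your own saved GMER logs to get the same summary; the sptd.sys hooks are expected to persist across both runs, while the disk-sector lines should not.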

Hi

 

Let's see if it's installed or not (just looked at your combofix log earlier and it didn't say anything about recovery console missing). ;)

 

Show hidden files

-----------------

* Click Start.

* Open My Computer.

* Select the Tools menu and click Folder Options.

* Select the View Tab.

* Under the Hidden files and folders heading select Show hidden files and folders.

* Uncheck the Hide protected operating system files (recommended) option.

* Click Yes to confirm.

* Click OK.

 

Open c:\Boot.ini file with notepad and post back its contents.


[boot loader]

timeout=3

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn/NOGUIBOOT

C:\CMDCONS\BOOTSECT.DAT="Gjenopprettingskonsoll for Microsoft Windows XP" /cmdcons


Hi

 

Seems to be installed.

 

When system reboots select Gjenopprettingskonsoll for Microsoft Windows XP -option


Ok, not sure if I've done this first part correctly.

(Sorry for being so stupid ;) )

 

I selected the recovery console, but I didn't have to log on(?)

 

Then I had to choose between these:

 

1. D:\MiniNT

2. D:\I386

3. C:\Windows

 

I chose 3 and pressed Enter; was it right to type 3 on the keyboard? (Or should I have typed C:\Windows?)

 

Then this came up: C:\WINDOWS>, and I typed fixmbr c: and pressed Enter.

Then C:\WINDOWS> showed up again.

 

Rebooted and started Reg editor.

Couldn't delete it at first, but I unchecked "Allow inheritable permissions" and then deleted it.

 

Here's the gmer log:

 

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2008-10-14 18:05:35

Windows 5.1.2600 Service Pack 3

 

 

---- System - GMER 1.0.14 ----

 

SSDT sptd.sys ZwCreateKey [0xF739BB3A]

SSDT sptd.sys ZwEnumerateKey [0xF739BC7E]

SSDT sptd.sys ZwEnumerateValueKey [0xF739BFF6]

SSDT sptd.sys ZwOpenKey [0xF739BA18]

SSDT sptd.sys ZwQueryKey [0xF739C0C0]

SSDT sptd.sys ZwQueryValueKey [0xF739BF58]

SSDT sptd.sys ZwSetValueKey [0xF739C148]

 

INT 0x01 \SystemRoot\System32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F668B541

INT 0x03 \SystemRoot\System32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F668B5E7

 

---- Kernel code sections - GMER 1.0.14 ----

 

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.

? C:\WINDOWS\System32\Drivers\SPTD7453.SYS The process cannot access the file because it is being used by another process.

 

---- Kernel IAT/EAT - GMER 1.0.14 ----

 

IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F73A4DB2] sptd.sys

IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F73BA71E] sptd.sys

IAT ftdisk.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F73A53B2] sptd.sys

IAT ftdisk.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F73A52B6] sptd.sys

IAT ftdisk.sys[ntoskrnl.exe!IofCallDriver] [F73A5482] sptd.sys

IAT PartMgr.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F73BA032] sptd.sys

IAT PartMgr.sys[ntoskrnl.exe!IoDetachDevice] [F73A4F6E] sptd.sys

IAT atapi.sys[ntoskrnl.exe!IofCompleteRequest] [F73B9C76] sptd.sys

IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F73A4E06] sptd.sys

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7397A32] sptd.sys

IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7397B6E] sptd.sys

IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F7397AF6] sptd.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73986CC] sptd.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73985A2] sptd.sys

IAT disk.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F73BA864] sptd.sys

IAT \WINDOWS\System32\DRIVERS\CLASSPNP.SYS[ntoskrnl.exe!IoDetachDevice] [F73A9F78] sptd.sys

IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!IofCompleteRequest] [F73B9C76] sptd.sys

IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F73BA864] sptd.sys

IAT \SystemRoot\System32\DRIVERS\rdbss.sys[ntoskrnl.exe!IofCallDriver] [F7397020] sptd.sys

IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IofCallDriver] [F7397020] sptd.sys

 

---- Devices - GMER 1.0.14 ----

 

Device \FileSystem\Ntfs \Ntfs 8738A398

Device \FileSystem\Fastfat \FatCdrom 86DE9228

Device \Driver\USBSTOR \Device00008e 8726FC58

Device \Driver\USBSTOR \Device00008e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\USBSTOR \Device00008f 8726FC58

Device \Driver\USBSTOR \Device00008f sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\NetBT \Device\NetBT_Tcpip_{63470DD6-E0F0-4EED-8021-37A7EB12FCBC} 863EB9C0

Device \Driver\Ftdisk \Device\HarddiskVolume1 8738AA40

Device \Driver\Ftdisk \Device\HarddiskVolume2 8738AA40

Device \Driver\Cdrom \Device\CdRom0 86EC0A90

Device \FileSystem\Rdbss \Device\FsWrap 86DF5308

Device \Driver\Cdrom \Device\CdRom1 86EC0A90

Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdePort2 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdePort3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-1b sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-13 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\USBSTOR \Device000090 8726FC58

Device \Driver\USBSTOR \Device000090 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\NetBT \Device\NetBt_Wins_Export 863EB9C0

Device \Driver\USBSTOR \Device000091 8726FC58

Device \Driver\USBSTOR \Device000091 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \Driver\NetBT \Device\NetbiosSmb 863EB9C0

Device \Driver\Disk \Device\Harddisk0\DR0 8738A5D0

Device \Driver\Disk \Device\Harddisk1\DR3 8738A5D0

Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+7 8738A5D0

Device \Driver\Disk \Device\Harddisk2\DR4 8738A5D0

Device \Driver\Disk \Device\Harddisk2\DP(1)0-0+8 8738A5D0

Device \Driver\Disk \Device\Harddisk3\DR5 8738A5D0

Device \Driver\Disk \Device\Harddisk3\DP(1)0-0+9 8738A5D0

Device \Driver\Disk \Device\Harddisk4\DP(1)0-0+a 8738A5D0

Device \Driver\Disk \Device\Harddisk4\DR6 8738A5D0

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86E04EB0

Device \FileSystem\MRxSmb \Device\LanmanRedirector 86E04EB0

Device \FileSystem\Npfs \Device\NamedPipe 86E3F298

Device \Driver\Ftdisk \Device\FtControl 8738AA40

Device \Driver\USBSTOR \Device00008a 8726FC58

Device \Driver\USBSTOR \Device00008a sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

Device \FileSystem\Msfs \Device\Mailslot 86E33610

Device \FileSystem\Fastfat \Fat 86DE9228

 

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

 

Device \FileSystem\Cdfs \Cdfs 86E396A0

 

---- Registry - GMER 1.0.14 ----

 

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys0a3a575837

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\[email protected] 0x6D 0x13 0x74 0x76 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\CfgD79C293C1ED61418462E24595C90D04

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\[email protected] 0

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\[email protected] 0xE6 0xB1 0xA9 0x76 ...

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys0a3a575837

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\[email protected] 0x6D 0x13 0x74 0x76 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\CfgD79C293C1ED61418462E24595C90D04

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\[email protected] 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\[email protected] 0xE6 0xB1 0xA9 0x76 ...

Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys0a3a575837

Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\[email protected] 0x6D 0x13 0x74 0x76 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\CfgD79C293C1ED61418462E24595C90D04

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\[email protected] 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\[email protected] 0xE6 0xB1 0xA9 0x76 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys0a3a575837

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\[email protected] 0x6D 0x13 0x74 0x76 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] -70556022

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] -369950323

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 1255105973

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\CfgD79C293C1ED61418462E24595C90D04

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 0xE6 0xB1 0xA9 0x76 ...

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected]

 

---- Disk sectors - GMER 1.0.14 ----

 

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x12a14c00 size 0x1e4

Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

 

---- EOF - GMER 1.0.14 ----

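The two GMER "Disk sectors" findings above (foreign code in sector 61 and a copy of the MBR in sector 62) and the earlier fixmbr step are easier to reason about with an offline check. The following is an added example, not code from this thread or from GMER, ComboFix or the Recovery Console. It works on a raw disk image held in memory as bytes (the sample images are constructed inside the script, and the "boot code" and partition layout in them are placeholders, not a real XP boot sector). It walks the unpartitioned gap between sector 0 and the first partition, reports any non-zero sector there, recognises a stashed copy of the original MBR by its boot signature and matching partition table, and shows the two repair options: put the stashed copy back, or do what fixmbr does (rewrite only the boot-code bytes 0..445 of sector 0 and keep the partition table). Run it against an image acquired from outside the infected OS; a kernel-mode MBR rootkit can filter reads of the sectors it owns, which is also why GMER does its own low-level reads.

```python
"""Offline check and repair of an MBR rootkit footprint in a raw disk image.

Added example, not code from this thread or from GMER/ComboFix.  Works on a
disk image held in memory as bytes; the sample images are constructed below.
"""
import struct

SECTOR = 512
MBR_SIG = b"\x55\xaa"
PT_OFFSET = 446           # partition table: four 16-byte entries at 446..509
PT_END = PT_OFFSET + 64   # boot signature 0x55AA follows at 510..511


def parse_partition_table(mbr):
    """Return (bootable, type, start_lba, sectors) for each non-empty entry."""
    entries = []
    for i in range(4):
        e = mbr[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        start, size = struct.unpack_from("<II", e, 8)
        if e[4] != 0:                       # partition type 0 = unused slot
            entries.append((e[0] == 0x80, e[4], start, size))
    return entries


def scan_mbr_gap(image):
    """Inspect sector 0 and every sector before the first partition.

    Sectors in that gap are normally all zero.  A non-zero sector carrying a
    boot signature and the same partition table as sector 0 is treated as a
    stashed copy of the original MBR; any other non-zero sector is suspicious.
    """
    mbr = image[:SECTOR]
    findings = {"signature_ok": mbr[510:512] == MBR_SIG,
                "suspicious_sectors": [], "mbr_copy_at": None,
                "boot_code_modified": None}
    parts = parse_partition_table(mbr)
    gap_end = min(p[2] for p in parts) if parts else 0
    for lba in range(1, gap_end):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(sec) < SECTOR or not any(sec):
            continue
        if sec[510:512] == MBR_SIG and sec[PT_OFFSET:PT_END] == mbr[PT_OFFSET:PT_END]:
            findings["mbr_copy_at"] = lba
            findings["boot_code_modified"] = sec[:PT_OFFSET] != mbr[:PT_OFFSET]
        else:
            findings["suspicious_sectors"].append(lba)
    return findings


def restore_mbr_from_copy(image, copy_lba):
    """Put the stashed original MBR back into sector 0."""
    return image[copy_lba * SECTOR:(copy_lba + 1) * SECTOR] + image[SECTOR:]


def rewrite_boot_code(image, boot_code):
    """What fixmbr does: replace bytes 0..445 of sector 0, keep the table."""
    if len(boot_code) > PT_OFFSET:
        raise ValueError("boot code does not fit before the partition table")
    return boot_code.ljust(PT_OFFSET, b"\x00") + image[PT_OFFSET:]


def zero_sectors(image, lbas):
    """Blank the given sectors (the rootkit's leftovers in the gap)."""
    out = bytearray(image)
    for lba in lbas:
        out[lba * SECTOR:(lba + 1) * SECTOR] = b"\x00" * SECTOR
    return bytes(out)


def make_mbr(boot_code, start_lba=63, size=1000, ptype=0x07):
    """Build a one-partition MBR (constructed sample, not a real boot sector)."""
    entry = bytes([0x80, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", start_lba, size)
    return boot_code.ljust(PT_OFFSET, b"\x00") + entry + b"\x00" * 48 + MBR_SIG


def make_sample_images():
    """Constructed 64-sector images: a clean disk and an infected one."""
    clean_mbr = make_mbr(bytes(range(1, 200)))   # placeholder for real boot code
    blank = b"\x00" * SECTOR
    volume = b"\xaa" * SECTOR                    # placeholder for the NTFS boot sector at LBA 63
    clean = clean_mbr + blank * 62 + volume
    # infected: hooked loader in sector 0, 0x1e4 bytes of loader code in
    # sector 61, the original MBR stashed in sector 62 (the layout GMER reported)
    hooked = make_mbr(b"\xeb\xfe" + b"\x90" * 100)
    loader = (b"\x90" * 0x1e4).ljust(SECTOR, b"\x00")
    infected = hooked + blank * 60 + loader + clean_mbr + volume
    return clean, infected


if __name__ == "__main__":
    clean, infected = make_sample_images()
    print("clean:   ", scan_mbr_gap(clean))
    print("infected:", scan_mbr_gap(infected))
    repaired = zero_sectors(restore_mbr_from_copy(infected, 62), [61, 62])
    print("repaired:", scan_mbr_gap(repaired))
```

Note what the fixmbr path does and does not do: rewrite_boot_code only touches sector 0, so the loader in sector 61 and the MBR copy in sector 62 survive it, exactly as GMER still reports them after the fixmbr step above. With a clean sector 0 they are never executed, but zeroing them removes the ambiguity on the next scan.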
---- Disk sectors - GMER 1.0.14 ----

 

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x12a14c00 size 0x1e4

Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

Those may be harmless leftovers but better make sure ;)

 

We need to run a system scan with Dr. Web CureIt

  1. Please download DrWeb-CureIt & save it to your desktop.
    DO NOT perform a scan yet.
  2. Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Do not select "Safe Mode with Networking" or "Safe Mode with Command Prompt".
  3. Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  4. Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  5. Once the short scan has finished, Click Options > Change settings
  6. Choose the "Scan tab" and UNcheck "Heuristic analysis"
  7. Back at the main window, click "Complete Scan"
  8. Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  9. When done, a message will be displayed at the bottom advising if any viruses were found.
  10. Click "Yes to all" if it asks if you want to cure/move the file.
  11. When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  12. Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  13. Save the DrWeb.csv report to your desktop.
  14. Exit Dr.Web Cureit when done.
  15. Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  16. After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

In your next reply, please include the following:

  • Dr.Web's Log

 

Does Adaware still find Sinowal?


Hi

 

Good to hear that ;) Anyway, please run Dr.Web, since it's related to that MBR thing that GMER found. That way I'll know if there's a need for further action.


Ok, was going to do the Dr. Web thing, but.......

I can't start in Safe Mode! :)

 

When I select Safe Mode, I then have to choose between starting Windows XP Home Edition or the Recovery Console thing.

I select Windows XP and this is what my screen shows then:

 

[image: bilde6le1.jpg (photo of the screen)]

 

What does this mean?

 

(sorry about the quality, it's taken with my old mobilephone)


Hi

 

Unfortunately I can't make anything out of that picture :) What should be there? I see only a couple of circles.

 

Did you try again after that?


I tried 3 times and the only thing that shows on my screen is what you see in that picture.

The upper part of the screen is blue, and the lower part is the circles.


Hi

 

Please try running Dr.Web in normal mode. Do you recall using Safe Mode lately, before this? If yes, did it work properly that time?
