Malware, Sound bites, no SBSD, no volume restore, Oh My!



sksballs
2009-12-11, 02:02
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/12/10 10:59
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xECD05000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A74000 Size: 8192 File Visible: No Signed: -
Status: -

Name: H8SRTyiewqmdjok.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTyiewqmdjok.sys
Address: 0xEEEA5000 Size: 114688 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE7B4000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\SYSTEM32\h8srtcfg.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\H8SRTenohyluubx.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\H8SRTprkvyblmfw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\H8SRTrhnknxixxi.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT50d2.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTda99.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\DRIVERS\H8SRTyiewqmdjok.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jessica Smilowitz\Local Settings\Temp\H8SRT7838.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jessica Smilowitz\Application Data\Apple Computer\iTunes\iTunesPrefs.xml
Status: Visible to the Windows API, but not on disk.

Path: E:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.IE5\0PKT2NOX\-*/
Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: H8SRTenohyluubx.dll]
Process: svchost.exe (PID: 924) Address: 0x10000000 Size: 65536

Object: Hidden Module [Name: H8SRTprkvyblmfw.dll]
Process: Explorer.EXE (PID: 1252) Address: 0x10000000 Size: 106496

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTyiewqmdjok.sys

==EOF==

Logfile of RunAlyzer 2.0.0. Copyright © 2000-2007 Safer Networking Limited. All rights reserved.
Scan saved at 12/10/2009 10:54:35 AM
Platform: Windows XP (Build: 2600) Service Pack 3 (5.1.2600)

Running processes:
[System]
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Tremd Micro\hijackthis\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Safer Networking\RunAlyzer\RunAlyzer.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O20 - Winlogon Notify: dimsntfy = %SystemRoot%\System32\dimsntfy.dll
O20 - Winlogon Notify: igfxcui = igfxdev.dll
O20 - Winlogon Notify: sclgntfy = sclgntfy.dll
O4 - HKCU\..\Run: [Google Update] C:\Documents and Settings\Jessica Smilowitz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy1\TeaTimer.exe
O4 - HKCU\..\Run: [richtx64.exe] C:\DOCUME~1\JESSIC~1\LOCALS~1\Temp\richtx64.exe
O4 - HKCU\..\Run: [AntiMalware] C:\Program Files\AntiMalware\antimalware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O20 - Winlogon Notify: sclgntfy = sclgntfy.dll
O20 - Winlogon Notify: igfxcui = igfxdev.dll
O20 - Winlogon Notify: dimsntfy = %SystemRoot%\System32\dimsntfy.dll
O23 - Service: Microsoft ACPI Driver (ACPI) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\ACPI.sys
O23 - Service: Microsoft Kernel Acoustic Echo Canceller (aec) - /owner unsupported/ - C:\WINDOWS\system32\drivers\aec.sys
O23 - Service: AFS2k (AFS2K) - /owner unsupported/ -
O23 - Service: Intel AGP Bus Filter (agp440) - /owner unsupported/ - \SystemRoot\System32\DRIVERS\agp440.sys
O23 - Service: Compaq AGP Bus Filter (agpCPQ) - /owner unsupported/ - \SystemRoot\System32\DRIVERS\agpCPQ.sys
O23 - Service: ALI AGP Bus Filter (alim1541) - /owner unsupported/ - \SystemRoot\System32\DRIVERS\alim1541.sys
O23 - Service: AMD AGP Bus Filter Driver (amdagp) - /owner unsupported/ - \SystemRoot\System32\DRIVERS\amdagp.sys
O23 - Service: AOL Connectivity Service (AOL ACS) - /owner unsupported/ - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device (Apple Mobile Device) - /owner unsupported/ - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - /owner unsupported/ - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: RAS Asynchronous Media Driver (AsyncMac) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\asyncmac.sys
O23 - Service: Standard IDE/ESDI Hard Disk Controller (atapi) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\atapi.sys
O23 - Service: ATM ARP Client Protocol (Atmarpc) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\atmarpc.sys
O23 - Service: BCM42RLY (BCM42RLY) - /owner unsupported/ - C:\WINDOWS\System32\BCM42RLY.SYS
O23 - Service: Bonjour Service (Bonjour Service) - /owner unsupported/ - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Closed Caption Decoder (CCDECODE) - /owner unsupported/ - C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
O23 - Service: CD-ROM Driver (Cdrom) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\cdrom.sys
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - /owner unsupported/ - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
O23 - Service: Disk Driver (Disk) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\disk.sys
O23 - Service: Logical Disk Manager Driver (dmio) - /owner unsupported/ - C:\WINDOWS\System32\drivers\dmio.sys
O23 - Service: Microsoft Kernel DLS Syntheiszer (DMusic) - /owner unsupported/ - C:\WINDOWS\system32\drivers\DMusic.sys
O23 - Service: Microsoft Kernel DRM Audio Descrambler (drmkaud) - /owner unsupported/ - C:\WINDOWS\system32\drivers\drmkaud.sys
O23 - Service: dvd43llh (dvd43llh) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\dvd43llh.sys
O23 - Service: GoProto Protocol Driver for LELA (elagopro) - /owner unsupported/ - C:\WINDOWS\system32\DRIVERS\elagopro.sys
O23 - Service: UniDriver for LELA (elaunidr) - /owner unsupported/ - C:\WINDOWS\system32\DRIVERS\elaunidr.sys
O23 - Service: Event Log (Eventlog) - /owner unsupported/ - C:\WINDOWS\system32\services.exe
O23 - Service: Floppy Disk Controller Driver (Fdc) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\fdc.sys
O23 - Service: UVC Filter Service (FilterService) - /owner unsupported/ - C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
O23 - Service: FlipShare Service (FlipShare Service) - /owner unsupported/ - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
O23 - Service: Floppy Disk Driver (Flpydisk) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\flpydisk.sys
O23 - Service: Windows Presentation Foundation Font Cache 3.0.0.0 (FontCache3.0.0.0) - /owner unsupported/ - C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
O23 - Service: Game Port Enumerator (gameenum) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\gameenum.sys
O23 - Service: GEAR ASPI Filter Driver (GEARAspiWDM) - /owner unsupported/ - C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys
O23 - Service: getPlus(R) Helper (getPlus(R) Helper) - /owner unsupported/ - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Generic Packet Classifier (Gpc) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\msgpc.sys
O23 - Service: GTNDIS5 NDIS Protocol Driver (GTNDIS5) - /owner unsupported/ - C:\WINDOWS\system32\GTNDIS5.SYS
O23 - Service: Google Update Service (gupdate1c9d330b96e804c) (gupdate1c9d330b96e804c) - /owner unsupported/ - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - /owner unsupported/ - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HTTP (HTTP) - /owner unsupported/ - C:\WINDOWS\System32\Drivers\HTTP.sys
O23 - Service: i8042 Keyboard and PS/2 Mouse Port Driver (i8042prt) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\i8042prt.sys
O23 - Service: Windows CardSpace (idsvc) - /owner unsupported/ - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
O23 - Service: CD-Burning Filter Driver (Imapi) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\imapi.sys
O23 - Service: Intel Processor Driver (intelppm) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\intelppm.sys
O23 - Service: IPv6 Windows Firewall Driver (ip6fw) - /owner unsupported/ - C:\WINDOWS\system32\drivers\ip6fw.sys
O23 - Service: IP in IP Tunnel Driver (IpInIp) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\ipinip.sys
O23 - Service: IP Network Address Translator (IpNat) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\ipnat.sys
O23 - Service: iPod Service (iPod Service) - /owner unsupported/ - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPSEC driver (IPSec) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\ipsec.sys
O23 - Service: IR Enumerator Service (IRENUM) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\irenum.sys
O23 - Service: PnP ISA/EISA Bus Driver (isapnp) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\isapnp.sys
O23 - Service: Keyboard Class Driver (Kbdclass) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\kbdclass.sys
O23 - Service: Microsoft Kernel Wave Audio Mixer (kmixer) - /owner unsupported/ - C:\WINDOWS\system32\drivers\kmixer.sys
O23 - Service: LVPr2Mon Driver (LVPr2Mon) - /owner unsupported/ - C:\WINDOWS\system32\Drivers\LVPr2Mon.sys
O23 - Service: Process Monitor (LVPrcSrv) - /owner unsupported/ - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Logitech RightSound Filter Driver (LVRS) - /owner unsupported/ - C:\WINDOWS\system32\DRIVERS\lvrs.sys
O23 - Service: Logitech USB Monitor Filter (LVUSBSta) - /owner unsupported/ - C:\WINDOWS\system32\DRIVERS\LVUSBSta.sys
O23 - Service: Logitech QuickCam S5500(UVC) (LVUVC) - /owner unsupported/ - C:\WINDOWS\system32\DRIVERS\lvuvc.sys
O23 - Service: MBackMonitor (MBackMonitor) - /owner unsupported/ - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service (McAfee SiteAdvisor Service) - /owner unsupported/ - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - /owner unsupported/ - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - /owner unsupported/ - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - /owner unsupported/ - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - /owner unsupported/ - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - /owner unsupported/ - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - /owner unsupported/ - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Inc. mfeavfk (mfeavfk) - /owner unsupported/ - C:\WINDOWS\system32\drivers\mfeavfk.sys
O23 - Service: McAfee Inc. mfebopk (mfebopk) - /owner unsupported/ - C:\WINDOWS\system32\drivers\mfebopk.sys
O23 - Service: McAfee Inc. mfehidk (mfehidk) - /owner unsupported/ - C:\WINDOWS\system32\drivers\mfehidk.sys
O23 - Service: McAfee Inc. mferkdk (mferkdk) - /owner unsupported/ - C:\WINDOWS\system32\drivers\mferkdk.sys
O23 - Service: McAfee Inc. mfesmfk (mfesmfk) - /owner unsupported/ - C:\WINDOWS\system32\drivers\mfesmfk.sys
O23 - Service: Mouse Class Driver (Mouclass) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\mouclass.sys
O23 - Service: MPFP (MPFP) - /owner unsupported/ - C:\WINDOWS\System32\Drivers\Mpfp.sys
O23 - Service: McAfee Personal Firewall Service (MpfService) - /owner unsupported/ - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: WebDav Client Redirector (MRxDAV) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\mrxdav.sys
O23 - Service: MRXSMB (MRxSmb) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - /owner unsupported/ - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Microsoft Streaming Clock Proxy (MSPCLOCK) - /owner unsupported/ - C:\WINDOWS\system32\drivers\MSPCLOCK.sys
O23 - Service: Microsoft Streaming Quality Manager Proxy (MSPQM) - /owner unsupported/ - C:\WINDOWS\system32\drivers\MSPQM.sys
O23 - Service: Microsoft System Management BIOS Driver (mssmbios) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\mssmbios.sys
O23 - Service: Microsoft Streaming Tee/Sink-to-Sink Converter (MSTEE) - /owner unsupported/ - C:\WINDOWS\system32\drivers\MSTEE.sys
O23 - Service: NABTS/FEC VBI Codec (NABTSFEC) - /owner unsupported/ - C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
O23 - Service: Microsoft TV/Video Connection (NdisIP) - /owner unsupported/ - C:\WINDOWS\system32\DRIVERS\NdisIP.sys
O23 - Service: Remote Access NDIS TAPI Driver (NdisTapi) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\ndistapi.sys
O23 - Service: NDIS Usermode I/O Protocol (Ndisuio) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\ndisuio.sys
O23 - Service: Remote Access NDIS WAN Driver (NdisWan) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\ndiswan.sys
O23 - Service: NetBIOS Interface (NetBIOS) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\netbios.sys
O23 - Service: NetBios over Tcpip (NetBT) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\netbt.sys
O23 - Service: Net.Tcp Port Sharing Service (NetTcpPortSharing) - /owner unsupported/ - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
O23 - Service: Network Monitor Driver (nm) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\NMnt.sys
O23 - Service: NWLink IPX/SPX/NetBIOS Compatible Transport Protocol (NwlnkIpx) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\nwlnkipx.sys
O23 - Service: Creative SB Live! Series (WDM) (P16X) - /owner unsupported/ - C:\WINDOWS\system32\drivers\P16X.sys
O23 - Service: Intel PentiumIII Processor Driver (P3) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\p3.sys
O23 - Service: Parallel port driver (Parport) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\parport.sys
O23 - Service: PCI Bus Driver (PCI) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\pci.sys
O23 - Service: Plug and Play (PlugPlay) - /owner unsupported/ - C:\WINDOWS\system32\services.exe
O23 - Service: WAN Miniport (PPTP) (PptpMiniport) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\raspptp.sys
O23 - Service: Processor Driver (Processor) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\processr.sys
O23 - Service: QoS Packet Scheduler (PSched) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\psched.sys
O23 - Service: WAN Miniport (L2TP) (Rasl2tp) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
O23 - Service: Remote Access PPPOE Driver (RasPppoe) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\raspppoe.sys
O23 - Service: Terminal Server Device Redirector Driver (rdpdr) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\rdpdr.sys
O23 - Service: Digital CD Audio Playback Filter Driver (redbook) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\redbook.sys
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - /owner unsupported/ - C:\WINDOWS\system32\svchost -k rpcss
O23 - Service: Linksys Wireless-G PCI Adapter Driver(RT61) (RT61) - /owner unsupported/ - C:\WINDOWS\system32\DRIVERS\RT61.sys
O23 - Service: Serenum Filter Driver (serenum) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\serenum.sys
O23 - Service: Serial port driver (Serial) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\serial.sys
O23 - Service: SIS AGP Bus Filter (sisagp) - /owner unsupported/ - \SystemRoot\System32\DRIVERS\sisagp.sys
O23 - Service: BDA Slip De-Framer (SLIP) - /owner unsupported/ - C:\WINDOWS\system32\DRIVERS\SLIP.sys
O23 - Service: Microsoft Kernel Audio Splitter (splitter) - /owner unsupported/ - C:\WINDOWS\system32\drivers\splitter.sys
O23 - Service: System Restore Filter Driver (sr) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\sr.sys
O23 - Service: Srv (Srv) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\srv.sys
O23 - Service: BDA IPSink (streamip) - /owner unsupported/ - C:\WINDOWS\system32\DRIVERS\StreamIP.sys
O23 - Service: Software Bus Driver (swenum) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\swenum.sys
O23 - Service: Microsoft Kernel GS Wavetable Synthesizer (swmidi) - /owner unsupported/ - C:\WINDOWS\system32\drivers\swmidi.sys
O23 - Service: Microsoft Kernel System Audio Device (sysaudio) - /owner unsupported/ - C:\WINDOWS\system32\drivers\sysaudio.sys
O23 - Service: TCP/IP Protocol Driver (Tcpip) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\tcpip.sys
O23 - Service: Microsoft IPv6 Protocol Driver (Tcpip6) - /owner unsupported/ - C:\WINDOWS\system32\DRIVERS\tcpip6.sys
O23 - Service: Terminal Device Driver (TermDD) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\termdd.sys
O23 - Service: Microsoft Tun Miniport Adapter Driver (tunmp) - /owner unsupported/ - C:\WINDOWS\system32\DRIVERS\tunmp.sys
O23 - Service: Microcode Update Driver (Update) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\update.sys
O23 - Service: USB Audio Driver (WDM) (usbaudio) - /owner unsupported/ - C:\WINDOWS\system32\drivers\usbaudio.sys
O23 - Service: Microsoft USB Generic Parent Driver (usbccgp) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\usbccgp.sys
O23 - Service: Microsoft USB 2.0 Enhanced Host Controller Miniport Driver (usbehci) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\usbehci.sys
O23 - Service: Microsoft USB Standard Hub Driver (usbhub) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\usbhub.sys
O23 - Service: Microsoft USB PRINTER Class (usbprint) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\usbprint.sys
O23 - Service: USB Scanner Driver (usbscan) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\usbscan.sys
O23 - Service: USB Mass Storage Driver (USBSTOR) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
O23 - Service: Microsoft USB Universal Host Controller Miniport Driver (usbuhci) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\usbuhci.sys
O23 - Service: USB Video Device (WDM) (usbvideo) - /owner unsupported/ - C:\WINDOWS\System32\Drivers\usbvideo.sys
O23 - Service: VIA AGP Bus Filter (viaagp) - /owner unsupported/ - \SystemRoot\System32\DRIVERS\viaagp.sys
O23 - Service: Viewpoint Manager Service (Viewpoint Manager Service) - /owner unsupported/ - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Remote Access IP ARP Driver (Wanarp) - /owner unsupported/ - C:\WINDOWS\System32\DRIVERS\wanarp.sys
O23 - Service: Microsoft WINMM WDM Audio Compatibility Driver (wdmaud) - /owner unsupported/ - C:\WINDOWS\system32\drivers\wdmaud.sys
O23 - Service: World Standard Teletext Codec (WSTCODEC) - /owner unsupported/ - C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O16 - DPF: {226ACC34-3194-70E2-5AE7-864FCFE9E80D} () - http://zone.msn.com/bingame/mosi/default/msi.1.0.0.9.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} () - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.87.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} () - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} () - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} () - http://zone.msn.com/bingame/dsh2/default/DinerDash2.1.0.0.68.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} () - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} () - http://sympatico.zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} () - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} () - http://zone.msn.com/bingame/fotg/default/ddfotg.1.0.0.37.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} () -
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} () - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0) - http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} () - http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} () - http://www.shockwave.com/content/feedingfrenzy/sis/SproutLauncher.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} () - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} () - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} () - http://zone.msn.com/bingame/swet/default/Sweetopia.1.0.0.46.cab

Thanks for the help in advance

sksballs
2009-12-13, 04:51
This is the email help I got after uninstalling Spybot. They really helped get everything fixed. I don't think I can delete threads, but this one has been answered.

Thanks again



Team Spybot



Thanks for all the help. Changing the SpybotSD.exe to Explorer.exe worked. I ran the TED sbi and it found 11 problems. I fixed them with Spybot and rebooted. When Windows loaded I noticed about a dozen cmd prompts open and close, and when I ran Spybot TED again the entries were back. I cleaned it again with Spybot, then ran ComboFix (this time it worked; before it wouldn't open). For some reason McAfee came on (guess I didn't disable it properly). I continued anyway, and ComboFix set a restore point and restarted. After ComboFix finished I ran Spybot again and everything was OK. I rebooted again and ran Spybot again, still no problems. I updated all my software and still no problems. This is great, thank you so much!!!



Two questions

1. Should I / could I change the SpybotSD.exe (currently Explorer.exe) back to Spybot.exe?

2. Should I / could I leave the TED .sbi file in the Spybot includes folder?



3. I know I said 2, but I included my new hjt log and ComboFix log. Is there anything else in them that I need to fix or worry about?



Thanks again for all your help



Kevin



> Date: Fri, 11 Dec 2009 17:20:21 +0100
> From: detections@spybot.info
> Subject: Re: Other reason (see below) (Ticket: 140402623)
>
> Hello Kevin,
> You are infected with a TDSS rootkit, the H8SRT* variant.
>
> 1) Please go to your Spybot folder:
> C:\Programms\Spybot - Search & Destroy
>
> Do you have any .scr file in that folder?
> Please try to start it by double-clicking. If this is not working, please
> rename the SpybotSD.exe to Explorer.exe, firefox.exe or iexplore.exe
> (in this order).
>
> Attached you'll find a special detection file, which has only been
> created to fix your infection. Please close Spybot-S&D and copy the
> attached file into the "Includes" folder of Spybot-Search & Destroy.
> Usually it is located at:
> C:\Program Files\Spybot - Search & Destroy\includes
> Subsequently, please run Spybot - Search & Destroy and switch to the
> Advanced mode via the menu item Mode.
> Now choose "Settings" - "File Sets" from the navigation bar on the left.
>
> Please check that only the new TED sbi is marked; if so, just start a
> scan and fix the problems found by Spybot-Search & Destroy. Reboot
> immediately after the scan and scan again.
>
> Please do not forget to reactivate every SBI file thereafter, because
> Spybot will only scan with the signatures of checked SBI files.
>
> 2) If Step 1 fails, please run exeHelper to reset policies, userinit and
> shell values.
>
> * Here is the direct download link:
> http://www.raktor.net/exeHelper/exeHelper.com
>
> * Double-click on exeHelper.com to run the fix.
> A black command window should pop up. Press any key to close once the
> fix is completed.
>
> * Copy and paste the contents of log.txt (Will be created in the
> directory where you ran exeHelper.com)
>
> * If the window shows an "Error deleting file" message, please re-run the
> program before saving a log.
>
> 3) Please use the tool: ComboFix (by sUBs) after reading and
> understanding the guide:
>
> You will find a ComboFix guide here:
> http://www.bleepingcomputer.com/combofix/how-to-use-combofix
>
> * Here is the direct download link:
> http://download.bleepingcomputer.com/sUBs/ComboFix.exe
>
> * Please send the ComboFix log.
>
> Kind regards,
> Roberto, Team Spybot.
>
>
> > Sandra,
> >
> >
> >
> > Thank you for the help. I ran all of the things you suggested and created the logs. Renaming the Spybot.exe didn't work, but the other programs found some issues. Here are the logs. The requested files.cab is too big for this email account. I can send it from my wife's account if you need it.
> >
> >
> >
> > Thanks again,
> >
> >
> >
> > Kevin
> >
> >> From: software@spybot.info
> >> Subject: Re: Other reason (see below) (Ticket: 140402623)
> >> Date: Wed, 9 Dec 2009 16:32:36 -0600
> >>
> >> Hello,
> >>
> >> 1. Please try to rename the SpybotSD.exe to iexplore.exe or firefox.exe and try to run it.
> >>
> >> * Using Windows Explorer navigate to:
> >> o C:\Program Files\Spybot - Search & Destroy
> >> * In the Tools menu select Folder Options
> >> * In the Folder Options dialog select the View tab.
> >> * Uncheck the following option:
> >> o Hide protected operating system files (Recommended)
> >> * Click the Apply button.
> >> * Click the OK button.
> >> * The SpybotSD.exe should be visible now.
> >> * Right-click the file and choose Rename.
> >> * Give it a different name like iexplore.exe or firefox.exe and try again to run it.
> >>
> >> 2. If this does not help you might be infected with a Rootkit. We need some logs now to locate the infection that is mostly hidden deep in your system.
> >>
> >> Please download our RunAlyzer from our homepage:
> >> http://www.safer-networking.de/en/download/index.html
> >>
> >> Now, run the RunAlyzer and choose "Logs" from the menu bar above.
> >> Now create a "SBSD log" and a "hjt log" and choose "Save".
> >> You can save the files to your desktop.
> >> Please attach these files to your e-mail.
> >>
> >> 3. Please download our RootAlyzer. Here is the direct download link: http://www.spybotupdates.biz/files/rootalyz-0.3.4.47.zip
> >>
> >> Please set your computer to show all files.
> >> * Double-click My Computer.
> >> * Click the Tools menu, and then click Folder Options.
> >> * Click the View tab.
> >> * Clear "Hide file extensions for known file types."
> >> * Under the "Hidden files" folder, select "Show hidden files and folders."
> >> * Clear "Hide protected operating system files."
> >> * Click Apply, and then click OK.
> >>
> >> Please select the tab 'deep scan' and let it fully scan your PC. The scan will take a moment, please be patient. After the scan is done, please click on 'pack suspicious files', which is located right at the bottom. This will create a .cab file on your desktop which contains the log and the suspicious files the scan has found. Please attach this .cab file to your next mail.
> >>
> >> 4. Please also download GMER: www.gmer.net and let it do a full scan on your PC. Subsequently, you will be allowed to save the log created during the scan. Please also send us this log.
> >>
> >> 5. Please also try this tool: RootRepeal
> >> * Here is also the direct download link: http://ad13.geekstogo.com/RootRepeal.zip
> >> * Unzip the file to the folder
> >> * Start RootRepeal.exe
> >> * Select "Report" tab
> >> * Click "Scan" button
> >> * Select following scan options: Drivers, Files, Processes, Stealth Objects, Hidden Services
> >> * Click "OK" button
> >> * Select your hard drive with the installed operating System and click "OK" button
> >> * Save Report via Clipboard or click "Save Report Button" to save a text file
> >>
> >> Thanks! ;)
> >>
> >> --
> >> Best regards,
> >> Sandra
> >> Team Spybot
> >>
> >>
> >>> --------------------------------------------------
> >>> Original Message:
> >>> --------------------------------------------------
> >>>
> >>> Spybot-S&D release: Not specified.
> >>> Windows-Version: Windows XP (Build: 2600)
> >>>
> >>> I picked up some sort of malware or virus that has disabled Spybot from opening.
> >>> It also disabled McAfee and the Windows volume restore. Have any ideas?
> >>>
> >>>
> >>>
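As an added triage example (this is not code from the thread, from RootRepeal or from Team Spybot), the Python script below parses a report in the RootRepeal layout posted at the top of the thread, keeps only the objects the tool reports as hidden or invisible to the Windows API, and cross-references them: the hidden service whose image path is itself a hidden driver file, the module injected into svchost.exe, and the shared H8SRT name prefix that ties the objects together. The embedded report is a constructed excerpt modelled on the one in the first post.

```python
"""Triage a RootRepeal report: added example, not code from RootRepeal or Team Spybot."""
import ntpath
import os
import re

# Constructed excerpt in the RootRepeal layout posted above (names follow its H8SRT* entries).
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xECD05000 Size: 98304 File Visible: No Signed: -
Status: -

Name: H8SRTyiewqmdjok.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTyiewqmdjok.sys
Address: 0xEEEA5000 Size: 114688 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\SYSTEM32\H8SRTenohyluubx.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\DRIVERS\H8SRTyiewqmdjok.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: H8SRTenohyluubx.dll]
Process: svchost.exe (PID: 924) Address: 0x10000000 Size: 65536

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTyiewqmdjok.sys

==EOF==
"""


def parse_report(text):
    """Split the report into sections (a title line over a dashed rule), each a list of
    'Key: value' records separated by blank lines. Banner lines and ==EOF== are ignored."""
    sections, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        if line and i + 1 < len(lines) and lines[i + 1].startswith("-----"):
            current = line                      # new section header
            sections[current] = []
            i += 2
            continue
        if current is None or not line or line.startswith("=="):
            i += 1
            continue
        record = {}
        while i < len(lines) and lines[i].strip():   # a record runs to the next blank line
            key, sep, value = lines[i].partition(": ")
            if sep:
                record[key.strip()] = value.strip()
            i += 1
        sections[current].append(record)
    return sections


def triage(text):
    """Keep only what RootRepeal could not see through the Windows API. 'File Visible: No' alone
    is not flagged (dump_* drivers are normal) and 'Locked' files (hiberfil.sys) are not hidden."""
    s = parse_report(text)
    out = {"hidden_drivers": [], "hidden_files": [], "hidden_services": [], "injected_modules": []}
    for rec in s.get("Drivers", []):
        if rec.get("Status", "").startswith("Hidden"):
            out["hidden_drivers"].append(rec.get("Image Path") or rec.get("Name", ""))
    for rec in s.get("Hidden/Locked Files", []):
        if rec.get("Path") and rec.get("Status", "").startswith("Invisible"):
            out["hidden_files"].append(rec["Path"])
    for rec in s.get("Hidden Services", []):
        out["hidden_services"].append((rec.get("Service Name", ""), rec.get("Image Path", "")))
    for rec in s.get("Stealth Objects", []):
        mod = re.match(r"Hidden Module \[Name: (.+)\]", rec.get("Object", ""))
        proc = re.match(r"(\S+) \(PID: (\d+)\)", rec.get("Process", ""))
        if mod and proc:
            out["injected_modules"].append((mod.group(1), proc.group(1), int(proc.group(2))))
    return out


def correlate(findings):
    """A hidden service whose image is itself a hidden driver file is the rootkit's load point;
    the common basename prefix of all hidden objects exposes its naming scheme (H8SRT here)."""
    drivers = {p.lower() for p in findings["hidden_drivers"]}
    backed = [svc for svc, path in findings["hidden_services"] if path.lower() in drivers]
    names = [ntpath.basename(p) for p in findings["hidden_drivers"] + findings["hidden_files"]]
    names += [svc for svc, _ in findings["hidden_services"]]
    names += [mod for mod, _, _ in findings["injected_modules"]]
    prefix = os.path.commonprefix([n.lower() for n in names]) if names else ""
    return {"service_backed_drivers": backed, "shared_prefix": names[0][:len(prefix)] if names else ""}


if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    for key, value in found.items():
        print(f"{key}: {value}")
    print(correlate(found))
```

Run against a full saved report, the same two functions separate the noise (locked hibernation file, unsigned dump_* drivers) from the objects that actually warrant cleanup, which is what the Team Spybot replies above do by hand.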