PDA

View Full Version : Trojan and Rootkit problem



Patrick000
2011-01-24, 12:19
Would you help me remove a virus and rootkit?

Two days ago, Internet Explorer crashed and the error was this:
AppName: iexplore.exe AppVer: 6.0.2800.1106 ModName: mshtml.dll ModVer: 6.0.2800.1561 Offset: 00185c12

I ran avast! free anti-virus v5.0.677.

It discovered a trojan which I had avast! remove:

C:\program files\unlocker\ebay-shortcuts_1016.exe

Now I have problems with Internet Explorer and windows explorer.

I have run DDS and GMER.
GMER said it found evidence of possible rootkit activity.
Below is my DDS.txt and GMER log. I also attached the zipped attach.txt.

Thank you for any help you may give me.
**********************************************

DDS (Ver_10-12-12.02) - NTFSx86
Run by Lord at 1:41:35.35 on Tue 01/25/2011
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.510.111 [GMT -8:00]


============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\ge security supra\syncservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\SSL\stunnel-4.10.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\System32\dmadmin.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CAPM1RSK.EXE
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch\utils\mspm.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\Program Files\GE Security Supra\SyncInfoApp.exe
C:\Program Files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE
C:\WINNT\system32\TASKMGR.EXE
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office 2000\Office\EXCEL.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Adobe\Acrobat 7.0 Professional\Acrobat\Acrobat.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\system32\msiexec.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - f:\program files\orbitdownloader\orbitcth.dll
BHO: BHO Class: {8b3868b4-eba8-48fa-a19b-e1dfb99066fa} - f:\program files\flashcapture\fcbho.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0 professional\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0 professional\acrobat\AcroIEFavClient.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - f:\program files\orbitdownloader\GrabPro.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0 professional\acrobat\AcroIEFavClient.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NeroFilterCheck] c:\winnt\system32\NeroCheck.exe
mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [mspm] c:\program files\maxtor\onetouch\utils\mspm.exe
mRun: [RetroExpress] c:\progra~1\retros~1\retros~1.1\RetroExpress.exe /h
mRun: [Dit] Dit.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office 2000\office\1033\MSOFFICE.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\MYNETW~1.LNK -
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\taskmg~1.lnk - c:\winnt\system32\TASKMGR.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\autoru~1\teatimer.lnk - c:\program files\spybot - search & destroy\TeaTimer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\canonp~1.lnk - c:\winnt\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\displa~1.lnk - c:\program files\ge security supra\SyncInfoApp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adobea~1.lnk - c:\winnt\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~1.lnk - c:\program files\microsoft office 2000\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\scansn~1.lnk - f:\program files\pfu\scansnap\driver\PfuSsMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
uPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: &Download by Orbit - f:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - f:\program files\orbitdownloader\orbitmxt.dll/204
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0 professional\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0 professional\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0 professional\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0 professional\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0 professional\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0 professional\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0 professional\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0 professional\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Do&wnload selected by Orbit - f:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - f:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Save F&lash with FlashCapture - f:\program files\flashcapture\fciext.dll/FCIEXT.htm
IE: {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - res://f:\program files\flashcapture\fciext.dll/FCIEXT.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: NavLogon - c:\winnt\system32\NavLogon.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\b5wt98kq.default\

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2009-4-18 64160]
R0 ROFF;ROFF;c:\winnt\system32\drivers\roff.sys [2003-6-9 42455]
R1 aswSP;aswSP;c:\winnt\system32\drivers\aswSP.sys [2010-9-29 165584]
R1 bbcap;bbcap;c:\winnt\system32\drivers\bbcap.sys [2009-7-18 2432]
R2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [2010-9-29 17744]
R2 aswMon;aswMon;c:\winnt\system32\drivers\aswmon.sys [2010-9-29 94544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-29 40384]
R2 RapidPortM1;RapidPortM1;c:\winnt\system32\drivers\CAPM1LP.SYS [2006-4-19 22912]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-29 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-29 40384]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2006-3-16 61712]
R4 NAVAPEL;NAVAPEL;\??\c:\program files\navnt\navapel.sys --> c:\program files\navnt\NAVAPEL.SYS [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S3 MV;MV;c:\docume~1\admini~1\locals~1\temp\mv.exe --> c:\docume~1\admini~1\locals~1\temp\MV.exe [?]
S3 pgusbmme;usb-audio.de MME-Adapter;c:\winnt\system32\drivers\pgusbmm3.sys [2005-7-19 23520]
S3 pgusbwdm;usb-audio.de driver (commercial V2.6.1);c:\winnt\system32\drivers\pgusbwdm.sys [2005-7-19 99200]
S3 SQLAgent$RETSDATA;SQLAgent$RETSDATA;c:\program files\microsoft sql server\mssql$retsdata\binn\sqlagent.exe -i retsdata --> c:\program files\microsoft sql server\mssql$retsdata\binn\sqlagent.EXE -i RETSDATA [?]
S4 MSSQL$RETSDATA;MSSQL$RETSDATA;c:\program files\microsoft sql server\mssql$retsdata\binn\sqlservr.exe -sretsdata --> c:\program files\microsoft sql server\mssql$retsdata\binn\sqlservr.exe -sRETSDATA [?]

=============== Created Last 30 ================

2011-01-25 07:56:15 -------- d-s---w- c:\documents and settings\administrator\UserData
2011-01-20 06:46:15 21872 -c--a-w- c:\winnt\system32\dllcache\usbprint.sys
2011-01-20 06:46:15 21872 ----a-w- c:\winnt\system32\drivers\usbprint.sys

==================== Find3M ====================

2010-12-22 00:07:04 1409 ----a-w- c:\winnt\QTFont.for
2005-05-14 00:12:00 217073 --sha-r- c:\winnt\meta4.exe
2005-10-24 18:13:58 66560 --sha-r- c:\winnt\MOTA113.exe
2005-10-14 04:27:00 422400 --sha-r- c:\winnt\x2.64.exe
2005-10-08 02:14:52 308224 --sha-r- c:\winnt\system32\avisynth.dll
2005-07-14 19:31:20 27648 --sha-r- c:\winnt\system32\AVSredirect.dll
2005-06-22 05:37:42 45568 --sha-r- c:\winnt\system32\cygz.dll
2004-01-25 07:00:00 70656 --sha-r- c:\winnt\system32\i420vfw.dll
2006-04-27 17:24:24 2945024 --sha-r- c:\winnt\system32\Smab.dll
2005-02-28 20:16:22 240128 --sha-r- c:\winnt\system32\x.264.exe
2004-01-25 07:00:00 70656 --sha-r- c:\winnt\system32\yv12vfw.dll

============= FINISH: 1:43:01.26 ===============

****************************************
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-25 02:25:51
Windows 5.0.2195 Service Pack 4 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-2 WDC_WD200BB-75CAA0 rev.16.06V16
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\agtdrpow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwClose [0xBB3724B3]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwCreateKey [0xBB3723B3]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteKey [0xBB372502]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteValueKey [0xBB372596]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xBBAC3782]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwFlushKey [0xBB3727DE]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwOpenKey [0xBB3722E8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xBBAC36C2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xBBAC3726]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xBBAC3DA6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xBBAC3D66]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwSetValueKey [0xBB3726A5]

---- Kernel code sections - GMER 1.0.15 ----

? C:\Program Files\NavNT\NAVAPEL.SYS The system cannot find the file specified. !
? C:\Program Files\Symantec\SYMEVENT.SYS The system cannot find the file specified. !
? C:\WINNT\system32\Drivers\PROCEXP100.SYS The system cannot find the file specified. !
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINNT\explorer.exe[2208] SHELL32.dll!SHFileOperationW 7CF800F5 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device ftdisk.sys (FT Disk Driver/Microsoft Corporation)

AttachedDevice ROFF.sys (Retrospect Open File Filter/Dantz Development Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Fs_Rec.SYS (File System Recognizer Driver/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\Program Files\Microsoft Office\Office10\WINWORD.EXE [2400] 0x049F0000
Library C:\Program (*** hidden *** ) @ C:\Program Files\Microsoft Office\Office10\WINWORD.EXE [2400] 0x04A90000
Library C:\Program (*** hidden *** ) @ C:\Program Files\Microsoft Office\Office10\WINWORD.EXE [2400] 0x05090000
Library C:\Program (*** hidden *** ) @ C:\Program Files\Microsoft Office\Office10\WINWORD.EXE [2400] 0x050A0000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG04.00.00.01SERVER 3A2078B92014A5B4CADFF5E4B7F422A58EEEDB1A75EEBEB580A4C89D2C1C7B102ABC78ECDD962013CBE59E26EB70DFEA8E1E535552F60B784DDE0B7577C557886B98235F8CAD29DF3A807D727AE87D1070ADA394609DD72130848D07A034498C1DF16003817AFD8006F9D0AC5C9AE2FD94948753D8DCD53E9AD922003F3E6DEC667A39D65451C22C26917A4C48F8DBF26440D89BB66599B307183D20B0703ED16ED75AF3633BFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933BA7FD869164D67945D575E7D6A3B9808C038D530D6EB34522E68364DE22E87730B9ED2B760021749823AAEE139CA461B0CDC565E83538613A3279FF9798CAA47CB38BCF643AC09E22170E39BD19DA0947B8F090C49435E58A0189DF6FB07E9880A0A6D9571B98546B0EA04718844F726F5A0200A982A924192153C38355438FA1B33A4F0EFB87F3210AE20CE3AC4E2AE8398A0EF49A1F86748CC12A197444C95B72928DB6A4B321E8193CC12EAB3B9BE0FD590C958552E19F643350B3936A504FDB2BF1DACA899AF2B48250EC1BD1C1BE8897B976385115A37CD41C3D01F02256F6B38ECA919774518CBC50B0AA1EA3FC23B6ECD2F0743E00417D60CBB0AE58EF043627BF77CCF6EB5F351C23032CD5736C2FBD325C1AD96BF1F19177B1499854D7
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1BCB152E-00F5-17FC-ECC3-B84110A75B58}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1BCB152E-00F5-17FC-ECC3-B84110A75B58}@oalkbjgccjpjicbobncekkjgadjllp 0x6A 0x61 0x70 0x64 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1BCB152E-00F5-17FC-ECC3-B84110A75B58}@nablldnnhgnibjndhjbdpmobcifo 0x6A 0x61 0x70 0x64 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----

shelf life
2011-01-29, 01:15
hi Patrick000,

Your log is a few days old. If you still need help simply reply back.

Patrick000
2011-01-31, 18:47
Hi, thank you for responding. Yes I do still need help. I read the forum rules and waited because I know you are busy. Please take a look at the logs and tell me what I must do.

shelf life
2011-02-01, 01:20
You should use the machine as little as possible until its clean. When not in use make sure it has no connectivity. If your not sure how to do this then power it off. We will get two downloads to use. The first is combofix, the second is malwarebytes which you can keep and use.
Combofix requires that you read a guide first. Read though the guide first then apply the directions on your own machine. Post the log;

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

After the above use Malwarebytes and post its log also:

Please download the free version of Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

Patrick000
2011-02-01, 18:42
Here are my logs. I am concerned that I may need some of the items that Combofix removed, such as twain.dll (need for scanner and digital camera).

Thank you for your help.

ComboFix 11-01-31.01 - Lord 02/01/2011 19:06:14.3.1 - x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.510.129 [GMT -8:00]
Running from: h:\virus malware infection_1-22-11\ComboFix.exe
.
/wow section - STAGE 10


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\C907D7A30E7D43AFD00202154480A33A.EXE
c:\documents and settings\Administrator\Recent\masonry siding_paint problems 1_homerepair.about.com.pif
c:\documents and settings\Administrator\Recent\Robert Grant_www.crowdconversion.com.pif
c:\documents and settings\Administrator\Recent\The Admiral Byrd Socitey Sales Letter_Dick Benson marketer_www.infomarketingblog.com.pif
c:\documents and settings\Administrator\Recent\wood siding_paint problems 2_homerepair.about.com.pif
c:\winnt\system32\twain.dll

.
((((((((((((((((((((((((( Files Created from 2011-01-02 to 2011-02-02 )))))))))))))))))))))))))))))))
.

2011-02-02 02:21 . 2010-12-21 02:09 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2011-02-02 02:20 . 2011-02-02 02:20 -------- d-----w- c:\program files\REFN
2011-01-25 07:56 . 2011-01-25 07:56 -------- d-s---w- c:\documents and settings\Administrator\UserData
2011-01-20 06:46 . 2003-06-19 20:05 21872 -c--a-w- c:\winnt\system32\dllcache\usbprint.sys
2011-01-20 06:46 . 2003-06-19 20:05 21872 ----a-w- c:\winnt\system32\drivers\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-22 00:07 . 2010-12-22 00:07 1409 ----a-w- c:\winnt\QTFont.for
2010-12-21 02:08 . 2008-05-09 19:54 19288 ----a-w- c:\winnt\system32\drivers\mbam.sys
2006-12-12 16:30 . 2006-12-12 16:30 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2006-12-12 16:30 . 2006-12-12 16:30 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2009-02-26 17:59 . 2008-05-12 02:42 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-02-26 17:59 . 2008-05-12 02:42 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-02-26 17:59 . 2008-05-12 02:42 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-02-26 17:59 . 2008-05-12 02:42 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-02-26 17:59 . 2008-05-12 02:42 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2005-05-14 00:12 217073 --sha-r- c:\winnt\meta4.exe
2005-10-24 18:13 66560 --sha-r- c:\winnt\MOTA113.exe
2005-10-14 04:27 422400 --sha-r- c:\winnt\x2.64.exe
2005-10-08 02:14 308224 --sha-r- c:\winnt\system32\avisynth.dll
2005-07-14 19:31 27648 --sha-r- c:\winnt\system32\AVSredirect.dll
2005-06-22 05:37 45568 --sha-r- c:\winnt\system32\cygz.dll
2004-01-25 07:00 70656 --sha-r- c:\winnt\system32\i420vfw.dll
2006-04-27 17:24 2945024 --sha-r- c:\winnt\system32\Smab.dll
2005-02-28 20:16 240128 --sha-r- c:\winnt\system32\x.264.exe
2004-01-25 07:00 70656 --sha-r- c:\winnt\system32\yv12vfw.dll
.

------- Sigcheck -------


[-] 2004-07-09 11:27 . 3120F6D2AB10CDF242EDE54052A8BE47 . 1689600 . . [ERROR: 0x0] . . c:\winnt\system32\d3d9.dll

c:\winnt\System32\comres.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 1415824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\winnt\system32\NeroCheck.exe" [2001-07-09 155648]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 712704]
"mspm"="c:\program files\Maxtor\OneTouch\utils\mspm.exe" [2005-09-03 225280]
"RetroExpress"="c:\progra~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2006-02-06 18583552]
"Dit"="Dit.exe" [2002-03-12 23026]
"Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Microsoft Office Shortcut Bar.lnk - c:\program files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE [1999-2-1 405560]

c:\documents and settings\User\Start Menu\Programs\Startup\
Microsoft Office Shortcut Bar.lnk - c:\program files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE [1999-2-1 405560]
Task Manager.lnk - c:\winnt\system32\TASKMGR.EXE [2006-4-16 87312]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Microsoft Office Shortcut Bar.lnk - c:\program files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE [1999-2-1 405560]
My Network Places.lnk - [N/A]
TASKMGR.EXE.lnk - c:\winnt\system32\TASKMGR.EXE [2006-4-16 87312]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\AutorunsDisabled
TeaTimer.lnk - c:\program files\Spybot - Search & Destroy\TeaTimer.exe [2010-9-29 1415824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Canon PC1200 iC D600 iR1200G Status Window.LNK - c:\winnt\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE [2006-4-19 30208]
DisplayKEY eSYNC Info.lnk - c:\program files\GE Security Supra\SyncInfoApp.exe [2009-5-14 102400]
ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2010-1-5 1159168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Acrobat Speed Launcher.lnk - c:\winnt\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-7-7 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-4-30 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office 2000\Office\OSA9.EXE [2000-1-21 65588]
ScanSnap Manager.lnk - f:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [N/A]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [4/18/2009 11:21 PM 64160]
R0 ROFF;ROFF;c:\winnt\system32\drivers\roff.sys [6/9/2003 9:00 AM 42455]
R1 aswSP;aswSP;c:\winnt\system32\drivers\aswSP.sys [9/29/2010 10:35 PM 165584]
R1 bbcap;bbcap;c:\winnt\system32\drivers\bbcap.sys [7/18/2009 8:08 AM 2432]
R2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [9/29/2010 10:35 PM 17744]
R2 aswMon;aswMon;c:\winnt\system32\drivers\aswmon.sys [9/29/2010 10:35 PM 94544]
R2 RapidPortM1;RapidPortM1;c:\winnt\system32\drivers\CAPM1LP.SYS [4/19/2006 11:12 AM 22912]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [3/16/2006 4:39 PM 61712]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 11:06 AM 1029456]
S3 MV;MV;c:\docume~1\ADMINI~1\LOCALS~1\Temp\MV.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\MV.exe [?]
S3 pgusbmme;usb-audio.de MME-Adapter;c:\winnt\system32\drivers\pgusbmm3.sys [7/19/2005 12:00 PM 23520]
S3 pgusbwdm;usb-audio.de driver (commercial V2.6.1);c:\winnt\system32\drivers\pgusbwdm.sys [7/19/2005 12:01 PM 99200]
S3 SQLAgent$RETSDATA;SQLAgent$RETSDATA;c:\program files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlagent.EXE -i RETSDATA --> c:\program files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlagent.EXE -i RETSDATA [?]
S4 MSSQL$RETSDATA;MSSQL$RETSDATA;c:\program files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe -sRETSDATA --> c:\program files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe -sRETSDATA [?]
.
.
------- Supplementary Scan -------
.
IE: &Download by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0 Professional\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Do&wnload selected by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Save F&lash with FlashCapture - f:\program files\FlashCapture\fciext.dll/FCIEXT.htm
LSP: %SystemRoot%\system32\msafd.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\b5wt98kq.default\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-A-PDF Restrictions Remover_is1 - f:\program files\A-PDF Restrictions Remover\unins000.exe
AddRemove-Adobe Illustrator 8.0 - f:\program files\adobe\illustrator 8.0\DeIsL1.isu
AddRemove-Adobe Illustrator 9.0 - f:\program files\Adobe\Illustrator 9.0\Uninst.isu
AddRemove-Audacity_is1 - f:\program files\Audacity\unins000.exe
AddRemove-DVD Decrypter - h:\program files\DVD Decrypter\uninstall.exe
AddRemove-Flash Movie Player - f:\program files\Flash Movie Player\uninst.exe
AddRemove-FlashCapture - f:\program files\FlashCapture\uninstall.exe
AddRemove-Free Video Converter_is1 - f:\program files\Free Video Converter\unins000.exe
AddRemove-KRISTAL Audio Engine - f:\program files\Kreatives.org\KRISTAL Audio Engine\Uninstall.exe
AddRemove-mIRC - f:\program files\mIRC\uninstall.exe
AddRemove-OpenSSL_is1 - c:\openssl\unins000.exe
AddRemove-Orbit_is1 - f:\program files\Orbitdownloader\unins000.exe
AddRemove-PDF Password Remover v3.0_is1 - f:\program files\PDF Password Remover v3.0\unins000.exe
AddRemove-SMPlayer_is1 - f:\program files\SMPlayer\unins000.exe
AddRemove-TeraCopy_is1 - f:\program files\TeraCopy\unins000.exe
AddRemove-TransMac_is1 - f:\program files\TransMac\unins000.exe
AddRemove-TurboTax 2008 - f:\pat\Tax\TurboTax Home & Business 2008\Installer\TurboTax 2008 Installer.exe
AddRemove-{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1 - f:\program files\Spybot - Search & Destroy\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-01 19:33
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\winnt\system32\Perflib_Perfdata_668.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-436374069-1343024091-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1BCB152E-00F5-17FC-ECC3-B84110A75B58}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oalkbjgccjpjicbobncekkjgadjllp"=hex:6a,61,70,64,69,69,70,68,6a,61,6d,6d,61,6f,
70,69,62,66,6f,70,00,00
"nablldnnhgnibjndhjbdpmobcifo"=hex:6a,61,70,64,69,69,70,68,6a,61,6d,6d,61,6f,
70,69,62,66,6f,70,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG04.00.00.01SERVER"="3A2078B92014A5B4CADFF5E4B7F422A58EEEDB1A75EEBEB580A4C89D2C1C7B102ABC78ECDD962013CBE59E26EB70DFEA8E1E535552F60B784DDE0B7577C557886B98235F8CAD29DF3A807D727AE87D1070ADA394609DD72130848D07A034498C1DF16003817AFD8006F9D0AC5C9AE2FD94948753D8DCD53E9AD922003F3E6DEC667A39D65451C22C26917A4C48F8DBF26440D89BB66599B307183D20B0703ED16ED75AF3633BFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933BA7FD869164D67945D575E7D6A3B9808C038D530D6EB34522E68364DE22E87730B9ED2B760021749823AAEE139CA461B0CDC565E83538613A3279FF9798CAA47CB38BCF643AC09E22170E39BD19DA0947B8F090C49435E58A0189DF6FB07E9880A0A6D9571B98546B0EA04718844F726F5A0200A982A924192153C38355438FA1B33A4F0EFB87F3210AE20CE3AC4E2AE8398A0EF49A1F86748CC12A197444C95B72928DB6A4B321E8193CC12EAB3B9BE0FD590C958552E19F643350B3936A504FDB2BF1DACA899AF2B48250EC1BD1C1BE8897B976385115A37CD41C3D01F02256F6B38ECA919774518CBC50B0AA1EA3FC23B6ECD2F0743E00417D60CBB0AE58EF043627BF77CCF6EB5F351C23032CD5736C2FBD325C1AD96BF1F19177B1499854D7E12684FC5EE705868EBE44AD72DC4BDCE3C07CEB1F91AAD38AF1035EC2987AF34214B0F79DDC334A7C0948D0E391E386149B45EE7193F7609461330DAE5C1AAD06BAD3A32EF1464017DE755E2E22BE950C123A5083D0BA68C0C325B37611A3493528E751FBA42689952EA1F7960EBF8C448899EC9DCB92E12B571C66F772724903ADE0A0216E3A0EA769B908AAB8FF1BB0315E37B33B8E13A7A4927834133B9AF8B84E6B1A0C05541226E6E6004FCC3881D64357B402AF9FD95A7D50A1FBF94ABB25A1E97BA54B0BC1449A55BEA4D42D0450C76BEC764922746EDCE2CB6803C16A02EE4B108513FD38D0842EC25CD240E2E9430CC4FF3AC5551703527EF5A98514A411593749AF54D5479F89D3F01050E0FF78EC323152C797EF8CA4CF5EA7795A74A2D632BC8A947B1DF2087059BE5712129E0D1513CDA5D9843F901B98189EE3673CE5A1FA91532F372B2DB8A87A730240A9ABCAE0EE2986F01CF3D6EA165BC755A3FC6033BD6D2EC5DD05C26619392D9F3D55C5166D61CD6D87E108D0383B26B12690C52B5F041F0BEBBE0EF7BD2B60AB14B9C14D3292AA661D79953104159A09F5A20C8FD4A6B5B295B55485BF78DFD045C7E1617B359BAA8D78F3E68E08BA07CC58CE733AC910825B9B74FBA73DE061F0E953C29B29371AE99BB136107F9FC17FE6FF4A4C6485A2C869B6C869E42732B860B2BB2C49830E9DDF95A01BDA6"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(204)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1900)
c:\winnt\AppPatch\AcLayers.DLL
c:\winnt\system32\SHDOCVW.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\ge security supra\syncservice.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\OneTouch\Utils\SyncServices.exe
c:\program files\GE Security Supra\ProxyDaemon.exe
c:\ssl\stunnel-4.10.exe
c:\winnt\system32\MSTask.exe
c:\winnt\system32\stisvc.exe
c:\winnt\System32\WBEM\WinMgmt.exe
c:\winnt\system32\mspmspsv.exe
c:\winnt\system32\CAPM1RSK.EXE
c:\winnt\system32\spool\drivers\w32x86\3\CAPM1SWK.EXE
c:\progra~1\RETROS~1\RETROS~1.1\retrorun.exe
c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
**************************************************************************
.
Completion time: 2011-02-01 19:41:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-02 03:41
ComboFix2.txt 2008-05-09 18:11

Pre-Run: 1,699,901,440 bytes free
Post-Run: 2,130,616,320 bytes free

- - End Of File - - 5F5E9B72767A013E8AB40246CAB6DB2E



Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5651

Windows 5.0.2195 Service Pack 4
Internet Explorer 6.0.2800.1106

2/2/2011 2:31:04 AM
mbam-log-2011-02-02 (02-30-39).txt

Scan type: Full scan (C:\|H:\|)
Objects scanned: 232995
Time elapsed: 2 hour(s), 45 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\QooBox\quarantine\C\documents and settings\administrator\local settings\application data\c907d7a30e7d43afd00202154480a33a.exe.vir (Trojan.Agent) -> No action taken.

shelf life
2011-02-02, 01:51
Not sure why combofix removed those items. the log dosnt look bad at all, nor does the malwarebytes log. I was concerned about the gmer MBR results but it may be nothing to worry about.
On a side note Twain actually stands for: Technology Without An Interesting Name, dont get to mention that very often so I thought I would.
You can look in your root drive C: for combofix quarantine folder.
There should be a folder labeled System32 with the dll inside but it will have a .vir extension (twain.vir). You should be able to move the file out to your desktop and rename it to .dll
If you dont see it dont worry about it, we will do something else.

Just to make sure: once you rename it you can upload it to this website (http://www.virustotal.com/). Browse for the file on your desktop then upload using the send button. It will be checked out by some scanners. If the results are all negative then you can drag/drop it back into the System32 directory.
Did you install the recovery console when combofix was running?

Patrick000
2011-02-02, 03:01
I read the Guide to using Combofix and it talked about the windows recovery console. But when I ran Combofix, it just ran straight through and never asked me for the console.

What should I do with the file that mbam found in the Qoobox folder?
Qoobox folder is created by Combofix. Should I delete the file?

I will look for Twain and test it like you recommend.
Technology Without An Interesting Name is funny.

What should I make of the gmer MBR results?

shelf life
2011-02-02, 03:53
If combofix didnt prompt you to install the recovery console then you may already have it installed, in fact I think it was installed by default but it changed with XP and beyond. you have to download it now.

Your version of Internet Explorer is pretty old, it may have problems displaying web sites. You might try firefox (http://www.mozilla.com/en-US/firefox/).

The only reason i asked about the RC is if we re-wrote a new MBR.
DDS as well as combofix can show rootkits and neither one did so the gmer results may be nothing to worry about. I will look for another tool for another check.
Have you ever reformatted and reinstalled your operating system?

Patrick000
2011-02-02, 06:49
This is my old Dell Optiplex machine and I have not reinstalled any OS in years.
I don't really want to because it takes time. And if I did, I would just reinstall Windows 2000. But I am concerned that there is a hidden rootkit somewhere.

I am looking forward to any other tool you recommend to ferret out anything.

And what should I do with the Qoobox file that mbam found?
Files Infected:
c:\QooBox\quarantine\C\documents and settings\administrator\local settings\application data\c907d7a30e7d43afd00202154480a33a.exe.vir (Trojan.Agent) -> No action taken.

shelf life
2011-02-02, 23:49
what should I do with the Qoobox file that mbam found?
thats combofix's quarantine folder. anything in there was removed by combofix and is now harmless. Normally after you run malwarebytes it will prompt you to reboot to remove items.


I would just reinstall Windows 2000
Thats fine. After so many years a fresh install can only help.


there is a hidden rootkit
Both DDS and Combofix dont show a rootkit

You can try this tool, i think its supported on W2K, service pack 4:

Please Download Rootkit Unhooker (http://www.kernelmode.info/ARKs/RKUnhookerLE.EXE) Save it to your desktop.
*Now double-click on RKUnhookerLE.exe to run it.
*Click the Report tab, then click Scan.
*Check only: Drivers, Stealth Code, Files, Code Hooks. Uncheck the rest. then Click OK. An initial scan will be performed.
*When prompted to Select Disks for Scan, make sure C:\ is checked and click OK.
*Wait until the scanner is done, then click on File at the pull down menu, followed by Save Report.
*Save the report somewhere you can find it. Click Close to exit.
*Copy the entire contents of the report and paste it in your next reply.
You may get a warning about parasite detection. Please click OK to continue.

Patrick000
2011-02-03, 02:53
When I run RKUnhookerLE.EXE, I get this error:

Not supported Windows version, try to run anyway?
Yes.

Error loading driver, NTSTATUS code: 0xC0000263

Is there a different version that might work? Or another tool?

Thanks.

shelf life
2011-02-03, 04:15
I have no idea if this is supported in W2k. I would guess it is not. You can try it;

Please also download MBRCheck to your desktop


MBRcheck (http://ad13.geekstogo.com/MBRCheck.exe)

* Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)

* It will show a Black screen with some information that will contain either the below line if no problem is found:

o Done! Press ENTER to exit...

* Or you will see more information like below if a problem is found:
o Found non-standard or infected MBR.
o Enter 'Y' and hit ENTER for more options, or 'N' to exit:

* Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.

* MBRCheck will create a log on your desktop named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.

* Attach this log to your next message.

Patrick000
2011-02-03, 09:44
This tool worked:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 2000 Professional
Windows Information: Service Pack 4 (build 2195)
Logical Drives Mask: 0x0000009d

Kernel Drivers (total 107):
0x80400000 \WINNT\System32\ntoskrnl.exe
0x80062000 \WINNT\System32\hal.dll
0xEB810000 \WINNT\System32\BOOTVID.dll
0xBFFD8000 ACPI.sys
0xEB9C8000 \WINNT\System32\DRIVERS\WMILIB.SYS
0xEB400000 pci.sys
0xEB410000 isapnp.sys
0xEB900000 intelide.sys
0xEB680000 \WINNT\System32\DRIVERS\PCIIDEX.SYS
0xEB688000 MountMgr.sys
0xBFFBB000 ftdisk.sys
0xEB902000 Diskperf.sys
0xEB904000 dmload.sys
0xBFF99000 dmio.sys
0xEB814000 PartMgr.sys
0xBFF83000 atapi.sys
0xEB690000 disk.sys
0xEB420000 \WINNT\System32\DRIVERS\CLASSPNP.SYS
0xBFF61000 fltmgr.sys
0xEB430000 Lbd.sys
0xEB440000 PxHelp20.sys
0xEB450000 ROFF.sys
0xBFF4F000 KSecDD.sys
0xBFED1000 Ntfs.sys
0xBFEA7000 NDIS.sys
0xEB460000 Combo-Fix.sys
0xBFE91000 Mup.sys
0xEB480000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xBFE4F000 \SystemRoot\System32\DRIVERS\i81xnt5.sys
0xEB490000 \SystemRoot\System32\DRIVERS\el90xbc5.sys
0xEB6B8000 \SystemRoot\System32\DRIVERS\fdc.sys
0xEB4A0000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xEB6C8000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xEB6D8000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xEB4B0000 \SystemRoot\System32\DRIVERS\serial.sys
0xEB880000 \SystemRoot\System32\DRIVERS\serenum.sys
0xEB6F0000 \SystemRoot\System32\DRIVERS\parport.sys
0xEB908000 \SystemRoot\System32\Drivers\ElbyDelay.sys
0xEB9DE000 \SystemRoot\System32\Drivers\Cdr4_2K.SYS
0xEB700000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xEB708000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xEB728000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xEB710000 \SystemRoot\System32\DRIVERS\uhcd.sys
0xBFE0A000 \SystemRoot\system32\drivers\KS.SYS
0xBFE2A000 \SystemRoot\system32\drivers\portcls.sys
0xEB738000 \SystemRoot\system32\drivers\ichaud.sys
0xEB9E7000 \SystemRoot\system32\DRIVERS\bbcap.sys
0xEB9E9000 \SystemRoot\System32\DRIVERS\audstub.sys
0xEB4C0000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xEB894000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xBFDF3000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xEB8A4000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xEB4D0000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xEB768000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xEB778000 \SystemRoot\System32\DRIVERS\raspti.sys
0xEB4E0000 \SystemRoot\System32\DRIVERS\parallel.sys
0xEB9F3000 \SystemRoot\System32\DRIVERS\swenum.sys
0xBFDA0000 \SystemRoot\System32\DRIVERS\update.sys
0xEB790000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xEB510000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xEB520000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xEB7A8000 \SystemRoot\System32\Drivers\EFS.SYS
0xEB7B8000 \SystemRoot\System32\DRIVERS\USBSTOR.SYS
0xEB912000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xEB9FF000 \SystemRoot\System32\Drivers\Null.SYS
0xEBA01000 \SystemRoot\System32\Drivers\Beep.SYS
0xEB8C8000 \SystemRoot\System32\drivers\vga.sys
0xEBA04000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xEB7D8000 \SystemRoot\System32\Drivers\Msfs.SYS
0xEB530000 \SystemRoot\System32\Drivers\Npfs.SYS
0xEB91A000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xBBCB1000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xEB540000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xEB7F8000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xEB550000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xBBBE6000 \SystemRoot\System32\DRIVERS\netbt.sys
0xEB560000 \SystemRoot\System32\DRIVERS\netbios.sys
0xBBBBC000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xBBB44000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xEB698000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
0xBBAE2000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xBBA93000 \SystemRoot\System32\Drivers\aswSP.SYS
0xEB6D0000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xEBA36000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBBA7D000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xA0000000 \??\C:\WINNT\system32\win32k.sys
0xBB9DD000 \SystemRoot\System32\i81xdnt5.dll
0xBBA71000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xBB8A5000 \SystemRoot\System32\drivers\afd.sys
0xEB952000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xBB905000 \??\C:\WINNT\system32\Drivers\CAPM1LP.SYS
0xEB954000 \SystemRoot\System32\Drivers\ASCTRM.SYS
0xBB83F000 \SystemRoot\System32\Drivers\aswMon.SYS
0xBB805000 \SystemRoot\system32\drivers\wdmaud.sys
0xBBC21000 \SystemRoot\system32\drivers\sysaudio.sys
0xBB965000 \SystemRoot\System32\Drivers\Fips.SYS
0xBB6B5000 \SystemRoot\System32\DRIVERS\srv.sys
0xBB925000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBB3EA000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xBB299000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xBB1BD000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xEB770000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xEB800000 \??\C:\ComboFix\catchme.sys
0xEB93E000 \??\C:\WINNT\system32\Drivers\PROCEXP113.SYS
0xBAB63000 \SystemRoot\System32\ATMFD.DLL
0xEB948000 \??\C:\WINNT\system32\Drivers\PROCEXP100.SYS
0x77F80000 \WINNT\system32\NTDLL.DLL

Processes (total 36):
0 System Idle Process
8 System
160 \SystemRoot\System32\smss.exe
184 CSRSS.EXE
204 \??\C:\WINNT\system32\winlogon.exe
232 C:\WINNT\system32\services.exe
244 C:\WINNT\system32\lsass.exe
424 C:\WINNT\system32\svchost.exe
448 C:\WINNT\system32\spoolsv.exe
500 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
400 c:\program files\ge security supra\syncservice.exe
576 C:\WINNT\System32\svchost.exe
592 C:\Program Files\Java\jre6\bin\jqs.exe
640 C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
696 C:\Program Files\GE Security Supra\ProxyDaemon.exe
744 C:\SSL\stunnel-4.10.exe
772 C:\WINNT\system32\MSTask.exe
828 C:\WINNT\system32\stisvc.exe
884 C:\WINNT\System32\WBEM\WinMgmt.exe
908 C:\WINNT\system32\mspmspsv.exe
920 C:\WINNT\system32\svchost.exe
932 C:\WINNT\System32\dmadmin.exe
300 C:\WINNT\system32\CAPM1RSK.EXE
1492 C:\Program Files\Maxtor\OneTouch\utils\mspm.exe
1504 C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe
1524 C:\Program Files\Alwil Software\Avast5\avastUI.exe
1552 C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
1572 C:\Program Files\GE Security Supra\SyncInfoApp.exe
1580 C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1SWK.EXE
1640 C:\Program Files\Microsoft Office 2000\Office\1033\MSOFFICE.EXE
1584 C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
1840 C:\WINNT\system32\TASKMGR.EXE
1900 C:\WINNT\explorer.exe
1384 C:\Program Files\Mozilla Firefox\firefox.exe
524 C:\Program Files\Internet Explorer\iexplore.exe
1800 H:\Virus Malware infection_1-22-11\MBRCheck.exe

WARNING: Unsupported Windows version! Results may not be accurate!
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\H: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD200BB-75CAA0, Rev: 16.06V16
PhysicalDrive2 Model Number: HitachiHDS722020ALA330, Rev:

Size Device Name MBR Status
--------------------------------------------
18 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
1863 GB \\.\PhysicalDrive2 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

shelf life
2011-02-03, 22:40
It did produce a log but its inconclusive. Has you see down near the bottom it says:

WARNING: Unsupported Windows version! Results may not be accurate!

I dont think you have a rootkit based on the log results I have seen.
If you dont feel comfortable then I have two suggestions:
One is to reformat and reinstall Windows 2000, the second is to boot into the recovey console and do a fixmbr. I wouldnt do it wtihout first backing up any files you couldnt afford to lose, just has a precaution.

Patrick000
2011-02-04, 10:34
I want to thank you for spending time and energy helping me solve this.
I really appreciate it.

I have to think about my next step.

shelf life
2011-02-04, 22:31
ok. Your welcome. You can remove combofix like this:
go to start>run and type in combofix /uninstall
click ok or enter
note the space after the x and before the /
This should uninstall combofix.
Note that the free version of Malwarebytes must be updated manually and a scan started manually. Its good practice to keep it updated even if you dont scan with it that much.

If you reformat/reinstall dont forget to backup any files you dont want to lose, make sure you can get any needed drivers and dont forget to update Windows.