BOT/Virus Warnings From DSL Provider

Attach DDS for second machine

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 1/19/2008 9:53:46 PM
System Uptime: 3/9/2010 7:01:14 PM (2 hours ago)

Motherboard: TOSHIBA | | Portable PC
Processor: Intel(R) Pentium(R) M processor 1.73GHz | mFCPGA | 1729/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 93 GiB total, 73.428 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP41: 12/9/2009 2:20:09 PM - Software Distribution Service 3.0
RP42: 12/20/2009 10:07:34 AM - Software Distribution Service 3.0
RP43: 12/26/2009 11:30:32 AM - Software Distribution Service 3.0
RP44: 12/26/2009 1:17:39 PM - Software Distribution Service 3.0
RP45: 1/4/2010 9:32:38 PM - Software Distribution Service 3.0
RP46: 1/27/2010 8:15:37 PM - System Checkpoint
RP47: 1/27/2010 8:59:05 PM - Software Distribution Service 3.0
RP48: 2/5/2010 8:34:24 PM - Software Distribution Service 3.0
RP49: 2/16/2010 8:39:27 PM - Software Distribution Service 3.0
RP50: 2/19/2010 6:30:20 PM - Software Distribution Service 3.0
RP51: 2/20/2010 3:00:27 AM - Software Distribution Service 3.0
RP52: 2/20/2010 12:27:51 PM - Installed AVG Free 8.5
RP53: 2/21/2010 2:18:50 AM - Software Distribution Service 3.0
RP54: 2/21/2010 3:00:45 AM - Software Distribution Service 3.0
RP55: 2/23/2010 5:10:28 PM - Avg8 Update
RP56: 2/23/2010 5:24:44 PM - Software Distribution Service 3.0
RP57: 2/23/2010 6:39:06 PM - Software Distribution Service 3.0
RP58: 2/24/2010 6:59:37 PM - Software Distribution Service 3.0
RP59: 2/25/2010 7:42:32 PM - Software Distribution Service 3.0
RP60: 2/26/2010 7:02:13 PM - Software Distribution Service 3.0
RP61: 3/8/2010 7:38:03 PM - Avg8 Update
RP62: 3/8/2010 7:45:52 PM - Software Distribution Service 3.0

==== Installed Programs ======================

Adobe Flash Player 10 Plugin
Adobe Reader 7.0
America Online (Choose which version to remove)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Connectivity Services
AOL Spyware Protection
AOL You've Got Pictures Screensaver
ArcSoft Software Suite
AVG Free 8.5
Bluetooth Stack for Windows by Toshiba
CD/DVD Drive Acoustic Silencer
DVD-RAM Driver
ESET Online Scanner v3
Google Toolbar for Internet Explorer
Google Update Helper
High Definition Audio Driver Package - KB888111
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PROSet/Wireless Software
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
J2SE Runtime Environment 5.0 Update 4
Macromedia Flash Player 8
McAfee SecurityCenter
McAfee VirusScan
mCore
mDrWiFi
Metamail (Toshiba Registration Utility)
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office OneNote 2003
Microsoft Office Standard Edition 2003
Microsoft Security Essentials
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
mIWA
mIWCA
mLogView
mMHouse
Mozilla Firefox (3.0.15)
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
mWlsSafe
mXML
MyConnect Special Offer
mZConfig
Office 2003 Trial Assistant
Pure Networks Port Magic
Quicken 2005
QuickTime
RealPlayer Basic
Realtek High Definition Audio Driver
SD Secure Module
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Sonic DLA
Sonic RecordNow!
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
TIxx21/x515
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Hotkey Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
Toshiba Q4 Retail Demo ScreenSaver
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA TouchPad ON/Off Utility
TOSHIBA Utilities
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebFldrs XP
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
Xvid 1.1.3 final uninstall
Yahoo! Music Engine

==== Event Viewer Messages From Past Week ========

3/9/2010 8:47:48 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
3/9/2010 7:47:41 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
3/9/2010 7:27:34 PM, error: Service Control Manager [7034] - The McAfee.com McShield service terminated unexpectedly. It has done this 1 time(s).
3/9/2010 7:23:05 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the McShield service.
3/9/2010 7:22:20 PM, error: Service Control Manager [7034] - The Swupdtmr service terminated unexpectedly. It has done this 1 time(s).
3/9/2010 7:17:39 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
3/9/2010 7:02:36 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

==== End Of File ===========================
 
Hi Shelf life,

So the GMER log, post#14, is complete? Just want to triple check as this log is from the original safe one and is the most important machine.

The second machine is a laptop (whose logs are above), and I expected it to be relatively clean but not 100% sure.

Well then, on to the last, and most suspect machine. It went for a long time without any virus/malware protection due to a really strange problem with the version of Zone Alarm I had installed.

I will post those logs next.

Thanks again.
 
combofix log for high risk machine

I think it has a problem!!

ComboFix 10-03-09.04 - Mark MacKinnon 03/10/2010 20:45:21.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.361 [GMT -6:00]
Running from: c:\documents and settings\Mark MacKinnon\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2010-02-11 to 2010-03-11 )))))))))))))))))))))))))))))))
.

2010-03-11 02:44 . 2010-03-11 02:44 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2010-02-23 02:33 . 2010-02-23 02:33 -------- d-----w- c:\program files\ERUNT
2010-02-23 01:33 . 2010-02-23 01:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-23 01:30 . 2010-02-23 01:30 152576 ----a-w- c:\documents and settings\Mark MacKinnon\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-23 01:25 . 2010-02-23 01:25 79488 ----a-w- c:\documents and settings\Mark MacKinnon\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-22 14:24 . 2010-02-21 20:44 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-02-22 14:24 . 2010-02-21 20:44 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-02-22 01:21 . 2010-02-22 01:21 -------- d-----w- c:\documents and settings\Mark MacKinnon\Local Settings\Application Data\AVG Security Toolbar
2010-02-21 20:46 . 2010-02-21 20:46 -------- d-----w- C:\$AVG
2010-02-21 20:45 . 2010-02-21 20:45 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-02-21 20:45 . 2010-02-21 20:45 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-02-21 20:45 . 2010-02-21 20:45 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-21 20:45 . 2010-02-21 20:45 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-21 20:45 . 2010-02-21 20:45 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-21 20:45 . 2010-02-21 20:45 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-21 20:45 . 2010-02-27 01:05 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-21 20:44 . 2010-02-24 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-02-21 18:34 . 2010-02-21 18:34 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-02-21 18:34 . 2010-02-21 18:34 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-02-21 18:34 . 2010-02-21 18:34 -------- d-----w- c:\program files\AVG
2010-02-21 18:33 . 2010-02-21 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-11 02:40 . 2007-02-19 03:20 -------- d-----w- c:\documents and settings\Mark MacKinnon\Application Data\U3
2010-02-27 01:15 . 2010-02-27 01:15 -------- d-----w- c:\program files\ESET
2010-02-25 02:49 . 2010-02-25 02:49 -------- d-----w- c:\program files\Panda Security
2010-02-24 03:34 . 2010-02-24 00:56 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-23 02:46 . 2010-02-23 02:46 388096 ----a-r- c:\documents and settings\Mark MacKinnon\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-23 02:46 . 2010-02-23 02:46 -------- d-----w- c:\program files\TrendMicro
2010-02-23 01:32 . 2007-07-26 23:09 -------- d-----w- c:\program files\Java
2010-02-20 03:46 . 2007-01-29 02:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-14 17:12 . 2009-09-02 00:01 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-05 10:00 . 2001-08-23 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2001-08-23 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-05 02:31 . 2010-01-05 02:31 8892928 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi
2010-01-01 18:02 . 2006-05-13 22:01 1087 ----a-w- c:\windows\checkip.dat
2010-01-01 17:58 . 2006-05-13 22:00 1074 ----a-w- c:\windows\ipconfig.dat
2009-12-31 16:50 . 2001-08-23 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2007-04-15 18:37 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2001-08-23 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:02 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 24576]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-03-09 7561216]
"nwiz"="nwiz.exe" [2006-03-09 1519616]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-03-09 86016]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 65024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-23 149280]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-28 221184]
"DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe" [2006-11-14 102400]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-11-15 1121016]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-04-07 642856]

c:\documents and settings\Mark MacKinnon\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-21 20:45 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"3429:TCP"= 3429:TCP:Services

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2/21/2010 2:45 PM 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2/21/2010 2:45 PM 161800]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/24/2010 8:53 PM 28552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/21/2010 2:45 PM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/21/2010 2:45 PM 360584]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2/21/2010 2:44 PM 906520]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/21/2010 2:44 PM 285392]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [2/21/2010 2:44 PM 2304192]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2/21/2010 2:44 PM 5832712]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2/21/2010 12:34 PM 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [2/21/2010 2:44 PM 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [2/21/2010 2:44 PM 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [2/21/2010 2:44 PM 25736]
R3 STDRIVER;USB Bulk Out Driver for STM;c:\windows\system32\drivers\STDriver.sys [2/12/2006 1:53 PM 15930]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2/21/2010 12:34 PM 30104]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
S3 iadusb;Zoom USB Network Adapter;c:\windows\system32\drivers\glauiad.sys [7/7/2008 8:09 AM 30371]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.crh.noaa.gov/ifps/MapClick.php?MapType=3&site=MPX&CiTemplate=1&map.x=189&map.y=153
FF - ProfilePath - c:\documents and settings\Mark MacKinnon\Application Data\Mozilla\Firefox\Profiles\nhmtv5mp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.simhq.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-DSLAGENTEXE - c:\program files\Zoom\Adsl\dslagent.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-10 20:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x832E40E0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7633f28
\Driver\ACPI -> 0x832e40e0
\Driver\atapi -> atapi.sys @ 0xf755e852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> 0x82d10690
PacketIndicateHandler -> NDIS.sys @ 0xf7442a0d
SendHandler -> NDIS.sys @ 0xf7456b40
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0E4F8121
malicious code @ sector 0x0E4F8124 !
PE file found in sector at 0x0E4F813A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(192)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-10 21:01:10
ComboFix-quarantined-files.txt 2010-03-11 03:01

Pre-Run: 40,440,467,456 bytes free
Post-Run: 40,596,123,648 bytes free

- - End Of File - - 85355CE31989624041B5842EC59002CD
 
DDS Log for Risky machine

DDS (Ver_09-12-01.01) - NTFSx86
Run by Mark MacKinnon at 21:32:58.12 on Wed 03/10/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.338 [GMT -6:00]

AV: AVG Internet Security *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mark MacKinnon\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.crh.noaa.gov/ifps/MapClick.php?MapType=3&site=MPX&CiTemplate=1&map.x=189&map.y=153
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [DMXLauncher] "c:\program files\roxio\media experience\DMXLauncher.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
StartupFolder: c:\docume~1\markma~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {00000162-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/B/B/0BB06A5C-8611-4840-86B3-54DDDD0344B9/wma9dmo.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247796145640
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\markma~1\applic~1\mozilla\firefox\profiles\nhmtv5mp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.simhq.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-2-21 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-2-21 161800]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-2-24 28552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-21 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-21 28424]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-21 360584]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-2-21 906520]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-2-21 285392]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-2-21 2304192]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-2-21 5832712]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-2-21 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-2-21 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-2-21 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-2-21 25736]
R3 STDRIVER;USB Bulk Out Driver for STM;c:\windows\system32\drivers\STDriver.sys [2006-2-12 15930]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-2-21 30104]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
S3 iadusb;Zoom USB Network Adapter;c:\windows\system32\drivers\glauiad.sys [2008-7-7 30371]

=============== Created Last 30 ================

2010-03-11 02:44:54 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2010-03-11 02:43:23 98816 ----a-w- c:\windows\sed.exe
2010-03-11 02:43:23 77312 ----a-w- c:\windows\MBR.exe
2010-03-11 02:43:23 261632 ----a-w- c:\windows\PEV.exe
2010-03-11 02:43:23 161792 ----a-w- c:\windows\SWREG.exe
2010-02-27 01:15:55 0 d-----w- c:\program files\ESET
2010-02-25 02:53:00 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-25 02:49:28 0 d-----w- c:\program files\Panda Security
2010-02-23 02:46:15 0 d-----w- c:\program files\TrendMicro
2010-02-23 01:33:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-21 20:46:12 0 d-----w- C:\$AVG
2010-02-21 20:45:42 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-02-21 20:45:42 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-02-21 20:45:42 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-21 20:45:41 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-21 20:45:29 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-21 20:45:16 0 d-----w- c:\windows\system32\drivers\Avg
2010-02-21 20:44:50 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-02-21 18:34:15 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-02-21 18:34:15 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-02-21 18:34:10 0 d-----w- c:\program files\AVG
2010-02-21 18:33:56 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

==================== Find3M ====================

2010-01-14 17:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-05 10:00:29 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll

============= FINISH: 21:33:33.18 ===============
 
Attach DDS for last machine

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 4/15/2007 12:46:32 PM
System Uptime: 3/10/2010 8:34:07 PM (1 hours ago)

Motherboard: | | SiS-741
Processor: AMD Athlon(tm) XP 2000+ | Socket A | 1666/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 114 GiB total, 37.832 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: PCI\VEN_1039&DEV_7002&SUBSYS_70021039&REV_00\3&61AAA01&0&1A
Manufacturer:
Name:
PNP Device ID: PCI\VEN_1039&DEV_7002&SUBSYS_70021039&REV_00\3&61AAA01&0&1A
Service:

==== System Restore Points ===================

RP700: 12/8/2009 6:24:45 PM - Software Distribution Service 3.0
RP701: 12/9/2009 3:00:14 AM - Software Distribution Service 3.0
RP702: 12/10/2009 6:35:31 PM - Software Distribution Service 3.0
RP703: 12/11/2009 8:48:43 PM - System Checkpoint
RP704: 12/12/2009 9:41:08 PM - System Checkpoint
RP705: 12/16/2009 8:29:31 PM - Software Distribution Service 3.0
RP706: 12/17/2009 6:24:43 PM - Software Distribution Service 3.0
RP707: 12/22/2009 6:27:53 PM - Software Distribution Service 3.0
RP708: 12/23/2009 6:57:33 PM - System Checkpoint
RP709: 12/24/2009 3:03:32 PM - Software Distribution Service 3.0
RP710: 12/26/2009 9:44:37 AM - System Checkpoint
RP711: 12/26/2009 4:29:21 PM - Installed Windows NLSDownlevelMapping.
RP712: 12/26/2009 4:30:12 PM - Installed Windows IDNMitigationAPIs.
RP713: 12/26/2009 4:30:29 PM - Installed Windows Internet Explorer 7.
RP714: 12/26/2009 4:30:55 PM - Software Distribution Service 3.0
RP715: 12/27/2009 3:00:18 AM - Software Distribution Service 3.0
RP716: 12/30/2009 8:57:37 AM - Software Distribution Service 3.0
RP717: 12/30/2009 9:00:26 AM - Software Distribution Service 3.0
RP718: 12/31/2009 2:09:40 PM - System Checkpoint
RP719: 1/1/2010 2:57:12 PM - System Checkpoint
RP720: 1/1/2010 4:52:24 PM - Software Distribution Service 3.0
RP721: 1/2/2010 5:24:45 PM - Unsigned driver install
RP722: 1/4/2010 7:18:02 PM - Software Distribution Service 3.0
RP723: 1/5/2010 7:40:11 PM - System Checkpoint
RP724: 1/6/2010 7:50:59 PM - System Checkpoint
RP725: 1/7/2010 6:24:23 PM - Software Distribution Service 3.0
RP726: 1/8/2010 6:45:46 PM - System Checkpoint
RP727: 1/9/2010 7:25:10 PM - System Checkpoint
RP728: 1/10/2010 7:57:50 PM - System Checkpoint
RP729: 1/11/2010 5:05:03 PM - Software Distribution Service 3.0
RP730: 1/12/2010 5:45:43 PM - Software Distribution Service 3.0
RP731: 1/13/2010 6:03:29 PM - System Checkpoint
RP732: 1/13/2010 7:42:14 PM - Software Distribution Service 3.0
RP733: 1/14/2010 6:16:42 PM - Software Distribution Service 3.0
RP734: 1/15/2010 8:01:19 PM - System Checkpoint
RP735: 1/16/2010 8:35:17 PM - System Checkpoint
RP736: 1/19/2010 6:18:45 PM - Software Distribution Service 3.0
RP737: 1/20/2010 7:14:38 PM - System Checkpoint
RP738: 1/21/2010 5:36:23 PM - Software Distribution Service 3.0
RP739: 1/22/2010 3:00:15 AM - Software Distribution Service 3.0
RP740: 1/23/2010 5:33:57 PM - System Checkpoint
RP741: 1/24/2010 6:22:22 PM - System Checkpoint
RP742: 1/26/2010 2:07:56 PM - Software Distribution Service 3.0
RP743: 1/26/2010 5:41:44 PM - Microsoft Antimalware Checkpoint
RP744: 1/27/2010 6:19:32 PM - Software Distribution Service 3.0
RP745: 1/27/2010 6:23:30 PM - Software Distribution Service 3.0
RP746: 1/27/2010 10:55:33 PM - Software Distribution Service 3.0
RP747: 1/28/2010 6:30:17 PM - Software Distribution Service 3.0
RP748: 1/28/2010 6:38:03 PM - Software Distribution Service 3.0
RP749: 1/30/2010 9:16:43 AM - Software Distribution Service 3.0
RP750: 1/30/2010 6:57:33 PM - Software Distribution Service 3.0
RP751: 1/31/2010 1:08:55 PM - Software Distribution Service 3.0
RP752: 1/31/2010 6:41:15 PM - Software Distribution Service 3.0
RP753: 2/1/2010 6:38:08 PM - Software Distribution Service 3.0
RP754: 2/1/2010 6:55:00 PM - Software Distribution Service 3.0
RP755: 2/3/2010 5:23:53 PM - Software Distribution Service 3.0
RP756: 2/5/2010 6:02:50 PM - Software Distribution Service 3.0
RP757: 2/5/2010 6:09:10 PM - Software Distribution Service 3.0
RP758: 2/6/2010 8:10:01 PM - Software Distribution Service 3.0
RP759: 2/7/2010 8:10:11 PM - Software Distribution Service 3.0
RP760: 2/9/2010 5:53:53 PM - Software Distribution Service 3.0
RP761: 2/9/2010 5:57:36 PM - Software Distribution Service 3.0
RP762: 2/9/2010 6:00:26 PM - Software Distribution Service 3.0
RP763: 2/10/2010 3:39:02 AM - Software Distribution Service 3.0
RP764: 2/11/2010 6:08:31 PM - Software Distribution Service 3.0
RP765: 2/11/2010 6:16:04 PM - Software Distribution Service 3.0
RP766: 2/12/2010 2:51:09 PM - Software Distribution Service 3.0
RP767: 2/15/2010 9:53:23 PM - System Checkpoint
RP768: 2/17/2010 6:55:22 PM - System Checkpoint
RP769: 2/17/2010 8:52:57 PM - Software Distribution Service 3.0
RP770: 2/18/2010 8:48:00 PM - Software Distribution Service 3.0
RP771: 2/18/2010 8:48:54 PM - Software Distribution Service 3.0
RP772: 2/19/2010 5:55:34 PM - Software Distribution Service 3.0
RP773: 2/21/2010 12:33:54 PM - Installed AVG 9.0
RP774: 2/21/2010 2:43:49 PM - Configured AVG 9.0
RP775: 2/22/2010 8:24:54 AM - Avg8 Update
RP776: 2/22/2010 7:32:13 PM - Installed Java(TM) 6 Update 17
RP777: 2/22/2010 8:46:14 PM - Installed HiJackThis
RP778: 2/23/2010 8:26:42 PM - Software Distribution Service 3.0
RP779: 2/24/2010 6:39:32 PM - Avg8 Update
RP780: 2/25/2010 7:06:18 PM - System Checkpoint
RP781: 2/26/2010 7:47:38 PM - System Checkpoint
RP782: 3/4/2010 6:03:05 PM - System Checkpoint
RP783: 3/5/2010 7:00:09 PM - System Checkpoint
RP784: 3/6/2010 7:18:03 PM - System Checkpoint
RP785: 3/10/2010 8:43:41 PM - ComboFix created restore point

==== Installed Programs ======================

Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
AutoUpdate
AVG 9.0
Call of Duty
Call of Duty - United Offensive
DivX Codec
DivX Version Checker
ERUNT 1.1j
ESET Online Scanner v3
HiJackThis
HOTAS Cougar
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
IL-2 Sturmovik: Forgotten Battles
IL-2 Sturmovik: Forgotten Battles AEP
Java(TM) 6 Update 17
Java(TM) 6 Update 2
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.8)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MyDVD-VR Recorder
Network Magic
NVIDIA Drivers
Panda ActiveScan 2.0
PF+FB+AEP
PowerDVD
Pure Networks Platform
Realtek AC'97 Audio
Roxio Drag-to-Disc
Roxio Easy Media Creator 9 Suite
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 Series (KB969878)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SightSpeed (remove only)
SiS 900 PCI Fast Ethernet Adapter Driver
Sonic MyDVD-VR
Sound Blaster Live!
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
SuperUtilities
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC 9.0 Runtime
VC80CRTRedist - 8.0.50727.4053
WebEx Support Manager for Internet Explorer
WebFldrs XP
WinAce Archiver
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Zoom ADSL Modem
Zoom ADSL Modem Status

==== Event Viewer Messages From Past Week ========

3/10/2010 8:36:08 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================
 
GMER Log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-10 22:34:38
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\MARKMA~1\LOCALS~1\Temp\pxtdypoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwOpenProcess [0xF79E0470]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateProcess [0xF79E0520]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateThread [0xF79E05C0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwWriteVirtualMemory [0xF79E0660]

Code \??\C:\DOCUME~1\MARKMA~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\ACPI \Device\00000050 832E40E0
Device \Driver\ACPI \Device\00000051 832E40E0
Device \Driver\ACPI \Device\00000052 832E40E0
Device \Driver\ACPI \Device\00000060 832E40E0
Device \Driver\ACPI \Device\00000061 832E40E0

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\ACPI \Device\00000062 832E40E0
Device \Driver\ACPI \Device\00000057 832E40E0
Device \Driver\ACPI \Device\00000064 832E40E0
Device \Driver\ACPI \Device\00000068 832E40E0
Device \Driver\ACPI \Device\00000069 832E40E0
Device \Driver\ACPI \Device\0000004c 832E40E0
Device \Driver\ACPI \Device\0000005a 832E40E0
Device \Driver\ACPI \Device\0000004d 832E40E0
Device \Driver\ACPI \Device\0000005b 832E40E0
Device \Driver\ACPI \Device\0000005c 832E40E0

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\ACPI \Device\0000005d 832E40E0

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\ACPI \Device\0000005e 832E40E0
Device \Driver\ACPI \Device\0000006a 832E40E0
Device \Driver\ACPI \Device\0000006b 832E40E0
Device \Driver\ACPI \Device\0000006c 832E40E0

AttachedDevice \FileSystem\Fastfat \Fat sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- EOF - GMER 1.0.15 ----
 
OK, for this 'risky machine' as you called it we will get two more downloads. One is MBR.exe from GMER, the other from Kaspersky.
Use the Gmer exe first:

Please download MBR.exe from here.

Save the file to your desktop and double click on it.

A new text file will appear on your desktop after running the utility. Copy/paste the text file results in your reply.

Next:
Please download TDSS Killer.zip and save it to your desktop.
Extract the zip file to your desktop.
Double-click the TDSSkiller.exe to run.
A window will open.
When it's finished press any key to continue.
If prompted please reboot your computer.
Please post the report.txt that will be generated in your root C: (Local Disk).
It will be named TDSkiller.2.2.8_11.03.10 (version followed by date run).
Post the txt file in reply please.
 
MBR for risky machine

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x832ef240
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> 0x82d12690
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0E4F8121
malicious code @ sector 0x0E4F8124 !
PE file found in sector at 0x0E4F813A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
 
TDS Log for Risky Machine

23:19:09:390 2528 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
23:19:09:390 2528 ================================================================================
23:19:09:406 2528 SystemInfo:

23:19:09:406 2528 OS Version: 5.1.2600 ServicePack: 3.0
23:19:09:406 2528 Product type: Workstation
23:19:09:406 2528 ComputerName: MARK
23:19:09:406 2528 UserName: Mark MacKinnon
23:19:09:406 2528 Windows directory: C:\WINDOWS
23:19:09:406 2528 Processor architecture: Intel x86
23:19:09:406 2528 Number of processors: 1
23:19:09:406 2528 Page size: 0x1000
23:19:09:406 2528 Boot type: Normal boot
23:19:09:406 2528 ================================================================================
23:19:09:421 2528 UnloadDriverW: NtUnloadDriver error 2
23:19:09:421 2528 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
23:19:09:515 2528 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
23:19:09:515 2528 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:19:09:515 2528 wfopen_ex: Trying to KLMD file open
23:19:09:515 2528 wfopen_ex: File opened ok (Flags 2)
23:19:09:531 2528 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
23:19:09:531 2528 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:19:09:531 2528 wfopen_ex: Trying to KLMD file open
23:19:09:531 2528 wfopen_ex: File opened ok (Flags 2)
23:19:09:531 2528 Initialize success
23:19:09:531 2528
23:19:09:531 2528 Scanning Services ...
23:19:09:640 2528 GetAdvancedServicesInfo: Raw services enum returned 349 services
23:19:09:640 2528
23:19:09:640 2528 Scanning Kernel memory ...
23:19:09:640 2528 Devices to scan: 2
23:19:09:640 2528
23:19:09:640 2528 Driver Name: Disk
23:19:09:640 2528 IRP_MJ_CREATE : F7635BB0
23:19:09:640 2528 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
23:19:09:640 2528 IRP_MJ_CLOSE : F7635BB0
23:19:09:640 2528 IRP_MJ_READ : F762FD1F
23:19:09:656 2528 IRP_MJ_WRITE : F762FD1F
23:19:09:656 2528 IRP_MJ_QUERY_INFORMATION : 804FA88E
23:19:09:656 2528 IRP_MJ_SET_INFORMATION : 804FA88E
23:19:09:656 2528 IRP_MJ_QUERY_EA : 804FA88E
23:19:09:656 2528 IRP_MJ_SET_EA : 804FA88E
23:19:09:656 2528 IRP_MJ_FLUSH_BUFFERS : F76302E2
23:19:09:656 2528 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
23:19:09:656 2528 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
23:19:09:656 2528 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
23:19:09:656 2528 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
23:19:09:656 2528 IRP_MJ_DEVICE_CONTROL : F76303BB
23:19:09:656 2528 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7633F28
23:19:09:656 2528 IRP_MJ_SHUTDOWN : F76302E2
23:19:09:656 2528 IRP_MJ_LOCK_CONTROL : 804FA88E
23:19:09:656 2528 IRP_MJ_CLEANUP : 804FA88E
23:19:09:656 2528 IRP_MJ_CREATE_MAILSLOT : 804FA88E
23:19:09:656 2528 IRP_MJ_QUERY_SECURITY : 804FA88E
23:19:09:656 2528 IRP_MJ_SET_SECURITY : 804FA88E
23:19:09:656 2528 IRP_MJ_POWER : F7631C82
23:19:09:656 2528 IRP_MJ_SYSTEM_CONTROL : F763699E
23:19:09:656 2528 IRP_MJ_DEVICE_CHANGE : 804FA88E
23:19:09:656 2528 IRP_MJ_QUERY_QUOTA : 804FA88E
23:19:09:656 2528 IRP_MJ_SET_QUOTA : 804FA88E
23:19:09:687 2528 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:19:09:687 2528
23:19:09:687 2528 Driver Name: atapi
23:19:09:687 2528 IRP_MJ_CREATE : F75626F2
23:19:09:687 2528 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
23:19:09:687 2528 IRP_MJ_CLOSE : F75626F2
23:19:09:703 2528 IRP_MJ_READ : 804FA88E
23:19:09:703 2528 IRP_MJ_WRITE : 804FA88E
23:19:09:703 2528 IRP_MJ_QUERY_INFORMATION : 804FA88E
23:19:09:703 2528 IRP_MJ_SET_INFORMATION : 804FA88E
23:19:09:703 2528 IRP_MJ_QUERY_EA : 804FA88E
23:19:09:703 2528 IRP_MJ_SET_EA : 804FA88E
23:19:09:703 2528 IRP_MJ_FLUSH_BUFFERS : 804FA88E
23:19:09:703 2528 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
23:19:09:703 2528 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
23:19:09:703 2528 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
23:19:09:703 2528 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
23:19:09:703 2528 IRP_MJ_DEVICE_CONTROL : F7562712
23:19:09:703 2528 IRP_MJ_INTERNAL_DEVICE_CONTROL : F755E852
23:19:09:703 2528 IRP_MJ_SHUTDOWN : 804FA88E
23:19:09:703 2528 IRP_MJ_LOCK_CONTROL : 804FA88E
23:19:09:703 2528 IRP_MJ_CLEANUP : 804FA88E
23:19:09:703 2528 IRP_MJ_CREATE_MAILSLOT : 804FA88E
23:19:09:703 2528 IRP_MJ_QUERY_SECURITY : 804FA88E
23:19:09:703 2528 IRP_MJ_SET_SECURITY : 804FA88E
23:19:09:703 2528 IRP_MJ_POWER : F756273C
23:19:09:703 2528 IRP_MJ_SYSTEM_CONTROL : F7569336
23:19:09:703 2528 IRP_MJ_DEVICE_CHANGE : 804FA88E
23:19:09:703 2528 IRP_MJ_QUERY_QUOTA : 804FA88E
23:19:09:703 2528 IRP_MJ_SET_QUOTA : 804FA88E
23:19:09:718 2528 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
23:19:09:718 2528
23:19:09:718 2528 Completed
23:19:09:718 2528
23:19:09:718 2528 Results:
23:19:09:718 2528 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
23:19:09:718 2528 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:19:09:718 2528 File objects infected / cured / cured on reboot: 0 / 0 / 0
23:19:09:718 2528
23:19:09:718 2528 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
23:19:09:718 2528 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
23:19:09:718 2528 KLMD(ARK) unloaded successfully
 
On this last machine we will get yet another download. It's another tool for rootkits. Link and directions:

Please download: RootRepeal

http://ad13.geekstogo.com/RootRepeal.exe

Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply
 
Here is the RootRepeal report;

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/03/13 20:30
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF536E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B5B000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB943E000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf78a0470

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf78a0520

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf78a05c0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf78a0660

Stealth Objects
-------------------
Object: Hidden Code [Driver: ACPI, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x830c1850 Size: 1968

==EOF==

Thanks for your help Shelf life!
 
OK, both say MBR rootkits. How do you feel about reinstalling Windows on this machine? Another solution would be to re-write a new MBR from the recovery console. Do you have the original installation (Windows) media? Keep this machine off your local network and the internet.
Some somewhat old info about rootkits. The first one doesn't mention them as root kits, but it all still applies.

http://technet.microsoft.com/en-us/library/cc512587.aspx
http://technet.microsoft.com/en-us/library/cc512642.aspx
 
Thanks Shelf life.
I do have the original XP Home install disk, and based on the first link it would appear that a complete wipe and reinstall is the only 100% safe way to eradicate the rootkit?
I would prefer a less drastic method, as my original disk is about 5-6yrs old, so there is a ton of patching/updates to go through, and then reinstalling software.
Rewriting the MBR via the recovery console would appear to be a less painful fix, but would the vulnerabilities (hidden backdoors, etc) discussed in the first link still be present?

If the first option, reformat and reinstall XP, is the way to go, are there any scanners that can check individual files for malware so that I can copy some files off the machine to avoid losing them?

I have kept this machine off the local network and off the internet since we started this process and have had no more warnings from the DSL provider so it is pretty clear this one is the bad apple.
 
Thanks for all the info.

this one is the bad apple
Based on the gmer and root repeal log, yes. Another tip was all the open ports in the combofix log.

Yes a reformat/reinstall would be the safest in the case of root kits.
You're right, just to get all the Windows updates would be a massive download.
A rewrite of the MBR would be pretty easy and quick to do.

but would the vulnerabilities (hidden backdoors, etc) discussed in the first link still be present?
Yes it is possible.

scanners that can check individual files for malware so that I can copy some files off the machine to avoid losing them?
Yes, most scanners can. If you use a USB drive or external drive then before you move them to another machine you should disable autorun first before plugging it in. Some malware can get transferred via these drives from one computer to another. The default is to read the autorun.ini file on the device, which will execute any malware;

Code:
autorun.ini
autorun=
virus.exe
Not saying you have malware that can do this, it's just a precaution.

I have kept this machine off the local network and off the internet since we started
Good, good and more good.

Let me know what you want to do and we will proceed.

disable autorun
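As an added example (not from this thread, and not Spybot's, Panda's or Microsoft's code), a small Python triage script for the autorun mechanism described in this post: it parses an autorun.inf taken from a removable drive and reports which directives would launch a program, and it evaluates the NoDriveTypeAutoRun policy bitmask that "disable autorun" guidance sets. The autorun.inf text below is constructed for the demo and modelled on the example in the post.

```python
"""Added example (not from the thread): USB-drive autorun triage.

Windows AutoRun reads autorun.inf from the root of an inserted drive and
may run whatever the [autorun] section's open= / shellexecute= /
shell\\<verb>\\command= directives point at.  Two helpers: one reports the
launch directives in an autorun.inf, the other evaluates the
NoDriveTypeAutoRun policy bitmask used to switch AutoRun off per drive type.
"""
import re

# Directives whose value is a program to run.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".wsf")

# GetDriveType() values; bit n of NoDriveTypeAutoRun disables AutoRun for type n.
DRIVE_UNKNOWN, DRIVE_NO_ROOT_DIR, DRIVE_REMOVABLE, DRIVE_FIXED = 0, 1, 2, 3
DRIVE_REMOTE, DRIVE_CDROM, DRIVE_RAMDISK = 4, 5, 6
XP_DEFAULT_MASK = 0x91    # unknown + network + reserved bit: USB and CD still autorun
DISABLE_ALL_MASK = 0xFF   # the "disable autorun" setting: no drive type autoruns


def parse_autorun_inf(text):
    """Return {section: [(key, value), ...]} with sections and keys lower-cased.
    Duplicate keys are kept so a repeated open= line is not silently dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def launch_directives(text):
    """(key, value) pairs from [autorun] that tell Windows to run something."""
    found = []
    for key, value in parse_autorun_inf(text).get("autorun", []):
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            found.append((key, value))
    return found


def flagged_targets(text):
    """Launch directives whose target names an executable-type file."""
    out = []
    for key, value in launch_directives(text):
        program = value.split()[0].strip('"').lower() if value else ""
        if program.endswith(EXECUTABLE_EXT):
            out.append((key, value))
    return out


def autorun_enabled(drive_type, mask):
    """True if the NoDriveTypeAutoRun mask still lets AutoRun fire for this drive type."""
    return ((mask >> drive_type) & 1) == 0


# Constructed autorun.inf, modelled on the example quoted in the thread.
SAMPLE_AUTORUN_INF = """\
; constructed sample: what a hostile pen drive's autorun.inf can look like
[autorun]
open=virus.exe
shellexecute=virus.exe
icon=setup.exe,0
label=Holiday Photos
shell\\open\\command=virus.exe -s
"""

if __name__ == "__main__":
    for key, value in flagged_targets(SAMPLE_AUTORUN_INF):
        print("would launch:", key, "->", value)
    for mask, name in ((XP_DEFAULT_MASK, "XP default"), (DISABLE_ALL_MASK, "autorun disabled")):
        print(name, "USB autorun enabled:", autorun_enabled(DRIVE_REMOVABLE, mask))
```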
 
Thanks much for the feedback Shelf life,
I am inferring from your reply that, in most cases, rewriting the MBR poses a minimal risk to reinfection, but not zero risk?

My concern here, and please educate me if I am missing something as I have next to zero knowledge of these issues, is that my 'infection' is fairly sophisticated and the possible exposure to some of the less likely (hidden backdoors for one) undesirable outcomes of an MBR rewrite is higher than one would normally expect. I am basing this on a couple of observations;

1. Prior to being alerted by my DSL provider, I had no indication of anything wrong. No strange popups or mysterious website redirects. And no blocking of sites such as spybot, etc. and the computer, though slow on occasion, did not show any really strange behaviours
2. The DSL provider indicated that the malicious activity was being reported by other users(?), indicating some level of sophistication in what was done to my computer and what the real intent was?

I am by no means asking for a guarantee that the MBR rewrite has very little risk, I just am curious as to whether my info/condition and results indicate that what infected this computer is more than the 'common cold' in the world of malware.

Last question;

If I use a CD/DVD to move the files I wish to save (if I choose the wipe and reinstall XP option), then I should run the Panda vaccination on the machine that will be 'receiving' the questionable files, in order to avoid a hidden transfer of malware? If I use a USB pen drive, then I would run the Panda vaccine onto the USB drive?

And again, very heartfelt thanks for your time and patience with me and my problems. I am now off the precipice of losing internet access, and have learned a great deal on how many perils exist on the internet.
 
hi,

It's a good thing that most malware is rather "noisy"; this is one way that people can notice something's wrong. Root kits can be 'stealthy', going undetected by traditional antivirus/malware scanners. They are also rather new to the Windows OS and are on the increase, so yes, I would consider root kits more serious/sophisticated than the usual malware one can get. More than a common cold anyway.
Normally when one has a root kit there is also other malware on board. I don't recognize any other malware in this case. Both Gmer and Root Repeal flagged an MBR root kit, which is good enough evidence although any is capable of false positives.
Not sure what your ISP meant by 'other users'; maybe you were sending out spam.

We can get one more tool from Gmer:
Please download MBR.exe from:

http://www2.gmer.net/mbr/mbr.exe
Save the file to your desktop and double click on it.
A new text file will appear on your desktop, created by the tool. Copy and paste that file in your reply.
We can also use the tool to rewrite a new MBR.

Rewriting the MBR poses a minimal risk of reinfection, but not zero risk.
It's not zero risk because there is no guarantee that everything was removed or that other OS files etc. are not modified. Let's see what this new Gmer tool yields.
You would put the Panda tool on the computer that will receive the USB drive, and it should run automatically when you insert the USB drive.
You're welcome, no problem.
 
Thanks Shelf life,
I tried to run that Gmer tool last night, but I am thinking it was not working correctly. When I double-clicked, a window popped up and closed so fast I could not read it, and there is no log/window that either stays up or comes up later?
I will try it again tonight in safe mode, unless you recommend otherwise.

Thanks
 
Hi Shelf life,
I guess the Gmer tool did run correctly, I just did not see the results log. So here it is:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x832ef240
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> 0x82d12690
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0E4F8121
malicious code @ sector 0x0E4F8124 !
PE file found in sector at 0x0E4F813A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
 
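For readers who want to see where lines like "copy of MBR has been found in sector", "malicious code @ sector" and "PE file found in sector" come from, here is an added worked example; it is not Gmer's code and not part of the original thread. Mebroot/Sinowal overwrites the boot code in sector 0 with its own loader and parks the original MBR and its driver in raw sectors outside any partition, so a detector scans the unpartitioned space and classifies what it finds. The heuristics below (partition-table match with different boot code means a saved MBR copy, an MZ header means a parked PE file, any other non-empty sector is unknown code) are simplified assumptions, not Gmer's exact logic, and the disk image is constructed in memory, so nothing touches a real disk.

```python
"""Added example (not Gmer's code): simplified MBR-rootkit heuristics run over a
constructed disk image. The constructed image places a saved original MBR, a
loader stage and an MZ-headed driver past the end of the only partition."""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"


def parse_partitions(mbr):
    """Return (start_lba, sector_count) for every used primary partition entry."""
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and count:
            parts.append((start, count))
    return parts


def in_partition(lba, parts):
    return any(start <= lba < start + count for start, count in parts)


def scan_image(img):
    """Scan sectors outside all partitions; return [(finding, lba), ...].

    Heuristics (assumptions for this example, not Gmer's exact logic):
      mbr-copy : same partition table + boot signature as sector 0, different code
      pe-file  : sector starts with an MZ header (a driver parked on raw sectors)
      code     : any other non-empty sector outside the partitions
    """
    mbr = img[:SECTOR]
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append(("no-boot-signature", 0))
    parts = parse_partitions(mbr)
    for lba in range(1, len(img) // SECTOR):
        if in_partition(lba, parts):
            continue
        sec = img[lba * SECTOR:(lba + 1) * SECTOR]
        if not any(sec):            # all-zero sector: nothing parked here
            continue
        if sec[446:512] == mbr[446:512] and sec[:446] != mbr[:446]:
            findings.append(("mbr-copy", lba))
        elif sec[:2] == b"MZ":
            findings.append(("pe-file", lba))
        else:
            findings.append(("code", lba))
    return findings


def _mbr(code, parts):
    """Build a 512-byte MBR: boot code, 4-entry partition table, 0x55AA."""
    table = b""
    for start, count in parts:
        # bootable flag, CHS start (unused), type 0x07 (NTFS), CHS end (unused), LBA start, count
        table += struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, start, count)
    table = table.ljust(64, b"\x00")
    return code.ljust(446, b"\x00") + table + BOOT_SIG


def build_sample_image(total_sectors=1000):
    """Constructed image: one partition at LBA 63..862, rootkit artifacts parked past it."""
    parts = [(63, 800)]
    original_mbr = _mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", parts)  # stand-in for real boot code
    infected_mbr = _mbr(b"\xeb\x05\x90\x90\x90\x90\x90", parts)  # loader replaced the code only
    img = bytearray(total_sectors * SECTOR)
    img[:SECTOR] = infected_mbr
    img[990 * SECTOR:991 * SECTOR] = original_mbr                      # saved original MBR
    img[993 * SECTOR:993 * SECTOR + 16] = b"\x60\xfa\x0f\x01\x16" + b"\x90" * 11  # loader stage
    img[995 * SECTOR:995 * SECTOR + 64] = b"MZ\x90\x00" + b"\x00" * 60   # parked driver
    return bytes(img)


if __name__ == "__main__":
    for kind, lba in scan_image(build_sample_image()):
        print(f"{kind} @ sector 0x{lba:08X}")
```

On the constructed image this reports an MBR copy at sector 990, unknown code at 993 and a PE file at 995, the same three kinds of finding the real log above lists at much higher sector numbers (the end of a 93 GiB disk). On a real system the image would be read from the physical drive via a raw device handle, and a saved original MBR that differs only in its boot code from sector 0 is exactly what makes the "-f" fix possible: the tool can restore that copy instead of writing a generic MBR.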