Possible Rootkit (google redirects)

DJKDSN

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:19 AM, on 2/12/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.avg.com/ww.special-toolbar-first-run-tlbrf
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=\\.\globalroot\systemroot\system32\userinit.exe,
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKUS\S-1-5-21-1837890183-2995969870-2060756648-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
O4 - S-1-5-21-1837890183-2995969870-2060756648-500 Startup: Vongo Tray.lnk.disabled (User 'Administrator')
O4 - S-1-5-18 Startup: Vongo Tray.lnk.disabled (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk.disabled (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: Pidgin.lnk = C:\Program Files\Pidgin\pidgin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 3884 bytes
 
Hi,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


Download GMER here by clicking the download exe button and then saving it to your desktop:
  • Double-click the .exe that you downloaded
  • Click the Rootkit tab and then Scan.
  • Don't check the Show All box while the scan is in progress!
  • When the scan has finished, click Copy.
  • This copies the log to the clipboard
  • Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply.
 
DDS (Ver_09-12-01.01) - NTFSx86
Run by KDSN at 1:23:48.01 on Thu 02/18/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2038.1587 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\KDSN.MATBOX\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.avg.com/ww.special-toolbar-first-run-tlbrf
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Userinit=\\.\globalroot\systemroot\system32\userinit.exe,
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pidgin.lnk - c:\program files\pidgin\pidgin.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll

Sorry, I know you guys prefer the logs, but Attach was kind of big; also the GMER scan is still running. I'll post it when it's finished, just wanted to let you know I'm still out here.
 
Hi,

Seems that only the beginning part of dds.txt contents got posted. Could you post the whole contents, please? :)
 
bah, sorry about that.

DDS (Ver_09-12-01.01) - NTFSx86
Run by KDSN at 1:23:48.01 on Thu 02/18/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2038.1587 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\KDSN.MATBOX\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.avg.com/ww.special-toolbar-first-run-tlbrf
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Userinit=\\.\globalroot\systemroot\system32\userinit.exe,
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pidgin.lnk - c:\program files\pidgin\pidgin.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kdsn~1.mat\applic~1\mozilla\firefox\profiles\h07v5jdv.default\
FF - prefs.js: browser.search.selectedEngine - Wowhead
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\kdsn.matbox\application data\mozilla\firefox\profiles\h07v5jdv.default\extensions\{190b412f-3273-4922-9954-56e8bcb5e113}\plugins\NPnsv.dll
FF - plugin: c:\documents and settings\kdsn.matbox\application data\mozilla\firefox\profiles\h07v5jdv.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-27 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-27 26824]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-10-27 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-31 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-27 76040]

=============== Created Last 30 ================

2010-02-09 21:46:40 0 d-----w- c:\program files\VideoLAN
2010-02-07 05:57:45 3469 ----a-w- c:\documents and settings\kdsn.matbox\.recently-used.xbel
2010-02-05 05:42:27 1089601 ------w- c:\windows\system32\dllcache\ntprint.cat
2010-02-03 19:42:38 0 d-----w- c:\windows\system32\XPSViewer
2010-02-03 19:41:18 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-02-03 19:41:18 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-02-03 19:41:18 117760 ------w- c:\windows\system32\prntvpt.dll
2010-02-03 19:41:17 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-02-03 19:41:17 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-02-03 19:41:17 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-02-03 19:41:17 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-02-03 19:41:17 0 d-----w- C:\76c9ad802ac1953bf118f71b08a990
2010-02-03 19:37:22 0 d-----w- c:\program files\MSXML 6.0
2010-02-03 19:32:56 0 d--h--r- C:\AHCache
2010-01-30 02:04:50 0 d-----w- c:\docume~1\kdsn~1.mat\applic~1\CreeperWorldDEMO.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
2010-01-30 02:04:50 0 d-----w- c:\docume~1\kdsn~1.mat\applic~1\CreeperWorld
2010-01-30 02:04:41 0 d-----w- c:\program files\KnuckleCracker
2010-01-21 23:57:13 1355 ----a-w- c:\windows\imsins.BAK

==================== Find3M ====================

2010-01-07 22:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:14:12 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:14:12 352640 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-18 13:05:43 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 12:58:04 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:35:35 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:35:35 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 18:14:02 2185984 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:14:02 2185984 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 18:11:44 2142720 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 17:35:25 2020864 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 17:35:22 2063104 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 17:35:22 2063104 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:13:51 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 14:41:55 453760 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-27 17:33:35 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:33:35 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 17:33:35 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:33:35 1291264 ------w- c:\windows\system32\dllcache\quartz.dll
2009-11-27 16:37:27 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:37:27 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:37:27 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37:27 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:37:27 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37:27 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:37:27 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37:27 28672 ------w- c:\windows\system32\dllcache\msvidc32.dll
2009-11-27 16:37:27 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37:27 11264 ------w- c:\windows\system32\dllcache\msrle32.dll
2009-11-21 16:36:13 470528 ------w- c:\windows\system32\dllcache\aclayers.dll
2008-10-26 08:44:43 19888 -c--a-w- c:\program files\common files\yfune.db
2008-10-26 08:44:43 19522 -c--a-w- c:\program files\common files\riku.com
2008-10-26 08:44:43 18905 -c--a-w- c:\program files\common files\hyseha.ban
2008-10-26 08:44:43 17116 -c--a-w- c:\program files\common files\fybyc._sy
2008-10-26 08:44:43 16764 -c--a-w- c:\program files\common files\okic.reg
2008-09-01 01:51:02 0 -c--a-w- c:\program files\temp01

============= FINISH: 1:24:34.57 ===============



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-19 05:04:15
Windows 5.1.2600 Service Pack 2
Running: nvbh56q5.exe; Driver: C:\DOCUME~1\KDSN~1.MAT\LOCALS~1\Temp\uxtdypoc.sys


---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\lsass.exe[752] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\lsass.exe[752] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[976] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[976] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1020] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1020] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1088] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1088] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1148] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1148] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Pidgin\pidgin.exe[1324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Pidgin\pidgin.exe[1324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[1444] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[1444] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1516] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1516] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Java\jre6\bin\jqs.exe[1584] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Java\jre6\bin\jqs.exe[1584] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\System32\alg.exe[2464] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\System32\alg.exe[2464] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\Disk \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074 F77A9BDE

---- Threads - GMER 1.0.15 ----

Thread System [4:276] F77AA93A
---- Processes - GMER 1.0.15 ----

Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [752] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [976] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1020] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1088] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1148] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\Pidgin\pidgin.exe [1324] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1444] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1516] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1584] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2464] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----
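The GMER section is the decisive part of this log: the same library, reported as hidden and loaded from a bare IP address, sits at the same base (0x35670000) in lsass, every svchost, spoolsv, alg, jqs and pidgin, and in each of those processes the kernel32 import-table entries for ntdll!NtWriteFile and ntdll!LdrGetProcedureAddress point into it. Alongside that, the DDS output shows a Userinit value routed through \\.\globalroot, a hosts-file entry sending a security site to loopback, and AVG's on-access scanner switched off. The triage script below is an added example, not code from this thread or from the DDS, HijackThis or GMER tools: it reads lines in the shapes those tools print and groups them by process so a helper can see at a glance which PIDs are injected and what else has been tampered with. The sample lines are copied from the logs above; the "normal Userinit" pattern, the loopback-hosts rule and the severity labels are the script's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS and GMER logs posted in this
# thread, trimmed to the shapes the triage below understands.
SAMPLE_LOG = r"""
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
mWinlogon: Userinit=\\.\globalroot\systemroot\system32\userinit.exe,
Hosts: 127.0.0.1 www.spywareinfo.com
IAT C:\WINDOWS\system32\lsass.exe[752] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\lsass.exe[752] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [3567297E] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[976] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [356729F4] \\74.117.114.86\max++.x86.dll
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [752] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [976] 0x35670000
Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Disk \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074 F77A9BDE
"""

# Line shapes as GMER prints them (IAT hook, loaded library, device object).
IAT_RE = re.compile(r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<module>\S+) "
                    r"\[(?P<import>[^\]]+)\] \[(?P<addr>[0-9A-Fa-f]+)\] (?P<target>.+)$")
LIB_RE = re.compile(r"^Library (?P<path>.+?) \((?P<flags>[^)]*)\) @ (?P<proc>.+?) "
                    r"\[(?P<pid>\d+)\] (?P<base>0x[0-9A-Fa-f]+)$")
DEV_RE = re.compile(r"^Device (?P<driver>\S+) (?P<device>\S+) (?P<rest>.+)$")
USERINIT_RE = re.compile(r"Userinit\s*=\s*(?P<val>\S+)", re.IGNORECASE)
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")


def is_normal_userinit(value):
    # Assumption: a healthy XP Userinit is a plain drive-letter path ending in
    # userinit.exe (DDS keeps the trailing comma). A value routed through
    # \\.\globalroot or a UNC share does not fit and is flagged.
    return re.fullmatch(r"[A-Za-z]:\\(?:[^,\\]+\\)*userinit\.exe,?", value, re.IGNORECASE) is not None


def is_unc(path):
    # UNC server/share path; the \\.\ and \\?\ local device prefixes are excluded.
    return path.startswith("\\\\") and path[2:3] not in (".", "?")


def triage(text):
    findings = []  # (severity, category, detail)
    injected = defaultdict(lambda: {"process": None, "libraries": set(), "hooks": set()})
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IAT_RE.match(line)
        if m:  # an import in this process no longer resolves into ntdll
            rec = injected[int(m["pid"])]
            rec["process"] = m["proc"]
            rec["hooks"].add(m["import"])
            rec["libraries"].add(m["target"])
            continue
        m = LIB_RE.match(line)
        if m:
            rec = injected[int(m["pid"])]
            rec["process"] = m["proc"]
            rec["libraries"].add(m["path"])
            if "hidden" in m["flags"].lower():
                findings.append(("high", "hidden-module",
                                 f"{m['path']} hidden in {m['proc']} [{m['pid']}]"))
            continue
        m = DEV_RE.match(line)
        if m and re.fullmatch(r"[0-9A-Fa-f]{8}", m["rest"]):
            # GMER printed only an address: it could not tie the object to a driver file.
            findings.append(("medium", "unattributed-device",
                             f"{m['driver']} {m['device']} @ {m['rest']}"))
            continue
        m = USERINIT_RE.search(line)
        if m and not is_normal_userinit(m["val"]):
            findings.append(("high", "userinit", f"Userinit={m['val']}"))
            continue
        m = HOSTS_RE.match(line)
        if m and m["ip"] in ("127.0.0.1", "0.0.0.0", "::1"):
            findings.append(("medium", "hosts-override", f"{m['host']} -> {m['ip']}"))
            continue
        if line.startswith("AV:") and "disabled" in line.lower():
            findings.append(("medium", "av-disabled", line[3:].strip()))
    # Per-process summary: where the module came from and which imports it took over.
    for pid, rec in sorted(injected.items()):
        for lib in sorted(rec["libraries"]):
            if is_unc(lib):
                findings.append(("high", "unc-module", f"{rec['process']} [{pid}] loads {lib}"))
        if rec["hooks"]:
            findings.append(("high", "iat-hook",
                             f"{rec['process']} [{pid}] {sorted(rec['hooks'])} -> {sorted(rec['libraries'])}"))
    return {"findings": findings, "injected": dict(injected)}


def injected_pids(result):
    return sorted(result["injected"])


if __name__ == "__main__":
    for sev, cat, detail in triage(SAMPLE_LOG)["findings"]:
        print(f"[{sev:6}] {cat:20} {detail}")
```

Run it over the full GMER paste to get one line per injected PID; the point of grouping by process is that a module present in every service host plus lsass, always at the same base and always hooking the same two imports, is a system-wide injection rather than a single bad program, which is why the helper moves to the Recovery Console rather than a live-Windows fix.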
 
Hi,

You must first verify that you can logon to the Windows Recovery Console.
To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console


Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following command at the x:\windows> prompt (the x represents your operating system drive letter, usually C):

batch look.bat

You will see "1 file copied" many times, then return to the x:\windows> prompt.
Type Exit to restart your computer, then log on in normal mode.
Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results here.
 
My recovery console is blue screening. I'm pretty sure I have been able to use it before.

Otherwise, I ran maxlook, and when the recovery console gets to the end of the loading bar it blue screens.
 
Hi,

Do you have the recovery console installed on your hard drive, or did you attempt to run it from the installation CD? Please don't make any further fixing attempts before we get the recovery console working.
 
Hi,

Do you have the installation media handy so that we could attempt to launch the recovery console from it?
 
Unfortunately no; I've been looking into making a recovery boot from USB, but haven't tried anything.

I'm beginning to think my original CD was lost in a move, but I do have i386 on my hard drive, if that helps.
 
Hi,

Do you have a CD burner and a blank CD available to make a bootable recovery console CD?

  1. Download recovery_console_cd.zip file to your drive and extract it to its own folder (c:\recoverycd for example).
  2. Download floppy disk setup package for your operating system (XP home SP2) and save it to the folder you extracted the zip to.
  3. Rename the floppy disk setup package to Bootdisk.exe.
  4. Insert a blank cd into your burner.
  5. Double-click the RecoveryCD.bat file and follow the prompts to burn a cd that will allow you to boot to the recovery console.
 
Alright, made the CD just fine. Rebooted Windows to get it to load. Entered the recovery console and it's giving me an error telling me there is no hard drive installed. The machine boots Windows from its hard drive just fine; I don't understand why the recovery console can't find it.
 
Hi,

It seems we need to use one more blank cd. You have to download and burn Hiren's BootCD here. There's a readme.txt file included if you need help with burning the media.

Let me know when you have the media created.
 
Hi,

Please leave the Hiren's BootCD option for now if you haven't burnt it yet. Enter the BIOS settings and change the AHCI setting to IDE (if you can't find such a setting, see if there's a SATA enabled/disabled setting and change it to disabled if visible). Then try to reboot with the recovery console CD again.
 
Disabling SATA did the trick. When I entered Windows it found a whole load of new devices. Am I better off leaving the BIOS as it is, or setting it back and re-enabling SATA?

Run from C:\Documents and Settings\KDSN.MATBOX\Desktop\maxlook.exe on Tue 02/23/2010 at 2:14:25.42

C:\WINDOWS\system32\drivers\HSFHWAZL.sys is infected!

2005-08-22 00:06:16 . 2005-08-22 00:06:16 - 201600 - 89E256C5F5346BE265D9F86AC8625D4F -c--a-w- C:\SwSetup\Modem\HSFHWAZL.sys
2005-08-22 00:06:16 . 2005-08-22 00:06:16 - 201600 - 5F0CB2C343E731B30D186F6AFCEB81AB ----a-w- C:\WINDOWS\system32\drivers\HSFHWAZL.sys
2006-08-19 10:25:04 . 2005-08-22 00:06:16 - 201600 - 89E256C5F5346BE265D9F86AC8625D4F -c--a-w- C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\HSFHWAZL.sys

Rogue configuration file = C:\WINDOWS\system32\config\caiifgbe.sav
Rogue configuration file = C:\WINDOWS\system32\config\system.sav
 
Hi,

Probably better to re-enable SATA (disable it again before the recovery console steps below and re-enable it after).

In Windows, click Start -> Run, type cmd.exe and press Enter. In the command prompt window type the following command:
Code:
copy C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\HSFHWAZL.sys C:\WINDOWS\system32\drivers\HSFHWAZL.sys.bak

You should get the message "1 file(s) copied.". If so, please continue with the steps below.

When done, save the instructions below and then reboot back into the recovery console.

In the recovery console, type the following commands (press Enter after each one); the 2nd copy command should ask for permission to overwrite, let it do so:
Code:
cd system32\drivers
copy HSFHWAZL.sys HSFHWAZL.sys.vir
copy HSFHWAZL.sys.bak HSFHWAZL.sys
exit



Re-enable SATA and boot into normal mode. Run the GMER scan again and post back the results.
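What maxlook reported is worth reading closely: three copies of HSFHWAZL.sys with the same size (201600 bytes) and the same timestamp, where the two backups share one MD5 and the live copy under system32\drivers has a different one. A legitimate driver update changes size or date; a driver whose bytes were rewritten in place while its metadata was preserved is what a patched-driver infection looks like, and the swap the helper describes simply puts a pristine backup in the live slot. The script below is an added example, not maxlook's code and not from this thread. It walks a tree for every copy of a named driver, hashes them, treats two or more agreeing backups as the reference (that 2-of-N rule is an assumption of the example), reports whether the live file differs in content only, and emits the same two-stage copy sequence the helper gave (stage the .bak from Windows, then swap in the Recovery Console). The directory layout it builds is constructed to mirror the three paths in the maxlook output. One caveat: when the processes on the box are injected as the GMER log shows, what a live Windows session reads back from the file cannot be trusted, so hash from outside the running OS (the thread's look.bat pass runs from the Recovery Console) or against the .vir copy afterwards.

```python
import hashlib
import os
import tempfile
from collections import Counter

DRIVER = "HSFHWAZL.sys"


def md5_of(path, chunk=65536):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def find_copies(root, name):
    """Every file called `name` under root as (path, size, mtime, md5)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                p = os.path.join(dirpath, fn)
                st = os.stat(p)
                hits.append((p, st.st_size, int(st.st_mtime), md5_of(p)))
    return hits


def assess(live_path, copies):
    """Judge the live driver against its backup copies.

    verdict is 'clean' (live hash matches the majority of backups),
    'patched' (at least two backups agree on a hash the live file lacks)
    or 'undecided' (fewer than two agreeing backups, so nothing to trust).
    """
    live = next(c for c in copies if os.path.normcase(c[0]) == os.path.normcase(live_path))
    backups = [c for c in copies if c is not live]
    tally = Counter(c[3] for c in backups)
    if not tally or tally.most_common(1)[0][1] < 2:
        return {"verdict": "undecided", "reference": None}
    ref_md5 = tally.most_common(1)[0][0]
    if live[3] == ref_md5:
        return {"verdict": "clean", "reference": None}
    ref = next(c for c in backups if c[3] == ref_md5)
    # Same size and timestamp with a different hash is the in-place patch
    # pattern in the maxlook listing: only the bytes changed.
    return {"verdict": "patched", "reference": ref,
            "same_size": live[1] == ref[1], "same_mtime": live[2] == ref[2]}


def restore_commands(live_path, ref_path):
    """The two-stage swap from the helper's post: stage the clean copy as
    .bak from Windows, then replace the driver from the Recovery Console."""
    name = os.path.basename(live_path)
    return {
        "windows": [f'copy "{ref_path}" "{live_path}.bak"'],
        "recovery_console": ["cd system32\\drivers",
                             f"copy {name} {name}.vir",
                             f"copy {name}.bak {name}",
                             "exit"],
    }


def build_demo(root):
    """Constructed stand-in for the three maxlook hits: two pristine copies
    and a live driver of identical size and timestamp with two bytes altered."""
    clean = bytes(range(256)) * 4
    patched = clean[:512] + b"\xEB\xFE" + clean[514:]
    layout = {
        os.path.join("SwSetup", "Modem", DRIVER): clean,
        os.path.join("WINDOWS", "system32", "ReinstallBackups", "0012", "DriverFiles", DRIVER): clean,
        os.path.join("WINDOWS", "system32", "drivers", DRIVER): patched,
    }
    stamp = 1124668800  # one fixed mtime for all three, as in the maxlook listing
    for rel, data in layout.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        os.utime(p, (stamp, stamp))
    return os.path.join(root, "WINDOWS", "system32", "drivers", DRIVER)


def run_demo():
    with tempfile.TemporaryDirectory() as root:
        live = build_demo(root)
        copies = find_copies(root, DRIVER)
        result = assess(live, copies)
        plan = restore_commands(live, result["reference"][0]) if result["reference"] else None
        return result, plan, len(copies)


if __name__ == "__main__":
    result, plan, n = run_demo()
    print(n, "copies,", result["verdict"])
    if plan:
        for stage, cmds in plan.items():
            print(stage + ":", *cmds, sep="\n  ")
```

Keeping the replaced file as .vir rather than deleting it is deliberate: it is the only artefact of the infection that can be hashed and submitted later, and the restore is reversible if the reference copy turns out to be wrong.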
 
:slap:

I forgot the copy command there. Please see the corrected version.
 