Safer-networking.org is blank page

siskara · Jun 19, 2009

technet.microsoft is blank page...

I will ask my coleaque to help me refresh modem / router cross network and setup it again....

This few web pages don't bothers me so much, I will not reinstal windows because of that stupid virus....

I still have acsess to my favorite web pages and machine PC is quite fast...

thanks...

:greeting:

shelf life · Jun 19, 2009

hi siskara,

Resetting your router wont do any good. You have a rootkit on your machine.
This isnt like adware or something, its a potential gateway to your machine, network and everything on them. you could be "pwnd". Your machine could be used to relay spam, for communications or directed attacks against others. Your own personal and financial well being could be at risk.

I would reformat/reinstall Windows, If you dont want to do that then i will attempt to help you remove it using combofix if you want.

siskara · Jun 19, 2009

svchost.exe

svchost.exe: task manager - in process:

svchost.exe - local service - 4.452 K
svchost.exe - network service - 4.080 K
svchost.exe - system - 19.096 K
svchost.exe - network service - 4.204 K
svchost.exe - system - 4.8024 K
svchost.exe - system - 4.620 K

when I try to shutdown process, nothing happened (still some web pages are blank), some of this svchost.exe can't be shutdown (importand system file), some of them when I shutdown it - put pop up window: 30 sec until shutdown PC and then PC after coundown shuts down!

I don't have any financial informations and did not give to anyone my bank account or something like that, that I never use on PC.

If some file is hidden that could mean that is file very importand to system, not nessesary is that could be a virus.

I've heard that router can have viruses also, because our main server in one bigger city are not quite well protected!

We will harm to PC if we somehow delete svchost.exe, did You found something else strange in this reports?

siskara · Jun 19, 2009

can You contact with Blade 81?

And ask him a fewor to look my reports?:thanks:

siskara · Jun 19, 2009

Is there any possibility to download complete

Spybot with virus base???? even a old version will help I think, because that is best spyware, adaware, antivirus scanner and removal!
:crowned:

shelf life · Jun 20, 2009

we will use combofix:

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:

Code:

File::
C:\WINDOWS\system32\itxlf.dll

NetSvcs::
ekqwsf

Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon, both on your desktop
using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
please post the new combofix log.

siskara · Jun 21, 2009

remeber this?

remember this? :I forgot to wrote that one option is missing on desktop right click - propertys: no desktop option (where You can chose background) and there is customise desktop option where You can choose 4 main icons - no such option.

I have that option now, don't know when it start to work.... sorry...

But we making some progress.

siskara · Jun 21, 2009

combofix log

ComboFix 09-06-20.04 - Administrator 21.06.2009 23:23.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.1023.696 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090620-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\windows\system32\itxlf.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\itxlf.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ekqwsf
-------\Service_ekqwsf

((((((((((((((((((((((((( Files Created from 2009-05-21 to 2009-06-21 )))))))))))))))))))))))))))))))
.

2009-06-16 18:58 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2009-06-13 14:56 . 2009-06-13 14:57 -------- d-----w- c:\windows\ERUNT
2009-06-13 14:53 . 2009-06-13 15:15 -------- d-----w- C:\SDFix
2009-06-12 16:23 . 2009-06-12 16:23 -------- d-s---w- c:\windows\Cookies
2009-06-11 21:29 . 2009-06-11 21:29 1915520 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-09 23:01 . 2009-06-09 23:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-09 23:00 . 2009-06-09 23:00 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-07 07:56 . 2009-06-07 07:56 -------- d-----w- c:\program files\Trend Micro
2009-06-04 19:33 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-06-04 19:33 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-06-04 19:33 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-06-04 19:33 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-06-04 19:33 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-06-04 19:33 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-06-04 19:33 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-06-04 19:33 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-06-04 19:33 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-06-04 19:32 . 2009-06-04 19:32 -------- d-----w- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-16 19:54 . 2008-12-29 17:51 -------- d-----w- c:\program files\WinClamAVShield
2009-06-16 19:54 . 2008-04-12 15:04 -------- d-----w- c:\program files\Spyware Terminator
2009-06-16 19:54 . 2008-04-12 15:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Spyware Terminator
2009-06-14 18:30 . 2008-07-11 16:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-06-14 18:30 . 2009-05-12 19:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-06-12 16:13 . 2008-02-16 21:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager
2009-06-09 23:02 . 2007-10-25 20:22 -------- d-----w- c:\program files\Java
2009-06-08 16:49 . 2009-05-08 22:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-26 11:20 . 2009-05-08 22:17 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 11:19 . 2009-05-08 22:17 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-20 22:16 . 2008-01-07 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-05-13 19:58 . 2008-02-16 21:01 -------- d-----w- c:\program files\Free Download Manager
2009-05-08 22:17 . 2009-05-08 22:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-08 22:17 . 2009-05-08 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-06 21:45 . 2006-10-20 17:08 44112 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-06 20:26 . 2006-10-20 16:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-03 00:33 . 2008-01-01 14:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-02 19:52 . 2009-05-02 19:52 -------- d-----w- c:\program files\MSSOAP
.

((((((((((((((((((((((((((((( SnapShot@2009-06-12_16.18.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-21 21:27 . 2009-06-21 21:27 16384 c:\windows\Temp\Perflib_Perfdata_658.dat
+ 2009-06-21 21:27 . 2009-06-21 21:27 16384 c:\windows\Temp\Perflib_Perfdata_4c0.dat
- 2009-05-31 21:34 . 2009-05-31 21:34 29926 c:\windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
+ 2009-06-12 19:30 . 2009-06-12 19:30 29926 c:\windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
+ 2009-06-12 16:23 . 2009-06-12 16:06 16384 c:\windows\Cookies\index.dat
+ 2007-01-31 13:33 . 2007-01-31 13:33 5632 c:\windows\system32\drivers\avgarkt.sys
+ 2009-06-13 14:57 . 2009-06-13 14:57 385024 c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2009-06-13 14:57 . 2008-08-07 13:27 163328 c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-06-13 14:57 . 2009-06-13 14:57 385024 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2009-06-13 14:57 . 2008-08-07 13:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-06-13 14:57 . 2009-06-13 14:57 8282112 c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2009-06-13 14:57 . 2009-06-13 14:57 8282112 c:\windows\ERUNT\SDFIX\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 344064]
"SpywareTerminator"="c:\progra~1\SPYWAR~1\SpywareTerminatorShield.exe" [2009-05-08 1783808]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 28672]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFileUrl"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Free Download Manager\\fdmwi.exe"=
"c:\\Program Files\\Free Download Manager\\fdm.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*

isabled

xpsp2res.dll,-22009
"2604:TCP"= 2604:TCP:cocrho

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4.6.2009 21:33 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [12.4.2008 17:05 141312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4.6.2009 21:33 20560]
R3 PAC207;i-Look 111;c:\windows\system32\drivers\PFC027.SYS [29.6.2007 16:32 611584]
S2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [23.8.2001 14:00 14336]
S2 ekqwsf;Task Installer;c:\windows\system32\svchost.exe -k netsvcs [23.8.2001 14:00 14336]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\Windows Live\Messenger\usnsvc.exe [18.10.2007 11:31 98328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ekqwsf
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ba/
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: I&zvoz u Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Preuzmi odabrano Free Download Manager-om - file://c:\program files\Free Download Manager\dlselected.htm
IE: Preuzmi sa Free Download Managerom - file://c:\program files\Free Download Manager\dllink.htm
IE: Preuzmi sve sa Free Download Manager-om - file://c:\program files\Free Download Manager\dlall.htm
Trusted Zone: google.ba\www
Trusted Zone: live.com \www
Trusted Zone: safer-networking.org\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-21 23:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ekqwsf]
"ServiceDll"="c:\windows\system32\itxlf.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-1801674531-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,08,25,11,cc,ca,bd,4b,97,42,24,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,08,25,11,cc,ca,bd,4b,97,42,24,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,08,25,11,cc,ca,bd,4b,97,42,24,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="6013BED46240E7E816847E01A76B661D583E6AA8CD94DE9705991B1A99C421A6EA7327FAE797D3E68270E7748E83223AFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933BA7FD869164D6794A6A0AC4980AC7933FEBC9E127BECC74CA1AAF134A19346334F32F294DF176F45E439A07946096C955CC2981FDCACD795A93CC03AC6446DA4F4C08C2FAED0B094AB670B547AEAEFAC671ED14255AA8DC6969C2F360A1F9B7A80DEAE0A2ACFCB5896B8ECAC0556A72F92EB3CBFF487A0EFE9631B31F225698D8B63F5F2FEA626FEF062BE3CDB9065C880E44C5A17D77012BB69959460DDE1D7C168B121AF6F989E1D642B20446270C4E686AAB8E53750D5B7CDE3B182D2057A63CC612A1543707090FB92D95B970216918F33E4E34108849CF180BA6214C7B84636BD8CD844ED5153AD86CF908147545D0976CCE499D00F3DFC1846D63491FB5088B128791547C0844452C92874E337BD3939C492E35C8582D78CD18E49BE4EFEF1D9C0C95CA465D3C76D753AC9EC1EB62E7401E74BCAA1E5B1733B0CEC1E61E25F8A7E71C72387078C89E530DC6C096539D31C38FD35BC777C16C624C0F4079F84C86FEA845314F7A20A8E4C8F6120F66E389626ABA556DA6E711B8163FA396DD8D0038348BB9B93E505C9A1C6BC2BAC29B6502B8B1C114680B744A0005D9298180F0D60CAD3D25A70C8541869649ADD84179194D58A3486F24F3154BC3AD38340294776C58A93632252D06B65B37EF5E1D50302C958A979C55035424C265F1E94F1CD91F93F5AD5A0D5C22A2BF60DEFE7A4B469A7600113410988645EA9BEF41E769F4F2BC6477053BA95B9AF71A0617D66981436726DDA6EF9C608AABF1DA2A474A124A1EA2004E51E9551EBD7366ED2B4841D3F5046EB9AD96D4E6DDACA56BADD1E55A7E8CEF4494E74FC5A567053D55BB3F48FB284745913E02FE1DB3CD5B1DA3F7F0E71DDBEB0CDC71CFE89155CBD5C43E2F742C8B88040E9F14D9D8779A044168F28297FEC95D58862DB040EEC036A377E50A0D591A935B136F5E9E9AC63A997C84C2A09A0B35114D8FA4B6AF9E3EF74B3F0DF9166B37749EBA6814270194D9CC1D88072900ADE2CD8E75959105E8746C3B785083A40BE24DAAC9996D724A5DE662B2D59045DD3F594331CB2CBBB03DAC3868EE79EB5F9979B5BD80C0CACDC02F3A7A67EDAB6B6FA8DF3F6F0E082E5C41C43E803BABDCB611C0A5B704A9C52097E36D3C604E1C3A91E3F3EAF1380E9FA8AD6F8514A4707209E93323360A4185C6C4213B9856E6851EF35BC333FC67AD51E2E14ED9C84B6D6B85560E83536744878BAB58679314A2905F3B05FD22AB8953D3D061715EA986D54B2DD47400A61FC30947EFC8C41C0C8AEA0CA40CE45F95D20F78E30"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-21 23:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-21 21:33
ComboFix2.txt 2009-06-21 21:12
ComboFix3.txt 2009-06-12 16:38
ComboFix4.txt 2009-06-12 16:21

Pre-Run: 27.353.030.656 bytes free
Post-Run: 27.259.138.048 bytes free

196 --- E O F --- 2007-12-21 18:34

siskara · Jun 22, 2009

we fix something but not all

:bigthumb:virustotal and some others web pages are now ok, but safer-networking, malwarebytes, nod 32 - eset, and some more are still blocked....

shelf life · Jun 22, 2009

ok, run GMER again:

doubleclick the gmer icon to start.
if you get a message box that says:

warning!!
Gmer has found system modification....
do you want to fully scan your system?

--->select NO<---

then click on the "scan" button
Dont check the 'show all' option
gmer will scan computer.
If you get a Rootkit warning window during the scan: click OK
When finished click "Save" to save log to your desktop
Copy/Paste the saved Gmer log in your reply.

siskara · Jun 23, 2009

gmer.txt

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-24 00:19:53
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwClose [0xAACC9606]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateFile [0xAACC905A]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateKey [0xAACC8D3C]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateSection [0xAACCA652]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteKey [0xAACC8E46]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteValueKey [0xAACC8F30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAABCC14C]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwLoadDriver [0xAACC98CC]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwOpenFile [0xAACC9362]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAABCC64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAABCC08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAABCC0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAABCC76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAABCC72E]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwSetValueKey [0xAACC8BBA]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwTerminateProcess [0xAACC9814]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwWriteFile [0xAACC9494]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] ekqwsf <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@DisplayName Task Installer
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@Description Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf\Parameters@ServiceDll C:\WINDOWS\system32\itxlf.dll
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@DisplayName Task Installer
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@Description Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf\Parameters
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf\Parameters@ServiceDll C:\WINDOWS\system32\itxlf.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION 6013BED46240E7E816847E01A76B661D583E6AA8CD94DE9705991B1A99C421A6EA7327FAE797D3E68270E7748E83223AFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933BA7FD869164D6794A6A0AC4980AC7933FEBC9E127BECC74CA1AAF134A19346334F32F294DF176F45E439A07946096C955CC2981FDCACD795A93CC03AC6446DA4F4C08C2FAED0B094AB670B547AEAEFAC671ED14255AA8DC6969C2F360A1F9B7A80DEAE0A2ACFCB5896B8ECAC0556A72F92EB3CBFF487A0EFE9631B31F225698D8B63F5F2FEA626FEF062BE3CDB9065C880E44C5A17D77012BB69959460DDE1D7C168B121AF6F989E1D642B20446270C4E686AAB8E53750D5B7CDE3B182D2057A63CC612A1543707090FB92D95B970216918F33E4E34108849CF180BA6214C7B84636BD8CD844ED5153AD86CF908147545D0976CCE499D00F3DFC1846D63491FB5088B128791547C0844452C92874E337BD3939C492E35C8582D78CD18E49BE4EFEF1D9C0C95CA465D3C76D753AC9EC1EB62E7401E74BCAA1E5B1733B0CEC1E61E25F8A7E71C72387078C89E530DC6C096539D31C38FD35BC777C16C624C0F4079F84C86FEA845314F7A20A8E4C8F6120F66E389626ABA556DA6E711B8163FA396DD8D0038348BB9B93E505C9A1C6BC2BAC29B6502B8B1C1

---- EOF - GMER 1.0.15 ----

shelf life · Jun 24, 2009

ok we will use combofix again;

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:

Code:

File::
C:\WINDOWS\system32\itxlf.dll

Driver::
ekqwsf

NetSvcs::
ekqwsf

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ekqwsf]

Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon, both on your desktop
using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log when finished. Post the new combofix log.

siskara · Jun 24, 2009

combofix log

ComboFix 09-06-20.04 - Administrator 24.06.2009 17:16.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.1023.704 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090623-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\windows\system32\itxlf.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EKQWSF
-------\Service_ekqwsf

((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-06-23 20:46 . 2004-08-03 21:10 38912 -c--a-w- c:\windows\system32\dllcache\avc.sys
2009-06-23 20:45 . 2001-08-17 12:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2009-06-23 20:44 . 2001-08-17 12:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-06-16 18:58 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2009-06-13 14:56 . 2009-06-13 14:57 -------- d-----w- c:\windows\ERUNT
2009-06-13 14:53 . 2009-06-13 15:15 -------- d-----w- C:\SDFix
2009-06-12 16:23 . 2009-06-12 16:23 -------- d-s---w- c:\windows\Cookies
2009-06-11 21:29 . 2009-06-11 21:29 1915520 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-09 23:01 . 2009-06-09 23:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-09 23:00 . 2009-06-09 23:00 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-07 07:56 . 2009-06-07 07:56 -------- d-----w- c:\program files\Trend Micro
2009-06-04 19:33 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-06-04 19:33 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-06-04 19:33 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-06-04 19:33 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-06-04 19:33 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-06-04 19:33 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-06-04 19:33 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-06-04 19:33 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-06-04 19:33 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-06-04 19:32 . 2009-06-04 19:32 -------- d-----w- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 23:59 . 2008-12-29 17:51 -------- d-----w- c:\program files\WinClamAVShield
2009-06-21 23:56 . 2008-04-12 15:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Spyware Terminator
2009-06-21 23:56 . 2008-04-12 15:04 -------- d-----w- c:\program files\Spyware Terminator
2009-06-21 23:53 . 2008-01-07 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-06-14 18:30 . 2008-07-11 16:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-06-14 18:30 . 2009-05-12 19:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-06-12 16:13 . 2008-02-16 21:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager
2009-06-09 23:02 . 2007-10-25 20:22 -------- d-----w- c:\program files\Java
2009-06-08 16:49 . 2009-05-08 22:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-26 11:20 . 2009-05-08 22:17 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 11:19 . 2009-05-08 22:17 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-13 19:58 . 2008-02-16 21:01 -------- d-----w- c:\program files\Free Download Manager
2009-05-08 22:17 . 2009-05-08 22:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-08 22:17 . 2009-05-08 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-06 21:45 . 2006-10-20 17:08 44112 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-06 20:26 . 2006-10-20 16:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-03 00:33 . 2008-01-01 14:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-02 19:52 . 2009-05-02 19:52 -------- d-----w- c:\program files\MSSOAP
.

------- Sigcheck -------

[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2002-08-29 01:58 332928 244A2F9816BC9B593957281EF577D976 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-03 21:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB917953$\tcpip.sys
[7] 2004-08-03 21:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\system32\dllcache\tcpip.sys
[-] 2006-04-20 11:51 359808 B4E29943B4B04BD5E7381546848E6669 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 344064]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-05-08 1783808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 28672]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFileUrl"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\hl.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4.6.2009 21:33 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [12.4.2008 17:05 141312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4.6.2009 21:33 20560]
R3 PAC207;i-Look 111;c:\windows\system32\drivers\PFC027.SYS [29.6.2007 16:32 611584]
S2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [23.8.2001 14:00 14336]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\Windows Live\Messenger\usnsvc.exe [18.10.2007 11:31 98328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ba/
uInternet Settings,ProxyOverride = *.local
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: I&zvoz u Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Preuzmi odabrano Free Download Manager-om - file://c:\program files\Free Download Manager\dlselected.htm
IE: Preuzmi sa Free Download Managerom - file://c:\program files\Free Download Manager\dllink.htm
IE: Preuzmi sve sa Free Download Manager-om - file://c:\program files\Free Download Manager\dlall.htm
Trusted Zone: google.ba\www
Trusted Zone: live.com \www
Trusted Zone: safer-networking.org\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 17:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-1801674531-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,08,25,11,cc,ca,bd,4b,97,42,24,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,08,25,11,cc,ca,bd,4b,97,42,24,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,08,25,11,cc,ca,bd,4b,97,42,24,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="6013BED46240E7E816847E01A76B661D583E6AA8CD94DE9705991B1A99C421A6EA7327FAE797D3E68270E7748E83223AFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933BA7FD869164D6794A6A0AC4980AC7933FEBC9E127BECC74CA1AAF134A19346334F32F294DF176F45E439A07946096C955CC2981FDCACD795A93CC03AC6446DA4F4C08C2FAED0B094AB670B547AEAEFAC671ED14255AA8DC6969C2F360A1F9B7A80DEAE0A2ACFCB5896B8ECAC0556A72F92EB3CBFF487A0EFE9631B31F225698D8B63F5F2FEA626FEF062BE3CDB9065C880E44C5A17D77012BB69959460DDE1D7C168B121AF6F989E1D642B20446270C4E686AAB8E53750D5B7CDE3B182D2057A63CC612A1543707090FB92D95B970216918F33E4E34108849CF180BA6214C7B84636BD8CD844ED5153AD86CF908147545D0976CCE499D00F3DFC1846D63491FB5088B128791547C0844452C92874E337BD3939C492E35C8582D78CD18E49BE4EFEF1D9C0C95CA465D3C76D753AC9EC1EB62E7401E74BCAA1E5B1733B0CEC1E61E25F8A7E71C72387078C89E530DC6C096539D31C38FD35BC777C16C624C0F4079F84C86FEA845314F7A20A8E4C8F6120F66E389626ABA556DA6E711B8163FA396DD8D0038348BB9B93E505C9A1C6BC2BAC29B6502B8B1C114680B744A0005D9298180F0D60CAD3D25A70C8541869649ADD84179194D58A3486F24F3154BC3AD38340294776C58A93632252D06B65B37EF5E1D50302C958A979C55035424C265F1E94F1CD91F93F5AD5A0D5C22A2BF60DEFE7A4B469A7600113410988645EA9BEF41E769F4F2BC6477053BA95B9AF71A0617D66981436726DDA6EF9C608AABF1DA2A474A124A1EA2004E51E9551EBD7366ED2B4841D3F5046EB9AD96D4E6DDACA56BADD1E55A7E8CEF4494E74FC5A567053D55BB3F48FB284745913E02FE1DB3CD5B1DA3F7F0E71DDBEB0CDC71CFE89155CBD5C43E2F742C8B88040E9F14D9D8779A044168F28297FEC95D58862DB040EEC036A377E50A0D591A935B136F5E9E9AC63A997C84C2A09A0B35114D8FA4B6AF9E3EF74B3F0DF9166B37749EBA6814270194D9CC1D88072900ADE2CD8E75959105E8746C3B785083A40BE24DAAC9996D724A5DE662B2D59045DD3F594331CB2CBBB03DAC3868EE79EB5F9979B5BD80C0CACDC02F3A7A67EDAB6B6FA8DF3F6F0E082E5C41C43E803BABDCB611C0A5B704A9C52097E36D3C604E1C3A91E3F3EAF1380E9FA8AD6F8514A4707209E93323360A4185C6C4213B9856E6851EF35BC333FC67AD51E2E14ED9C84B6D6B85560E83536744878BAB58679314A2905F3B05FD22AB8953D3D061715EA986D54B2DD47400A61FC30947EFC8C41C0C8AEA0CA40CE45F95D20F78E30"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-24 17:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-24 15:27
ComboFix2.txt 2009-06-21 21:34
ComboFix3.txt 2009-06-21 21:12
ComboFix4.txt 2009-06-12 16:38
ComboFix5.txt 2009-06-24 15:14

Pre-Run: 27.283.005.440 bytes free
Post-Run: 27.268.726.784 bytes free

165 --- E O F --- 2007-12-21 18:34

siskara · Jun 24, 2009

safer-networking is still blank page

do we must run Gmer again?

siskara · Jun 24, 2009

windows update is also blank page well nott quite blank but ...

All this time I don't have updates, instead blank page internet browser give me google main page on english, but http://update.microsoft.com/ adress in up on adress bar.... and below on page is something else....

shelf life · Jun 25, 2009

Yes Gmer once again.

siskara · Jun 26, 2009

I think that is not complete

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-26 20:37:29
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwClose [0xAAC1D606]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateFile [0xAAC1D05A]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateKey [0xAAC1CD3C]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateSection [0xAAC1E652]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteKey [0xAAC1CE46]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteValueKey [0xAAC1CF30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAAB2014C]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwLoadDriver [0xAAC1D8CC]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwOpenFile [0xAAC1D362]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAAB2064E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAAB2008C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAAB200F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAAB2076E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAAB2072E]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwSetValueKey [0xAAC1CBBA]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwTerminateProcess [0xAAC1D814]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwWriteFile [0xAAC1D494]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION 6013BED46240E7E816847E01A76B661D583E6AA8CD94DE9705991B1A99C421A6EA7327FAE797D3E68270E7748E83223AFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933BA7FD869164D6794A6A0AC4980AC7933FEBC9E127BECC74CA1AAF134A19346334F32F294DF176F45E439A07946096C955CC2981FDCACD795A93CC03AC6446DA4F4C08C2FAED0B094AB670B547AEAEFAC671ED14255AA8DC6969C2F360A1F9B7A80DEAE0A2ACFCB5896B8ECAC0556A72F92EB3CBFF487A0EFE9631B31F225698D8B63F5F2FEA626FEF062BE3CDB9065C880E44C5A17D77012BB69959460DDE1D7C168B121AF6F989E1D642B20446270C4E686AAB8E53750D5B7CDE3B182D2057A63CC612A1543707090FB92D95B970216918F33E4E34108849CF180BA6214C7B84636BD8CD844ED5153AD86CF908147545D0976CCE499D00F3DFC1846D63491FB5088B128791547C0844452C92874E337BD3939C492E35C8582D78CD18E49BE4EFEF1D9C0C95CA465D3C76D753AC9EC1EB62E7401E74BCAA1E5B1733B0CEC1E61E25F8A7E71C72387078C89E530DC6C096539D31C38FD35BC777C16C624C0F4079F84C86FEA845314F7A20A8E4C8F6120F66E389626ABA556DA6E711B8163FA396DD8D0038348BB9B93E505C9A1C6BC2BAC29B6502B8B1C1

---- EOF - GMER 1.0.15 ----

shelf life · Jun 27, 2009

dont see anymore reference to the rootkit. No guarantees. Check MBAM for updates and do a scan with it and post the log. You use internet explorer for browsing?

siskara · Jun 28, 2009

check this

127.0.0.1 localhost
could be a virus

also and this below:

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION 6013BED46240E7E816847E01A76B661D583E6AA8CD94DE9705991B1A99C421A6EA7327FAE797D3E68270E7748E83223AFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933BA7FD869164D6794A6A0AC4980AC7933FEBC9E127BECC74CA1AAF134A19346334F32F294DF176F45E439A07946096C955CC2981FDCACD795A93CC03AC6446DA4F4C08C2FAED0B094AB670B547AEAEFAC671ED14255AA8DC6969C2F360A1F9B7A80DEAE0A2ACFCB5896B8ECAC0556A72F92EB3CBFF487A0EFE9631B31F225698D8B63F5F2FEA626FEF062BE3CDB9065C880E44C5A17D77012BB69959460DDE1D7C168B121AF6F989E1D642B20446270C4E686AAB8E53750D5B7CDE3B182D2057A63CC612A1543707090FB92D95B970216918F33E4E34108849CF180BA6214C7B84636BD8CD844ED5153AD86CF908147545D0976CCE499D00F3DFC1846D63491FB5088B128791547C0844452C92874E337BD3939C492E35C8582D78CD18E49BE4EFEF1D9C0C95CA465D3C76D753AC9EC1EB62E7401E74BCAA1E5B1733B0CEC1E61E25F8A7E71C72387078C89E530DC6C096539D31C38FD35BC777C16C624C0F4079F84C86FEA845314F7A20A8E4C8F6120F66E389626ABA556DA6E711B8163FA396DD8D0038348BB9B93E505C9A1C6BC2BAC29B6502B8B1C1

Malwarebytes did not found anything, nothing....

siskara · Jun 28, 2009

yes I use internet explorer

but situation is same with Opera or Modzilla....

Safer-networking.org is blank page

New member

Emeritus

New member

New member

New member

Emeritus

New member

New member

New member

Emeritus

New member

Emeritus

New member

New member

New member

Emeritus

New member

Emeritus

New member

New member