A friend of mine called me for assistance with her computer, and I went over to help her out.
Avast!'s registration had expired, and therefore something must have gotten in -- anyway, Avast! was disabled, and I couldn't run HJT (even with renaming it), nor MalwareBytes (again, even with renaming it). I renamed and ran ComboFix (because that was the only thing that would function); it detected rootkit activity, rebooted the computer, and then ran. I rebooted again and tried to run MWB or HJT again, no soap. I can't even rename them now; it says that access is denied. I tried running CFix again, but that didn't help. Stupidly, I didn't save the first log, so all I have is the log from the most recent run, included below.
I'm running XP in Safe Mode logged in as Administrator. No networking, no nothing - this box has been quarantined until we sort this.
Thanks in advance for your help,
MC
--ComboFix log follows:
ComboFix 09-09-28.01 - Kay1 09/29/2009 15:17.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.223.5 [GMT -7:00]
Running from: c:\documents and settings\Administrator.KAY\Desktop\cfix.exe
AV: avast! antivirus 4.8.1335 [VPS 090929-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))
.
2009-09-29 20:35 . 2009-09-29 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-29 20:35 . 2009-09-29 20:35 -------- d-----w- c:\documents and settings\Administrator.KAY\Application Data\SUPERAntiSpyware.com
2009-09-29 20:31 . 2009-09-29 20:31 -------- d-----w- c:\documents and settings\Administrator.KAY\Application Data\Malwarebytes
2009-09-29 20:31 . 2009-09-29 20:31 -------- d-----w- c:\program files\poo
2009-09-29 19:57 . 2009-09-29 19:57 -------- d-----w- c:\documents and settings\Kay1\Application Data\Malwarebytes
2009-09-29 19:57 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-29 19:57 . 2009-09-29 20:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-29 19:57 . 2009-09-29 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-29 19:57 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-28 05:10 . 2009-09-29 20:22 0 ----a-r- c:\windows\win32k.sys
2009-09-09 08:51 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-29 22:03 . 2009-02-07 21:49 256 ----a-w- c:\windows\system32\pool.bin
2009-09-29 21:34 . 2009-03-01 01:39 -------- d-----w- c:\program files\Trend Micro
2009-09-06 01:21 . 2005-04-11 13:48 34528 ----a-w- c:\documents and settings\Kay1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-29 02:28 . 2009-08-20 19:58 -------- d-----w- c:\program files\eGames
2009-08-23 00:18 . 2009-08-23 00:18 -------- d-----w- c:\program files\MSBuild
2009-08-23 00:18 . 2009-08-23 00:18 -------- d-----w- c:\program files\Reference Assemblies
2009-08-22 23:58 . 2009-08-22 23:58 4096 ----a-w- c:\windows\d3dx.dat
2009-08-05 09:01 . 2003-03-31 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 19:21 . 2004-08-16 00:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-09-29_21.12.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-29 22:03 . 2009-09-29 22:03 16384 c:\windows\Temp\Perflib_Perfdata_528.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-8-17 1447184]
ZDWLan Utility.lnk - c:\program files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [2008-5-3 471040]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2/28/2009 7:18 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/28/2009 7:18 PM 20560]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ADMINI~1.KAY\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\ADMINI~1.KAY\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ADMINI~1.KAY\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\docume~1\ADMINI~1.KAY\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S3 SASENUM;SASENUM;\??\c:\docume~1\ADMINI~1.KAY\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\ADMINI~1.KAY\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2009-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://m.www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mStart Page = hxxp://qwest.live.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-29 15:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3384)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-09-29 15:28
ComboFix-quarantined-files.txt 2009-09-29 22:28
ComboFix2.txt 2009-09-29 21:26

Pre-Run: 27,014,672,384 bytes free
Post-Run: 26,986,725,376 bytes free

99 --- E O F --- 2009-09-09 10:05
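A small parser for the "Files Created" entries of a ComboFix log, added here as an example (it is not part of the original post and not ComboFix's own code), that flags entries worth a closer look: zero-byte files with executable extensions, and files carrying the name of a kernel component but sitting outside system32. The sample lines are copied from the log above; the SYSTEM32_ONLY list is an illustrative assumption, not an exhaustive reference.

```python
import re
from collections import namedtuple
from pathlib import PureWindowsPath

# Sample input: entries copied from the "Files Created" section of the log above.
SAMPLE_ENTRIES = r"""
2009-09-29 19:57 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-29 19:57 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-28 05:10 . 2009-09-29 20:22 0 ----a-r- c:\windows\win32k.sys
2009-09-09 08:51 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-29 20:31 . 2009-09-29 20:31 -------- d-----w- c:\program files\poo
"""

# Entry layout: <created> . <modified> <size or --------> <attrs> <path>
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) ([-a-z]{8}) (.+)$"
)

# Assumption (illustrative list): components that belong in %SystemRoot%\system32.
SYSTEM32_ONLY = {"win32k.sys", "ntoskrnl.exe", "hal.dll", "ntdll.dll"}

# size is None for directories (ComboFix prints "--------" instead of a size)
Entry = namedtuple("Entry", "created modified size attrs path")

def parse_entries(text: str) -> list:
    """Parse file-list lines; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            created, modified, size, attrs, path = m.groups()
            size = None if size.startswith("-") else int(size)
            entries.append(Entry(created, modified, size, attrs, path))
    return entries

def triage(entries: list) -> dict:
    """Return {path: [reasons]} for entries an analyst should inspect by hand."""
    findings = {}
    for e in entries:
        p = PureWindowsPath(e.path)
        name, parent = p.name.lower(), str(p.parent).lower()
        reasons = []
        if not e.attrs.startswith("d") and e.size == 0 and name.endswith((".sys", ".exe", ".dll")):
            reasons.append("zero-byte executable/driver")
        if name in SYSTEM32_ONLY and not parent.endswith("\\system32"):
            reasons.append("system component name outside system32")
        if reasons:
            findings[e.path] = reasons
    return findings
```

Run it over the full log section by pasting the entries into SAMPLE_ENTRIES; anything flagged is a lead to verify, not a verdict.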