Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Trojan.rookit/gen

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Trojan.rookit/gen

Unread postby Patryn38 » April 24th, 2010, 3:45 pm

Hi. I have been infected with a nasty and difficult to remove Trojan. It is not allowing me to do certain searches without redirecting me to other sites. It also has the Windows Security center totally turned off.

The Items that show on my current scans are: Trojan.Agent/Gen and Trojan.Rootkit/Gen

Here are the HJT logs and Uninstall logs you require:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:44 PM, on 4/24/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: C:\Windows\system32\hl1ap.dll - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\Windows\system32\hl1ap.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [mcexecwin] rundll32.exe C:\Users\Brian\AppData\Local\Temp\t5mulcv.dll, RestoreWindows
O4 - HKCU\..\Run: [tolrpm] RUNDLL32.EXE C:\Users\Brian\AppData\Local\Temp\mseltall.dll,w
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O22 - SharedTaskScheduler: kjsfi8sjefiuoshiefyhiusdhfdf - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\Windows\system32\hl1ap.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

--
End of file - 4971 bytes



Acronis True Image Home
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
CDDRV_Installer
Creative ALchemy
Creative Audio Control Panel
Creative Console Launcher
Creative MediaSource 5
Creative Software AutoUpdate
Creative Sound Blaster Properties
Creative System Information
Dream Aquarium
EVEREST Ultimate Edition v4.50
Gigabyte Raid Configurer
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java(TM) 6 Update 13
Java(TM) SE Runtime Environment 6
KhalInstallWrapper
Logitech SetPoint
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.9)
Nero 7 Essentials
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA PhysX v8.10.13
OpenAL
Paint Shop Pro 6.0 (ESD)
PVSonyDll
QuickTime
RivaTuner v2.09
Sound Blaster X-Fi
SUPERAntiSpyware Free Edition
System Requirements Lab
Ultimate Extras sounds from Microsoft® Tinker™
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Ventrilo Client
Volume Panel
Windows Sound Schemes
WinRAR archiver
World of Warcraft




Thank you for any help you may be able to provide.
Patryn38
Regular Member
 
Posts: 26
Joined: April 24th, 2010, 3:28 pm
Advertisement
Register to Remove

Re: Trojan.rookit/gen

Unread postby MWR 3 day Mod » April 27th, 2010, 6:31 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Trojan.rookit/gen

Unread postby xixo_12 » April 28th, 2010, 9:43 am

Hello and Welcome to Malware Removal Forums.
  • My name is xixo_12 and I will guide you.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • You may wish to print them off or copy the instruction into Notepad.
  • If you have any question please don't hesitate to ask.
  • The instructions that I will give to you are specific to your current problem and shouldn't be used on other systems.
  • If you are receiving help or have received help on this problem elsewhere, please let us know.
  • Keep interact with me until your computer is clean.

Please make sure you have done your reading on this topic : How to get help at this forum
Please! If you need more time to do all the instructions, let me know before 72hours is done. Otherwise, your thread will be closed
***Note : Windows Vista require user to right click > Run as Administrator to use the tools.

First,
No Antivirus!.
  • Antivirus help you to give the maximum protection for the system.
  • You are advice to have only one antivirus running on the system.
  • Please consider one of this program and install it now:

Next,
Reboot into the usual account.

Next,
RSIT by random/random.
Please download from HERE and save to the desktop.
  • Right click on RSIT.exe > Run as Administrator to run the tool.
  • Click Continue at the disclaimer screen.
  • Once it finishes, two logs will open.
    • log.txt will be opened maximized
    • info.txt will be opened minimized
  • Please post the contents of both logs in your next post.
***You can find manually the log at C:\rsit

Next,
GMER.
Please download from HERE and save to the desktop.
  • Unzip/extract the file to its own folder.
  • Disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Right click on Gmer.exe > Run as Administrator to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan,click NO.
  • Click on >>> symbol and choose on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE"
Important! Please do not select the "Show all" checkbox during the scan..

Next,
Checklist.
Please post.
  • Content of log.txt and info.txt (Find both in c:\rsit)
  • Content of GMER.txt
User avatar
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Trojan.rookit/gen

Unread postby Patryn38 » April 28th, 2010, 4:09 pm

Ok. I ran into a few issues attempting to do what was requested.

I first tried to install Avast, but each time it would crash my computer before it finished installing. I tried 3 times before I figured I was getting nowhere. I assumed my current issues were preventing it from installing, so decided to skip it for now and install it after I was clean.

I next downloaded and ran RSIT as instructed. Shortly after starting the program produced and error message and stops. This happened only a few seconds into the scan. I also tried to run this 3 times, and got the same error each time. The error I received was as follows:
AutoIt Error
Line-1:
Error: Subscript used with non-Array variable

RSIT did still produce a log.txt, so I will include in this post what it contained. There is no info.txt though. I'm guessing that's because it did not complete?

Next I downloaded and extracted GMER as instructed. I ran it according to your instructions and I did receive the warning about rootkit activity. The scan continued, but within 15 seconds or so it crashed my computer. After reboot I attempted the process again, with the same results.

At this point I decided to start back at the beginning. I this time chose AntiVir and installed it. AntiVir installed and ran without a problem. It found the threats that made me seek help here, but said it could not delete/quarantine them. So I now have an Antivirus installed, and it confirmed my problems. :cry:

After the antivirus installation I again tried the other steps you listed. RSIT ended up with the same results as before. GMER now ran without a problem and I have the full scan txt for that.

Here is the RSIT log.txt that I do have, followed by the GMER text. I apologize if any of the above sounds confusing, but believe me, I am confused at this point. :?:
Again, thank you for your help.



Logfile of random's system information tool 1.06 (written by random/random)
Run by Brian at 2010-04-28 15:21:43
Microsoft® Windows Vista™ Ultimate Service Pack 2
System drive C: has 209 GB (66%) free of 314 GB
Total RAM: 3326 MB (66% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:48 PM, on 4/28/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Brian\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Brian.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [mcexecwin] rundll32.exe C:\Users\Brian\AppData\Local\Temp\t5mulcv.dll, RestoreWindows
O4 - HKCU\..\Run: [tolrpm] RUNDLL32.EXE C:\Users\Brian\AppData\Local\Temp\mseltall.dll,w
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

--
End of file - 5573 bytes

======Scheduled tasks folder======

C:\Windows\tasks\At1.job
C:\Windows\tasks\At10.job
C:\Windows\tasks\At11.job
C:\Windows\tasks\At12.job
C:\Windows\tasks\At13.job
C:\Windows\tasks\At14.job
C:\Windows\tasks\At15.job
C:\Windows\tasks\At16.job
C:\Windows\tasks\At17.job
C:\Windows\tasks\At18.job
C:\Windows\tasks\At19.job
C:\Windows\tasks\At2.job
C:\Windows\tasks\At20.job
C:\Windows\tasks\At21.job
C:\Windows\tasks\At22.job
C:\Windows\tasks\At23.job
C:\Windows\tasks\At24.job
C:\Windows\tasks\At3.job
C:\Windows\tasks\At4.job
C:\Windows\tasks\At5.job
C:\Windows\tasks\At6.job
C:\Windows\tasks\At7.job
C:\Windows\tasks\At8.job
C:\Windows\tasks\At9.job
C:\Windows\tasks\NOIMJHYS.job
C:\Windows\tasks\ParetoLogic Registration.job

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"TrueImageMonitor.exe"=C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [2006-10-17 1164912]
"AcronisTimounterMonitor"=C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe [2006-10-17 1941784]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-03-26 142120]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2010-03-02 282792]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-11 1233920]
"mcexecwin"=C:\Users\Brian\AppData\Local\Temp\t5mulcv.dll, RestoreWindows []
"tolrpm"=C:\Users\Brian\AppData\Local\Temp\mseltall.dll,w []
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2010-04-01 2010864]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe


**************************************************

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-28 15:38:44
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Brian\AppData\Local\Temp\aglcqpow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x953AD320] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 621 81CE8D84 4 Bytes [20, D3, 3A, 95]
.pak2 C:\Windows\System32\Drivers\stkak.sys entry point in ".pak2" section [0x8227F4E0]
? C:\Windows\System32\Drivers\stkak.sys A device attached to the system is not functioning.
.rsrc C:\Windows\system32\DRIVERS\mouclass.sys entry point in ".rsrc" section [0x905DE014]

---- User code sections - GMER 1.0.15 ----

? C:\Windows\System32\svchost.exe[3144] image checksum mismatch; time/date stamp mismatch;
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] ntdll.dll!NtQueryInformationProcess 776E4E54 5 Bytes JMP 01DD0DED
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] WS2_32.dll!closesocket 7786330C 5 Bytes JMP 01DBC549
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] WS2_32.dll!recv 7786343A 5 Bytes JMP 01DBC300
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] WS2_32.dll!GetAddrInfoW 77863D12 5 Bytes JMP 01DBB90E
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] WS2_32.dll!getaddrinfo 7786418A 5 Bytes JMP 01DBB833
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] WS2_32.dll!WSASend 77864496 5 Bytes JMP 01DBC3A7
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] WS2_32.dll!send 7786659B 5 Bytes JMP 01DBC25D
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] WS2_32.dll!WSARecv 77868400 5 Bytes JMP 01DBC465
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] WS2_32.dll!WSAAsyncGetHostByName 77875FB9 5 Bytes JMP 01DBBBA6
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] WS2_32.dll!gethostbyname 778762D4 5 Bytes JMP 01DBB779
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] USER32.dll!DrawTextExW 75E791CE 5 Bytes JMP 01DBCB0A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] USER32.dll!DrawTextW 75E797D3 5 Bytes JMP 01DBC94C
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] USER32.dll!DrawTextA 75E8558D 5 Bytes JMP 01DBC873
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] USER32.dll!DrawTextExA 75E855C4 5 Bytes JMP 01DBCA25
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] USER32.dll!DialogBoxParamW 75E910B0 5 Bytes JMP 01DBBC7E
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] USER32.dll!SetClipboardData 75EA6410 5 Bytes JMP 01DBC5D4
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] GDI32.dll!ExtTextOutW 7789872B 5 Bytes JMP 01DBCCD1
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] GDI32.dll!GetGlyphIndicesW 7789B765 5 Bytes JMP 01DBD143
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] GDI32.dll!ExtTextOutA 778A00A5 5 Bytes JMP 01DBCBEF
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] GDI32.dll!TextOutA 778A0BAB 5 Bytes JMP 01DBC6DF
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] GDI32.dll!TextOutW 778A0D6D 5 Bytes JMP 01DBC7A9
.text C:\Program Files\Mozilla Firefox\firefox.exe[4756] GDI32.dll!GetGlyphIndicesA 778B9DC0 5 Bytes JMP 01DBD07C

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\services.exe[740] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00130002
IAT C:\Windows\system32\services.exe[740] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00130000
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!HeapSetInformation] 51EC8B55
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 1845DB51
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!CreateActCtxW] F855DD56
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ReleaseActCtx] E8084DDC
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 000004D2
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrlenW] FF184589
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] 40516015
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!InterlockedExchange] F845DD00
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 8B104DDC
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] 1865DAF0
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetModuleHandleA] 0004B9E8
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 8BC88B00
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetTickCount] F74199C6
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] C28B5EF9
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] C9184503
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 6015FFC3
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!TerminateProcess] 8B004051
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 2B08244C
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] 9904244C
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] 8BF9F741
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ExitProcess] 244403C2
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetProcessAffinityUpdateMode] FF56C304
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 244C8B00
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetErrorMode] [748D9908] C:\Windows\System32\WINMM.dll (MCI API DLL/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!HeapFree] 2BC28B5E
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 244403C1
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LocalFree] 15FFC308
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!CloseHandle] [00405160] C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 04244C8B
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] F9F74199
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] FFC3C28B
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 40516015
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!Sleep] 646A9900
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetProcAddress] 33F9F759
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!DeactivateActCtx] 24543BC0
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] C09C0F04
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetLastError] EC8B55C3
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ActivateActCtx] 0204EC81
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrcmpW] 00000100
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] 8B590040
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__p__commode] 8D500000
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_adjust_fdiv] FFFEFC8D
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__setusermatherr] C93351FF
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_amsg_exit] 558D5151
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_initterm] 8D5052FC
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!exit] FFFDFC85
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__p__fmode] FF5150FF
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_exit] 40504415
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!memcpy] 56216A00
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!memset] FFFC75FF
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__set_app_type] 40515C15
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!?terminate@@YAXXZ] 0CC48300
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_except_handler4_common] C01BD8F7
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_controlfp] C95EC623
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_cexit] EC8B55C3
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__wgetmainargs] 458B5151
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_XcptFilter] 33565308
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 33FC7589
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 01518DFF
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] 8441198A
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] 2BF975DB
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 802974CA
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 7420063C
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] [75FF850A] C:\Windows\system32\urlmon.dll (OLE32 Extensions for Win32/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!RegDisablePredefinedCacheEx] 45FF470C
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 8A01518D
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] DB844119
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] CA2BF975
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] D772F13B
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 5FFC458B
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] C3C95B5E
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 56530CEC
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 68F63357
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlCopySid] 00000400
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] FFF87589
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 40515815
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] 085D8B00
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlInitializeSid] C38BF88B
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] FC758959
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSetProcessIsCritical] 8D0007C6
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 108A0148
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlInitializeCriticalSection] 75D28440
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerListen] 1E048D66
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] 74203880
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] FC7D8328
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] FF0A7500
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 45C7F845
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 000001FC
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] 0C4D8B00
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] F84D3941
IAT C:\Windows\System32\svchost.exe[3144] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 016A3275

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85F60130

AttachedDevice \Driver\tdx \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device -> \Driver\iaStorV \Device\Harddisk0\DR0 87503AC8

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] stkak <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\stkak@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\stkak@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\stkak@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\stkak@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\stkak@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\stkak@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\stkak@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\stkak@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\stkak@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\stkak@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\stkak@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\stkak@Group Boot Bus Extender

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\DRIVERS\mouclass.sys suspicious modification
File C:\Windows\system32\drivers\iaStorV.sys suspicious modification

---- EOF - GMER 1.0.15 ----
Patryn38
Regular Member
 
Posts: 26
Joined: April 24th, 2010, 3:28 pm

Re: Trojan.rookit/gen

Unread postby xixo_12 » April 28th, 2010, 6:56 pm

Hi,
Ok, no worries.
Please proceed with this one.

First,
ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links)
Save as Combo-Fix.exe <<Please have a look on the file name. You have to change.
Link 1
Link 2

**IMPORTANT !!! Save Combo-Fix.exe to your Desktop**
  • Disable your AntiVirus/AntiSpyware/Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Right click on Combo-Fix.exe > Run as Administrator & follow the prompts
  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Next,
Checklist.
Please post.
  • Content of ComboFix.txt
User avatar
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Trojan.rookit/gen

Unread postby Patryn38 » April 28th, 2010, 11:42 pm

ComboFix installed and run successfully. Here is the contents of the log:


ComboFix 10-04-28.03 - Brian 04/28/2010 23:30:08.1.4 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3326.2119 [GMT -4:00]
Running from: c:\users\Brian\Desktop\Combo-Fix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-51003140-4199384537-3980697693-500
c:\programdata\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor
c:\programdata\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
c:\recycler\S-1-5-21-790525478-117609710-682003330-1003
c:\users\Brian\AppData\Local\{CE8D7388-8226-473C-BA4B-E1A4B2C05471}
c:\users\Brian\AppData\Local\{CE8D7388-8226-473C-BA4B-E1A4B2C05471}\chrome.manifest
c:\users\Brian\AppData\Local\{CE8D7388-8226-473C-BA4B-E1A4B2C05471}\chrome\content\_cfg.js
c:\users\Brian\AppData\Local\{CE8D7388-8226-473C-BA4B-E1A4B2C05471}\chrome\content\overlay.xul
c:\users\Brian\AppData\Local\{CE8D7388-8226-473C-BA4B-E1A4B2C05471}\install.rdf
c:\users\Brian\AppData\Local\Microsoft\Windows\Temporary Internet Files\22Au6Tb.jpg
c:\users\Brian\AppData\Local\Microsoft\Windows\Temporary Internet Files\8y3uc5.jpg
c:\users\Brian\AppData\Local\Microsoft\Windows\Temporary Internet Files\OwTEJ2d.jpg
c:\users\Brian\AppData\Local\Microsoft\Windows\Temporary Internet Files\Uck0U.jpg
c:\users\Brian\AppData\Roaming\FD8773E1EB6688BA39BEF89B0E56062A
c:\users\Brian\AppData\Roaming\FD8773E1EB6688BA39BEF89B0E56062A\enemies-names.txt
c:\users\Brian\AppData\Roaming\FD8773E1EB6688BA39BEF89B0E56062A\lsrslt.ini
c:\windows\system32\cthelper .exe
c:\windows\system32\ctxfihlp .exe
c:\windows\updreg .exe

Infected copy of c:\windows\system32\drivers\mouclass.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-29 03:35 . 2010-04-29 03:36 -------- d-----w- c:\users\Brian\AppData\Local\temp
2010-04-29 03:35 . 2010-04-29 03:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-28 18:05 . 2010-04-28 18:05 -------- d-----w- c:\programdata\Avira
2010-04-28 18:05 . 2010-04-28 18:05 -------- d-----w- c:\program files\Avira
2010-04-28 18:05 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-28 18:05 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-28 18:05 . 2009-05-11 16:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-28 18:05 . 2009-05-11 16:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-28 17:50 . 2010-04-28 17:50 -------- d-----w- C:\Gmer
2010-04-28 17:45 . 2010-04-28 17:45 -------- d-----w- C:\rsit
2010-04-28 17:23 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-28 17:23 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-28 17:23 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-28 17:23 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-28 17:23 . 2010-04-14 16:31 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-04-28 17:23 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-28 17:23 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-28 17:23 . 2010-04-28 17:23 -------- d-----w- c:\programdata\Alwil Software
2010-04-28 17:23 . 2010-04-28 17:23 -------- d-----w- c:\program files\Alwil Software
2010-04-24 19:35 . 2010-04-24 19:35 -------- d-----w- c:\program files\Trend Micro
2010-04-21 22:02 . 2010-04-21 22:02 125952 ----a-w- c:\programdata\ParetoLogic\UUS2\Temp\Update.exe
2010-04-21 22:02 . 2010-04-22 00:16 3347488 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-21 21:59 . 2010-04-22 00:15 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-04-21 21:58 . 2010-04-22 00:15 -------- d-----w- c:\programdata\ParetoLogic
2010-04-21 21:58 . 2010-04-21 21:58 -------- d-----w- c:\users\Brian\AppData\Local\Downloaded Installations
2010-04-21 02:54 . 2010-04-21 02:54 52224 ----a-w- c:\users\Brian\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-21 02:54 . 2010-04-25 13:11 117760 ----a-w- c:\users\Brian\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-21 02:53 . 2010-04-21 02:53 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-21 02:53 . 2010-04-21 02:53 65024 ----a-r- c:\users\Brian\AppData\Roaming\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2010-04-21 02:53 . 2010-04-21 02:53 5120 ----a-r- c:\users\Brian\AppData\Roaming\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
2010-04-21 02:53 . 2010-04-21 02:53 18944 ----a-r- c:\users\Brian\AppData\Roaming\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2010-04-21 02:53 . 2010-04-21 02:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-21 02:53 . 2010-04-21 02:53 -------- d-----w- c:\users\Brian\AppData\Roaming\SUPERAntiSpyware.com
2010-04-21 02:27 . 2010-04-21 02:28 -------- d-----w- c:\program files\NVIDIA Corporation
2010-04-21 01:16 . 2010-04-21 01:16 148 ----a-w- c:\windows\system32\565488.BAT
2010-04-21 01:02 . 2010-04-21 01:02 120 ----a-w- c:\users\Brian\AppData\Local\Qzojayew.dat
2010-04-21 01:02 . 2010-04-21 01:02 0 ----a-w- c:\users\Brian\AppData\Local\Ddepazalebinurif.bin
2010-04-21 01:01 . 2010-04-21 01:01 148 ----a-w- c:\windows\system32\16349513.BAT
2010-04-21 01:01 . 2010-04-29 03:36 823808 ----a-w- c:\windows\system32\drivers\stkak.sys
2010-04-21 01:00 . 2010-04-21 01:00 70656 --sha-r- c:\windows\system32\msvcrte.dll
2010-04-15 00:40 . 2010-04-15 01:11 -------- d-----w- c:\users\Brian\AppData\Roaming\Apple Computer
2010-04-15 00:40 . 2010-04-15 00:40 -------- d-----w- c:\users\Brian\AppData\Local\Apple Computer
2010-04-15 00:40 . 2010-04-15 00:40 -------- dc----w- c:\windows\system32\DRVSTORE
2010-04-15 00:40 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-04-15 00:40 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-04-15 00:39 . 2010-04-15 00:39 -------- d-----w- c:\program files\iPod
2010-04-15 00:39 . 2010-04-15 00:40 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-15 00:39 . 2010-04-26 18:32 -------- d-----w- c:\program files\iTunes
2010-04-15 00:38 . 2010-04-21 02:18 -------- d-----w- c:\program files\QuickTime
2010-04-15 00:38 . 2010-04-15 00:39 -------- d-----w- c:\programdata\Apple Computer
2010-04-15 00:38 . 2010-04-15 00:38 -------- d-----w- c:\users\Brian\AppData\Local\Apple
2010-04-15 00:38 . 2010-04-15 00:38 -------- d-----w- c:\program files\Apple Software Update
2010-04-15 00:37 . 2010-04-15 00:37 -------- d-----w- c:\program files\Bonjour
2010-04-15 00:37 . 2010-04-15 00:39 -------- d-----w- c:\program files\Common Files\Apple
2010-04-15 00:37 . 2010-04-15 00:37 -------- d-----w- c:\programdata\Apple
2010-04-13 18:54 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-13 18:54 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-13 18:54 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-13 18:54 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-13 18:54 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-13 18:54 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-13 18:54 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-13 18:54 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-13 18:54 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-13 18:54 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 18:54 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-06 15:35 . 2010-04-06 15:36 -------- d-----w- c:\users\Brian\AppData\Local\Adobe
2010-04-06 15:33 . 2010-04-06 15:33 -------- d-----w- c:\program files\Common Files\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-29 00:08 . 2010-04-21 02:28 34901 ----a-w- c:\programdata\nvModes.dat
2010-04-24 20:50 . 2009-01-18 20:18 34360 ----a-w- c:\windows\system32\drivers\mouclass.sys
2010-04-24 19:26 . 2009-04-28 21:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-24 19:26 . 2009-04-28 21:40 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-22 00:16 . 2010-04-21 22:02 46952 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-21 02:53 . 2009-01-17 20:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-21 02:36 . 2009-01-17 20:35 -------- d-----w- c:\programdata\NVIDIA
2010-04-21 02:18 . 2009-01-18 16:56 -------- d-----w- c:\program files\RivaTuner v2.09
2010-04-21 01:34 . 2009-04-23 23:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-21 01:34 . 2009-06-21 14:16 5918776 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-19 20:49 . 2010-04-19 20:49 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-04-13 23:26 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-31 23:04 . 2009-01-20 04:15 196608 ----a-w- c:\users\Brian\AppData\Roaming\Acreon\WowMatrix\Libraries\wmweb.dll
2010-03-31 23:04 . 2009-01-20 04:15 258048 ----a-w- c:\users\Brian\AppData\Roaming\Acreon\WowMatrix\Libraries\wmzip.dll
2010-03-30 04:46 . 2009-04-23 23:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-04-23 23:16 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 05:48 . 2010-03-26 05:48 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-03-16 06:15 . 2010-03-16 06:15 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-03-16 06:15 . 2010-03-16 06:15 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-03-16 06:15 . 2010-03-16 06:15 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-03-16 06:14 . 2010-03-16 06:14 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-03-16 06:14 . 2010-03-16 06:14 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-03-04 17:50 . 2010-03-04 17:50 261152 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2010-02-24 22:53 . 2009-01-17 19:54 49168 ----a-w- c:\users\Brian\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 14:16 . 2009-10-02 19:36 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-03-30 21:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-30 21:28 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-30 21:28 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-30 21:28 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-11 22:19 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 22:19 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 22:19 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-12 15:46 . 2010-02-12 15:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46 . 2010-02-12 15:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-03 16:24 . 2010-02-03 16:24 94208 ----a-w- c:\windows\system32\RTNUninst32.dll
2007-06-25 20:43 . 2006-11-22 14:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
Code: Select all
<pre>
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Common Files\Acronis\Schedule2\schedhlp .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Ahead\Lib\nerocheck .exe
c:\program files\Common Files\Ahead\Lib\nmbgmonitor .exe
c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\volpanlu .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\RivaTuner v2.09\rivatunerwrapper .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-17 1164912]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-17 1941784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-2-21 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):d3,67,c3,7a,9a,33,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2159073726-709688122-2792182354-1000]
"EnableNotificationsRef"=dword:00000001

R2 aswFsBlk;aswFsBlk;aswFsBlk.sys [x]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-01-18 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-01-18 79360]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [2008-10-08 171032]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [2008-10-08 1324056]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [2008-10-08 72728]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
R3 scsichk;scsichk;c:\windows\system32\scsichk.sys [x]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-04-14 51792]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [2008-10-08 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [2008-10-08 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [2008-10-08 72728]


--- Other Services/Drivers In Memory ---

*Deregistered* - stkak

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-12 01:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 18:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\fdnk086e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/defaulta.aspx
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-28 23:36
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wttufwqsqheyxfx]
"imagepath"="\??\c:\windows\TEMP\6CDA.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\stkak]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(752)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-04-28 23:37:48
ComboFix-quarantined-files.txt 2010-04-29 03:37

Pre-Run: 218,547,834,880 bytes free
Post-Run: 218,649,997,312 bytes free

- - End Of File - - E551AA1798EC6439677AD688D7F0D2C5
Patryn38
Regular Member
 
Posts: 26
Joined: April 24th, 2010, 3:28 pm

Re: Trojan.rookit/gen

Unread postby xixo_12 » April 29th, 2010, 7:23 am

Hi,
Let's proceed.
Do update about your system behaviour.

First,
CFScript
  • Close any open browsers.
  • Open notepad and copy/paste the text in the code box below into it:
    Code: Select all
    Driver::
    wttufwqsqheyxfx
    stkak
    scsichk
    File::
    c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
    c:\program files\Common Files\Acronis\Schedule2\schedhlp .exe
    c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
    c:\program files\Common Files\Ahead\Lib\nerocheck .exe
    c:\program files\Common Files\Ahead\Lib\nmbgmonitor .exe
    c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\volpanlu .exe
    c:\program files\iTunes\ituneshelper .exe
    c:\program files\Java\jre6\bin\jusched .exe
    c:\program files\QuickTime\qttask   .exe
    c:\program files\RivaTuner v2.09\rivatunerwrapper .exe
    c:\program files\Spybot - Search & Destroy\teatimer .exe
    c:\windows\system32\drivers\stkak.sys
    c:\windows\system32\scsichk.sys
    AtJob::
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Disable your AntiVirus/AntiSpyware/Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
    Image
  • Refering to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Next,
Malwarebytes' Anti-Malware - Run
  • Right click on Malwarebytes' Anti-Malware icon > Run as Administrator to run the program.
  • Click on Update tab > Check for Updates.
  • Once done, click on Scanner tab, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
    Image
  • Refer to above image and then click Remove Selected to proceed.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.


Next,
Checklist.
Please post.
  • Content of ComboFix.txt
  • Content of MBAM log
User avatar
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Trojan.rookit/gen

Unread postby Patryn38 » April 29th, 2010, 4:21 pm

Hi,
My system is generally working fine. My boot process is faster, and shutdown is much faster after these various programs have been run. I have not tried to do too much else as I'd like to be clean before I start entering passwords into sites.

Here is the information you requested from your last set of instructions.


ComboFix 10-04-28.03 - Brian 04/29/2010 14:54:15.2.4 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3326.2255 [GMT -4:00]
Running from: c:\users\Brian\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Brian\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe"
"c:\program files\Common Files\Acronis\Schedule2\schedhlp .exe"
"c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe"
"c:\program files\Common Files\Ahead\Lib\nerocheck .exe"
"c:\program files\Common Files\Ahead\Lib\nmbgmonitor .exe"
"c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\volpanlu .exe"
"c:\program files\iTunes\ituneshelper .exe"
"c:\program files\Java\jre6\bin\jusched .exe"
"c:\program files\QuickTime\qttask .exe"
"c:\program files\RivaTuner v2.09\rivatunerwrapper .exe"
"c:\program files\Spybot - Search & Destroy\teatimer .exe"
"c:\windows\system32\drivers\stkak.sys"
"c:\windows\system32\scsichk.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Common Files\Acronis\Schedule2\schedhlp .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Ahead\Lib\nerocheck .exe
c:\program files\Common Files\Ahead\Lib\nmbgmonitor .exe
c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\volpanlu .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask .exe
c:\program files\RivaTuner v2.09\rivatunerwrapper .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\windows\system32\drivers\stkak.sys . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SCSICHK
-------\Legacy_STKAK
-------\Service_scsichk
-------\Service_stkak
-------\Service_wttufwqsqheyxfx


((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-29 18:58 . 2010-04-29 19:01 -------- d-----w- c:\users\Brian\AppData\Local\temp
2010-04-29 18:58 . 2010-04-29 18:58 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-29 18:58 . 2010-04-29 18:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-29 18:51 . 2010-04-29 18:51 -------- d-----w- C:\32788R22FWJFW
2010-04-28 18:05 . 2010-04-28 18:05 -------- d-----w- c:\programdata\Avira
2010-04-28 18:05 . 2010-04-28 18:05 -------- d-----w- c:\program files\Avira
2010-04-28 18:05 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-28 18:05 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-28 18:05 . 2009-05-11 16:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-28 18:05 . 2009-05-11 16:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-28 17:50 . 2010-04-28 17:50 -------- d-----w- C:\Gmer
2010-04-28 17:45 . 2010-04-28 17:45 -------- d-----w- C:\rsit
2010-04-28 17:23 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-28 17:23 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-28 17:23 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-28 17:23 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-28 17:23 . 2010-04-14 16:31 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-04-28 17:23 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-28 17:23 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-28 17:23 . 2010-04-28 17:23 -------- d-----w- c:\programdata\Alwil Software
2010-04-28 17:23 . 2010-04-28 17:23 -------- d-----w- c:\program files\Alwil Software
2010-04-24 19:35 . 2010-04-24 19:35 -------- d-----w- c:\program files\Trend Micro
2010-04-21 22:02 . 2010-04-21 22:02 125952 ----a-w- c:\programdata\ParetoLogic\UUS2\Temp\Update.exe
2010-04-21 22:02 . 2010-04-22 00:16 3347488 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-21 21:59 . 2010-04-22 00:15 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-04-21 21:58 . 2010-04-22 00:15 -------- d-----w- c:\programdata\ParetoLogic
2010-04-21 21:58 . 2010-04-21 21:58 -------- d-----w- c:\users\Brian\AppData\Local\Downloaded Installations
2010-04-21 02:54 . 2010-04-21 02:54 52224 ----a-w- c:\users\Brian\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-21 02:54 . 2010-04-25 13:11 117760 ----a-w- c:\users\Brian\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-21 02:53 . 2010-04-21 02:53 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-21 02:53 . 2010-04-21 02:53 65024 ----a-r- c:\users\Brian\AppData\Roaming\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2010-04-21 02:53 . 2010-04-21 02:53 5120 ----a-r- c:\users\Brian\AppData\Roaming\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
2010-04-21 02:53 . 2010-04-21 02:53 18944 ----a-r- c:\users\Brian\AppData\Roaming\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2010-04-21 02:53 . 2010-04-21 02:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-21 02:53 . 2010-04-21 02:53 -------- d-----w- c:\users\Brian\AppData\Roaming\SUPERAntiSpyware.com
2010-04-21 02:27 . 2010-04-21 02:28 -------- d-----w- c:\program files\NVIDIA Corporation
2010-04-21 01:16 . 2010-04-21 01:16 148 ----a-w- c:\windows\system32\565488.BAT
2010-04-21 01:02 . 2010-04-21 01:02 120 ----a-w- c:\users\Brian\AppData\Local\Qzojayew.dat
2010-04-21 01:02 . 2010-04-21 01:02 0 ----a-w- c:\users\Brian\AppData\Local\Ddepazalebinurif.bin
2010-04-21 01:01 . 2010-04-21 01:01 148 ----a-w- c:\windows\system32\16349513.BAT
2010-04-21 01:01 . 2010-04-29 19:01 823808 ----a-w- c:\windows\system32\drivers\stkak.sys
2010-04-21 01:00 . 2010-04-21 01:00 70656 --sha-r- c:\windows\system32\msvcrte.dll
2010-04-15 00:40 . 2010-04-15 01:11 -------- d-----w- c:\users\Brian\AppData\Roaming\Apple Computer
2010-04-15 00:40 . 2010-04-15 00:40 -------- d-----w- c:\users\Brian\AppData\Local\Apple Computer
2010-04-15 00:40 . 2010-04-15 00:40 -------- dc----w- c:\windows\system32\DRVSTORE
2010-04-15 00:40 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-04-15 00:40 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-04-15 00:39 . 2010-04-15 00:39 -------- d-----w- c:\program files\iPod
2010-04-15 00:39 . 2010-04-15 00:40 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-15 00:39 . 2010-04-29 18:57 -------- d-----w- c:\program files\iTunes
2010-04-15 00:38 . 2010-04-29 18:57 -------- d-----w- c:\program files\QuickTime
2010-04-15 00:38 . 2010-04-15 00:39 -------- d-----w- c:\programdata\Apple Computer
2010-04-15 00:38 . 2010-04-15 00:38 -------- d-----w- c:\users\Brian\AppData\Local\Apple
2010-04-15 00:38 . 2010-04-15 00:38 -------- d-----w- c:\program files\Apple Software Update
2010-04-15 00:37 . 2010-04-15 00:37 -------- d-----w- c:\program files\Bonjour
2010-04-15 00:37 . 2010-04-15 00:39 -------- d-----w- c:\program files\Common Files\Apple
2010-04-15 00:37 . 2010-04-15 00:37 -------- d-----w- c:\programdata\Apple
2010-04-13 18:54 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-13 18:54 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-13 18:54 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-13 18:54 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-13 18:54 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-13 18:54 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-13 18:54 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-13 18:54 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-13 18:54 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-13 18:54 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 18:54 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-06 15:35 . 2010-04-06 15:36 -------- d-----w- c:\users\Brian\AppData\Local\Adobe
2010-04-06 15:33 . 2010-04-06 15:33 -------- d-----w- c:\program files\Common Files\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-29 19:01 . 2010-04-21 02:28 34901 ----a-w- c:\programdata\nvModes.dat
2010-04-29 18:57 . 2009-04-28 21:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-29 18:57 . 2009-01-18 16:56 -------- d-----w- c:\program files\RivaTuner v2.09
2010-04-24 20:50 . 2009-01-18 20:18 34360 ----a-w- c:\windows\system32\drivers\mouclass.sys
2010-04-24 19:26 . 2009-04-28 21:40 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-22 00:16 . 2010-04-21 22:02 46952 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-21 02:53 . 2009-01-17 20:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-21 02:36 . 2009-01-17 20:35 -------- d-----w- c:\programdata\NVIDIA
2010-04-21 01:34 . 2009-04-23 23:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-21 01:34 . 2009-06-21 14:16 5918776 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-19 20:49 . 2010-04-19 20:49 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-04-13 23:26 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-31 23:04 . 2009-01-20 04:15 196608 ----a-w- c:\users\Brian\AppData\Roaming\Acreon\WowMatrix\Libraries\wmweb.dll
2010-03-31 23:04 . 2009-01-20 04:15 258048 ----a-w- c:\users\Brian\AppData\Roaming\Acreon\WowMatrix\Libraries\wmzip.dll
2010-03-30 04:46 . 2009-04-23 23:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-04-23 23:16 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 05:48 . 2010-03-26 05:48 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-03-16 06:15 . 2010-03-16 06:15 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-03-16 06:15 . 2010-03-16 06:15 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-03-16 06:15 . 2010-03-16 06:15 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-03-16 06:14 . 2010-03-16 06:14 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-03-16 06:14 . 2010-03-16 06:14 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-03-04 17:50 . 2010-03-04 17:50 261152 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2010-02-24 22:53 . 2009-01-17 19:54 49168 ----a-w- c:\users\Brian\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 14:16 . 2009-10-02 19:36 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-03-30 21:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-30 21:28 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-30 21:28 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-30 21:28 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-11 22:19 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 22:19 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 22:19 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-12 15:46 . 2010-02-12 15:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46 . 2010-02-12 15:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-03 16:24 . 2010-02-03 16:24 94208 ----a-w- c:\windows\system32\RTNUninst32.dll
2007-06-25 20:43 . 2006-11-22 14:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2010-04-29_03.36.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-17 19:56 . 2010-04-29 18:31 42876 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:03 . 2010-04-29 19:02 70266 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-01-17 19:56 . 2010-04-29 19:02 10092 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2159073726-709688122-2792182354-1000_UserData.bin
+ 2006-11-02 13:00 . 2010-04-29 18:29 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:00 . 2010-04-29 03:36 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:00 . 2010-04-29 18:29 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-02 13:00 . 2010-04-29 03:36 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:00 . 2010-04-29 18:29 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 13:00 . 2010-04-29 03:36 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-04-29 03:29 . 2010-04-29 03:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-04-29 19:00 . 2010-04-29 19:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-04-29 03:29 . 2010-04-29 03:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-04-29 19:00 . 2010-04-29 19:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2006-11-02 12:46 . 2010-02-24 22:53 228176 c:\windows\System32\FNTCACHE.DAT
+ 2006-11-02 12:46 . 2010-04-29 19:00 228176 c:\windows\System32\FNTCACHE.DAT
+ 2006-11-02 10:22 . 2010-04-29 18:58 6549504 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2010-04-29 18:58 . 2010-04-29 18:58 6549504 c:\windows\ERDNT\subs\SCHEMA.DAT
+ 2010-04-29 18:52 . 2010-04-29 18:52 6549504 c:\windows\ERDNT\Hiv-backup\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-17 1164912]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-17 1941784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-2-21 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):d3,67,c3,7a,9a,33,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2159073726-709688122-2792182354-1000]
"EnableNotificationsRef"=dword:00000001

R2 aswFsBlk;aswFsBlk;aswFsBlk.sys [x]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-01-18 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-01-18 79360]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [2008-10-08 171032]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [2008-10-08 1324056]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [2008-10-08 72728]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-04-14 51792]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [2008-10-08 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [2008-10-08 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [2008-10-08 72728]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-12 01:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 18:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\fdnk086e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/defaulta.aspx
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-29 15:01
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(784)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'Explorer.exe'(2028)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\iPod\bin\iPodService.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-04-29 15:04:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-29 19:04
ComboFix2.txt 2010-04-29 03:37

Pre-Run: 218,483,683,328 bytes free
Post-Run: 218,248,126,464 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,4,5
- - End Of File - - CBF038086E42368611B4D672EB40D68C


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


My BMAM.log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

4/29/2010 4:01:40 PM
mbam-log-2010-04-29 (16-01-40).txt

Scan type: Full scan (C:\|)
Objects scanned: 227793
Time elapsed: 45 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\drivers\stkak.sys (Rootkit.Agent) -> Not selected for removal.


I did not select for that to be removed, as I was not sure if that was one I should select or not.
Patryn38
Regular Member
 
Posts: 26
Joined: April 24th, 2010, 3:28 pm

Re: Trojan.rookit/gen

Unread postby xixo_12 » April 29th, 2010, 6:40 pm

Hi,
Let's proceed.
You're heavily infected. I don't see any reason, why you don't want to remove the file that infected with it.

First,
Malwarebytes' Anti-Malware - Run
Run it again, and please remove what it found. Please give me a new log after remove the infection

Next,
RSIT.
  • Copy the code as below by highlight > right click > copy:
    Code: Select all
    "%userprofile%\desktop\rsit.exe" /info
  • Click on Image > Run....
  • Paste the code into the box and click OK.
  • Click on Continue at the disclaimer screen.
  • Once it finishes, two logs will open.
    • log.txt will be opened maximized
    • info.txt will be opened minimized
  • Please post the contents of both logs in your next post.
***You can find manually the log at C:\rsit

Next,
GMER.
Please run it again to produce new log

Next,
Checklist.
Please post.
  • Content of MBAM log
  • Content of log.txt and info.txt (Find both in c:\rsit)
  • Content of GMER.txt
User avatar
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Trojan.rookit/gen

Unread postby Patryn38 » April 29th, 2010, 8:41 pm

Hello again.
I did not click to remove it as this is one of the files that keeps showing back up even after it says it is removed. I did run the scan again though, and clicked to remove it. Once again, the log shows it was successfully removed.

On to RSIT. Maybe I am just stupid, or maybe I'm just so frustrated with this whole thing that I am overlooking something very simple. Either way, when I click the windows icon, there is no RUN option on it. I do remember such an option being available in the past on my older operating systems, but I do not see the option in Vista.
So I scrolled up, and attempted to run RSIT from your original instructions a few posts back. I ended up getting the *exact* same error as I did the first time. After 2 tries I gave up.

I then attempted to run GMER following the same instructions listed ealier. The scan started fine, but shortly into it (30-45 seconds) I get a message saying GMER has stopped working and windows will close the program. After it closes, each time I tried to rerun it, Windows crashes.

So the only thing I have for you is my MBAM log. Neither of the other 2 would successfully run this time.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

4/29/2010 7:55:20 PM
mbam-log-2010-04-29 (19-55-20).txt

Scan type: Full scan (C:\|)
Objects scanned: 227919
Time elapsed: 48 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\drivers\stkak.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
Patryn38
Regular Member
 
Posts: 26
Joined: April 24th, 2010, 3:28 pm

Re: Trojan.rookit/gen

Unread postby xixo_12 » April 30th, 2010, 12:11 am

Hi,
No worries.
I will take care of it soon.
Try this method

First,
Run Command
  • Right click on Image > Properties.
  • Under Start Menu tab > Start Menu options > Click Customize...
  • Scroll down, search and tick run command box.
  • Click OK to apply

Next,
RSIT.
  • Copy the code as below by highlight > right click > copy:
    Code: Select all
    "%userprofile%\desktop\rsit.exe" /info
  • Click on Image > Run....
  • Paste the code into the box and click OK.
  • Click on Continue at the disclaimer screen.
  • Once it finishes, two logs will open.
    • log.txt will be opened maximized
    • info.txt will be opened minimized
  • Please post the contents of both logs in your next post.
***You can find manually the log at C:\rsit

If only above instructions doesn't work.
RSIT by random/random.
  • Right click on RSIT.exe > Run as Administrator to run the tool.
  • Click Continue at the disclaimer screen.
  • Once it finishes, one log will open.
    • log.txt will be opened maximized
  • Please post the contents in your next post.
***You can find manually the log at C:\rsit


Next,
SystemLook by jpshortstuff.
Please download from one of the links below and save it to the Desktop.
Download Mirror #1
Download Mirror #2

  • Right click on SystemLook.exe > Run as Administrator to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: Select all
    :filefind
    *iaStorV*
    :contents
    c:\windows\system32\565488.BAT
    c:\windows\system32\16349513.BAT
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Next,
Checklist.
Please post.
  • Content of log.txt and info.txt (Find both in c:\rsit)
  • Content of SystemLook.txt
User avatar
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Trojan.rookit/gen

Unread postby Patryn38 » April 30th, 2010, 7:26 pm

Thank you for your patience through all this. It seems like my computer is totally against me at this point. :(

I now have the run command showing. I attempted to run RSIT but STILL get the exact same error. I will still post what log is available though.

I then downloaded SystemLook at instructed. I ran it and entered the code into the window. After a few seconds the program stopped working. I tried it twice and got the exact same message both times. "System Querying tool has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available."

Have I mentioned that my computer is working against me now?

Here is the contents of the RSIT.log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Brian at 2010-04-30 19:14:18
Microsoft® Windows Vista™ Ultimate Service Pack 2
System drive C: has 209 GB (66%) free of 314 GB
Total RAM: 3326 MB (65% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:19 PM, on 4/30/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Brian\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Brian.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

--
End of file - 4302 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"TrueImageMonitor.exe"=C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [2006-10-17 1164912]
"AcronisTimounterMonitor"=C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe [2006-10-17 1941784]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-03-26 142120]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-11 1233920]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2010-04-29 2020592]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe
Patryn38
Regular Member
 
Posts: 26
Joined: April 24th, 2010, 3:28 pm

Re: Trojan.rookit/gen

Unread postby xixo_12 » April 30th, 2010, 7:30 pm

Hi,
Let's proceed.
I will think different approach for this issue.

First,
DDS by sUBs.
Please download from HERE and save to the desktop.
Note : Please disable any anti-malware program that will block scripts from running before running DDS.
Image
  • Double-Click on dds.scr to run it and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • Follow the instruction that appear on How to post the logs
    Note : Please save the logs on your desktop.

Next,
Discussion.
Can you boot into safe mode? Please let me know about it.

Next,
Checklist.
Please post.
  • Content of DDS.txt and Attach.txt
  • Response to our discussion
User avatar
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Trojan.rookit/gen

Unread postby Patryn38 » May 1st, 2010, 10:52 am

Hello.

I think I could boot into Safe Mode, but I'd need to hook up a different keyboard first. I use a Logitech G11 and it does not 'power up' until the computer is booted. On the times my computer crashed running some of the other programs, I had the options on how to boot, and safe mode was listed there, I just couldn't choose another option because of my keyboard.

Here are the 2 logs you requested.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Brian at 10:43:27.18 on Sat 05/01/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3326.2406 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Brian\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap
mASetup: {7070D8E0-650A-46b3-B03C-9497582E6A74} - %SystemRoot%\system32\soundschemes.exe /AddRegistration
mASetup: {B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24} - %SystemRoot%\system32\soundschemes2.exe /AddRegistration

================= FIREFOX ===================

FF - ProfilePath - c:\users\brian\appdata\roaming\mozilla\firefox\profiles\fdnk086e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/defaulta.aspx
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-28 162768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 61440]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-4-28 51792]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-28 40384]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-28 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-28 40384]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2009-1-18 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-1-18 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-1-18 21504]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-04-29 19:01:08 0 d-sh--w- C:\$RECYCLE.BIN
2010-04-29 03:24:07 98816 ----a-w- c:\windows\sed.exe
2010-04-29 03:24:07 77312 ----a-w- c:\windows\MBR.exe
2010-04-29 03:24:07 256512 ----a-w- c:\windows\PEV.exe
2010-04-29 03:24:07 161792 ----a-w- c:\windows\SWREG.exe
2010-04-28 17:50:14 0 d-----w- C:\Gmer
2010-04-28 17:25:18 261916958 ----a-w- c:\windows\MEMORY.DMP
2010-04-28 17:23:25 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-04-28 17:23:12 0 d-----w- c:\programdata\Alwil Software
2010-04-24 19:35:05 0 d-----w- c:\program files\Trend Micro
2010-04-21 22:02:26 46952 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-21 22:02:26 3347488 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-21 22:02:22 3004 ----a-w- C:\rollback.ini
2010-04-21 21:59:00 0 d-----w- c:\program files\common files\ParetoLogic
2010-04-21 21:58:59 0 d-----w- c:\programdata\ParetoLogic
2010-04-21 02:53:43 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-21 02:53:39 0 d-----w- c:\users\brian\appdata\roaming\SUPERAntiSpyware.com
2010-04-21 02:53:39 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-21 02:28:24 34901 ----a-w- c:\programdata\nvModes.dat
2010-04-21 02:27:50 0 d-----w- c:\program files\NVIDIA Corporation
2010-04-21 01:16:24 148 ----a-w- c:\windows\system32\565488.BAT
2010-04-21 01:01:19 148 ----a-w- c:\windows\system32\16349513.BAT
2010-04-21 01:00:17 70656 --sha-r- c:\windows\system32\msvcrte.dll
2010-04-19 20:49:34 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-04-15 00:40:04 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-04-15 00:40:04 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-04-15 00:39:44 0 d-----w- c:\program files\iPod
2010-04-15 00:39:40 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-15 00:39:39 0 d-----w- c:\program files\iTunes
2010-04-15 00:38:54 0 d-----w- c:\programdata\Apple Computer
2010-04-15 00:37:17 0 d-----w- c:\program files\Bonjour
2010-04-15 00:37:06 0 d-----w- c:\programdata\Apple
2010-04-06 15:33:36 0 d-----w- c:\programdata\Adobe

==================== Find3M ====================

2010-04-29 18:24:59 9751960 ----a-w- c:\windows\fonts\simhei.ttf
2010-04-29 16:19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 16:19:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 20:50:42 34360 ----a-w- c:\windows\system32\drivers\mouclass.sys
2010-04-21 02:27:45 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-21 02:27:45 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-21 02:27:41 86016 ----a-w- c:\windows\inf\infstor.dat
2010-03-16 06:15:00 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-03-16 06:15:00 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-03-16 06:15:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-03-16 06:14:00 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-03-16 06:14:00 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-03-05 14:01:02 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 17:50:14 261152 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-18 14:07:05 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-18 14:07:05 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-18 13:30:03 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-02-12 15:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-03 16:24:36 94208 ----a-w- c:\windows\system32\RTNUninst32.dll
2009-11-17 21:23:54 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-01-18 20:38:34 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-11-18 22:36:56 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2007-06-25 20:43:58 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 10:44:11.74 ===============






UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 1/17/2009 11:41:26 AM
System Uptime: 5/1/2010 10:28:59 AM (0 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | X38-DQ6
Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2400/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 307 GiB total, 203.859 GiB free.
D: is FIXED (NTFS) - 466 GiB total, 408.239 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================

Acronis True Image Home
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
CDDRV_Installer
Creative ALchemy
Creative Audio Control Panel
Creative Console Launcher
Creative MediaSource 5
Creative Software AutoUpdate
Creative Sound Blaster Properties
Creative System Information
Curse Client
Dream Aquarium
EVEREST Ultimate Edition v4.50
Gigabyte Raid Configurer
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java(TM) 6 Update 13
Java(TM) SE Runtime Environment 6
KhalInstallWrapper
LightScribe 1.4.136.1
Logitech SetPoint
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.5.9)
Nero 7 Essentials
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA PhysX v8.10.13
OpenAL
Paint Shop Pro 6.0 (ESD)
PVSonyDll
QuickTime
RivaTuner v2.09
Sound Blaster X-Fi
SUPERAntiSpyware Free Edition
System Requirements Lab
Ultimate Extras sounds from Microsoft® Tinker™
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Ventrilo Client
Volume Panel
Windows Sound Schemes
WinRAR archiver
World of Warcraft

==== End Of File ===========================
Patryn38
Regular Member
 
Posts: 26
Joined: April 24th, 2010, 3:28 pm

Re: Trojan.rookit/gen

Unread postby xixo_12 » May 1st, 2010, 11:13 am

Hi,
Please run ComboFix once again and provide the log for my review.

Thanks!

ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links)
Save as Combo-Fix.exe <<Please have a look on the file name. You have to change.
Link 1
Link 2

**IMPORTANT !!! Save Combo-Fix.exe to your Desktop**
  • Disable your AntiVirus/AntiSpyware/Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Right click on Combo-Fix.exe > Run as Administrator & follow the prompts
  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
User avatar
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: M2Judy and 32 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware