Author Topic: new worm?, avast doesn' know it (Read 57642 times)

Markwest · « **Reply #45 on:** December 26, 2009, 01:14:24 PM »

Error - 24/12/2009 20:55:23 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
module unknown, version 0.0.0.0, fault address 0x012158ad.

Error - 24/12/2009 20:55:29 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

Error - 24/12/2009 23:29:37 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application ctfmon.exe, version 5.1.2600.2180, faulting module
am30400.dll, version 4.72.0.30400, fault address 0x000014d3.

Error - 24/12/2009 23:29:37 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application rundll32.exe, version 5.1.2600.2180, faulting
module am30400.dll, version 4.72.0.30400, fault address 0x000014d3.

Error - 26/12/2009 05:15:44 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application mbam.exe, version 1.42.0.0, faulting module ntdll.dll,
version 5.1.2600.2180, fault address 0x00018fea.

Error - 26/12/2009 05:18:49 | Computer Name = BEAST-3DDF91376 | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.42.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 26/12/2009 00:09:21 | Computer Name = BEAST-3DDF91376 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 30 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 26/12/2009 00:09:21 | Computer Name = BEAST-3DDF91376 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 30 minutes. NtpClient has no source of accurate
time.

Error - 26/12/2009 05:29:46 | Computer Name = BEAST-3DDF91376 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 26/12/2009 05:29:50 | Computer Name = BEAST-3DDF91376 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 26/12/2009 05:31:08 | Computer Name = BEAST-3DDF91376 | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBT service which failed
to start because of the following error: %%31

Error - 26/12/2009 05:31:08 | Computer Name = BEAST-3DDF91376 | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 26/12/2009 05:31:08 | Computer Name = BEAST-3DDF91376 | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 26/12/2009 05:31:08 | Computer Name = BEAST-3DDF91376 | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 26/12/2009 05:31:08 | Computer Name = BEAST-3DDF91376 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Aavmker4 AFD aswSP aswTdi Fips intelppm IPSec MRxSmb NetBIOS NetBT prodrv06 RasAcd Rdbss SASDIFSV
SASKUTIL
Tcpip

Error - 26/12/2009 05:32:51 | Computer Name = BEAST-3DDF91376 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

< End of report >

oldman · « **Reply #46 on:** December 26, 2009, 07:47:31 PM »

Hi there,

I've been asked to have a look at your logs. Please do not make any changes to your computer or download any other programs than I request.

Lot's of malware present and there may be a rootkit involved. Let's see how deep this is before we clean it.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Download GMER Rootkit Scanner from here or here.

Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

Click the image to enlarge it
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
Sections
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in your next reply.

Please post back with the GMER log.

Markwest · « **Reply #47 on:** December 26, 2009, 08:27:01 PM »

how far do i need to go do stop all the running programs will i ahve to use the ctrl alt del and stop most of the programs/running stuff in there, if so what are the few things i need to leave on to keep the comp running?

oldman · « **Reply #48 on:** December 26, 2009, 08:30:09 PM »

Hi

Just disable your antimalware scanners and make sure no windows are open or minimized on the try.

Markwest · « **Reply #49 on:** December 26, 2009, 11:56:56 PM »

i got a error msg saying a rootkit has changed a file, and then the scan stopped, posting the log (needing to restart the comp through since it crashed on me)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-26 22:33:57
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Mark\LOCALS~1\Temp\kgnyypow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA528B6B8] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA528B574] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA528BA52] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA528B14C] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA528B64E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA528B08C] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA528B0F0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA528B76E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA528B72E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA528B8AE] <-- ROOTKIT !!!
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA53470B0] <-- ROOTKIT !!!

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8ACE0210

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\prodrv06 \Device\ProDrv06 E1DD26E8
Device \Driver\iaStor \Device\Ide\iaStor0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\prohlp02 \Device\ProHlp02 E1014770

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] kpgmh <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kpgmh@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kpgmh@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kpgmh@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kpgmh@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\kpgmh@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\kpgmh@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\kpgmh@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\kpgmh@Group Boot Bus Extender

Markwest · « **Reply #50 on:** December 27, 2009, 12:01:53 AM »

it started looking through my warcraft add ons at this point and made the log huge, will post them anyways
if you want me to, it started looking through them and that is when the thing said a rootkit has changed a file and i's why it stopped working, willpost after this post if you need me to

oldman · « **Reply #51 on:** December 27, 2009, 12:21:30 AM »

Hi MarkWest,

That's ok, we can see the rootkit. Let's se if we can get it before it changes.

Please read through these instructions to familarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1.[color="red"]Do not mouse-click Combofix's window while it is running. That may cause it to stall.[/color]
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Markwest · « **Reply #52 on:** December 27, 2009, 12:30:00 AM »

is ther eany way i can get the microsoft recovery console onto my computer via a flash drive, i am not connected to the net on that machine currently because every time i connect it starts messing up

from what i've seen so far the root kit has stayed in the same file i hope it stays that way :'(

other then that i may need to get some sleep soon so i may have to go to this latest thing to do after a nights sleep

oldman · « **Reply #53 on:** December 27, 2009, 12:55:52 AM »

Hi MarkWest,

Yes we can do that.

Depending on whether you have XP Home or XP Pro will indicate which file to download.

Home

Pro

To determine which file you need

Click your Start button
Right click on My Computer.
You will find the version on the General tab.

Once you have found which version you need, click the appropriate link above.

Download the file and transfer it to the infected computer's Desktop.

Make sure the copy of combofix you have is also located on the desktop.

With your left mouse button, drag the file onto the combofix icon as shown below. This will start combofix so don't do anything else. Also make sure your security programs have been disabled per the previous instructions.

note: If the attached image is not animated, click it.

Markwest · « **Reply #54 on:** December 27, 2009, 03:30:06 PM »

can it take a while to create a system restore point, it doesn't sound like it's doing anything, after i accepted the agreement s i haven't touched my machine and it seems to still be on attempting to create a system restore point

if it shouldn't be taking a while to do this should i restart my computer and try again?

edit: of no worries it carried on like 1 min ater hehe

Markwest · « **Reply #55 on:** December 27, 2009, 03:50:38 PM »

ComboFix 09-12-26.01 - Mark 27/12/2009 14:30:13.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.3327.2930 [GMT 0:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: avast! antivirus 4.8.1368 [VPS 091225-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Mark\Local Settings\Application Data\{FFC6B7D5-902E-4EBD-9177-7C584223F0D8}
c:\documents and settings\Mark\Local Settings\Application Data\{FFC6B7D5-902E-4EBD-9177-7C584223F0D8}\chrome.manifest
c:\documents and settings\Mark\Local Settings\Application Data\{FFC6B7D5-902E-4EBD-9177-7C584223F0D8}\chrome\content\_cfg.js
c:\documents and settings\Mark\Local Settings\Application Data\{FFC6B7D5-902E-4EBD-9177-7C584223F0D8}\chrome\content\overlay.xul
c:\documents and settings\Mark\Local Settings\Application Data\{FFC6B7D5-902E-4EBD-9177-7C584223F0D8}\install.rdf
c:\recycler\NPROTECT
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\windows\jestertb.dll
c:\windows\obipufic.dll
c:\windows\system32\ekafelat.ini
c:\windows\system32\iyanusuf.ini
c:\windows\system32\SIntf16.dll
c:\windows\system32\ububimem.ini
c:\windows\Tasks\dvadaeqn.job
E:\install.exe

----- BITS: Possible infected sites -----

hxxp://download.xbox.com:80
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((( Files Created from 2009-11-27 to 2009-12-27 )))))))))))))))))))))))))))))))
.

2009-12-26 09:30 . 2009-12-26 09:30   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-26 02:24 . 2009-12-26 02:24   52224   ----a-w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-26 02:20 . 2009-12-26 02:24   117760   ----a-w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-26 02:19 . 2009-12-26 02:19   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-26 02:18 . 2009-12-26 02:18   --------   d-----w-   c:\program files\SUPERAntiSpyware
2009-12-26 02:18 . 2009-12-26 02:18   --------   d-----w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com
2009-12-26 02:17 . 2009-12-26 02:13   2386270   ----a-w-   C:\MGtools.exe
2009-12-26 01:48 . 2009-12-26 01:47   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-12-26 01:47 . 2009-12-26 01:47   --------   d-----w-   c:\program files\Java
2009-12-25 13:52 . 2009-12-25 13:52   --------   d-----w-   c:\documents and settings\Mark\.kde
2009-12-25 09:45 . 2009-12-25 09:45   4844295   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-25 00:46 . 2009-12-27 14:07   0   ----a-w-   c:\windows\Igaqofevinuyoz.bin
2009-12-25 00:46 . 2009-12-25 00:46   120   ----a-w-   c:\windows\Avasub.dat
2009-12-25 00:43 . 2009-12-27 14:35   714752   ----a-w-   c:\windows\system32\drivers\kpgmh.sys
2009-12-25 00:43 . 2009-12-25 09:45   116   ----a-w-   c:\windows\system32\fjhdyfhsn.bat
2009-12-16 21:46 . 2009-09-04 17:44   515416   ----a-w-   c:\windows\system32\XAudio2_5.dll
2009-12-16 21:46 . 2009-09-04 17:44   238936   ----a-w-   c:\windows\system32\xactengine3_5.dll
2009-12-16 21:46 . 2009-09-04 17:29   1974616   ----a-w-   c:\windows\system32\D3DCompiler_42.dll
2009-12-16 21:46 . 2009-09-04 17:29   5501792   ----a-w-   c:\windows\system32\d3dcsx_42.dll
2009-12-16 21:46 . 2009-09-04 17:29   235344   ----a-w-   c:\windows\system32\d3dx11_42.dll
2009-12-16 21:45 . 2009-12-16 21:46   --------   d--h--w-   c:\windows\msdownld.tmp
2009-12-09 15:38 . 2009-12-09 15:38   --------   d-----w-   c:\program files\Microsoft
2009-12-04 05:32 . 2009-09-04 17:29   453456   ----a-w-   c:\windows\system32\d3dx10_42.dll
2009-12-04 05:32 . 2009-09-04 17:29   1892184   ----a-w-   c:\windows\system32\D3DX9_42.dll
2009-12-02 23:21 . 2009-12-02 23:21   --------   d-----w-   c:\documents and settings\Mark\Local Settings\Application Data\Thunderbird
2009-12-02 23:21 . 2009-12-02 23:21   --------   d-----w-   c:\documents and settings\Mark\Application Data\Thunderbird
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\GNU
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\LocalService\Application Data\gnupg
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\Mark\Application Data\gnupg
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\GNU
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-

Markwest · « **Reply #56 on:** December 27, 2009, 03:51:45 PM »

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-27 14:35 . 2008-05-07 16:19   --------   d-----w-   c:\documents and settings\Mark\Application Data\OpenOffice.org2
2009-12-27 14:35 . 2009-02-05 13:05   --------   d-----w-   c:\program files\DNA
2009-12-27 14:35 . 2009-02-05 13:05   --------   d-----w-   c:\documents and settings\Mark\Application Data\DNA
2009-12-27 14:35 . 2009-02-20 09:52   --------   d-----w-   c:\program files\Steam
2009-12-26 02:18 . 2008-05-18 11:04   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2009-12-26 02:05 . 2008-08-04 05:26   --------   d-----w-   c:\program files\EA Games
2009-12-26 02:03 . 2009-02-20 04:33   --------   d-----w-   c:\program files\Konami
2009-12-26 02:00 . 2008-04-26 03:44   --------   d-----w-   c:\program files\THQ
2009-12-26 02:00 . 2008-09-04 13:02   --------   d-----w-   c:\program files\Three Rings Design
2009-12-25 09:45 . 2008-12-15 23:26   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-12-25 03:34 . 2009-09-24 02:54   --------   d-----w-   c:\program files\Pando Networks
2009-12-24 17:13 . 2008-06-11 16:29   --------   d-----w-   c:\program files\mIRC
2009-12-21 04:14 . 2008-05-07 16:20   1   ----a-w-   c:\documents and settings\Mark\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-12-20 11:52 . 2008-05-18 11:04   --------   d-----w-   c:\program files\AGEIA Technologies
2009-12-18 23:13 . 2008-12-09 03:13   --------   d-----w-   c:\program files\World of Warcraft
2009-12-10 10:33 . 2008-04-25 13:50   --------   d-----w-   c:\documents and settings\Mark\Application Data\.purple
2009-12-04 06:11 . 2008-10-29 11:04   104   ----a-w-   c:\windows\popcinfot.dat
2009-12-03 16:14 . 2008-12-15 23:26   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13 . 2008-12-15 23:26   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-11-30 03:11 . 2009-11-22 21:06   --------   d-----w-   c:\program files\FantasyGrounds
2009-11-27 14:16 . 2008-04-25 15:47   --------   d-----w-   c:\documents and settings\Mark\Application Data\gtk-2.0
2009-11-24 23:54 . 2008-12-15 02:08   1280480   ----a-w-   c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2008-12-15 02:08   93424   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2008-12-15 02:08   94160   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-12-15 02:08   114768   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-12-15 02:08   20560   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2008-12-15 02:08   48560   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2008-12-15 02:08   23120   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2008-12-15 02:08   27408   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2008-12-15 02:08   97480   ----a-w-   c:\windows\system32\AvastSS.scr
2009-11-22 21:12 . 2009-11-22 21:12   --------   d-----w-   c:\program files\LogMeIn Hamachi
2009-11-22 21:12 . 2009-04-29 23:42   --------   d-----w-   c:\documents and settings\Mark\Application Data\Hamachi
2009-11-19 22:36 . 2008-11-19 16:41   --------   d-----w-   c:\program files\ooVoo
2009-11-06 10:59 . 2009-11-06 10:59   15406728   ----a-w-   c:\windows\system32\xlive.dll
2009-11-06 10:59 . 2009-11-06 10:59   13642888   ----a-w-   c:\windows\system32\xlivefnt.dll
2009-11-06 04:09 . 2009-11-06 04:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\BioWare
2009-11-03 10:28 . 2009-11-03 10:28   --------   d-----w-   c:\documents and settings\Mark\Application Data\runic games
2009-11-01 16:51 . 2009-11-01 16:48   --------   d-----w-   c:\documents and settings\Mark\Application Data\Red Alert 3 Uprising
2009-10-29 19:34 . 2009-10-29 04:59   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
2009-10-29 04:59 . 2009-10-29 04:59   1925024   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-10-28 14:45 . 2009-10-28 14:45   --------   d-----w-   c:\program files\PC Suite
2009-10-28 14:45 . 2008-04-22 11:19   --------   d--h--w-   c:\program files\InstallShield Installation Information
.

Markwest · « **Reply #57 on:** December 27, 2009, 03:52:27 PM »

------- Sigcheck -------

[-] 2007-12-19 . 3702A9C76696A70323330FD3879A5408 . 1589248 . . [5.1.2600.3186] . . c:\windows\system32\sfcfiles.dll

[7] 2007-07-27 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ctfmon.exe

c:\windows\System32\ctfmon.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-13 3660848]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"oovoo.exe"="c:\program files\ooVoo\oovoo.exe" [2009-10-12 17507000]
"Steam"="c:\program files\steam\steam.exe" [2009-10-24 1217808]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-02-24 3558136]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-10 1937408]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"CTHelper"="CTHELPER.EXE" [2008-02-20 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-02-20 19968]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-26 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2007-07-27 53760]

c:\documents and settings\Mark\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

Markwest · « **Reply #58 on:** December 27, 2009, 03:53:09 PM »

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Program Files\\Cyanide\\GameCenter\\GameCenter.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Namco Bandai Games\\Warhammer Mark of Chaos\\Warhammer.exe"=
"c:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Ntreev\\Grand Chase\\main.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Wizards of the Coast\\Magic Online III\\Renamer.exe"=
"c:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Outspark\\WindSlayer\\WindSlayer.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\patchget.dat"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.1.9835-to-3.1.2.9901-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\overlord ii\\Overlord2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\overlord ii\\Config.exe"=
"c:\\Program Files\\Electronic Arts\\BattleForge\\Bootstrapper.exe"=
"c:\\Program Files\\Electronic Arts\\BattleForge\\BattleForge.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\bookworm adventures volume 2\\BookwormAdventuresVol2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\Cyanide\\Blood Bowl\\Autorun\\Exe\\Autorun.exe"=
"c:\\Program Files\\Cyanide\\Blood Bowl\\BB.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Dragon Age Origins Character Creator\\bin_ship\\DAOCharacterCreator.exe"=
"c:\\Program Files\\Dragon Age Origins Character Creator\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\command and conquer red alert 3 uprising\\RA3EP1.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dragon age origins\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\zuma's revenge\\ZumasRevenge.exe"=
"c:\\Program Files\\FantasyGrounds\\FantasyGrounds.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dragon age origins\\bin_ship\\DAOrigins.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dragon age origins\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\torchlight\\Torchlight.exe"=

Markwest · « **Reply #59 on:** December 27, 2009, 03:53:54 PM »

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"37676:TCP"= 37676:TCP:ooVoo TCP port 37676
"37676:UDP"= 37676:UDP:ooVoo UDP port 37676
"37677:UDP"= 37677:UDP:ooVoo UDP port 37677

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [15/12/2008 02:08 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16:26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [15/12/2008 02:08 20560]
R2 DirMngr;DirMngr;c:\program files\GNU\GnuPG\dirmngr.exe [28/09/2009 16:15 242176]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [29/10/2009 12:27 1074568]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 7408]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Steam\SteamApps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [06/11/2009 01:10 25832]
S3 EraserUtilDrv10633;EraserUtilDrv10633;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10633.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10633.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 XDva226;XDva226;\??\c:\windows\system32\XDva226.sys --> c:\windows\system32\XDva226.sys [?]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [28/10/2009 14:45 105216]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [28/10/2009 14:45 105216]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [28/10/2009 14:45 105216]

--- Other Services/Drivers In Memory ---

*Deregistered* - kpgmh
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\tz9chjai.default\
FF - plugin: c:\documents and settings\Mark\My Documents\Sparkplay Media\Sparkplayer (Beta)\npSparkPlayerNS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Asaxugesavadeb - c:\windows\obipufic.dll

Author Topic: new worm?, avast doesn' know it (Read 57642 times)

Markwest

Re: new worm?, avast doesn' know it

oldman

Re: new worm?, avast doesn' know it

Markwest

Re: new worm?, avast doesn' know it

oldman

Re: new worm?, avast doesn' know it

Markwest

Re: new worm?, avast doesn' know it

Markwest

Re: new worm?, avast doesn' know it

oldman

Re: new worm?, avast doesn' know it

Markwest

Re: new worm?, avast doesn' know it

oldman

Re: new worm?, avast doesn' know it

Markwest

Re: new worm?, avast doesn' know it

Markwest

Re: new worm?, avast doesn' know it

Markwest

Re: new worm?, avast doesn' know it

Markwest

Re: new worm?, avast doesn' know it

Markwest

Re: new worm?, avast doesn' know it

Markwest

Re: new worm?, avast doesn' know it