Author Topic: new worm?, avast doesn' know it  (Read 58497 times)


Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #45 on: December 26, 2009, 01:14:24 PM »

Error - 24/12/2009 20:55:23 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
 module unknown, version 0.0.0.0, fault address 0x012158ad.
 
Error - 24/12/2009 20:55:29 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
 dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.
 
Error - 24/12/2009 23:29:37 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application ctfmon.exe, version 5.1.2600.2180, faulting module
 am30400.dll, version 4.72.0.30400, fault address 0x000014d3.
 
Error - 24/12/2009 23:29:37 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application rundll32.exe, version 5.1.2600.2180, faulting
 module am30400.dll, version 4.72.0.30400, fault address 0x000014d3.
 
Error - 26/12/2009 05:15:44 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application mbam.exe, version 1.42.0.0, faulting module ntdll.dll,
 version 5.1.2600.2180, fault address 0x00018fea.
 
Error - 26/12/2009 05:18:49 | Computer Name = BEAST-3DDF91376 | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.42.0.0, hang module hungapp,
 version 0.0.0.0, hang address 0x00000000.
 
[ System Events ]
Error - 26/12/2009 00:09:21 | Computer Name = BEAST-3DDF91376 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
 manually  configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
 again in 30  minutes.  The error was: A socket operation was attempted to an unreachable
 host. (0x80072751)
 
Error - 26/12/2009 00:09:21 | Computer Name = BEAST-3DDF91376 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
 or more  time sources, however none of the sources are currently accessible.   No attempt
 to contact a source will be made for 30 minutes.  NtpClient has no source of accurate
 time.
 
Error - 26/12/2009 05:29:46 | Computer Name = BEAST-3DDF91376 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
 arguments ""  in order to run the server:  {BA126AE5-2166-11D1-B1D0-00805FC1270E}
 
Error - 26/12/2009 05:29:50 | Computer Name = BEAST-3DDF91376 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
 with arguments ""  in order to run the server:  {1BE1F766-5536-11D1-B726-00C04FB926AF}
 
Error - 26/12/2009 05:31:08 | Computer Name = BEAST-3DDF91376 | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBT service which failed
to start because of the following error:   %%31

Error - 26/12/2009 05:31:08 | Computer Name = BEAST-3DDF91376 | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
 which failed to start because of the following error:   %%31
 
Error - 26/12/2009 05:31:08 | Computer Name = BEAST-3DDF91376 | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
 failed to start because of the following error:   %%31
 
Error - 26/12/2009 05:31:08 | Computer Name = BEAST-3DDF91376 | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
 failed to start because of the following error:   %%31
 
Error - 26/12/2009 05:31:08 | Computer Name = BEAST-3DDF91376 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
   Aavmker4  AFD  aswSP  aswTdi  Fips  intelppm  IPSec  MRxSmb  NetBIOS  NetBT  prodrv06  RasAcd  Rdbss  SASDIFSV
SASKUTIL
Tcpip
 
Error - 26/12/2009 05:32:51 | Computer Name = BEAST-3DDF91376 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
 with arguments ""  in order to run the server:  {1BE1F766-5536-11D1-B726-00C04FB926AF}
 
 
< End of report >
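The excerpt above is the kind of event-log dump a helper reads by eye: the same faulting module (am30400.dll) taking down two different processes at the same second, a crash with "module unknown", and a Service Control Manager 7026 event listing every boot-start driver that failed to load, including the TCP/IP stack and the avast! drivers. The following script is an added example, not part of this thread or of OTL or any other tool used here. It parses records in the "Error - date | Computer Name = ... | Source = ... | ID = N" layout shown above (the record format is assumed from these lines only; the continuation-line handling and the small trusted-module list are the author's own choices), joins the wrapped Description lines, and pulls out the two things worth a closer look: modules that crashed more than one distinct process, and the drivers named in a 7026 event.

```python
import re
from collections import defaultdict

# Sample records copied from the event-log excerpt posted above (a subset).
SAMPLE_LOG = """
Error - 24/12/2009 20:55:23 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
 module unknown, version 0.0.0.0, fault address 0x012158ad.

Error - 24/12/2009 23:29:37 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application ctfmon.exe, version 5.1.2600.2180, faulting module
 am30400.dll, version 4.72.0.30400, fault address 0x000014d3.

Error - 24/12/2009 23:29:37 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application rundll32.exe, version 5.1.2600.2180, faulting
 module am30400.dll, version 4.72.0.30400, fault address 0x000014d3.

Error - 26/12/2009 05:15:44 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application mbam.exe, version 1.42.0.0, faulting module ntdll.dll,
 version 5.1.2600.2180, fault address 0x00018fea.

[ System Events ]
Error - 26/12/2009 05:31:08 | Computer Name = BEAST-3DDF91376 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
   Aavmker4  AFD  aswSP  aswTdi  Fips  intelppm  IPSec  MRxSmb  NetBIOS  NetBT  prodrv06  RasAcd  Rdbss  SASDIFSV
SASKUTIL
Tcpip
"""

# Record header as it appears in the excerpt (format assumed from the posted lines).
HEADER_RE = re.compile(
    r"^(?P<level>\w+) - (?P<time>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) \| "
    r"Computer Name = (?P<host>[^|]+?) \| Source = (?P<source>[^|]+?) \| ID = (?P<id>\d+)$")
# Application Error event 1000 description, after the wrapped lines are re-joined.
FAULT_RE = re.compile(
    r"Faulting application (?P<app>\S+), version (?P<appver>\S+), "
    r"faulting module (?P<module>\S+), version (?P<modver>\S+), "
    r"fault address (?P<addr>0x[0-9a-fA-F]+)")


def parse_events(text):
    """Split the excerpt into records; every non-header line after a header is a
    wrapped piece of that record's Description and is joined back into one string."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.groupdict()
            current["id"] = int(current["id"])
            current["lines"] = []
            events.append(current)
        elif current is not None and line and not line.startswith("["):
            current["lines"].append(line)          # section markers like "[ System Events ]" are skipped
    for ev in events:
        desc = re.sub(r"\s+", " ", " ".join(ev.pop("lines")))
        ev["description"] = desc[len("Description = "):] if desc.startswith("Description = ") else desc
    return events


def crashes_by_module(events):
    """Map each faulting module named in an event 1000 to the set of applications it crashed."""
    by_module = defaultdict(set)
    for ev in events:
        if ev["source"] == "Application Error" and ev["id"] == 1000:
            m = FAULT_RE.search(ev["description"])
            if m:
                by_module[m.group("module").lower()].add(m.group("app").lower())
    return {mod: sorted(apps) for mod, apps in by_module.items()}


def suspicious_modules(events, trusted=("ntdll.dll", "kernel32.dll", "user32.dll")):
    """Modules outside a small trusted list that crashed more than one distinct process.
    The trusted list is this example's own assumption; widen it to taste."""
    return {mod: apps for mod, apps in crashes_by_module(events).items()
            if mod not in trusted and len(apps) > 1}


def failed_boot_drivers(events):
    """Driver names listed by Service Control Manager event 7026 (boot/system-start failures)."""
    drivers = []
    for ev in events:
        if ev["id"] == 7026 and "failed to load:" in ev["description"]:
            drivers.extend(ev["description"].split("failed to load:", 1)[1].split())
    return drivers


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("records parsed:", len(evs))
    print("modules crashing several processes:", suspicious_modules(evs))
    print("drivers that failed at boot:", failed_boot_drivers(evs))
```

Run on the full dump rather than the sample, the same two questions (which module keeps showing up, and which drivers did not load) are what a responder answers before deciding whether the crashes point at a kernel-level problem, which is exactly the direction the next reply in the thread takes.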

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: new worm?, avast doesn' know it
« Reply #46 on: December 26, 2009, 07:47:31 PM »
Hi there,

I've been asked to have a look at your logs. Please do not make any changes to your computer or download any other programs than I request.

Lots of malware present, and there may be a rootkit involved. Let's see how deep this is before we clean it.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<-- ROOTKIT" entries.



Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.



  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.


    Please post back with the GMER log.


    Markwest

    Re: new worm?, avast doesn' know it
    « Reply #47 on: December 26, 2009, 08:27:01 PM »
    How far do I need to go to stop all the running programs? Will I have to use Ctrl+Alt+Del and stop most of the programs/running stuff in there? If so, what are the few things I need to leave on to keep the comp running?

    Offline oldman

    Re: new worm?, avast doesn' know it
    « Reply #48 on: December 26, 2009, 08:30:09 PM »
    Hi

    Just disable your antimalware scanners and make sure no windows are open or minimized on the tray.

    Markwest

    Re: new worm?, avast doesn' know it
    « Reply #49 on: December 26, 2009, 11:56:56 PM »
    I got an error msg saying a rootkit has changed a file, and then the scan stopped. Posting the log (needing to restart the comp though, since it crashed on me).

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2009-12-26 22:33:57
    Windows 5.1.2600 Service Pack 2
    Running: gmer.exe; Driver: C:\DOCUME~1\Mark\LOCALS~1\Temp\kgnyypow.sys


    ---- System - GMER 1.0.15 ----

    SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                           ZwClose [0xA528B6B8]                                                               <-- ROOTKIT !!!
    SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                           ZwCreateKey [0xA528B574]                                                           <-- ROOTKIT !!!
    SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                           ZwDeleteValueKey [0xA528BA52]                                                      <-- ROOTKIT !!!
    SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                           ZwDuplicateObject [0xA528B14C]                                                     <-- ROOTKIT !!!
    SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                           ZwOpenKey [0xA528B64E]                                                             <-- ROOTKIT !!!
    SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                           ZwOpenProcess [0xA528B08C]                                                         <-- ROOTKIT !!!
    SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                           ZwOpenThread [0xA528B0F0]                                                          <-- ROOTKIT !!!
    SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                           ZwQueryValueKey [0xA528B76E]                                                       <-- ROOTKIT !!!
    SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                           ZwRestoreKey [0xA528B72E]                                                          <-- ROOTKIT !!!
    SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                           ZwSetValueKey [0xA528B8AE]                                                         <-- ROOTKIT !!!
    SSDT            \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com)                   ZwTerminateProcess [0xA53470B0]                                                    <-- ROOTKIT !!!

    ---- Devices - GMER 1.0.15 ----

    Device          \FileSystem\Ntfs \Ntfs                                                                                                          8ACE0210

    AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                          aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
    AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                        aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                       aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device          \Driver\prodrv06 \Device\ProDrv06                                                                                               E1DD26E8
    Device          \Driver\iaStor \Device\Ide\iaStor0                                                                                              prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3                                                                                     prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device          \Driver\atapi \Device\Ide\IdePort0                                                                                              prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device          \Driver\atapi \Device\Ide\IdePort1                                                                                              prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device          \Driver\iaStor \Device\Ide\IAAStorageDevice-0                                                                                   prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device          \Driver\iaStor \Device\Ide\IAAStorageDevice-1                                                                                   prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device          \Driver\prohlp02 \Device\ProHlp02                                                                                               E1014770

    AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                       aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                     aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                        fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                        aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

    ---- Services - GMER 1.0.15 ----

    Service          (*** hidden *** )                                                                                                              [BOOT] kpgmh                                                                       <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg             HKLM\SYSTEM\CurrentControlSet\Services\kpgmh@Type                                                                               1
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\kpgmh@Start                                                                              0
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\kpgmh@ErrorControl                                                                       0
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\kpgmh@Group                                                                              Boot Bus Extender
    Reg             HKLM\SYSTEM\ControlSet002\Services\kpgmh@Type                                                                                   1
    Reg             HKLM\SYSTEM\ControlSet002\Services\kpgmh@Start                                                                                  0
    Reg             HKLM\SYSTEM\ControlSet002\Services\kpgmh@ErrorControl                                                                           0
    Reg             HKLM\SYSTEM\ControlSet002\Services\kpgmh@Group                                                                                  Boot Bus Extender
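The GMER log above illustrates the caution given earlier in the thread: every SSDT entry is tagged "<-- ROOTKIT !!!", yet the hooking driver named on each line is the avast! self-protection module or the SUPERAntiSpyware kernel helper, while the one entry with no owning driver at all is the hidden boot-start service kpgmh. The script below is an added example, not part of this thread and not part of GMER. It parses the three line types shown in the log (SSDT, hidden Service, Reg; the layouts are assumed from the posted lines, with runs of spaces condensed), groups the SSDT hooks by driver, checks them against an allow-list of security products that the analyst maintains (the list here is this example's own assumption), and decodes the Services\kpgmh registry values GMER dumped into the standard Windows service Type and Start constants.

```python
import re
from collections import defaultdict

# Sample lines copied from the GMER log posted above, with column padding condensed.
SAMPLE_GMER = r"""
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwClose [0xA528B6B8]  <-- ROOTKIT !!!
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwOpenProcess [0xA528B08C]  <-- ROOTKIT !!!
SSDT  \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com)  ZwTerminateProcess [0xA53470B0]  <-- ROOTKIT !!!
Service  (*** hidden *** )  [BOOT] kpgmh  <-- ROOTKIT !!!
Reg  HKLM\SYSTEM\CurrentControlSet\Services\kpgmh@Type  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\kpgmh@Start  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\kpgmh@Group  Boot Bus Extender
"""

# Line layouts assumed from the log above; module paths may contain spaces, so the
# module field runs non-greedily up to the parenthesised vendor description.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>.+?)\s+\((?P<vendor>[^)]*)\)\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]")
HIDDEN_SVC_RE = re.compile(
    r"^Service\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)")
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+)@(?P<value>\S+)\s+(?P<data>.*?)\s*$")

# Allow-list of drivers known to hook the SSDT legitimately on this machine (avast!
# self-protection and the SUPERAntiSpyware helper). This is the analyst's own list,
# an assumption of this example; GMER itself carries no such list.
EXPECTED_HOOKERS = {"aswsp.sys", "saskutil.sys"}

# Standard Windows service registry values.
SERVICE_TYPES = {1: "SERVICE_KERNEL_DRIVER", 2: "SERVICE_FILE_SYSTEM_DRIVER",
                 16: "SERVICE_WIN32_OWN_PROCESS", 32: "SERVICE_WIN32_SHARE_PROCESS"}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
               3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}


def basename(path):
    """Last component of a Windows/NT path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Collect SSDT hooks, hidden services and dumped registry values from a GMER log."""
    result = {"ssdt": [], "hidden_services": [], "registry": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SSDT_RE.match(line):
            result["ssdt"].append({"module": m["module"], "vendor": m["vendor"],
                                   "function": m["func"], "address": int(m["addr"], 16)})
        elif m := HIDDEN_SVC_RE.match(line):
            result["hidden_services"].append(m["name"])
        elif m := REG_RE.match(line):
            result["registry"][(m["key"], m["value"])] = m["data"]
    return result


def classify_hooks(ssdt):
    """Group SSDT hooks by hooking driver and mark whether that driver is allow-listed."""
    by_module = defaultdict(list)
    for hook in ssdt:
        by_module[basename(hook["module"])].append(hook["function"])
    return {mod: {"functions": sorted(funcs), "expected": mod in EXPECTED_HOOKERS}
            for mod, funcs in by_module.items()}


def decode(table, raw):
    return table.get(int(raw), raw) if raw is not None and raw.isdigit() else raw


def describe_service(registry, name):
    """Decode the Services\\<name> values GMER dumped, checking each control set."""
    def value(v):
        for cs in ("CurrentControlSet", "ControlSet001", "ControlSet002"):
            key = "\\".join(["HKLM", "SYSTEM", cs, "Services", name])
            if (key, v) in registry:
                return registry[(key, v)]
        return None
    return {"name": name, "type": decode(SERVICE_TYPES, value("Type")),
            "start": decode(START_TYPES, value("Start")), "group": value("Group")}


def findings(parsed):
    """What a reviewer should actually act on: hooks by drivers not on the allow-list,
    and hidden services with their decoded load parameters."""
    out = []
    for mod, info in classify_hooks(parsed["ssdt"]).items():
        if not info["expected"]:
            out.append("SSDT hooks by unlisted driver %s: %s" % (mod, ", ".join(info["functions"])))
    for name in parsed["hidden_services"]:
        svc = describe_service(parsed["registry"], name)
        out.append("hidden service %s: type=%s start=%s group=%s"
                   % (name, svc["type"], svc["start"], svc["group"]))
    return out


if __name__ == "__main__":
    for line in findings(parse_gmer(SAMPLE_GMER)):
        print(line)
```

On the sample the allow-listed hooks drop out and a single finding remains: a hidden kernel driver service that loads at boot in the Boot Bus Extender group, which is the entry the helper in the thread is referring to when they say the rootkit is visible. The allow-list is the part to maintain carefully; an unlisted hooker is a lead to investigate, not proof of infection, for exactly the false-positive reason given earlier.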


    Markwest

    Re: new worm?, avast doesn' know it
    « Reply #50 on: December 27, 2009, 12:01:53 AM »
    It started looking through my Warcraft add-ons at this point and made the log huge; will post them anyway
    if you want me to. It started looking through them and that is when the thing said a rootkit has changed a file, and that's why it stopped working. Will post after this post if you need me to.

    Offline oldman

    Re: new worm?, avast doesn' know it
    « Reply #51 on: December 27, 2009, 12:21:30 AM »
    Hi MarkWest,

    That's ok, we can see the rootkit. Let's see if we can get it before it changes.


    Please read through these instructions to familiarize yourself with what to expect when this tool runs.


    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.  Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.   
    4. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Markwest

    Re: new worm?, avast doesn' know it
    « Reply #52 on: December 27, 2009, 12:30:00 AM »
    Is there any way I can get the Microsoft Recovery Console onto my computer via a flash drive? I am not connected to the net on that machine currently, because every time I connect it starts messing up.

    From what I've seen so far the rootkit has stayed in the same file; I hope it stays that way  :'(

    Other than that, I may need to get some sleep soon, so I may have to get to this latest thing after a night's sleep.

    Offline oldman

    Re: new worm?, avast doesn' know it
    « Reply #53 on: December 27, 2009, 12:55:52 AM »
    Hi MarkWest,

    Yes we can do that.

    Whether you have XP Home or XP Pro determines which file to download.

    Home

    Pro

    To determine which file you need
    • Click your Start button
    • Right click on My Computer.
    • You will find the version on the General tab.
    Once you have found which version you need, click the appropriate link above.

    Download the file and transfer it to the infected computer's Desktop.

    Make sure the copy of combofix you have is also located on the desktop.

    With your left mouse button, drag the file onto the combofix icon as shown below. This will start combofix so don't do anything else. Also make sure your security programs have been disabled per the previous instructions.

    note: If the attached image is not animated, click it.

    « Last Edit: December 27, 2009, 01:01:33 AM by oldman »

    Markwest

    Re: new worm?, avast doesn' know it
    « Reply #54 on: December 27, 2009, 03:30:06 PM »
    Can it take a while to create a system restore point? It doesn't sound like it's doing anything. After I accepted the agreements I haven't touched my machine, and it seems to still be on "attempting to create a system restore point".

    If it shouldn't be taking a while to do this, should I restart my computer and try again?

    Edit: oh, no worries, it carried on like 1 min later hehe

    Markwest

    Re: new worm?, avast doesn' know it
    « Reply #55 on: December 27, 2009, 03:50:38 PM »
    ComboFix 09-12-26.01 - Mark 27/12/2009  14:30:13.1.4 - x86
    Microsoft Windows XP Professional  5.1.2600.2.1252.44.1033.18.3327.2930 [GMT 0:00]
    Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Mark\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    AV: avast! antivirus 4.8.1368 [VPS 091225-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\Mark\Local Settings\Application Data\{FFC6B7D5-902E-4EBD-9177-7C584223F0D8}
    c:\documents and settings\Mark\Local Settings\Application Data\{FFC6B7D5-902E-4EBD-9177-7C584223F0D8}\chrome.manifest
    c:\documents and settings\Mark\Local Settings\Application Data\{FFC6B7D5-902E-4EBD-9177-7C584223F0D8}\chrome\content\_cfg.js
    c:\documents and settings\Mark\Local Settings\Application Data\{FFC6B7D5-902E-4EBD-9177-7C584223F0D8}\chrome\content\overlay.xul
    c:\documents and settings\Mark\Local Settings\Application Data\{FFC6B7D5-902E-4EBD-9177-7C584223F0D8}\install.rdf
    c:\recycler\NPROTECT
    c:\temp\1cb
    c:\temp\1cb\syscheck.log
    c:\windows\jestertb.dll
    c:\windows\obipufic.dll
    c:\windows\system32\ekafelat.ini
    c:\windows\system32\iyanusuf.ini
    c:\windows\system32\SIntf16.dll
    c:\windows\system32\ububimem.ini
    c:\windows\Tasks\dvadaeqn.job
    E:\install.exe

    ----- BITS: Possible infected sites -----

    hxxp://download.xbox.com:80
    .
    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TDSSSERV.SYS


    (((((((((((((((((((((((((   Files Created from 2009-11-27 to 2009-12-27  )))))))))))))))))))))))))))))))
    .

    2009-12-26 09:30 . 2009-12-26 09:30   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-12-26 02:24 . 2009-12-26 02:24   52224   ----a-w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2009-12-26 02:20 . 2009-12-26 02:24   117760   ----a-w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-12-26 02:19 . 2009-12-26 02:19   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-12-26 02:18 . 2009-12-26 02:18   --------   d-----w-   c:\program files\SUPERAntiSpyware
    2009-12-26 02:18 . 2009-12-26 02:18   --------   d-----w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com
    2009-12-26 02:17 . 2009-12-26 02:13   2386270   ----a-w-   C:\MGtools.exe
    2009-12-26 01:48 . 2009-12-26 01:47   411368   ----a-w-   c:\windows\system32\deploytk.dll
    2009-12-26 01:47 . 2009-12-26 01:47   --------   d-----w-   c:\program files\Java
    2009-12-25 13:52 . 2009-12-25 13:52   --------   d-----w-   c:\documents and settings\Mark\.kde
    2009-12-25 09:45 . 2009-12-25 09:45   4844295   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-12-25 00:46 . 2009-12-27 14:07   0   ----a-w-   c:\windows\Igaqofevinuyoz.bin
    2009-12-25 00:46 . 2009-12-25 00:46   120   ----a-w-   c:\windows\Avasub.dat
    2009-12-25 00:43 . 2009-12-27 14:35   714752   ----a-w-   c:\windows\system32\drivers\kpgmh.sys
    2009-12-25 00:43 . 2009-12-25 09:45   116   ----a-w-   c:\windows\system32\fjhdyfhsn.bat
    2009-12-16 21:46 . 2009-09-04 17:44   515416   ----a-w-   c:\windows\system32\XAudio2_5.dll
    2009-12-16 21:46 . 2009-09-04 17:44   238936   ----a-w-   c:\windows\system32\xactengine3_5.dll
    2009-12-16 21:46 . 2009-09-04 17:29   1974616   ----a-w-   c:\windows\system32\D3DCompiler_42.dll
    2009-12-16 21:46 . 2009-09-04 17:29   5501792   ----a-w-   c:\windows\system32\d3dcsx_42.dll
    2009-12-16 21:46 . 2009-09-04 17:29   235344   ----a-w-   c:\windows\system32\d3dx11_42.dll
    2009-12-16 21:45 . 2009-12-16 21:46   --------   d--h--w-   c:\windows\msdownld.tmp
    2009-12-09 15:38 . 2009-12-09 15:38   --------   d-----w-   c:\program files\Microsoft
    2009-12-04 05:32 . 2009-09-04 17:29   453456   ----a-w-   c:\windows\system32\d3dx10_42.dll
    2009-12-04 05:32 . 2009-09-04 17:29   1892184   ----a-w-   c:\windows\system32\D3DX9_42.dll
    2009-12-02 23:21 . 2009-12-02 23:21   --------   d-----w-   c:\documents and settings\Mark\Local Settings\Application Data\Thunderbird
    2009-12-02 23:21 . 2009-12-02 23:21   --------   d-----w-   c:\documents and settings\Mark\Application Data\Thunderbird
    2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\GNU
    2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\LocalService\Application Data\gnupg
    2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\Mark\Application Data\gnupg
    2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\GNU
    2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-

    Markwest

    Re: new worm?, avast doesn' know it
    « Reply #56 on: December 27, 2009, 03:51:45 PM »

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-27 14:35 . 2008-05-07 16:19   --------   d-----w-   c:\documents and settings\Mark\Application Data\OpenOffice.org2
    2009-12-27 14:35 . 2009-02-05 13:05   --------   d-----w-   c:\program files\DNA
    2009-12-27 14:35 . 2009-02-05 13:05   --------   d-----w-   c:\documents and settings\Mark\Application Data\DNA
    2009-12-27 14:35 . 2009-02-20 09:52   --------   d-----w-   c:\program files\Steam
    2009-12-26 02:18 . 2008-05-18 11:04   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
    2009-12-26 02:05 . 2008-08-04 05:26   --------   d-----w-   c:\program files\EA Games
    2009-12-26 02:03 . 2009-02-20 04:33   --------   d-----w-   c:\program files\Konami
    2009-12-26 02:00 . 2008-04-26 03:44   --------   d-----w-   c:\program files\THQ
    2009-12-26 02:00 . 2008-09-04 13:02   --------   d-----w-   c:\program files\Three Rings Design
    2009-12-25 09:45 . 2008-12-15 23:26   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
    2009-12-25 03:34 . 2009-09-24 02:54   --------   d-----w-   c:\program files\Pando Networks
    2009-12-24 17:13 . 2008-06-11 16:29   --------   d-----w-   c:\program files\mIRC
    2009-12-21 04:14 . 2008-05-07 16:20   1   ----a-w-   c:\documents and settings\Mark\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
    2009-12-20 11:52 . 2008-05-18 11:04   --------   d-----w-   c:\program files\AGEIA Technologies
    2009-12-18 23:13 . 2008-12-09 03:13   --------   d-----w-   c:\program files\World of Warcraft
    2009-12-10 10:33 . 2008-04-25 13:50   --------   d-----w-   c:\documents and settings\Mark\Application Data\.purple
    2009-12-04 06:11 . 2008-10-29 11:04   104   ----a-w-   c:\windows\popcinfot.dat
    2009-12-03 16:14 . 2008-12-15 23:26   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-03 16:13 . 2008-12-15 23:26   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
    2009-11-30 03:11 . 2009-11-22 21:06   --------   d-----w-   c:\program files\FantasyGrounds
    2009-11-27 14:16 . 2008-04-25 15:47   --------   d-----w-   c:\documents and settings\Mark\Application Data\gtk-2.0
    2009-11-24 23:54 . 2008-12-15 02:08   1280480   ----a-w-   c:\windows\system32\aswBoot.exe
    2009-11-24 23:51 . 2008-12-15 02:08   93424   ----a-w-   c:\windows\system32\drivers\aswmon.sys
    2009-11-24 23:50 . 2008-12-15 02:08   94160   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
    2009-11-24 23:50 . 2008-12-15 02:08   114768   ----a-w-   c:\windows\system32\drivers\aswSP.sys
    2009-11-24 23:50 . 2008-12-15 02:08   20560   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
    2009-11-24 23:49 . 2008-12-15 02:08   48560   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
    2009-11-24 23:48 . 2008-12-15 02:08   23120   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
    2009-11-24 23:47 . 2008-12-15 02:08   27408   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
    2009-11-24 23:47 . 2008-12-15 02:08   97480   ----a-w-   c:\windows\system32\AvastSS.scr
    2009-11-22 21:12 . 2009-11-22 21:12   --------   d-----w-   c:\program files\LogMeIn Hamachi
    2009-11-22 21:12 . 2009-04-29 23:42   --------   d-----w-   c:\documents and settings\Mark\Application Data\Hamachi
    2009-11-19 22:36 . 2008-11-19 16:41   --------   d-----w-   c:\program files\ooVoo
    2009-11-06 10:59 . 2009-11-06 10:59   15406728   ----a-w-   c:\windows\system32\xlive.dll
    2009-11-06 10:59 . 2009-11-06 10:59   13642888   ----a-w-   c:\windows\system32\xlivefnt.dll
    2009-11-06 04:09 . 2009-11-06 04:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\BioWare
    2009-11-03 10:28 . 2009-11-03 10:28   --------   d-----w-   c:\documents and settings\Mark\Application Data\runic games
    2009-11-01 16:51 . 2009-11-01 16:48   --------   d-----w-   c:\documents and settings\Mark\Application Data\Red Alert 3 Uprising
    2009-10-29 19:34 . 2009-10-29 04:59   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
    2009-10-29 04:59 . 2009-10-29 04:59   1925024   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
    2009-10-28 14:45 . 2009-10-28 14:45   --------   d-----w-   c:\program files\PC Suite
    2009-10-28 14:45 . 2008-04-22 11:19   --------   d--h--w-   c:\program files\InstallShield Installation Information
    .

    Markwest

    Re: new worm?, avast doesn' know it
    « Reply #57 on: December 27, 2009, 03:52:27 PM »

    ------- Sigcheck -------

    [-] 2007-12-19 . 3702A9C76696A70323330FD3879A5408 . 1589248 . . [5.1.2600.3186] . . c:\windows\system32\sfcfiles.dll

    [7] 2007-07-27 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ctfmon.exe

    c:\windows\System32\ctfmon.exe ... is missing !!
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-13 3660848]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
    "EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
    "oovoo.exe"="c:\program files\ooVoo\oovoo.exe" [2009-10-12 17507000]
    "Steam"="c:\program files\steam\steam.exe" [2009-10-24 1217808]
    "VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-02-24 3558136]
    "NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-10 1937408]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
    "nwiz"="nwiz.exe" [2007-12-05 1626112]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
    "CTHelper"="CTHELPER.EXE" [2008-02-20 19456]
    "CTxfiHlp"="CTXFIHLP.EXE" [2008-02-20 19968]
    "BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-26 149280]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2007-07-27 53760]

    c:\documents and settings\Mark\Start Menu\Programs\Startup\
    OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 14:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    Markwest

    • Guest
    Re: new worm?, avast doesn' know it
    « Reply #58 on: December 27, 2009, 03:53:09 PM »

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
    "c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
    "c:\\Program Files\\Cyanide\\GameCenter\\GameCenter.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Namco Bandai Games\\Warhammer Mark of Chaos\\Warhammer.exe"=
    "c:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"=
    "c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
    "c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Ntreev\\Grand Chase\\main.exe"=
    "c:\\Program Files\\SecondLife\\SLVoice.exe"=
    "c:\\Program Files\\Wizards of the Coast\\Magic Online III\\Renamer.exe"=
    "c:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
    "c:\\Program Files\\ooVoo\\ooVoo.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Outspark\\WindSlayer\\WindSlayer.exe"=
    "c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
    "c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
    "c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
    "c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\dawn of war 2\\DOW2.exe"=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
    "c:\\Program Files\\Apprentice\\Appr.exe"=
    "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
    "c:\\Program Files\\World of Warcraft\\Launcher.exe"=
    "c:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
    "c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
    "c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\patchget.dat"=
    "c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.1.1.9835-to-3.1.2.9901-enUS-downloader.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\overlord ii\\Overlord2.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\overlord ii\\Config.exe"=
    "c:\\Program Files\\Electronic Arts\\BattleForge\\Bootstrapper.exe"=
    "c:\\Program Files\\Electronic Arts\\BattleForge\\BattleForge.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\bookworm adventures volume 2\\BookwormAdventuresVol2.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
    "c:\\Program Files\\Cyanide\\Blood Bowl\\Autorun\\Exe\\Autorun.exe"=
    "c:\\Program Files\\Cyanide\\Blood Bowl\\BB.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
    "c:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
    "c:\\Program Files\\Dragon Age Origins Character Creator\\bin_ship\\DAOCharacterCreator.exe"=
    "c:\\Program Files\\Dragon Age Origins Character Creator\\DAOriginsLauncher.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\command and conquer red alert 3 uprising\\RA3EP1.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\dragon age origins\\bin_ship\\daupdatersvc.service.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\zuma's revenge\\ZumasRevenge.exe"=
    "c:\\Program Files\\FantasyGrounds\\FantasyGrounds.exe"=
    "c:\\Program Files\\Steam\\steam.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\dragon age origins\\bin_ship\\DAOrigins.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\dragon age origins\\DAOriginsLauncher.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\torchlight\\Torchlight.exe"=
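The three posts above (Reply #57 and #58) carry the parts of the ComboFix log that decide whether the machine is still infected: the Sigcheck block (a System32 binary reported missing while its dllcache copy is intact), the Security Center "DisableMonitoring" values, the Run keys, the firewall AuthorizedApplications list, and the orphaned Run entry pointing at a DLL dropped directly under c:\windows. The script below is an added example, written for this page; it is not ComboFix's code and not anything the poster ran. It parses a constructed excerpt assembled from lines of the posted log and flags those patterns. The location heuristics (Windows root, Downloaded Program Files, temp and profile directories) are the author's assumptions about where legitimate software rarely starts from, not a rule ComboFix applies, and anything they flag still needs a manual look.

```python
"""Triage a ComboFix-style log excerpt: missing system files, disabled Security
Center monitoring, and autostart/firewall entries in suspect locations.
Added example; not ComboFix code and not something posted in the thread."""
import re

# Constructed excerpt: lines copied from the posted log (plus its orphan line)
# so the script runs offline. In real use, read the whole saved log instead.
SAMPLE_LOG = r"""
------- Sigcheck -------
[-] 2007-12-19 . 3702A9C76696A70323330FD3879A5408 . 1589248 . . [5.1.2600.3186] . . c:\windows\system32\sfcfiles.dll
[7] 2007-07-27 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ctfmon.exe
c:\windows\System32\ctfmon.exe ... is missing !!
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-13 3660848]
"Steam"="c:\program files\steam\steam.exe" [2009-10-24 1217808]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Asaxugesavadeb - c:\windows\obipufic.dll
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
SIGCHECK_RE = re.compile(r"^\[(?P<mark>[^\]]*)\] (?P<date>\S+) \. (?P<md5>[0-9A-Fa-f]{32}) \. "
                         r"(?P<size>\d+) \. \. \[(?P<ver>[^\]]+)\] \. \. (?P<path>.+)$")
MISSING_RE = re.compile(r"^(?P<path>\S.*?) \.\.\. is missing !!$")
ORPHAN_RE = re.compile(r"^HKLM-Run-(?P<name>\S+) - (?P<target>.+)$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
TARGET_RE = re.compile(r'^"(?P<path>[^"]*)"')  # quoted path before the [date size] suffix

# Assumed heuristic: directories where legitimate autostarts/whitelist entries are rare.
SUSPECT_MARKERS = ("\\downloaded program files\\", "\\local settings\\temp\\",
                   "\\temp\\", "\\application data\\")


def _norm(path):
    """Lower-case and collapse the doubled backslashes of REGEDIT4 exports."""
    return path.strip().strip('"').replace("\\\\", "\\").lower()


def _is_suspect_location(path):
    p = _norm(path)
    if any(marker in p for marker in SUSPECT_MARKERS):
        return True
    parent = p.rsplit("\\", 1)[0] if "\\" in p else ""
    return parent in ("c:\\windows", "%windir%")  # file dropped straight into the Windows root


def parse_log(text):
    """Split the log into registry sections, Sigcheck rows, missing files and orphans."""
    parsed = {"sections": {}, "sigcheck": [], "missing": [], "orphans": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            current = m.group("key").lower()
            parsed["sections"].setdefault(current, [])
        elif (m := SIGCHECK_RE.match(line)):
            parsed["sigcheck"].append({k: m.group(k) for k in ("mark", "md5", "size", "ver")}
                                      | {"path": _norm(m.group("path"))})
        elif (m := MISSING_RE.match(line)):
            parsed["missing"].append(_norm(m.group("path")))
        elif (m := ORPHAN_RE.match(line)):
            parsed["orphans"].append((m.group("name"), _norm(m.group("target"))))
        elif (m := VALUE_RE.match(line)) and current is not None:
            parsed["sections"][current].append((m.group("name"), m.group("value").strip()))
    return parsed


def missing_with_dllcache_copy(parsed):
    """Missing System32 files, paired with whether an intact dllcache copy (WFP cache)
    was listed, i.e. whether the file can be restored from the cache after cleanup."""
    cache = {e["path"].rsplit("\\", 1)[-1] for e in parsed["sigcheck"] if "\\dllcache\\" in e["path"]}
    return [(path, path.rsplit("\\", 1)[-1] in cache) for path in parsed["missing"]]


def security_center_disabled(parsed):
    """Security Center Monitoring keys with DisableMonitoring set to 1."""
    return sorted(key for key, values in parsed["sections"].items()
                  if "security center\\monitoring" in key
                  and any(n.lower() == "disablemonitoring" and v.lower().endswith("00000001")
                          for n, v in values))


def suspect_paths(parsed):
    """Autostart, firewall-whitelist and orphaned Run entries in suspect locations."""
    hits = []
    for key, values in parsed["sections"].items():
        if re.search(r"\\run(once)?$", key):
            for name, value in values:
                if (m := TARGET_RE.match(value)) and _is_suspect_location(m.group("path")):
                    hits.append(("autostart", name, _norm(m.group("path"))))
        elif key.endswith("authorizedapplications\\list"):
            for name, _ in values:
                if _is_suspect_location(name):
                    hits.append(("firewall-allowed", name, _norm(name)))
    for name, target in parsed["orphans"]:
        if _is_suspect_location(target):
            hits.append(("orphan-run", name, target))
    return hits


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("missing (dllcache copy present?):", missing_with_dllcache_copy(parsed))
    print("Security Center monitoring disabled:", security_center_disabled(parsed))
    for kind, name, path in suspect_paths(parsed):
        print(f"suspect {kind}: {name} -> {path}")
```

On this excerpt the script reports ctfmon.exe missing from System32 with a dllcache copy available, three Security Center keys with monitoring switched off (a setting malware commonly flips so the user gets no "antivirus is off" warning; the Symantec subkeys are worth noting because no Symantec product appears in the startup list), and two location hits: PurpleBean.exe whitelisted in the firewall from Downloaded Program Files, and the orphaned Run entry for obipufic.dll directly under c:\windows. Legitimate DLL autostarts like NvCpl.dll under system32 are not flagged.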

    Markwest

    • Guest
    Re: new worm?, avast doesn' know it
    « Reply #59 on: December 27, 2009, 03:53:54 PM »

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "443:TCP"= 443:TCP:ooVoo TCP port 443
    "443:UDP"= 443:UDP:ooVoo UDP port 443
    "37674:TCP"= 37674:TCP:ooVoo TCP port 37674
    "37674:UDP"= 37674:UDP:ooVoo UDP port 37674
    "37675:UDP"= 37675:UDP:ooVoo UDP port 37675
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
    "37676:TCP"= 37676:TCP:ooVoo TCP port 37676
    "37676:UDP"= 37676:UDP:ooVoo UDP port 37676
    "37677:UDP"= 37677:UDP:ooVoo UDP port 37677

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [15/12/2008 02:08 114768]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16:26 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 74480]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [15/12/2008 02:08 20560]
    R2 DirMngr;DirMngr;c:\program files\GNU\GnuPG\dirmngr.exe [28/09/2009 16:15 242176]
    R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [29/10/2009 12:27 1074568]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 7408]
    S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Steam\SteamApps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [06/11/2009 01:10 25832]
    S3 EraserUtilDrv10633;EraserUtilDrv10633;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10633.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10633.sys [?]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
    S3 XDva226;XDva226;\??\c:\windows\system32\XDva226.sys --> c:\windows\system32\XDva226.sys [?]
    S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [28/10/2009 14:45 105216]
    S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [28/10/2009 14:45 105216]
    S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [28/10/2009 14:45 105216]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - kpgmh
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.virginmedia.com
    Trusted Zone: com.tw\asia.msi
    Trusted Zone: com.tw\global.msi
    Trusted Zone: com.tw\www.msi
    DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\tz9chjai.default\
    FF - plugin: c:\documents and settings\Mark\My Documents\Sparkplay Media\Sparkplayer (Beta)\npSparkPlayerNS.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
    FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-Asaxugesavadeb - c:\windows\obipufic.dll