
Rootkit infection


Ok here is a link to my post in the virus forum. I decided, without waiting, to go ahead and post a HiJackThis log here as well.




Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 3:20:28 PM, on 21/01/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal


Running processes:













D:\Jaret\Programs\Anti-Virus\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe



C:\Program Files\Razer\Lycosa\razerhid.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe


C:\Program Files\Pando Networks\Media Booster\PMB.exe

C:\Program Files\Razer\Lycosa\razertra.exe





R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE


O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Lycosa] "C:\Program Files\Razer\Lycosa\razerhid.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')


O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1231553025359

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/webgames/popcaploader_v10.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Jaret\Programs\Anti-Virus\Avira\AntiVir Desktop\sched.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)


Hello there :cool: Welcome to the PCPitstop Forums.

My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.



Please note the following:

  • The fixes are specific to your problem and should only be used on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
  • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
Step 1


Download OTS to your Desktop

  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - NetSvcs
    • Reg - Shell Spawning
    • Reg - Uninstall List
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Please paste the contents of the following codebox into the Custom Scans box at the bottom
%systemroot%\*. /mp /s
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post. To do so click on the "New Reply" button and use the "Browse.." button and the "Add This Attachment" button to add it.


To ensure that I get all the information this log will need to be attached. If it is too large to attach then upload it to Dropio and post the sharing link/url (The Drop's URL will be similar to : http:://drop.io/daerk)


Step 2


Download the GMER Rootkit Scanner. Unzip it to your Desktop.


Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.


Double-click gmer.exe. The program will begin to run.



These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.

    Once the scan is complete, you may receive another notice about rootkit activity.

  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

Ok NeonFx, I have the results of the GMER scan but not the OTS. I set up the OTS as you had in your post, but it got to the Manual Scan part, then it froze. I checked in the task manager and it said it was not responding. Let me know what you want me to try next, either with the OTS or something else. Here is the GMER log.


GMER - http://www.gmer.net

Rootkit scan 2010-01-21 19:48:53

Windows 5.1.2600 Service Pack 2

Running: gmer.exe; Driver: C:\DOCUME~1\BROADS~1\LOCALS~1\Temp\awtdqpow.sys



---- System - GMER 1.0.15 ----


SSDT F8B5D956 ZwCreateKey

SSDT F8B5D94C ZwCreateThread

SSDT F8B5D95B ZwDeleteKey

SSDT F8B5D965 ZwDeleteValueKey

SSDT F8B5D96A ZwLoadKey

SSDT F8B5D938 ZwOpenProcess

SSDT F8B5D93D ZwOpenThread

SSDT F8B5D974 ZwReplaceKey

SSDT F8B5D96F ZwRestoreKey

SSDT F8B5D960 ZwSetValueKey

SSDT F8B5D947 ZwTerminateProcess


---- Kernel code sections - GMER 1.0.15 ----


.rsrc C:\WINDOWS\system32\drivers\IdeChnDr.sys entry point in ".rsrc" section [0xF84787A4]

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF7986000, 0x1BDE76, 0xE8000020]


---- Devices - GMER 1.0.15 ----


Device -> \Driver\IdeChnDr \Device\Harddisk0\DR0 82315618


---- Files - GMER 1.0.15 ----


File C:\WINDOWS\system32\drivers\IdeChnDr.sys suspicious modification


Good Job :) I can see the cause of your problems and you're right. It is a rootkit. This one in particular infects a hard drive driver in order to load itself every time at bootup.


Let's try the following:



NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.


Download ComboFix from one of these locations:


Link 1

Link 2



* IMPORTANT !!! Save ComboFix.exe to your Desktop



  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Disabling Security Programs
  • Double click on ComboFix.exe & follow the prompts.


    Note: Combofix will run without the Recovery Console installed.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.




1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you please let me know. An increasing number of infections are spreading using Autoplay and leaving it disabled is a good idea.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

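A way to triage the GMER log posted earlier in this thread, as an added example that is not part of the original posts or of GMER itself: it groups findings by driver and counts how many separate GMER sections name each one, so a driver flagged from several angles stands out from one with a single finding. The two-section threshold and the verdict labels are assumptions of this example.

```python
import ntpath
import re
from collections import defaultdict

# GMER output copied from the log posted in this thread (blank lines dropped).
GMER_LOG = r'''
---- System - GMER 1.0.15 ----
SSDT F8B5D956 ZwCreateKey
SSDT F8B5D94C ZwCreateThread
SSDT F8B5D95B ZwDeleteKey
SSDT F8B5D965 ZwDeleteValueKey
SSDT F8B5D96A ZwLoadKey
SSDT F8B5D938 ZwOpenProcess
SSDT F8B5D93D ZwOpenThread
SSDT F8B5D974 ZwReplaceKey
SSDT F8B5D96F ZwRestoreKey
SSDT F8B5D960 ZwSetValueKey
SSDT F8B5D947 ZwTerminateProcess
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\drivers\IdeChnDr.sys entry point in ".rsrc" section [0xF84787A4]
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF7986000, 0x1BDE76, 0xE8000020]
---- Devices - GMER 1.0.15 ----
Device -> \Driver\IdeChnDr \Device\Harddisk0\DR0 82315618
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\IdeChnDr.sys suspicious modification
'''

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\w+)$")
DEVICE_RE = re.compile(r"^Device\s+->\s+\\Driver\\(\S+)\s+(\\Device\\\S+)")
SYS_PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.sys\b", re.IGNORECASE)


def driver_key(name):
    """Normalise 'C:\\...\\IdeChnDr.sys' and 'IdeChnDr' to the same key."""
    return ntpath.splitext(ntpath.basename(name))[0].lower()


def parse_gmer(log_text):
    """Return (ssdt_hooks, drivers) where drivers maps driver -> section -> findings."""
    ssdt = []
    drivers = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = SSDT_RE.match(line)
        if m:
            ssdt.append((int(m.group(1), 16), m.group(2)))
            continue
        m = DEVICE_RE.match(line)
        if m:
            drivers[driver_key(m.group(1))][section].append("attached to " + m.group(2))
            continue
        m = SYS_PATH_RE.search(line)
        if m and section:
            # Everything after the driver path is GMER's description of the finding.
            drivers[driver_key(m.group(0))][section].append(line[m.end():].strip())
    return ssdt, drivers


def triage(log_text, min_sections=2):
    """Rank drivers by how many independent GMER sections mention them.

    min_sections is this example's own threshold, not a GMER setting.
    """
    _, drivers = parse_gmer(log_text)
    report = []
    for name, by_section in drivers.items():
        sections = sorted(by_section)
        verdict = "corroborated" if len(sections) >= min_sections else "single finding"
        report.append((name, verdict, sections))
    report.sort(key=lambda r: (-len(r[2]), r[0]))
    return report


def ssdt_summary(log_text):
    """Count SSDT hooks and give the address range their handlers fall in."""
    ssdt, _ = parse_gmer(log_text)
    addrs = [addr for addr, _ in ssdt]
    if not addrs:
        return {"hooks": 0}
    return {"hooks": len(addrs), "lowest": min(addrs), "highest": max(addrs)}


if __name__ == "__main__":
    for name, verdict, sections in triage(GMER_LOG):
        print(f"{name:10s} {verdict:15s} {', '.join(sections)}")
    s = ssdt_summary(GMER_LOG)
    print(f"SSDT hooks: {s['hooks']} in {s['lowest']:08X}-{s['highest']:08X}")
```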

Okie Dokie NeonFx, here is the log from Combofix, please tell me good news!


ComboFix 10-01-21.01 - broadsword 21/01/2010 21:23:03.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.511.283 [GMT -5:00]

Running from: c:\documents and settings\broadsword\Desktop\ComboFix.exe



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



c:\documents and settings\heather\Application Data\Microsoft\Internet Explorer\Quick Launch\SUPERAntiSpyware Free Edition.lnk

c:\program files\autorun.inf

c:\windows\Downloaded Program Files\popcaploader.inf



Infected copy of c:\windows\system32\DRIVERS\IdeChnDr.sys was found and disinfected

Restored copy from - Kitty ate it :P


((((((((((((((((((((((((( Files Created from 2009-12-22 to 2010-01-22 )))))))))))))))))))))))))))))))



2010-01-21 20:19 . 2010-01-21 20:19 388096 ----a-r- c:\documents and settings\broadsword\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

2010-01-21 18:52 . 2010-01-21 18:52 2 --shatr- c:\windows\winstart.bat

2010-01-21 18:52 . 2010-01-21 19:02 -------- d-----w- c:\program files\UnHackMe

2010-01-20 19:08 . 2010-01-20 19:08 -------- d-----w- c:\documents and settings\broadsword\Application Data\Malwarebytes

2010-01-20 19:08 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-20 19:08 . 2010-01-20 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-01-20 19:08 . 2010-01-20 19:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-20 19:08 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-14 21:24 . 2010-01-14 21:24 -------- d-----w- c:\documents and settings\heather\Local Settings\Application Data\Mozilla

2010-01-14 21:21 . 2010-01-14 21:21 -------- d-----w- c:\documents and settings\The Boys\Local Settings\Application Data\Mozilla

2010-01-13 16:57 . 2010-01-13 16:57 -------- d-----w- c:\documents and settings\broadsword\Application Data\Turbine

2010-01-13 16:57 . 2010-01-13 16:57 133 ----a-w- c:\documents and settings\broadsword\Local Settings\Application Data\fusioncache.dat

2010-01-13 16:57 . 2010-01-13 16:57 -------- d-----w- c:\documents and settings\broadsword\Local Settings\Application Data\Turbine

2010-01-13 11:12 . 2010-01-13 11:13 -------- d-----w- c:\documents and settings\heather\Local Settings\Application Data\ApplicationHistory

2010-01-13 04:21 . 2010-01-13 23:03 -------- d-----w- c:\documents and settings\broadsword\Local Settings\Application Data\ApplicationHistory

2010-01-13 04:18 . 2010-01-13 04:18 -------- d-----w- c:\windows\system32\URTTEMP

2010-01-12 23:01 . 2010-01-22 02:32 -------- d-----w- c:\documents and settings\broadsword\Local Settings\Application Data\PMB Files

2010-01-12 23:01 . 2010-01-13 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files

2010-01-12 23:00 . 2010-01-12 23:00 -------- d-----w- c:\program files\Pando Networks

2009-12-29 18:30 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-12-29 18:30 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-12-29 18:30 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-12-29 18:30 . 2009-12-29 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-12-27 21:05 . 2009-12-29 02:33 52224 ----a-w- c:\documents and settings\heather\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2009-12-27 21:03 . 2009-12-29 02:33 117760 ----a-w- c:\documents and settings\heather\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-12-27 21:02 . 2009-12-27 21:02 -------- d-----w- c:\documents and settings\heather\Application Data\SUPERAntiSpyware.com

2009-12-26 23:49 . 2009-12-28 04:16 -------- d-----w- c:\documents and settings\broadsword\Application Data\QuickScan



(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


2010-01-21 16:21 . 2007-11-26 23:50 101431 ----a-w- c:\windows\system32\drivers\IdeChnDr.sys

2010-01-21 00:56 . 2009-01-10 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-01-20 23:59 . 2009-06-13 14:50 117760 ----a-w- c:\documents and settings\broadsword\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-01-20 23:37 . 2009-12-21 18:40 52224 ----a-w- c:\documents and settings\broadsword\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-01-20 20:01 . 2009-01-10 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-01-19 00:27 . 2009-01-10 04:17 -------- d-----w- c:\program files\Common Files\Adobe

2010-01-04 20:41 . 2009-05-03 14:00 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-12-29 02:22 . 2009-07-04 00:15 -------- d-----w- c:\program files\Defraggler

2009-12-26 23:57 . 2007-11-26 23:50 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-12-20 01:01 . 2009-12-20 01:01 4608 ----a-w- c:\windows\system32\w95inf32.dll

2009-12-20 01:01 . 2009-12-20 01:01 2272 ----a-w- c:\windows\system32\w95inf16.dll

2009-12-18 22:14 . 2009-01-10 03:58 -------- d-----w- c:\program files\Mozilla Thunderbird

2009-12-07 00:02 . 2009-11-01 12:32 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2009-11-29 02:12 . 2009-11-29 02:12 98304 ----a-w- c:\windows\system32\CmdLineExt.dll

2009-11-29 02:00 . 2009-11-29 02:00 -------- d-----w- c:\documents and settings\broadsword\Application Data\Leadertech

2009-11-23 18:11 . 2009-01-11 19:00 -------- d-----w- c:\program files\Java

2009-11-23 18:10 . 2009-11-23 18:10 152576 ----a-w- c:\documents and settings\broadsword\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-11-23 18:10 . 2009-11-23 18:10 79488 ----a-w- c:\documents and settings\broadsword\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-11-15 02:43 . 2009-11-12 01:20 2083786840 ----a-w- c:\documents and settings\broadsword\Application Data\ijjigame\U_SUN_setup.exe

2009-10-28 13:31 . 2009-10-28 13:31 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2008-11-26 20:07 . 2009-04-24 18:08 4822 ----a-w- c:\program files\install.ini

2008-11-26 20:02 . 2009-04-24 18:11 1222776 ----a-w- c:\program files\check.md

2008-11-26 20:02 . 2009-04-24 18:10 660612519 ----a-w- c:\program files\data1.pck

2008-11-26 20:02 . 2009-04-24 18:08 623501266 ----a-w- c:\program files\data4.pck

2008-11-26 20:02 . 2009-04-24 18:08 1196032 ----a-w- c:\program files\install.exe

2008-11-26 20:00 . 2009-04-24 18:09 660569555 ----a-w- c:\program files\data3.pck

2008-11-26 19:57 . 2009-04-24 18:10 660636086 ----a-w- c:\program files\data2.pck

2008-08-04 18:52 . 2009-04-24 18:11 29256 ----a-w- c:\program files\CopyRight.txt

2005-07-14 19:12 . 2009-04-24 18:08 4150 ----a-w- c:\program files\icon.ico

2005-05-10 22:54 . 2009-04-24 18:08 258352 ----a-w- c:\program files\unicows.dll

2000-09-15 19:51 . 2009-04-24 18:08 372736 ----a-w- c:\program files\ijl15.dll



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))



*Note* empty entries & legit default entries are not shown




"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-01-12 2935480]



"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]

"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]

"Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2008-10-16 147456]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]



"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 15:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-11-07 21:41 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll





[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup


[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]

2009-03-02 17:08 209153 ----a-w- d:\jaret\Programs\Anti-Virus\Avira\AntiVir Desktop\avgnt.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

2009-02-04 03:21 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe



"EnableFirewall"= 0 (0x0)




"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=



"56096:TCP"= 56096:TCP:Pando Media Booster

"56096:UDP"= 56096:UDP:Pando Media Booster



"AllowInboundEchoRequest"= 1 (0x1)


R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [15/01/2009 3:17 PM 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [15/01/2009 3:17 PM 55024]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\jaret\Programs\Anti-Virus\Avira\AntiVir Desktop\sched.exe [29/12/2009 1:30 PM 108289]

R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [02/06/2009 6:51 PM 16896]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15/01/2009 3:17 PM 7408]

S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [16/07/2009 7:55 PM 3968]

S3 XDva264;XDva264;\??\c:\windows\system32\XDva264.sys --> c:\windows\system32\XDva264.sys [?]



------- Supplementary Scan -------


uStart Page = hxxp://www.google.ca/

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab

FF - ProfilePath - c:\documents and settings\broadsword\Application Data\Mozilla\Firefox\Profiles\devbcyzd.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll



FF - user.js: yahoo.homepage.dontask - true.

- - - - ORPHANS REMOVED - - - -


ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)






catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-21 21:31

Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully

hidden files: 0





"ImagePath"="c:\windows\system32\GameMon.des -service"


--------------------- DLLs Loaded Under Running Processes ---------------------


- - - - - - - > 'winlogon.exe'(660)

c:\program files\SUPERAntiSpyware\SASWINLO.dll


c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll


- - - - - - - > 'explorer.exe'(828)





------------------------ Other Running Processes ------------------------






c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe


c:\program files\Razer\Lycosa\razertra.exe




Completion time: 2010-01-21 21:36:11 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-22 02:36


Pre-Run: 18,026,188,800 bytes free

Post-Run: 18,268,205,056 bytes free



[boot loader]



[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


- - End Of File - - BF98AA61582B1FE951EA8E8B7C8BB8CB


That seems to have done my job for me :) It cured the infected driver. You shouldn't be experiencing redirects any more.





  • Under the Paste Fix Here box on the right, paste in the contents of the following code box
[Unregister Dlls]
[Registry - Safe List]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{fee7b702-9c7b-11dc-9ab0-806d6172696f} -> 
[Files/Folders - Created Within 30 Days]
NY ->  3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  3 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Empty Temp Folders]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • This will create a log in C:\_OTS\MovedFiles\<date>_<time>.log where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.
Note: You may receive some errors while running the fix. Just press Ok and the fix should continue normally.

If it seems to get stuck, give it some time. It's probably still working.







I also want to run an online scan to make sure there's nothing else on your system. This will take a while but it's well worth it as it's one of our more in depth scanners.


Using Internet Explorer or Firefox, visit Kaspersky Online Scanner


1. Click Accept, when prompted to download and install the program files and database of malware definitions.




2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.



The program will then begin downloading and installing and will also update the database.



Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.



Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

Ok NeonFx, here is the log from the OTS fix you posted last night. I'm going to run the Kaspersky Scan next, then post the results as well. So far so good!


All Processes Killed

[Registry - Safe List]

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fee7b702-9c7b-11dc-9ab0-806d6172696f}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fee7b702-9c7b-11dc-9ab0-806d6172696f}\ not found.

[Files/Folders - Created Within 30 Days]

C:\WINDOWS\SET3.tmp deleted successfully.

C:\WINDOWS\SET4.tmp deleted successfully.

C:\WINDOWS\SET8.tmp deleted successfully.

C:\Documents and Settings\All Users\Application Data\xml9.tmp deleted successfully.

C:\Documents and Settings\All Users\Application Data\xmlA.tmp deleted successfully.

C:\Documents and Settings\All Users\Application Data\xmlB.tmp deleted successfully.

C:\WINDOWS\System32\CONFIG.TMP deleted successfully.

[Empty Temp Folders]



User: All Users


User: broadsword

->Temp folder emptied: 4002 bytes

->Temporary Internet Files folder emptied: 46994 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 55193631 bytes


User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes


User: heather

->Temp folder emptied: 6482 bytes

->Temporary Internet Files folder emptied: 2326691 bytes

->Java cache emptied: 44621968 bytes

->FireFox cache emptied: 63616770 bytes


User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes


User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 402 bytes


User: The Boys

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 78991 bytes

->Java cache emptied: 669213 bytes

->FireFox cache emptied: 81600409 bytes


%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 4352805 bytes

RecycleBin emptied: 0 bytes


Total Files Cleaned = 241.00 mb



Restorepoints cleared and new OTS Restore Point set!

< End of fix log >

OTS by OldTimer - Version fix logfile created on 01222010_122840


Files\Folders moved on Reboot...


Registry entries deleted on Reboot...


Ok NeonFx, here is the Kaspersky log for the online scan,




Friday, January 22, 2010

Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner version:

Last database update: Friday, January 22, 2010 16:47:08

Records in database: 3358598



Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes


Scan area - My Computer:






Scan statistics:

Objects scanned: 46113

Threats found: 1

Infected objects found: 1

Suspicious objects found: 0

Scan duration: 01:56:39



File name / Threat / Threats count

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\IdeChnDr.sys.vir Infected: Rootkit.Win32.TDSS.y 1


Selected area has been scanned.


Thank you :) I'm glad it worked out.


Let's cleanup.




The following will implement some cleanup procedures as well as reset System Restore points:


Click Start > Run and copy/paste the following bolded text into the Run box and click OK:


(If you use Vista or 7 just paste it into the text box that appears next to your start button)


ComboFix /Uninstall


Note: If you renamed ComboFix to something else (Combo-Fix or Gotcha for example) you might have to change the command accordingly: Combo-Fix /Uninstall




To clean up OldTimer's tools, along with a few others, do the following:

  • Run OTS.exe by double clicking on it
  • Click on the "CleanUp" button on the top.
  • You will be asked if you wish to reboot your system, select "Yes"


Remove any other tools or files we used by right-clicking on them or any folders they created, holding down the Shift key, and selecting "Delete" by clicking on it. This will delete the files without sending them to the RecycleBin.


You can also uninstall the other programs (HijackThis or MalwareBytes if we used them) by going to Start > Control Panel > Add/Remove programs (The Control Panel is different in different versions of Windows. It will be Programs and Features in Vista and Programs > Uninstall a Program in 7)


You might want to keep MalwareBytes AntiMalware though and that's fine :) Make sure you update it before you run the scans in the future.


All Clean


Congratulations! Your system is now clean. Now that your system is safe we would like you to keep it that way. Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.


Microsoft Windows Update

Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product loopholes and fix any bugs found. Install the updates immediately if they are found.

To update Windows

Go to (Start) > (All) Programs > Windows Update

To update Office

Open up any Office program.

Go to Help > Check for Updates



Download and Install a HOSTS File

A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. A HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine and prevent your computer from connecting to that website.


See how to get it HERE

(For Vista and 7 see HERE )


You can also use a tool to update your Hosts file. See HERE and HERE


If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.


Note: A Hosts file can slow some systems down. If it is slowed down beyond tolerable you might want to empty the Hosts file or reset it using one of the tools.


Install WinPatrol

Download it HERE

You can find information about how WinPatrol works HERE and HERE


Note: This program will work alongside all other security programs without conflicts. It might ask you to allow certain actions that security programs perform often, but if you tell Scotty to remember the action by checking the option, the alerts will lessen.


Other Software Updates

It is very important to update the other software on your computer to patch up any security issues you may have. Go HERE to scan your computer for any out of date software. In particular make sure you download the updates for Java and Adobe as these are subject to many security vulnerabilities.


Setting up Automatic Updates

So that it is not necessary to have to remember to update your computer regularly (something very important to securing your system), automatic updates should be configured on your computer. Microsoft has guides for XP and Vista on how to do this. See HERE for Windows 7.


Read further information HERE, HERE, and HERE on how to prevent Malware infections and keep yourself clean.

This topic is now closed to further replies.
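The HOSTS file behaviour described in the cleanup post above, as an added example that is not part of the original thread: a small Python audit that separates entries pointing at the local machine (the "short circuit" case) from entries that send a name to some other address, which are worth reviewing after an infection. The sample file content, host names and the `audit_hosts` function are constructed for illustration.

```python
import ipaddress

# Constructed sample HOSTS content (not taken from the thread).
SAMPLE_HOSTS = """\
# blocklist section
127.0.0.1   localhost
127.0.0.1   ads.example.test tracker.example.test   # two names on one line
0.0.0.0     malware.example.test
::1         localhost
203.0.113.7 bank.example.test
not-an-ip   broken.example.test
10.0.0.5
"""

def audit_hosts(text):
    """Classify each HOSTS entry as 'sinkhole', 'redirect', or 'malformed'."""
    report = {"sinkhole": [], "redirect": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            report["malformed"].append((lineno, raw.strip()))
            continue
        names = fields[1:]
        if not names:                          # address with no host name
            report["malformed"].append((lineno, raw.strip()))
            continue
        # Loopback or unspecified (0.0.0.0 / ::) keeps the request on this machine.
        local = addr.is_loopback or addr.is_unspecified
        for name in names:
            if local:
                report["sinkhole"].append((lineno, name.lower()))
            else:
                report["redirect"].append((lineno, name.lower(), str(addr)))
    return report

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(result['sinkhole'])} names sinkholed to the local machine")
    for lineno, name, addr in result["redirect"]:
        print(f"REVIEW line {lineno}: {name} -> {addr}")
    for lineno, raw in result["malformed"]:
        print(f"MALFORMED line {lineno}: {raw}")
```

On a real system the text would be read from the HOSTS file itself; any entry reported under `redirect` maps a name to an address other than your own machine and should be checked by hand.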