[Resolved] My PC got infected with Koobface (2)


  • This topic is locked
13 replies to this topic

#1 Ribica

Ribica

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 22 September 2009 - 12:09 PM

My PC was infected with Koobface so I used Symantec Anti-virus (which alerted me in the first place) and Malwarebytes to clean it. The PC seems to be fine now, but on this forum I read that after fixing it with Malwarebytes it still doesn't mean it's completely clean, and I just wanted to be sure. So I posted my logs and then you redirected me here with new steps to follow. But I had a little problem, I couldn't download RootRepeal - every time it came to the downloading point (at initializing) the PC would shut down and restart. I tried several times but the same thing happened each time. So I ran another rootkit tool that I already had from before and I hope it would be useful.

ROOTKIT LOG:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-09-22 19:43:58
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF95DD87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF95DDBFE]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2543F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2872] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E3F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2940] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2940] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2940] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2940] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2940] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2543F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2940] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2940] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2940] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2940] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2940] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2940] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2940] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2940] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2940] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E3F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[2872] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2940] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


DDS LOG:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Jelena at 19:09:12,43 on uto 22.09.2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1250.385.1033.18.247.51 [GMT 2:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jelena\Local Settings\Temporary Internet Files\Content.IE5\B7S5DWLB\dds[2].scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.hr/
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/vso/en-us/vso10/default.asp?affid=439-1
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} - hxxp://aolsvc.aol.com/onlinegames/free-trial-mystery-of-shark-island/MysteryOfSharkIslandWeb.1.0.0.8.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://aolsvc.aol.com/onlinegames/free-trial-dream-chronicles/dreamweb.1.0.0.9.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://aolsvc.aol.com/onlinegames/free-trial-mystery-pi-the-lottery-ticket/SpinTopGamesLauncher.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-15 64160]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [2002-10-3 31504]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090918.003\NAVENG.sys [2009-9-18 84912]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090918.003\NAVEX15.sys [2009-9-18 1323568]
S3 USB_RNDIS_51;Broadcom USB Remote NDIS Device Driver;c:\windows\system32\drivers\usb8023.sys [2004-8-4 12800]

=============== Created Last 30 ================

2009-09-21 23:27 <DIR> --d----- c:\program files\TweetDeck
2009-09-16 17:56 1,242 a------- c:\windows\fs1234.dat
2009-09-16 17:55 1 ----h--- c:\windows\bk23567.dat
2009-09-13 17:39 <DIR> --d----- c:\docume~1\jelena\applic~1\Malwarebytes
2009-09-13 17:39 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 17:39 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-13 17:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-13 17:39 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 17:01 <DIR> --d----- c:\program files\common files\Uninstall
2009-09-08 23:41 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-08-31 10:34 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-08-31 10:34 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

==================== Find3M ====================

2009-08-05 11:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-31 15:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 21:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 19:09 915,456 a------- c:\windows\system32\wininet.dll
2007-04-27 20:32 40,296 ac------ c:\docume~1\jelena\applic~1\GDIPFONTCACHEV1.DAT
2009-06-07 21:17 16,384 a--sh--- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-12-28 19:16 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122820081229\index.dat

============= FINISH: 19:09:45,82 ===============


#2 jpshortstuff

jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,710 posts

Posted 22 September 2009 - 04:02 PM

Hi, and welcome to WhatTheTech :)

I can see one or two more Koobface related files on your system, let's see if we can sort that out for you.

Please download GooredFix from the locations below and save it to your Desktop
Download Mirror #1
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
Are you experiencing any problems with your computer? Please run DDS again after the above and post the first log it gives (DDS.txt).

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

Need help remembering those important computer maintenance tasks? Let SCars do it for you.


#3 Ribica

Posted 23 September 2009 - 11:30 AM

Hi :) No, I don't really have problems with my PC. Sometimes internet freezes, but that's all. I use CCleaner and ATF Cleaner on a regular basis and that fixes the problem every time. The only thing I noticed that was weird - I couldn't download RootRepeal (that you previously suggested), it was like something was blocking it and making my PC restart. Anyway, here are the logs:

GooredFix by jpshortstuff (23.09.09.5)
Log created at 19:09 on 23/09/2009 (Jelena)
Firefox version [Unable to determine]

========== GooredScan ==========

Deleting file: "C:\WINDOWS\bk23567.dat" -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [09:08 01/06/2009]

-=E.O.F=-

DDS (Ver_09-06-26.01) - NTFSx86
Run by Jelena at 19:15:23,87 on sri 23.09.2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1250.385.1033.18.247.22 [GMT 2:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jelena\Local Settings\Temporary Internet Files\Content.IE5\SIEZAK75\dds[1].scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.hr/
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/vso/en-us/vso10/default.asp?affid=439-1
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} - hxxp://aolsvc.aol.com/onlinegames/free-trial-mystery-of-shark-island/MysteryOfSharkIslandWeb.1.0.0.8.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://aolsvc.aol.com/onlinegames/free-trial-dream-chronicles/dreamweb.1.0.0.9.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://aolsvc.aol.com/onlinegames/free-trial-mystery-pi-the-lottery-ticket/SpinTopGamesLauncher.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-15 64160]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090918.003\NAVENG.sys [2009-9-18 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090918.003\NAVEX15.sys [2009-9-18 1323568]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [2002-10-3 31504]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S3 USB_RNDIS_51;Broadcom USB Remote NDIS Device Driver;c:\windows\system32\drivers\usb8023.sys [2004-8-4 12800]

=============== Created Last 30 ================

2009-09-22 19:13 34,816 a------- c:\windows\system32\drivers\rootrepeal[1].sys
2009-09-21 23:27 <DIR> --d----- c:\program files\TweetDeck
2009-09-16 17:56 1,242 a------- c:\windows\fs1234.dat
2009-09-13 17:39 <DIR> --d----- c:\docume~1\jelena\applic~1\Malwarebytes
2009-09-13 17:39 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 17:39 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-13 17:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-13 17:39 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 17:01 <DIR> --d----- c:\program files\common files\Uninstall
2009-09-08 23:41 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-08-31 10:34 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-08-31 10:34 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

==================== Find3M ====================

2009-08-05 11:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-31 15:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 21:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 19:09 915,456 a------- c:\windows\system32\wininet.dll
2007-04-27 20:32 40,296 ac------ c:\docume~1\jelena\applic~1\GDIPFONTCACHEV1.DAT
2009-06-07 21:17 16,384 a--sh--- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-12-28 19:16 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122820081229\index.dat

============= FINISH: 19:16:15,62 ===============

#4 jpshortstuff

Posted 23 September 2009 - 11:37 AM

Hi,

Delete this file (Koobface remainder):
c:\windows\fs1234.dat

Does RootRepeal still fail if you try and download/use it?


Just in case you have something nasty lurking that is preventing RootRepeal from running, I just want you to run this scan (should be fairly quick):

Please save this file to your desktop. Click on Start -> Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK:
"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


#5 Ribica

Posted 23 September 2009 - 03:14 PM

Ok, I deleted c:\windows\fs1234.dat and after that I tried to run RootRepeal again, but the same thing happened again - when it started initializing, the computer shut down and restarted. Here is the log you asked for:

Running from: C:\Documents and Settings\Jelena\desktop\win32kdiag.exe
Log file at : C:\Documents and Settings\Jelena\Desktop\Win32kDiag.txt

Removing all found mount points.
Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

#6 jpshortstuff

Posted 23 September 2009 - 03:23 PM

Hi, I am just querying the developer of RootRepeal about this problem, to see if we can find the cause. I will get back to you as soon as I have some more information. Thanks.


#7 jpshortstuff

Posted 24 September 2009 - 12:16 PM

While we're waiting for the developer of RootRepeal to get back to me, let's try a different Anti-Rootkit, as there may well be Rootkit interference.

Sysprot Antirootkit.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to.
  • Open the text file and copy/paste the log in your next post.


#8 Ribica


Posted 24 September 2009 - 01:37 PM

Ok, here it is:

SysProt AntiRootkit v1.0.1.0 by swatkat

#9 jpshortstuff


Posted 25 September 2009 - 06:22 AM

Hi,

There is nothing bad showing in any of your logs. I wonder whether the RootRepeal issue is simply a bug with the program. There is one last thorough scan we can run to double-check your system, if you wish.

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.


#10 Ribica


Posted 25 September 2009 - 10:53 AM

Hi,

My PC is doing just fine, I don't see any problems with it. I just wanted to make sure that I didn't have any left-overs from that Koobface infection. Oh, and I'm glad I found whatthetech.com, I'm so happy with your quick replies and easy-to-follow guidelines :) Thank you!

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=6
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6050
    # api_version=3.0.2
    # EOSSerial=9b24e7e996134b4b88556118b9ad0614
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2009-09-25 04:18:30
    # local_time=2009-09-25 06:18:30 (+0100, Central European Daylight Time)
    # country="Croatia"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=3586 62 40 16 731648669843750
    # scanned=41268
    # found=0
    # cleaned=0
    # scan_time=1847
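The scanner log in the post above records the options the helper's instructions asked for (remove_checked, archives_checked and so on) next to the result counters. The following is an added example, not part of the thread and not ESET tooling: a Python check that parses such a log, whether stored one entry per line or flattened by a forum paste, and reports any deviation. The key names come from the log above; the second sample log, its end=stopped value, and the rule that a repeated key starts a new scan record are assumptions.

```python
import re

# Options requested in the helper's instructions, keyed by the names in the log.
EXPECTED_OPTIONS = {
    "remove_checked": "false",      # "Remove found threats" unticked
    "archives_checked": "true",     # "Scan Archives" ticked
    "unwanted_checked": "true",     # potentially unwanted applications
    "unsafe_checked": "true",       # potentially unsafe applications
    "antistealth_checked": "true",  # Anti-Stealth Technology
}
_KEY = re.compile(r"[A-Za-z_][\w.]*")


def parse_scan_records(text):
    """Return one dict per scan found in the log text.

    Handles "# key=value" entries on separate lines as well as entries run
    together on one line and separated by " # ". A key seen twice starts a
    new record (assumption: each scan writes every key once).
    """
    records, current = [], {}
    for chunk in re.split(r"(?:^|\s)#\s*", text):
        key, sep, value = chunk.partition("=")
        key = key.strip()
        if not sep or not _KEY.fullmatch(key):
            continue  # preamble or free text, not a key=value entry
        if key in current:
            records.append(current)
            current = {}
        current[key] = value.strip()
    if current:
        records.append(current)
    return records


def _count(record, key, findings):
    """Read a numeric counter, recording a finding if it is absent or malformed."""
    raw = record.get(key, "")
    if not raw.isdigit():
        findings.append(f"{key} missing or not a number: {raw!r}")
        return None
    return int(raw)


def review_record(record):
    """Return a list of findings; an empty list means the scan matches the instructions."""
    findings = []
    if record.get("end") != "finished":
        findings.append(f"scan did not finish (end={record.get('end')!r})")
    for key, want in EXPECTED_OPTIONS.items():
        if record.get(key) != want:
            findings.append(f"{key}={record.get(key)!r}, instructions asked for {want!r}")
    scanned = _count(record, "scanned", findings)
    found = _count(record, "found", findings)
    cleaned = _count(record, "cleaned", findings)
    if scanned == 0:
        findings.append("no files were scanned")
    if found:
        findings.append(f"{found} detection(s) reported, {cleaned} cleaned")
    return findings


# Abridged from the log in the post above, in its flattened pasted form.
PASTED_LOG = (
    "ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK "
    "# version=6 # end=finished # remove_checked=false # archives_checked=true "
    "# unwanted_checked=true # unsafe_checked=true # antistealth_checked=true "
    "# utc_time=2009-09-25 04:18:30 # osver=5.1.2600 NT Service Pack 3 "
    "# scanned=41268 # found=0 # cleaned=0 # scan_time=1847"
)

# Constructed sample: two scans, one entry per line; the second deviates.
CONSTRUCTED_LOG = """\
# version=6
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# scanned=100
# found=0
# cleaned=0
# version=6
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=false
# scanned=57
# found=2
# cleaned=2
"""

if __name__ == "__main__":
    for name, text in (("pasted", PASTED_LOG), ("constructed", CONSTRUCTED_LOG)):
        for number, record in enumerate(parse_scan_records(text), start=1):
            findings = review_record(record)
            print(f"{name} scan {number}: {'OK' if not findings else findings}")
```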

#11 jpshortstuff


Posted 25 September 2009 - 11:09 AM

Hi,

Log looks good :thumbup:

You can now delete any other tools I had you download and use, unless you wish to keep them.


Now that your system appears to be clean, there's just a few steps I'd like you to take to prevent any future infections.
  • System restore:
    We will now clear your existing system restore points and establish a new clean restore point:

    Click Start > Run > copy and paste the following into the run box:


    %SystemRoot%\System32\restore\rstrui.exe

    Press OK. Choose Create a Restore Point then click Next.
    Name it (something you'll remember) and click Create,
    when the confirmation screen shows the restore point has been created click Close.

    Next, go to Start > Run and type in cleanmgr
    Select the More options tab
    Choose the option to clean up system restore and OK it.

    This will remove all restore points except the new one you just created.

  • Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis.

  • Make sure you update your Anti-Virus software regularly, new viruses are being developed all the time.

  • Some more programs that it would be useful to have [OPTIONAL but RECOMMENDED]:

    Download Spybot Search and Destroy 1.5 from here
    Check for Updates/ Immunize and run a Full System Scan on a regular basis.


    Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.
Also, please read this great article by Tony Klein: So How Did I Get Infected In First Place

Glad we could be of assistance.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Stay Clean!

jpshortstuff


#12 Ribica


Posted 25 September 2009 - 04:17 PM

Thank you for your help and advice, I am more than satisfied. Greetings from Croatia :wavey:

#13 jpshortstuff


Posted 26 September 2009 - 12:19 AM

Glad we could help you :thumbup:


#14 jpshortstuff


Posted 26 September 2009 - 12:19 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
