AVG scan shows:
"Trojan horse Rootkit-Pakes.U";"C:\WINDOWS\system32\drivers\atapi.sys";"Object is white-listed (critical/system file that should not be removed)
I'm using Windows XP SP2. I noticed this problem after installing several Windows updates last week.
I'm not very comfortable with trying to fix this sort of thing, but have researched and, hopefully, am doing the right thing by posting these logs:
Malwarebytes' Anti-Malware 1.41
Database version: 3039
Windows 5.1.2600 Service Pack 2
10/27/2009 9:30:28 AM
mbam-log-2009-10-27 (09-30-28).txt
Scan type: Full Scan (C:\|)
Objects scanned: 182680
Time elapsed: 1 hour(s), 30 minute(s), 50 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
And combofix:
ComboFix 09-10-20.03 - nancy 10/23/2009 22:51.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2559.1931 [GMT -4:00]
Running from: c:\documents and settings\nancy\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((( Files Created from 2009-09-24 to 2009-10-24 )))))))))))))))))))))))))))))))
.
2009-10-23 16:43 . 2009-10-23 16:43 -------- d-----w- c:\documents and settings\nancy\Application Data\AVG8
2009-10-22 15:34 . 2009-10-22 15:35 105104 ----a-w- C:\MGlogs.zip
2009-10-22 15:34 . 2009-10-22 15:35 -------- d-----w- C:\MGtools
2009-10-21 14:05 . 2009-10-21 14:05 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\Xobni
2009-10-21 06:07 . 2009-10-21 06:07 -------- d-----w- c:\documents and settings\john\Application Data\Malwarebytes
2009-10-21 01:50 . 2009-10-21 01:50 -------- d-----w- c:\documents and settings\Junkie\Application Data\Malwarebytes
2009-10-20 18:06 . 2009-10-20 18:06 -------- d-----w- c:\documents and settings\nancy\Application Data\Malwarebytes
2009-10-20 18:05 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-20 18:05 . 2009-10-20 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-20 18:05 . 2009-10-22 14:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-20 18:05 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-16 01:42 . 2009-10-16 01:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Xobni
2009-10-14 14:12 . 2009-10-14 14:12 -------- d-s---w- c:\documents and settings\john\UserData
2009-10-14 14:12 . 2009-10-14 14:12 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\P2P_Torrent
2009-10-13 12:00 . 2009-10-13 12:00 -------- d-----w- c:\documents and settings\john\Application Data\IObit
2009-10-11 23:00 . 2009-10-11 23:00 -------- d-----w- c:\documents and settings\Junkie\Application Data\IObit
2009-10-11 17:36 . 2009-10-11 17:36 -------- d-----w- c:\documents and settings\nancy\Application Data\IObit
2009-10-10 18:32 . 2009-10-10 18:32 -------- d-----w- c:\documents and settings\Junkie\Application Data\SUPERAntiSpyware.com
2009-10-10 13:15 . 2009-10-10 13:15 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-10 01:42 . 2009-10-10 13:14 -------- d-----w- c:\program files\Accessories
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 03:06 . 2009-01-28 04:29 -------- d-----w- c:\documents and settings\Junkie\Application Data\uTorrent
2009-10-23 17:40 . 2009-01-28 00:08 -------- d-----w- c:\program files\AVG
2009-10-23 17:39 . 2009-01-28 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-23 12:29 . 2009-01-28 01:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-22 13:23 . 2009-08-03 15:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-22 13:23 . 2009-03-19 22:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-22 13:21 . 2009-04-04 03:15 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-22 13:20 . 2009-01-28 16:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-22 13:20 . 2009-01-28 16:16 -------- d-----w- c:\program files\SpywareBlaster
2009-10-16 01:42 . 2009-07-27 18:13 -------- d-----w- c:\program files\Xobni
2009-10-15 20:59 . 2009-02-11 14:51 -------- d-----w- c:\documents and settings\nancy\Application Data\LimeWire
2009-10-15 12:58 . 2009-02-11 22:13 -------- d-----w- c:\program files\P2P_Torrent
2009-10-10 18:36 . 2009-07-27 18:12 -------- d-----w- c:\program files\Vuze
2009-10-10 18:34 . 2009-01-28 21:50 -------- d-----w- c:\program files\Total Video Converter
2009-10-10 18:34 . 2009-05-24 16:48 -------- d-----w- c:\program files\TeamViewer
2009-10-10 18:28 . 2009-02-11 02:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2009-10-10 13:46 . 2009-01-27 23:51 87832 ----a-w- c:\documents and settings\nancy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-10 11:06 . 2009-02-01 18:34 87832 ----a-w- c:\documents and settings\john\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-02 19:31 . 2009-01-28 05:59 -------- d-----w- c:\documents and settings\Junkie\Application Data\U3
2009-09-25 05:56 . 2006-03-04 03:33 662016 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-23 18:44 . 2009-04-04 23:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-21 22:40 . 2009-09-21 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-09-21 21:08 . 2009-02-11 22:17 -------- d-----w- c:\documents and settings\Junkie\Application Data\LimeWire
2009-09-11 14:03 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 19:20 . 2009-01-28 04:25 87832 ----a-w- c:\documents and settings\Junkie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-04 20:45 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 23:56 . 2009-09-03 23:56 -------- d-----w- c:\documents and settings\Junkie\Application Data\GRETECH
2009-09-03 23:24 . 2009-09-03 23:24 -------- d-----w- c:\program files\GRETECH
2009-08-31 03:25 . 2009-08-31 03:13 -------- d-----w- c:\documents and settings\Junkie\Application Data\Steinberg
2009-08-31 03:15 . 2009-08-31 03:10 -------- d-----w- c:\program files\Lexicon
2009-08-31 03:14 . 2009-08-31 03:13 -------- d-----w- c:\program files\Steinberg
2009-08-31 03:13 . 2009-08-31 03:12 -------- d-----w- c:\program files\Syncrosoft
2009-08-31 03:13 . 2009-08-31 03:13 2892 ----a-w- c:\windows\system32\audcon.sys
2009-08-31 03:13 . 2009-08-31 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Syncrosoft
2009-08-26 08:16 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 05:49 . 2009-08-25 05:49 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-08-19 13:03 . 2009-01-28 15:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-19 13:03 . 2009-01-28 15:25 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-19 13:03 . 2009-01-28 15:25 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 09:11 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 12:51 . 2005-03-30 01:23 2185984 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 12:02 . 2005-03-30 01:01 2062976 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-03-16 01:48 . 2009-02-11 03:18 10856 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 16:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 13:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"Zone Labs Client"="c:\progra~1\ZONELA~1\ZONEAL~1\zlclient.exe" [2004-04-01 693520]
"WINCINEMAMGR"="c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe" [2005-09-27 266240]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-28 136600]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Home Theater SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2005-09-27 106496]
"CTSysVol"="c:\program files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe" [2003-05-02 57344]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
c:\documents and settings\Junkie\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-7-26 576000]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-01-27 23:38 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-19 13:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15607:TCP"= 15607:TCP:BitComet 15607 TCP
"15607:UDP"= 15607:UDP:BitComet 15607 UDP
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/28/2009 11:25 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/28/2009 11:25 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/28/2009 11:25 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/27/2009 10:56 PM 297752]
R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [5/6/2009 9:21 PM 46824]
R3 DfuUsb;DfuUsb;c:\windows\system32\drivers\DFUUsb.sys [11/8/2007 4:51 PM 10880]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [7/18/2009 1:58 AM 234888]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe --> c:\program files\MAGIX\Common\Database\bin\fbserver.exe [?]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 5:29 AM 29178224]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [8/30/2009 11:12 PM 18432]
.
Contents of the 'Scheduled Tasks' folder
2009-10-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-10-19 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-10-11 13:22]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - file://e:\setup\RiffLick.cab
FF - ProfilePath - c:\documents and settings\nancy\Application Data\Mozilla\Firefox\Profiles\lw63vwtn.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 23:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Componen ts\ð•€|ÿÿÿÿ.•€|þ»Ôw*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(648)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
- - - - - - - > 'winlogon.exe'(1524)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2009-10-24 23:08
ComboFix-quarantined-files.txt 2009-10-24 03:08
Pre-Run: 55,701,790,720 bytes free
Post-Run: 55,754,956,800 bytes free
- - End Of File - - 74D9DD5439EFBAC2DB3881202A030155
If there's a way to get rid of the trojan, could you please be very specific? It's ok to treat me like a dummy haha.
Thank you so much.
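Added example, not part of the original post or of any of the tools whose logs appear above: a small Python script a responder could use to triage the ComboFix file listing and to check a flagged driver such as atapi.sys against the reference copies Windows XP keeps. The sample log lines are copied from the ComboFix output above; the dllcache and ServicePackFiles locations are the XP defaults and are assumed, as is the C:\WINDOWS directory.

```python
"""Triage a ComboFix file listing and verify a driver against XP's reference copies.

Added example; not the poster's code and not part of ComboFix or AVG.
Assumptions: default C:\\WINDOWS layout; the two timestamps are kept exactly as
ComboFix prints them, since the log does not say which is creation and which is last-write.
"""
import hashlib
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One ComboFix listing line, e.g.
# 2009-10-20 18:05 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
LISTING_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(-{8}|\d+)\s+"      # size in bytes, or eight dashes for a directory
    r"(\S{8})\s+"         # attribute field, e.g. d-----w- or --sha-w-
    r"(.+?)\s*$"
)

# Lines taken from the ComboFix log in the post (constructed sample for this example).
SAMPLE_LOG = r"""
2009-10-23 16:43 . 2009-10-23 16:43 -------- d-----w- c:\documents and settings\nancy\Application Data\AVG8
2009-10-22 15:34 . 2009-10-22 15:35 105104 ----a-w- C:\MGlogs.zip
2009-10-20 18:05 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-20 18:05 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-25 05:56 . 2006-03-04 03:33 662016 ----a-w- c:\windows\system32\wininet.dll
2009-09-11 14:03 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-19 13:03 . 2009-01-28 15:25 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-04 12:51 . 2005-03-30 01:23 2185984 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-03-16 01:48 . 2009-02-11 03:18 10856 --sha-w- c:\windows\system32\KGyGaAvL.sys
"""

BINARY_EXT = (".sys", ".dll", ".exe")


@dataclass
class Entry:
    ts_a: str            # first timestamp as printed
    ts_b: str            # second timestamp as printed
    size: Optional[int]  # None for directories
    attrs: str           # 8-char attribute field; in the posted log position 1 is 'd',
    path: str            # position 3 's' (system), position 4 'h' (hidden), position 5 'a' (archive)

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_system(self) -> bool:
        return self.attrs[2] == "s" and self.attrs[3] == "h"


def parse_combofix_listing(text: str) -> List[Entry]:
    """Parse the 'Files Created' / 'Find3M' style lines; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LISTING_LINE.match(line.strip())
        if not m:
            continue
        ts_a, ts_b, size, attrs, path = m.groups()
        entries.append(Entry(ts_a, ts_b, None if size.startswith("-") else int(size), attrs, path))
    return entries


def triage(entries: List[Entry], windir: str = "c:\\windows\\") -> Dict[str, List[str]]:
    """Return {path: [reasons]} for binaries under the Windows directory worth a second look.
    This ranks, it does not judge: every hit still needs a hash or signature check."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        if e.is_dir:
            continue
        p = e.path.lower()
        if not p.startswith(windir) or not p.endswith(BINARY_EXT):
            continue
        reasons = []
        if p.endswith(".sys"):
            reasons.append("kernel-mode driver changed")
            if "\\drivers\\" not in p:
                reasons.append(".sys outside the drivers directory")
        elif "\\system32\\" in p:
            reasons.append("system32 binary changed")
        if e.hidden_system:
            reasons.append("hidden+system attributes")
        if reasons:
            findings[e.path] = reasons
    return findings


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def protected_copy_candidates(driver_path: str, windir: str = "C:\\WINDOWS") -> List[str]:
    """Where XP keeps reference copies of protected files (assumed default locations):
    the Windows File Protection cache and the service-pack install files."""
    name = os.path.basename(driver_path)
    return [os.path.join(windir, "system32", "dllcache", name),
            os.path.join(windir, "ServicePackFiles", "i386", name)]


def compare_with_copies(driver_path: str, copies: List[str]) -> Dict[str, Optional[bool]]:
    """{copy_path: True (same bytes) / False (differs) / None (copy not present)}."""
    target = sha256_file(driver_path)
    return {c: (sha256_file(c) == target) if os.path.exists(c) else None for c in copies}


if __name__ == "__main__":
    for path, why in triage(parse_combofix_listing(SAMPLE_LOG)).items():
        print(f"{path}: {', '.join(why)}")
    drv = r"C:\WINDOWS\system32\drivers\atapi.sys"
    if os.path.exists(drv):
        print(compare_with_copies(drv, protected_copy_candidates(drv)))
```

One caveat on the hash comparison: it reads the files through the running kernel. A rootkit that filters disk reads can hand a clean copy of the driver back to user-mode tools, so a match from inside the infected system does not prove the file is clean; a mismatch is informative, a match is only informative when the hashes are taken from a boot outside the suspect Windows installation (for example from a boot CD). A hash that differs from both reference copies, on a file AVG already names, is the signal a helper will want to see before deciding what to replace.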