
RootKit/Trojan Trouble - Costrat?


  • This topic is locked
15 replies to this topic

#1 jsteacy

jsteacy

  • Members
  • 13 posts
  • OFFLINE
  • Local time:02:16 PM

Posted 17 February 2009 - 04:10 PM

I have been running Kaspersky Anti-Virus 2009 and scanned recently and found a few trojans and some kind of trojan-dropper. I cleaned with Kaspersky, but they all seem to come back after being disinfected. Kaspersky finds Trojan-Clicker.Win32.Costrat.gb in memory every time and will try to remove it with a reboot, only to have it show up again on the next scan.

I grabbed Avira AntiVir Personal - Free AntiVirus, and it did a great job of cleaning out some of the trojans that would just reappear when Kaspersky would clean. Unfortunately it keeps detecting a rootkit and other things when scanning: Agent.39936, TDss.eyj.65, TDss.eyh.66, TDss.eyj.415, and uacxmjyuhtp.sys. It seems unable to clean those.

Under the guidance of boopme and quietman7, I ran SDFix, then Dr.Web CureIt.
Then I ran Panda AntiRootKit, which found nothing, so I grabbed AVG Anti-Rootkit and ran that; it found 11 entries (2 were SDFix for process killing). I scanned again with AVG and it found nothing the second time.

Hoping my troubles were gone, I ran Kaspersky again and unfortunately Costrat still shows up. Quietman7 asked me to post here with HijackLogs. I will post a Kaspersky log as well in hopes that it will help.

DDS:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Admin at 12:19:22.78 on Tue 02/17/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.488 [GMT -8:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MCECardBusTV.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\system32\dllhost.exe
C:\software\HP\Digital Imaging\bin\hpqSTE08.exe
C:\software\HP\Digital Imaging\bin\hpqbam08.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Admin\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.alienware.com/Mothership?Comp=AWC&SysCode=PC-LT-AREA51-M-7700&ai=636E3D33333733323926706F3D504F2D33353935353641
mSearchAssistant = hxxp://www.google.com/ie
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\software\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [MCECardBusTV] c:\windows\system32\MCECardBusTV.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [WinampAgent] c:\software\winamp\winampa.exe
mRun: [AVP] "c:\software\kaspersky anti-virus 2009\avp.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\software\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\software\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\software\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1231233641097&h=74ef8c8feea552b3663af2a5f3b93d26/&filename=jinstall-6u11-windows-i586-jc.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
AppInit_DLLs: wbsys.dll,c:\software\kasper~1\mzvkbd.dll,c:\software\kasper~1\mzvkbd3.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRKATlL

============= SERVICES / DRIVERS ===============

R0 avg anti-rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 avgarcln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2009-2-16 3968]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-2-14 11840]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-1-22 226832]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-2-14 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-2-14 151297]
R2 AVP;Kaspersky Anti-Virus;c:\software\kaspersky anti-virus 2009\avp.exe [2008-11-11 206088]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-2-14 52032]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R3 scrcap;scrcap;c:\windows\system32\drivers\scrcap.sys [2006-12-27 9006]
R3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\sldrv\slazldrv.sys [2005-5-5 230448]
S3 1012NDS5;1012NDS5 NDIS Protocol Driver;c:\windows\system32\1012NDS5.sys [2003-3-11 15872]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [2007-5-14 49399]
S3 PhTVTune;AVerMedia TVTuner;c:\windows\system32\drivers\PhTVTune.sys [2004-11-23 28800]
S4 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-1-9 234888]

=============== Created Last 30 ================


==================== Find3M ====================

2009-02-11 21:10 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-01-27 13:55 81,920 a------- c:\windows\ALCFDRTM.EXE
2009-01-06 12:52 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-06 01:15 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-03 03:24 81,920 a------- c:\windows\system32\frapsvid.dll
2008-11-27 11:47 10,240 a------- c:\windows\system32\RtNicProp32.dll
2005-12-20 13:47 32 a----r-- c:\documents and settings\all users\hash.dat

============= FINISH: 12:20:45.42 ===============


Kaspersky log (I omitted the scans in between that only found and attempted to clean Costrat, since it is still there):

Disinfect active threats: completed 2/17/2009 1:14:13 PM (events: 4, objects: 3337, time: 00:04:18)
2/12/2009 2:40:08 PM Task completed
2/12/2009 2:39:06 PM Deleted: Trojan-Spy.Win32.Pophot.gzv c:\WINDOWS\system32\inf\xccdfb16_090131.dll
2/12/2009 2:39:03 PM Detected: Trojan-Spy.Win32.Pophot.gzv c:\WINDOWS\system32\inf\xccdfb16_090131.dll
2/12/2009 2:37:45 PM Deleted: Email-Worm.Win32.Bagle.maml c:\WINDOWS\system32\sys16u.dll
2/12/2009 2:37:45 PM Detected: Email-Worm.Win32.Bagle.maml c:\WINDOWS\system32\sys16u.dll
2/12/2009 2:36:58 PM Deleted: Trojan.Win32.BHO.lzt c:\WINDOWS\system32\fejokt.dll
2/12/2009 2:36:52 PM Detected: Trojan.Win32.BHO.lzt c:\WINDOWS\system32\fejokt.dll
2/12/2009 2:20:59 PM Deleted: Trojan-Spy.Win32.Pophot.gzu c:\WINDOWS\xccdf32_090131a.dll
2/12/2009 2:20:43 PM Deleted: Trojan-Spy.Win32.Pophot.gzv c:\WINDOWS\xccdf16_090131a.dll
2/12/2009 2:20:41 PM Detected: Trojan-Spy.Win32.Pophot.gzu c:\WINDOWS\xccdf32_090131a.dll
2/12/2009 2:20:40 PM Detected: Trojan-Spy.Win32.Pophot.gzv c:\WINDOWS\xccdf16_090131a.dll
2/12/2009 1:32:40 PM Deleted: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\VQOMFVB8\_0003[1].htm
2/12/2009 1:32:09 PM Deleted: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\VQOMFVB8\_1[1].htm
2/12/2009 1:32:06 PM Deleted: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\VQOMFVB8\_5[1].htm
2/12/2009 1:32:02 PM Detected: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\VQOMFVB8\_0003[1].htm
2/12/2009 1:32:01 PM Detected: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\VQOMFVB8\_1[1].htm
2/12/2009 1:32:01 PM Detected: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\VQOMFVB8\_5[1].htm
2/12/2009 1:30:58 PM Deleted: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\U4VNJQBH\_a[1].htm
2/12/2009 1:30:50 PM Detected: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\U4VNJQBH\_a[1].htm
2/12/2009 1:30:08 PM Deleted: Trojan-Downloader.Win32.Agent.bheo c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\SU3HKLSE\qjgguh[1].htm
2/12/2009 1:30:05 PM Detected: Trojan-Downloader.Win32.Agent.bheo c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\SU3HKLSE\qjgguh[1].htm
2/12/2009 1:30:03 PM Deleted: Trojan.Win32.Qhost.aru c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\SU3HKLSE\islre[1].htm
2/12/2009 1:30:03 PM Detected: Trojan.Win32.Qhost.aru c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\SU3HKLSE\islre[1].htm/PE_Patch.UPX/UPX
2/12/2009 1:30:00 PM Deleted: Trojan.Win32.Inject.oll c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\SU3HKLSE\bbsuper2[1].htm
2/12/2009 1:30:00 PM Deleted: Backdoor.Win32.KeyStart.ak c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\SU3HKLSE\721f[1].exe
2/12/2009 1:29:57 PM Deleted: not-a-virus:AdWare.Win32.BHO.fav c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\OW3Y7NKG\u816[1].psd
2/12/2009 1:29:57 PM Detected: Trojan.Win32.Inject.oll c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\SU3HKLSE\bbsuper2[1].htm/PE_Patch.UPX/UPX
2/12/2009 1:29:55 PM Detected: Backdoor.Win32.KeyStart.ak c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\SU3HKLSE\721f[1].exe
2/12/2009 1:29:52 PM Detected: not-a-virus:AdWare.Win32.BHO.fav c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\OW3Y7NKG\u816[1].psd
2/12/2009 1:29:30 PM Deleted: Trojan.Win32.Monder.atxg c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\OW3Y7NKG\apstpldr.dll[1].htm
2/12/2009 1:29:24 PM Detected: Trojan.Win32.Monder.atxg c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\OW3Y7NKG\apstpldr.dll[1].htm
2/12/2009 1:29:06 PM Deleted: Trojan.Win32.Agent.bptq c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\ID83IFPV\bbsuper1[1].htm
2/12/2009 1:28:57 PM Deleted: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\CUE8SPD7\_4[1].htm
2/12/2009 1:28:50 PM Detected: Trojan.Win32.Agent.bptq c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\ID83IFPV\bbsuper1[1].htm
2/12/2009 1:28:49 PM Deleted: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\CUE8SPD7\_0001[1].htm
2/12/2009 1:28:46 PM Detected: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\CUE8SPD7\_4[1].htm
2/12/2009 1:28:46 PM Detected: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\CUE8SPD7\_0001[1].htm
2/12/2009 1:28:24 PM Deleted: Packed.Win32.Mondera.a c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\8E5BX0SR\_3[1].htm
2/12/2009 1:28:18 PM Detected: Packed.Win32.Mondera.a c:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\8E5BX0SR\_3[1].htm
2/12/2009 1:25:50 PM Deleted: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temp\_0003.exe
2/12/2009 1:25:15 PM Deleted: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temp\_0001.exe
2/12/2009 1:25:03 PM Deleted: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temp\a.exe
2/12/2009 1:25:03 PM Detected: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temp\_0003.exe
2/12/2009 1:25:01 PM Detected: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temp\_0001.exe
2/12/2009 1:24:55 PM Deleted: Trojan-Downloader.Win32.Suurch.ir c:\Documents and Settings\Admin\Local Settings\Temp\640919704.exe
2/12/2009 1:24:53 PM Deleted: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temp\5.exe
2/12/2009 1:24:51 PM Detected: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temp\a.exe
2/12/2009 1:24:50 PM Detected: Trojan-Downloader.Win32.Suurch.ir c:\Documents and Settings\Admin\Local Settings\Temp\640919704.exe
2/12/2009 1:24:50 PM Deleted: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temp\4.exe
2/12/2009 1:24:45 PM Detected: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temp\5.exe
2/12/2009 1:24:44 PM Deleted: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temp\1.exe
2/12/2009 1:24:40 PM Detected: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temp\4.exe
2/12/2009 1:24:38 PM Deleted: Trojan-Downloader.Win32.Suurch.ir c:\Documents and Settings\Admin\Local Settings\Temp\1034172000.exe
2/12/2009 1:24:35 PM Detected: Trojan-Dropper.Win32.VB.ivt c:\Documents and Settings\Admin\Local Settings\Temp\1.exe
2/12/2009 1:24:35 PM Detected: Trojan-Downloader.Win32.Suurch.ir c:\Documents and Settings\Admin\Local Settings\Temp\1034172000.exe
2/12/2009 1:17:27 PM Deleted: Trojan.Win32.Qhost.aru c:\oxri.exe
2/12/2009 1:17:27 PM Deleted: Trojan.Win32.Inject.oll c:\cisq.exe
2/12/2009 1:17:27 PM Detected: Trojan.Win32.Qhost.aru c:\oxri.exe/PE_Patch.UPX/UPX
2/12/2009 1:17:20 PM Detected: Trojan.Win32.Inject.oll c:\cisq.exe/PE_Patch.UPX/UPX
2/12/2009 1:15:59 PM Deleted: Net-Worm.Win32.Kolab.bcp c:\System Volume Information\_restore{B8A0467E-9AEE-4C53-AE46-ED6CC97340FC}\RP168\A0068262.exe
2/12/2009 1:15:52 PM Detected: Net-Worm.Win32.Kolab.bcp c:\System Volume Information\_restore{B8A0467E-9AEE-4C53-AE46-ED6CC97340FC}\RP168\A0068262.exe
2/12/2009 1:11:09 PM Disinfected: Trojan-Clicker.Win32.Costrat.gb System Memory
2/12/2009 1:10:48 PM Detected: Trojan-Clicker.Win32.Costrat.gb System Memory
2/12/2009 1:10:48 PM Task started
Disinfect active threats: completed 2/17/2009 1:14:13 PM (events: 4, objects: 3337, time: 00:04:18)
2/17/2009 1:09:55 PM Task started
2/17/2009 1:09:55 PM Detected: Trojan-Clicker.Win32.Costrat.gb System Memory
2/17/2009 1:09:55 PM Disinfected: Trojan-Clicker.Win32.Costrat.gb System Memory
2/17/2009 1:14:13 PM Task completed
Disinfect active threats: completed 2/17/2009 1:14:13 PM (events: 4, objects: 3337, time: 00:04:18)
2/17/2009 2:12:36 PM Task started
2/17/2009 2:12:36 PM Detected: Trojan-Clicker.Win32.Costrat.gb System Memory
2/17/2009 2:12:43 PM Untreated: Trojan-Clicker.Win32.Costrat.gb System Memory Postponed
2/17/2009 2:12:43 PM Task stopped



Edited by jsteacy, 17 February 2009 - 05:28 PM.



#2 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • OFFLINE
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:06:16 PM

Posted 20 February 2009 - 08:23 AM

Hello jsteacy,

Welcome to Bleeping Computer.

My name is mas_pogi and I will be helping you with your malware problem.
As I am still in training, I will be helping you under the supervision of our expert teachers, so there may be a delay between posts.

Attention!

Please do not run any other tool until instructed to do so.
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.
Please reply to this thread, do not start another.


You might want to bookmark this page, so you can find it again when you return.

Firefox: (screenshot not preserved) then click on Done.

IExplorer: (screenshot not preserved) then click on Add.

Stay calm.

  • Kaspersky and Avira: two antivirus programs
    Using more than one anti-virus program is not advisable. The primary concern with using more than one anti-virus program is due to conflicts that can arise when they are running in real-time mode simultaneously. Even when one of them is disabled for use as a stand-alone scanner, it can affect the other. Anti-virus software components insert themselves into the operating system's core, and using more than one can cause instability, crash your computer, slow performance and waste system resources. When actively running in the background while connected to the Internet, they both may try to update their definition databases at the same time. As the programs compete for the resources required to download the necessary files, this often results in sluggish system performance or unresponsive behavior.

    Each anti-virus will often interpret the activity of the other as a virus and there is a greater chance of them alerting you to a "False Positive". If one finds a virus and then the other also finds the same virus, both programs will be competing over exclusive rights on dealing with that virus. Each anti-virus will attempt to remove the offending file and quarantine it. If one finds and quarantines the file before the other one does, then you encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a virus has been found when that is not the case.

    Anti-virus scanners use virus definitions to check for viruses and these can include a fragment of the virus code which may be recognized by other anti-virus programs as the virus itself. Because of this, most anti-virus programs encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. However, some anti-virus vendors do not encrypt their definitions and will trigger false alarms if used while another resident anti-virus program is active.

    To avoid these problems, use only one anti-virus solution. Uninstall one of them.


  • Download GMER from here:
    http://www.gmer.net/files.php

    Unzip it to the desktop.

    Rename GMER.exe to G-mir.exe.
    Open the program and click on the Rootkit tab.
    Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
    Click on Scan.
    When the scan has run click Copy and paste the results (if any) into this thread.
Please post back the result of GMER.

With Regards,
mas_pogi
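The GMER procedure above produces a plain-text report in which every hook is attributed to a driver, together with whatever description and company name GMER could read from that driver's version resource, plus a line for any driver file it could not open on disk. The Python script below is an added example of triaging such a report, written for this page; it is not part of the thread and not a GMER or BleepingComputer tool. It assumes GMER 1.0.14's line formats for SSDT entries, "Code" entries, inline JMP patches and the "cannot find the file specified" error. The scoring rules (backing file not openable, no vendor string, module not resolved to an on-disk path, code patch on a file- or registry-enumeration routine) and the routines listed in HIDING_APIS are heuristics chosen for this example, not a published rule set, and the sample report lines are constructed in GMER's format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in GMER 1.0.14 report format (not a full log): an SSDT
# hook from a vendor-annotated anti-virus driver, an SSDT hook from an
# unannotated driver, a "Code" entry and two inline JMP patches from a driver
# carrying a made-up description, and the error GMER prints when the file
# behind a hooking driver cannot be opened on disk.
SAMPLE_LOG = r"""
---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xF2F1CB9C]
SSDT \SystemRoot\System32\drivers\ca5893b.sys ZwCreateKey [0xF7698A05]

Code b26715856e1cf68e85c902d81a802f12.sys (ckmd/Noves Inc) NtQueryDirectoryFile [0xF7505999]

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!IoCreateFile 8057691C 5 Bytes JMP F7505872 b26715856e1cf68e85c902d81a802f12.sys (ckmd/Noves Inc)
PAGE ntkrnlpa.exe!NtQueryDirectoryFile 80579E64 5 Bytes JMP F750599D b26715856e1cf68e85c902d81a802f12.sys (ckmd/Noves Inc)
? C:\WINDOWS\System32\drivers\ca5893b.sys The system cannot find the file specified.
"""

# Kernel routines that file- and registry-hiding rootkits patch. Which
# routines belong here is an assumption made for this example.
HIDING_APIS = {
    "NtQueryDirectoryFile", "ZwQueryDirectoryFile", "IoCreateFile",
    "NtEnumerateKey", "ZwEnumerateKey", "NtEnumerateValueKey",
    "ZwEnumerateValueKey", "ZwQuerySystemInformation",
}

# Line shapes as GMER 1.0.14 prints them; the "(description/company)" part is optional.
SSDT_RE = re.compile(r"^SSDT\s+(\S+)(?:\s+\(([^)]*)\))?\s+(\w+)\s+\[0x([0-9A-Fa-f]+)\]")
CODE_RE = re.compile(r"^Code\s+(\S+)(?:\s+\(([^)]*)\))?\s+(\w+)(?:\s+\[0x([0-9A-Fa-f]+)\])?")
INLINE_RE = re.compile(r"^(?:\.text|PAGE|INIT)\s+\S+!(\w+)\s+[0-9A-Fa-f]+\s+\d+\s+Bytes\s+JMP\s+"
                       r"([0-9A-Fa-f]+)\s+(\S+)(?:\s+\(([^)]*)\))?")
MISSING_RE = re.compile(r"^\?\s+(\S+)\s+The system cannot find the file specified")


@dataclass
class Hook:
    kind: str              # "SSDT", "Code" or "inline"
    module: str            # driver exactly as GMER printed it
    vendor: Optional[str]  # description/company from the driver's version info, None if absent
    function: str          # hooked kernel routine
    target: Optional[str]  # hook destination address, when printed


@dataclass
class Report:
    hooks: List[Hook] = field(default_factory=list)
    missing_files: List[str] = field(default_factory=list)
    unparsed: int = 0      # non-header lines this parser does not recognise


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_gmer(text: str) -> Report:
    """Parse the SSDT, Code, inline-JMP and missing-file lines of a GMER report."""
    rep = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        if m := SSDT_RE.match(line):
            rep.hooks.append(Hook("SSDT", m[1], m[2], m[3], m[4]))
        elif m := CODE_RE.match(line):
            rep.hooks.append(Hook("Code", m[1], m[2], m[3], m[4]))
        elif m := INLINE_RE.match(line):
            rep.hooks.append(Hook("inline", m[3], m[4], m[1], m[2]))
        elif m := MISSING_RE.match(line):
            rep.missing_files.append(m[1])
        else:
            rep.unparsed += 1
    return rep


def score_hook(h: Hook, missing: Set[str]) -> Tuple[int, List[str]]:
    """Heuristic suspicion score for one hook; the weights are this example's choice."""
    score, why = 0, []
    if basename(h.module).lower() in missing:
        score += 2; why.append("backing file not openable on disk (hidden?)")
    if not h.vendor:
        score += 1; why.append("no description/company in version info")
    if "\\" not in h.module and "/" not in h.module:
        score += 1; why.append("module not resolved to an on-disk path")
    if h.kind != "SSDT" and h.function in HIDING_APIS:
        score += 2; why.append(f"code patch on {h.function}, a file/registry enumeration routine")
    return score, why


def suspicious_modules(rep: Report, threshold: int = 2) -> Dict[str, int]:
    """Module file name -> highest score among its hooks, keeping those at or above threshold."""
    missing = {basename(p).lower() for p in rep.missing_files}
    scores: Dict[str, int] = {}
    for h in rep.hooks:
        s, _ = score_hook(h, missing)
        name = basename(h.module).lower()
        scores[name] = max(s, scores.get(name, 0))
    return {k: v for k, v in scores.items() if v >= threshold}


if __name__ == "__main__":
    rep = parse_gmer(SAMPLE_LOG)
    missing = {basename(p).lower() for p in rep.missing_files}
    for h in rep.hooks:
        s, why = score_hook(h, missing)
        flag = "SUSPECT" if s >= 2 else "ok     "
        print(f"{flag} {h.kind:6} {h.function:22} {basename(h.module):40} score={s} {'; '.join(why)}")
    print("modules to pull and analyse:", suspicious_modules(rep))
```

Run it as-is to see the scoring over the sample, or feed a saved GMER report to parse_gmer(). Two points the scoring encodes: the description and company GMER prints are read from the driver's own version information, so any driver can carry any company name it likes and an annotation is not evidence of legitimacy; and a hook that is live in kernel memory while the scanner cannot open its driver file on disk is the strongest single signal in the report, because something is hiding that file from the file system.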

#3 jsteacy

jsteacy
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:02:16 PM

Posted 20 February 2009 - 02:33 PM

Avira was removed per your suggestion; I only installed it to confirm and assist in cleaning the malicious programs on my computer.
I also wanted to let you know that I have a business trip and will be back late Sunday; it is unlikely I will be taking this infected PC, let alone have free wifi at the hotel. You will hear from me late Sunday or early Monday for sure, though.
Thank you for your assistance as well.

Here are the results from GMER (renamed G-mir):


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-20 11:29:02
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xF2F1B1DA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xF2F1B7AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xF2F1D1EA]
SSDT \SystemRoot\System32\drivers\ca5893b.sys ZwCreateEvent [0xF769A915]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xF2F1CB9C]
SSDT \SystemRoot\System32\drivers\ca5893b.sys ZwCreateKey [0xF7698A05]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xF2F1EB7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xF2F1B5AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xF2F1AD92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xF2F1AF92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xF2F1CEAC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xF2F1F084]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xF2F1B0A8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xF2F1B110]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xF2F1CD5E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xF2F1E620]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xF2F1C9F8]
SSDT \SystemRoot\System32\drivers\ca5893b.sys ZwOpenKey [0xF7698AB9]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xF2F1B3B2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xF2F1EBA6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0xF2F1B2FE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xF2F1B178]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xF2F1AE7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xF2F1AC5A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xF2F1E888]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xF2F1A5D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xF2F1DA74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xF2F1A734]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xF2F1EF56]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xF2F1A3D0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xF2F1D08C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xF2F1B6AC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xF2F1E71A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xF2F1EBD0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xF2F1AB08]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xF2F1ECB4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xF2F1EDE0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xF2F1E54C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xF2F1B47E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xF2F1B4F0]

Code b26715856e1cf68e85c902d81a802f12.sys (ckmd/Noves Inc) ZwQueryDirectoryFile [0xF7505999]
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code b26715856e1cf68e85c902d81a802f12.sys (ckmd/Noves Inc) IoCreateFile
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous
Code b26715856e1cf68e85c902d81a802f12.sys (ckmd/Noves Inc) NtQueryDirectoryFile

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504854 12 Bytes [ B4, EC, F1, F2, E0, ED, F1, ... ]
PAGE ntkrnlpa.exe!IoCreateFile 8057691C 5 Bytes JMP F7505872 b26715856e1cf68e85c902d81a802f12.sys (ckmd/Noves Inc)
PAGE ntkrnlpa.exe!NtQueryDirectoryFile 80579E64 5 Bytes JMP F750599D b26715856e1cf68e85c902d81a802f12.sys (ckmd/Noves Inc)
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\SPTDDRV1.SYS The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F561C8AC 5 Bytes JMP 8651B1B8
.text vaxscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 F54E24D0 16 Bytes [ 82, 32, E6, 2B, 2A, F2, BF, ... ]
.text vaxscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 F54E24E1 31 Bytes [ 10, 4E, F5, 7F, 38, 1E, E7, ... ]
? C:\WINDOWS\System32\Drivers\vaxscsi.sys The process cannot access the file because it is being used by another process.
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 F54984D0 16 Bytes [ B2, A3, 92, 2F, 0C, 89, 44, ... ]
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 F54984E1 31 Bytes [ 70, 49, F5, 97, 9C, EC, 90, ... ]
? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\drivers\ca5893b.sys The system cannot find the file specified.

---- User code sections - GMER 1.0.14 ----

? C:\software\Kaspersky Anti-Virus 2009\avp.exe[1260] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\software\Kaspersky Anti-Virus 2009\avp.exe[1260] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [ 70, 11, 41, 6D ]
? C:\software\Kaspersky Anti-Virus 2009\avp.exe[3208] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\software\Kaspersky Anti-Virus 2009\avp.exe[3208] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [ 70, 11, 41, 6D ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F730AAB6] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F730ABEE] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F730AB76] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F730B71C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F730B5F2] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F732F7AE] sptd.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F6C06530] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [F6C06530] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4028] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs ca5893b.sys
Device \FileSystem\Ntfs \Ntfs 871CE1D8

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Ip ca5893b.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{4C580A03-484D-44FB-966F-4B46D0008A30} 85AF91D8

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 865BD990
Device \Driver\kl1 \Device\klick ca5893b.sys
Device \Driver\dmio \Device\DmControl\DmIoDaemon 871D01D8
Device \Driver\dmio \Device\DmControl\DmConfig 871D01D8
Device \Driver\dmio \Device\DmControl\DmPnP 871D01D8
Device \Driver\dmio \Device\DmControl\DmInfo 871D01D8
Device \Driver\usbuhci \Device\USBPDO-1 865BD990
Device \Driver\usbuhci \Device\USBPDO-2 865BD990
Device \Driver\usbuhci \Device\USBPDO-3 865BD990
Device \Driver\usbstor \Device\000000a0 85AF11D8
Device \Driver\usbehci \Device\USBPDO-4 86629990

AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp ca5893b.sys

Device \Driver\kl1 \Device\kl1 ca5893b.sys
Device \Driver\usbstor \Device\000000a1 85AF11D8
Device \Driver\usbstor \Device\000000a2 85AF11D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 871661D8
Device \Driver\usbstor \Device\000000a3 85AF11D8
Device \Driver\Cdrom \Device\CdRom0 86373990
Device \Driver\usbstor \Device\000000a4 85AF11D8
Device \Driver\Cdrom \Device\CdRom1 86373990
Device \Driver\NetBT \Device\NetBT_Tcpip_{DAF98F09-64F6-4DE1-B3F4-93AD7443AB60} 85AF91D8
Device \Driver\Cdrom \Device\CdRom2 86373990
Device \Driver\kl1 \Device\KLCR ca5893b.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 85AF91D8
Device \Driver\kl1 \Device\Klop ca5893b.sys
Device \Driver\NetBT \Device\NetbiosSmb 85AF91D8

AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp ca5893b.sys
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp ca5893b.sys

Device \Driver\00000119 \Device\0000005e sptd.sys
Device \Driver\kl1 \Device\kimul14 ca5893b.sys
Device \Driver\00000119 \Device\0000005f sptd.sys
Device \Driver\kl1 \Device\klnkd5 ca5893b.sys
Device \Driver\usbuhci \Device\USBFDO-0 865BD990
Device \Driver\usbuhci \Device\USBFDO-1 865BD990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 85AF51D8
Device \Driver\usbuhci \Device\USBFDO-2 865BD990
Device \FileSystem\MRxSmb \Device\LanmanRedirector 85AF51D8
Device \Driver\usbuhci \Device\USBFDO-3 865BD990
Device \Driver\usbehci \Device\USBFDO-4 86629990
Device \Driver\Ftdisk \Device\FtControl 871661D8
Device \Driver\kl1 \Device\klin ca5893b.sys
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 86357990
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port3Path0Target0Lun0 86357990
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 86355990
Device \Driver\UlSata \Device\Scsi\UlSata1Port1Path0Target4Lun0 871CF1D8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 86355990
Device \Driver\UlSata \Device\Scsi\UlSata1 871CF1D8
Device \FileSystem\Cdfs \Cdfs 859051D8

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\b26715856e1cf68e85c902d81a802f12.sys (*** hidden *** ) [BOOT] b26715856e1cf68e85c902d81a802f12 <-- ROOTKIT !!!
Service C:\WINDOWS\System32\drivers\ca5893b.sys (*** hidden *** ) [SYSTEM] ca5893b <-- ROOTKIT !!!
Service system32\drivers\UACxmjyuhtp.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\b26715856e1cf68e85c902d81a802f12
Reg HKLM\SYSTEM\CurrentControlSet\Services\b26715856e1cf68e85c902d81a802f12@c &registry_path=\Registry\Machine\System\CurrentControlSet\Services\b26715856e1cf68e85c902d81a802f12&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=b26715856e1cf68e85c902d81a802f12&path=system32\b26715856e1cf68e85c902d81a802f12.sys&wmid=Dcl995&idate=2009-02-12 12:16:18:887&last_download_time=2009-2-12 12:20:34.890&first_skip=1
Reg HKLM\SYSTEM\CurrentControlSet\Services\b26715856e1cf68e85c902d81a802f12@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\b26715856e1cf68e85c902d81a802f12@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\b26715856e1cf68e85c902d81a802f12@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\b26715856e1cf68e85c902d81a802f12@Tag 15
Reg HKLM\SYSTEM\CurrentControlSet\Services\b26715856e1cf68e85c902d81a802f12@ImagePath system32\b26715856e1cf68e85c902d81a802f12.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\b26715856e1cf68e85c902d81a802f12@DisplayName b26715856e1cf68e85c902d81a802f12
Reg HKLM\SYSTEM\CurrentControlSet\Services\b26715856e1cf68e85c902d81a802f12@Group System Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\b26715856e1cf68e85c902d81a802f12\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\b26715856e1cf68e85c902d81a802f12\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\ca5893b@ImagePath \SystemRoot\System32\drivers\ca5893b.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ca5893b@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ca5893b@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ca5893b@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1136105370
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1129818929
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x09 0x78 0xD6 0x7F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x7D 0x5C 0x0D 0xA9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xD6 0x29 0x72 0x33 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\software\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x95 0xE0 0x22 0xFD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCF 0xCE 0x4B 0x45 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0E 0xDA 0xB3 0x11 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACxmjyuhtp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACxmjyuhtp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACjbgrvpxj.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACwwfpfwkp.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACxmnswewf.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UAClotegbft.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACapmykrjc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACxpihqofy.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACxilrfnsd.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACivbqibnm.log
Reg HKLM\SYSTEM\ControlSet002\Services\b26715856e1cf68e85c902d81a802f12
Reg HKLM\SYSTEM\ControlSet002\Services\b26715856e1cf68e85c902d81a802f12@c &registry_path=\Registry\Machine\System\CurrentControlSet\Services\b26715856e1cf68e85c902d81a802f12&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=b26715856e1cf68e85c902d81a802f12&path=system32\b26715856e1cf68e85c902d81a802f12.sys&wmid=Dcl995&idate=2009-02-12 12:16:18:887&last_download_time=2009-2-12 12:20:34.890&first_skip=1
Reg HKLM\SYSTEM\ControlSet002\Services\b26715856e1cf68e85c902d81a802f12@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\b26715856e1cf68e85c902d81a802f12@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\b26715856e1cf68e85c902d81a802f12@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\b26715856e1cf68e85c902d81a802f12@Tag 15
Reg HKLM\SYSTEM\ControlSet002\Services\b26715856e1cf68e85c902d81a802f12@ImagePath system32\b26715856e1cf68e85c902d81a802f12.sys
Reg HKLM\SYSTEM\ControlSet002\Services\b26715856e1cf68e85c902d81a802f12@DisplayName b26715856e1cf68e85c902d81a802f12
Reg HKLM\SYSTEM\ControlSet002\Services\b26715856e1cf68e85c902d81a802f12@Group System Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\b26715856e1cf68e85c902d81a802f12\Security
Reg HKLM\SYSTEM\ControlSet002\Services\b26715856e1cf68e85c902d81a802f12\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\ca5893b@ImagePath \SystemRoot\System32\drivers\ca5893b.sys
Reg HKLM\SYSTEM\ControlSet002\Services\ca5893b@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\ca5893b@Start 1
Reg HKLM\SYSTEM\ControlSet002\Services\ca5893b@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x09 0x78 0xD6 0x7F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x7D 0x5C 0x0D 0xA9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xD6 0x29 0x72 0x33 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\software\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x95 0xE0 0x22 0xFD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCF 0xCE 0x4B 0x45 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0E 0xDA 0xB3 0x11 ...
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACxmjyuhtp.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACxmjyuhtp.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACjbgrvpxj.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACwwfpfwkp.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACxmnswewf.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UAClotegbft.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACapmykrjc.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACxpihqofy.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACxilrfnsd.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACivbqibnm.log
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x09 0x78 0xD6 0x7F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x7D 0x5C 0x0D 0xA9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xD6 0x29 0x72 0x33 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\software\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x95 0xE0 0x22 0xFD ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCF 0xCE 0x4B 0x45 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0E 0xDA 0xB3 0x11 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FD8F9B0A949Cde548980D75C0C1CC918\Usage@statusexe 978586093

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\system32\b26715856e1cf68e85c902d81a802f12.sys 39936 bytes executable <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----
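
Triage logic over the GMER sections above, as an added example (not GMER's, ComboFix's, or any poster's code): it splits the log into its `---- Section ----` blocks, lists the services GMER marked `(*** hidden *** )`, flags kernel IAT hooks whose target module is not on an allow-list, and parses the `@c` value of the hidden service into its `&key=value` fields. The allow-list `KNOWN_HOOKERS`, the function names and `SAMPLE_LOG` (an excerpt of the log above, not a new capture) are this example's own assumptions.

```python
"""Triage helper for a GMER rootkit-scanner log (added example, not GMER's own code).

Assumes the plain-text layout GMER 1.0.14 prints: a header line
'---- <Section> - GMER 1.0.14 ----' followed by one record per line.
SAMPLE_LOG is an excerpt of the log posted above; KNOWN_HOOKERS is an
assumed allow-list of modules expected to hook on this host.
"""
import re
from typing import Dict, List

SAMPLE_LOG = r"""
---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F730AAB6] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F732F7AE] sptd.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F6C06530] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\b26715856e1cf68e85c902d81a802f12.sys (*** hidden *** ) [BOOT] b26715856e1cf68e85c902d81a802f12 <-- ROOTKIT !!!
Service C:\WINDOWS\System32\drivers\ca5893b.sys (*** hidden *** ) [SYSTEM] ca5893b <-- ROOTKIT !!!
Service system32\drivers\UACxmjyuhtp.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\b26715856e1cf68e85c902d81a802f12@c &registry_path=\Registry\Machine\System\CurrentControlSet\Services\b26715856e1cf68e85c902d81a802f12&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=b26715856e1cf68e85c902d81a802f12&path=system32\b26715856e1cf68e85c902d81a802f12.sys&wmid=Dcl995&idate=2009-02-12 12:16:18:887&last_download_time=2009-2-12 12:20:34.890&first_skip=1
Reg HKLM\SYSTEM\CurrentControlSet\Services\b26715856e1cf68e85c902d81a802f12@Start 0
"""

# Section header, hidden-service record and IAT record layouts as printed by GMER 1.0.14.
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SERVICE_RE = re.compile(r"^Service (.+?) \(\*\*\* hidden \*\*\* \) \[(\w+)\] (\S+)")
IAT_RE = re.compile(r"^IAT (\S+?)\[([^\]]+)\] \[([0-9A-Fa-f]+)\] (\S+)")

# Assumption: modules whose hooks are expected on this host (Kaspersky's TDI filter).
KNOWN_HOOKERS = {"kl1.sys"}


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty log lines under the section header that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def hidden_services(sections: Dict[str, List[str]]) -> List[dict]:
    """Services GMER saw on disk/in memory but the service database did not report."""
    found = []
    for line in sections.get("Services", []):
        m = SERVICE_RE.match(line)
        if m:
            found.append({"image": m.group(1), "start": m.group(2), "name": m.group(3)})
    return found


def unexpected_kernel_hooks(sections: Dict[str, List[str]], allow=KNOWN_HOOKERS) -> List[dict]:
    """Kernel import-table entries redirected into a module not on the allow-list."""
    hooks = []
    for line in sections.get("Kernel IAT/EAT", []):
        m = IAT_RE.match(line)
        if m and m.group(4) not in allow:
            hooks.append({"victim": m.group(1), "import": m.group(2),
                          "address": m.group(3), "hook_module": m.group(4)})
    return hooks


def parse_service_config(sections: Dict[str, List[str]]) -> Dict[str, Dict[str, str]]:
    """Split each service's '@c' value ('&'-joined key=value pairs) into a dict."""
    configs: Dict[str, Dict[str, str]] = {}
    for line in sections.get("Registry", []):
        if not line.startswith("Reg ") or "@c " not in line:
            continue
        key, _, value = line[4:].partition("@c ")
        service = key.rsplit("\\", 1)[-1]
        fields: Dict[str, str] = {}
        for part in value.lstrip("&").split("&"):
            k, _, v = part.partition("=")
            fields[k] = v
        configs[service] = fields
    return configs


def beacon_summary(fields: Dict[str, str]) -> dict:
    """Pull the polling period and the per-peer port list out of a parsed '@c' config."""
    count = int(fields.get("ips_count", "0"))
    return {"download_period": int(fields["download_period"]),
            "ports": [int(fields[f"port_{i}"]) for i in range(count)]}


def triage(text: str) -> dict:
    sections = parse_sections(text)
    configs = parse_service_config(sections)
    return {"hidden_services": hidden_services(sections),
            "unexpected_hooks": unexpected_kernel_hooks(sections),
            "beacons": {name: beacon_summary(f) for name, f in configs.items()}}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(k, v)
```

In this log the two flagged `sptd.sys` hooks belong to the disk-emulation driver that the `sptd\Cfg` keys tie to Alcohol 120% and DAEMON Tools, so a responder would confirm that and add it to the allow-list; the three hidden services, the `ca5893b.sys` attachments on `\Device\Tcp`, `\Device\Udp` and `\Device\Ip`, and the `@c` polling configuration with four peers are the findings that justify the disconnect-from-the-Internet advice in the next reply.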

#4 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • OFFLINE
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:06:16 PM

Posted 21 February 2009 - 10:52 AM

Hi jsteacy.

You have an installed Rootkit in your computer.

A Rootkit is software that cloaks the presence of files and data to evade detection, while allowing an attacker to take control of the machine without the user's knowledge. Rootkits are typically used by malware including viruses, spyware, trojans, and backdoors, to conceal themselves from the user as well as from malware detection software such as anti-virus and anti-spyware applications. Rootkits are also used by some adware applications and DRM (Digital Rights Management) programs to thwart the removal of that unwanted software by users.

They are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.


Please follow the instructions promptly;
  • Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case Vuze). These programmes allow users to share files between one another, as the name suggests. In today's world, cybercrime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

    It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

    It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

    Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

  • Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    Posted Image


    Posted Image
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on Bleeping-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
In your reply, please post

C:\combofix.txt
C:\QooBox\Add-Remove Programs.txt


Mark

#5 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • OFFLINE
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:06:16 PM

Posted 23 February 2009 - 10:15 PM

Hi.


Do you still need help? :thumbup2:


M_P

#6 jsteacy

jsteacy
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:02:16 PM

Posted 24 February 2009 - 02:48 PM

Sorry about that, trip took an extra day.

Here is the combofix.txt:

ComboFix 09-02-21.01 - Admin 2009-02-24 11:22:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.590 [GMT -8:00]
Running from: c:\documents and settings\Admin\Desktop\Bleeping-Fix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\inf\rundll33.exe
c:\windows\system32\jdxcngce.ini
c:\windows\system32\LlTAKRqr.ini
c:\windows\system32\LlTAKRqr.ini2
c:\windows\xccwinsys.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-16 15:10 . 2007-01-18 04:00 3,968 --a------ c:\windows\system32\drivers\AvgArCln.sys
2009-02-16 11:51 . 2009-02-16 11:56 <DIR> d-------- c:\documents and settings\Admin\DoctorWeb
2009-02-15 21:55 . 2009-02-15 21:55 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-02-15 21:51 . 2009-02-15 21:51 <DIR> d-------- c:\windows\ERUNT
2009-02-15 21:41 . 2009-02-15 22:59 <DIR> d-------- C:\SDFix
2009-02-14 14:17 . 2009-02-14 14:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-14 14:17 . 2009-02-14 14:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-14 14:17 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-14 14:17 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-14 00:55 . 2009-02-24 11:14 2,184 --a------ c:\windows\system32\wpa.dbl
2009-02-13 19:12 . 2009-02-13 19:13 <DIR> d-------- c:\documents and settings\Admin\Application Data\Antispyware
2009-02-13 17:41 . 2009-02-13 17:41 <DIR> d-------- C:\VundoFix Backups
2009-02-12 23:49 . 2009-02-13 17:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2009-02-12 23:43 . 2009-02-12 23:43 <DIR> d-------- c:\program files\Common Files\iS3
2009-02-12 23:43 . 2009-02-13 15:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-02-12 19:45 . 2009-02-14 20:10 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-12 19:45 . 2009-02-14 20:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-12 13:16 . 2009-02-12 13:16 131,584 --a------ c:\windows\urusedoxiyetuk.dll
2009-02-12 12:12 . 2009-02-16 14:55 82,565 --a------ c:\windows\system32\UACxpihqofy.lo_
2009-02-12 12:12 . 2009-02-16 14:55 81,920 --a------ c:\windows\system32\UACapmykrjc.dl_
2009-02-12 12:12 . 2009-02-12 12:12 5,189 --a------ c:\windows\system32\uacinit.dl_
2009-02-12 12:11 . 2009-02-16 11:25 127 --a------ c:\windows\system32\UACwwfpfwkp.da_
2009-02-12 12:06 . 2009-02-12 12:06 99,696 --a------ c:\windows\system32\drivers\fff5e9d8.sys
2009-02-12 12:05 . 2009-02-24 11:24 <DIR> d-------- c:\windows\system32\inf
2009-02-12 12:05 . 2009-02-24 11:35 99,696 --a------ c:\windows\system32\drivers\ca5893b.sys
2009-02-12 10:35 . 2009-02-12 11:12 <DIR> d-------- C:\Screen Recordings
2009-02-11 20:02 . 2009-02-11 20:45 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-09 15:20 . 2009-02-09 15:21 <DIR> d-------- c:\documents and settings\Admin\Application Data\.purple
2009-02-03 18:49 . 2009-02-24 11:20 <DIR> d-------- c:\documents and settings\Admin\Application Data\HPAppData
2009-01-31 19:35 . 2009-01-31 19:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\WEBREG
2009-01-31 18:02 . 2009-01-31 18:02 <DIR> d-------- c:\documents and settings\Admin\Application Data\HP
2009-01-31 17:59 . 2009-01-31 17:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2009-01-31 17:58 . 2009-01-31 17:58 <DIR> d-------- c:\program files\Hewlett-Packard
2009-01-31 17:58 . 2009-01-31 17:58 <DIR> d-------- c:\program files\Common Files\HP
2009-01-31 17:58 . 2009-01-31 17:58 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2009-01-31 17:57 . 2009-01-31 17:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-01-31 17:56 . 2007-12-06 15:55 271,704 -ra------ c:\windows\system32\hpzids01.dll
2009-01-31 17:56 . 2007-03-15 15:32 118,272 --a------ c:\windows\system32\hpz3l5ha.dll
2009-01-31 17:55 . 2007-11-01 03:28 970,752 -ra------ c:\windows\system32\hpotiop5.dll
2009-01-31 17:55 . 2007-11-01 03:28 729,088 -ra------ c:\windows\system32\hpowiax5.dll
2009-01-31 17:55 . 2007-11-01 03:28 364,544 -ra------ c:\windows\system32\hppldcoi.dll
2009-01-31 17:55 . 2007-11-01 03:28 309,760 -ra------ c:\windows\system32\difxapi.dll
2009-01-31 17:55 . 2007-11-01 03:28 303,104 -ra------ c:\windows\system32\hpovst12.dll
2009-01-31 17:55 . 2001-08-17 13:53 6,784 --a------ c:\windows\system32\drivers\serscan.sys
2009-01-31 17:55 . 2001-08-17 13:53 6,784 --a--c--- c:\windows\system32\dllcache\serscan.sys
2009-01-31 17:53 . 2009-01-31 17:53 <DIR> d-------- c:\program files\HP
2009-01-31 17:53 . 2008-04-13 10:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-01-31 17:53 . 2008-04-13 10:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-01-31 17:50 . 2009-01-31 19:35 165,024 --a------ c:\windows\hpoins21.dat
2009-01-31 17:50 . 2008-02-13 01:18 7,262 --------- c:\windows\hpomdl21.dat
2009-01-28 20:50 . 2009-01-28 20:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Firefly Studios
2009-01-27 23:58 . 2009-01-27 23:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-01-27 23:58 . 2009-01-27 23:58 4,096 --a------ c:\windows\d3dx.dat
2009-01-27 23:47 . 2009-01-27 23:47 <DIR> d-------- c:\program files\ReflexiveArcade
2009-01-27 01:32 . 2009-01-27 01:32 <DIR> d-------- c:\documents and settings\Admin\Application Data\vlc
2009-01-24 15:29 . 2009-01-24 15:29 <DIR> d-------- c:\documents and settings\Admin\Application Data\XnView

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 19:34 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-02-24 19:31 491,552 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-02-24 19:31 2,760 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-02-24 19:31 173,468 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-02-24 19:31 14,710,816 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-02-14 21:48 --------- d-----w c:\program files\Google
2009-02-12 20:58 89,601 ----a-w c:\windows\system32\drivers\klick.dat
2009-02-12 20:58 101,287 ----a-w c:\windows\system32\drivers\klin.dat
2009-02-12 20:06 --------- d-----w c:\documents and settings\Admin\Application Data\Azureus
2009-02-12 05:10 33,808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-02-01 08:59 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-27 21:55 81,920 ----a-w c:\windows\ALCFDRTM.EXE
2009-01-22 17:30 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-01-22 17:09 --------- d-----w c:\documents and settings\Admin\Application Data\Uniblue
2009-01-22 04:32 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-01-22 04:15 --------- d-----w c:\program files\Common Files\Adobe
2009-01-22 04:04 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-01-18 21:07 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-01-18 21:07 --------- d-----w c:\documents and settings\Admin\Application Data\PlayFirst
2009-01-10 09:07 --------- d-----w c:\documents and settings\Admin\Application Data\Winamp
2009-01-10 02:54 --------- d-----w c:\program files\AskBarDis
2009-01-10 02:54 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2009-01-06 23:07 --------- d-----w c:\program files\McAfee
2009-01-06 23:01 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-01-06 09:14 --------- d-----w c:\program files\Java
2009-01-06 03:24 --------- d-----w c:\documents and settings\Admin\Application Data\Ventrilo
2009-01-06 03:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-06 01:34 --------- d-----w c:\documents and settings\Admin\Application Data\HouseCall 6.6
2009-01-06 01:07 --------- d-----w c:\program files\SystemRequirementsLab
2008-12-29 00:01 --------- d-----w c:\program files\Trend Micro
2008-12-27 23:03 --------- d-----w c:\program files\Sun
2005-12-20 21:47 32 ----a-r c:\documents and settings\All Users\hash.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCECardBusTV"="c:\windows\system32\MCECardBusTV.exe" [2005-06-03 126976]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-17 7561216]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-06 136600]
"AVP"="c:\software\Kaspersky Anti-Virus 2009\avp.exe" [2009-02-11 206088]
"nwiz"="nwiz.exe" [2006-03-17 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 c:\windows\SOUNDMAN.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\software\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ZDSV"= scrvid.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2004-08-10 03:04 59392 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-03-17 17:16 7561216 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-07-15 01:07 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 13:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2005-05-05 17:33 708698 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2005-05-05 17:33 102490 c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 18:43 69632 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2005-09-21 15:32 2807808 c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2001-12-26 00:12 472576 c:\windows\mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-09-21 10:24 86016 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\1134182906\\ee\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1134182906\\ee\\aolsoftware.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\software\\Ventrilo\\Ventrilo.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\software\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\software\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\software\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\software\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\software\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\software\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\software\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\software\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\software\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 33808]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
R3 scrcap;scrcap;c:\windows\system32\drivers\scrcap.sys [2006-12-27 9006]
R3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\SLDRV\slazldrv.sys [2005-05-05 230448]
S3 1012NDS5;1012NDS5 NDIS Protocol Driver;c:\windows\system32\1012NDS5.sys [2003-03-11 15872]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [2007-05-14 49399]
S3 PhTVTune;AVerMedia TVTuner;c:\windows\system32\drivers\PhTVTune.sys [2004-11-23 28800]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-01-09 234888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0c5e2aa-d646-11db-a434-000b6b373569}]
\Shell\AutoRun\command - rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b232ab4e-bc55-11db-a417-000b6b373569}]
\Shell\AutoRun\command - rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-14 c:\windows\Tasks\Antispyware Scheduled Scan.job
- c:\program files\Antispyware\Antispyware.exe []

2009-02-14 c:\windows\Tasks\Antispyware Scheduled Scan.job
- c:\program files\Antispyware []
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll
HKLM-Run-WinampAgent - c:\software\Winamp\winampa.exe
MSConfigStartUp-McAfee Guardian - c:\program files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
MSConfigStartUp-MPFExe - c:\software\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.alienware.com/Mothership?Comp=AWC&SysCode=PC-LT-AREA51-M-7700&ai=636E3D33333733323926706F3D504F2D33353935353641
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 11:35:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MCECardBusTV = c:\windows\system32\MCECardBusTV.exe?sTV.exe?exe???w??????f???f?????????????????????????????????????2???????????x???g??w0??w????*??w???w????Ta?]????????P?????????f????????????????????????????????w??f???f?P?????????????????????????A?????x???(AA???????@???A???@

scanning hidden files ...


c:\windows\system32\b26715856e1cf68e85c902d81a802f12.sys 39936 bytes executable
c:\windows\system32\_b26715856e1cf68e85c902d81a802f12.sys_.vir 39936 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b26715856e1cf68e85c902d81a802f12]
"ImagePath"="system32\b26715856e1cf68e85c902d81a802f12.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ca5893b]
"ImagePath"="\SystemRoot\System32\drivers\ca5893b.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-1421691402-1772962490-2775497362-1010\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:77,82,c9,8a,b8,18,96,8f,f6,92,ee,34,c9,1c,b8,a2,d6,86,98,e7,06,20,ea,
b8,f2,e0,43,0e,13,4c,5e,6e,67,98,17,08,a2,62,5a,dd,a7,53,96,ef,d9,94,ca,7b,\
"??"=hex:06,f5,19,08,9a,73,29,74,c0,03,b5,58,b9,6f,b2,e9
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\slserv.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\system32\dllhost.exe
c:\software\HP\Digital Imaging\bin\hpqste08.exe
c:\software\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2009-02-24 11:41:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-24 19:41:14

Pre-Run: 3,455,148,032 bytes free
Post-Run: 3,596,062,720 bytes free

281 --- E O F --- 2008-04-21 22:14:28

Here is the Add-Remove Programs.txt:

32 Bit HP CIO Components Installer
Ad-Aware SE Personal
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 7.0
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AIO_Scan
AlienGUIse
AOL Uninstaller (Choose which Products to Remove)
Apple Mobile Device Support
Apple Software Update
AVerMedia Hardware MPEG CardBus TV
AVG Anti-Rootkit Free
BisonCam, USB2.0
Blender (remove only)
Bonjour
BufferChm
C8100
C8100_Help
CDisplayEx 1.4
Copy
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DISCoverGameGuide
DocProc
DocProcQFolder
Fax
Google Chrome
Google Talk (remove only)
Google Talk Plugin
GTK+ Runtime 2.14.6 rev a (remove only)
High Definition Audio Driver Package - KB835221
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
HP Imaging Device Functions 10.0
HP Photosmart All-In-One Driver Software 10.0 Rel .2
HP Smart Web Printing
ILLUSION RapeLay
InCD
IntelliJ IDEA 7.0.3
iTunes
J2SE Development Kit 5.0 Update 11
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java DB 10.2.2.0
Java Media Framework 2.1.1e
Java™ 6 Update 11
Java™ 6 Update 2
Java™ SE Development Kit 6 Update 2
Kaspersky Anti-Virus 2009
Lemonade Tycoon
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft FrontPage Client - English
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft MPEG-4 VKI Video Codec V1/V2/V3
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Excel Viewer 2003
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C# 2005 Express Edition - ENU Service Pack 1 (KB926749)
Microsoft Visual C++ .NET Standard 2003 - English
Microsoft Visual C++ 2005 Redistributable
Microsoft XNA Framework Redistributable 2.0
Microsoft XNA Game Studio 2.0
Microsoft XNA Game Studio 2.0 (ARP entry)
Microsoft XNA Game Studio 2.0 (Redists)
Microsoft XNA Game Studio 2.0 (shared components)
Microsoft XNA Game Studio 2.0 (spacewar)
Microsoft XNA Game Studio 2.0 (xnaliveproxy)
Microsoft XNA Game Studio 2.0 Documentation
MSXML 6.0 Parser (KB927977)
Multimedia / Internet Keyboard Driver VerR8.16
Nero Digital
Nero OEM
NeroVision Express Content
NetDeviceManager
NVIDIA Drivers
OCR Software by I.R.I.S. 10.0
Open Video Capture version 1.0
OpenOffice.org Installer 1.0
PanoStandAlone
PDF Settings
Pidgin
PowerDVD
PS_AIO_02_ProductContext
PS_AIO_02_Software
PS_AIO_02_Software_Min
QuickTime
REALTEK Gigabit and Fast Ethernet NIC Driver
Realtek High Definition Audio Driver
RoxioShim
Scan
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Smart Link 56K Voice Modem
SmartWebPrintingOC
Sony Noise Reduction Plug-In 2.0e
Sony Sound Forge 9.0
Status
Synaptics Pointing Device Driver
System Requirements Lab
Theme Manager
Toolbox
TrayApp
UnloadSupport
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369)
Ventrilo Client
VideoLAN VLC media player 0.8.5
Visual C++ .NET Standard 2003 - English
Visual Studio.NET Baseline - English
Vuze
Vuze Toolbar
WebFldrs XP
WebReg
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Live Messenger
Windows Presentation Foundation
Windows XP Media Center Edition 2005 KB888316
Windows XP Service Pack 3
WinRAR archiver
WLAN
WLAN a+b+g mini-PCI Module
World of Warcraft
XML Paper Specification Shared Components Pack 1.0
XnView 1.95.4
XviD MPEG-4 Video Codec
Yahoo! Install Manager
Yahoo! Messenger
ZD Soft Screen Recorder
ZD Soft Screen Video Decoder


I am still finding rootkits, or the presence of them, with Avira, though they could be the quarantined files.

Edited by jsteacy, 24 February 2009 - 04:54 PM.


#7 mas_pogi

    Carpal Tunnel of Love

  • Members
  • 1,473 posts
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:06:16 PM

Posted 26 February 2009 - 08:28 AM

hi.

It seems you failed to install the Recovery Console. We need it just in case the situation becomes undesirable.



With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System.
Posted Image
Download the file & save it as it's originally named.


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Posted Image
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
    Posted Image
  • At the next prompt, click 'No'.
  • When the tool is finished, a log named CF_RC.txt will open.
You can also find it in C:\CF_RC.txt .

You can also check whether it is installed when you reboot your computer; you will see an option.

Please post it in your next reply.


Mark

#8 jsteacy
  • Topic Starter
  • Members
  • 13 posts
  • Local time:02:16 PM

Posted 26 February 2009 - 03:29 PM

This is from the log:

ComboFix 09-02-26.01 - Admin 2009-02-26 12:20:18.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.623 [GMT -8:00]
Running from: c:\documents and settings\Admin\Desktop\Bleeping-Fix.exe
Command switches used :: c:\documents and settings\Admin\My Documents\Downloads\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.

It is installed, what next? :thumbup2:

#9 mas_pogi

    Carpal Tunnel of Love

  • Members
  • 1,473 posts
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:06:16 PM

Posted 26 February 2009 - 04:02 PM

hi.

Let's continue:
  • 1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    ROOTKIT::
    c:\windows\system32\b26715856e1cf68e85c902d81a802f12.sys
    c:\windows\system32\_b26715856e1cf68e85c902d81a802f12.sys_.vir
    c:\windows\system32\drivers\ca5893b.sys
    c:\windows\system32\uacinit.dll
    c:\windows\system32\drivers\fff5e9d8.sys
    c:\windows\system32\UACjbgrvpxj.dll
    c:\windows\system32\UACwwfpfwkp.dat
    c:\windows\system32\UACxmnswewf.dll
    c:\windows\system32\UAClotegbft.dll
    c:\windows\system32\UACapmykrjc.dll
    c:\windows\system32\UACxpihqofy.log
    c:\windows\system32\UACxilrfnsd.log
    c:\windows\system32\UACivbqibnm.log
    c:\windows\system32\drivers\UACxmjyuhtp.sys
    c:\windows\urusedoxiyetuk.dll
    FOLDER::
    c:\program files\Antispyware
    FILE::
    c:\windows\Tasks\Antispyware Scheduled Scan.job
    DIRLOOK::
    c:\windows\system32\inf
    REGISTRY::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000000
    DRIVER::
    b26715856e1cf68e85c902d81a802f12
    ca5893b


    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

  • Please download ATF Cleaner by Atribune & save it to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.
    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords, please click No at the prompt.
    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.
    Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

  • Please do a scan with Kaspersky Online Scanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, click on View scan report
    • Now, click on the Save Report as button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
  • How's your computer now?

In your reply, please post

C:\combofix.txt
Kaspersky scan result
Answers to my questions


Mark
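As an added example (not part of this thread, of ComboFix, or of any tool named here), a small Python triage script that parses ComboFix "Files Created" lines like those in the log posted above and flags the naming patterns the CFScript in this post targets: UAC-prefixed names, hex-only driver names, extensions truncated to a trailing underscore, plus anything else under c:\windows created in the same window as a flagged entry, which is how urusedoxiyetuk.dll and the system32\inf directory (the one the script inspects with DIRLOOK::) reach the review list. The sample lines are copied from the log; the heuristics, the 2-hour window and the reason strings are this example's own choices, not the helper's stated method.

```python
"""Triage heuristics for ComboFix "Files Created" log lines.

Added example: not part of this thread, of ComboFix or of any tool named in it.
The sample lines are copied from the log posted above; the heuristics, the
2-hour clustering window and the reason strings are this example's own choices.
"""
import re
from datetime import datetime, timedelta

# Sample input, copied from the ComboFix log in this thread, plus two benign
# driver entries (mbamswissarmy.sys, serscan.sys) kept for contrast.
SAMPLE_LOG = r"""
2009-02-12 13:16 . 2009-02-12 13:16 131,584 --a------ c:\windows\urusedoxiyetuk.dll
2009-02-12 12:12 . 2009-02-16 14:55 82,565 --a------ c:\windows\system32\UACxpihqofy.lo_
2009-02-12 12:12 . 2009-02-16 14:55 81,920 --a------ c:\windows\system32\UACapmykrjc.dl_
2009-02-12 12:12 . 2009-02-12 12:12 5,189 --a------ c:\windows\system32\uacinit.dl_
2009-02-12 12:06 . 2009-02-12 12:06 99,696 --a------ c:\windows\system32\drivers\fff5e9d8.sys
2009-02-12 12:05 . 2009-02-24 11:24 <DIR> d-------- c:\windows\system32\inf
2009-02-12 12:05 . 2009-02-24 11:35 99,696 --a------ c:\windows\system32\drivers\ca5893b.sys
2009-02-14 14:17 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 17:55 . 2001-08-17 13:53 6,784 --a------ c:\windows\system32\drivers\serscan.sys
"""

# One ComboFix line: "<created> . <modified> <size or <DIR>> <attributes> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)\s*$",
    re.IGNORECASE,
)

# Name patterns taken from the files the fix script in this thread removes.
HEX_SYS_RE = re.compile(r"^[0-9a-f]{6,32}\.sys$")    # fff5e9d8.sys, ca5893b.sys
UAC_RE = re.compile(r"^uac[a-z]*\.[a-z]{2}[a-z_]$")   # UACxpihqofy.lo_, uacinit.dll
RENAMED_RE = re.compile(r"\.[a-z]{2}_$")              # .dl_/.lo_/.da_: renamed, not gone
WINDOWS_ROOT = "c:\\windows\\"


def parse_entries(text):
    """Return one dict per parseable line; paths are lower-cased for matching."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "is_dir": m["size"] == "<DIR>",
            "path": m["path"].lower(),
        })
    return entries


def name_reasons(path):
    """Reasons based on the file name alone (empty list means nothing odd)."""
    base = path.rsplit("\\", 1)[-1]
    reasons = []
    if HEX_SYS_RE.match(base):
        reasons.append("hex-only driver name")
    if UAC_RE.match(base):
        reasons.append("UAC-prefixed name (shared by the rootkit files in this log)")
    if RENAMED_RE.search(base):
        reasons.append("extension truncated to '_' (renamed copy still on disk)")
    return reasons


def triage(entries, window=timedelta(hours=2)):
    """Map flagged path -> list of reasons.

    Pass 1 flags entries by name. Pass 2 widens the net: anything else under
    c:\\windows created within `window` of a name-flagged entry is added too,
    which is how the ordinary-looking urusedoxiyetuk.dll and the
    system32\\inf directory end up on the review list.
    """
    flagged = {}
    for e in entries:
        reasons = name_reasons(e["path"])
        if reasons:
            flagged[e["path"]] = reasons
    seed_times = [e["created"] for e in entries if e["path"] in flagged]
    for e in entries:
        if e["path"] in flagged or not e["path"].startswith(WINDOWS_ROOT):
            continue
        if any(abs(e["created"] - t) <= window for t in seed_times):
            reason = f"created within {window} of flagged files"
            if e["is_dir"]:
                reason += "; inspect contents"
            flagged[e["path"]] = [reason]
    return flagged


if __name__ == "__main__":
    for path, reasons in sorted(triage(parse_entries(SAMPLE_LOG)).items()):
        print(path)
        for r in reasons:
            print("    - " + r)
```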

#10 jsteacy
  • Topic Starter
  • Members
  • 13 posts
  • Local time:02:16 PM

Posted 26 February 2009 - 09:48 PM

ComboFix:

ComboFix 09-02-26.01 - Admin 2009-02-26 15:45:42.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.521 [GMT -8:00]
Running from: c:\documents and settings\Admin\Desktop\Bleeping-Fix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\Tasks\Antispyware Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_b26715856e1cf68e85c902d81a802f12.sys_.vir
c:\windows\system32\drivers\ca5893b.sys
c:\windows\Tasks\Antispyware Scheduled Scan.job
c:\windows\urusedoxiyetuk.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_B26715856E1CF68E85C902D81A802F12
-------\Service_b26715856e1cf68e85c902d81a802f12
-------\Service_ca5893b


((((((((((((((((((((((((( Files Created from 2009-01-26 to 2009-02-26 )))))))))))))))))))))))))))))))
.

2009-02-24 11:55 . 2009-02-24 11:55 <DIR> d-------- c:\program files\Avira
2009-02-24 11:55 . 2009-02-24 11:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-02-16 15:10 . 2007-01-18 04:00 3,968 --a------ c:\windows\system32\drivers\AvgArCln.sys
2009-02-16 11:51 . 2009-02-16 11:56 <DIR> d-------- c:\documents and settings\Admin\DoctorWeb
2009-02-15 21:55 . 2009-02-15 21:55 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-02-15 21:51 . 2009-02-15 21:51 <DIR> d-------- c:\windows\ERUNT
2009-02-15 21:41 . 2009-02-15 22:59 <DIR> d-------- C:\SDFix
2009-02-14 14:17 . 2009-02-14 14:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-14 14:17 . 2009-02-14 14:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-14 14:17 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-14 14:17 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-14 00:55 . 2009-02-25 17:50 2,184 --a------ c:\windows\system32\wpa.dbl
2009-02-13 19:12 . 2009-02-13 19:13 <DIR> d-------- c:\documents and settings\Admin\Application Data\Antispyware
2009-02-13 17:41 . 2009-02-13 17:41 <DIR> d-------- C:\VundoFix Backups
2009-02-12 23:49 . 2009-02-13 17:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2009-02-12 23:43 . 2009-02-12 23:43 <DIR> d-------- c:\program files\Common Files\iS3
2009-02-12 23:43 . 2009-02-13 15:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-02-12 19:45 . 2009-02-14 20:10 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-12 19:45 . 2009-02-14 20:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-12 12:12 . 2009-02-16 14:55 82,565 --a------ c:\windows\system32\UACxpihqofy.lo_
2009-02-12 12:12 . 2009-02-12 12:12 5,189 --a------ c:\windows\system32\uacinit.dl_
2009-02-12 12:11 . 2009-02-16 11:25 127 --a------ c:\windows\system32\UACwwfpfwkp.da_
2009-02-12 12:05 . 2009-02-24 11:24 <DIR> d-------- c:\windows\system32\inf
2009-02-12 10:35 . 2009-02-12 11:12 <DIR> d-------- C:\Screen Recordings
2009-02-11 20:02 . 2009-02-11 20:45 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-09 15:20 . 2009-02-09 15:21 <DIR> d-------- c:\documents and settings\Admin\Application Data\.purple
2009-02-03 18:49 . 2009-02-24 11:20 <DIR> d-------- c:\documents and settings\Admin\Application Data\HPAppData
2009-01-31 19:35 . 2009-01-31 19:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\WEBREG
2009-01-31 18:02 . 2009-01-31 18:02 <DIR> d-------- c:\documents and settings\Admin\Application Data\HP
2009-01-31 17:59 . 2009-01-31 17:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2009-01-31 17:58 . 2009-01-31 17:58 <DIR> d-------- c:\program files\Hewlett-Packard
2009-01-31 17:58 . 2009-01-31 17:58 <DIR> d-------- c:\program files\Common Files\HP
2009-01-31 17:58 . 2009-01-31 17:58 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2009-01-31 17:57 . 2009-01-31 17:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-01-31 17:56 . 2007-12-06 15:55 271,704 -ra------ c:\windows\system32\hpzids01.dll
2009-01-31 17:56 . 2007-03-15 15:32 118,272 --a------ c:\windows\system32\hpz3l5ha.dll
2009-01-31 17:55 . 2007-11-01 03:28 970,752 -ra------ c:\windows\system32\hpotiop5.dll
2009-01-31 17:55 . 2007-11-01 03:28 729,088 -ra------ c:\windows\system32\hpowiax5.dll
2009-01-31 17:55 . 2007-11-01 03:28 364,544 -ra------ c:\windows\system32\hppldcoi.dll
2009-01-31 17:55 . 2007-11-01 03:28 309,760 -ra------ c:\windows\system32\difxapi.dll
2009-01-31 17:55 . 2007-11-01 03:28 303,104 -ra------ c:\windows\system32\hpovst12.dll
2009-01-31 17:55 . 2001-08-17 13:53 6,784 --a------ c:\windows\system32\drivers\serscan.sys
2009-01-31 17:55 . 2001-08-17 13:53 6,784 --a--c--- c:\windows\system32\dllcache\serscan.sys
2009-01-31 17:53 . 2009-01-31 17:53 <DIR> d-------- c:\program files\HP
2009-01-31 17:53 . 2008-04-13 10:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-01-31 17:53 . 2008-04-13 10:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-01-31 17:50 . 2009-01-31 19:35 165,024 --a------ c:\windows\hpoins21.dat
2009-01-31 17:50 . 2008-02-13 01:18 7,262 --------- c:\windows\hpomdl21.dat
2009-01-28 20:50 . 2009-01-28 20:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Firefly Studios
2009-01-27 23:58 . 2009-01-27 23:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-01-27 23:58 . 2009-01-27 23:58 4,096 --a------ c:\windows\d3dx.dat
2009-01-27 23:47 . 2009-01-27 23:47 <DIR> d-------- c:\program files\ReflexiveArcade
2009-01-27 01:32 . 2009-01-27 01:32 <DIR> d-------- c:\documents and settings\Admin\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-14 21:48 --------- d-----w c:\program files\Google
2009-02-12 20:06 --------- d-----w c:\documents and settings\Admin\Application Data\Azureus
2009-02-01 08:59 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-27 21:55 81,920 ----a-w c:\windows\ALCFDRTM.EXE
2009-01-24 23:29 --------- d-----w c:\documents and settings\Admin\Application Data\XnView
2009-01-22 17:30 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-01-22 17:09 --------- d-----w c:\documents and settings\Admin\Application Data\Uniblue
2009-01-22 04:32 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-01-22 04:15 --------- d-----w c:\program files\Common Files\Adobe
2009-01-22 04:04 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-01-18 21:07 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-01-18 21:07 --------- d-----w c:\documents and settings\Admin\Application Data\PlayFirst
2009-01-10 09:07 --------- d-----w c:\documents and settings\Admin\Application Data\Winamp
2009-01-10 02:54 --------- d-----w c:\program files\AskBarDis
2009-01-10 02:54 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2009-01-06 23:07 --------- d-----w c:\program files\McAfee
2009-01-06 23:01 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-01-06 09:14 --------- d-----w c:\program files\Java
2009-01-06 03:24 --------- d-----w c:\documents and settings\Admin\Application Data\Ventrilo
2009-01-06 03:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-06 01:34 --------- d-----w c:\documents and settings\Admin\Application Data\HouseCall 6.6
2009-01-06 01:07 --------- d-----w c:\program files\SystemRequirementsLab
2008-12-29 00:01 --------- d-----w c:\program files\Trend Micro
2008-12-27 23:03 --------- d-----w c:\program files\Sun
2005-12-20 21:47 32 ----a-r c:\documents and settings\All Users\hash.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\system32\inf ----



((((((((((((((((((((((((((((( SnapShot@2009-02-24_11.40.03.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-09 20:15:51 45,376 ----a-w c:\windows\system32\drivers\avgntdd.sys
+ 2008-01-22 01:11:28 22,336 ----a-w c:\windows\system32\drivers\avgntmgr.sys
+ 2008-10-30 18:21:03 75,072 ----a-w c:\windows\system32\drivers\avipbb.sys
+ 2007-03-01 17:34:22 28,352 ----a-w c:\windows\system32\drivers\ssmdrv.sys
+ 2009-02-26 23:53:02 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6e0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCECardBusTV"="c:\windows\system32\MCECardBusTV.exe" [2005-06-03 126976]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-17 7561216]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-06 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2006-03-17 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 c:\windows\SOUNDMAN.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\software\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ZDSV"= scrvid.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2004-08-10 03:04 59392 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-03-17 17:16 7561216 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-07-15 01:07 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 13:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2005-05-05 17:33 708698 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2005-05-05 17:33 102490 c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 18:43 69632 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2005-09-21 15:32 2807808 c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2001-12-26 00:12 472576 c:\windows\mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-09-21 10:24 86016 c:\windows\SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\1134182906\\ee\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1134182906\\ee\\aolsoftware.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\software\\Ventrilo\\Ventrilo.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\software\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\software\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\software\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\software\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\software\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\software\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\software\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\software\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\software\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)

R3 scrcap;scrcap;c:\windows\system32\drivers\scrcap.sys [2006-12-27 9006]
R3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\SLDRV\slazldrv.sys [2005-05-05 230448]
S3 1012NDS5;1012NDS5 NDIS Protocol Driver;c:\windows\system32\1012NDS5.sys [2003-03-11 15872]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [2007-05-14 49399]
S3 PhTVTune;AVerMedia TVTuner;c:\windows\system32\drivers\PhTVTune.sys [2004-11-23 28800]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-01-09 234888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0c5e2aa-d646-11db-a434-000b6b373569}]
\Shell\AutoRun\command - rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b232ab4e-bc55-11db-a417-000b6b373569}]
\Shell\AutoRun\command - rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.alienware.com/Mothership?Comp=AWC&SysCode=PC-LT-AREA51-M-7700&ai=636E3D33333733323926706F3D504F2D33353935353641
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-26 15:54:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MCECardBusTV = c:\windows\system32\MCECardBusTV.exe?sTV.exe?exe???w??????f???f?????????????????????????????????????2???????????x???g??w0??w????*??w???w????Ta?]????????P?????????f????????????????????????????????w??f???f?P?????????????????????????A?????x???(AA???????@???A???@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1421691402-1772962490-2775497362-1010\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:77,82,c9,8a,b8,18,96,8f,f6,92,ee,34,c9,1c,b8,a2,d6,86,98,e7,06,20,ea,
b8,f2,e0,43,0e,13,4c,5e,6e,67,98,17,08,a2,62,5a,dd,a7,53,96,ef,d9,94,ca,7b,\
"??"=hex:06,f5,19,08,9a,73,29,74,c0,03,b5,58,b9,6f,b2,e9
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\slserv.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\dllhost.exe
c:\software\HP\Digital Imaging\bin\hpqste08.exe
c:\software\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2009-02-26 16:00:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-27 00:00:03
ComboFix2.txt 2009-02-26 20:23:20
ComboFix3.txt 2009-02-26 20:11:26
ComboFix4.txt 2009-02-26 03:29:23
ComboFix5.txt 2009-02-26 23:44:32

Pre-Run: 3,346,522,112 bytes free
Post-Run: 3,329,314,816 bytes free

267 --- E O F --- 2008-04-21 22:14:28

Kaspersky scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, February 26, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, February 26, 2009 23:24:55
Records in database: 1849955
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 114402
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:21:37


File name / Threat name / Threats count
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090212-154720-583.dll Infected: not-a-virus:AdWare.Win32.BHO.fqc 1

The selected area was scanned.

Answers:

Computer seems to be running a lot better, no weird pauses on startup or freezing up from massive process loads.

#11 mas_pogi

Posted 28 February 2009 - 10:43 AM

Hello jsteacy.

Glad that your computer is doing fine now. :thumbup2:

We will clean some remnants, but don't worry, they are inactive now.
  • Please uninstall the following using the Windows Add/Remove Programs applet in the Control Panel.

    HijackThis 2.0.2

  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck: Hide protected operating system files (recommended) option.
    Click Yes to confirm.

    Delete the files

    Browse to their directories using Windows Explorer and delete them one by one.

    c:\windows\system32\UACxpihqofy.lo_
    c:\windows\system32\uacinit.dl_
    c:\windows\system32\UACwwfpfwkp.da_


Congratulations! You now appear clean! :)

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Uninstall ComboFix
    Remove Combofix now that we're done with it.
    • Click on your Start Menu, then Run....
    • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
    • When shown the disclaimer, Select "2"
    Uninstalling ComboFix will do the following:
    • Delete ComboFix and its components from your computer.
    • Delete other tools commonly used during the malware removal process.
    • Resets clock settings to standard format.
    • Hides file extensions and hidden/system files.
    • Clears System Restore cache and creates new restore point.
  • Please also delete the DDS.scr located at your desktop.
  • Uninstall GMER. Click Start, then Run, and key in
    C:\WINDOWS\gmer_uninstall.cmd
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall

  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.

  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file

  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use, but provide a resident scanner and do not nag if you purchase the paid versions.

  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    Visit the Microsoft Update website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :step4:.
Thank you very much.
Mark
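As an added example (not part of the thread, and not ComboFix's own code), a small Python triage script that parses the two file-listing formats in the ComboFix log above and does by code what the helper did by eye: flag system32 files that follow the uac<random> naming of the three leftovers he asked to delete, and list everything else created within a few minutes of one of them. The sample lines are copied from the log; the naming heuristic and the reading of a trailing "_" in the extension as a renamed (disarmed) file are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample: lines copied from the "new files" and Find3M sections of
# the ComboFix log in this thread, plus three benign lines as controls.
SAMPLE_LOG = r"""
2009-02-14 14:17 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-12 12:12 . 2009-02-16 14:55 82,565 --a------ c:\windows\system32\UACxpihqofy.lo_
2009-02-12 12:12 . 2009-02-12 12:12 5,189 --a------ c:\windows\system32\uacinit.dl_
2009-02-12 12:11 . 2009-02-16 11:25 127 --a------ c:\windows\system32\UACwwfpfwkp.da_
2009-02-12 12:05 . 2009-02-24 11:24 <DIR> d-------- c:\windows\system32\inf
2009-01-31 17:56 . 2007-12-06 15:55 271,704 -ra------ c:\windows\system32\hpzids01.dll
2009-01-27 21:55 81,920 ----a-w c:\windows\ALCFDRTM.EXE
"""

STAMP = "%Y-%m-%d %H:%M"
# "Files created" lines: <created> . <modified> <size|<DIR>> <9 attr chars> <path>
NEW_FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+)|<DIR>) (?P<attrs>[-a-z]{9}) (?P<path>.+)$")
# Find3M lines: <modified> <size|---------> <7 attr chars> <path>, no creation time
FIND3M_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+)|-{9}) (?P<attrs>[-a-z]{7}) (?P<path>.+)$")
# Assumed heuristic (ours, not ComboFix's): the files the helper asked to delete are
# all uac<letters>.<ext> under system32; an extension ending in "_" is taken to be
# a copy already disarmed by renaming.
UAC_NAME_RE = re.compile(r"^uac[a-z0-9]+\.(sys|dll|dat|log|[a-z]{2}_)$", re.I)


@dataclass
class Entry:
    path: str
    modified: datetime
    created: Optional[datetime]  # None for Find3M lines
    size: Optional[int]          # None for directories and "---------"
    attrs: str

    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_combofix(text: str) -> List[Entry]:
    """Parse both file-listing formats; every other line of the log is skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line, created = line.strip(), None
        m = NEW_FILE_RE.match(line)
        if m:
            created = datetime.strptime(m["created"], STAMP)
        else:
            m = FIND3M_RE.match(line)
            if not m:
                continue
        size = int(m["size"].replace(",", "")) if m["size"] else None
        entries.append(Entry(m["path"], datetime.strptime(m["modified"], STAMP),
                             created, size, m["attrs"]))
    return entries


def find_uac_remnants(entries: List[Entry]) -> List[str]:
    """Paths under system32 whose file name matches the uac<random> pattern."""
    hits = [e.path for e in entries
            if "\\system32\\" in e.path.lower() and UAC_NAME_RE.match(e.name())]
    return sorted(hits, key=str.lower)


def created_near(entries: List[Entry], anchor_path: str, minutes: int) -> List[str]:
    """Everything created within +/- minutes of a known-bad file ("what else
    landed at the same time"). Find3M lines have no creation time and are skipped."""
    anchor = next((e for e in entries if e.path.lower() == anchor_path.lower()), None)
    if anchor is None or anchor.created is None:
        return []
    window = timedelta(minutes=minutes)
    return sorted((e.path for e in entries
                   if e.created and abs(e.created - anchor.created) <= window),
                  key=str.lower)
```

Run on the full log, the second check is what surfaces companions that share the rootkit's drop time but not its file name.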

#12 jsteacy (Topic Starter)

Posted 01 March 2009 - 03:23 PM

Everything seems to be working great when I am finally logged into the computer.

I installed zonealarm, MVPs hostfile, and malwarebytes.

I have two issues on starting up and shutting down.
When starting up, first it asks me if I want to start up using the Recovery Console or Windows XP Media Center Edition. This isn't a big deal, but I was hoping there might be a way to fix/hide it so I only see that if I hit F8. The other issue, which is a bit worrisome, is it can take about 2 minutes to get into XP after clicking on my account to log in. I imagine it might be ZoneAlarm starting and other things fighting to load, so I am looking into StartupLite to see if that fixes it.

The shutting down issue I think is related to my HP Digital Imaging Monitor: when shutting down, without fail, the Task Manager lets me know that DeviceIO isn't responding and will be terminated in some amount of seconds, or I can just end task it now. If it is HP doing that, hopefully StartupLite will solve that problem too (unless I need to print something or scan something and turn it on).

Any info on this would be extremely helpful, but in any case thank you for all the hard work guiding me through this to make my computer work again. :thumbup2:

#13 mas_pogi

Posted 02 March 2009 - 04:24 PM

hi.

When starting up, first it asks me if I want to startup using the recovery console or windows xp media center edition. This isn't a big deal but I was hoping there might be a way to fix/hide it so I only see that if I hit f8

We could uninstall it, but I suggest not to. It will be your tool when times get rough and tough. Anyway, if you want to uninstall it you can follow the instructions below. A word of warning: please follow the instructions carefully; if you do it the wrong way, your computer might not boot anymore. :thumbup2:

Read all of the instructions below before you proceed.



Please set your system to show all files and extension.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck: Hide protected operating system files (recommended) option.
Uncheck: Hide extension of known file types option.
Click Yes to confirm.


Uninstalling Recovery Console:

WARNING - Failure to strictly adhere to the above instructions may result in an unbootable machine.

This file must be present - C:\Boot.bak.
It is a backup of the machine's previous Boot.ini. Do not proceed if it's not present

1) Right click on current copy of C:\Boot.ini & select 'Properties'. Then remove the file's 'Read-Only' attribute
2) Rename C:\Boot.ini to C:\Boot.old (Do not delete it)
3) Rename C:\Boot.bak to C:\Boot.ini
4) Right click on the new C:\Boot.ini & select 'Properties'. Then make the file 'Read-Only'
5) Reboot the machine. You will note that the Recovery Console is no longer an option on the Boot Menu
6) Delete the folder - C:\CmdCons
7) Delete C:\Boot.old

After we are done

Please set your system not to show all files and extension.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
check: Hide file extensions for known file types
check: Hide protected operating system files (recommended) option.
check: Hide extension of known file types option.
Click Yes to confirm.

Good luck :)



The other issue, which is a bit worrisome, is it can take about 2 minutes to get into XP after clicking on my account to log in. I imagine it might be ZoneAlarm starting and other things fighting to load, so I am looking into StartupLite to see if that fixes it.

The ZoneAlarm might be the culprit. It has some issues with slowness in startup. You can uninstall it and try another free firewall :step4:

The shutting down issue I think is related to my HP Digital Imaging Monitor: when shutting down, without fail, the Task Manager lets me know that DeviceIO isn't responding and will be terminated in some amount of seconds, or I can just end task it now. If it is HP doing that, hopefully StartupLite will solve that problem too (unless I need to print something or scan something and turn it on).

Hmm.. we could remove it from autostarting.

Go to this folder:
c:\documents and settings\All Users\Start Menu\Programs\Startup

Then delete this file inside that folder:
HP Digital Imaging Monitor.lnk

You can turn it on just when needed.

Let me know in your next reply.


Mark

#14 jsteacy (Topic Starter)

Posted 04 March 2009 - 05:58 PM

I will just keep the Recovery Console installed; I was just hoping there was a nice way to hide it. I would rather have it than not, and it isn't hurting anything to have it take a whole 2 seconds on boot. :thumbup2:

ZoneAlarm seems to be acting a lot better, only a slight lag on startup, which I am used to by now. If it causes any further problems I will try using another firewall, but I am pretty happy with ZoneAlarm right now.

I have removed the startup for HP Digital Imaging Monitor, and it does not have the IODevice issue, unless of course I have it running after using the printer/scanner. It shuts down much smoother now. Thank you very much.

#15 mas_pogi

Posted 05 March 2009 - 05:55 AM

hi.

I will just keep the Recovery Console installed; I was just hoping there was a nice way to hide it. I would rather have it than not, and it isn't hurting anything to have it take a whole 2 seconds on boot. :)


Yes, you can adjust the time for that.

One alternative to removal is to set the timeout value to a very low number - this means Windows boots almost as quickly as if it didn't ask you to choose. This option can be found in

Control Panel>>System>>Advanced tab>>Startup and Recovery settings button. ( in classic view)
Change the "Time to display list of operating systems" to 1 or 2 seconds.

Hope this helps.

If you have other issues, please post them here. If none, please post back so that I can close this thread. :thumbup2:

Mark
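The two alternatives offered above, post #13's Boot.bak swap (which takes the Recovery Console entry out of Boot.ini) and post #15's shorter timeout, as an added example that is not from the thread: a Python parser for the boot.ini format that applies either change to the file text and refuses to drop an entry that is still the default= target, the case post #13 warns would leave the machine unbootable. The sample boot.ini is constructed, since jsteacy's own file is never shown.

```python
import re
from dataclasses import dataclass

# Constructed sample: the thread never shows jsteacy's boot.ini, so this is the
# usual XP layout plus the Recovery Console entry that appeared on the boot menu.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""


@dataclass
class OsEntry:
    target: str    # left of "=": an ARC path, or a boot-sector file such as C:\CMDCONS\BOOTSECT.DAT
    label: str     # quoted menu text
    switches: str  # e.g. "/fastdetect" or "/cmdcons"

ENTRY_RE = re.compile(r'^(?P<target>[^=]+)="(?P<label>[^"]*)"\s*(?P<switches>.*)$')
TIMEOUT_RE = re.compile(r"^([ \t]*timeout[ \t]*=[ \t]*)\d+", re.I | re.M)


def parse_boot_ini(text: str) -> dict:
    """Return {"timeout", "default", "entries"}; comment (;) and blank lines are ignored."""
    info = {"timeout": None, "default": None, "entries": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot loader":
            key, _, value = line.partition("=")
            if key.strip().lower() == "timeout":
                info["timeout"] = int(value)
            elif key.strip().lower() == "default":
                info["default"] = value.strip()
        elif section == "operating systems":
            m = ENTRY_RE.match(line)
            if m:
                info["entries"].append(OsEntry(m["target"].strip(), m["label"], m["switches"].strip()))
    return info


def set_timeout(text: str, seconds: int) -> str:
    """Post #15's fix: change only the timeout= line, leaving every entry untouched."""
    if seconds < 0:
        raise ValueError("timeout must be >= 0")
    new, n = TIMEOUT_RE.subn(lambda m: m.group(1) + str(seconds), text)
    if n != 1:
        raise ValueError("expected exactly one timeout= line, found %d" % n)
    return new


def remove_recovery_console(text: str) -> str:
    """What post #13's Boot.bak swap achieves: drop the /cmdcons entry. Refuses
    when that entry is the default= target, since the machine would then not boot."""
    info = parse_boot_ini(text)
    console = [e for e in info["entries"] if "/cmdcons" in e.switches.lower()]
    if not console:
        return text
    if info["default"] and any(e.target.lower() == info["default"].lower() for e in console):
        raise ValueError("Recovery Console is the default entry; point default= elsewhere first")
    kept = [ln for ln in text.splitlines() if "/cmdcons" not in ln.lower()]
    return "\n".join(kept) + "\n"
```

Either function returns new text; writing it back over C:\Boot.ini (after clearing the read-only attribute, as post #13 describes) is left to the caller on purpose.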



