
Infected with Trojan.Vundo.H / Virtumonde


16 replies to this topic

#1 GabMar883

GabMar883

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:52 AM

Posted 18 February 2009 - 11:52 PM

The programs I have are Malwarebytes', AdAware SE, and NOD32, and they are all up to date (except for AdAware, I believe).
I have no idea where it came from, but I keep coming up with this "Trojan.Vundo.H" virus every time I do a Malwarebytes' scan. NOD32 warned me about it but was not able to get rid of it.
Malwarebytes', on the other hand, tells me it got rid of it, but when I scan again the files still show up as infected.

This is the only message I get from NOD32:

Posted Image


The files that Malwarebytes' finds are the following:

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{517f628b-c5eb-4787-85e3-adbd1e97bd34} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{517f628b-c5eb-4787-85e3-adbd1e97bd34} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\meruyejaso (Trojan.Vundo.H) -> No action taken.


I'm running out of ideas. Please help. :thumbup2:

DDS.txt

DDS (Ver_09-02-01.01) - NTFSx86  
Run by Owner at 23:29:36.75 on Wed 02/18/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.3711.3122 [GMT -5:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netopia\C3kWepN.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdrserv.exe
C:\WINDOWS\system32\lxdrcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?referrer=theme_ign
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com/ig?referrer=theme_ign
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - 
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {517f628b-c5eb-4787-85e3-adbd1e97bd34} - c:\windows\system32\kapigagi.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: {c333cf63-767f-4831-94ac-e683d962c63c} - CoTGT_BHO Class
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {E6AE90A4-1B01-47F0-AA78-E6B122E145E9} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - 
TB: {E7D38ED4-2933-43B8-B0B9-52D11CE9CA10} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [STYLEXP] c:\program files\tgtsoft\stylexp\StyleXP.exe -Hide
mRun: [C2kWep] c:\program files\netopia\C3kWepN.exe
mRun: [<NO NAME>] 
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [meruyejaso] Rundll32.exe "c:\windows\system32\hayaheta.dll",s
dRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
IE: &Search
IE: Add to AMV Convert Tool... - c:\program files\mp3 player utilities 4.00\amvconverter\grab.html
IE: Add to Media Manager... - c:\program files\mp3 player utilities 4.00\mediamanager\grab.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\owner\start menu\programs\>imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
Trusted Zone: gamemakergames.com
Trusted Zone: snafu-comics.com\grim
Trusted Zone: snafu-comics.com\www
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142209616106
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab
DPF: {BC5E698E-77CF-45EF-80A3-090A4B6AAF83} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin8USA.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
TCP: {8532F616-9F31-40CE-BB6F-EF490F0C5751} = 4.2.2.2
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: flballoon - flwzx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: cikszg.dll c:\windows\system32\kahowuhi.dll ejuyhe.dll  
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Notification Packages = scecli c:\windows\system32\kahowuhi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\s034v7jh.default\
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-2-7 15424]
R2 lxdr_device;lxdr_device;c:\windows\system32\lxdrcoms.exe -service --> c:\windows\system32\lxdrcoms.exe -service [?]
R2 lxdrCATSCustConnectService;lxdrCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdrserv.exe [2009-1-22 98984]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2009-2-7 552064]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-11-21 2749224]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-9-25 15656]
S3 DISK_DRIVE32;DISK_DRIVE32;\??\c:\documents and settings\owner\desktop\downloads\ce\disk_1024.sys --> c:\documents and settings\owner\desktop\downloads\ce\disk_1024.sys [?]
S3 npkycryp;npkycryp;\??\c:\nexon\maplestory\npkycryp.sys --> c:\nexon\maplestory\npkycryp.sys [?]
S3 SWLD23U;Netopia 802.11b WLAN USB Adapter;c:\windows\system32\drivers\swld23u.sys --> c:\windows\system32\drivers\SWLD23U.sys [?]
S3 swlubtl;WLAN USB Boot Device;c:\windows\system32\drivers\swlubtl.sys --> c:\windows\system32\drivers\swlubtl.sys [?]
S3 USB200M;Linksys USB 2.0 Network Adapter ver.2;c:\windows\system32\drivers\USB200M2.sys [2006-3-12 18048]
S3 XDva025;XDva025;\??\c:\windows\system32\xdva025.sys --> c:\windows\system32\XDva025.sys [?]
S3 zenx1;zenx1;\??\c:\documents and settings\owner\desktop\ms hack\zenx.sys --> c:\documents and settings\owner\desktop\ms hack\zenx.sys [?]

=============== Created Last 30 ================

2009-02-18 21:47	<DIR>	--d-----	c:\program files\Cobian Backup 8
2009-02-18 21:33	<DIR>	--d-----	c:\program files\Trend Micro
2009-02-18 16:59	<DIR>	--d-----	c:\docume~1\owner\applic~1\SPORE
2009-02-07 20:30	512,096	a-------	c:\windows\system32\drivers\amon.sys
2009-02-07 20:30	298,104	a-------	c:\windows\system32\imon.dll
2009-02-07 20:30	15,424	a-------	c:\windows\system32\drivers\nod32drv.sys
2009-02-02 19:27	<DIR>	--d-----	c:\program files\Hamachi
2009-01-29 15:54	<DIR>	--d-----	c:\program files\ESET
2009-01-22 13:09	<DIR>	--d-----	c:\documents and settings\all users\Lx_cats
2009-01-22 13:07	<DIR>	--d-----	C:\logs
2009-01-22 13:06	40,960	a-------	c:\windows\system32\lxdrvs.dll
2009-01-22 13:06	360,448	a-------	c:\windows\system32\lxdrcoin.dll
2009-01-22 13:06	61,218	a-------	c:\windows\system32\lxdrprpr.chm
2009-01-22 13:06	87,040	ac------	c:\windows\system32\dllcache\wiafbdrv.dll
2009-01-22 13:06	87,040	a-------	c:\windows\system32\wiafbdrv.dll
2009-01-22 13:05	1,036,288	a-------	c:\windows\system32\lxdrdrs.dll
2009-01-22 13:05	81,920	a-------	c:\windows\system32\lxdrcaps.dll
2009-01-22 13:05	69,632	a-------	c:\windows\system32\lxdrcnv4.dll
2009-01-22 13:05	<DIR>	--d-----	c:\program files\Lexmark Toolbar
2009-01-22 13:05	<DIR>	--d-----	c:\program files\Lexmark Printable Web
2009-01-22 13:04	44	a-------	c:\windows\system32\lxdrrwrd.ini
2009-01-22 13:04	17,064	a-------	c:\windows\system32\LXDRwupd.exe
2009-01-22 13:04	352,256	a-------	c:\windows\system32\LXDRwupd.dll
2009-01-22 13:01	<DIR>	--d-----	c:\program files\Lexmark 4900 Series

==================== Find3M  ====================

2009-02-11 10:19	38,496	a-------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19	15,504	a-------	c:\windows\system32\drivers\mbam.sys
2009-02-02 19:27	25,280	a-------	c:\windows\system32\drivers\hamachi.sys
2008-12-20 18:15	826,368	a-------	c:\windows\system32\wininet.dll
2008-11-25 12:31	410,976	a-------	c:\windows\system32\deploytk.dll
2008-09-08 19:01	1,780	ac------	c:\docume~1\owner\applic~1\wklnhst.dat
2007-12-07 16:26	74,960	ac------	c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2006-12-21 13:41	76	a---h---	c:\program files\Desktop.ini
0000-00-00 00:00	72,192	a--sh---	c:\windows\system32\kahowuhi.dll

============= FINISH: 23:30:39.29 ===============





#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:52 AM

Posted 28 February 2009 - 09:08 AM

Hello.

Re-run scan with MalwareBytes Anti-Malware

Your MBAM log shows "No action taken". This usually occurs if you forget to click "Remove Selected" and instead only clicked "Save Logfile". Please read this thread and rescan again, using only the Quick Scan in normal mode, and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. After performing the new scan, click the Logs tab and copy/paste the contents of the new report in your next reply.

Post back with:
-MBAM Scan log
-New DDS logs
-Problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 GabMar883

GabMar883
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:52 AM

Posted 02 March 2009 - 11:36 PM

Sorry for taking so long; the computer keeps giving me problems.
As far as the MBAM log, that's odd, I've been using MBAM for a while and always pressed "Remove Selected Files".

Never mind. That was a quick scan that I made just to get the name of the files MBAM keeps finding. When I do remove the files, and reboot the computer, and perform another MBAM scan, the files are still showing up.

Here's the MBAM log:
Malwarebytes' Anti-Malware 1.34
Database version: 1778
Windows 5.1.2600 Service Pack 2

3/2/2009 11:22:21 PM
mbam-log-2009-03-02 (23-22-21).txt

Scan type: Quick Scan
Objects scanned: 86604
Time elapsed: 10 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{517f628b-c5eb-4787-85e3-adbd1e97bd34} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{517f628b-c5eb-4787-85e3-adbd1e97bd34} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\meruyejaso (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\vimoveta.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

And here are the DDS logs that I got after rebooting the PC:

DDS (Ver_09-02-01.01) - NTFSx86  
Run by Owner at 23:28:33.95 on Mon 03/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.3583.3154 [GMT -5:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Netopia\C3kWepN.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdrserv.exe
C:\WINDOWS\system32\lxdrcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {517f628b-c5eb-4787-85e3-adbd1e97bd34} - c:\windows\system32\kapigagi.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {E6AE90A4-1B01-47F0-AA78-E6B122E145E9} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - 
TB: {E7D38ED4-2933-43B8-B0B9-52D11CE9CA10} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [STYLEXP] c:\program files\tgtsoft\stylexp\StyleXP.exe -Hide
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [C2kWep] c:\program files\netopia\C3kWepN.exe
mRun: [<NO NAME>] 
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [meruyejaso] Rundll32.exe "c:\windows\system32\hayaheta.dll",s
dRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
IE: &Search
IE: Add to AMV Convert Tool... - c:\program files\mp3 player utilities 4.00\amvconverter\grab.html
IE: Add to Media Manager... - c:\program files\mp3 player utilities 4.00\mediamanager\grab.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142209616106
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
TCP: {8532F616-9F31-40CE-BB6F-EF490F0C5751} = 4.2.2.2
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\kahowuhi.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Notification Packages = scecli c:\windows\system32\kahowuhi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\s034v7jh.default\
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-2-7 15424]
R2 lxdr_device;lxdr_device;c:\windows\system32\lxdrcoms.exe -service --> c:\windows\system32\lxdrcoms.exe -service [?]
R2 lxdrCATSCustConnectService;lxdrCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdrserv.exe [2009-1-22 98984]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2009-2-7 552064]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-11-21 2749224]
R3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-2-21 40840]
R3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-2-21 66952]
R3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-2-21 81288]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-9-25 15656]
S3 DISK_DRIVE32;DISK_DRIVE32;\??\c:\documents and settings\owner\desktop\downloads\ce\disk_1024.sys --> c:\documents and settings\owner\desktop\downloads\ce\disk_1024.sys [?]
S3 npkycryp;npkycryp;\??\c:\nexon\maplestory\npkycryp.sys --> c:\nexon\maplestory\npkycryp.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-21 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-2-21 1079176]
S3 SWLD23U;Netopia 802.11b WLAN USB Adapter;c:\windows\system32\drivers\swld23u.sys --> c:\windows\system32\drivers\SWLD23U.sys [?]
S3 swlubtl;WLAN USB Boot Device;c:\windows\system32\drivers\swlubtl.sys --> c:\windows\system32\drivers\swlubtl.sys [?]
S3 USB200M;Linksys USB 2.0 Network Adapter ver.2;c:\windows\system32\drivers\USB200M2.sys [2006-3-12 18048]
S3 XDva025;XDva025;\??\c:\windows\system32\xdva025.sys --> c:\windows\system32\XDva025.sys [?]
S3 zenx1;zenx1;\??\c:\documents and settings\owner\desktop\ms hack\zenx.sys --> c:\documents and settings\owner\desktop\ms hack\zenx.sys [?]

=============== Created Last 30 ================

2009-02-21 20:39	<DIR>	--d-----	c:\program files\common files\EasyInfo
2009-02-21 19:02	<DIR>	--d-----	C:\VundoFix Backups
2009-02-21 18:51	81,288	a-------	c:\windows\system32\drivers\iksyssec.sys
2009-02-21 18:51	66,952	a-------	c:\windows\system32\drivers\iksysflt.sys
2009-02-21 18:51	40,840	a-------	c:\windows\system32\drivers\ikfilesec.sys
2009-02-21 18:51	29,576	a-------	c:\windows\system32\drivers\kcom.sys
2009-02-21 18:51	<DIR>	--d-----	c:\program files\Spyware Doctor
2009-02-21 18:51	<DIR>	--d-----	c:\docume~1\owner\applic~1\PC Tools
2009-02-21 16:38	1,272	a-------	c:\windows\system32\tmp.reg
2009-02-19 23:22	2,713	---sh---	c:\windows\system32\bimaraze.dll
2009-02-18 21:47	<DIR>	--d-----	c:\program files\Cobian Backup 8
2009-02-18 21:33	<DIR>	--d-----	c:\program files\Trend Micro
2009-02-18 16:59	<DIR>	--d-----	c:\docume~1\owner\applic~1\SPORE
2009-02-07 20:30	512,096	a-------	c:\windows\system32\drivers\amon.sys
2009-02-07 20:30	298,104	a-------	c:\windows\system32\imon.dll
2009-02-07 20:30	15,424	a-------	c:\windows\system32\drivers\nod32drv.sys
2009-02-02 19:27	<DIR>	--d-----	c:\program files\Hamachi

==================== Find3M  ====================

2009-02-11 10:19	38,496	a-------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19	15,504	a-------	c:\windows\system32\drivers\mbam.sys
2009-02-02 19:27	25,280	a-------	c:\windows\system32\drivers\hamachi.sys
2008-12-20 18:15	826,368	a-------	c:\windows\system32\wininet.dll
2008-12-12 00:57	78,336	a-------	c:\windows\system32\Agent.OMZ.Fix.exe
2008-09-08 19:01	1,780	ac------	c:\docume~1\owner\applic~1\wklnhst.dat
2007-12-07 16:26	74,960	ac------	c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2006-12-21 13:41	76	a---h---	c:\program files\Desktop.ini
0000-00-00 00:00	72,192	a--sh---	c:\windows\system32\kahowuhi.dll
0000-00-00 00:00	108,544	a--sh---	c:\windows\system32\mopifobi.dll
0000-00-00 00:00	144,384	a--sh---	c:\windows\system32\petageyo.dll
0000-00-00 00:00	104,448	a--sh---	c:\windows\system32\porevujo.dll

============= FINISH: 23:29:11.45 ===============


Edited by GabMar883, 02 March 2009 - 11:39 PM.
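The Find3M entries above with `a--sh---` attributes, `0000-00-00 00:00` timestamps and eight-letter names in system32 are what a responder looks for first in a DDS log. The following Python is an added example, not part of this thread or of the DDS/ComboFix tools: it parses lines in that listing format and scores those indicators. The attribute-letter meanings, the score weights and the sample lines (constructed to mirror the log above) are assumptions of this example.

```python
r"""Triage helper for DDS-style file listings (added example, not code from
BleepingComputer or from the DDS/ComboFix tools).

DDS "Find3M" / "new files" lines look like
    2009-02-21 18:51  81,288  a-------  c:\windows\system32\drivers\iksyssec.sys
i.e. date, time, size (or <DIR>), an attribute string and a path.  Letters
seen in the thread's listing are assumed to mean a=archive, c=compressed,
d=directory, s=system, h=hidden, with '-' for a clear flag; only the letters
present matter here, not their column positions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[a-z-]+)\s+(?P<path>.+)$"
)
# Crude "eight random lowercase letters" test for Vundo-style names such as
# kahowuhi.dll.  Weak on its own (browseui.dll also matches), so it only
# contributes a small weight.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")
FLAG_THRESHOLD = 2  # assumed weight at which an entry is reported


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]          # None for <DIR>
    attrs: Set[str]
    path: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Optional[Entry]:
    """Parse one listing line; headers, blanks and separators give None."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
    attrs = {c for c in m["attrs"] if c != "-"}
    return Entry(m["date"], m["time"], size, attrs, m["path"])


def triage(entry: Entry) -> Entry:
    """Attach weighted reasons why this entry deserves an analyst's look."""
    path = entry.path.lower()
    in_system32 = "\\windows\\system32\\" in path and "\\drivers\\" not in path
    is_dll = entry.name.endswith(".dll")

    def hit(weight: int, why: str) -> None:
        entry.score += weight
        entry.reasons.append(why)

    # A timestamp DDS could not read at all is unusual for shipped files.
    if entry.date == "0000-00-00":
        hit(2, "zeroed timestamp")
    # Hidden + system on a DLL dropped straight into system32 is the
    # pattern the thread's Vundo components show (a--sh---).
    if in_system32 and is_dll and {"s", "h"} <= entry.attrs:
        hit(2, "hidden+system DLL in system32")
    if in_system32 and RANDOM_NAME_RE.match(entry.name):
        hit(1, "random-looking 8-letter DLL name")
    return entry


def flag_suspicious(lines: List[str]) -> List[Entry]:
    """Return entries scoring at or above FLAG_THRESHOLD, in log order."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and triage(entry).score >= FLAG_THRESHOLD:
            flagged.append(entry)
    return flagged


# Constructed sample in DDS format, modelled on the thread's listing.
SAMPLE_LOG = [
    "==================== Find3M  ====================",
    "2009-02-21 20:39\t<DIR>\t--d-----\tc:\\program files\\common files\\EasyInfo",
    "2009-02-21 18:51\t81,288\ta-------\tc:\\windows\\system32\\drivers\\iksyssec.sys",
    "2009-02-19 23:22\t2,713\t---sh---\tc:\\windows\\system32\\bimaraze.dll",
    "2008-12-20 18:15\t826,368\ta-------\tc:\\windows\\system32\\wininet.dll",
    "2006-12-21 13:41\t76\ta---h---\tc:\\program files\\Desktop.ini",
    "0000-00-00 00:00\t72,192\ta--sh---\tc:\\windows\\system32\\kahowuhi.dll",
]

if __name__ == "__main__":
    for e in flag_suspicious(SAMPLE_LOG):
        print(f"{e.score}  {e.path}  <- {'; '.join(e.reasons)}")
```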


#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:11:52 AM

Posted 03 March 2009 - 01:08 PM

Hello.

It seems those vundos are still there.. :thumbup2:

Let's start off with Combofix then.

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
Important! Please do not select the Show all checkbox during the scan.

Post back with:
-Combofix log
-GMER log
-New Hijackthis log
-Description of any problem you still have


With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#5 GabMar883

GabMar883
  • Topic Starter

  • Members
  • 8 posts
  • Local time:10:52 AM

Posted 03 March 2009 - 05:02 PM

Okay, when I ran ComboFix it told me that NOD32av was running. However, it was not on the task bar, so I tried to see if a process of it was still running using the Task Manager, but it was not. I clicked OK to continue the scan, but it warned me again that NOD32av was running. At this point I opened up the "Add or Remove Programs" window and uninstalled NOD32av.

This is the log:
ComboFix 09-03-02.03 - Owner 2009-03-03 16:13:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3583.3127 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Outdated)
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\temp\fCOe
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\aimsmx.dll
c:\windows\system32\aosmx.dll
c:\windows\system32\asubinov.ini
c:\windows\system32\busuhepi.dll
c:\windows\system32\dumphive.exe
c:\windows\system32\fayabopi.dll
c:\windows\system32\fdecarew.dll
c:\windows\system32\fetokuze.dll
c:\windows\system32\fupipivo.dll
c:\windows\system32\gtalsmx.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\jivuvomo.dll
c:\windows\system32\kahowuhi.dll
c:\windows\system32\mopifobi.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\oTt09e
c:\windows\system32\ovipipuf.ini
c:\windows\system32\petageyo.dll
c:\windows\system32\porevujo.dll
c:\windows\system32\Process.exe
c:\windows\system32\qdviewfe.dll
c:\windows\system32\raswenrt.dll
c:\windows\system32\rhqmdk.dll
c:\windows\system32\smtsmxpfx.dll
c:\windows\system32\spmsmtsmxpfx.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\srvswc2.dll
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\vonibusa.dll
c:\windows\system32\WS2Fix.exe
c:\windows\system32\ymsgsmx.dll
c:\windows\system32\zhikxa.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.205
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_TDSSserv


((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))
.

2009-02-21 20:39 . 2009-02-21 20:39 <DIR> d-------- c:\program files\Common Files\EasyInfo
2009-02-21 19:02 . 2009-02-21 19:02 <DIR> d-------- C:\VundoFix Backups
2009-02-21 18:51 . 2009-03-03 00:00 <DIR> d-------- c:\program files\Spyware Doctor
2009-02-21 18:51 . 2009-02-21 18:51 <DIR> d-------- c:\documents and settings\Owner\Application Data\PC Tools
2009-02-21 18:51 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-02-21 18:51 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-02-21 18:51 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-02-21 18:51 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-02-19 23:22 . 2009-02-19 23:22 2,713 ---hs---- c:\windows\system32\bimaraze.dll
2009-02-18 21:47 . 2009-02-18 21:47 <DIR> d-------- c:\program files\Cobian Backup 8
2009-02-18 21:33 . 2009-02-18 21:33 <DIR> d-------- c:\program files\Trend Micro
2009-02-18 16:59 . 2009-02-18 16:59 <DIR> d-------- c:\documents and settings\Owner\Application Data\SPORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-03 21:20 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-03 21:19 --------- d-----w c:\documents and settings\Owner\Application Data\WTablet
2009-03-03 21:17 --------- d-----w c:\program files\ESET
2009-03-03 21:17 --------- d-----w c:\documents and settings\LocalService\Application Data\WTablet
2009-02-22 01:19 --------- d-----w c:\program files\EA GAMES
2009-02-22 00:00 --------- d-----w c:\documents and settings\Owner\Application Data\FileZilla
2009-02-19 00:03 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-18 21:59 --------- d-----w c:\program files\Electronic Arts
2009-02-12 03:53 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 04:15 --------- d-----w c:\documents and settings\Owner\Application Data\U3
2009-02-08 01:42 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-07 23:23 --------- d-----w c:\documents and settings\Owner\Application Data\Hamachi
2009-02-03 00:27 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys
2009-02-03 00:27 --------- d-----w c:\program files\Hamachi
2009-01-30 00:25 --------- d-----w c:\program files\Real
2009-01-30 00:25 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-30 00:24 --------- d-----w c:\program files\Common Files\Real
2009-01-29 22:00 --------- d-----w c:\program files\McAfee
2009-01-29 22:00 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-01-28 03:29 --------- d-----w c:\program files\CCleaner
2009-01-22 18:07 --------- d-----w c:\program files\Lexmark 4900 Series
2009-01-22 18:05 --------- d-----w c:\program files\Lexmark Toolbar
2009-01-22 18:05 --------- d-----w c:\program files\Lexmark Printable Web
2009-01-17 07:04 --------- d-----w c:\program files\AdobeCS4
2009-01-10 19:06 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-01-10 06:08 --------- d-----w c:\documents and settings\Owner\Application Data\SiteAdvisor
2009-01-03 02:11 --------- d-----w c:\program files\Nexon
2008-09-09 00:01 1,780 -c--a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2007-12-07 21:26 74,960 -c--a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-12-21 18:41 76 ---ha-w c:\program files\Desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C2kWep"="c:\program files\Netopia\C3kWepN.exe" [2004-03-24 233472]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=c:\windows\pss\Stardock ObjectDock.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mainpc

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 09:35 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mainpc\EPSON Stylus CX9400Fax Series]
--a------ 2007-03-23 05:00 182272 c:\windows\system32\spool\drivers\w32x86\3\E_FATICFA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1142654719\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1142654719\\ee\\aim6.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Age Of Empires\\age2_x1.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\WINDOWS\\system32\\lxdrcoms.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Stardock\\ObjectDock\\ObjectDock.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"48170:TCP"= 48170:TCP:127.0.0.1
"54474:UDP"= 54474:UDP:127.0.0.1
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 lxdr_device;lxdr_device;c:\windows\system32\lxdrcoms.exe -service --> c:\windows\system32\lxdrcoms.exe -service [?]
R2 lxdrCATSCustConnectService;lxdrCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdrserv.exe [2009-01-22 98984]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-11-21 2749224]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-09-25 15656]
S3 DISK_DRIVE32;DISK_DRIVE32;\??\c:\documents and settings\Owner\Desktop\Downloads\ce\disk_1024.sys --> c:\documents and settings\Owner\Desktop\Downloads\ce\disk_1024.sys [?]
S3 npkycryp;npkycryp;\??\c:\nexon\MapleStory\npkycryp.sys --> c:\nexon\MapleStory\npkycryp.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-21 356920]
S3 SWLD23U;Netopia 802.11b WLAN USB Adapter;c:\windows\system32\DRIVERS\SWLD23U.sys --> c:\windows\system32\DRIVERS\SWLD23U.sys [?]
S3 swlubtl;WLAN USB Boot Device;c:\windows\system32\Drivers\swlubtl.sys --> c:\windows\system32\Drivers\swlubtl.sys [?]
S3 USB200M;Linksys USB 2.0 Network Adapter ver.2;c:\windows\system32\drivers\USB200M2.sys [2006-03-12 18048]
S3 XDva025;XDva025;\??\c:\windows\system32\XDva025.sys --> c:\windows\system32\XDva025.sys [?]
S3 zenx1;zenx1;\??\c:\documents and settings\Owner\Desktop\MS HACK\zenx.sys --> c:\documents and settings\Owner\Desktop\MS HACK\zenx.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10cd5682-d112-11dc-9c54-00121769e996}]
\Shell\AutoRun\command - wd_windows_tools\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13eb67f2-f621-11dd-9e56-00121769e996}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e735672e-8350-11dd-9d7f-00121769e996}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

BHO-{3ef5e9ea-17b4-4f8d-9c39-1307f7e849de} - c:\windows\system32\rhqmdk.dll
BHO-{517f628b-c5eb-4787-85e3-adbd1e97bd34} - c:\windows\system32\kapigagi.dll
WebBrowser-{E6AE90A4-1B01-47F0-AA78-E6B122E145E9} - (no file)
HKLM-Run-meruyejaso - c:\windows\system32\hayaheta.dll
HKU-Default-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-meruyejaso - c:\windows\system32\hayaheta.dll


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Search
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.00\MediaManager\grab.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {8532F616-9F31-40CE-BB6F-EF490F0C5751} = 4.2.2.2
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\s034v7jh.default\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-03 16:19:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-1677128483-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:65,12,d5,e0,76,81,a2,5d,12,29,20,08,a2,31,8e,fa,5e,0d,82,fe,c7,
af,64,bc,b4,92,a9,e5,0e,c7,8e,11,f5,f6,67,b0,e9,fa,4f,50,fc,19,a8,20,b2,63,\
"rkeysecu"=hex:35,d5,d1,f8,1f,02,c3,f1,00,38,d6,e1,00,10,09,53
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdrcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\pctspk.exe
c:\program files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
c:\windows\system32\WTablet\Wacom_TabletUser.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-03 16:27:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-03 21:27:41

Pre-Run: 35,888,828,416 bytes free
Post-Run: 35,950,370,816 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

261 --- E O F --- 2009-02-12 03:54:58



This is the GMER log:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-03-03 16:54:31
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT spfa.sys ZwCreateKey [0xF74D70E0]
SSDT spfa.sys ZwEnumerateKey [0xF74F5CA2]
SSDT spfa.sys ZwEnumerateValueKey [0xF74F6030]
SSDT spfa.sys ZwOpenKey [0xF74D70C0]
SSDT spfa.sys ZwQueryKey [0xF74F6108]
SSDT spfa.sys ZwQueryValueKey [0xF74F5F88]
SSDT spfa.sys ZwSetValueKey [0xF74F619A]

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B678316D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B6782FC2
INT 0x62 ? 8AF58BF8
INT 0x73 ? 8AE1ABF8
INT 0x73 ? 8AE1ABF8
INT 0x82 ? 8AF58BF8
INT 0x83 ? 8AF58BF8
INT 0x83 ? 8AF58BF8
INT 0x83 ? 8AE1ABF8
INT 0x83 ? 8AF58BF8
INT 0xA4 ? 8AE1ABF8
INT 0xB4 ? 8AE1ABF8

---- Kernel code sections - GMER 1.0.14 ----

? spfa.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B8F9A62C 5 Bytes JMP 8AE1A1D8
.text at4xjkb8.SYS B8E4F386 35 Bytes [ 00, 00, 00, 00, 00, 00, 20, ... ]
.text at4xjkb8.SYS B8E4F3AA 24 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text at4xjkb8.SYS B8E4F3C4 3 Bytes [ 00, 70, 02 ]
.text at4xjkb8.SYS B8E4F3C9 1 Byte [ 2E ]
.text at4xjkb8.SYS B8E4F3CB 9 Bytes [ 00, 00, 5C, 02, 00, 00, 00, ... ]
.text ...

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8AF5A2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7508C4C] spfa.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7508CA0] spfa.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74D8040] spfa.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74D813C] spfa.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74D80BE] spfa.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74D87FC] spfa.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74D86D2] spfa.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8AE1A2D8
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74E8048] spfa.sys
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!RtlInitUnicodeString] 0975013E
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!swprintf] 1B42E853
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!KeSetEvent] C4830000
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoCreateSymbolicLink] B05E5F04
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoGetConfigurationInformation] E58B5B01
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] CCCCC35D
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!MmFreeMappingAddress] CCCCCCCC
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 53EC8B55
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 08758B56
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!MmUnmapIoSpace] 0214BE83
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 57000000
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IofCompleteRequest] 45C60674
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 1EEB010B
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IofCallDriver] 020C868B
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!MmAllocateMappingAddress] C0850000
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 808A1074
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoConnectInterrupt] 00000804
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoDetachDevice] A03CF024
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!KeWaitForSingleObject] 0B45950F
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!KeInitializeEvent] 45C604EB
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 458A000B
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!RtlInitAnsiString] 88C0840B
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 840F0946
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoQueueWorkItem] 000000C1
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!MmMapIoSpace] 14B30E8B
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 1C8286C6
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoReportDetectedDevice] 88010000
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoReportResourceForDetection] 001C859E
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] A19E8800
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!NlsMbCodePageTag] C600001C
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!PoRequestPowerIrp] 001C8686
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 86C60100
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 00001CA2
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!sprintf] 70518B01
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 8D52006A
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!ObfDereferenceObject] 001C8886
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 55E85000
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 8B000023
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!ZwClose] 70518B0E
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] 8D52016A
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] 001CA486
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 41E85000
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!PoStartNextPowerIrp] 8B000023
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!PoCallDriver] 18C4830E
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoCreateDevice] 1C8D9E88
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 9E880000
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 00001CA9
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!ZwOpenKey] 0E798366
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 74AAB000
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoStartTimer] 8186C636
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!KeInitializeTimer] 1A00001C
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoInitializeTimer] 1C8386C6
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!KeInitializeDpc] C6020000
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!KeInitializeSpinLock] 001C8E86
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoInitializeIrp] 86C60200
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!ZwCreateKey] 00001CAA
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 959E8802
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 8800001C
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!ZwSetValueKey] 001CB19E
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!KeInsertQueueDpc] 96868800
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 8800001C
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoStartPacket] 001CB286
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] C61AEB00
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 001C8186
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoFreeMdl] 86C61200
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!MmUnlockPages] 00001C83
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 8E868801
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 8800001C
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 001CAA86
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 80968B00
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!KeSynchronizeExecution] 8900001C
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoStartNextPacket] 001C9C96
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!KeBugCheckEx] C6168B00
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 001CB986
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!KeSetTimer] 428A0A00
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!KeCancelTimer] BA86880C
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!_allmul] 8B00001C
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!MmProbeAndLockPages] 24A48DFA
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!_except_handler3] 00000000
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!PoSetPowerState] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 8D3F0304
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!RtlWriteRegistryValue] CB033043
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!_aulldiv] 0673C13B
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!strstr] C13B0003
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!_strupr] 8366FA72
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!KeQuerySystemTime] 75000E7B
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 0B7D80E3
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!KeTickCount] 307B8D00
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 00AA840F
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoDeleteDevice] 83660000
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 6A000E7A
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoAllocateWorkItem] C6647400
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoAllocateIrp] 001CBB86
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoAllocateMdl] 4F8B0200
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 968D5140
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!MmLockPagableDataSection] 00001C90
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 2266E852
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 478B0000
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!ExFreePoolWithTag] 50016A40
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoFreeIrp] 1CAC8E8D
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!IoFreeWorkItem] E8510000
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!InitSafeBootMode] 00002254
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!RtlCompareMemory] 6A18538B
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 868D5200
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!memmove] 00001C98
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[ntoskrnl.exe!MmHighestUserAddress] 2242E850
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[HAL.dll!KfAcquireSpinLock] 8A000002
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[HAL.dll!READ_PORT_UCHAR] 83880846
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[HAL.dll!KeGetCurrentIrql] 000001C0
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[HAL.dll!KfRaiseIrql] 2C4EB70F
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[HAL.dll!KfLowerIrql] 8303C183
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[HAL.dll!HalGetInterruptVector] D103FCE1
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[HAL.dll!HalTranslateBusAddress] 2E7E8366
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[HAL.dll!KeStallExecutionProcessor] 8D1C7400
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[HAL.dll!KfReleaseSpinLock] 83893204
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00000218
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[HAL.dll!READ_PORT_USHORT] 2E4EB70F
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 021C8B89
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[HAL.dll!WRITE_PORT_UCHAR] B70F0000
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[WMILIB.SYS!WmiSystemControl] 03D00304
IAT \SystemRoot\System32\Drivers\at4xjkb8.SYS[WMILIB.SYS!WmiCompleteRequest] 0CB389F2

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8AF571F8
Device \FileSystem\Fastfat \FatCdrom 8ABF2360
Device \Driver\usbuhci \Device\USBPDO-0 8ADF81F8
Device \Driver\usbuhci \Device\USBPDO-1 8ADF81F8
Device \Driver\usbuhci \Device\USBPDO-2 8ADF81F8
Device \Driver\usbuhci \Device\USBPDO-3 8ADF81F8
Device \Driver\usbehci \Device\USBPDO-4 8ADBE1F8
Device \Driver\PCI_PNP6636 \Device\00000056 spfa.sys
Device \Driver\PCI_PNP6636 \Device\00000056 spfa.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AFC81F8
Device \Driver\Cdrom \Device\CdRom0 8ADAD1F8
Device \Driver\Cdrom \Device\CdRom1 8ADAD1F8
Device \Driver\atapi \Device\Ide\IdePort0 8AF581F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8AF581F8
Device \Driver\atapi \Device\Ide\IdePort1 8AF581F8
Device \Driver\atapi \Device\Ide\IdePort2 8AF581F8
Device \Driver\atapi \Device\Ide\IdePort3 8AF581F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-12 8AF581F8
Device \Driver\sptd \Device\3151775386 spfa.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{28259509-ABE9-4387-8531-03FD250EC757} 8AAAF1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8AAAF1F8
Device \Driver\NetBT \Device\NetbiosSmb 8AAAF1F8
Device \Driver\usbuhci \Device\USBFDO-0 8ADF81F8
Device \Driver\usbuhci \Device\USBFDO-1 8ADF81F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8AA841F8
Device \Driver\usbuhci \Device\USBFDO-2 8ADF81F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8AA841F8
Device \Driver\usbuhci \Device\USBFDO-3 8ADF81F8
Device \Driver\usbehci \Device\USBFDO-4 8ADBE1F8
Device \Driver\Ftdisk \Device\FtControl 8AFC81F8
Device \Driver\at4xjkb8 \Device\Scsi\at4xjkb81Port4Path0Target0Lun0 8AD6F1F8
Device \Driver\at4xjkb8 \Device\Scsi\at4xjkb81 8AD6F1F8
Device \FileSystem\Fastfat \Fat 8ABF2360
Device \FileSystem\Cdfs \Cdfs 8AA6A500

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -422033861
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -877954284
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x99 0xAF 0xC2 0x39 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x8F 0x6E 0x98 0xF9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFC 0x2D 0x95 0x70 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x99 0xAF 0xC2 0x39 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x8F 0x6E 0x98 0xF9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFC 0x2D 0x95 0x70 ...

---- EOF - GMER 1.0.14 ----


This is the Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:00:50, on 3/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdrserv.exe
C:\WINDOWS\system32\lxdrcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Netopia\C3kWepN.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [C2kWep] C:\Program Files\Netopia\C3kWepN.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-21-117609710-1677128483-725345543-501\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Guest')
O4 - HKUS\S-1-5-21-117609710-1677128483-725345543-501\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Guest')
O4 - HKUS\S-1-5-21-117609710-1677128483-725345543-501\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp (User 'Guest')
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1142209616106
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8532F616-9F31-40CE-BB6F-EF490F0C5751}: NameServer = 4.2.2.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxdrCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdrserv.exe
O23 - Service: lxdr_device - - C:\WINDOWS\system32\lxdrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 8287 bytes

Thank you so much for all your help :thumbup2:

Edited by extremeboy, 03 March 2009 - 05:14 PM.


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:52 AM

Posted 03 March 2009 - 05:23 PM

Hello.

That looks better. Combofix removed the Rootkit! :thumbup2:

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you want to continue do the steps below:

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    File::
    c:\windows\system32\XDva025.sys 
    c:\windows\system32\bimaraze.dll
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000000
    Drivers::
    XDva025
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with:
-Combofix log
-Kaspersky log
-New Hijackthis log
-How's your computer running?


Edit: Next time, don't post the logs with , just copy and paste the logs. If you want to help me put bold and big headings :)

With Regards,
Extremeboy

Edited by extremeboy, 03 March 2009 - 05:24 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#7 GabMar883

GabMar883
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:52 AM

Posted 04 March 2009 - 01:15 AM

Don't want to yell "Victory" yet, but here are the logs.

COMBOFIX LOG

ComboFix 09-03-02.03 - Owner 2009-03-03 22:26:17.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.3583.3192 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
c:\windows\system32\bimaraze.dll
c:\windows\system32\XDva025.sys
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bimaraze.dll

.
(((((((((((((((((((((((((   Files Created from 2009-02-04 to 2009-03-04  )))))))))))))))))))))))))))))))
.

2009-03-03 16:31 . 2009-03-03 16:41	345	--a------	c:\windows\gmer.ini
2009-02-21 20:39 . 2009-02-21 20:39	<DIR>	d--------	c:\program files\Common Files\EasyInfo
2009-02-21 19:02 . 2009-02-21 19:02	<DIR>	d--------	C:\VundoFix Backups
2009-02-21 18:51 . 2009-03-03 00:00	<DIR>	d--------	c:\program files\Spyware Doctor
2009-02-21 18:51 . 2009-02-21 18:51	<DIR>	d--------	c:\documents and settings\Owner\Application Data\PC Tools
2009-02-21 18:51 . 2008-08-25 12:36	81,288	--a------	c:\windows\system32\drivers\iksyssec.sys
2009-02-21 18:51 . 2008-08-25 12:36	66,952	--a------	c:\windows\system32\drivers\iksysflt.sys
2009-02-21 18:51 . 2008-08-25 12:36	40,840	--a------	c:\windows\system32\drivers\ikfilesec.sys
2009-02-21 18:51 . 2008-06-02 16:19	29,576	--a------	c:\windows\system32\drivers\kcom.sys
2009-02-18 21:47 . 2009-02-18 21:47	<DIR>	d--------	c:\program files\Cobian Backup 8
2009-02-18 21:33 . 2009-02-18 21:33	<DIR>	d--------	c:\program files\Trend Micro
2009-02-18 16:59 . 2009-02-18 16:59	<DIR>	d--------	c:\documents and settings\Owner\Application Data\SPORE

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-04 03:25	---------	d---a-w	c:\documents and settings\All Users\Application Data\TEMP
2009-03-04 03:17	---------	d-----w	c:\documents and settings\Owner\Application Data\WTablet
2009-03-04 03:17	---------	d-----w	c:\documents and settings\LocalService\Application Data\WTablet
2009-03-03 21:17	---------	d-----w	c:\program files\ESET
2009-02-22 01:19	---------	d-----w	c:\program files\EA GAMES
2009-02-22 00:00	---------	d-----w	c:\documents and settings\Owner\Application Data\FileZilla
2009-02-19 00:03	---------	d-----w	c:\program files\Malwarebytes' Anti-Malware
2009-02-18 21:59	---------	d-----w	c:\program files\Electronic Arts
2009-02-12 03:53	---------	d-----w	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-11 15:19	38,496	----a-w	c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19	15,504	----a-w	c:\windows\system32\drivers\mbam.sys
2009-02-10 04:15	---------	d-----w	c:\documents and settings\Owner\Application Data\U3
2009-02-08 01:42	---------	d--h--w	c:\program files\InstallShield Installation Information
2009-02-07 23:23	---------	d-----w	c:\documents and settings\Owner\Application Data\Hamachi
2009-02-03 00:27	25,280	----a-w	c:\windows\system32\drivers\hamachi.sys
2009-02-03 00:27	---------	d-----w	c:\program files\Hamachi
2009-01-30 00:25	---------	d-----w	c:\program files\Real
2009-01-30 00:25	---------	d-----w	c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-30 00:24	---------	d-----w	c:\program files\Common Files\Real
2009-01-29 22:00	---------	d-----w	c:\program files\McAfee
2009-01-29 22:00	---------	d-----w	c:\documents and settings\All Users\Application Data\McAfee
2009-01-28 03:29	---------	d-----w	c:\program files\CCleaner
2009-01-22 18:07	---------	d-----w	c:\program files\Lexmark 4900 Series
2009-01-22 18:05	---------	d-----w	c:\program files\Lexmark Toolbar
2009-01-22 18:05	---------	d-----w	c:\program files\Lexmark Printable Web
2009-01-17 07:04	---------	d-----w	c:\program files\AdobeCS4
2009-01-10 19:06	---------	d-----w	c:\documents and settings\LocalService\Application Data\SACore
2009-01-10 06:08	---------	d-----w	c:\documents and settings\Owner\Application Data\SiteAdvisor
2008-12-20 23:15	826,368	----a-w	c:\windows\system32\wininet.dll
2008-09-09 00:01	1,780	-c--a-w	c:\documents and settings\Owner\Application Data\wklnhst.dat
2007-12-07 21:26	74,960	-c--a-w	c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-12-21 18:41	76	---ha-w	c:\program files\Desktop.ini
.

(((((((((((((((((((((((((((((   SnapShot@2009-03-03_16.26.50.31   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-03 21:31:53	884,736	----a-w	c:\windows\gmer.dll
+ 2008-04-18 02:13:02	811,008	----a-w	c:\windows\gmer.exe
+ 2009-03-03 21:31:53	85,969	----a-w	c:\windows\system32\drivers\gmer.sys
+ 2009-03-04 03:17:15	16,384	----atw	c:\windows\Temp\Perflib_Perfdata_444.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C2kWep"="c:\program files\Netopia\C3kWepN.exe" [2004-03-24 233472]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=c:\windows\pss\Stardock ObjectDock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 09:35 94208 c:\windows\system32\igfxtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1142654719\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1142654719\\ee\\aim6.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Age Of Empires\\age2_x1.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\WINDOWS\\system32\\lxdrcoms.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Stardock\\ObjectDock\\ObjectDock.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"48170:TCP"= 48170:TCP:127.0.0.1
"54474:UDP"= 54474:UDP:127.0.0.1
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 lxdr_device;lxdr_device;c:\windows\system32\lxdrcoms.exe -service --> c:\windows\system32\lxdrcoms.exe -service [?]
R2 lxdrCATSCustConnectService;lxdrCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdrserv.exe [2009-01-22 98984]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-11-21 2749224]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-09-25 15656]
S3 DISK_DRIVE32;DISK_DRIVE32;\??\c:\documents and settings\Owner\Desktop\Downloads\ce\disk_1024.sys --> c:\documents and settings\Owner\Desktop\Downloads\ce\disk_1024.sys [?]
S3 npkycryp;npkycryp;\??\c:\nexon\MapleStory\npkycryp.sys --> c:\nexon\MapleStory\npkycryp.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-21 356920]
S3 SWLD23U;Netopia 802.11b WLAN USB Adapter;c:\windows\system32\DRIVERS\SWLD23U.sys --> c:\windows\system32\DRIVERS\SWLD23U.sys [?]
S3 swlubtl;WLAN USB Boot Device;c:\windows\system32\Drivers\swlubtl.sys --> c:\windows\system32\Drivers\swlubtl.sys [?]
S3 USB200M;Linksys USB 2.0 Network Adapter ver.2;c:\windows\system32\drivers\USB200M2.sys [2006-03-12 18048]
S3 XDva025;XDva025;\??\c:\windows\system32\XDva025.sys --> c:\windows\system32\XDva025.sys [?]
S3 zenx1;zenx1;\??\c:\documents and settings\Owner\Desktop\MS HACK\zenx.sys --> c:\documents and settings\Owner\Desktop\MS HACK\zenx.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10cd5682-d112-11dc-9c54-00121769e996}]
\Shell\AutoRun\command - wd_windows_tools\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13eb67f2-f621-11dd-9e56-00121769e996}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e735672e-8350-11dd-9d7f-00121769e996}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Search
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.00\MediaManager\grab.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {8532F616-9F31-40CE-BB6F-EF490F0C5751} = 4.2.2.2
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\s034v7jh.default\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-03 22:30:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-1677128483-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:65,12,d5,e0,76,81,a2,5d,12,29,20,08,a2,31,8e,fa,5e,0d,82,fe,c7,
   af,64,bc,b4,92,a9,e5,0e,c7,8e,11,f5,f6,67,b0,e9,fa,4f,50,fc,19,a8,20,b2,63,\
"rkeysecu"=hex:35,d5,d1,f8,1f,02,c3,f1,00,38,d6,e1,00,10,09,53
.
Completion time: 2009-03-03 22:33:10
ComboFix-quarantined-files.txt  2009-03-04 03:32:41
ComboFix2.txt  2009-03-03 21:27:46

Pre-Run: 35,948,453,888 bytes free
Post-Run: 35,932,532,736 bytes free

190	--- E O F ---	2009-02-12 03:54:58

I accidentally saved the Kaspersky Log as an HTML, so here's a screen shot of that... :thumbup2:

And then there's the HijackThis Log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:07:55, on 3/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdrserv.exe
C:\WINDOWS\system32\lxdrcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [C2kWep] C:\Program Files\Netopia\C3kWepN.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-21-117609710-1677128483-725345543-501\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Guest')
O4 - HKUS\S-1-5-21-117609710-1677128483-725345543-501\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Guest')
O4 - HKUS\S-1-5-21-117609710-1677128483-725345543-501\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp (User 'Guest')
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142209616106
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8532F616-9F31-40CE-BB6F-EF490F0C5751}: NameServer = 4.2.2.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxdrCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdrserv.exe
O23 - Service: lxdr_device -   - C:\WINDOWS\system32\lxdrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 8132 bytes

Thank you so much for your help, by the way. The computer already shows signs of getting better.
For one, the "missing file" errors I was getting at start-up have disappeared. The time it takes for the computer to start up has also greatly decreased.

Thanks again for your help :D

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:52 AM

Posted 04 March 2009 - 07:50 AM

Hello.

Yes, that does look better. Please update your Windows and let me know how it goes.

Update Windows Installation

Your Microsoft Windows installation is out of date.
Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
Go here to check for & install updates to Microsoft applications.

Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

Were there any problems while doing any of the updates? If there were any, please specify in your next reply.

Post back with:
-New DDS logs

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 GabMar883

GabMar883
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:52 AM

Posted 04 March 2009 - 08:46 AM

Whoopee! :thumbup2:


Thank you so much, this place is the greatest! :D
I just finished fully updating windows. Here's the new DDS log:

DDS (Ver_09-02-01.01) - NTFSx86  
Run by Owner at  9:14:06.42 on Wed 03/04/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.3583.3099 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdrserv.exe
C:\WINDOWS\system32\lxdrcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Netopia\C3kWepN.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - 
TB: {E7D38ED4-2933-43B8-B0B9-52D11CE9CA10} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [STYLEXP] c:\program files\tgtsoft\stylexp\StyleXP.exe -Hide
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [C2kWep] c:\program files\netopia\C3kWepN.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
IE: &Search
IE: Add to AMV Convert Tool... - c:\program files\mp3 player utilities 4.00\amvconverter\grab.html
IE: Add to Media Manager... - c:\program files\mp3 player utilities 4.00\mediamanager\grab.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142209616106
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
TCP: {8532F616-9F31-40CE-BB6F-EF490F0C5751} = 4.2.2.2
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\s034v7jh.default\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R2 lxdr_device;lxdr_device;c:\windows\system32\lxdrcoms.exe -service --> c:\windows\system32\lxdrcoms.exe -service [?]
R2 lxdrCATSCustConnectService;lxdrCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdrserv.exe [2009-1-22 98984]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-11-21 2749224]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-9-25 15656]
S3 DISK_DRIVE32;DISK_DRIVE32;\??\c:\documents and settings\owner\desktop\downloads\ce\disk_1024.sys --> c:\documents and settings\owner\desktop\downloads\ce\disk_1024.sys [?]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-2-21 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-2-21 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-2-21 81288]
S3 npkycryp;npkycryp;\??\c:\nexon\maplestory\npkycryp.sys --> c:\nexon\maplestory\npkycryp.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-21 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-2-21 1079176]
S3 SWLD23U;Netopia 802.11b WLAN USB Adapter;c:\windows\system32\drivers\swld23u.sys --> c:\windows\system32\drivers\SWLD23U.sys [?]
S3 swlubtl;WLAN USB Boot Device;c:\windows\system32\drivers\swlubtl.sys --> c:\windows\system32\drivers\swlubtl.sys [?]
S3 USB200M;Linksys USB 2.0 Network Adapter ver.2;c:\windows\system32\drivers\USB200M2.sys [2006-3-12 18048]
S3 XDva025;XDva025;\??\c:\windows\system32\xdva025.sys --> c:\windows\system32\XDva025.sys [?]
S3 zenx1;zenx1;\??\c:\documents and settings\owner\desktop\ms hack\zenx.sys --> c:\documents and settings\owner\desktop\ms hack\zenx.sys [?]

=============== Created Last 30 ================

2009-03-03 16:31	345	a-------	c:\windows\gmer.ini
2009-03-03 16:24	1,089,601	-c------	c:\windows\system32\dllcache\ntprint.cat
2009-03-03 16:10	<DIR>	a-dshr--	C:\cmdcons
2009-03-03 16:08	161,792	a-------	c:\windows\SWREG.exe
2009-03-03 16:08	98,816	a-------	c:\windows\sed.exe
2009-02-21 20:39	<DIR>	--d-----	c:\program files\common files\EasyInfo
2009-02-21 19:02	<DIR>	--d-----	C:\VundoFix Backups
2009-02-21 18:51	81,288	a-------	c:\windows\system32\drivers\iksyssec.sys
2009-02-21 18:51	66,952	a-------	c:\windows\system32\drivers\iksysflt.sys
2009-02-21 18:51	40,840	a-------	c:\windows\system32\drivers\ikfilesec.sys
2009-02-21 18:51	29,576	a-------	c:\windows\system32\drivers\kcom.sys
2009-02-21 18:51	<DIR>	--d-----	c:\program files\Spyware Doctor
2009-02-21 18:51	<DIR>	--d-----	c:\docume~1\owner\applic~1\PC Tools
2009-02-18 21:47	<DIR>	--d-----	c:\program files\Cobian Backup 8
2009-02-18 21:33	<DIR>	--d-----	c:\program files\Trend Micro
2009-02-18 16:59	<DIR>	--d-----	c:\docume~1\owner\applic~1\SPORE
2009-02-02 19:27	<DIR>	--d-----	c:\program files\Hamachi

==================== Find3M  ====================

2009-02-11 10:19	38,496	a-------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19	15,504	a-------	c:\windows\system32\drivers\mbam.sys
2009-02-02 19:27	25,280	a-------	c:\windows\system32\drivers\hamachi.sys
2008-12-20 18:15	826,368	a-------	c:\windows\system32\wininet.dll
2008-09-08 19:01	1,780	ac------	c:\docume~1\owner\applic~1\wklnhst.dat
2007-12-07 16:26	74,960	ac------	c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2006-12-21 13:41	76	a---h---	c:\program files\Desktop.ini

============= FINISH:  9:15:40.92 ===============


The one thing that bugged me about the updates is that they were performed last night when I shut the computer off. When I came back this morning, the computer was on. Unless someone in my house turned it back on... but that's odd because no one ever touches it.
However nothing was found and the computer seems to be running better than ever.

I have a question before ending it all. What is the best group of antiSpyware, antiMalware, and/or antiVirus programs to have on the computer for protection?


Edited by GabMar883, 04 March 2009 - 09:16 AM.
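The DDS and HijackThis logs posted in this thread are plain line-oriented text, and the checks the helper applies to them (orphaned "No File" entries, drivers DDS could not find, drivers living under a user profile, Java older than 6 Update 12) can be scripted. The Python below is an added example, not part of this thread or of any BleepingComputer or DDS tool: the sample lines are copied from the logs posted above, the minimum Java version 1.6.0_12 follows the helper's instruction, and the finding names and the reading of `[?]` as "no size/date recorded for the file" are the example's own assumptions.

```python
"""Triage helper for DDS / HijackThis-style logs (added example, not a BleepingComputer tool).

It flags the same kinds of entries the helpers in this thread look at:
  * Java older than the version the thread asks for (JRE 6 Update 12),
  * registry entries that point at a file that no longer exists ("No File"),
  * services/drivers for which DDS recorded no size/date ([?]),
  * drivers loaded from a user-profile path (Documents and Settings),
  * HijackThis O23 services with no vendor name ("Unknown owner").
"""
import re
from collections import Counter
from dataclasses import dataclass

# Version the thread asks for: Java 6 Update 12 == 1.6.0_12 (assumption: this is the bar)
MIN_JAVA = (1, 6, 0, 12)

# Paths under the user profile are writable without admin rights;
# a kernel driver registered there deserves a second look.
USER_PROFILE_MARKERS = ("documents and settings", "docume~1")

# Constructed sample: lines copied from the logs posted earlier in this thread.
SAMPLE_LOG = r"""
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
TB: {E7D38ED4-2933-43B8-B0B9-52D11CE9CA10} - No File
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-11-21 2749224]
S3 DISK_DRIVE32;DISK_DRIVE32;\??\c:\documents and settings\owner\desktop\downloads\ce\disk_1024.sys --> c:\documents and settings\owner\desktop\downloads\ce\disk_1024.sys [?]
S3 zenx1;zenx1;\??\c:\documents and settings\owner\desktop\ms hack\zenx.sys --> c:\documents and settings\owner\desktop\ms hack\zenx.sys [?]
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str
    line: str


# Java version as DDS prints it in its header ("1.6.0_10") or as it appears
# in the jinstall cab name of a DPF entry ("jinstall-1_6_0_10-...").
_JAVA_RES = (
    re.compile(r"BrowserJavaVersion:\s*(\d+)\.(\d+)\.(\d+)_(\d+)"),
    re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)"),
)
# DDS service/driver line: "<start type> <name>;<display name>;<image path ...>"
_DDS_SVC_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.*)$")


def parse_java_version(line):
    """Return (major, minor, micro, update) from a DDS header or DPF line, else None."""
    for rx in _JAVA_RES:
        m = rx.search(line)
        if m:
            return tuple(int(g) for g in m.groups())
    return None


def triage(text):
    """Scan log text line by line and return a list of Finding objects."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()

        ver = parse_java_version(line)
        if ver is not None and ver < MIN_JAVA:
            findings.append(Finding("outdated-java", line))
            continue

        # Registry references whose target file is gone (toolbars, SSODL, EB entries).
        if low.endswith("- no file"):
            findings.append(Finding("orphaned-entry", line))
            continue

        m = _DDS_SVC_RE.match(line)
        if m:
            image = m.group(3).lower()
            if image.endswith("[?]"):
                findings.append(Finding("missing-driver-file", line))
            if any(marker in image for marker in USER_PROFILE_MARKERS):
                findings.append(Finding("driver-from-user-profile", line))
            continue

        # HijackThis O23: "Unknown owner" means no company name in the version info.
        if low.startswith("o23 - service:") and "unknown owner" in low:
            findings.append(Finding("service-no-vendor", line))
    return findings


def summarize(text):
    """Count findings by kind, e.g. {'orphaned-entry': 2, ...}."""
    return dict(Counter(f.kind for f in triage(text)))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:26} {f.line}")
    print(summarize(SAMPLE_LOG))
```

Run it as-is and it triages the embedded sample; pass a real DDS.txt or HijackThis log through `triage(open(path).read())` for the same checks. A flagged line is only a prompt to look closer (a legitimate game or tablet driver can sit in a user profile), which is why the script reports rather than deletes.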


#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:52 AM

Posted 04 March 2009 - 01:11 PM

Hello.

I will answer your questions and look over the logs once I come back, because I need to go soon, as I came home just for lunch.

When I came back this morning, the computer was on.

Test it again and see if it turns on again. I don't think malware would do that, and I have never heard of anything like that happening before. Perhaps you hit the Restart button accidentally?

What is the best group of antiSpyware, antiMalware, and/or antiVirus programs to have on the computer for protection?

Well, having just protection isn't enough; there are other things involved, including good surfing habits. When I give you my "all-clean", everything will be included regarding protection and how to prevent them.

Below are some programs I recommend to others.

List of Free Antivirus Programs

An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a (ONE) free anti-virus program from one of the links below:

List of Firewall Programs

Install a third-party firewall from the following selection of excellent programs.

The main reason you would prefer a third-party firewall over the Windows XP Firewall is that Windows Firewall only stops incoming signals from accessing your computer. However, it will not stop outgoing signals (possibly ones that could intrude on your privacy) from sending information to the Internet or to other networks.

After you have installed one of the above firewalls, please disable your Windows Firewall, if you had it enabled.

*Note: If you choose the PC Tools Firewall Plus and you are asked to install ThreatFire do not do so.

List of Antispyware Programs

Please download and install an antispyware program:

Update your JAVA now. We are almost done, just a final checkup once I get back :thumbup2:

Update Java to Version 6 Update 12

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 Update 12 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 12.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    Repeat as many times as necessary to remove each Java version. The older versions of Java are all of these:
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) 6 Update 10
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) SE Runtime Environment 6 Update 1
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
*If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
** If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
*** The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Another new DDS log (only DDS.txt is required)

With Regards,
Extremeboy

#11 GabMar883

GabMar883
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:52 AM

Posted 04 March 2009 - 11:48 PM

Alright. I'll make sure to take more care of the computer from now on.

Here's the new DDS log:

DDS (Ver_09-02-01.01) - NTFSx86  
Run by Owner at 23:45:36.89 on Wed 03/04/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.3583.3111 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdrserv.exe
C:\WINDOWS\system32\lxdrcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Netopia\C3kWepN.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - 
TB: {E7D38ED4-2933-43B8-B0B9-52D11CE9CA10} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [STYLEXP] c:\program files\tgtsoft\stylexp\StyleXP.exe -Hide
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [C2kWep] c:\program files\netopia\C3kWepN.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: &Search
IE: Add to AMV Convert Tool... - c:\program files\mp3 player utilities 4.00\amvconverter\grab.html
IE: Add to Media Manager... - c:\program files\mp3 player utilities 4.00\mediamanager\grab.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142209616106
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
TCP: {8532F616-9F31-40CE-BB6F-EF490F0C5751} = 4.2.2.2
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\s034v7jh.default\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R2 lxdr_device;lxdr_device;c:\windows\system32\lxdrcoms.exe -service --> c:\windows\system32\lxdrcoms.exe -service [?]
R2 lxdrCATSCustConnectService;lxdrCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdrserv.exe [2009-1-22 98984]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-11-21 2749224]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-9-25 15656]
S3 DISK_DRIVE32;DISK_DRIVE32;\??\c:\documents and settings\owner\desktop\downloads\ce\disk_1024.sys --> c:\documents and settings\owner\desktop\downloads\ce\disk_1024.sys [?]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-2-21 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-2-21 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-2-21 81288]
S3 npkycryp;npkycryp;\??\c:\nexon\maplestory\npkycryp.sys --> c:\nexon\maplestory\npkycryp.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-21 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-2-21 1079176]
S3 SWLD23U;Netopia 802.11b WLAN USB Adapter;c:\windows\system32\drivers\swld23u.sys --> c:\windows\system32\drivers\SWLD23U.sys [?]
S3 swlubtl;WLAN USB Boot Device;c:\windows\system32\drivers\swlubtl.sys --> c:\windows\system32\drivers\swlubtl.sys [?]
S3 USB200M;Linksys USB 2.0 Network Adapter ver.2;c:\windows\system32\drivers\USB200M2.sys [2006-3-12 18048]
S3 XDva025;XDva025;\??\c:\windows\system32\xdva025.sys --> c:\windows\system32\XDva025.sys [?]
S3 zenx1;zenx1;\??\c:\documents and settings\owner\desktop\ms hack\zenx.sys --> c:\documents and settings\owner\desktop\ms hack\zenx.sys [?]

=============== Created Last 30 ================

2009-03-04 23:37	73,728	a-------	c:\windows\system32\javacpl.cpl
2009-03-03 16:31	345	a-------	c:\windows\gmer.ini
2009-03-03 16:24	1,089,601	-c------	c:\windows\system32\dllcache\ntprint.cat
2009-03-03 16:10	<DIR>	a-dshr--	C:\cmdcons
2009-03-03 16:08	161,792	a-------	c:\windows\SWREG.exe
2009-03-03 16:08	98,816	a-------	c:\windows\sed.exe
2009-02-21 20:39	<DIR>	--d-----	c:\program files\common files\EasyInfo
2009-02-21 19:02	<DIR>	--d-----	C:\VundoFix Backups
2009-02-21 18:51	81,288	a-------	c:\windows\system32\drivers\iksyssec.sys
2009-02-21 18:51	66,952	a-------	c:\windows\system32\drivers\iksysflt.sys
2009-02-21 18:51	40,840	a-------	c:\windows\system32\drivers\ikfilesec.sys
2009-02-21 18:51	29,576	a-------	c:\windows\system32\drivers\kcom.sys
2009-02-21 18:51	<DIR>	--d-----	c:\program files\Spyware Doctor
2009-02-21 18:51	<DIR>	--d-----	c:\docume~1\owner\applic~1\PC Tools
2009-02-18 21:47	<DIR>	--d-----	c:\program files\Cobian Backup 8
2009-02-18 21:33	<DIR>	--d-----	c:\program files\Trend Micro
2009-02-18 16:59	<DIR>	--d-----	c:\docume~1\owner\applic~1\SPORE

==================== Find3M  ====================

2009-03-04 23:37	410,984	a-------	c:\windows\system32\deploytk.dll
2009-02-11 10:19	38,496	a-------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19	15,504	a-------	c:\windows\system32\drivers\mbam.sys
2009-02-02 19:27	25,280	a-------	c:\windows\system32\drivers\hamachi.sys
2008-12-20 18:15	826,368	a-------	c:\windows\system32\wininet.dll
2008-09-08 19:01	1,780	ac------	c:\docume~1\owner\applic~1\wklnhst.dat
2007-12-07 16:26	74,960	ac------	c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2006-12-21 13:41	76	a---h---	c:\program files\Desktop.ini

============= FINISH: 23:46:22.65 ===============


and thank you so much for all your help :thumbup2:

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:52 AM

Posted 05 March 2009 - 01:02 PM

Hello.

Alright. I'll make sure to take more care of the computer from now on.

:thumbup2:

That log looks fine; there is one thing we can remove, though. Let's get rid of it.

Download and Run OTMoveIT3
  • Please download OTMoveIt3 by OldTimer and save it to your desktop. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Double click the OTMoveIt3 icon on your desktop.
  • Paste the following code under the "Paste Instructions for Items to be Moved" area. Do not include the word "Code".
    :services
    XDva025
    :files
    c:\windows\system32\xdva025.sys 
    :commands
    [EmptyTemp]
    [Reboot]
  • Click the large "MoveIt!" button.
  • Copy/Paste the contents under the "Results" line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, enter *.log in the File Name box and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Post back with:
-OTMoveIT log
-New Hijackthis log

Almost done :)

With Regards,
extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free, but if you wish to show your appreciation, you may wish to donate.
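An added triage script for the DDS log format seen in this thread (this is not code from DDS, OTMoveIt or the helper): it parses the SERVICES / DRIVERS lines, flags entries whose file DDS could not find or read (my reading of the trailing "[?]") or whose binary sits outside the Windows and Program Files trees, and renders the OTMoveIt script layout used in the post above for entries a person has already reviewed. The function names, the "trusted prefix" rule and the interpretation of "[?]" are my assumptions; the sample lines are taken from the DDS log posted earlier.

```python
"""Triage the SERVICES / DRIVERS block of a DDS log and render an OTMoveIt script.

Added example for this thread; not code from DDS, OTMoveIt or the helper.
Assumptions (mine): a trailing "[?]" means DDS could not find or read the file,
and a legitimate driver binary normally lives under c:\\windows or c:\\program files.
"""
import re
from dataclasses import dataclass, field

# Lines taken verbatim from the DDS log posted above (header line included to
# show that non-entry lines are skipped).
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-11-21 2749224]
S3 DISK_DRIVE32;DISK_DRIVE32;\??\c:\documents and settings\owner\desktop\downloads\ce\disk_1024.sys --> c:\documents and settings\owner\desktop\downloads\ce\disk_1024.sys [?]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-2-21 40840]
S3 npkycryp;npkycryp;\??\c:\nexon\maplestory\npkycryp.sys --> c:\nexon\maplestory\npkycryp.sys [?]
S3 XDva025;XDva025;\??\c:\windows\system32\xdva025.sys --> c:\windows\system32\XDva025.sys [?]
S3 zenx1;zenx1;\??\c:\documents and settings\owner\desktop\ms hack\zenx.sys --> c:\documents and settings\owner\desktop\ms hack\zenx.sys [?]
"""

# "R2 name;display name;path [date size]" or, when DDS could not resolve the
# file, "S3 name;display name;registry path --> resolved path [?]"
ENTRY_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
TRAILER_RE = re.compile(r"\s*\[[^\]]*\]$")          # "[2009-2-21 40840]" or "[?]"
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")  # assumption, see above


@dataclass
class DriverEntry:
    state: str          # R = running, S = stopped (DDS convention)
    name: str
    display: str
    path: str           # resolved on-disk path, NT prefix \??\ removed
    file_present: bool  # False when the line ends in "[?]"
    reasons: list = field(default_factory=list)


def parse_entry(line: str):
    """Return a DriverEntry for one DDS service/driver line, or None for other lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    file_present = not rest.endswith("[?]")
    # Prefer the path DDS resolved (right of the arrow) over the raw registry value.
    path = rest.split(" --> ", 1)[1] if " --> " in rest else rest
    path = TRAILER_RE.sub("", path)
    if path.startswith("\\??\\"):
        path = path[4:]
    entry = DriverEntry(m.group("state"), m.group("name"), m.group("display"), path, file_present)
    if not file_present:
        entry.reasons.append("file missing on disk")
    if not path.lower().startswith(TRUSTED_PREFIXES):
        entry.reasons.append("binary outside Windows/Program Files trees")
    return entry


def triage(log_text: str) -> dict:
    """Map service name -> reasons for every entry that deserves a closer look."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and entry.reasons:
            flagged[entry.name] = entry.reasons
    return flagged


def otmoveit_script(entries) -> str:
    """Render the OTMoveIt script in the layout used in the post above, for entries
    a person has already decided to remove. Every section header starts with ':';
    pasting a bare name without its ':services' header is what produced the
    'Unable to interpret <XDva025> in the current context!' error later in the thread."""
    lines = [":services"] + [e.name for e in entries]
    lines += [":files"] + [e.path for e in entries]
    lines += [":commands", "[EmptyTemp]", "[Reboot]"]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(reasons)}")
    xdva = parse_entry("S3 XDva025;XDva025;\\??\\c:\\windows\\system32\\xdva025.sys"
                       " --> c:\\windows\\system32\\XDva025.sys [?]")
    print(otmoveit_script([xdva]))
```

The flags are a reading aid, not a verdict: a missing file can mean a leftover registration from an uninstalled tool just as well as malware, so removal stays a human decision.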

#13 GabMar883

GabMar883
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:52 AM

Posted 05 March 2009 - 09:40 PM

Here's the OTMoveIT Log:

Error: Unable to interpret <XDva025> in the current context!
========== FILES ==========
File/Folder c:\windows\system32\xdva025.sys not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\etilqs_kkOMEaoxPtC6XnYSjfTN scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\JET584C.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_570.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7a4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\s034v7jh.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\s034v7jh.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\s034v7jh.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\s034v7jh.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\s034v7jh.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\s034v7jh.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
 
OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03052009_213816


Posting back with the HijackThis log...
Here's the HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:53:57, on 3/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdrserv.exe
C:\WINDOWS\system32\lxdrcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Netopia\C3kWepN.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [C2kWep] C:\Program Files\Netopia\C3kWepN.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Webroot Desktop Firewall] C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142209616106
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8532F616-9F31-40CE-BB6F-EF490F0C5751}: NameServer = 4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{8532F616-9F31-40CE-BB6F-EF490F0C5751}: NameServer = 4.2.2.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxdrCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdrserv.exe
O23 - Service: lxdr_device -   - C:\WINDOWS\system32\lxdrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software Inc (www.webroot.com) - C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 8550 bytes


Edited by GabMar883, 05 March 2009 - 09:55 PM.


#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:52 AM

Posted 06 March 2009 - 08:13 AM

Hello.

You did not copy the WHOLE OTMoveIT Script. Make sure you copy everything including the colon (:) and the services part. Please run OTMoveIT again with the script below.

:services
XDva025

Post back with:
-OTMoveIT log
-New Hijackthis log


With Regards,
Extremeboy

#15 GabMar883

GabMar883
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:52 AM

Posted 06 March 2009 - 09:58 AM

:thumbup2:

Here's the OTMoveIT log (the good one):

========== SERVICES/DRIVERS ==========
Service XDva025 stopped successfully.
Service XDva025 deleted successfully.
========== FILES ==========
File/Folder c:\windows\system32\xdva025.sys not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\JET96BD.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_578.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_bc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
 
OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03062009_095148

Files moved on Reboot...
File C:\DOCUME~1\Owner\LOCALS~1\Temp\JET96BD.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_578.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_bc.dat not found!


And here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:54:55, on 3/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdrserv.exe
C:\WINDOWS\system32\lxdrcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Netopia\C3kWepN.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [C2kWep] C:\Program Files\Netopia\C3kWepN.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Webroot Desktop Firewall] C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142209616106
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8532F616-9F31-40CE-BB6F-EF490F0C5751}: NameServer = 4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{8532F616-9F31-40CE-BB6F-EF490F0C5751}: NameServer = 4.2.2.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxdrCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdrserv.exe
O23 - Service: lxdr_device -   - C:\WINDOWS\system32\lxdrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software Inc (www.webroot.com) - C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 8582 bytes


XD Sorry about that.



