infected with rootkit and trojan



#1 spliznice


Posted 04 March 2009 - 01:01 AM

I can't seem to get this dang rootkit and trojan off my system.



According to Anti-Malware:
The rootkit is: mrxdavv.sys
The trojan is: kwave.sys

I've tried everything I can think of to remove them, but they just won't leave!

Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:59 PM, on 3/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20935)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [nurvqpfxqwe1dc] C:\DOCUME~1\Owner\LOCALS~1\Temp\w53xbu5.exe
O4 - HKCU\..\Run: [c9blabawj198oic9nmjghc5jr1hq9a3c5bgg4qdc6lw01loh] C:\DOCUME~1\Owner\LOCALS~1\Temp\snv8cc.exe
O4 - HKCU\..\Run: [bfqpnhwzfacykiu9vcs] C:\DOCUME~1\Owner\LOCALS~1\Temp\yomx381rdp84.exe
O4 - HKCU\..\Run: [yn5n2gh7v9rc21xzienlhds9eziddq6snuytpyl1y4e] C:\DOCUME~1\Owner\LOCALS~1\Temp\fu9gj5z59k.exe
O4 - HKCU\..\Run: [ceaw588llx3czjwmffbaqd3kt02edb28egvwtm29wsjliby] C:\DOCUME~1\Owner\LOCALS~1\Temp\bghzgjc7w98qa.exe
O4 - HKCU\..\Run: [abq0dje0yd9z5nvhftki2d05] C:\DOCUME~1\Owner\LOCALS~1\Temp\yf9s254ey.exe
O4 - HKCU\..\Run: [yyn9pm3licz20pfke98ndrrbr6ko0fcfdnchztmq] C:\DOCUME~1\Owner\LOCALS~1\Temp\gu50wmip.exe
O4 - HKCU\..\Run: [iio3m3foas0pg0w2yxh] C:\DOCUME~1\Owner\LOCALS~1\Temp\guuhn3.exe
O4 - HKCU\..\Run: [odec6pa6zos66gzxjc9susseiy61] C:\DOCUME~1\Owner\LOCALS~1\Temp\gjqf3g.exe
O4 - HKCU\..\Run: [s6c33vgt2evnw1ml6wqpcutd] C:\DOCUME~1\Owner\LOCALS~1\Temp\m3k8ngm0lc.exe
O4 - HKCU\..\Run: [z2gqahymjvcpkcttjrq3ruhzjvrk00zbkb] C:\DOCUME~1\Owner\LOCALS~1\Temp\nup6ex6bm6k.exe
O4 - HKCU\..\Run: [z5w0y7uqndf70u2ksmm1k] C:\DOCUME~1\Owner\LOCALS~1\Temp\j6103njrzn.exe
O4 - HKCU\..\Run: [rwzokkp64dq6edd6w67sz5jdfpwg3k74f7g7461jyplr9c8b] C:\DOCUME~1\Owner\LOCALS~1\Temp\tkyk10y2v.exe
O4 - HKCU\..\Run: [xl3zr28ha5qasus81r3py0mq4bbg13kwmvererbw] C:\DOCUME~1\Owner\LOCALS~1\Temp\fd31frk6zqb.exe
O4 - HKCU\..\Run: [ijz82kvuf0qez6] C:\DOCUME~1\Owner\LOCALS~1\Temp\komzkk5fvg.exe
O4 - HKCU\..\Run: [n42mb7qy2y0l8kufh745mtl3t5qia4ay7jj8hxq0oogroqr6qz] C:\DOCUME~1\Owner\LOCALS~1\Temp\q3tjpzyihsy.exe
O4 - HKCU\..\Run: [nn0ttq8pfr5kxl5hh] C:\DOCUME~1\Owner\LOCALS~1\Temp\wnao9i2c35.exe
O4 - HKCU\..\Run: [zzmpb2kygmfg2bqsvuglgkb4] C:\DOCUME~1\Owner\LOCALS~1\Temp\bxeddxz3e.exe
O4 - HKCU\..\Run: [l1nkqtrej2woklziea5io9wnb5z0p] C:\DOCUME~1\Owner\LOCALS~1\Temp\chevau.exe
O4 - HKCU\..\Run: [jiehq417w0fqsvz94pdqcwucwjx] C:\DOCUME~1\Owner\LOCALS~1\Temp\baq3mo9.exe
O4 - HKCU\..\Run: [lvv1b4da92lrb3joiqh5wb6g68soz] C:\DOCUME~1\Owner\LOCALS~1\Temp\v11rkxlll.exe
O4 - HKCU\..\Run: [sz30a9oghlj4kp1f7u2jryryhdvkmthkzvtb5vsc00tbdc0zj] C:\DOCUME~1\Owner\LOCALS~1\Temp\moh4h2ype.exe
O4 - HKCU\..\Run: [ka5kjmas2zqju1h4jk5bhjifnjzhgubhynq2d] C:\DOCUME~1\Owner\LOCALS~1\Temp\fgc6x5e5h.exe
O4 - HKCU\..\Run: [xfvn1k0kkhn992cvl7pw0ds006y3vi1q4] C:\DOCUME~1\Owner\LOCALS~1\Temp\b1v8qpirn81.exe
O4 - HKCU\..\Run: [fqwsbhojvilri4kh4obae5ii1en0yh42jr0dkk7xbo2] C:\DOCUME~1\Owner\LOCALS~1\Temp\w3ij36o5irjt.exe
O4 - HKCU\..\Run: [d9l296r66hva9byxfejrnhi40v] C:\DOCUME~1\Owner\LOCALS~1\Temp\dq1l20d.exe
O4 - HKCU\..\Run: [sxfus7hjstzoz789v3vh9986rtrn2t1mtyzc3972zt] C:\DOCUME~1\Owner\LOCALS~1\Temp\wiwnz3t.exe
O4 - HKCU\..\Run: [lgiaifolczp28nciszx9qazkt11ut10x82a] C:\DOCUME~1\Owner\LOCALS~1\Temp\rdlxdh4jx644.exe
O4 - HKCU\..\Run: [jw5b0cs8y80j] C:\DOCUME~1\Owner\LOCALS~1\Temp\i4un44so5093.exe
O4 - HKCU\..\Run: [ajkowxst04szrypiiubgd3qzmqjgjoggysqlksq2jh64znhzyu] C:\DOCUME~1\Owner\LOCALS~1\Temp\wh5glplqdu1.exe
O4 - HKCU\..\Run: [ts6zb43kvyudvw6j] C:\DOCUME~1\Owner\LOCALS~1\Temp\mtpoh0.exe
O4 - HKCU\..\Run: [rxuxe3r84l0dikqfudw3ytl91pic6vluy19] C:\DOCUME~1\Owner\LOCALS~1\Temp\ozv1ab0vf7.exe
O4 - HKCU\..\Run: [eqyknxr6m4pgsorie53x47q079kkfc7dqpqyjbu4g9w8] C:\DOCUME~1\Owner\LOCALS~1\Temp\sdjtzexs2.exe
O4 - HKCU\..\Run: [d45qud9s7ov2bmumvx65sr67jrqatvxx1e6e] C:\DOCUME~1\Owner\LOCALS~1\Temp\n5xh6l.exe
O4 - HKCU\..\Run: [mnzj8n4o3hqb753lon8u9xa47zh] C:\DOCUME~1\Owner\LOCALS~1\Temp\i14imq.exe
O4 - HKCU\..\Run: [ln81r9onj192666ul4h2ycnpl] C:\DOCUME~1\Owner\LOCALS~1\Temp\kb1rwqui.exe
O4 - HKCU\..\Run: [dsbmp2tvfv7c54h7c1qovxv21hp] C:\DOCUME~1\Owner\LOCALS~1\Temp\u3wcbjc0.exe
O4 - HKCU\..\Run: [fg43kut053fh3p8x6uzgum7y31vu8o4l1fu14ascvyatzbhe] C:\DOCUME~1\Owner\LOCALS~1\Temp\yehm8bep6oaz.exe
O4 - HKCU\..\Run: [kzdr0w6ln9l30idug8amyf7] C:\DOCUME~1\Owner\LOCALS~1\Temp\nllgd34kys5.exe
O4 - HKCU\..\Run: [hwblcp9cknu539uozrwu8oi33znxgu] C:\DOCUME~1\Owner\LOCALS~1\Temp\zxorfy.exe
O4 - HKCU\..\Run: [haz545y52c42bth] C:\DOCUME~1\Owner\LOCALS~1\Temp\v3zn323j4rd.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Update Service (gupdate1c9939aa859b8ce) (gupdate1c9939aa859b8ce) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 7938 bytes






And here is my DDS log:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 21:57:24.42 on Tue 03/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1332 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: SfcDisable=-99 (0xffffff9d)
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [nurvqpfxqwe1dc] c:\docume~1\owner\locals~1\temp\w53xbu5.exe
uRun: [c9blabawj198oic9nmjghc5jr1hq9a3c5bgg4qdc6lw01loh] c:\docume~1\owner\locals~1\temp\snv8cc.exe
uRun: [bfqpnhwzfacykiu9vcs] c:\docume~1\owner\locals~1\temp\yomx381rdp84.exe
uRun: [yn5n2gh7v9rc21xzienlhds9eziddq6snuytpyl1y4e] c:\docume~1\owner\locals~1\temp\fu9gj5z59k.exe
uRun: [ceaw588llx3czjwmffbaqd3kt02edb28egvwtm29wsjliby] c:\docume~1\owner\locals~1\temp\bghzgjc7w98qa.exe
uRun: [abq0dje0yd9z5nvhftki2d05] c:\docume~1\owner\locals~1\temp\yf9s254ey.exe
uRun: [yyn9pm3licz20pfke98ndrrbr6ko0fcfdnchztmq] c:\docume~1\owner\locals~1\temp\gu50wmip.exe
uRun: [iio3m3foas0pg0w2yxh] c:\docume~1\owner\locals~1\temp\guuhn3.exe
uRun: [odec6pa6zos66gzxjc9susseiy61] c:\docume~1\owner\locals~1\temp\gjqf3g.exe
uRun: [s6c33vgt2evnw1ml6wqpcutd] c:\docume~1\owner\locals~1\temp\m3k8ngm0lc.exe
uRun: [z2gqahymjvcpkcttjrq3ruhzjvrk00zbkb] c:\docume~1\owner\locals~1\temp\nup6ex6bm6k.exe
uRun: [z5w0y7uqndf70u2ksmm1k] c:\docume~1\owner\locals~1\temp\j6103njrzn.exe
uRun: [rwzokkp64dq6edd6w67sz5jdfpwg3k74f7g7461jyplr9c8b] c:\docume~1\owner\locals~1\temp\tkyk10y2v.exe
uRun: [xl3zr28ha5qasus81r3py0mq4bbg13kwmvererbw] c:\docume~1\owner\locals~1\temp\fd31frk6zqb.exe
uRun: [ijz82kvuf0qez6] c:\docume~1\owner\locals~1\temp\komzkk5fvg.exe
uRun: [n42mb7qy2y0l8kufh745mtl3t5qia4ay7jj8hxq0oogroqr6qz] c:\docume~1\owner\locals~1\temp\q3tjpzyihsy.exe
uRun: [nn0ttq8pfr5kxl5hh] c:\docume~1\owner\locals~1\temp\wnao9i2c35.exe
uRun: [zzmpb2kygmfg2bqsvuglgkb4] c:\docume~1\owner\locals~1\temp\bxeddxz3e.exe
uRun: [l1nkqtrej2woklziea5io9wnb5z0p] c:\docume~1\owner\locals~1\temp\chevau.exe
uRun: [jiehq417w0fqsvz94pdqcwucwjx] c:\docume~1\owner\locals~1\temp\baq3mo9.exe
uRun: [lvv1b4da92lrb3joiqh5wb6g68soz] c:\docume~1\owner\locals~1\temp\v11rkxlll.exe
uRun: [sz30a9oghlj4kp1f7u2jryryhdvkmthkzvtb5vsc00tbdc0zj] c:\docume~1\owner\locals~1\temp\moh4h2ype.exe
uRun: [ka5kjmas2zqju1h4jk5bhjifnjzhgubhynq2d] c:\docume~1\owner\locals~1\temp\fgc6x5e5h.exe
uRun: [xfvn1k0kkhn992cvl7pw0ds006y3vi1q4] c:\docume~1\owner\locals~1\temp\b1v8qpirn81.exe
uRun: [fqwsbhojvilri4kh4obae5ii1en0yh42jr0dkk7xbo2] c:\docume~1\owner\locals~1\temp\w3ij36o5irjt.exe
uRun: [d9l296r66hva9byxfejrnhi40v] c:\docume~1\owner\locals~1\temp\dq1l20d.exe
uRun: [sxfus7hjstzoz789v3vh9986rtrn2t1mtyzc3972zt] c:\docume~1\owner\locals~1\temp\wiwnz3t.exe
uRun: [lgiaifolczp28nciszx9qazkt11ut10x82a] c:\docume~1\owner\locals~1\temp\rdlxdh4jx644.exe
uRun: [jw5b0cs8y80j] c:\docume~1\owner\locals~1\temp\i4un44so5093.exe
uRun: [ajkowxst04szrypiiubgd3qzmqjgjoggysqlksq2jh64znhzyu] c:\docume~1\owner\locals~1\temp\wh5glplqdu1.exe
uRun: [ts6zb43kvyudvw6j] c:\docume~1\owner\locals~1\temp\mtpoh0.exe
uRun: [rxuxe3r84l0dikqfudw3ytl91pic6vluy19] c:\docume~1\owner\locals~1\temp\ozv1ab0vf7.exe
uRun: [eqyknxr6m4pgsorie53x47q079kkfc7dqpqyjbu4g9w8] c:\docume~1\owner\locals~1\temp\sdjtzexs2.exe
uRun: [d45qud9s7ov2bmumvx65sr67jrqatvxx1e6e] c:\docume~1\owner\locals~1\temp\n5xh6l.exe
uRun: [mnzj8n4o3hqb753lon8u9xa47zh] c:\docume~1\owner\locals~1\temp\i14imq.exe
uRun: [ln81r9onj192666ul4h2ycnpl] c:\docume~1\owner\locals~1\temp\kb1rwqui.exe
uRun: [dsbmp2tvfv7c54h7c1qovxv21hp] c:\docume~1\owner\locals~1\temp\u3wcbjc0.exe
uRun: [fg43kut053fh3p8x6uzgum7y31vu8o4l1fu14ascvyatzbhe] c:\docume~1\owner\locals~1\temp\yehm8bep6oaz.exe
uRun: [kzdr0w6ln9l30idug8amyf7] c:\docume~1\owner\locals~1\temp\nllgd34kys5.exe
uRun: [hwblcp9cknu539uozrwu8oi33znxgu] c:\docume~1\owner\locals~1\temp\zxorfy.exe
uRun: [haz545y52c42bth] c:\docume~1\owner\locals~1\temp\v3zn323j4rd.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: MaxRecentDocs = 18 (0x12)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\osotktmb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\google\google updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - HiddenExtension: XUL Cache: {368AB565-35AB-4167-A2AA-B6E1A9088988} - c:\documents and settings\owner\local settings\application data\{368AB565-35AB-4167-A2AA-B6E1A9088988}

============= SERVICES / DRIVERS ===============

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-3 64160]
R2 dmsmbios;dmsmbios;c:\windows\system32\dmsmbios.sys [2000-5-2 16480]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951120]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-3-3 38496]
S1 855e9cb2;855e9cb2;c:\windows\system32\drivers\855e9cb2.sys [2009-3-3 0]
S2 gupdate1c9939aa859b8ce;Google Update Service (gupdate1c9939aa859b8ce);c:\program files\google\update\GoogleUpdate.exe [2009-2-20 133104]
S3 HabuFltr;Habu Mouse;c:\windows\system32\drivers\habu.sys [2008-11-18 27776]

=============== Created Last 30 ================

2009-03-03 18:36 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-03 17:02 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-03 16:58 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-03 16:58 <DIR> --d----- c:\program files\Lavasoft
2009-03-03 16:47 485,902 a------- C:\HaxFix.exe
2009-03-03 16:47 <DIR> --d----- C:\HaxFix
2009-03-03 16:12 <DIR> --d----- c:\documents and settings\owner\DoctorWeb
2009-03-03 15:15 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-03 15:15 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-03 15:15 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 15:05 <DIR> --dsh--- C:\found.000
2009-03-03 13:54 4 a------- c:\windows\system32\gaopdxcounter
2009-03-03 11:03 <DIR> --d----- c:\program files\Trend Micro
2009-03-03 11:01 <DIR> --d----- c:\program files\SpywareBlaster
2009-03-03 10:17 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-03-03 10:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-03 09:53 1 a------- c:\windows\system32\uniq.tll
2009-03-03 09:53 0 a------- c:\windows\system32\drivers\855e9cb2.sys
2009-03-03 09:53 8,688 a------- c:\windows\system32\drivers\InCDPass.sys
2009-03-03 09:53 8,688 a------- c:\windows\system32\uvsync.sys
2009-02-25 12:40 <DIR> --d----- c:\windows\Applian FLV Player
2009-02-09 07:27 <DIR> --d----- c:\docume~1\owner\applic~1\Atari
2009-02-09 07:21 197,120 a------- c:\windows\patchw32.dll
2009-02-09 07:21 <DIR> --d----- c:\program files\common files\PocketSoft
2009-02-08 14:52 <DIR> --d----- c:\windows\system32\AGEIA
2009-02-04 10:09 <DIR> --d----- c:\windows\pss

==================== Find3M ====================

2009-02-27 15:12 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-01-20 10:52 137,688 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-01-20 10:52 202,040 a------- c:\windows\system32\PnkBstrB.exe
2008-12-12 22:26 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 04:33 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-11-18 20:30 22,328 a------- c:\docume~1\owner\applic~1\PnkBstrK.sys

============= FINISH: 21:57:36.00 ===============





Any help would be soooo greatly appreciated. I don't want to have to wipe the drive if I don't have to, so I thought I'd ask around.

Thanks in advance for any help you guys can offer.
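A small triage script, added here as an example and not part of either post or of the HijackThis/DDS tools, that parses the autorun and driver lines in the formats shown in the two logs above and flags the pattern visible there: Run values with random-looking names that launch executables from the user's Temp folder, and a zero-byte, hex-named boot-start driver. The name-length cutoff of 12 and the entropy threshold of 3.0 bits per character are assumed heuristics; the sample lines are copied from the logs above plus one benign entry.

```python
# Added example: triage of HijackThis O4 / DDS autorun and driver lines.
import math
import re
from collections import Counter

# Line formats as they appear in the logs above:
#   O4 - HKCU\..\Run: [name] C:\path\file.exe       (HijackThis)
#   uRun: [name] c:\path\file.exe                   (DDS pseudo-HJT report)
#   S1 name;display;c:\path\file.sys [2009-3-3 0]   (DDS services/drivers)
HJT_O4 = re.compile(r"^O4 - \S+?\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
DDS_RUN = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
DDS_SVC = re.compile(r"^[RS]\d (?P<svc>[^;]+);[^;]*;(?P<path>.+?) \[\S+ (?P<size>\d+)\]$")
TEMP_MARKERS = ("\\locals~1\\temp\\", "\\local settings\\temp\\", "\\temp\\")

def shannon_entropy(s):
    """Bits per character; machine-generated alphanumeric names score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def check_autorun(name, cmd):
    """Reasons an autorun entry looks suspicious (empty list if none)."""
    reasons = []
    if any(marker in cmd.lower() for marker in TEMP_MARKERS):
        reasons.append("runs from a Temp directory")
    # Assumed heuristic: long, all-lowercase alphanumeric value names with
    # entropy >= 3.0 bits/char look generated (real ones read like "Ad-Watch").
    if len(name) >= 12 and re.fullmatch(r"[a-z0-9]+", name) and shannon_entropy(name) >= 3.0:
        reasons.append("random-looking value name")
    return reasons

def check_driver(svc, size):
    """Reasons a DDS service/driver entry looks suspicious."""
    reasons = []
    if size == 0:
        reasons.append("zero-byte driver image")
    if re.fullmatch(r"[0-9a-f]{8}", svc):
        reasons.append("hex-only service name")
    return reasons

def triage(lines):
    """Return (kind, name, target, reasons) for every flagged log line."""
    flagged = []
    for raw in lines:
        line = raw.strip()
        m = HJT_O4.match(line) or DDS_RUN.match(line)
        if m:
            why = check_autorun(m.group("name"), m.group("cmd"))
            if why:
                flagged.append(("autorun", m.group("name"), m.group("cmd"), why))
            continue
        m = DDS_SVC.match(line)
        if m:
            why = check_driver(m.group("svc"), int(m.group("size")))
            if why:
                flagged.append(("driver", m.group("svc"), m.group("path"), why))
    return flagged

# Constructed sample: three lines copied from the logs above plus one benign entry.
SAMPLE = [
    r"O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe",
    r"O4 - HKCU\..\Run: [nurvqpfxqwe1dc] C:\DOCUME~1\Owner\LOCALS~1\Temp\w53xbu5.exe",
    r"uRun: [jw5b0cs8y80j] c:\docume~1\owner\locals~1\temp\i4un44so5093.exe",
    r"S1 855e9cb2;855e9cb2;c:\windows\system32\drivers\855e9cb2.sys [2009-3-3 0]",
]
```

Running `triage()` over a whole pasted log lists only the entries worth a second look, which is the filtering a helper does by eye before writing a fix script.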

#2 Thunder


Posted 12 March 2009 - 05:25 PM

Hello Spliznice and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...



