Possible virus/trojan/mallware in explorer.exe


22 replies to this topic

#1 BarbaEnzo

BarbaEnzo

  • Members
  • 14 posts
  • OFFLINE
  • Local time:12:30 AM

Posted 27 March 2009 - 09:50 AM

Hi All,

I am hoping to get help with a problem I recently discovered. I am using Windows XP SP3 (Media Center Edition). I recently noticed my computer misbehaving, slowness, occasional pop-up from Super Anti-Spyware when browsing IE7. I started to look in the usual places like msconfig and current processes running and found a suspicious dll in the startup menu. The line in msconfig currently reads O4 - HKLM\..\Run: [Jrobibere] rundll32.exe "C:\WINDOWS\atadavakul.dll",e. I have tried several utilities to eradicate the dll without success. Here are the steps I have taken so far (both in standard and safe mode):

- Run CCLeaner
- Run AD-Aware
- Run Search & Destroy
- Run Avira AntiVir
- Run SUPERAntispyware
- Run HijackThis

Running the above utilities does not get rid of the dll. The only app that seems to locate it is HijackThis. I try removing it via Hijack, but it comes immediately back after a re-scan. I also ran ProcessExplorer to look up the dll relation, and it seems to be hooked into Explorer.exe. I even went as far as running through a suggested Vundo fix solution I saw on here months back. Still no luck. I am able to rename the dll, reboot, and successfully remove the dll. However, the dll gets randomly renamed. The only thing that seems to stay the same is the "Jrobibere" name. Also, I tried to remove the run key from the registry and it immediately comes back, even if Windows Restore is turned off. Below are my DDS results, and I have zipped up and attached the "attached.txt" file. Any help is greatly appreciated.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Kodak Dental Systems at 8:02:16.40 on Fri 03/27/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.860 [GMT -7:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWlan.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\YAC\yac.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\SysMetrix\SysMetrix.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\taskmgr.exe
E:\Music I\Apps\CleanUp\Post-Cleaners\McAfee Stinger.exe
C:\Documents and Settings\Kodak Dental Systems\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig
mWinlogon: UIHost=c:\program files\tgtsoft\stylexp\logon\CurrentLogon.EXE
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CoTGT_BHO Class: {c333cf63-767f-4831-94ac-e683d962c63c} - c:\program files\tgtsoft\stylexp\TGT_BHO.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [STYLEXP] c:\program files\tgtsoft\stylexp\StyleXP.exe -Hide
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [MediaLifeService] "c:\program files\logitech\medialife\MediaLifeService.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [SysMetrix] c:\program files\sysmetrix\SysMetrix.exe
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy4\dvdaudio\CTDVDDET.EXE"
mRun: [CTSysVol] c:\program files\creative\sbaudigy4\surround mixer\CTSysVol.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [HydraVisionDesktopManager] c:\program files\ati technologies\ati hydravision\HydraDM.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [FixCamera] c:\windows\FixCamera.exe
mRun: [tsnp2std] c:\windows\tsnp2std.exe
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Jrobibere] rundll32.exe "c:\windows\atadavakul.dll",e
StartupFolder: c:\docume~1\kodakd~1\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek rtl8185 wireless lan driver and utility\RtWlan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\settings.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\yac.lnk - c:\program files\yac\yac.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6.5\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://echat.bellsouth.net/sdccommon/download/tgctlcm.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/b/e/5/be592e3e-4442-4588-b01e-8fe3a2e104ac/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4A01A151-E350-4839-A2B8-03DC39D6C8E5} - hxxp://download.yahoo.com/dl/ypc/ypcxwizard2003080601.cab
DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.tabblo.com/bitty-static/uploader/ImageUploader5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://10.100.100.252/qcbin/Spider90.ocx
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DB3DEA16-7799-4289-96CE-BE8AE96A0D54} - hxxp://www.kodaksharemce.com/KodakSymphony.cab
TCP: {6F7CFE34-3AFB-4892-B203-54906D772853} = 192.168.5.1
TCP: {DF12D48E-6B01-40D1-961A-C361594D1954} = 192.168.5.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\nizuputa.dll mtpcht.dll

============= SERVICES / DRIVERS ===============

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2006-6-22 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2006-6-22 5248]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-26 64160]
R0 m5288;m5288;c:\windows\system32\drivers\m5288.sys [2006-1-5 102528]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-7-14 11840]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2001-10-22 33496]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.SYS [2000-9-11 10816]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 AntiVirScheduler;Avira AntiVir Personal Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-7-14 68865]
R2 AntiVirService;Avira AntiVir Personal Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-7-14 151297]
R2 AVWEBCAM;AV WebCam, WDM Video Capture;c:\windows\system32\drivers\avwebcam.sys [2007-9-14 215552]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbguard.exe -s defaultinstance --> c:\program files\firebird\firebird_2_1\bin\fbguard.exe -s DefaultInstance [?]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 WebCamHelper;WebCamHelper;c:\progra~1\avwebc~1\WebCamHelper.sys [2007-9-14 2688]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-7-14 52032]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbserver.exe -s defaultinstance --> c:\program files\firebird\firebird_2_1\bin\fbserver.exe -s DefaultInstance [?]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\AWHOST32.EXE [2001-11-2 114749]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-7-27 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-7-27 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-7-27 22528]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\lv532av.sys --> c:\windows\system32\drivers\LV532AV.SYS [?]
S3 PsSdk30;PsSdk30;\??\c:\windows\system32\drivers\pssdk30.drv --> c:\windows\system32\drivers\PsSdk30.drv [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2006-6-14 13532]

=============== Created Last 30 ================

2009-03-27 05:50 <DIR> --d----- c:\program files\RealSolutions
2009-03-26 15:21 300 a------- c:\windows\Glerohaqiteji.dat
2009-03-26 15:21 0 a------- c:\windows\Hhevulineteriwe.bin
2009-03-26 12:16 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-26 08:59 4,958,588 a------- c:\windows\{00000003-00000000-00000010-00001102-00000008-10211102}.BAK
2009-03-26 08:59 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-26 08:15 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-26 06:52 <DIR> --d----- C:\VundoFix Backups
2009-03-16 11:35 <DIR> --d----- c:\program files\ICQ6.5
2009-03-15 11:59 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-03-11 07:06 <DIR> --d----- C:\fbfix
2009-03-01 14:28 <DIR> --dsh--- c:\documents and settings\kodak dental systems\IECompatCache
2009-03-01 14:27 <DIR> --dsh--- c:\documents and settings\kodak dental systems\PrivacIE
2009-03-01 14:27 <DIR> --dsh--- c:\documents and settings\kodak dental systems\IETldCache
2009-03-01 14:12 <DIR> --d----- c:\windows\ie8updates
2009-03-01 14:11 81,920 a------- c:\windows\system32\ieencode.dll
2009-03-01 14:04 79,360 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-03-01 13:56 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-01 13:32 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat

==================== Find3M ====================

2009-03-18 07:49 2,147,328 a------- c:\windows\system32\kernel1.exe
2009-03-01 13:55 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2006-06-26 15:42 19,270,946 a------- c:\program files\Themes.7z
2004-10-01 15:00 40,960 a------- c:\program files\Uninstall_CDS.exe
2006-05-03 02:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 03:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-11-13 07:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111320081114\index.dat

============= FINISH: 8:03:23.17 ===============

Edited by BarbaEnzo, 27 March 2009 - 10:05 AM.
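The behaviour described in this post (a Run value whose name stays fixed while the rundll32-loaded DLL in the Windows directory is renamed after each reboot, plus extra entries in LSA Notification Packages) can be triaged mechanically from the DDS "Pseudo HJT Report". The Python below is an added example written for this page, not a DDS or BleepingComputer tool; the sample lines are constructed from the two reports in this thread, and the severity labels, the Windows-root heuristic and the XP default of `scecli` as the only stock notification package are this example's own assumptions.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread (not code from DDS or BleepingComputer).
It parses uRun/mRun, BHO and LSA lines, flags the two persistence
indicators visible in the logs above, and diffs two reports to find a
Run value whose name persists while the DLL it loads was renamed.
"""
import re

# Constructed sample lines modelled on the two DDS reports in the thread.
REPORT_1 = [
    r'BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File',
    r'mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min',
    r'mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp',
    r'mRun: [Jrobibere] rundll32.exe "c:\windows\atadavakul.dll",e',
    r'LSA: Notification Packages = scecli c:\windows\system32\nizuputa.dll mtpcht.dll',
]
REPORT_2 = [
    r'mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min',
    r'mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp',
    r'mRun: [Jrobibere] rundll32.exe "c:\windows\ekavivamebo.dll",e',
    r'LSA: Notification Packages = scecli c:\windows\system32\nizuputa.dll mtpcht.dll',
]

RUN_LINE = re.compile(r'^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# rundll32 "<path>",<export>  (quotes and export are optional)
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<path>[^",]+)"?(?:,(?P<export>\S+))?', re.I)
LSA_LINE = re.compile(r'^LSA: Notification Packages = (?P<pkgs>.+)$')
BHO_NOFILE = re.compile(r'^BHO: (?P<clsid>\{[0-9a-f-]+\}) - No File$', re.I)

# Assumption: on a stock Windows XP install the only notification package is scecli;
# anything else is loaded into lsass.exe at boot and deserves a look.
DEFAULT_LSA_PACKAGES = {'scecli'}


def parse_run_entries(lines):
    """Return {value_name: command} for every uRun/mRun line."""
    entries = {}
    for line in lines:
        m = RUN_LINE.match(line.strip())
        if m:
            entries[m.group('name')] = m.group('cmd')
    return entries


def windows_root_dll(path):
    """True if path is a .dll sitting directly in the Windows directory (no subfolder).

    Legitimate DLLs live in system32 or a vendor folder; a DLL dropped straight
    into the Windows directory is the pattern seen in this thread (heuristic).
    """
    return re.fullmatch(r'[a-z]:\\windows\\[^\\]+\.dll', path, re.I) is not None


def triage(lines):
    """Flag persistence indicators in one report; returns [(severity, reason, line)]."""
    findings = []
    for line in lines:
        line = line.strip()
        run = RUN_LINE.match(line)
        if run:
            dll = RUNDLL.match(run.group('cmd'))
            if dll and windows_root_dll(dll.group('path')):
                findings.append(('high', 'rundll32 Run entry [%s] loads a DLL from the Windows root: %s'
                                 % (run.group('name'), dll.group('path')), line))
            continue
        lsa = LSA_LINE.match(line)
        if lsa:
            extra = [p for p in lsa.group('pkgs').split() if p.lower() not in DEFAULT_LSA_PACKAGES]
            if extra:
                findings.append(('high', 'non-default LSA Notification Packages: ' + ', '.join(extra), line))
            continue
        bho = BHO_NOFILE.match(line)
        if bho:
            findings.append(('low', 'orphaned BHO %s (No File)' % bho.group('clsid'), line))
    return findings


def renamed_run_entries(old_lines, new_lines):
    """Run values present in both reports whose command changed.

    A value name that persists while its DLL path changes between reboots
    (Jrobibere: atadavakul.dll -> ekavivamebo.dll) is the re-creation
    behaviour the poster describes.
    """
    old, new = parse_run_entries(old_lines), parse_run_entries(new_lines)
    return {name: (old[name], new[name]) for name in old.keys() & new.keys() if old[name] != new[name]}


if __name__ == '__main__':
    for sev, reason, line in triage(REPORT_1):
        print('[%s] %s\n    %s' % (sev, reason, line))
    for name, (before, after) in renamed_run_entries(REPORT_1, REPORT_2).items():
        print('[high] Run value [%s] changed between reports:\n    %s\n    %s' % (name, before, after))
```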




#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:03:30 AM

Posted 05 April 2009 - 04:17 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 BarbaEnzo

BarbaEnzo
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:12:30 AM

Posted 10 April 2009 - 03:08 PM

Thanks for the re-open of the issue. I am still having the problem. I tried to use MalwareBytes and it finds the suspicious startup entry and attempts to remove it, but it seems to come back after a reboot, creating a new dll. Here is a current DDS log file, and I attached the zipped up attach.zip file. Let me know what steps to take next. Thanks in advance.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Kodak Dental Systems at 12:58:40.04 on Fri 04/10/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1298 [GMT -7:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\SysMetrix\SysMetrix.exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWlan.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\YAC\yac.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpacialAudio\SAMBC\SAMBC.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Documents and Settings\Kodak Dental Systems\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig
mWinlogon: UIHost=c:\program files\tgtsoft\stylexp\logon\CurrentLogon.EXE
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CoTGT_BHO Class: {c333cf63-767f-4831-94ac-e683d962c63c} - c:\program files\tgtsoft\stylexp\TGT_BHO.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [STYLEXP] c:\program files\tgtsoft\stylexp\StyleXP.exe -Hide
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [MediaLifeService] "c:\program files\logitech\medialife\MediaLifeService.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [SysMetrix] c:\program files\sysmetrix\SysMetrix.exe
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy4\dvdaudio\CTDVDDET.EXE"
mRun: [CTSysVol] c:\program files\creative\sbaudigy4\surround mixer\CTSysVol.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [HydraVisionDesktopManager] c:\program files\ati technologies\ati hydravision\HydraDM.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [FixCamera] c:\windows\FixCamera.exe
mRun: [tsnp2std] c:\windows\tsnp2std.exe
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Jrobibere] rundll32.exe "c:\windows\ekavivamebo.dll",e
StartupFolder: c:\docume~1\kodakd~1\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek rtl8185 wireless lan driver and utility\RtWlan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\settings.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\yac.lnk - c:\program files\yac\yac.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6.5\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://echat.bellsouth.net/sdccommon/download/tgctlcm.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4A01A151-E350-4839-A2B8-03DC39D6C8E5} - hxxp://download.yahoo.com/dl/ypc/ypcxwizard2003080601.cab
DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.tabblo.com/bitty-static/uploader/ImageUploader5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://10.100.100.252/qcbin/Spider90.ocx
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DB3DEA16-7799-4289-96CE-BE8AE96A0D54} - hxxp://www.kodaksharemce.com/KodakSymphony.cab
TCP: {6F7CFE34-3AFB-4892-B203-54906D772853} = 192.168.5.1
TCP: {DF12D48E-6B01-40D1-961A-C361594D1954} = 192.168.5.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\nizuputa.dll mtpcht.dll

============= SERVICES / DRIVERS ===============

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2006-6-22 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2006-6-22 5248]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-26 64160]
R0 m5288;m5288;c:\windows\system32\drivers\m5288.sys [2006-1-5 102528]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-7-14 11840]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2001-10-22 33496]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.SYS [2000-9-11 10816]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 AntiVirScheduler;Avira AntiVir Personal Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-7-14 68865]
R2 AntiVirService;Avira AntiVir Personal Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-7-14 151297]
R2 AVWEBCAM;AV WebCam, WDM Video Capture;c:\windows\system32\drivers\avwebcam.sys [2007-9-14 215552]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbguard.exe -s defaultinstance --> c:\program files\firebird\firebird_2_1\bin\fbguard.exe -s DefaultInstance [?]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 WebCamHelper;WebCamHelper;c:\progra~1\avwebc~1\WebCamHelper.sys [2007-9-14 2688]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-7-14 52032]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbserver.exe -s defaultinstance --> c:\program files\firebird\firebird_2_1\bin\fbserver.exe -s DefaultInstance [?]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 SamsonLLDriver;Samson LL Driver;c:\windows\system32\drivers\SamsonLLDriver.sys [2006-12-12 56832]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
R3 SWWDM_multi;Samson Audio (WDM);c:\windows\system32\drivers\SWAudWDM.sys [2006-12-12 25088]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\AWHOST32.EXE [2001-11-2 114749]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-7-27 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-7-27 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-7-27 22528]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\lv532av.sys --> c:\windows\system32\drivers\LV532AV.SYS [?]
S3 PsSdk30;PsSdk30;\??\c:\windows\system32\drivers\pssdk30.drv --> c:\windows\system32\drivers\PsSdk30.drv [?]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2006-6-14 13532]

=============== Created Last 30 ================

2009-04-01 10:09 <DIR> --d----- c:\docume~1\kodakd~1\applic~1\Malwarebytes
2009-04-01 10:09 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-01 10:09 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 10:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-01 10:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-30 08:32 <DIR> --d----- c:\program files\ManyCam 2.4
2009-03-30 08:32 <DIR> --d----- c:\docume~1\kodakd~1\applic~1\ManyCam
2009-03-27 18:49 <DIR> --d----- c:\program files\Samson
2009-03-27 18:39 <DIR> --d----- c:\docume~1\kodakd~1\applic~1\Cakewalk
2009-03-27 18:37 233,472 a------- c:\windows\system32\REX Shared Library.dll
2009-03-27 18:37 368,640 a------- c:\windows\system32\ReWire.dll
2009-03-27 18:37 <DIR> --d----- c:\program files\Cakewalk
2009-03-27 18:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Cakewalk
2009-03-27 18:37 <DIR> --d----- C:\Cakewalk Projects
2009-03-27 05:50 <DIR> --d----- c:\program files\RealSolutions
2009-03-26 15:21 408 a------- c:\windows\Glerohaqiteji.dat
2009-03-26 15:21 0 a------- c:\windows\Hhevulineteriwe.bin
2009-03-26 12:16 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-26 08:59 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-26 08:15 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-26 06:52 <DIR> --d----- C:\VundoFix Backups
2009-03-16 11:35 <DIR> --d----- c:\program files\ICQ6.5
2009-03-15 11:59 <DIR> --d----- c:\program files\Windows Installer Clean Up

==================== Find3M ====================

2009-03-18 07:49 2,147,328 a------- c:\windows\system32\kernel1.exe
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2006-06-26 15:42 19,270,946 a------- c:\program files\Themes.7z
2004-10-01 15:00 40,960 a------- c:\program files\Uninstall_CDS.exe
2006-05-03 02:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 03:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-11-13 07:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111320081114\index.dat

============= FINISH: 12:59:21.31 ===============


#4 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 10 April 2009 - 03:25 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double-click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right-click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 BarbaEnzo

  • Topic Starter
  • Members
  • 14 posts

Posted 11 April 2009 - 04:34 PM

Hi Panda,

Thanks for the help. I ran the ComboFix without any problems. I attached the log.

I am trying to run GMER, but am having an issue. It runs for about 7 hours, and seems to be working fine, then all of a sudden the whole computer freezes. I can't even use Task Manager to exit. I can click the power button to perform a shutdown. I see a few Windows errors upon exit, something about Windows Delayed Write Failed (I think it also mentioned HardDisk/Volume I/$MFT) and another generic one about Windows Application failed. I have tried twice and can't get it to complete successfully. Do you have any suggestions or recommendations? I was thinking of running it in Safe Mode, but I will wait for your reply.

UPDATE: Looking at the Event Viewer from today's log, here are more details on the two errors I received today while running GMER:

Error #1: Application popup: Windows - Application Error : The application failed to initialize properly (0xc0000017). Click on OK to terminate the application.

Error #2: Application popup: Windows - Delayed Write Failed : Windows was unable to save all the data for the file \Device\HarddiskVolume1\$Mft. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.


Thanks again for all the help.

ComboFix 09-04-04.01 - Kodak Dental Systems 2009-04-10 13:55:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1464 [GMT -7:00]
Running from: e:\music i\Apps\CleanUp\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\windows\system32\skinboxer43.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.

2009-04-01 10:09 . 2009-04-01 10:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-01 10:09 . 2009-04-01 10:09 <DIR> d-------- c:\documents and settings\Kodak Dental Systems\Application Data\Malwarebytes
2009-04-01 10:09 . 2009-04-01 10:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-01 10:09 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 10:09 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-30 08:32 . 2009-03-30 08:32 <DIR> d-------- c:\program files\ManyCam 2.4
2009-03-30 08:32 . 2009-03-30 08:32 <DIR> d-------- c:\documents and settings\Kodak Dental Systems\Application Data\ManyCam
2009-03-27 18:49 . 2009-03-27 18:49 <DIR> d-------- c:\program files\Samson
2009-03-27 18:39 . 2009-03-27 18:44 <DIR> d-------- c:\documents and settings\Kodak Dental Systems\Application Data\Cakewalk
2009-03-27 18:37 . 2009-03-27 18:38 <DIR> d-------- c:\program files\Cakewalk
2009-03-27 18:37 . 2009-03-27 18:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Cakewalk
2009-03-27 18:37 . 2009-03-27 18:44 <DIR> d-------- C:\Cakewalk Projects
2009-03-27 18:37 . 2006-11-30 15:49 368,640 --a------ c:\windows\system32\ReWire.dll
2009-03-27 18:37 . 2004-04-13 14:48 233,472 --a------ c:\windows\system32\REX Shared Library.dll
2009-03-27 05:50 . 2009-03-27 05:50 <DIR> d-------- c:\program files\RealSolutions
2009-03-26 15:21 . 2009-04-10 13:45 408 --a------ c:\windows\Glerohaqiteji.dat
2009-03-26 15:21 . 2009-04-10 11:41 0 --a------ c:\windows\Hhevulineteriwe.bin
2009-03-26 12:16 . 2009-03-09 12:06 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-26 08:59 . 2009-03-09 12:06 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-26 08:15 . 2009-03-26 08:48 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-26 06:52 . 2009-03-26 07:43 <DIR> d-------- C:\VundoFix Backups
2009-03-16 11:35 . 2009-03-16 11:37 <DIR> d-------- c:\program files\ICQ6.5
2009-03-15 11:59 . 2009-03-15 11:59 <DIR> d-------- c:\program files\Windows Installer Clean Up
2009-03-15 11:30 . 2009-03-15 11:32 <DIR> d-------- c:\documents and settings\Larry Barba\Tracing
2009-03-11 07:06 . 2009-03-11 07:11 <DIR> d-------- C:\fbfix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 21:02 --------- d-----w c:\program files\SysMetrix
2009-04-10 18:53 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-01 20:16 --------- d-----w c:\documents and settings\Kodak Dental Systems\Application Data\wootalyzer
2009-03-31 15:56 --------- d-----w c:\program files\Java
2009-03-30 15:32 --------- d-----w c:\program files\ManyCam 2.3
2009-03-26 21:22 --------- d-----w c:\program files\SUPERAntiSpyware
2009-03-26 20:27 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-26 15:48 --------- d-----w c:\program files\Lavasoft
2009-03-26 15:48 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-26 12:40 --------- d-----w c:\program files\Wootalyzer
2009-03-25 15:24 --------- d-----w c:\documents and settings\Kodak Dental Systems\Application Data\mIRC
2009-03-25 14:44 --------- d-----w c:\program files\mIRC
2009-03-19 18:06 --------- d-----w c:\program files\AV WebCam Morpher Silver
2009-03-17 15:51 --------- d-----w c:\documents and settings\Kodak Dental Systems\Application Data\ICQ
2009-03-17 15:38 --------- d-----w c:\documents and settings\Kodak Dental Systems\Application Data\gtk-2.0
2009-03-16 18:36 --------- d-----w c:\program files\ICQ6
2009-03-15 19:53 --------- d-----w c:\program files\Windows Live
2009-03-15 19:53 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2009-03-15 19:51 --------- d-----w c:\program files\Microsoft
2009-03-15 18:59 --------- d-----w c:\program files\MSECache
2009-03-14 17:01 --------- d-----w c:\program files\Winamp
2009-03-11 14:01 --------- d-----w c:\program files\Evrsoft First Page 2006
2009-03-01 21:14 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-12 00:24 --------- d-----w c:\program files\TeamViewer
2009-02-11 20:21 --------- d-----w c:\documents and settings\Kodak Dental Systems\Application Data\TeamViewer
2008-01-02 23:54 722,176 ----a-w c:\documents and settings\Larry Barba\gotomypc_428.exe
2006-06-26 22:42 19,270,946 ----a-w c:\program files\Themes.7z
2004-10-01 22:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2008-11-13 14:52 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008111320081114\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"MediaLifeService"="c:\program files\Logitech\MediaLife\MediaLifeService.exe" [2005-05-12 110739]
"SysMetrix"="c:\program files\SysMetrix\SysMetrix.exe" [2006-02-25 2637824]
"CTDVDDET"="c:\program files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTSysVol"="c:\program files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HydraVisionDesktopManager"="c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-15 270336]
"FixCamera"="c:\windows\FixCamera.exe" [2007-02-12 20480]
"tsnp2std"="c:\windows\tsnp2std.exe" [2007-02-13 262144]
"snp2std"="c:\windows\vsnp2std.exe" [2006-12-05 344064]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-19 266497]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 149024]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Jrobibere"="c:\windows\ekavivamebo.dll" [2008-04-13 155648]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 c:\windows\system32\TWEAKUI.CPL]
"CTHelper"="CTHELPER.EXE" [2007-04-09 c:\windows\system32\CtHelper.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 c:\windows\KHALMNPR.Exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2007-07-23 407408]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2007-07-23 407408]

c:\documents and settings\MCX3\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2007-07-23 407408]

c:\documents and settings\Shay Barba.QA3-REMOTE\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2007-07-23 407408]

c:\documents and settings\user\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2007-07-23 407408]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2006-06-19 3450608]

c:\documents and settings\Wendi Barba\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2007-07-23 407408]

c:\documents and settings\Evan Barba\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2007-07-23 407408]

c:\documents and settings\Larry Barba\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2006-06-19 3450608]

c:\documents and settings\MCX1\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2007-07-23 407408]

c:\documents and settings\MCX2\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2007-07-23 407408]

c:\documents and settings\LocalService\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2007-07-23 407408]

c:\documents and settings\Kodak Dental Systems\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2006-06-19 3450608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-05-10 282624]
REALTEK RTL8185 Wireless LAN Utility.lnk - c:\program files\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWlan.exe [2006-06-14 675840]
Settings.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-06-26 450560]
YAC.lnk - c:\program files\YAC\yac.exe [2002-09-26 134656]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\program files\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 10:51 24638 c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ffdshow.ax
"vidc.VP31"= vp31vfw.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.l3codecp"= l3codecp.acm
"msacm.divxa32"= DivXa32.acm
"msacm.CoreFLAC_ACM"= CoreFLAC_ACM.acm
"msacm.qmpeg"= qmpeg.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli mtpcht.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\XLink Kai Evolution VII\\kaiLaunch.exe"=
"c:\\Program Files\\XLink Kai Evolution VII\\kaiEngine.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Ubisoft\\Crytek\\Far Cry\\Bin32\\FarCry.exe"=
"c:\\UT2003\\System\\UT2003.exe"=
"c:\\Program Files\\Ubisoft\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"c:\\Program Files\\Army Operations\\System\\ArmyOps.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Program Files\\VUGames\\Tribes Vengeance\\Program\\Bin\\TV_CD_DVD.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Ubisoft\\Splinter Cell Pandora Tomorrow\\Support\\Check_Appli\\pandora_detection.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\User\\Counter-Strike Source\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Qwix\\Qwix.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SpacialAudio\\SAMBC\\SAMBC.exe"=
"c:\\Program Files\\UltraVnc\\vncviewer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\TGTSoft\\StyleXP\\Logon\\CurrentLogon.EXE"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\SpacialAudio\\SAMBC\\SAMReporter\\SAMReporter.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"1221:TCP"= 1221:TCP:SAMRequests
"5801:TCP"= 5801:TCP:vnc5801
"5901:TCP"= 5901:TCP:vnc5901

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2006-06-22 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2006-06-22 5248]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-26 64160]
R0 m5288;m5288;c:\windows\system32\drivers\m5288.sys [2006-01-05 102528]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 AVWEBCAM;AV WebCam, WDM Video Capture;c:\windows\system32\drivers\avwebcam.sys [2007-09-14 215552]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe -s DefaultInstance --> c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe -s DefaultInstance [?]
R2 WebCamHelper;WebCamHelper;c:\progra~1\AVWEBC~1\WebCamHelper.sys [2007-09-14 2688]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe -s DefaultInstance --> c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe -s DefaultInstance [?]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-01-14 21632]
R3 SamsonLLDriver;Samson LL Driver;c:\windows\system32\drivers\SamsonLLDriver.sys [2006-12-12 56832]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
R3 SWWDM_multi;Samson Audio (WDM);c:\windows\system32\drivers\SWAudWDM.sys [2006-12-12 25088]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-07-27 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-07-27 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-07-27 22528]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\DRIVERS\LV532AV.SYS --> c:\windows\system32\DRIVERS\LV532AV.SYS [?]
S3 PsSdk30;PsSdk30;\??\c:\windows\system32\Drivers\PsSdk30.drv --> c:\windows\system32\Drivers\PsSdk30.drv [?]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2006-06-14 13532]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder

2009-04-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:06]

2009-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-07 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.8.30.2.sxt _RegistrationOffer@16 []

2009-04-10 c:\windows\Tasks\shutdown.job
- c:\shutdown\shutdown.exe [2005-08-15 19:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: {6F7CFE34-3AFB-4892-B203-54906D772853} = 192.168.5.1
TCP: {DF12D48E-6B01-40D1-961A-C361594D1954} = 192.168.5.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://10.100.100.252/qcbin/Spider90.ocx
DPF: {DB3DEA16-7799-4289-96CE-BE8AE96A0D54} - hxxp://www.kodaksharemce.com/KodakSymphony.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 14:04:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk21]
"ImagePath"="\??\c:\windows\system32\Drivers\HNPsSdk.drv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdk30]
"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk30.drv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-1637723038-682003330-1013\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{57A48FE7-C423-7BC9-88F9-BF2273FFCBBB}*]
"haachdlnknekecjo"=hex:69,61,6e,63,6a,63,6a,69,6b,6b,66,6c,67,69,62,63,6a,6d,
00,00
"iagbnefkfoeoaebomg"=hex:63,61,6a,64,61,64,00,7c
"iakodbciofilklplpf"=hex:69,61,6e,63,6a,63,6a,69,6b,6b,66,6c,67,69,62,63,6a,6d,
00,00
"dbkdodaiclejgmbcbhmlpoahllnlfghaihahdogh"=hex:6a,62,68,6f,63,67,6d,65,65,6e,
64,67,65,65,6b,70,62,65,65,69,6a,63,6d,6b,6f,67,70,65,61,64,68,63,67,6f,61,\
"jbkdodaiclejgmbcbhmlonmmnkonoigodiicihefeicnejpclapj"=hex:6f,61,67,62,6e,70,
62,6e,70,6a,62,64,63,67,68,69,64,65,67,61,6c,68,66,6d,6e,64,63,70,62,6c,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\貢€|晙|鶗A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(832)
c:\windows\mtpcht.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\ehome\RMSvc.exe
c:\windows\system32\UAService7.exe
c:\windows\ehome\McrdSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2009-04-10 14:15:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-10 21:15:07

Pre-Run: 37,155,160,064 bytes free
Post-Run: 37,899,776,000 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition (bootscreen)" /noexecute=optin /fastdetect /KERNEL=kernel1.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

325 --- E O F --- 2009-03-20 12:28:29

Edited by PropagandaPanda, 12 April 2009 - 09:27 AM.


#6 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 12 April 2009 - 09:35 AM

Hello.

Let's see what we can do.

Did you set this task yourself?

2009-04-10 c:\windows\Tasks\shutdown.job
- c:\shutdown\shutdown.exe [2005-08-15 19:57]


Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    KILLALL::
    File::
    c:\windows\Glerohaqiteji.dat
    c:\windows\Hhevulineteriwe.bin
    c:\windows\ekavivamebo.dll
    c:\windows\mtpcht.dll
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Jrobibere"=-
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\drivers\\svchost.exe"=-
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download and run Malwarebytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download the Malwarebytes Anti-Malware setup and save it to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing Malwarebytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

Download and Run Scan with RootRepeal
We will use RootRepeal to scan for rootkits.
  • Download RootRepeal from the following location and save it to your desktop:
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop. If you are using Windows Vista, right click RootRepeal.exe and select Run As Administrator.
  • Click the Report tab.
  • Click the Scan button.
  • Check all six boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

With Regards,
The Panda

Edited by PropagandaPanda, 12 April 2009 - 10:23 AM.
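As an added example (not part of the thread, ComboFix or the CFScript itself), the checker below parses a REGEDIT4-style export of the two keys the script above touches and flags the same things the script removes: a Run value that has rundll32 load a DLL straight out of the Windows folder, and any LSA Notification Packages entry other than the stock scecli. The export text, the DLL name and the extra package name are constructed for the demonstration.

```python
"""Added example, not from the thread or from ComboFix: parse a REGEDIT4-style
export of the two keys the CFScript targets and flag what the script removes."""
import re
from typing import Dict, List, Tuple

# Constructed sample export (REGEDIT4 flavour: hex(7) data is ANSI, entries are
# NUL-separated and double-NUL terminated). The DLL name and the second
# notification package are made up; only "Jrobibere" and "scecli" come from the thread.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\\windows\\system32\\ctfmon.exe"
"Jrobibere"="rundll32.exe \"C:\\WINDOWS\\example_random.dll\",e"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,72,61,6e,64,6f,6d,\
  70,77,66,69,6c,74,00,00
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
LSA_KEY = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa"
# "scecli" is the stock entry; the CFScript's hex(7) line resets the value to it.
KNOWN_NOTIFICATION_PACKAGES = {"scecli"}


def decode_multi_sz(hex_body: str) -> List[str]:
    """Decode hex(7) (REG_MULTI_SZ) as REGEDIT4 writes it: comma-separated bytes."""
    data = bytes(int(h, 16) for h in hex_body.split(",") if h.strip())
    return [s.decode("latin-1") for s in data.split(b"\x00") if s]


def parse_regedit4(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal parser: {key_path: {value_name: data}}. REG_SZ data is unescaped,
    hex(7) data becomes a list, anything else (e.g. CFScript's '-') stays raw."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    pending = None  # (value_name, hex text so far) while a hex line continues with '\'
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            pending = (pending[0], pending[1] + line.rstrip("\\"))
            if not line.endswith("\\"):
                keys[current][pending[0]] = decode_multi_sz(pending[1])
                pending = None
            continue
        if not line or line.upper() == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("hex(7):"):
            body = data[len("hex(7):"):]
            if body.endswith("\\"):
                pending = (name, body[:-1])
            else:
                keys[current][name] = decode_multi_sz(body)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
        else:
            keys[current][name] = data
    return keys


def lookup(keys: Dict[str, Dict[str, object]], path: str) -> Dict[str, object]:
    """Registry paths are case-insensitive, so compare them that way."""
    return next((v for k, v in keys.items() if k.lower() == path.lower()), {})


def find_suspicious(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    findings: List[Tuple[str, str, str]] = []
    for name, cmd in lookup(keys, RUN_KEY).items():
        if not isinstance(cmd, str):
            continue
        # rundll32 loading a DLL that sits directly in the Windows folder rather
        # than system32 is the pattern the script's "Jrobibere"=- line removes.
        m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', cmd, re.I)
        if m and re.fullmatch(r"[a-z]:\\windows\\[^\\]+", m.group(1), re.I):
            findings.append(("Run", name, cmd))
    for pkg in lookup(keys, LSA_KEY).get("Notification Packages", []):
        # Extra password-filter DLLs load into lsass at boot; only scecli is expected.
        if pkg.lower() not in KNOWN_NOTIFICATION_PACKAGES:
            findings.append(("LSA Notification Packages", pkg, "unexpected entry"))
    return findings


if __name__ == "__main__":
    for where, what, detail in find_suspicious(parse_regedit4(SAMPLE_EXPORT)):
        print(f"{where}: {what} -> {detail}")
```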


#7 BarbaEnzo
  • Topic Starter
  • Members
  • 14 posts

Posted 12 April 2009 - 11:50 AM

Thanks Panda,

I will get started on these tasks and get back to you as soon as I can. I will be out part of today and returning this evening. I will let you know how it goes and post back the logs. I do have the shutdown.exe in the task scheduler by choice. I use it to auto shut down my computer at night.

#8 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 12 April 2009 - 12:00 PM

Hello BarbaEnzo.

That's no problem. See you then.

The Panda

#9 BarbaEnzo
  • Topic Starter
  • Members
  • 14 posts

Posted 12 April 2009 - 08:04 PM

Hi Panda,

Here are the log files. I am still having trouble with the rootkit checkers. This time it seemed to try to run and then locked up; I was away for quite a long time. When I got back, it was not running and there was a RootRepeal crash log. I have attached it, along with the new ComboFix and Malwarebytes logs.

ComboFix 09-04-12.03 - Kodak Dental Systems 2009-04-12 9:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1461 [GMT -7:00]
Running from: c:\documents and settings\Kodak Dental Systems\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kodak Dental Systems\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\ekavivamebo.dll
c:\windows\Glerohaqiteji.dat
c:\windows\Hhevulineteriwe.bin
c:\windows\mtpcht.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\ekavivamebo.dll
c:\windows\Glerohaqiteji.dat
c:\windows\Hhevulineteriwe.bin
c:\windows\mtpcht.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-12 to 2009-04-12 )))))))))))))))))))))))))))))))
.

2009-04-11 21:19 . 2009-04-12 05:42 4958588 ------w c:\windows\{00000003-00000000-00000010-00001102-00000008-10211102}.BAK
2009-04-10 20:46 . 2000-08-31 15:00 89504 ----a-w c:\windows\fdsv.exe
2009-04-01 17:09 . 2009-04-01 17:09 -------- d-----w c:\documents and settings\Kodak Dental Systems\Application Data\Malwarebytes
2009-04-01 17:09 . 2009-03-26 23:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-01 17:09 . 2009-03-26 23:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 17:09 . 2009-04-01 17:09 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-01 17:09 . 2009-04-01 17:09 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-30 15:32 . 2009-04-11 18:36 -------- d-----w c:\program files\ManyCam 2.4
2009-03-30 15:32 . 2009-03-30 15:32 -------- d-----w c:\documents and settings\Kodak Dental Systems\Application Data\ManyCam
2009-03-28 01:49 . 2009-03-28 01:49 -------- d-----w c:\program files\Samson
2009-03-28 01:39 . 2009-03-28 01:44 -------- d-----w c:\documents and settings\Kodak Dental Systems\Application Data\Cakewalk
2009-03-28 01:37 . 2004-04-13 21:48 233472 ----a-w c:\windows\system32\REX Shared Library.dll
2009-03-28 01:37 . 2006-11-30 22:49 368640 ----a-w c:\windows\system32\ReWire.dll
2009-03-28 01:37 . 2009-03-28 01:44 -------- d-----w C:\Cakewalk Projects
2009-03-28 01:37 . 2009-03-28 01:38 -------- d-----w c:\documents and settings\All Users\Application Data\Cakewalk
2009-03-28 01:37 . 2009-03-28 01:38 -------- d-----w c:\program files\Cakewalk
2009-03-27 12:50 . 2009-03-27 12:50 -------- d-----w c:\program files\RealSolutions
2009-03-26 19:16 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-03-26 15:59 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-03-26 15:15 . 2009-03-26 15:48 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-26 13:52 . 2009-03-26 14:43 -------- d-----w C:\VundoFix Backups
2009-03-16 18:35 . 2009-03-16 18:37 -------- d-----w c:\program files\ICQ6.5
2009-03-15 18:59 . 2009-03-15 18:59 -------- d-----w c:\program files\Windows Installer Clean Up
2009-03-15 18:30 . 2009-03-15 18:32 -------- d-----w c:\documents and settings\Larry Barba\Tracing

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 17:12 . 2006-06-19 11:40 -------- d-----w c:\program files\SysMetrix
2009-04-12 17:09 . 2009-03-26 20:08 6268 ----a-w C:\aaw7boot.log
2009-04-11 18:36 . 2008-11-21 21:18 -------- d-----w c:\program files\Wootalyzer
2009-04-10 20:05 . 2008-10-07 19:32 6490 ----a-w C:\winzip.log
2009-04-10 18:53 . 2008-09-23 16:05 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-03 22:01 . 2009-03-04 02:20 7015 ----a-w C:\dummy.txt
2009-04-01 20:16 . 2008-11-21 21:18 -------- d-----w c:\documents and settings\Kodak Dental Systems\Application Data\wootalyzer
2009-03-31 15:56 . 2006-08-09 14:43 -------- d-----w c:\program files\Java
2009-03-30 15:32 . 2008-08-19 15:53 -------- d-----w c:\program files\ManyCam 2.3
2009-03-26 21:22 . 2009-01-28 05:07 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-26 20:27 . 2009-01-28 01:19 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-26 15:48 . 2006-06-19 17:37 -------- d-----w c:\program files\Lavasoft
2009-03-26 15:48 . 2008-09-22 23:16 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-26 14:58 . 2009-03-26 13:52 468 ----a-w C:\VundoFix.txt
2009-03-25 15:24 . 2008-10-26 06:16 -------- d-----w c:\documents and settings\Kodak Dental Systems\Application Data\mIRC
2009-03-25 14:44 . 2008-10-26 06:16 -------- d-----w c:\program files\mIRC
2009-03-19 18:06 . 2007-09-14 22:46 -------- d-----w c:\program files\AV WebCam Morpher Silver
2009-03-18 14:49 . 2006-06-19 02:34 2147328 ----a-w c:\windows\system32\kernel1.exe
2009-03-17 15:51 . 2008-08-23 03:04 -------- d-----w c:\documents and settings\Kodak Dental Systems\Application Data\ICQ
2009-03-17 15:38 . 2008-11-20 15:44 -------- d-----w c:\documents and settings\Kodak Dental Systems\Application Data\gtk-2.0
2009-03-16 18:36 . 2008-08-23 03:04 -------- d-----w c:\program files\ICQ6
2009-03-15 19:53 . 2008-04-09 18:03 -------- d-----w c:\program files\Windows Live
2009-03-15 19:53 . 2008-04-09 18:02 -------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2009-03-15 19:51 . 2008-08-24 21:16 -------- d-----w c:\program files\Microsoft
2009-03-15 18:59 . 2007-11-06 13:53 -------- d-----w c:\program files\MSECache
2009-03-14 17:01 . 2006-06-19 15:04 -------- d-----w c:\program files\Winamp
2009-03-11 14:01 . 2006-08-01 15:59 -------- d-----w c:\program files\Evrsoft First Page 2006
2009-03-09 12:19 . 2008-12-19 13:37 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-01 21:14 . 2008-11-13 18:09 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-18 22:19 . 2008-06-30 16:45 921624 ----a-w C:\snp2sxp-001.raw
2009-02-12 00:24 . 2009-02-11 20:21 -------- d-----w c:\program files\TeamViewer
2009-02-11 20:21 . 2009-02-11 20:21 -------- d-----w c:\documents and settings\Kodak Dental Systems\Application Data\TeamViewer
2009-02-09 11:13 . 2004-10-08 12:01 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 01:52 . 2009-02-07 01:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-02 14:14 . 2009-02-02 14:14 232 ---ha-w C:\sqmdata01.sqm
2009-02-02 14:14 . 2009-02-02 14:14 244 ---ha-w C:\sqmnoopt01.sqm
2009-01-15 19:18 . 2009-01-15 19:18 244 ---ha-w C:\sqmnoopt00.sqm
2009-01-15 19:18 . 2009-01-15 19:18 232 ---ha-w C:\sqmdata00.sqm
2008-01-02 23:54 . 2008-01-02 23:54 722176 ----a-w c:\documents and settings\Larry Barba\gotomypc_428.exe
2006-06-26 22:42 . 2006-06-26 22:40 19270946 ----a-w c:\program files\Themes.7z
2004-10-01 22:00 . 2006-06-15 01:40 40960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"MediaLifeService"="c:\program files\Logitech\MediaLife\MediaLifeService.exe" [2005-05-12 110739]
"SysMetrix"="c:\program files\SysMetrix\SysMetrix.exe" [2006-02-25 2637824]
"CTDVDDET"="c:\program files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTSysVol"="c:\program files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HydraVisionDesktopManager"="c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-15 270336]
"FixCamera"="c:\windows\FixCamera.exe" [2007-02-12 20480]
"tsnp2std"="c:\windows\tsnp2std.exe" [2007-02-13 262144]
"snp2std"="c:\windows\vsnp2std.exe" [2006-12-05 344064]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-19 266497]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 149024]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 c:\windows\system32\TWEAKUI.CPL]
"CTHelper"="CTHELPER.EXE" [2007-04-09 c:\windows\system32\CtHelper.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 c:\windows\KHALMNPR.Exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2007-07-23 407408]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2007-07-23 407408]

c:\documents and settings\MCX3\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2007-07-23 407408]

c:\documents and settings\Shay Barba.QA3-REMOTE\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2007-07-23 407408]

c:\documents and settings\user\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2007-07-23 407408]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2006-06-19 3450608]

c:\documents and settings\Wendi Barba\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2007-07-23 407408]

c:\documents and settings\Evan Barba\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2007-07-23 407408]

c:\documents and settings\Larry Barba\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2006-06-19 3450608]

c:\documents and settings\MCX1\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2007-07-23 407408]

c:\documents and settings\MCX2\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2007-07-23 407408]

c:\documents and settings\LocalService\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2007-07-23 407408]

c:\documents and settings\Kodak Dental Systems\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2006-06-19 3450608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-05-10 282624]
REALTEK RTL8185 Wireless LAN Utility.lnk - c:\program files\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWlan.exe [2006-06-14 675840]
Settings.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-06-26 450560]
YAC.lnk - c:\program files\YAC\yac.exe [2002-09-26 134656]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\program files\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 10:51 24638 c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ffdshow.ax
"vidc.VP31"= vp31vfw.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.l3codecp"= l3codecp.acm
"msacm.divxa32"= DivXa32.acm
"msacm.CoreFLAC_ACM"= CoreFLAC_ACM.acm
"msacm.qmpeg"= qmpeg.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\XLink Kai Evolution VII\\kaiLaunch.exe"=
"c:\\Program Files\\XLink Kai Evolution VII\\kaiEngine.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Ubisoft\\Crytek\\Far Cry\\Bin32\\FarCry.exe"=
"c:\\UT2003\\System\\UT2003.exe"=
"c:\\Program Files\\Ubisoft\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"c:\\Program Files\\Army Operations\\System\\ArmyOps.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Program Files\\VUGames\\Tribes Vengeance\\Program\\Bin\\TV_CD_DVD.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Ubisoft\\Splinter Cell Pandora Tomorrow\\Support\\Check_Appli\\pandora_detection.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\User\\Counter-Strike Source\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Qwix\\Qwix.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SpacialAudio\\SAMBC\\SAMBC.exe"=
"c:\\Program Files\\UltraVnc\\vncviewer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\TGTSoft\\StyleXP\\Logon\\CurrentLogon.EXE"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\SpacialAudio\\SAMBC\\SAMReporter\\SAMReporter.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"1221:TCP"= 1221:TCP:SAMRequests
"5801:TCP"= 5801:TCP:vnc5801
"5901:TCP"= 5901:TCP:vnc5901

R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-04-05 17920]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-01-23 7680]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-05-04 22528]
R3 PID_0920;Logitech QuickCam Express(PID_0920); [x]
R3 PsSdk30;PsSdk30; [x]
R3 SjyPkt;SjyPkt;c:\windows\System32\Drivers\SjyPkt.sys [2002-10-02 13532]
S0 d346bus;d346bus;c:\windows\system32\DRIVERS\d346bus.sys [2004-03-12 156800]
S0 d346prt;d346prt;c:\windows\System32\Drivers\d346prt.sys [2004-03-12 5248]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S0 m5288;m5288;c:\windows\system32\DRIVERS\m5288.sys [2005-10-18 102528]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-01-15 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-01-15 55024]
S2 AVWEBCAM;AV WebCam, WDM Video Capture;c:\windows\system32\DRIVERS\avwebcam.sys [2005-11-22 215552]
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [2007-10-16 81920]
S2 WebCamHelper;WebCamHelper;c:\progra~1\AVWEBC~1\WebCamHelper.sys [2006-03-02 2688]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [2007-10-16 2711552]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [2008-01-14 21632]
S3 SamsonLLDriver;Samson LL Driver;c:\windows\system32\Drivers\SamsonLLDriver.sys [2006-12-12 56832]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 SWWDM_multi;Samson Audio (WDM);c:\windows\system32\drivers\SWAudWDM.sys [2006-12-12 25088]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder

2009-04-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:06]

2009-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-07 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.8.30.2.sxt _RegistrationOffer@16 []

2009-04-10 c:\windows\Tasks\shutdown.job
- c:\shutdown\shutdown.exe [2005-08-15 19:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: {6F7CFE34-3AFB-4892-B203-54906D772853} = 192.168.5.1
TCP: {DF12D48E-6B01-40D1-961A-C361594D1954} = 192.168.5.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://10.100.100.252/qcbin/Spider90.ocx
DPF: {DB3DEA16-7799-4289-96CE-BE8AE96A0D54} - hxxp://www.kodaksharemce.com/KodakSymphony.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-12 10:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk21]
"ImagePath"="\??\c:\windows\system32\Drivers\HNPsSdk.drv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdk30]
"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk30.drv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-1637723038-682003330-1013\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{57A48FE7-C423-7BC9-88F9-BF2273FFCBBB}*]
"haachdlnknekecjo"=hex:69,61,6e,63,6a,63,6a,69,6b,6b,66,6c,67,69,62,63,6a,6d,
00,00
"iagbnefkfoeoaebomg"=hex:63,61,6a,64,61,64,00,7c
"iakodbciofilklplpf"=hex:69,61,6e,63,6a,63,6a,69,6b,6b,66,6c,67,69,62,63,6a,6d,
00,00
"dbkdodaiclejgmbcbhmlpoahllnlfghaihahdogh"=hex:6a,62,68,6f,63,67,6d,65,65,6e,
64,67,65,65,6b,70,62,65,65,69,6a,63,6d,6b,6f,67,70,65,61,64,68,63,67,6f,61,\
"jbkdodaiclejgmbcbhmlonmmnkonoigodiicihefeicnejpclapj"=hex:6f,61,67,62,6e,70,
62,6e,70,6a,62,64,63,67,68,69,64,65,67,61,6c,68,66,6d,6e,64,63,70,62,6c,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\貢€|晙|鶗A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2248)
c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDMH.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\ehome\RMSvc.exe
c:\windows\system32\UAService7.exe
c:\windows\ehome\McrdSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2009-04-12 10:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-12 17:25
ComboFix2.txt 2009-04-10 21:15

Pre-Run: 37,760,671,744 bytes free
Post-Run: 37,799,346,176 bytes free

332 --- E O F --- 2009-03-20 12:28

Malwarebytes' Anti-Malware 1.36
Database version: 1970
Windows 5.1.2600 Service Pack 3

4/12/2009 10:34:07 AM
mbam-log-2009-04-12 (10-34-07).txt

Scan type: Quick Scan
Objects scanned: 124077
Time elapsed: 2 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Edited by PropagandaPanda, 13 April 2009 - 08:44 AM.


#10 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 13 April 2009 - 08:46 AM

Hello.

Though the other logs look clean, I want to get a rootkit scan off still.

Boot your computer into Safe Mode.

Try running RootRepeal again from there. If it takes more than an hour, skip it.

With Regards,
The Panda

#11 BarbaEnzo
  • Topic Starter
  • Members
  • 14 posts

Posted 13 April 2009 - 11:00 AM

Good Morning Panda,

I forgot to mention one warning message I get when I start RootRepeal. It says:

"Mismatch between the kernel reported by Windows and the one reported by a hardware scan. Do you want to use the kernel reported by Windows ?"

I click [Yes] and it appears to start without a problem. I select all the options and it starts to scan, I think. It says "Initializing, please wait..." towards the middle of the window, and "Scanning..." at the very bottom. But nothing else ever happens; I see no progress or files being scanned.

I just wanted to add that before I try it in SafeMode, in case that was something important I left out.

Thanks,

Barbaenzo

#12 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 13 April 2009 - 11:00 AM

Hello.

Continue with trying it in Safe Mode please.

The Panda

#13 BarbaEnzo
  • Topic Starter
  • Members
  • 14 posts

Posted 13 April 2009 - 01:53 PM

Hi Panda,

RootRepeal is still being stubborn in Safe Mode. The only difference this time is I did get a warning that I was running it in Safe Mode. But it still behaves the same by locking up after I click [Scan] and select the options and drives. Any other suggestions?

Thanks,

BarbaEnzo

#14 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 13 April 2009 - 03:14 PM

Hello.

Let's try another tool.

Please download Rooter.exe and save it to your desktop.
  • Double-click it to start the tool. If you are using Vista, please right-click and choose Run As Administrator...
  • Allow it to run when you get a Security Warning.
  • A black Command Prompt window will open saying: "Please Wait..."
  • It will now begin to scan; please be patient. The scan should not take more than 2 minutes.
  • A Notepad file containing the report will open soon. It can also be found at %systemdrive%\Rooter.txt
  • Please post the contents of that log in your next reply.
With Regards,
The Panda

#15 BarbaEnzo
  • Topic Starter
  • Members
  • 14 posts

Posted 13 April 2009 - 03:36 PM

Hi Panda,

It seems the third try worked like a charm. I attached the log file from the Rooter.exe. Let me know what else I may need to do. Thanks again for all your help so far!

- BarbaEnzo
