Possible Recycler Worm -- Unsure what it is


  • This topic is locked
16 replies to this topic

#1 perrymc

  • Members
  • 39 posts
  • OFFLINE
  • Local time:07:44 AM

Posted 27 March 2009 - 01:27 PM

I have a Dell Optiplex GX400, with Intel Pentium 4, 1.6 GHz running Win XP Pro SP2

I am not sure if I have one or multiple infections so I will try to give an accurate description of what is going on.

A little over a week ago I upgraded from Windows Media Player 9 to WMP 11. Somewhere along the way I did add DIVX codec for WMP11 from DIVX website. No apparent problems related to this at the time.

Was on a P2P, BTJunkie (I know, I know). Normally avoid these. Mea Culpa.

Noticed slowdown and very active hard drive. Found ld02.exe and pp04.exe in my Msconfig startup menu. Unchecked both. Previously AVG 8 Free found Trojans Sheur2.org, Generic12.BKLQ, Sheur2.USH (nabukeyu.dll) among others, another day it found virus HTML/Framer.S and then Mar 19 it found Trojan Pakes.CTG (C:\windows\system32\dll32.dll) and Sheur2.Whp (C:\window\pp03.exe). All were quarantined. I have since noticed that nabukey.dll remains in my registry as 020 – AppInit_DLLs: C:\windows\system32\nabukeyu.dll. It was on the 19th all my major problems started.

I am concerned that the dll32.dll may be a false positive. At this point I have taken no action to correct.

Presently:

1. I cannot connect to the internet with this computer (I still use my other computer for access). I tried checking device manager. It reported everything ok. I tried enabling/disabling both the Ethernet and Wifi cards (switched between both). Attempts to run a repair on each would return ‘Windows could not finish repairing the problem because the following action cannot be completed. ‘Registering with DNS’’. Regardless of the state of the cards, the network connections both continued to show enabled. I can still bring over programs like DDS.scr via usb thumb drive, although malware removal programs will not be able to automatically update via an internet connection.
2. I normally use IE 7 but Firefox would return ‘The proxy server is refusing connections’. Is that my router preventing an outgoing connection?
3. My SuperAntispyware program is corrupted and will not load on boot.
4. AVG 8 Free no longer finds any problems
5. Until a couple days ago, I could not access Control Panel from the start menu or any of my drives using My Computer. I would get errors like “Windows cannot find ‘Recycler\S-9-4-94-100016161-100016006-100017509-4926.COM’. make sure you typed the name correctly and try again ….” Other attempts will also return ‘Access is Denied’. I was still able to access using windows explorer. Don’t know what changed to start allowing me access via My Computer. One thing I did do was delete the hidden file autorun.inf from my thumb (flash) drive which was connected to the system when I started having serious problems. Accessing the thumb drive wasn’t a problem after that.
6. Task Bar is white instead of blue.
7. I cannot use System Restore, all previous restore points prior to 16 March are gone. System Restore just hangs.
8. Cannot boot into normal Safe Mode (can boot into ‘safe Mode with networking’). Attempts to boot in normal safe mode hang at message ‘ESC to cancel loading SPTD.SYS’. It has to be rebooted whether you hit ESC or not.
9. An immediate problem was that Windows Firewall was turned off. I would turn it on and it would be back off the next time I logged on. Eventually it went to an ‘unable to turn on’ message.
10. There is a folder called HDExtrem (empty) in my Start Menu, All Programs that I just learned is a Trojan related to viewing TV programs. 3 - 4 weeks ago I did have to install a program to watch a FOX network tv show on the internet. I was at the Fox website when I installed it.

Okay, I am fairly certain all of the above symptoms are related to the malware, but if not I will deal with them another time. So for now here are the DDS logs you want. Sorry, cannot do an online Kaspersky scan.

DDS.txt

DDS (Ver_09-03-16.01) - NTFSx86
Run by NAU at 10:02:25.65 on Fri 03/27/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.231 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\NAU\Application Data\nSvcAppFlt.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Documents and Settings\NAU\Desktop\dds.scr
C:\WINDOWS\system32\svchost.exe -k netsvcs

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mamma.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {73018ca9-5596-4e28-adc2-270c4c454735} - c:\windows\system32\palozora.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {07AA283A-43D7-4CBE-A064-32A21112D94D} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Win32load] c:\documents and settings\nau\application data\nSvcAppFlt.exe -lds
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
TCP: NameServer = 85.255.112.146,85.255.112.76
TCP: {F4FF1D72-3DD6-4FC7-8DC9-D7A872DD6B08} = 85.255.112.146,85.255.112.76
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\nabukeyu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\nabukeyu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nau\applic~1\mozilla\firefox\profiles\gjvszn7m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - mamma
FF - prefs.js: browser.startup.homepage - hxxp://tucson.cox.net/cci/home
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-10-6 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-27 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-27 27656]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-4 298264]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [2008-10-20 32840]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2008-3-22 386688]

=============== Created Last 30 ================

2009-03-25 21:27 <DIR> --d----- c:\program files\gBurner
2009-03-18 14:55 11,776 ----h--- c:\windows\pp04.exe
2009-03-18 14:43 0 a------- c:\windows\system32\nfr.gpref
2009-03-18 12:54 0 a------- c:\windows\system32\nfr.assembly
2009-03-18 12:39 1 a------- c:\windows\9g234sdfdfgjf23
2009-03-18 12:39 2 ----h--- c:\windows\t55ft2950f44.dat
2009-03-18 12:39 14,848 ----h--- c:\windows\ld02.exe
2009-03-18 09:33 11,264 a------- c:\docume~1\nau\applic~1\nSvcAppFlt.exe
2009-03-13 18:01 1,197,294 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-03-13 18:01 764,868 -c------ c:\windows\system32\dllcache\apph_sp.sdb
2009-03-13 18:01 217,118 -c------ c:\windows\system32\dllcache\apphelp.sdb
2009-03-13 18:00 <DIR> --d----- c:\program files\Windows Media Connect 2

==================== Find3M ====================

2009-03-27 08:54 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-03-27 08:53 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-02-23 19:05 1,744 a------- c:\windows\system32\d3d9caps.dat
2009-02-09 03:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-04 18:03 1,632 a------- c:\windows\system32\d3d8caps.dat
2009-02-04 16:59 589,824 a------- c:\windows\system32\CDDBControlRoxio.dll
2009-02-04 16:59 761,856 a------- c:\windows\system32\CDDBUIRoxio.dll
2009-02-04 16:59 66,992 a------- c:\windows\system32\drivers\cdr4_xp.sys
2009-02-04 16:59 61,440 a------- c:\windows\system32\cdrtc.dll
2009-02-04 16:59 45,056 a------- c:\windows\system32\cdral.dll
2009-02-04 16:59 24,698 a------- c:\windows\system32\drivers\cdralw2k.sys
2009-02-04 16:49 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-04 16:49 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-27 16:41 98,304 a------- c:\windows\system32\CmdLineExt.dll
2009-01-20 16:51 18,312 a------- c:\docume~1\nau\applic~1\GDIPFONTCACHEV1.DAT
2009-01-02 18:19 1,752 a------- c:\windows\pchealth\helpctr\config\incstore.bin

============= FINISH: 10:02:44.54 ===============

Attached Files

#2 KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:07:44 AM

Posted 05 April 2009 - 04:25 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 perrymc

  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:07:44 AM

Posted 09 April 2009 - 12:20 PM

I can see business has picked up almost exponentially since last year! Wow!

Thanks for the reply, Koan. Sorry for the delayed reply back as I have been overwhelmed myself but I am ready to get this system cleaned up. I did see references to different malware along with what I think is the trojan DNSChanger. I elected to not run MalwareBytes or do anything until you could take a look. I did run a new DDS today and attached the zip file. Will wait for your next step.


DDS (Ver_09-03-16.01) - NTFSx86
Run by NAU at 9:42:44.36 on Thu 04/09/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.258 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\NAU\Application Data\nSvcAppFlt.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\NAU\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mamma.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {73018ca9-5596-4e28-adc2-270c4c454735} - c:\windows\system32\palozora.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {07AA283A-43D7-4CBE-A064-32A21112D94D} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Win32load] c:\documents and settings\nau\application data\nSvcAppFlt.exe -lds
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
TCP: NameServer = 85.255.112.146,85.255.112.76
TCP: {F4FF1D72-3DD6-4FC7-8DC9-D7A872DD6B08} = 85.255.112.146,85.255.112.76
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\nabukeyu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\nabukeyu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nau\applic~1\mozilla\firefox\profiles\gjvszn7m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - mamma
FF - prefs.js: browser.startup.homepage - hxxp://tucson.cox.net/cci/home
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-10-6 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-27 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-27 27656]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-4 298264]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [2008-10-20 32840]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2008-3-22 386688]

=============== Created Last 30 ================

2009-03-25 21:27 <DIR> --d----- c:\program files\gBurner
2009-03-18 14:55 11,776 ----h--- c:\windows\pp04.exe
2009-03-18 14:43 0 a------- c:\windows\system32\nfr.gpref
2009-03-18 12:54 0 a------- c:\windows\system32\nfr.assembly
2009-03-18 12:39 1 a------- c:\windows\9g234sdfdfgjf23
2009-03-18 12:39 2 ----h--- c:\windows\t55ft2950f44.dat
2009-03-18 12:39 14,848 ----h--- c:\windows\ld02.exe
2009-03-18 09:33 11,264 a------- c:\docume~1\nau\applic~1\nSvcAppFlt.exe
2009-03-13 18:01 1,197,294 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-03-13 18:01 764,868 -c------ c:\windows\system32\dllcache\apph_sp.sdb
2009-03-13 18:01 217,118 -c------ c:\windows\system32\dllcache\apphelp.sdb
2009-03-13 18:00 <DIR> --d----- c:\program files\Windows Media Connect 2

==================== Find3M ====================

2009-03-31 09:10 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-03-31 09:09 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-03-28 11:35 1,744 a------- c:\windows\system32\d3d9caps.dat
2009-02-09 03:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-04 18:03 1,632 a------- c:\windows\system32\d3d8caps.dat
2009-02-04 16:59 589,824 a------- c:\windows\system32\CDDBControlRoxio.dll
2009-02-04 16:59 761,856 a------- c:\windows\system32\CDDBUIRoxio.dll
2009-02-04 16:59 61,440 a------- c:\windows\system32\cdrtc.dll
2009-02-04 16:59 45,056 a------- c:\windows\system32\cdral.dll
2009-02-04 16:49 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-27 16:41 98,304 a------- c:\windows\system32\CmdLineExt.dll
2009-01-20 16:51 18,312 a------- c:\docume~1\nau\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 9:43:21.11 ===============

Attached Files
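As an added example (not part of the thread, and not DDS or ComboFix output), the following Python script triages the "Pseudo HJT Report" and Firefox sections of the two DDS logs posted above (posts #1 and #3) for the entries the helpers are reacting to: the system-wide and Firefox proxy pointed at localhost:7171, the public NameServer addresses, the unnamed BHO, the Run entry living under Application Data, and nabukeyu.dll registered in both AppInit_DLLs and the LSA Notification Packages. The regular expressions and severities are this example's own judgement; the sample input is constructed from the posted log lines.

```python
"""Triage a DDS "Pseudo HJT Report" for proxy, DNS and DLL-injection indicators.
Added example for the thread above; severities are the example's own, not DDS output."""
import ipaddress
import re

# Constructed sample: a subset of the Pseudo HJT and Firefox sections posted in the thread.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.mamma.com/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {73018ca9-5596-4e28-adc2-270c4c454735} - c:\windows\system32\palozora.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Win32load] c:\documents and settings\nau\application data\nSvcAppFlt.exe -lds
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
TCP: NameServer = 85.255.112.146,85.255.112.76
TCP: {F4FF1D72-3DD6-4FC7-8DC9-D7A872DD6B08} = 85.255.112.146,85.255.112.76
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\nabukeyu.dll
LSA: Notification Packages = scecli c:\windows\system32\nabukeyu.dll
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
"""

# Autorun entries that execute from a user profile rather than Program Files or
# the Windows directory deserve a look.
PROFILE_DIRS = ("documents and settings", "application data", "local settings", "appdata")
LOCAL_HOSTS = ("localhost", "127.0.0.1")

# Single-line checks: (compiled pattern with the detail in group 1, indicator, severity).
SINGLE_LINE_RULES = [
    # WinINET proxy on the loopback interface: browser traffic is funnelled through a
    # local process. Once that process is killed or quarantined, browsers report
    # "The proxy server is refusing connections", exactly the symptom in post #1.
    (re.compile(r"u?Internet Settings,ProxyServer\s*=\s*(?:http=)?"
                r"((?:localhost|127\.0\.0\.1):\d+)", re.I), "local-proxy", "high"),
    # BHO listed by CLSID only (no friendly name) pointing at a DLL.
    (re.compile(r"BHO:\s*\{[0-9a-f-]+\}\s*-\s*(.+)", re.I), "unnamed-bho", "review"),
    # Any AppInit_DLLs value: the DLL is loaded into every process that links user32.
    (re.compile(r"AppInit_DLLs:\s*(.+)", re.I), "appinit-dll", "review"),
]


def _is_public(ip: str) -> bool:
    """True for a routable address (not RFC 1918, loopback or link-local)."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def triage(report: str) -> list:
    """Return (severity, indicator, detail) tuples for suspicious report lines."""
    findings, ff_prefs, seen_dns = [], {}, set()
    for line in (l.strip() for l in report.splitlines() if l.strip()):
        for pattern, indicator, severity in SINGLE_LINE_RULES:
            m = pattern.match(line)
            if m:
                findings.append((severity, indicator, m.group(1).strip()))
        # NameServer entries on public addresses: fine for an ISP resolver, but the
        # first thing to compare against what the router actually hands out by DHCP.
        m = re.match(r"TCP:.*=\s*([\d.,\s]+)$", line)
        if m:
            for ip in (p.strip() for p in m.group(1).split(",")):
                if _is_public(ip) and ip not in seen_dns:
                    seen_dns.add(ip)
                    findings.append(("review", "dns-server", ip))
        m = re.match(r"[um]Run:\s*\[([^\]]+)\]\s*(.+)", line, re.I)
        if m and any(d in m.group(2).lower() for d in PROFILE_DIRS):
            findings.append(("review", "run-from-profile", f"{m.group(1)} -> {m.group(2)}"))
        # scecli is the stock package; anything else here is loaded by LSASS at boot.
        # DDS prints bare names or system32 paths, so splitting on whitespace is safe.
        m = re.match(r"LSA: Notification Packages\s*=\s*(.+)", line, re.I)
        if m:
            for pkg in m.group(1).split():
                if pkg.lower() != "scecli":
                    findings.append(("review", "lsa-notification-package", pkg))
        m = re.match(r"FF - prefs\.js:\s*(network\.proxy\.\S+)\s*-\s*(.+)", line, re.I)
        if m:
            ff_prefs[m.group(1)] = m.group(2).strip()
    # Firefox keeps its own proxy settings (type 1 = manual); correlate host and port.
    if (ff_prefs.get("network.proxy.type") == "1"
            and ff_prefs.get("network.proxy.http", "").lower() in LOCAL_HOSTS):
        port = ff_prefs.get("network.proxy.http_port", "?")
        findings.append(("high", "firefox-local-proxy", f"{ff_prefs['network.proxy.http']}:{port}"))
    return findings


if __name__ == "__main__":
    for severity, indicator, detail in triage(SAMPLE_DDS):
        print(f"[{severity:6}] {indicator:26} {detail}")
```

Run against a full DDS.txt, the same script reports the same eight entries for these logs; entries from AVG, ctfmon and the named BHOs produce no findings.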



#4 extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:44 AM

Posted 09 April 2009 - 08:27 PM

Hello.

I see some vundo infections and more.

Let's run MBAM.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 perrymc

  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:07:44 AM

Posted 10 April 2009 - 12:19 AM

Thanks for the help Extremeboy. Understand you guys are very busy. Take your time, get to me when you can.

I installed malwarebytes and manually downloaded mbam-rules from another computer and installed. Afraid it did not work.
Malwarebytes fails to run immediately after the install, whether from the desktop icon, from the start menu, or in Safe Mode with Networking (normal safe mode is not available). I also tried to run it while I had the task manager open, and I never saw any indication that Malwarebytes ever attempted to execute (I did get all the installation windows, just nothing after).

Vundo among others you say. Looking forward to beating this bugger.

#6 extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:44 AM

Posted 10 April 2009 - 09:13 AM

Hello.

Okay, seems there's more than just the vundos. Perhaps a rootkit hiding around somewhere.

Download and Run ComboFix (Rename Before Saving)

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Refer to the page below for further instructions on running ComboFix. This includes installing the Recovery Console. Note that you do not need your Windows XP disk to install it. Refer to this page if you are unsure how.

Double click on Combo-Fix.exe & follow the prompts.

When finished, it will open a report for you. Post back with it. It is at C:\ComboFix.txt.

Do not mouseclick the ComboFix window while it's running. That may cause it to stall.

With Regards,
Extremeboy

#7 perrymc

  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:07:44 AM

Posted 10 April 2009 - 02:45 PM

Extremeboy

Dragged and dropped the WinXP Pro file onto ComboFix to install the Recovery Console and allowed ComboFix to cycle through the stages and a couple of reboots. It only requested that I make a note of one file, 'Seneka.sys', located in the Windows System32 drivers folder. Here is the log. At your leisure. Thank You.



ComboFix 09-04-04.01 - NAU 2009-04-10 12:18:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.245 [GMT -7:00]
Running from: c:\documents and settings\NAU\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\NAU\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
.
ADS - WINDOWS: deleted 96 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\9g234sdfdfgjf23
c:\windows\ld02.exe
c:\windows\pp04.exe
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.

2009-04-09 21:25 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 21:25 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-09 21:24 . 2009-04-09 21:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-09 21:24 . 2009-04-09 21:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-25 21:27 . 2009-03-25 21:27 <DIR> d-------- c:\program files\gBurner
2009-03-19 19:24 . 2009-03-19 19:24 <DIR> d-------- c:\documents and settings\Administrator.NAU-ALLAZLTG2Q7
2009-03-18 12:39 . 2009-03-18 12:39 2 ---h----- c:\windows\t55ft2950f44.dat
2009-03-18 09:33 . 2009-03-18 09:33 11,264 --a------ c:\documents and settings\NAU\Application Data\nSvcAppFlt.exe
2009-03-13 18:01 . 2006-10-04 07:06 1,197,294 -----c--- c:\windows\system32\dllcache\sysmain.sdb
2009-03-13 18:01 . 2006-10-04 07:06 764,868 -----c--- c:\windows\system32\dllcache\apph_sp.sdb
2009-03-13 18:01 . 2006-10-04 07:06 217,118 -----c--- c:\windows\system32\dllcache\apphelp.sdb
2009-03-13 18:00 . 2009-03-13 18:00 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-03-13 17:54 . 2009-03-13 17:57 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-03-11 19:28 . 2009-03-11 19:28 <DIR> d-------- c:\documents and settings\Mom.NAU-ALLAZLTG2Q7\Application Data\Leadertech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-31 16:10 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-03-31 16:09 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2009-03-26 04:08 --------- d-----w c:\documents and settings\NAU\Application Data\Roxio
2009-03-25 00:34 --------- d-----w c:\documents and settings\NAU\Application Data\Azureus
2009-03-12 02:58 --------- d-----w c:\documents and settings\Mom.NAU-ALLAZLTG2Q7\Application Data\Skype
2009-03-12 02:20 --------- d-----w c:\documents and settings\Mom.NAU-ALLAZLTG2Q7\Application Data\skypePM
2009-03-09 19:27 --------- d-----w c:\program files\SUPERAntiSpyware
2009-03-08 17:29 --------- d-----w c:\documents and settings\NAU\Application Data\Move Networks
2009-02-28 16:00 --------- d-----w c:\program files\Ancient Sudoku
2009-02-27 15:08 --------- d-----w c:\program files\Vuze
2009-02-25 02:07 --------- d-----w c:\documents and settings\NAU\Application Data\Skype
2009-02-24 23:03 --------- d-----w c:\documents and settings\NAU\Application Data\skypePM
2009-02-21 20:41 --------- d-----w c:\program files\RelevantKnowledge
2009-02-21 20:11 --------- d-----w c:\program files\DivXCodec
2009-02-14 03:24 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-02-14 02:43 --------- d-----w c:\program files\SlySoft
2009-02-10 20:45 --------- d-----w c:\program files\Readiris Pro 11
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2009-02-04 23:59 761,856 ----a-w c:\windows\system32\CDDBUIRoxio.dll
2009-02-04 23:59 61,440 ----a-w c:\windows\system32\cdrtc.dll
2009-02-04 23:59 589,824 ----a-w c:\windows\system32\CDDBControlRoxio.dll
2009-02-04 23:59 45,056 ----a-w c:\windows\system32\cdral.dll
2009-02-04 23:49 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-02-02 04:55 18,312 ----a-w c:\documents and settings\Guest\Application Data\GDIPFONTCACHEV1.DAT
2009-01-27 23:41 98,304 ----a-w c:\windows\system32\CmdLineExt.dll
2009-01-20 23:51 18,312 ----a-w c:\documents and settings\NAU\Application Data\GDIPFONTCACHEV1.DAT
2008-02-02 10:07 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-02-02 10:07 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-02-02 10:07 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-02-02 10:07 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-02-02 10:07 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-09 1830128]
"Win32load"="c:\documents and settings\NAU\Application Data\nSvcAppFlt.exe" [2009-03-18 11264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-04 1601304]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-03-09 12:27 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-04 16:49 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\nabukeyu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-28 12:21 57344 c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a------ 2003-03-28 07:18 57344 c:\program files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2008-08-14 17:15 2407184 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 03:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-02-03 18:14 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2009-02-04 17:26 319488 c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-07-28 14:19 323584 c:\windows\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\NAU\\Application Data\\nSvcAppFlt.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:blizzard downloader 6112
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-10-06 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-27 325128]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-09-03 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-09-03 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-04 298264]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [2008-10-20 32840]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2008-03-22 386688]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0231e16e-e75b-11dd-872e-00065b2f9c12}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

BHO-{73018ca9-5596-4e28-adc2-270c4c454735} - c:\windows\system32\palozora.dll
WebBrowser-{07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
MSConfigStartUp-EPSON Stylus C84 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
MSConfigStartUp-pp - c:\windows\pp04.exe
MSConfigStartUp-sysldtray - c:\windows\ld02.exe
MSConfigStartUp-zeponuhaha - c:\windows\system32\sokofosu.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mamma.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\NAU\Application Data\Mozilla\Firefox\Profiles\gjvszn7m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - mamma
FF - prefs.js: browser.startup.homepage - hxxp://tucson.cox.net/cci/home
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - component: c:\progra~1\MOZILL~1\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\gaopdxserv.sys]
"imagepath"="\systemroot\system32\drivers\gaopdxltkndodpputupuphwuhsauuwvsalcnpm.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\documents and settings\NAU\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2009-04-10 12:29:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-10 19:29:22

Pre-Run: 15,196,819,456 bytes free
Post-Run: 15,802,941,440 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

215 --- E O F --- 2009-03-15 14:00:30

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:44 AM

Posted 10 April 2009 - 04:34 PM

Hello.

You have a nasty infection. I think there still might be more ..

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure. If you wish to continue follow the steps below.


Let's run Combofix with a script first.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    KillAll::
    
    Driver::
    pavboot
    File::
    c:\windows\t55ft2950f44.dat
    c:\windows\system32\nabukeyu.dll
    c:\windows\system32\drivers\pavboot.sys 
    RegLock::
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\gaopdxserv.sys]
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6112:TCP"=-
    "3724:TCP"=-
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Please run GMER for me.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.
  • When it's done scanning, you may receive another notice. Click OK if prompted.
  • Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
  • If you receive no notice, click on the Scan button near the bottom.
  • It will start scanning again like before.
  • When it is done, Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
  • If GMER doesn't work in Normal Mode, try running it in Safe Mode.
Note: Do Not run any program while GMER is running

Important!: Please do not select the Show all checkbox during the scan.

Post back with:
-Combofix log
-GMER log

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

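The ComboFix output above is what the helper reads to decide which lines go into the CFScript: the AppInit_DLLs loader, the autorun and firewall exception for an executable living under a user profile, the disabled firewall, and the browser proxy pointed at localhost:7171. The following is an added example written for this thread, not a BleepingComputer or ComboFix tool and not code from either poster; it walks ComboFix-style "Reg Loading Points" and "Supplementary Scan" lines and reports those same triage indicators. The sample lines are constructed to mirror the shape of the log posted above, and the rule names (`appinit_dll`, `run_from_profile` and so on) are labels of my own, not ComboFix terminology.

```python
"""Triage helper for ComboFix-style log lines (added example, not a ComboFix or
BleepingComputer tool). It flags the kinds of entries a malware responder looks
for first: a non-empty AppInit_DLLs value, autoruns and firewall exceptions that
point into a user profile, a disabled Windows Firewall, and a browser proxy that
routes through localhost. The rule names are this example's own labels."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, shaped like the "Reg Loading Points" and "Supplementary
# Scan" parts of the log posted above. A raw string keeps the backslashes intact.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Win32load"="c:\documents and settings\NAU\Application Data\nSvcAppFlt.exe" [2009-03-18 11264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\nabukeyu.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\NAU\\Application Data\\nSvcAppFlt.exe"=

uInternet Settings,ProxyServer = http=localhost:7171
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
"""


@dataclass(frozen=True)
class Finding:
    rule: str    # short label for the indicator class (this example's own names)
    detail: str  # the value, name or line that triggered the rule


# Executables started from a user profile rather than Program Files / system32
# are worth a second look; legitimate software rarely installs itself there.
PROFILE_DIR = re.compile(r"(documents and settings|users)\\", re.IGNORECASE)
SECTION_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')


def triage(log_text: str) -> list[Finding]:
    """Walk the log once, tracking the current registry key, and collect findings."""
    findings: list[Finding] = []
    section = ""  # lower-cased key of the most recent [bracketed] header
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_LINE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = VALUE_LINE.match(line)
        if m:
            name, value = m.group("name"), m.group("value").strip()
            if name.lower() == "appinit_dlls" and value.strip('"'):
                # Any DLL listed here is injected into every user-mode process.
                findings.append(Finding("appinit_dll", value))
            elif section.endswith("\\run") and PROFILE_DIR.search(value):
                findings.append(Finding("run_from_profile", f"{name} -> {value}"))
            elif name.lower() == "enablefirewall" and value.startswith("0"):
                findings.append(Finding("firewall_disabled", section))
            elif "authorizedapplications" in section and PROFILE_DIR.search(name):
                # A firewall exception for a profile-resident binary: something
                # wanted inbound connections to it.
                findings.append(Finding("firewall_exception_from_profile", name))
            continue
        lower = line.lower()
        if ("proxyserver" in lower or "network.proxy.http" in lower) and "localhost" in lower:
            # Both IE and Firefox forced through a local proxy: browser traffic
            # is being intercepted by a process on the machine itself.
            findings.append(Finding("localhost_proxy", line))
    return findings


def rule_counts(findings: list[Finding]) -> dict[str, int]:
    """Summarise findings as rule -> number of hits."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:34} {f.detail}")
    print(rule_counts(triage(SAMPLE_LOG)))
```

On the constructed sample the script reports six hits: the Win32load autorun, the AppInit_DLLs entry, the disabled firewall, the firewall exception for nSvcAppFlt.exe, and the two proxy lines. Benign entries such as ctfmon.exe and the Skype exception are not reported, which is the point of keying the rules on location and value rather than on file names.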

#9 perrymc

perrymc
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:07:44 AM

Posted 11 April 2009 - 12:10 PM

Bummer, I was afraid it was serious ... Once again, take your time, Extremeboy, and thank you.

1) Until I get a new hard drive, I would still like to clean this up

2) Don't want to be naive about this, but fairly sure we have not accessed any accounts via this computer. If we did, we never save passwords or allow the site to 'remember me'. I almost always run CCleaner whenever I exit my web browser. We are still making a list of potential accounts to change. I had already accessed the links you referenced.

3) Per my first post in this topic, I am pretty sure my router squelched any communications via this computer (or was it just the rootkit making me think there was no connection?). Attempts to use either wifi or ethernet failed (I ultimately did unplug the cat5 cable and the wifi antenna from the wifi card just as a precaution). Also I tested my router security (via broadbandreports and grc websites) from a good computer and found all the ports to be stealthed. Not sure if that means much.

4) While this computer was configured to be networked, it cannot see the other computers (they could see this one's shared files but it could not see theirs). I believe it is because I set up mine as "Groups" and not Domain. This one was purchased used from a university and I am sure was configured for Domain. I was never able to get all the kinks out and finally gave up working on it for awhile. So reinstalling on a new hard drive will have an upside to it!

Anyway, here are the ComboFix and GMER text files you asked for.

ComboFix did ask me to note these two files:

c:\windows\system32\drivers\gaopdxltkndodpputupuphwuhsauuwvsalcnpm.sys
c:\windows\system32\gaopdxavktjoaxkjvpwcnksqotkotquqptlxqt.dll

GMER did not ask to load GMER.sys and there were no notices other than the screen did have four items under Type, Name and Value but no popups or requests for me to do anything, so I just clicked the scan button and let it do its thing.


ComboFix 09-04-04.01 - NAU 2009-04-11 7:36:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.244 [GMT -7:00]
Running from: c:\documents and settings\NAU\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\NAU\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)

FILE ::
c:\windows\system32\drivers\pavboot.sys
c:\windows\system32\nabukeyu.dll
c:\windows\t55ft2950f44.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\gaopdxltkndodpputupuphwuhsauuwvsalcnpm.sys
c:\windows\system32\drivers\pavboot.sys
c:\windows\system32\gaopdxavktjoaxkjvpwcnksqotkotquqptlxqt.dll
c:\windows\system32\gaopdxcounter
c:\windows\t55ft2950f44.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys
-------\Legacy_PAVBOOT
-------\Service_pavboot


((((((((((((((((((((((((( Files Created from 2009-03-11 to 2009-04-11 )))))))))))))))))))))))))))))))
.

2009-04-09 21:25 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 21:25 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-09 21:24 . 2009-04-09 21:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-09 21:24 . 2009-04-09 21:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-25 21:27 . 2009-03-25 21:27 <DIR> d-------- c:\program files\gBurner
2009-03-19 19:24 . 2009-03-19 19:24 <DIR> d-------- c:\documents and settings\Administrator.NAU-ALLAZLTG2Q7
2009-03-18 09:33 . 2009-03-18 09:33 11,264 --a------ c:\documents and settings\NAU\Application Data\nSvcAppFlt.exe
2009-03-13 18:01 . 2006-10-04 07:06 1,197,294 -----c--- c:\windows\system32\dllcache\sysmain.sdb
2009-03-13 18:01 . 2006-10-04 07:06 764,868 -----c--- c:\windows\system32\dllcache\apph_sp.sdb
2009-03-13 18:01 . 2006-10-04 07:06 217,118 -----c--- c:\windows\system32\dllcache\apphelp.sdb
2009-03-13 18:00 . 2009-03-13 18:00 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-03-13 17:54 . 2009-03-13 17:57 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-03-11 19:28 . 2009-03-11 19:28 <DIR> d-------- c:\documents and settings\Mom.NAU-ALLAZLTG2Q7\Application Data\Leadertech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-31 16:10 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-03-31 16:09 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2009-03-26 04:08 --------- d-----w c:\documents and settings\NAU\Application Data\Roxio
2009-03-25 00:34 --------- d-----w c:\documents and settings\NAU\Application Data\Azureus
2009-03-12 02:58 --------- d-----w c:\documents and settings\Mom.NAU-ALLAZLTG2Q7\Application Data\Skype
2009-03-12 02:20 --------- d-----w c:\documents and settings\Mom.NAU-ALLAZLTG2Q7\Application Data\skypePM
2009-03-09 19:27 --------- d-----w c:\program files\SUPERAntiSpyware
2009-03-08 17:29 --------- d-----w c:\documents and settings\NAU\Application Data\Move Networks
2009-02-28 16:00 --------- d-----w c:\program files\Ancient Sudoku
2009-02-27 15:08 --------- d-----w c:\program files\Vuze
2009-02-25 02:07 --------- d-----w c:\documents and settings\NAU\Application Data\Skype
2009-02-24 23:03 --------- d-----w c:\documents and settings\NAU\Application Data\skypePM
2009-02-21 20:41 --------- d-----w c:\program files\RelevantKnowledge
2009-02-21 20:11 --------- d-----w c:\program files\DivXCodec
2009-02-14 03:24 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-02-14 02:43 --------- d-----w c:\program files\SlySoft
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2009-02-04 23:59 761,856 ----a-w c:\windows\system32\CDDBUIRoxio.dll
2009-02-04 23:59 61,440 ----a-w c:\windows\system32\cdrtc.dll
2009-02-04 23:59 589,824 ----a-w c:\windows\system32\CDDBControlRoxio.dll
2009-02-04 23:59 45,056 ----a-w c:\windows\system32\cdral.dll
2009-02-04 23:49 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-02-02 04:55 18,312 ----a-w c:\documents and settings\Guest\Application Data\GDIPFONTCACHEV1.DAT
2009-01-27 23:41 98,304 ----a-w c:\windows\system32\CmdLineExt.dll
2009-01-20 23:51 18,312 ----a-w c:\documents and settings\NAU\Application Data\GDIPFONTCACHEV1.DAT
2008-02-02 10:07 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-02-02 10:07 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-02-02 10:07 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-02-02 10:07 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-02-02 10:07 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Win32load"="c:\documents and settings\NAU\Application Data\nSvcAppFlt.exe" [2009-03-18 11264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-04 1601304]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-03-09 12:27 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-04 16:49 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-28 12:21 57344 c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a------ 2003-03-28 07:18 57344 c:\program files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2008-08-14 17:15 2407184 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 03:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-02-03 18:14 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2009-02-04 17:26 319488 c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-07-28 14:19 323584 c:\windows\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\NAU\\Application Data\\nSvcAppFlt.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-27 325128]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-09-03 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-09-03 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-04 298264]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [2008-10-20 32840]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2008-03-22 386688]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0231e16e-e75b-11dd-872e-00065b2f9c12}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mamma.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\NAU\Application Data\Mozilla\Firefox\Profiles\gjvszn7m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - mamma
FF - prefs.js: browser.startup.homepage - hxxp://tucson.cox.net/cci/home
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - component: c:\progra~1\MOZILL~1\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\documents and settings\NAU\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2009-04-11 7:43:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-11 14:43:16
ComboFix2.txt 2009-04-10 19:29:28

Pre-Run: 15,826,513,920 bytes free
Post-Run: 15,810,015,232 bytes free

195 --- E O F --- 2009-03-15 14:00:30


GMER 1.0.15.14878 - http://www.gmer.net
Rootkit scan 2009-04-11 08:05:17
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT spjq.sys ZwCreateKey [0xF84E40E0]
SSDT spjq.sys ZwEnumerateKey [0xF8502CA2]
SSDT spjq.sys ZwEnumerateValueKey [0xF8503030]
SSDT spjq.sys ZwOpenKey [0xF84E40C0]
SSDT spjq.sys ZwQueryKey [0xF8503108]
SSDT spjq.sys ZwQueryValueKey [0xF8502F88]
SSDT spjq.sys ZwSetValueKey [0xF850319A]

INT 0x39 ? 82F71BF8
INT 0x39 ? 82D67BF8
INT 0x3A ? 82D67BF8
INT 0x3B ? 82D67BF8
INT 0x3B ? 82D67BF8
INT 0x3B ? 82D67BF8
INT 0x3E ? 82FDEBF8
INT 0x3F ? 82FDEBF8

Code \??\C:\DOCUME~1\NAU\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? spjq.sys The system cannot find the file specified. !
? Combo-Fix.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F80B862C 5 Bytes JMP 82D671D8
.text anq0rtrg.SYS F801B386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text anq0rtrg.SYS F801B3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text anq0rtrg.SYS F801B3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text anq0rtrg.SYS F801B3C9 1 Byte [2E]
.text anq0rtrg.SYS F801B3CB 9 Bytes [00, 00, 5A, 02, 00, 00, 00, ...] {ADD [EAX], AL; POP EDX; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
? C:\DOCUME~1\NAU\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82F712D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F8515C4C] spjq.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F8515CA0] spjq.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F84E5040] spjq.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F84E513C] spjq.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F84E50BE] spjq.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F84E57FC] spjq.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F84E56D2] spjq.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82D672D8
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F84F5048] spjq.sys
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!RtlInitUnicodeString] 2296E852
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!swprintf] 478B0000
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!KeSetEvent] 50016A40
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 1CAC8E8D
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoGetConfigurationInformation] E8510000
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] 00002284
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!MmFreeMappingAddress] 6A18538B
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 868D5200
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 00001C98
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!MmUnmapIoSpace] 2272E850
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 4B8B0000
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IofCompleteRequest] 51016A18
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 1CB4968D
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IofCallDriver] E8520000
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 00002260
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 8A05478A
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoConnectInterrupt] 001CBB8E
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoDetachDevice] 30C48300
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!KeWaitForSingleObject] 1CBD8688
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!KeInitializeEvent] 80E90000
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] C6000000
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!RtlInitAnsiString] 001CBB86
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 438B0100
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoQueueWorkItem] 8E8D5018
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!MmMapIoSpace] 00001C90
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 2232E851
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoReportDetectedDevice] 538B0000
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoReportResourceForDetection] 52016A18
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 1CAC868D
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!NlsMbCodePageTag] E8500000
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!PoRequestPowerIrp] 00002220
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 8A05478A
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 001CBB8E
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!sprintf] 18C48300
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 1CBD8688
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!ObfDereferenceObject] 43EB0000
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 320C538A
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 88F93BC0
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!ZwClose] 001CBB96
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] F6317300
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] 74070647
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 75C0841A
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!PoStartNextPowerIrp] 05578A0B
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!PoCallDriver] 968801B0
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoCreateDevice] 00001CBD
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 57B60F66
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 533B6604
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!ZwOpenKey] 03087408
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 72F93B3F
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoStartTimer] 8A09EBDA
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!KeInitializeTimer] 86880547
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoInitializeTimer] 00001CBD
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!KeInitializeDpc] 88084B8A
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!KeInitializeSpinLock] 001CBE8E
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoInitializeIrp] 40578B00
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!ZwCreateKey] 8D52006A
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 001CC086
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] B1E85000
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!ZwSetValueKey] 8B000021
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!KeInsertQueueDpc] 001CB88E
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] BC968B00
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoStartPacket] 8900001C
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 001CC48E
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] C8968900
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoFreeMdl] 8B00001C
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!MmUnlockPages] 016A4047
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] CCC68150
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 5600001C
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 002187E8
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 18C48300
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!KeSynchronizeExecution] 5D5B5E5F
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoStartNextPacket] CCCCCCC3
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!KeBugCheckEx] CCCCCCCC
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] CCCCCCCC
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!KeSetTimer] CCCCCCCC
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!KeCancelTimer] 8BEC8B55
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!_allmul] 00C73445
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!MmProbeAndLockPages] 00000000
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!_except_handler3] 830C458B
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!PoSetPowerState] C0840CEC
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 053C0D74
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 57B80974
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!_aulldiv] 8B000000
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!strstr] 56C35DE5
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!_strupr] 8D08758B
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!KeQuerySystemTime] 8D51FC4D
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 8D52FD55
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!KeTickCount] 8D51FE4D
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 8D52FF55
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoDeleteDevice] 8D51F84D
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 5052F455
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoAllocateWorkItem] EACAE856
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoAllocateIrp] C483FFFF
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoAllocateMdl] 0FC08520
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 0001B185
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!MmLockPagableDataSection] 46B70F00
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] F44D8B48
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] C1815753
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!ExFreePoolWithTag] 00002590
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoFreeIrp] 467C8D51
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!IoFreeWorkItem] 76F6E84A
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!InitSafeBootMode] D88BFFFF
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!RtlCompareMemory] 8504C483
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 5F0A75DB
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!memmove] 5B08438D
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[ntoskrnl.exe!MmHighestUserAddress] 5DE58B5E
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[HAL.dll!KfAcquireSpinLock] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[HAL.dll!READ_PORT_UCHAR] 8D3F0304
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[HAL.dll!KeGetCurrentIrql] CB033043
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[HAL.dll!KfRaiseIrql] 0673C13B
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[HAL.dll!KfLowerIrql] C13B0003
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[HAL.dll!HalGetInterruptVector] 8366FA72
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[HAL.dll!HalTranslateBusAddress] 75000E7B
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[HAL.dll!KeStallExecutionProcessor] 0B7D80E3
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[HAL.dll!KfReleaseSpinLock] 307B8D00
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00AA840F
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 6A000E7A
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[HAL.dll!WRITE_PORT_UCHAR] C6647400
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[WMILIB.SYS!WmiSystemControl] 4F8B0200
IAT \SystemRoot\System32\Drivers\anq0rtrg.SYS[WMILIB.SYS!WmiCompleteRequest] 968D5140

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\explorer.exe[844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009B2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\explorer.exe[844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009B2CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\explorer.exe[844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009B2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\explorer.exe[844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009B2CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1096] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00EA2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1096] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00EA2CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1096] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00EA2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1096] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00EA2CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[1504] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [008D2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[1504] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [008D2CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[1504] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [008D2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[1504] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [008D2CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[1576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009C2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[1576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009C2CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[1576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009C2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[1576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009C2CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\NAU\Application Data\nSvcAppFlt.exe[2096] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00952F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\NAU\Application Data\nSvcAppFlt.exe[2096] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00952CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\NAU\Application Data\nSvcAppFlt.exe[2096] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00952D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\NAU\Application Data\nSvcAppFlt.exe[2096] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00952CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3588] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003B2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3588] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003B2CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3588] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003B2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3588] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003B2CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[3964] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A92F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[3964] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A92CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[3964] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A92D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[3964] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A92CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\devldr32.exe[4088] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [008D2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\devldr32.exe[4088] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [008D2CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\devldr32.exe[4088] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [008D2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\devldr32.exe[4088] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [008D2CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\NAU\Desktop\gmer\gmer.exe[8772] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\NAU\Desktop\gmer\gmer.exe[8772] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\NAU\Desktop\gmer\gmer.exe[8772] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\NAU\Desktop\gmer\gmer.exe[8772] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 82FDD1F8
Device \Driver\sptd \Device\1380395648 spjq.sys
Device \Driver\usbohci \Device\USBPDO-0 82D661F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 82F6F1F8
Device \Driver\dmio \Device\DmControl\DmConfig 82F6F1F8
Device \Driver\dmio \Device\DmControl\DmPnP 82F6F1F8
Device \Driver\dmio \Device\DmControl\DmInfo 82F6F1F8
Device \Driver\usbuhci \Device\USBPDO-1 82C401F8
Device \Driver\usbohci \Device\USBPDO-2 82D661F8
Device \Driver\usbuhci \Device\USBPDO-3 82C401F8
Device \Driver\usbehci \Device\USBPDO-4 82D4F1F8
Device \Driver\Cdrom \Device\CdRom0 82D401F8
Device \Driver\Cdrom \Device\CdRom1 82D401F8
Device \Driver\atapi \Device\Ide\IdePort0 82FDE1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 82FDE1F8
Device \Driver\atapi \Device\Ide\IdePort1 82FDE1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 82FDE1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 82FDE1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 82FDE1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 82DF21F8
Device \Driver\PCI_PNP3344 \Device\0000004b spjq.sys
Device \Driver\PCI_PNP3344 \Device\0000004b spjq.sys
Device \Driver\NetBT \Device\NetbiosSmb 82DF21F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{F4FF1D72-3DD6-4FC7-8DC9-D7A872DD6B08} 82DF21F8
Device \Driver\usbohci \Device\USBFDO-0 82D661F8
Device \Driver\usbohci \Device\USBFDO-1 82D661F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82D85500
Device \Driver\usbehci \Device\USBFDO-2 82D4F1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 82D85500
Device \Driver\usbuhci \Device\USBFDO-3 82C401F8
Device \Driver\usbuhci \Device\USBFDO-4 82C401F8
Device \Driver\Ftdisk \Device\FtControl 82FDF1F8
Device \Driver\anq0rtrg \Device\Scsi\anq0rtrg1Port2Path0Target0Lun0 82C291F8
Device \Driver\anq0rtrg \Device\Scsi\anq0rtrg1 82C291F8
Device \FileSystem\Cdfs \Cdfs 82B66500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxltkndodpputupuphwuhsauuwvsalcnpm.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxltkndodpputupuphwuhsauuwvsalcnpm.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxavktjoaxkjvpwcnksqotkotquqptlxqt.dll
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x42 0xF2 0x1E 0x30 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEF 0x77 0xC0 0xD0 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x21 0xDB 0xCB 0x3D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x42 0xF2 0x1E 0x30 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEF 0x77 0xC0 0xD0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x21 0xDB 0xCB 0x3D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x42 0xF2 0x1E 0x30 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEF 0x77 0xC0 0xD0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x21 0xDB 0xCB 0x3D ...

---- EOF - GMER 1.0.15 ----

U guys are absolutely fantastic!
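A small triage script for GMER output of the kind posted above, as an added example that is not part of this thread or of the GMER tool itself: it parses the SSDT and Reg lines, groups hooks by the module that installed them (here spjq.sys, which the Devices section ties to the sptd driver of DAEMON Tools) and flags services whose driver or module file has a long random-looking name, which is how the gaopdxserv.sys entries stand out. The sample lines are constructed from the log format above, and the random-name length threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the GMER log format above (the service and hook
# values are the ones that appear in the posted log, nothing added).
SAMPLE_LOG = [
    r"SSDT spjq.sys ZwCreateKey [0xF84E40E0]",
    r"SSDT spjq.sys ZwEnumerateKey [0xF8502CA2]",
    r"SSDT spjq.sys ZwSetValueKey [0xF850319A]",
    r"Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@start 1",
    r"Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@type 1",
    r"Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxltkndodpputupuphwuhsauuwvsalcnpm.sys",
    r"Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@group file system",
    r"Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules",
    r"Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxavktjoaxkjvpwcnksqotkotquqptlxqt.dll",
    r"Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1",
]

# 'SSDT <module> <Zw function> [<address>]'
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)\s+\[(0x[0-9A-Fa-f]+)\]")
# service name is the path component right after '\Services\'
SERVICE_RE = re.compile(r"\\Services\\([^\\@]+)")


def parse_gmer(lines):
    """Return (ssdt_hooks, services) from GMER 'SSDT' and 'Reg' lines.

    ssdt_hooks: {module: [(function, address), ...]}
    services:   {service_name: {value_name: data}}; a value under a subkey
                is keyed 'subkey@value' (e.g. 'modules@gaopdxl').
    """
    ssdt_hooks = defaultdict(list)
    services = defaultdict(dict)
    for line in lines:
        m = SSDT_RE.match(line)
        if m:
            module, func, addr = m.groups()
            ssdt_hooks[module].append((func, addr))
            continue
        if not line.startswith("Reg "):
            continue
        # 'Reg <key>[@value] [data]'; the key itself never contains whitespace
        parts = line[4:].split(None, 1)
        token, data = parts[0], (parts[1] if len(parts) > 1 else None)
        svc = SERVICE_RE.search(token)
        if not svc:
            continue
        entry = services[svc.group(1)]      # registers the service even for a bare key
        tail = token[svc.end():].lstrip("\\")  # '@start', 'modules@gaopdxl', 'modules', ...
        if "@" in tail:
            entry[tail.lstrip("@")] = data
    return ssdt_hooks, services


def looks_random(path, min_len=20):
    """Heuristic (assumed threshold): the rootkit files in this log carry long,
    lowercase, letters-only names; legitimate drivers almost never do."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return len(stem) >= min_len and stem.isalpha() and stem.islower()


def triage(lines):
    """Summarise the hooks per module and list services worth a closer look."""
    ssdt_hooks, services = parse_gmer(lines)
    suspicious = []
    for name, values in services.items():
        reasons = []
        image = values.get("imagepath")
        if image and looks_random(image):
            reasons.append("random-looking driver file name")
        for vname, data in values.items():
            if vname.startswith("modules@") and data and looks_random(data):
                reasons.append("random-looking module: " + data.rsplit("\\", 1)[-1])
        # type 1 / start 1 = kernel driver loaded at system start; only worth
        # reporting as context once something else already looks wrong
        if reasons and values.get("type") == "1" and values.get("start") == "1":
            reasons.append("kernel driver loaded at system start")
        if reasons:
            suspicious.append({"service": name, "imagepath": image, "reasons": reasons})
    return {"ssdt_hooks": dict(ssdt_hooks), "suspicious_services": suspicious}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for module, hooks in report["ssdt_hooks"].items():
        print(f"SSDT hooks by {module}: " + ", ".join(f for f, _ in hooks))
    for finding in report["suspicious_services"]:
        print(f"{finding['service']}: " + "; ".join(finding["reasons"]))
```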

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 11 April 2009 - 12:30 PM

Hello.

Not quite done yet.

Still would be a good idea if you changed your passwords. Doesn't matter if you ALWAYS run CCleaner. As long as you accessed an account while this infection was active, you need to change your passwords.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    RegLock::
    HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download and run RootRepeal CR

Please download RootRepeal to your desktop
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Unzip it to its own folder
  • Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
  • Double-click on Rooter.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the Report tab at the bottom.
  • Now click the Scan button in the Report Tab.
  • A box will pop up, check the boxes beside ALL SIX
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop
  • Reconnect to the internet.
  • Post the log here in your reply.
Post back with:
-Combofix log
-MBAM log
-RootRepeal log

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 perrymc

perrymc
  • Topic Starter

  • Members
  • 39 posts

Posted 11 April 2009 - 03:00 PM

Okay Extremeboy

Here are the three logs. All executed okay. I actually updated the Malwarebytes definitions manually. I have not tried to connect the infected computer to the internet as yet. A little hesitant until it is as clean as we can make it without a reformat.

ComboFix 09-04-04.01 - NAU 2009-04-11 12:16:06.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.252 [GMT -7:00]
Running from: c:\documents and settings\NAU\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\NAU\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-11 to 2009-04-11 )))))))))))))))))))))))))))))))
.

2009-04-09 21:25 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 21:25 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-09 21:24 . 2009-04-09 21:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-09 21:24 . 2009-04-09 21:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-25 21:27 . 2009-03-25 21:27 <DIR> d-------- c:\program files\gBurner
2009-03-19 19:24 . 2009-03-19 19:24 <DIR> d-------- c:\documents and settings\Administrator.NAU-ALLAZLTG2Q7
2009-03-18 09:33 . 2009-03-18 09:33 11,264 --a------ c:\documents and settings\NAU\Application Data\nSvcAppFlt.exe
2009-03-13 18:01 . 2006-10-04 07:06 1,197,294 -----c--- c:\windows\system32\dllcache\sysmain.sdb
2009-03-13 18:01 . 2006-10-04 07:06 764,868 -----c--- c:\windows\system32\dllcache\apph_sp.sdb
2009-03-13 18:01 . 2006-10-04 07:06 217,118 -----c--- c:\windows\system32\dllcache\apphelp.sdb
2009-03-13 18:00 . 2009-03-13 18:00 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-03-13 17:54 . 2009-03-13 17:57 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-03-11 19:28 . 2009-03-11 19:28 <DIR> d-------- c:\documents and settings\Mom.NAU-ALLAZLTG2Q7\Application Data\Leadertech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-31 16:10 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-03-31 16:09 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2009-03-26 04:08 --------- d-----w c:\documents and settings\NAU\Application Data\Roxio
2009-03-25 00:34 --------- d-----w c:\documents and settings\NAU\Application Data\Azureus
2009-03-12 02:58 --------- d-----w c:\documents and settings\Mom.NAU-ALLAZLTG2Q7\Application Data\Skype
2009-03-12 02:20 --------- d-----w c:\documents and settings\Mom.NAU-ALLAZLTG2Q7\Application Data\skypePM
2009-03-09 19:27 --------- d-----w c:\program files\SUPERAntiSpyware
2009-03-08 17:29 --------- d-----w c:\documents and settings\NAU\Application Data\Move Networks
2009-02-28 16:00 --------- d-----w c:\program files\Ancient Sudoku
2009-02-27 15:08 --------- d-----w c:\program files\Vuze
2009-02-25 02:07 --------- d-----w c:\documents and settings\NAU\Application Data\Skype
2009-02-24 23:03 --------- d-----w c:\documents and settings\NAU\Application Data\skypePM
2009-02-21 20:41 --------- d-----w c:\program files\RelevantKnowledge
2009-02-21 20:11 --------- d-----w c:\program files\DivXCodec
2009-02-14 03:24 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-02-14 02:43 --------- d-----w c:\program files\SlySoft
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2009-02-04 23:59 761,856 ----a-w c:\windows\system32\CDDBUIRoxio.dll
2009-02-04 23:59 61,440 ----a-w c:\windows\system32\cdrtc.dll
2009-02-04 23:59 589,824 ----a-w c:\windows\system32\CDDBControlRoxio.dll
2009-02-04 23:59 45,056 ----a-w c:\windows\system32\cdral.dll
2009-02-04 23:49 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-02-02 04:55 18,312 ----a-w c:\documents and settings\Guest\Application Data\GDIPFONTCACHEV1.DAT
2009-01-27 23:41 98,304 ----a-w c:\windows\system32\CmdLineExt.dll
2009-01-20 23:51 18,312 ----a-w c:\documents and settings\NAU\Application Data\GDIPFONTCACHEV1.DAT
2008-02-02 10:07 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-02-02 10:07 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-02-02 10:07 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-02-02 10:07 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-02-02 10:07 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Win32load"="c:\documents and settings\NAU\Application Data\nSvcAppFlt.exe" [2009-03-18 11264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-04 1601304]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-03-09 12:27 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-04 16:49 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-28 12:21 57344 c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a------ 2003-03-28 07:18 57344 c:\program files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2008-08-14 17:15 2407184 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 03:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-02-03 18:14 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2009-02-04 17:26 319488 c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-07-28 14:19 323584 c:\windows\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\NAU\\Application Data\\nSvcAppFlt.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-27 325128]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-09-03 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-09-03 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-04 298264]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [2008-10-20 32840]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2008-03-22 386688]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0231e16e-e75b-11dd-872e-00065b2f9c12}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mamma.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\NAU\Application Data\Mozilla\Firefox\Profiles\gjvszn7m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - mamma
FF - prefs.js: browser.startup.homepage - hxxp://tucson.cox.net/cci/home
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - component: c:\progra~1\MOZILL~1\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\documents and settings\NAU\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
.
Completion time: 2009-04-11 12:19:45
ComboFix-quarantined-files.txt 2009-04-11 19:19:43
ComboFix2.txt 2009-04-11 14:43:24
ComboFix3.txt 2009-04-10 19:29:28

Pre-Run: 15,772,221,440 bytes free
Post-Run: 15,756,156,928 bytes free

165 --- E O F --- 2009-03-15 14:00:30



Malwarebytes' Anti-Malware 1.35
Database version: 1954
Windows 5.1.2600 Service Pack 2

4/11/2009 12:30:26 PM
mbam-log-2009-04-11 (12-30-26).txt

Scan type: Quick Scan
Objects scanned: 91487
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
C:\Documents and Settings\NAU\Application Data\nSvcAppFlt.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ba4271e-5c1e-48e2-b432-d8bf420dd31d} (Rogue.DeusCleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831} (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32load (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f4ff1d72-3dd6-4fc7-8dc9-d7a872dd6b08}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Documents and Settings\NAU\Start Menu\Programs\HDExtrem (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\RelevantKnowledge\rlservice.exe (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Documents and Settings\NAU\Application Data\nSvcAppFlt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.




ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/11 12:38
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5A8B000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8B64000 Size: 8192 File Visible: No
Status: -

Name: PCI_PNP4208
Image Path: \Driver\PCI_PNP4208
Address: 0x00000000 Size: 0 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF51EC000 Size: 45056 File Visible: No
Status: -

Name: spof.sys
Image Path: spof.sys
Address: 0xF84D5000 Size: 1048576 File Visible: No
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No
Status: -

Name: ttqjf.sys
Image Path: ttqjf.sys
Address: 0xF85F6000 Size: 61440 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\Prefetch\LULNCHR.EXE-0B9CE39E.pf
Status: Size mismatch (API: 20988, Raw: 20968)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spof.sys" at address 0xf84d60e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spof.sys" at address 0xf84f4ca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spof.sys" at address 0xf84f5030

#: 119 Function Name: NtOpenKey
Status: Hooked by "spof.sys" at address 0xf84d60c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spof.sys" at address 0xf84f5108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spof.sys" at address 0xf84f4f88

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spof.sys" at address 0xf84f519a

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x82fdd1f8 Size: -

Object: Hidden Code [Driver: age6piuwȅఐ卆浩, IRP_MJ_CREATE]
Process: System Address: 0x82bdc1f8 Size: -

Object: Hidden Code [Driver: age6piuwȅఐ卆浩, IRP_MJ_CLOSE]
Process: System Address: 0x82bdc1f8 Size: -

Object: Hidden Code [Driver: age6piuwȅఐ卆浩, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82bdc1f8 Size: -

Object: Hidden Code [Driver: age6piuwȅఐ卆浩, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82bdc1f8 Size: -

Object: Hidden Code [Driver: age6piuwȅఐ卆浩, IRP_MJ_POWER]
Process: System Address: 0x82bdc1f8 Size: -

Object: Hidden Code [Driver: age6piuwȅఐ卆浩, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82bdc1f8 Size: -

Object: Hidden Code [Driver: age6piuwȅఐ卆浩, IRP_MJ_PNP]
Process: System Address: 0x82bdc1f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x82cf61f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x82cf61f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x82cf61f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x82cf61f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82cf61f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82cf61f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82cf61f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82cf61f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x82cf61f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82cf61f8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x82cf61f8 Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x82fde1f8 Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x82fde1f8 Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82fde1f8 Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82fde1f8 Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x82fde1f8 Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82fde1f8 Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x82fde1f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x82f6f1f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x82f6f1f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x82f6f1f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x82f6f1f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82f6f1f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82f6f1f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82f6f1f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82f6f1f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x82f6f1f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82f6f1f8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x82f6f1f8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x82bf41f8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x82bf41f8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82bf41f8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82bf41f8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x82bf41f8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82bf41f8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x82bf41f8 Size: -

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x82d851f8 Size: -

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x82d851f8 Size: -

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82d851f8 Size: -

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82d851f8 Size: -

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x82d851f8 Size: -

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82d851f8 Size: -

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x82d851f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x82fdf1f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x82fdf1f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x82fdf1f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82fdf1f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82fdf1f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82fdf1f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82fdf1f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x82fdf1f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x82fdf1f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82fdf1f8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x82fdf1f8 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x82dfe500 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x82dfe500 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82dfe500 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82dfe500 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x82dfe500 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x82dfe500 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x82d833f8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x82d833f8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82d833f8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82d833f8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x82d833f8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82d833f8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x82d833f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x82e241f8 Size: -

Object: Hidden Code [Driver: CdfsЅ扏煓Ёం扏楄, IRP_MJ_CREATE]
Process: System Address: 0x82b67500 Size: -

Object: Hidden Code [Driver: CdfsЅ扏煓Ёం扏楄, IRP_MJ_CLOSE]
Process: System Address: 0x82b67500 Size: -

Object: Hidden Code [Driver: CdfsЅ扏煓Ёం扏楄, IRP_MJ_READ]
Process: System Address: 0x82b67500 Size: -

Object: Hidden Code [Driver: CdfsЅ扏煓Ёం扏楄, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82b67500 Size: -

Object: Hidden Code [Driver: CdfsЅ扏煓Ёం扏楄, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82b67500 Size: -

Object: Hidden Code [Driver: CdfsЅ扏煓Ёం扏楄, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82b67500 Size: -

Object: Hidden Code [Driver: CdfsЅ扏煓Ёం扏楄, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82b67500 Size: -

Object: Hidden Code [Driver: CdfsЅ扏煓Ёం扏楄, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82b67500 Size: -

Object: Hidden Code [Driver: CdfsЅ扏煓Ёం扏楄, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82b67500 Size: -

Object: Hidden Code [Driver: CdfsЅ扏煓Ёం扏楄, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82b67500 Size: -

Object: Hidden Code [Driver: CdfsЅ扏煓Ёం扏楄, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82b67500 Size: -

Object: Hidden Code [Driver: CdfsЅ扏煓Ёం扏楄, IRP_MJ_CLEANUP]
Process: System Address: 0x82b67500 Size: -

Object: Hidden Code [Driver: CdfsЅ扏煓Ёం扏楄, IRP_MJ_PNP]
Process: System Address: 0x82b67500 Size: -


Thanks once more!
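The ComboFix and MBAM logs above show, in one place, most of the indicators this kind of hijack leaves on an XP host: a Run entry and a firewall exception for an executable living in the user's Application Data folder, Windows Firewall switched off, both IE and Firefox pointed at an HTTP proxy on localhost:7171, an AutoRun command on a removable drive, and DNS resolvers rewritten to 85.255.112.x. The script below is an added example, not part of this thread and not code from ComboFix, Malwarebytes or RootRepeal; it reads a saved text log in those formats and flags each of those indicators. The sample log inside it is a constructed excerpt of lines copied from the posts above (with a couple of benign lines kept as controls), and the 85.255.112.0/20 resolver range is an assumption used as a placeholder for a real threat-intelligence list.

```python
"""Flag hijack indicators in a ComboFix / Malwarebytes style text log.

Added example: not from the thread above or from any of the tools it mentions.
"""
import ipaddress
import re

# Assumption: 85.255.112.0/20 is only a placeholder "suspect resolver" range,
# chosen because both NameServer values in the MBAM log fall inside it.
SUSPECT_RESOLVER_NETS = [ipaddress.ip_network("85.255.112.0/20")]

# Constructed excerpt of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Win32load"="c:\documents and settings\NAU\Application Data\nSvcAppFlt.exe" [2009-03-18 11264]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\NAU\\Application Data\\nSvcAppFlt.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0231e16e-e75b-11dd-872e-00065b2f9c12}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
uInternet Settings,ProxyServer = http=localhost:7171
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.
"""

SECTION = re.compile(r"^\[(.+)\]$")                      # [HKEY_...] header lines
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"')          # "Name"="path" [date size]
FW_APP = re.compile(r'^"([^"]+)"=\s*$')                  # "path"=  (firewall whitelist)
FW_DISABLED = re.compile(r'^"EnableFirewall"\s*=\s*0\b')
# Executables started from a user profile rather than Program Files / system32.
PROFILE_PATH = re.compile(r"documents and settings|application data|\\users\\", re.I)
IE_PROXY = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?([^:;\s]+):(\d+)", re.I)
FF_PREF = re.compile(r"prefs\.js:\s*(network\.proxy\.\w+)\s*-\s*(\S+)")
AUTORUN = re.compile(r"\\Shell\\AutoRun\\command\s*-\s*(.+)$")
NAMESERVER = re.compile(r"NameServer.*?Data:\s*([\d.,]+)")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def scan(text):
    """Return a list of (indicator, detail) tuples found in the log text."""
    findings = []
    section = ""
    ff = {}  # Firefox proxy prefs are spread over several lines; collect them
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if section.endswith("currentversion\\run"):
            m = RUN_VALUE.match(line)
            if m and PROFILE_PATH.search(m.group(2)):
                findings.append(("autostart-from-profile", f"{m.group(1)} -> {m.group(2)}"))
        elif section.endswith("authorizedapplications\\list"):
            m = FW_APP.match(line)
            if m and PROFILE_PATH.search(m.group(1)):
                findings.append(("firewall-allow-from-profile", m.group(1)))
        elif "firewallpolicy" in section and FW_DISABLED.match(line):
            findings.append(("firewall-disabled", section))
        if (m := AUTORUN.search(line)):
            findings.append(("removable-autorun", m.group(1)))
        if (m := IE_PROXY.search(line)) and m.group(1).lower() in LOOPBACK:
            findings.append(("loopback-proxy-ie", f"{m.group(1)}:{m.group(2)}"))
        if (m := FF_PREF.search(line)):
            ff[m.group(1)] = m.group(2)
        if (m := NAMESERVER.search(line)):
            for ip in m.group(1).split(","):
                addr = ipaddress.ip_address(ip)
                if any(addr in net for net in SUSPECT_RESOLVER_NETS):
                    findings.append(("suspect-dns-resolver", ip))
    # network.proxy.type 1 means "manual proxy"; with a loopback host it is the
    # same interception pattern the IE ProxyServer value shows.
    if ff.get("network.proxy.type") == "1" and ff.get("network.proxy.http", "").lower() in LOOPBACK:
        port = ff.get("network.proxy.http_port", "?")
        findings.append(("loopback-proxy-firefox", f"{ff['network.proxy.http']}:{port}"))
    return findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_LOG):
        print(f"{kind:28} {detail}")
```

Run it against a saved ComboFix.txt or mbam-log file. A loopback proxy is only suspicious on a machine with no local proxy or web-filtering product installed, so treat that finding as a prompt to check what is listening on the port (here 7171) rather than as proof on its own; the same goes for the resolver range, which should come from a maintained list rather than the placeholder above.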

#12 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 11 April 2009 - 03:34 PM

Hello.

You can connect to the internet now as we need it to run the online scan.

Also, update MBAM again. Run a quick scan like last time and post back with the log. Make sure you update it this time. The current definition is 1968, but it may change once you read this post; however, I would like you to update it and run a quick scan again.

Please update your Java and run an online scan.

Update Java to Version 6 Update 12

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
*If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
** If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
*** The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now, under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with:
-MBAM log
-Kaspersky log
-How is your computer running?

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 perrymc
  • Topic Starter
  • Members
  • 39 posts

Posted 12 April 2009 - 04:32 PM

Extremeboy,

It looks like we (You!) are almost there. I continue to be amazed at how all of you are able to identify the problems and quickly work thru the solutions. Without you many of us would be floundering. Thank you!

I struggled a bit actually getting IE7 and Firefox to connect. I knew the internet was working because I could ping the router and pc both directions, plus automatic updates took place (did not allow install just yet as it went straight to install on power down without asking me which ones I want to install (my default)), and my AVG 8 updates worked just fine. Solution: A little Googling and had to reset the Layered Service Provider via Start/Run/Cmd "netsh winsock reset". It worked.

Trying to use the computer and test different programs. Not seeing any issues at present. Restored the Windows firewall and reactivated anti-virus and anti-spyware protection (after running Kaspersky). Not sure why the Malwarebytes updates didn't apply. I copied the most current mbam-rules.exe to the desktop and double-clicked to install (from gt500.org, that might be why). It said it did. Anyway, now have the most current. Here are the results of it and the Kaspersky online scan.

Malwarebytes' Anti-Malware 1.36
Database version: 1970
Windows 5.1.2600 Service Pack 2

4/12/2009 9:49:42 AM
mbam-log-2009-04-12 (09-49-42).txt

Scan type: Quick Scan
Objects scanned: 92234
Time elapsed: 4 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, April 12, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, April 12, 2009 17:36:19
Records in database: 2038212
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 50022
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:10:52

File name / Threat name / Threats count
C:\WINDOWS\system32\cncs32.dll Infected: Trojan-Banker.Win32.Banker.afwk 1

The selected area was scanned.

#14 extremeboy (Malware Response Team, 12,975 posts)

Posted 12 April 2009 - 05:01 PM

Hello.

Thank you for your kind words.

Let's remove one file and do a final checkup.

Download and Run OTMoveIt3
  • Please download OTMoveIt3 by OldTimer and save it to your desktop. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Double click the [image] icon on your desktop.
  • Paste the following code under the [image] area. Do not include the word "Code".
    :files
    C:\WINDOWS\system32\cncs32.dll
    :commands
    [EmptyTemp]
    [Reboot]
  • Click the large [image] button.
  • Copy/Paste the contents under the [image] line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Post back with:
-OTMoveIt log
-New DDS logs

With Regards,
Extremeboy

#15 perrymc (Topic Starter, Members, 39 posts)

Posted 12 April 2009 - 08:53 PM

Here is the info from the logs. Just a little curious, why not just go to the system32 folder and delete cncs32.dll? It seems to be a benign file, although I cannot identify a program it may have belonged to.

Thank you and hope today has been a good one for you!

========== FILES ==========
DllUnregisterServer procedure not found in C:\WINDOWS\system32\cncs32.dll
C:\WINDOWS\system32\cncs32.dll NOT unregistered.
C:\WINDOWS\system32\cncs32.dll moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\NAU\Local Settings\Temporary Internet Files\Content.IE5\MDTPH2P7\topic214415[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NAU\Local Settings\Temporary Internet Files\Content.IE5\362AOY1S\iframe[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NAU\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NAU\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\logishrd\LVPrcInj01.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6bc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04122009_180044

Files moved on Reboot...
File C:\Documents and Settings\NAU\Local Settings\Temporary Internet Files\Content.IE5\MDTPH2P7\topic214415[1].htm not found!
File C:\Documents and Settings\NAU\Local Settings\Temporary Internet Files\Content.IE5\362AOY1S\iframe[1].htm not found!
C:\Documents and Settings\NAU\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\temp\logishrd\LVPrcInj01.dll
C:\WINDOWS\temp\logishrd\LVPrcInj01.dll NOT unregistered.
File move failed. C:\WINDOWS\temp\logishrd\LVPrcInj01.dll scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_6bc.dat not found!



DDS (Ver_09-03-16.01) - NTFSx86
Run by NAU at 18:22:18.77 on Sun 04/12/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.245 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\NAU\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mamma.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERANTISPYWARE.EXE
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nau\applic~1\mozilla\firefox\profiles\gjvszn7m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - mamma
FF - prefs.js: browser.startup.homepage - hxxp://tucson.cox.net/cci/home
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-27 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-27 27656]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-4 298264]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [2008-10-20 32840]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2008-3-22 386688]

=============== Created Last 30 ================

2009-04-12 18:00 <DIR> --d----- C:\_OTMoveIt
2009-04-12 00:00 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-12 00:00 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-11 12:23 <DIR> --d----- c:\docume~1\nau\applic~1\Malwarebytes
2009-04-10 12:07 <DIR> a-dshr-- C:\cmdcons
2009-04-10 12:06 161,792 a------- c:\windows\SWREG.exe
2009-04-10 12:06 98,816 a------- c:\windows\sed.exe
2009-04-09 21:25 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-09 21:25 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 21:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-09 21:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-25 21:27 <DIR> --d----- c:\program files\gBurner

==================== Find3M ====================

2009-04-12 18:03 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-04-12 18:03 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-04-12 13:42 1,744 a------- c:\windows\system32\d3d9caps.dat
2009-02-09 03:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-04 18:03 1,632 a------- c:\windows\system32\d3d8caps.dat
2009-02-04 16:59 589,824 a------- c:\windows\system32\CDDBControlRoxio.dll
2009-02-04 16:59 761,856 a------- c:\windows\system32\CDDBUIRoxio.dll
2009-02-04 16:59 61,440 a------- c:\windows\system32\cdrtc.dll
2009-02-04 16:59 45,056 a------- c:\windows\system32\cdral.dll
2009-02-04 16:49 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-27 16:41 98,304 a------- c:\windows\system32\CmdLineExt.dll
2009-01-20 16:51 18,312 a------- c:\docume~1\nau\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 18:22:50.73 ===============


I await ....
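The two posts above show the cleanup loop this thread follows: a scanner report names a file, the helper turns it into an OTMoveIt3 `:files`/`:commands` script, and the OTMoveIt3 log records what happened to it. The Python below is an added example, not code from the thread, from OTMoveIt3 or from Kaspersky; it parses the two report formats exactly as they appear in the posts (the sample text is constructed by copying lines from the logs above), generates the script, and then checks whether each detected file was actually moved rather than only scheduled or not found. The function names and the set of recognised log phrases are my own assumptions based on the posted log text.

```python
import re

# Constructed sample: the detection lines from the Kaspersky Online Scanner 7 report posted above.
KASPERSKY_REPORT = """\
File name / Threat name / Threats count
C:\\WINDOWS\\system32\\cncs32.dll Infected: Trojan-Banker.Win32.Banker.afwk 1

The selected area was scanned.
"""

# Constructed sample: the FILES/COMMANDS sections of the OTMoveIt3 log posted above.
OTMOVEIT_LOG = """\
========== FILES ==========
DllUnregisterServer procedure not found in C:\\WINDOWS\\system32\\cncs32.dll
C:\\WINDOWS\\system32\\cncs32.dll NOT unregistered.
C:\\WINDOWS\\system32\\cncs32.dll moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
File delete failed. C:\\WINDOWS\\temp\\logishrd\\LVPrcInj01.dll scheduled to be deleted on reboot.
Temp folders emptied.

Files moved on Reboot...
File C:\\WINDOWS\\temp\\Perflib_Perfdata_6bc.dat not found!
"""

# One Kaspersky detection line: "<drive path> Infected: <threat name> <count>".
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")


def parse_kaspersky(report):
    """Return [(path, threat_name), ...] for every 'Infected:' line in the report."""
    hits = []
    for line in report.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("threat")))
    return hits


def build_otmoveit_script(paths, empty_temp=True, reboot=True):
    """Compose the text pasted into OTMoveIt3: a :files list followed by :commands."""
    lines = [":files", *paths, ":commands"]
    if empty_temp:
        lines.append("[EmptyTemp]")
    if reboot:
        lines.append("[Reboot]")
    return "\n".join(lines)


# Log phrases treated as a per-file outcome (assumed from the log text in the thread).
_MOVED = " moved successfully."
_FAILED_PREFIX, _FAILED_SUFFIX = "File move failed. ", " scheduled to be moved on reboot."
_MISSING_PREFIX, _MISSING_SUFFIX = "File ", " not found!"


def parse_otmoveit_log(log):
    """Map each path in the FILES section (and the post-reboot list) to its outcome."""
    outcome = {}
    in_files = False
    for line in log.splitlines():
        if line.startswith("=========="):
            in_files = "FILES" in line       # '========== COMMANDS ==========' ends the section
            continue
        if line.startswith("Files moved on Reboot"):
            in_files = True                  # deferred moves are reported after the reboot
            continue
        if not in_files:
            continue
        if line.endswith(_MOVED):
            outcome[line[:-len(_MOVED)]] = "moved"
        elif line.startswith(_FAILED_PREFIX) and line.endswith(_FAILED_SUFFIX):
            outcome[line[len(_FAILED_PREFIX):-len(_FAILED_SUFFIX)]] = "pending reboot"
        elif line.startswith(_MISSING_PREFIX) and line.endswith(_MISSING_SUFFIX):
            path = line[len(_MISSING_PREFIX):-len(_MISSING_SUFFIX)]
            outcome.setdefault(path, "not found")   # keep 'moved' if it was moved earlier
    return outcome


def verify_cleanup(report, log):
    """For every file the scanner flagged, report what OTMoveIt3 did with it."""
    outcomes = parse_otmoveit_log(log)
    return {path: outcomes.get(path, "no record") for path, _ in parse_kaspersky(report)}


if __name__ == "__main__":
    hits = parse_kaspersky(KASPERSKY_REPORT)
    print(build_otmoveit_script([path for path, _ in hits]))
    for path, status in verify_cleanup(KASPERSKY_REPORT, OTMOVEIT_LOG).items():
        print(f"{status:>14}  {path}")
```

The point of `verify_cleanup` is the last step the helper asks for in the thread: the scanner's detection list is compared against the tool's log so that a file that was only scheduled for reboot, or never mentioned at all, is not mistaken for a removed one. Items under the COMMANDS section (temp-folder cleanup) are deliberately ignored, since they are not the files the scanner flagged.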
