
Can't remove this Trojan :(


3 replies to this topic

#1 DoubleDolomite

DoubleDolomite

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:10 PM

Posted 25 April 2009 - 08:47 AM

Hello, Eset NOD32 has detected this:

Operating memory - Win32/Rootkit.Agent.ODG trojan - unable to clean


When I run safe mode and try to remove it using Eset NOD32 my computer shuts off mid-process. I assume it's due to the virus.

Here is my Combofix log:


ComboFix 09-04-25.A1 - Marc 04/25/2009 9:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.471 [GMT -4:00]
Running from: c:\documents and settings\Marc\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Marc\Application Data\Adobe\crc.dat
C:\install.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Packet.dll
c:\windows\system32\Process.exe
c:\windows\system32\pthreadVC.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\WS2Fix.exe
c:\windows\TEMP\logishrd\LVPrcInj03.dll

----- BITS: Possible infected sites -----

hxxp://drm.wippiespace.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.

2009-04-25 00:35 . 2009-04-25 00:41 76751 ----a-w c:\windows\War3Unin.dat
2009-04-25 00:35 . 2009-04-25 00:40 2829 ----a-w c:\windows\War3Unin.pif
2009-04-25 00:35 . 2009-04-25 00:40 139264 ----a-w c:\windows\War3Unin.exe
2009-04-24 22:55 . 2009-04-24 22:55 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-23 13:37 . 2009-04-23 15:01 -------- d-----w c:\program files\Defraggler
2009-04-22 00:19 . 2009-04-22 01:10 -------- d-----w c:\program files\StarCraft
2009-04-21 21:59 . 2009-04-21 22:02 -------- d-----w c:\documents and settings\Marc\Contacts
2009-04-21 21:58 . 2009-04-21 21:58 -------- d-----w c:\program files\MSN Messenger
2009-04-19 23:19 . 2009-04-19 23:20 -------- d-----w C:\rsit
2009-04-19 23:05 . 2009-04-19 23:20 -------- d-----w c:\documents and settings\Marc\SmitfraudFix
2009-04-17 21:36 . 2009-04-17 21:36 -------- d-----w c:\documents and settings\Marc\Local Settings\Application Data\Installer3708
2009-04-17 21:15 . 2009-04-17 21:16 -------- d-----w c:\documents and settings\Marc\Local Settings\Application Data\Installer3984
2009-04-17 20:40 . 2009-04-25 13:34 89448 ----a-w c:\windows\system32\drivers\52e68a70.sys
2009-04-17 20:19 . 2009-04-17 20:19 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-17 20:18 . 2009-04-17 20:19 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-17 20:18 . 2009-04-17 20:18 -------- d-----w c:\documents and settings\Marc\Application Data\SUPERAntiSpyware.com
2009-04-17 20:18 . 2009-04-17 20:18 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-17 20:12 . 2009-04-17 20:12 0 ----a-w c:\windows\system32\8104297.jun
2009-04-17 20:12 . 2009-04-17 20:12 -------- d-----w c:\program files\Browser Hijack Recover
2009-04-17 19:55 . 2009-04-17 19:55 -------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2009-04-17 17:48 . 2009-04-19 23:20 -------- d-----w c:\program files\Trend Micro
2009-04-17 03:46 . 2009-04-17 03:46 108336 ----a-w c:\windows\system32\mswinsck.ocx
2009-04-16 15:51 . 2009-04-16 16:02 -------- d-----w c:\program files\Soulseek
2009-04-16 05:24 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 05:24 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 05:24 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 05:24 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 05:24 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 05:24 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 05:24 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 05:24 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 05:24 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 05:23 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 05:23 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 05:23 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-12 00:42 . 2009-04-12 00:42 -------- d-----w c:\program files\WinSCP
2009-04-06 16:57 . 2009-04-06 16:58 -------- d-----w c:\program files\Hero Editor
2009-04-06 16:57 . 2009-04-06 16:57 249856 ------w c:\windows\Setup1.exe
2009-04-06 16:57 . 2009-04-06 16:57 73216 ----a-w c:\windows\ST6UNST.EXE
2009-04-04 03:27 . 2009-04-04 03:27 21840 ----a-w c:\windows\system32\SIntfNT.dll
2009-04-04 03:27 . 2009-04-04 03:27 17212 ----a-w c:\windows\system32\SIntf32.dll
2009-04-04 03:27 . 2009-04-04 03:27 12067 ----a-w c:\windows\system32\SIntf16.dll
2009-04-04 03:01 . 2009-04-04 03:28 35457 ----a-w c:\windows\DIIUnin.dat
2009-04-04 03:01 . 2009-04-04 03:01 94208 ----a-w c:\windows\DIIUnin.exe
2009-04-04 03:01 . 2009-04-04 03:01 2829 ----a-w c:\windows\DIIUnin.pif
2009-04-04 02:40 . 2009-04-07 04:02 -------- d-----w c:\program files\Diablo II
2009-04-03 23:57 . 2009-04-03 23:57 -------- d-----w C:\D2LOD-1.12A-enUS
2009-04-03 23:55 . 2009-04-03 23:55 -------- d-----w C:\D2-1.12A-enUS
2009-03-30 13:54 . 2009-03-30 13:55 -------- d-----w c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 12:05 . 2008-06-28 16:37 -------- d-----w c:\program files\FlashGet
2009-04-25 04:24 . 2007-05-23 15:54 -------- d-----w c:\documents and settings\Marc\Application Data\.purple
2009-04-25 01:52 . 2006-08-30 01:27 -------- d-----w c:\documents and settings\Marc\Application Data\Skype
2009-04-25 01:20 . 2008-04-28 04:26 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-25 00:47 . 2008-12-23 02:43 -------- d-----w c:\documents and settings\Marc\Application Data\Hamachi
2009-04-25 00:41 . 2008-10-16 03:17 -------- d-----w c:\program files\Warcraft III
2009-04-25 00:30 . 2006-10-27 10:33 -------- d-----w c:\documents and settings\Marc\Application Data\Azureus
2009-04-24 22:17 . 2008-08-30 19:51 -------- d-----w c:\program files\GGPO
2009-04-24 02:20 . 2009-03-25 00:33 -------- d-----w c:\documents and settings\Marc\Application Data\Audacity
2009-04-24 01:48 . 2007-05-23 16:02 -------- d-----w c:\documents and settings\Marc\Application Data\gtk-2.0
2009-04-24 01:21 . 2007-03-21 14:41 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-23 00:39 . 2008-02-13 05:15 -------- d-----r c:\program files\Skype
2009-04-23 00:39 . 2008-02-13 05:15 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-04-22 00:22 . 2008-07-09 14:27 -------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-04-21 01:37 . 2007-10-18 04:54 91321 ----a-w C:\moduleName.txt
2009-04-20 17:27 . 2006-08-25 07:30 91208 -c--a-w c:\documents and settings\Marc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-19 23:20 . 2009-04-19 23:06 2450 ----a-w C:\rapport.txt
2009-04-17 17:16 . 2006-09-01 16:59 -------- d-----w c:\program files\LimeWire
2009-04-17 03:55 . 2008-09-02 03:55 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-16 16:12 . 2006-09-01 17:00 -------- d-----w c:\documents and settings\Marc\Application Data\LimeWire
2009-04-16 14:50 . 2006-10-27 10:32 -------- d-----w c:\program files\Azureus
2009-04-16 13:58 . 2006-08-25 20:40 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-11 21:06 . 2008-02-19 02:47 -------- d-----w c:\documents and settings\Marc\Application Data\U3
2009-04-09 06:53 . 2006-12-03 23:42 -------- d-----w c:\program files\mIRC
2009-04-06 19:32 . 2008-09-02 03:55 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-09-02 03:55 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-29 15:46 . 2008-03-02 21:27 -------- d-----w c:\program files\Dl_cats
2009-03-25 16:20 . 2007-09-10 19:44 -------- d-----w c:\program files\SystemRequirementsLab
2009-03-25 16:18 . 2007-09-10 19:20 -------- d-----w c:\documents and settings\Marc\Application Data\SystemRequirementsLab
2009-03-25 00:33 . 2009-03-25 00:32 -------- d-----w c:\program files\Audacity 1.3 Beta (Unicode)
2009-03-23 19:35 . 2009-03-23 19:35 -------- d-----w c:\program files\Audacity
2009-03-22 23:29 . 2006-08-25 04:15 98304 ----a-w c:\windows\DUMP7327.tmp
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-06 14:22 . 2004-08-04 09:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-01-09 15:08 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-03 00:18 . 2006-01-09 15:08 826368 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-02-28 18:59 . 2009-02-28 18:59 -------- d-----w c:\documents and settings\Marc\Application Data\Winamp
2009-02-28 18:59 . 2008-04-30 15:23 -------- d-----w c:\program files\Winamp
2009-02-28 04:54 . 2004-08-04 09:00 636072 ----a-w c:\windows\system32\dllcache\iexplore.exe
2009-02-20 10:20 . 2007-05-09 03:43 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2004-08-04 09:00 70656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2004-08-04 09:00 161792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2009-02-09 12:10 . 2004-08-04 09:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 09:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 09:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 09:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-10-16 03:15 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-04 09:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2008-10-16 03:14 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 09:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-10-16 03:14 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-16 03:14 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 11:06 . 2005-09-28 21:02 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 09:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:39 . 2004-08-04 09:00 35328 ----a-w c:\windows\system32\dllcache\sc.exe
2009-02-06 10:32 . 2008-10-16 03:14 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 10:32 . 2005-09-28 20:35 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 19:59 . 2004-08-04 09:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-02-13 05:15 . 2008-02-13 05:15 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-08-25 07:30 . 2006-08-25 07:30 127 ----a-w c:\documents and settings\Marc\Local Settings\Application Data\fusioncache.dat
2008-09-21 17:54 . 2008-09-21 17:54 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092120080922\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Marc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-20 133104]
"SansaDispatch"="c:\documents and settings\Marc\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2008-11-28 79872]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-09 352256]
"Flashget"="c:\program files\FlashGet\FlashGet.exe" [2007-09-25 2007088]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-09-12 36352]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"SymAppCore"=2 (0x2)
"Symantec Core LC"=3 (0x3)
"Speed Disk service"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RichVideo"=2 (0x2)
"RegSrvc"=2 (0x2)
"ose"=3 (0x3)
"O&O Defrag"=2 (0x2)
"NProtectService"=2 (0x2)
"McTaskManager"=2 (0x2)
"McShield"=2 (0x2)
"McAfeeFramework"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LiveUpdate"=3 (0x3)
"LightScribeService"=2 (0x2)
"IDriverT"=3 (0x3)
"EvtEng"=2 (0x2)
"CyberLink Media Library Service"=2 (0x2)
"CVPND"=2 (0x2)
"CLTNetCnService"=2 (0x2)
"CLSched"=2 (0x2)
"CLCapSvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"btwdins"=2 (0x2)
"AWService"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"RTHDCPL"=RTHDCPL.EXE
"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 TfFsMon;TfFsMon; [x]
R0 TfSysMon;TfSysMon; [x]
R1 atitray;atitray; [x]
R3 AVerE506;AVerE506 service;c:\windows\system32\DRIVERS\AVerE506.sys [2006-03-20 520192]
R3 AVerM115;AVerM115 service;c:\windows\system32\DRIVERS\AVerM115.sys [2006-03-20 1274880]
R3 ICAM3NT5;Intel USB Video Camera III;c:\windows\system32\Drivers\Icam3.sys [2001-08-17 141056]
R3 leafnets;Leaf Networks Adapter;c:\windows\system32\DRIVERS\leafnets.sys [2007-05-02 55296]
R3 NdisFilt;OSA NdisFilter Protocol;c:\windows\system32\Drivers\NdisFilt.sys [2005-09-13 4392]
R3 NTProcDrv;Process creation detector for NT.; [x]
R3 PAC7302;PC VGA Camer@ Plus;c:\windows\system32\DRIVERS\PAC7302.SYS [2007-06-14 457856]
R3 PsSdk41;PsSdk41;c:\windows\system32\Drivers\pssdk41.sys [2008-07-15 36928]
R3 TfNetMon;TfNetMon; [x]
R3 WPRO_40_1123;WinPcap Packet Driver (WPRO_40_1123); [x]
R3 WPSYM24;WildPackets Symbol-OEM Wireless LAN Card Driver;c:\windows\system32\DRIVERS\WPSYM24.sys [2003-09-24 18432]
S0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-07-09 40368]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-02-06 106208]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2009-02-06 93336]
S1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2005-10-15 12106]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-02-06 727720]
S2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2006-01-23 4096]
S2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2006-01-23 78208]
S2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2005-06-30 7296]
S2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2005-01-14 4010]
S3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\Drivers\lv321av.sys [2006-11-28 847392]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2009-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-04-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-28 17:58]

2009-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3595138701-2782903559-139868061-1006.job
- c:\documents and settings\Marc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-20 16:19]
.
.
------- Supplementary Scan -------
.
mWindow Title =
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uInternet Settings,ProxyOverride = local;*.local
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Marc\Application Data\Mozilla\Firefox\Profiles\2cm6k6ak.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Dictionary.com
FF - component: c:\documents and settings\Marc\Application Data\Mozilla\Firefox\Profiles\2cm6k6ak.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Marc\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.08
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 600000
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: general.useragent.extra.zencast -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 09:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16

scanning hidden files ...


c:\windows\system32\drivers\ovfsthxexrvqaiq.sys 83456 bytes executable
c:\docume~1\Marc\LOCALS~1\Temp\ovfsthxqejcbwmirp.tmp 343040 bytes executable
c:\docume~1\Marc\LOCALS~1\Temp\ovfsthxrnkrbxdmsb.tmp 132096 bytes executable
c:\docume~1\Marc\LOCALS~1\Temp\ovfsthxrpevstllbv.tmp 106496 bytes executable
c:\windows\system32\ovfsthxdoyrejfq.dll 18432 bytes executable
c:\windows\system32\ovfsthxmltltbqy.dll 60928 bytes executable
c:\windows\system32\ovfsthxmsfokhwe.dat 43 bytes
c:\windows\system32\ovfsthxrvknbmqc.dll 18432 bytes executable
c:\windows\system32\ovfsthxxfujyiur.dat 679649 bytes

scan completed successfully
hidden files: 9

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthxvpavnowx]
"imagepath"="\systemroot\system32\drivers\ovfsthxexrvqaiq.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\52e68a70]
"ImagePath"="\SystemRoot\System32\drivers\52e68a70.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-3595138701-2782903559-139868061-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ce,d2,33,09,82,8e,fa,9f,ca,49,76,ed,b9,8d,1d,0f,23,ce,7e,5c,86,b5,de,
dc,cd,41,bd,e8,b8,53,d8,de,d4,fe,59,42,09,cf,9e,a9,2a,bd,d3,4f,9d,22,f7,52,\
"??"=hex:ab,e8,a8,f6,8e,ab,56,43,e0,4b,f3,36,ee,b1,52,a0

[HKEY_USERS\s-1-5-21-3595138701-2782903559-139868061-1006\Software\SecuROM\License information*]
"datasecu"=hex:63,0e,23,00,11,5b,4e,d4,2d,37,01,85,e7,5d,01,15,63,ad,e5,87,99,
89,78,b3,b6,77,06,a3,c7,bb,9b,32,72,6d,e0,fe,f7,ec,17,49,f0,80,11,ac,86,96,\
"rkeysecu"=hex:9f,ca,16,75,83,0a,d6,fd,d2,a5,ab,cb,c1,0d,12,f7

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG08.00.00.01WORKSTATION"="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"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1780)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(6876)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\FlashGet\fgmgr.dll
c:\acer\Empowering Technology\ePower\SysHook.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Completion time: 2009-04-25 9:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-25 13:40

Pre-Run: 50,170,193,408 bytes free
Post-Run: 50,081,319,424 bytes free

382 --- E O F --- 2009-04-16 14:02

Thank you if you can help!!
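A triage helper for a log like the one above, added here as an example (it is not part of the post, and not ComboFix or catchme code): it pulls the catchme "hidden files" list and the Services entries out of the text, reports which service ImagePath points at a hidden file, and shows the name prefix the hidden files share. The sample log is an excerpt reconstructed from the lines in the post.

```python
"""Parse the catchme and service sections of a ComboFix log and
cross-reference them. Added example; the sample below is an excerpt
reconstructed from the thread's log, not a fresh scan."""
import os
import re
from typing import Dict, List, Tuple

# Excerpt of the posted log (constructed from the lines in the thread).
SAMPLE_LOG = r"""
scanning hidden files ...

c:\windows\system32\drivers\ovfsthxexrvqaiq.sys 83456 bytes executable
c:\docume~1\Marc\LOCALS~1\Temp\ovfsthxqejcbwmirp.tmp 343040 bytes executable
c:\docume~1\Marc\LOCALS~1\Temp\ovfsthxrnkrbxdmsb.tmp 132096 bytes executable
c:\docume~1\Marc\LOCALS~1\Temp\ovfsthxrpevstllbv.tmp 106496 bytes executable
c:\windows\system32\ovfsthxdoyrejfq.dll 18432 bytes executable
c:\windows\system32\ovfsthxmltltbqy.dll 60928 bytes executable
c:\windows\system32\ovfsthxmsfokhwe.dat 43 bytes
c:\windows\system32\ovfsthxrvknbmqc.dll 18432 bytes executable
c:\windows\system32\ovfsthxxfujyiur.dat 679649 bytes

scan completed successfully
hidden files: 9

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthxvpavnowx]
"imagepath"="\systemroot\system32\drivers\ovfsthxexrvqaiq.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\52e68a70]
"ImagePath"="\SystemRoot\System32\drivers\52e68a70.sys"
"""

# One catchme hidden-file line: "<path> <size> bytes[ executable]".
HIDDEN_RE = re.compile(
    r"^(?P<path>[a-z]:\\.+?) (?P<size>\d+) bytes(?P<exe> executable)?$",
    re.IGNORECASE | re.MULTILINE,
)
# Service key header and the ImagePath value that follows it.
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]$",
    re.IGNORECASE,
)
IMAGEPATH_RE = re.compile(r'^"imagepath"="(?P<path>[^"]+)"$', re.IGNORECASE)


def parse_hidden_files(log: str) -> List[Tuple[str, int, bool]]:
    """Return (path, size, is_executable) for every hidden file catchme listed."""
    return [
        (m.group("path").lower(), int(m.group("size")), bool(m.group("exe")))
        for m in HIDDEN_RE.finditer(log)
    ]


def parse_services(log: str) -> Dict[str, str]:
    """Map service name -> ImagePath for the Services keys ComboFix printed."""
    services: Dict[str, str] = {}
    current = None
    for line in log.splitlines():
        key = SERVICE_KEY_RE.match(line)
        if key:
            current = key.group("name")
            continue
        val = IMAGEPATH_RE.match(line)
        if val and current:
            services[current] = val.group("path")
    return services


def basename(path: str) -> str:
    """Lower-cased file name; lets \systemroot\... match c:\windows\..."""
    return path.rsplit("\\", 1)[-1].lower()


def services_backed_by_hidden_files(log: str) -> Dict[str, str]:
    """Services whose driver image is one of the files catchme found hidden."""
    hidden = {basename(p) for p, _, _ in parse_hidden_files(log)}
    return {n: p for n, p in parse_services(log).items() if basename(p) in hidden}


def common_name_prefix(log: str, min_len: int = 4) -> str:
    """Prefix shared by all hidden file names, if it is long enough to matter."""
    names = [basename(p) for p, _, _ in parse_hidden_files(log)]
    prefix = os.path.commonprefix(names) if names else ""
    return prefix if len(prefix) >= min_len else ""


if __name__ == "__main__":
    files = parse_hidden_files(SAMPLE_LOG)
    print(f"hidden files: {len(files)} ({sum(e for _, _, e in files)} executable)")
    print(f"shared name prefix: {common_name_prefix(SAMPLE_LOG) or '(none)'}")
    for name, path in services_backed_by_hidden_files(SAMPLE_LOG).items():
        print(f"service {name} loads hidden driver {path}")
```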

#2 DoubleDolomite

DoubleDolomite
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:10 PM

Posted 25 April 2009 - 09:15 AM

I downloaded and ran GMER rootkit Detector and Remover and my computer shut off mid-scan again.


I have no idea what to do.

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:06:10 PM

Posted 07 May 2009 - 08:44 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:06:10 PM

Posted 12 May 2009 - 06:15 PM

Due to the lack of feedback, this topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
