Trojan/rootkit infection (netsik and ksi32sk)
10 replies to this topic

#1 perrymc


Posted 21 May 2009 - 06:11 PM

I recently replaced my AVG Free with Avira AntiVir because AVG seems to slow my older system down more than I would like. I am running an 8- or 9-year-old Dell Optiplex GX400 with Windows XP. Along with the antivirus I have SUPERAntiSpyware and occasionally run MBAM. I use the MS Firewall (have not installed the free ZoneAlarm yet) and I have a firewalled router.

I made the mistake of googling what appeared to be some Windows Media Player codecs then going to a web site to have a look (called SpaceKeys something at www upgrade-media-player dot com DON’T GO THERE). Just surfing to the site I got hit. I did not download any codecs or do anything else that I could tell. Go Figure … my AVG plugin would probably have let me know the link was not safe … not sure.

I have run both MalwareBytes and Avira AntiVir multiple times but the rootkit persists. One file, 1042o.exe, could not be opened by Avira, and Windows Explorer could not see it (even in Safe Mode). MBAM consistently quarantines multiple entries but they are right back with every reboot (even when running MBAM in Safe Mode).

I am not getting any popups or indication I have a problem other than the system being very sluggish. I am not seeing or hearing the hard drive running non-stop. I am keeping my internet Ethernet unplugged except for specific actions like updating MBAM and Avira and running the Kaspersky online virus scanner (which came back as clean!).

So I have run DDS.scr, Kaspersky, MBAM, and GMER, in this order, today. Here are the results. I zipped and attached Attach.txt.

I don't expect to be at this computer from 23 May until late on 25 May. I know you are all very, very busy and probably won't get to this that soon anyway, but I just wanted you to know in case.

Thank you and talk to you soon

DDS (Ver_09-05-14.01) - NTFSx86
Run by NAU at 8:16:23.39 on Thu 05/21/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.272 [GMT -7:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
svchost.exe "C:\WINDOWS\system32\1042o.exe"
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\NAU\NAU.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\NAU\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mamma.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERANTISPYWARE.EXE
uRun: [NAU] c:\documents and settings\nau\NAU.exe /i
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-5-15 11840]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 AntiVirScheduler;Avira AntiVir Personal – Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-5-15 68865]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S2 AntiVirService;Avira AntiVir Personal – Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-5-15 147201]
S2 netsik;netsik;c:\windows\system32\drivers\netsik.sys [2008-3-24 29824]
S2 TermServiceSSDPSRV;Terminal Services TermServiceSSDPSRV;c:\windows\system32\1042o.exe srv --> c:\windows\system32\1042o.exe srv [?]
S3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-5-15 49472]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [2008-10-20 32840]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2008-3-22 386688]

=============== Created Last 30 ================

2009-05-19 11:24 32 a--s---- c:\windows\system32\1279876501.dat
2009-05-19 11:23 53,248 ---shr-- c:\windows\system32\1042o.exe
2009-05-19 11:23 20,530 ----h--- c:\documents and settings\nau\NAU.exe
2009-05-15 22:36 <DIR> --d----- c:\program files\Avira
2009-05-15 22:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-05-13 23:50 <DIR> --d----- c:\windows\system32\NtmsData
2009-05-12 08:54 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-05-12 08:54 85,504 a------- c:\windows\system32\ff_vfw.dll
2009-05-12 08:54 50,688 a------- c:\windows\system32\ff_acm.acm
2009-05-12 08:54 60,273 a------- c:\windows\system32\pthreadGC2.dll
2009-05-12 08:54 <DIR> --d----- c:\program files\ffdshow
2009-05-06 18:23 <DIR> --d----- c:\windows\Cache
2009-05-06 12:46 <DIR> --d----- c:\docume~1\nau\applic~1\TrueCrypt
2009-05-06 12:40 215,872 a------- c:\windows\system32\drivers\truecrypt.sys
2009-05-06 12:40 <DIR> --d----- c:\program files\TrueCrypt

==================== Find3M ====================

2009-05-21 07:46 29,824 a------- c:\windows\system32\drivers\netsik.sys
2009-05-21 07:24 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-05-21 07:24 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-05-10 17:42 1,744 a------- c:\windows\system32\d3d9caps.dat
2009-04-15 14:25 18,872 a------- c:\docume~1\nau\applic~1\GDIPFONTCACHEV1.DAT
2009-04-12 00:00 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-06 07:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 11:09 78,336 a------- c:\windows\system32\ieencode.dll

============= FINISH: 8:16:40.36 ===============


Kaspersky Results (ran about noon my time)

Thursday, May 21, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, May 21, 2009 17:48:45
Records in database: 2210998


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Critical Areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\NAU\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics
Files scanned 32612
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 01:03:10

No malware has been detected. The scan area is clean.
The selected area was scanned.

____________________________________________________
MBAM Results

Malwarebytes' Anti-Malware 1.36
Database version: 2161
Windows 5.1.2600 Service Pack 2

5/21/2009 2:46:39 PM
mbam-log-2009-05-21 (14-46-39).txt

Scan type: Quick Scan
Objects scanned: 112542
Time elapsed: 6 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 95
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\netsik (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\netsik (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsik (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ksi32sk (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVWNT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyDBG.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regtool.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2SERVICE.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGUARD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCAN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CASECURITYCENTER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FAMEH32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVSERVER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPWIN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSGK32ST.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSMA32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArcaCheck.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcavir.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashEnhcd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcls.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz4.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz_se.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdinit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caavguiscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccupdate.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpupdat.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRWEB32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxup.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSTUB.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\preupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pskdr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfFnUp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vba32arkit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vba32ldr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zoneband.dll (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ksi32sk (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\netsik.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\ksi32sk.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

____________________________________________
GMer Results

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-21 15:48:34
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT spvy.sys ZwCreateKey [0xF84960E0]
SSDT F8D0DA6C ZwCreateThread
SSDT spvy.sys ZwEnumerateKey [0xF84B4CA2]
SSDT spvy.sys ZwEnumerateValueKey [0xF84B5030]
SSDT spvy.sys ZwOpenKey [0xF84960C0]
SSDT F8D0DA58 ZwOpenProcess
SSDT F8D0DA5D ZwOpenThread
SSDT spvy.sys ZwQueryKey [0xF84B5108]
SSDT spvy.sys ZwQueryValueKey [0xF84B4F88]
SSDT spvy.sys ZwSetValueKey [0xF84B519A]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF5988F20]
SSDT F8D0DA62 ZwWriteVirtualMemory

INT 0x39 ? 82FDFBF8
INT 0x39 ? 82C2CF00
INT 0x3A ? 82C2CF00
INT 0x3B ? 82C2CF00
INT 0x3B ? 82C2CF00
INT 0x3B ? 82C2CF00
INT 0x3E ? 82F6FBF8
INT 0x3F ? 82F6FBF8

---- Kernel code sections - GMER 1.0.15 ----

? pzwpksrw.sys The system cannot find the file specified. !
? spvy.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F7E6162C 5 Bytes JMP 82C2C4E0
.text a6nmml3w.SYS F7DC4386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text a6nmml3w.SYS F7DC43AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a6nmml3w.SYS F7DC43C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text a6nmml3w.SYS F7DC43C9 1 Byte [2E]
.text a6nmml3w.SYS F7DC43C9 11 Bytes [2E, 00, 00, 00, 5A, 02, 00, ...]
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82FDF2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F84C7C4C] spvy.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F84C7CA0] spvy.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F8497040] spvy.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F849713C] spvy.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F84970BE] spvy.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F84977FC] spvy.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F84976D2] spvy.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82C2C5E0
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F84A7048] spvy.sys
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!RtlInitUnicodeString] 2296E852
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!swprintf] 478B0000
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!KeSetEvent] 50016A40
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 1CAC8E8D
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoGetConfigurationInformation] E8510000
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] 00002284
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!MmFreeMappingAddress] 6A18538B
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 868D5200
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 00001C98
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!MmUnmapIoSpace] 2272E850
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 4B8B0000
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IofCompleteRequest] 51016A18
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 1CB4968D
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IofCallDriver] E8520000
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 00002260
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 8A05478A
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoConnectInterrupt] 001CBB8E
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoDetachDevice] 30C48300
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!KeWaitForSingleObject] 1CBD8688
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!KeInitializeEvent] 80E90000
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] C6000000
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!RtlInitAnsiString] 001CBB86
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 438B0100
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoQueueWorkItem] 8E8D5018
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!MmMapIoSpace] 00001C90
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 2232E851
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoReportDetectedDevice] 538B0000
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoReportResourceForDetection] 52016A18
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 1CAC868D
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!NlsMbCodePageTag] E8500000
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!PoRequestPowerIrp] 00002220
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 8A05478A
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 001CBB8E
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!sprintf] 18C48300
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 1CBD8688
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!ObfDereferenceObject] 43EB0000
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 320C538A
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 88F93BC0
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!ZwClose] 001CBB96
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] F6317300
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] 74070647
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 75C0841A
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!PoStartNextPowerIrp] 05578A0B
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!PoCallDriver] 968801B0
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoCreateDevice] 00001CBD
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 57B60F66
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 533B6604
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!ZwOpenKey] 03087408
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 72F93B3F
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoStartTimer] 8A09EBDA
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!KeInitializeTimer] 86880547
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoInitializeTimer] 00001CBD
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!KeInitializeDpc] 88084B8A
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!KeInitializeSpinLock] 001CBE8E
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoInitializeIrp] 40578B00
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!ZwCreateKey] 8D52006A
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 001CC086
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] B1E85000
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!ZwSetValueKey] 8B000021
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!KeInsertQueueDpc] 001CB88E
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] BC968B00
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoStartPacket] 8900001C
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 001CC48E
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] C8968900
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoFreeMdl] 8B00001C
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!MmUnlockPages] 016A4047
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] CCC68150
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 5600001C
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 002187E8
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 18C48300
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!KeSynchronizeExecution] 5D5B5E5F
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoStartNextPacket] CCCCCCC3
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!KeBugCheckEx] CCCCCCCC
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] CCCCCCCC
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!KeSetTimer] CCCCCCCC
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!KeCancelTimer] 8BEC8B55
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!_allmul] 00C73445
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!MmProbeAndLockPages] 00000000
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!_except_handler3] 830C458B
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!PoSetPowerState] C0840CEC
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 053C0D74
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 57B80974
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!_aulldiv] 8B000000
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!strstr] 56C35DE5
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!_strupr] 8D08758B
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!KeQuerySystemTime] 8D51FC4D
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 8D52FD55
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!KeTickCount] 8D51FE4D
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 8D52FF55
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoDeleteDevice] 8D51F84D
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 5052F455
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoAllocateWorkItem] EACAE856
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoAllocateIrp] C483FFFF
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoAllocateMdl] 0FC08520
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 0001B185
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!MmLockPagableDataSection] 46B70F00
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] F44D8B48
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] C1815753
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!ExFreePoolWithTag] 00002590
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoFreeIrp] 467C8D51
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!IoFreeWorkItem] 76F6E84A
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!InitSafeBootMode] D88BFFFF
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!RtlCompareMemory] 8504C483
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 5F0A75DB
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!memmove] 5B08438D
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[ntoskrnl.exe!MmHighestUserAddress] 5DE58B5E
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[HAL.dll!KfAcquireSpinLock] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[HAL.dll!READ_PORT_UCHAR] 8D3F0304
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[HAL.dll!KeGetCurrentIrql] CB033043
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[HAL.dll!KfRaiseIrql] 0673C13B
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[HAL.dll!KfLowerIrql] C13B0003
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[HAL.dll!HalGetInterruptVector] 8366FA72
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[HAL.dll!HalTranslateBusAddress] 75000E7B
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[HAL.dll!KeStallExecutionProcessor] 0B7D80E3
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[HAL.dll!KfReleaseSpinLock] 307B8D00
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00AA840F
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 6A000E7A
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[HAL.dll!WRITE_PORT_UCHAR] C6647400
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[WMILIB.SYS!WmiSystemControl] 4F8B0200
IAT \SystemRoot\System32\Drivers\a6nmml3w.SYS[WMILIB.SYS!WmiCompleteRequest] 968D5140

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[824] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003B2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[824] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003B2CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[824] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003B2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[824] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003B2CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[2228] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009B2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[2228] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009B2CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[2228] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009B2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[2228] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009B2CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[2684] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A92F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[2684] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A92CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[2684] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A92D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[2684] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A92CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[2768] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00EB2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[2768] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00EB2CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[2768] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00EB2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[2768] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00EB2CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Java\jre6\bin\jusched.exe[2780] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003E2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Java\jre6\bin\jusched.exe[2780] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003E2CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Java\jre6\bin\jusched.exe[2780] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003E2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Java\jre6\bin\jusched.exe[2780] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003E2CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[2804] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00AB2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[2804] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00AB2CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[2804] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00AB2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[2804] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00AB2CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\NOTEPAD.EXE[2852] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009C2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\NOTEPAD.EXE[2852] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009C2CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\NOTEPAD.EXE[2852] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009C2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\NOTEPAD.EXE[2852] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009C2CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[3028] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009C2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[3028] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009C2CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[3028] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009C2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[3028] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009C2CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\devldr32.exe[3108] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [008C2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\devldr32.exe[3108] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [008C2CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\devldr32.exe[3108] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [008C2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\devldr32.exe[3108] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [008C2CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\NAU\Desktop\gmer\gmer.exe[9408] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\NAU\Desktop\gmer\gmer.exe[9408] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\NAU\Desktop\gmer\gmer.exe[9408] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\NAU\Desktop\gmer\gmer.exe[9408] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 82F6E1F8
Device \FileSystem\Fastfat \FatCdrom 829D5500
Device \Driver\usbohci \Device\USBPDO-0 82C2B1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 82FDD1F8
Device \Driver\dmio \Device\DmControl\DmConfig 82FDD1F8
Device \Driver\dmio \Device\DmControl\DmPnP 82FDD1F8
Device \Driver\dmio \Device\DmControl\DmInfo 82FDD1F8
Device \Driver\usbuhci \Device\USBPDO-1 82AFC1F8
Device \Driver\usbohci \Device\USBPDO-2 82C2B1F8
Device \Driver\usbuhci \Device\USBPDO-3 82AFC1F8
Device \Driver\usbehci \Device\USBPDO-4 82C14500
Device \Driver\Cdrom \Device\CdRom0 82BFF1F8
Device \Driver\Cdrom \Device\CdRom1 82BFF1F8
Device \Driver\atapi \Device\Ide\IdePort0 82F6F1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 82F6F1F8
Device \Driver\atapi \Device\Ide\IdePort1 82F6F1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 82F6F1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 82F6F1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 82F6F1F8
Device \Driver\sptd \Device\4005594416 spvy.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 829B5500
Device \Driver\NetBT \Device\NetbiosSmb 829B5500
Device \Driver\PCI_PNP1968 \Device\0000004d spvy.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{F4FF1D72-3DD6-4FC7-8DC9-D7A872DD6B08} 829B5500
Device \Driver\USBSTOR \Device\0000006a 82A7B500
Device \Driver\usbohci \Device\USBFDO-0 82C2B1F8
Device \Driver\USBSTOR \Device\0000006d 82A7B500
Device \Driver\usbohci \Device\USBFDO-1 82C2B1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82CA9500
Device \Driver\usbehci \Device\USBFDO-2 82C14500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 82CA9500
Device \Driver\usbuhci \Device\USBFDO-3 82AFC1F8
Device \Driver\usbuhci \Device\USBFDO-4 82AFC1F8
Device \Driver\Ftdisk \Device\FtControl 82F701F8
Device \Driver\a6nmml3w \Device\Scsi\a6nmml3w1 82AE51F8
Device \Driver\a6nmml3w \Device\Scsi\a6nmml3w1Port2Path0Target0Lun0 82AE51F8
Device \FileSystem\Fastfat \Fat 829D5500

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 829A21F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxltkndodpputupuphwuhsauuwvsalcnpm.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxltkndodpputupuphwuhsauuwvsalcnpm.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxavktjoaxkjvpwcnksqotkotquqptlxqt.dll
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x42 0xF2 0x1E 0x30 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEF 0x77 0xC0 0xD0 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x21 0xDB 0xCB 0x3D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x42 0xF2 0x1E 0x30 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEF 0x77 0xC0 0xD0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x37 0x07 0x7A 0xE6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x42 0xF2 0x1E 0x30 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEF 0x77 0xC0 0xD0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x37 0x07 0x7A 0xE6 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@

---- EOF - GMER 1.0.15 ----

#2 KoanYorel


    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:08:01 AM

Posted 04 June 2009 - 05:46 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 perrymc

  • Topic Starter

  • Members
  • 39 posts
  • Local time:08:01 AM

Posted 05 June 2009 - 12:43 AM

Appreciate your reply. I understand how busy you all are. Unfortunately I am out of town for 5-7 days. Please keep this post open and I will follow up with the new logs as soon as I get back. Thank you so much!

#4 perrymc

  • Topic Starter

  • Members
  • 39 posts
  • Local time:08:01 AM

Posted 09 June 2009 - 04:49 PM

Thank you for keeping my post open. Here are the current dds files.


DDS (Ver_09-05-14.01) - NTFSx86
Run by NAU at 14:37:54.37 on Tue 06/09/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.214 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Documents and Settings\NAU\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NAU] c:\documents and settings\nau\NAU.exe /i
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-9 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-9 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-9 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-9 298776]
S2 TermServiceSSDPSRV;Terminal Services TermServiceSSDPSRV;c:\windows\system32\1042o.exe srv --> c:\windows\system32\1042o.exe srv [?]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [2008-10-20 32840]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2008-3-22 386688]

=============== Created Last 30 ================

2009-06-09 11:50 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-06-09 11:32 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-09 11:32 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-09 11:31 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-09 11:31 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-06-09 11:31 <DIR> --d----- c:\docume~1\nau\applic~1\AVGTOOLBAR
2009-06-09 11:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-05-19 11:24 32 a--s---- c:\windows\system32\1279876501.dat
2009-05-15 22:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-05-13 23:50 <DIR> --d----- c:\windows\system32\NtmsData
2009-05-12 08:54 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-05-12 08:54 85,504 a------- c:\windows\system32\ff_vfw.dll
2009-05-12 08:54 50,688 a------- c:\windows\system32\ff_acm.acm
2009-05-12 08:54 60,273 a------- c:\windows\system32\pthreadGC2.dll
2009-05-12 08:54 <DIR> --d----- c:\program files\ffdshow

==================== Find3M ====================

2009-06-09 14:28 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-06-09 14:27 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 19:43 1,744 a------- c:\windows\system32\d3d9caps.dat
2009-05-06 12:40 215,872 a------- c:\windows\system32\drivers\truecrypt.sys
2009-04-15 14:25 18,872 a------- c:\docume~1\nau\applic~1\GDIPFONTCACHEV1.DAT
2009-04-12 00:00 410,984 a------- c:\windows\system32\deploytk.dll

============= FINISH: 14:38:33.63 ===============

Attached Files



#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:01 PM

Posted 13 June 2009 - 04:58 AM

Hi perrymc,

Welcome to the BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Please do both steps to make sure IE is set to the correct settings, to avoid connection problems in IE.
  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Close any open browsers.

      Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

      DDS::
      uInternet Settings,ProxyServer = http=localhost:7171
      uInternet Settings,ProxyOverride = *.local;<local>
      EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
      Registry::
      [HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
      "ShellNext"=-
      [HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
      "ShellNext"="http://windowsupdate.microsoft.com/"
      "Completed"=hex:01,00,00,00

      Save this as CFScript.txt, in the same location as ComboFix.exe


      Posted Image

      Referring to the picture above, drag CFScript into ComboFix.exe.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


      When finished, it shall produce a log for you ("C:\ComboFix.txt"). Please copy and paste the log to your reply.

      Note:
      Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
  • Go to Tools => Internet Options => click on the Connections tab, then click on LAN Settings. The following items should be unchecked:
    • Automatically detect settings
    • Use a proxy server for your LAN


#6 perrymc

perrymc
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:08:01 AM

Posted 14 June 2009 - 05:31 PM

Thank you Farbar,

Understand what you are saying about not making changes to the system for now. I did remove Avira and reinstall AVG since I first reported my troubles. Won't do any more. Here is my ComboFix log. Thank you and get to me when you can. I have another computer, so this is not a show stopper.

ComboFix 09-06-13.09 - NAU 06/14/2009 15:00.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.240 [GMT -7:00]
Running from: c:\documents and settings\NAU\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\NAU\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\NAU\LOCALS~1\Temp\catchme.dll
c:\documents and settings\NAU\Local Settings\temp\catchme.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ATI64SI
-------\Legacy_FIPS32CUP
-------\Legacy_KSI32SK
-------\Legacy_NETSIK
-------\Legacy_TERMSERVICESSDPSRV
-------\Service_TermServiceSSDPSRV


((((((((((((((((((((((((( Files Created from 2009-05-14 to 2009-06-14 )))))))))))))))))))))))))))))))
.

2009-06-09 18:50 . 2009-06-13 09:11 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-09 18:32 . 2009-06-09 18:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-09 18:32 . 2009-06-09 18:32 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-09 18:31 . 2009-06-09 18:31 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-09 18:31 . 2009-06-09 18:31 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-09 18:31 . 2009-06-12 15:20 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-09 18:31 . 2009-06-12 03:49 -------- d-----w- c:\documents and settings\NAU\Application Data\AVGTOOLBAR
2009-06-09 18:31 . 2009-06-09 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-20 19:09 . 2009-05-20 19:09 -------- d-----w- c:\documents and settings\Administrator.NAU-ALLAZLTG2Q7\Application Data\Malwarebytes
2009-05-19 18:24 . 2009-05-19 18:24 32 --s-a-w- c:\windows\system32\1279876501.dat
2009-05-16 05:36 . 2009-06-09 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 22:08 . 2009-03-13 20:06 117760 ----a-w- c:\documents and settings\NAU\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-14 22:07 . 2008-09-02 01:23 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-06-14 22:07 . 2008-09-02 01:23 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-06-12 18:24 . 2008-12-24 21:51 0 ----a-w- c:\documents and settings\Mom.NAU-ALLAZLTG2Q7\Local Settings\Application Data\prvlcl.dat
2009-06-12 18:24 . 2008-12-07 18:46 0 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\prvlcl.dat
2009-06-09 19:25 . 2009-04-10 04:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 19:24 . 2009-04-12 16:44 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-09 16:48 . 2008-10-22 00:08 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-26 20:20 . 2009-04-10 04:25 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 20:19 . 2009-04-10 04:25 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-22 02:50 . 2008-09-02 01:59 -------- d-----w- c:\documents and settings\NAU\Application Data\Skype
2009-05-22 02:43 . 2008-09-02 01:19 1744 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-22 02:33 . 2008-09-02 02:00 -------- d-----w- c:\documents and settings\NAU\Application Data\skypePM
2009-05-19 18:34 . 2008-11-03 06:58 -------- d-----w- c:\documents and settings\NAU\Application Data\Azureus
2009-05-14 01:50 . 2009-02-04 23:40 -------- d-----w- c:\documents and settings\NAU\Application Data\Roxio
2009-05-13 23:19 . 2008-11-04 20:03 -------- d-----w- c:\program files\Ancient Sudoku
2009-05-13 19:45 . 2006-09-22 16:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-12 15:54 . 2009-05-12 15:54 -------- d-----w- c:\program files\ffdshow
2009-05-07 14:55 . 2009-05-07 14:55 10684866 ----a-w- c:\documents and settings\NAU\Application Data\Azureus\plugins\azump\mplayer.exe
2009-05-06 19:49 . 2009-05-06 19:46 -------- d-----w- c:\documents and settings\NAU\Application Data\TrueCrypt
2009-05-06 19:40 . 2009-05-06 19:40 215872 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-05-06 19:40 . 2009-05-06 19:40 -------- d-----w- c:\program files\TrueCrypt
2009-05-04 03:39 . 2009-05-12 15:54 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-05-04 03:39 . 2009-05-12 15:54 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-04-30 16:23 . 2008-11-03 06:57 -------- d-----w- c:\program files\Vuze
2009-04-16 20:59 . 2008-03-24 20:41 18872 ----a-w- c:\documents and settings\NAU\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-12 07:00 . 2009-04-12 07:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-19 20:33 . 2008-09-22 01:15 18312 ----a-w- c:\documents and settings\Doug\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-02-02 10:07 . 2008-09-30 05:20 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-02-02 10:07 . 2008-09-30 05:20 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-02-02 10:07 . 2008-09-30 05:20 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-02-02 10:07 . 2008-09-30 05:20 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-02-02 10:07 . 2008-09-30 05:20 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-15 565008]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-15 2407184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-12 148888]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-09 1947928]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-03-09 19:27 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-09 18:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/9/2009 11:31 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/9/2009 11:32 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/9/2009 11:31 AM 298776]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [10/20/2008 10:33 AM 32840]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [3/22/2008 10:09 PM 386688]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-NAU - c:\documents and settings\NAU\NAU.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-113007714-1343024091-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\documents and settings\NAU\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

- - - - - - - > 'explorer.exe'(7340)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\CF11250.exe
c:\windows\system32\devldr32.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2009-06-14 15:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-14 22:15

Pre-Run: 6,215,593,984 bytes free
Post-Run: 6,237,028,352 bytes free

183 --- E O F --- 2009-04-17 06:36

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:01 PM

Posted 14 June 2009 - 05:59 PM

Seems ComboFix was already run three times before, and those rootkit files on GMER are removed.
  • Open your Malwarebytes' Anti-Malware, first update it, run a "quick scan", let reboot if needed and copy/paste the log to your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not automatically open you can obtain the latest log from there.

  • Please run DDS and copy and paste the first log it creates. No need for attach.txt any more. Tell me also how your computer is running.


#8 perrymc

perrymc
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:08:01 AM

Posted 15 June 2009 - 01:27 AM

Thanks farbar,

I neglected to tell you I had a power bump that stopped ComboFix, so when I restarted the computer I re-executed the drag of the script onto ComboFix. Don't know about a third iteration, other than I did have to remove a rootkit etc. about 2 months ago (also ran GMER at that time, but don't think I did this time). So here are the MBam log and DDS txt info.

Note: System is not giving me any trouble, other than initially I was noticing very heavy hdd activity and system was sluggish. Wasn't getting popups, but MBam keeps coming back with infections that persist. Unable to get a clean scan.
Also the infected file it refers to is simply a word document with a bleeping computer link to freeware in the forums (topic 3616).

Malwarebytes' Anti-Malware 1.37
Database version: 2280
Windows 5.1.2600 Service Pack 2

6/14/2009 10:10:11 PM
mbam-log-2009-06-14 (22-10-11).txt

Scan type: Quick Scan
Objects scanned: 114525
Time elapsed: 4 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\NAU\Desktop\Free software list came from Bleeping computer.doc (Rogue.Link) -> Not selected for removal.

-------------


DDS (Ver_09-05-14.01) - NTFSx86
Run by NAU at 22:15:08.97 on Sun 06/14/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.178 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Documents and Settings\NAU\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-9 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-9 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-9 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-9 298776]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [2008-10-20 32840]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2008-3-22 386688]

=============== Created Last 30 ================

2009-06-14 14:59 161,792 a------- c:\windows\SWREG.exe
2009-06-14 14:59 155,136 a------- c:\windows\PEV.exe
2009-06-14 14:59 98,816 a------- c:\windows\sed.exe
2009-06-14 14:59 388,608 a------- c:\windows\system32\CF11250.exe
2009-06-09 11:50 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-06-09 11:32 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-09 11:32 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-09 11:31 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-09 11:31 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-06-09 11:31 <DIR> --d----- c:\docume~1\nau\applic~1\AVGTOOLBAR
2009-06-09 11:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-05-19 11:24 32 a--s---- c:\windows\system32\1279876501.dat
2009-05-15 22:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira

==================== Find3M ====================

2009-06-14 22:12 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-06-14 22:12 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 19:43 1,744 a------- c:\windows\system32\d3d9caps.dat
2009-05-06 12:40 215,872 a------- c:\windows\system32\drivers\truecrypt.sys
2009-05-03 20:39 85,504 a------- c:\windows\system32\ff_vfw.dll
2009-05-03 20:39 60,273 a------- c:\windows\system32\pthreadGC2.dll
2009-04-15 14:25 18,872 a------- c:\docume~1\nau\applic~1\GDIPFONTCACHEV1.DAT
2009-04-12 00:00 410,984 a------- c:\windows\system32\deploytk.dll

============= FINISH: 22:15:53.23 ===============

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:01 PM

Posted 15 June 2009 - 11:19 AM

Also the infected file it refers to is simply a word document with a bleeping computer link to freeware in the forums (topic 3616).


c:\documents and settings\NAU\Desktop\Free software list came from Bleeping computer.doc (Rogue.Link) -> Not selected for removal.

If you are sure about the link after running MBAM select it and then click Ignore . It will be added to the ignore list.

MBam keeps coming back with infections that persist. Unable to get a clean scan.


Go to start => Control Panel => Security Center and open it => In the left pane select Change the way Security Center alerts me => a window will open, check all 3 items and click OK.

Then run MBAM and you will get a clean log. :)

++++++++++++++++

Everything looks good. :thumbup2:

Go to Start => Run => copy and paste next command in the field then hit enter:

ComboFix /u

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

The first reboot might be a little slow, the next one will be faster.

Optional Recommendations:
  • Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office.
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC. Windows XP Service Pack 2 is now outdated. Microsoft has released Service Pack 3, which has more features and is more secure than Service Pack 2.

    You can update by going to start > All Programs > Windows update > click on Custom button.

    Note: Download Service Pack 3 but before installing it disable your antivirus real-time protection.

  • Install Javacool's SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings, and that will protect you from running and downloading known malicious programs. What you need to do is update it once every 2-3 weeks and enable the restriction. You can find more information and a download link.
    After each update click on Protection Status in the left pane. Then click on Enable All Protection (bottom left of the right pane).

  • The rule of thumb: One AntiVirus with real-time protection, one firewall (other than Windows firewall) and one antispyware with real-time protection. Any additional anti-malware shouldn't be running. You might have two or three antispyware but they should not be running at the same time and should be set not to start with Windows.

Please let me know if you have any question.

Happy Surfing!
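
The two checks farbar made by eye in this thread, as an added example that is not part of the thread, of DDS or of ComboFix: a small Python triage script that reads a DDS "SERVICES / DRIVERS" section and a ComboFix "Reg Loading Points" dump and flags (a) a service whose image file DDS could not read (shown as "[?]" instead of "[date size]", the way the TermServiceSSDPSRV / 1042o.exe entry appeared in the first DDS log before ComboFix removed it) and (b) Security Center notification switches set to 1, which MBAM later reported as Disabled.SecurityCenter. The sample log text is constructed from lines quoted in this thread; the FirewallDisableNotify value name is not on the page and is included on the assumption that it sits in the same key with the same 0/1 meaning as the two values that are.

```python
"""Triage helper for DDS and ComboFix logs (added example, not a tool from the thread)."""
import re
from typing import Dict, List

# DDS service line: "<state> <name>;<display name>;<image path> [<date> <size>]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]\s*$"
)
# REGEDIT4-style key header and "name"=dword:xxxxxxxx value line
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{8})\s*$')

SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
# The two values MBAM flagged in the thread, plus the firewall switch that lives in
# the same key (assumption: same 0/1 semantics; it does not appear in the thread).
NOTIFY_SWITCHES = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")


def triage_services(lines: List[str]) -> List[Dict[str, str]]:
    """Flag DDS service/driver entries whose binary DDS could not stat ("[?]")."""
    findings = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m and m.group("stamp").strip() == "?":
            findings.append({
                "kind": "unreadable-service-binary",
                "state": m.group("state"),       # e.g. S2 = auto-start, currently stopped
                "service": m.group("name"),
                "path": m.group("path"),
            })
    return findings


def triage_registry(lines: List[str]) -> List[Dict[str, str]]:
    """Flag Security Center *DisableNotify values that are set to non-zero."""
    findings = []
    current_key = None
    for raw in lines:
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            current_key = k.group("key").lower()   # key names are case-insensitive
            continue
        if current_key != SECURITY_CENTER_KEY:
            continue
        v = DWORD_RE.match(line)
        if v and v.group("name") in NOTIFY_SWITCHES and int(v.group("value"), 16) != 0:
            findings.append({"kind": "security-center-notify-disabled", "value": v.group("name")})
    return findings


def triage(log_text: str) -> Dict[str, List[Dict[str, str]]]:
    """Run both checks over one blob of log text (DDS and ComboFix may be concatenated)."""
    lines = log_text.splitlines()
    return {"services": triage_services(lines), "registry": triage_registry(lines)}


# Constructed sample input, built from lines quoted in the thread.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-9 325896]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-9 298776]
S2 TermServiceSSDPSRV;Terminal Services TermServiceSSDPSRV;c:\windows\system32\1042o.exe srv --> c:\windows\system32\1042o.exe srv [?]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [2008-10-20 32840]
"""

SAMPLE_COMBOFIX = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

if __name__ == "__main__":
    for section, items in triage(SAMPLE_DDS + SAMPLE_COMBOFIX).items():
        for item in items:
            print(section, item)
```

On the sample input the script reports the single "[?]" service (TermServiceSSDPSRV, image c:\windows\system32\1042o.exe srv) and the two Security Center values set to 1; the open 3389:TCP firewall entry is parsed past without comment, since the check only looks at the Security Center key.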

#10 perrymc

perrymc
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:08:01 AM

Posted 16 June 2009 - 06:56 PM

Thank you Farbar,

Performed the final cleanup and removed ComboFix. Went ahead and deleted the Word doc with the link that MBam didn't care for, since I can do without it.

Reran MBam, then AVG and SuperAntispyware. All came back clean. Thanks for the guidance and additional suggestions. Still need to get another firewall installed other than Microsoft. Hope to not need your services for a long time.

Good day

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:01 PM

Posted 17 June 2009 - 07:09 AM

You are very welcome perrymc. I hope you never need our assistance. :thumbup2:

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



