
Trojan Unable to Remove


30 replies to this topic

#1 fpsa_ahmed

Posted 01 June 2009 - 10:02 PM

Hello,

This is my first post here. First I just wanted to say that I am really impressed by the knowledge and organization of the moderators and administrators helping users solve their Virus/Trojan/Spyware/Malware Removal issues. I am sure you guys are knowledgeable enough to help me solve my problem! Also I wanted to thank you in advance for your help.

My problem started last Thursday. First I tried to do a system restore, but there were no previous restore points (it was set to do so automatically). I tried to search my problem on the forum before posting, and I tried to install Malwarebytes AntiMalware, but I couldn't install it in normal Windows mode. I installed it in safe mode and ran a scan. It came up with a Trojan that I can't remember the name of; it had about 150 objects. I checked all and clicked on fix, then it told me it had to restart to complete. I had read that when restarting to restart back to normal, not safe mode. When it booted up in normal mode, after logging in the computer was blank with nothing but the background. I did ctrl+alt+del and went into taskmgr and there were two Mbam.exe, so I ended one of them and then the desktop appeared. Then when I try to run it, it doesn't open. I tried renaming the exe to a lot of different names; I even tried changing exe to scr and bat, but it didn't work. I tried uninstalling and then redownloading and renaming the setup file and doing the install with the keyboard only (although I don't understand why that would make a difference) and then changed the exe file to a different name, and it still didn't work.

Right now there are Iexplore.exe and rundll32 open. I can end task them, but they open up again after maybe 2 mins. I followed the posting instructions and got the pseudo HJT log. I had Process Explorer and taskmgr open when doing the log. Let me know if you have a solution or what additional information we need to solve this. I attached "Attach.txt" from dds.scr.

--------------------------------------------------------------------------------------------------
DDS (Ver_09-05-14.01) - NTFSx86
Run by administrator at 22:39:10.83 on Mon 06/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.882 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Synergy\synergyc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\ADMINISTRATOR.FLSA\Desktop\procexp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\ADMINISTRATOR.FLSA\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {20160a23-973d-47a9-8807-abb847ff0e53} - c:\windows\system32\jkkHWOhH.dll
BHO: {9c963f92-02a1-4297-969f-bc1c8218eb45} - c:\windows\system32\pmNfgdCu.dll
BHO: {fcb5785a-66a7-434b-87d9-eea867e1136f} - c:\windows\system32\ddcBUkjK.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178038936078
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://embla.webex.com/client/T26L/support/ieatgpc.cab
DPF: {E3CF5F1B-C29E-4D21-B695-E1B0E1CB6EC9} - hxxp://192.168.1.31/codebase/NewHCNetActiveX.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {1ae41033-05a0-a688-7e64-fef9564227b7}: {7b722465-9fef-46e7-886a-0a5033014ea1} - c:\windows\system32\wzeqql.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\jkkKdAQg.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkHWOhH

============= SERVICES / DRIVERS ===============

R1 Winnov32;Winnov32;c:\windows\system32\drivers\Winnov32.sys [2007-5-1 528719]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-6-18 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-6-18 47640]
R2 Synergy Client;Synergy Client;c:\program files\synergy\synergyc.exe [2006-4-2 446464]
R3 DspPdo;PDO Driver;c:\windows\system32\drivers\DSPPDO.SYS [2003-3-6 10310]
R3 MCSPRBD;Driver for Artisan with Da Vinci interface (MCSPRBD);c:\windows\system32\drivers\MCSPRBD.sys [2008-5-7 92457]
R3 MCSPRIB;Driver for Monet16 with COM interface (MCSPRIB);c:\windows\system32\drivers\MCSPRIB.sys [2008-5-7 47881]
R3 MCSPRJB;Driver for Monet16 with USB interface (MCSPRJB);c:\windows\system32\drivers\MCSPRJB.sys [2003-12-24 47113]
R3 MCSPRKB;Driver for Monet24 with USB interface (MCSPRKB);c:\windows\system32\drivers\MCSPRKB.sys [2003-4-2 47337]
R3 PORTI;Porti Driver;c:\windows\system32\drivers\PORTI.SYS [2003-3-6 19190]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2007-6-18 12192]
R3 USBFIB;Fiber to USB Driver;c:\windows\system32\drivers\USBFIB.SYS [2003-3-6 17790]
R3 WnvCOM;WnvCOM;c:\windows\system32\drivers\WnvCOM.sys [2007-5-1 21536]
R3 WnvKVid;Winnov Kernel Video;c:\windows\system32\drivers\WnvKVid.sys [2007-5-1 245480]
S3 EmblettaUSB;Device driver for Medcare USB devices;c:\windows\system32\drivers\EmblettaUSB.sys [2004-4-1 69632]
S3 WnvKAud;Winnov Kernel Audio;c:\windows\system32\drivers\WnvKAud.sys [2007-5-1 107232]
S4 ImapService;ImapService;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 Wnvirq32Service;WnvIRQ32;c:\windows\system32\WnvIRQ32.EXE [2007-5-1 137216]

=============== Created Last 30 ================

2009-06-01 17:53 <DIR> --d----- c:\docume~1\admini~1.fls\applic~1\Malwarebytes
2009-06-01 17:53 <DIR> --d----- c:\program files\Mam
2009-06-01 17:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-28 23:46 75,264 a------- c:\documents and settings\administrator.flsa\nah_bbxm.exe
2009-05-28 23:46 75,264 a------- c:\docume~1\admini~1.fls\applic~1\upd.exe.exe
2009-05-28 17:59 <DIR> --d--r-- c:\docume~1\admini~1.fls\applic~1\Brother
2009-05-26 12:36 <DIR> --d----- c:\program files\PAV

==================== Find3M ====================

2009-01-12 11:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011220090113\index.dat
2009-01-18 15:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011820090119\index.dat

============= FINISH: 22:42:43.11 ===============



#2 fpsa_ahmed (Topic Starter)

Posted 01 June 2009 - 10:42 PM

I just downloaded and ran a scan with RootRepeal. I saw it on a different post and thought to run it just to see if it will be helpful. When I first ran the program it told me "Could not load our kernel! Please contact the author!". I pressed OK, but I could still do a scan. When it comes to the SSDT scan, the program crashes. Below is each report individually, without the SSDT. It seems all suspicious files start with "UAC". I hope this is helpful!


ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/06/01 23:33
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF75A8000 Size: 187776 File Visible: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2180352 File Visible: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xB83C1000 Size: 138496 File Visible: -
Status: -

Name: agp440.sys
Image Path: agp440.sys
Address: 0xF7647000 Size: 42368 File Visible: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF749A000 Size: 95360 File Visible: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xBA91A000 Size: 3072 File Visible: -
Status: -

Name: BCMSM.sys
Image Path: C:\WINDOWS\System32\DRIVERS\BCMSM.sys
Address: 0xB9CC1000 Size: 1101696 File Visible: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF79E5000 Size: 4224 File Visible: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7897000 Size: 12288 File Visible: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xB87B1000 Size: 63744 File Visible: -
Status: -

Name: Cdr4_xp.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS
Address: 0xF76D7000 Size: 61152 File Visible: -
Status: -

Name: Cdralw2k.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdralw2k.SYS
Address: 0xF7767000 Size: 21856 File Visible: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xF76E7000 Size: 49536 File Visible: -
Status: -

Name: cdudf_xp.SYS
Image Path: C:\WINDOWS\System32\Drivers\cdudf_xp.SYS
Address: 0xB8522000 Size: 241152 File Visible: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xF7637000 Size: 53248 File Visible: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF7627000 Size: 36352 File Visible: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF74B2000 Size: 153344 File Visible: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xF798D000 Size: 5888 File Visible: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF76A7000 Size: 61440 File Visible: -
Status: -

Name: DspPdo.sys
Image Path: C:\WINDOWS\System32\DRIVERS\DspPdo.sys
Address: 0xB8837000 Size: 9408 File Visible: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB78F1000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A09000 Size: 8192 File Visible: No
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xB8382000 Size: 12288 File Visible: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xB7F03000 Size: 4096 File Visible: -
Status: -

Name: e100b325.sys
Image Path: C:\WINDOWS\System32\DRIVERS\e100b325.sys
Address: 0xB9AAC000 Size: 140288 File Visible: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xB5741000 Size: 143360 File Visible: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xF775F000 Size: 27392 File Visible: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xBAF8F000 Size: 34944 File Visible: -
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Address: 0xF7797000 Size: 20480 File Visible: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF747A000 Size: 128896 File Visible: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF79E3000 Size: 7936 File Visible: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF74D8000 Size: 125056 File Visible: -
Status: -

Name: gameenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\gameenum.sys
Address: 0xBAFE8000 Size: 10624 File Visible: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EC000 Size: 131968 File Visible: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF77A7000 Size: 28672 File Visible: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xB5570000 Size: 262784 File Visible: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\imapi.sys
Address: 0xF7587000 Size: 41856 File Visible: -
Status: -

Name: intelide.sys
Image Path: intelide.sys
Address: 0xF798B000 Size: 5504 File Visible: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Address: 0xF7697000 Size: 36096 File Visible: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xB82DE000 Size: 134912 File Visible: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xB8463000 Size: 74752 File Visible: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF75F7000 Size: 35840 File Visible: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xF778F000 Size: 24576 File Visible: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7987000 Size: 8192 File Visible: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ks.sys
Address: 0xB9C9E000 Size: 143360 File Visible: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF7451000 Size: 92032 File Visible: -
Status: -

Name: LMImirr.dll
Image Path: C:\WINDOWS\System32\LMImirr.dll
Address: 0xBFDE2000 Size: 20480 File Visible: -
Status: -

Name: LMImirr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\LMImirr.sys
Address: 0xBA91B000 Size: 3200 File Visible: -
Status: -

Name: lmimirr2.dll
Image Path: C:\WINDOWS\System32\lmimirr2.dll
Address: 0xBFDE7000 Size: 8192 File Visible: -
Status: -

Name: LMIRfsDriver.sys
Image Path: C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
Address: 0xB87F1000 Size: 40960 File Visible: -
Status: -

Name: MCSPRBD.sys
Image Path: C:\WINDOWS\System32\Drivers\MCSPRBD.sys
Address: 0xB9A63000 Size: 92384 File Visible: -
Status: -

Name: MCSPRIB.sys
Image Path: C:\WINDOWS\System32\Drivers\MCSPRIB.sys
Address: 0xBA2E0000 Size: 47808 File Visible: -
Status: -

Name: MCSPRJB.sys
Image Path: C:\WINDOWS\System32\Drivers\MCSPRJB.sys
Address: 0xBA2F0000 Size: 47040 File Visible: -
Status: -

Name: MCSPRKB.sys
Image Path: C:\WINDOWS\System32\Drivers\MCSPRKB.sys
Address: 0xBA300000 Size: 47264 File Visible: -
Status: -

Name: mmc_2K.SYS
Image Path: C:\WINDOWS\System32\Drivers\mmc_2K.SYS
Address: 0xB9FC3000 Size: 22688 File Visible: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF79E7000 Size: 4224 File Visible: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF7757000 Size: 30080 File Visible: -
Status: -

Name: MODEMCSA.sys
Image Path: C:\WINDOWS\system32\drivers\MODEMCSA.sys
Address: 0xB9F6B000 Size: 16128 File Visible: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xB9FDB000 Size: 23040 File Visible: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF7607000 Size: 42240 File Visible: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xB65F4000 Size: 181248 File Visible: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xB82FF000 Size: 453120 File Visible: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF77B7000 Size: 19072 File Visible: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xBA2A0000 Size: 35072 File Visible: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xF7913000 Size: 15488 File Visible: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF7409000 Size: 107904 File Visible: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF7424000 Size: 182912 File Visible: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xBAFB3000 Size: 9600 File Visible: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xB679D000 Size: 12928 File Visible: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xB9A4C000 Size: 91776 File Visible: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xBAF2F000 Size: 38016 File Visible: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xF7517000 Size: 34560 File Visible: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xB83E3000 Size: 162816 File Visible: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF77BF000 Size: 30848 File Visible: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7B52000 Size: 574592 File Visible: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2180352 File Visible: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xBAAB0000 Size: 2944 File Visible: -
Status: -

Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF9D5000 Size: 4247552 File Visible: -
Status: -

Name: nv4_mini.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nv4_mini.sys
Address: 0xB9E05000 Size: 1465312 File Visible: -
Status: -

Name: OMCI.SYS
Image Path: C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
Address: 0xB99F2000 Size: 12864 File Visible: -
Status: -

Name: P16X.sys
Image Path: C:\WINDOWS\system32\drivers\P16X.sys
Address: 0xB9B62000 Size: 1293440 File Visible: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xB9A98000 Size: 80128 File Visible: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF770F000 Size: 18688 File Visible: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xB861B000 Size: 6784 File Visible: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF7597000 Size: 68224 File Visible: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xF7707000 Size: 28672 File Visible: -
Status: -

Name: PfModNT.sys
Image Path: C:\WINDOWS\System32\PfModNT.sys
Address: 0xB7DB9000 Size: 4352 File Visible: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2180352 File Visible: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xB9B3E000 Size: 147456 File Visible: -
Status: -

Name: PORTI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\PORTI.SYS
Address: 0xF780F000 Size: 18112 File Visible: -
Status: -

Name: PROCEXP100.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP100.SYS
Address: 0xF79C5000 Size: 6656 File Visible: No
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xB9A3B000 Size: 69120 File Visible: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xF777F000 Size: 17792 File Visible: -
Status: -

Name: pwd_2k.SYS
Image Path: C:\WINDOWS\System32\Drivers\pwd_2k.SYS
Address: 0xB9A7A000 Size: 122784 File Visible: -
Status: -

Name: radpms.sys
Image Path: C:\WINDOWS\system32\DRIVERS\radpms.sys
Address: 0xF7997000 Size: 5248 File Visible: -
Status: -

Name: RaInfo.sys
Image Path: C:\Program Files\LogMeIn\x86\RaInfo.sys
Address: 0xB8619000 Size: 6144 File Visible: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xBAFF4000 Size: 8832 File Visible: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xBA2D0000 Size: 51328 File Visible: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xBA2C0000 Size: 41472 File Visible: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xBA2B0000 Size: 48384 File Visible: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xF7787000 Size: 16512 File Visible: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2180352 File Visible: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xB8396000 Size: 174592 File Visible: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF79E9000 Size: 4224 File Visible: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdpdr.sys
Address: 0xB9A0A000 Size: 196864 File Visible: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xF76F7000 Size: 57472 File Visible: -
Status: -

Name: rr.sys
Image Path: C:\WINDOWS\system32\drivers\rr.sys
Address: 0xB54C8000 Size: 45056 File Visible: No
Status: -

Name: SENTINEL.SYS
Image Path: C:\WINDOWS\System32\Drivers\SENTINEL.SYS
Address: 0xB65B9000 Size: 76288 File Visible: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serenum.sys
Address: 0xBAFC3000 Size: 15488 File Visible: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serial.sys
Address: 0xF76C7000 Size: 64896 File Visible: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF7468000 Size: 73472 File Visible: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys
Address: 0xB649F000 Size: 332928 File Visible: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xF79BF000 Size: 4352 File Visible: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xB61F7000 Size: 60800 File Visible: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xB840B000 Size: 359808 File Visible: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xF7777000 Size: 20480 File Visible: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xBA290000 Size: 40704 File Visible: -
Status: -

Name: UACbgogmjdtvrprrju.sys
Image Path: C:\WINDOWS\system32\drivers\UACbgogmjdtvrprrju.sys
Address: 0xB84CF000 Size: 81920 File Visible: -
Status: Hidden from Windows API!
Name: UdfReadr_xp.SYS
Image Path: C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYS
Address: 0xB8488000 Size: 206464 File Visible: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xB99AE000 Size: 209408 File Visible: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xF79CD000 Size: 8192 File Visible: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Address: 0xF774F000 Size: 26624 File Visible: -
Status: -

Name: usbfib.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbfib.sys
Address: 0xB883B000 Size: 16384 File Visible: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xF7577000 Size: 57600 File Visible: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xB9DCE000 Size: 143360 File Visible: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Address: 0xF7747000 Size: 20480 File Visible: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF77AF000 Size: 20992 File Visible: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Address: 0xB9DF1000 Size: 81920 File Visible: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF7617000 Size: 52352 File Visible: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xBAF7F000 Size: 34560 File Visible: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF779F000 Size: 20480 File Visible: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xB58CA000 Size: 82944 File Visible: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: -
Status: -

Name: Winnov32.sys
Image Path: C:\WINDOWS\System32\DRIVERS\Winnov32.sys
Address: 0xB9AE7000 Size: 354496 File Visible: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS
Address: 0xF7989000 Size: 8192 File Visible: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2180352 File Visible: -
Status: -

Name: WnvCOM.sys
Image Path: C:\WINDOWS\System32\DRIVERS\WnvCOM.sys
Address: 0xBAFE4000 Size: 12128 File Visible: -
Status: -

Name: WnvKVid.sys
Image Path: C:\WINDOWS\System32\DRIVERS\WnvKVid.sys
Address: 0xB78CA000 Size: 156352 File Visible: -
Status: -

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/06/01 23:38
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\ADMINISTRATOR.FLSA\NTUSER.dat.LOG
Status: Size mismatch (API: 1024, Raw: 20480)

Path: C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf
Status: Size mismatch (API: 25826, Raw: 25786)

Path: C:\WINDOWS\system32\UACamgypnncalvkhdj.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACkkapseuxjaluvfm.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAClhdqhkkevoysqgi.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACqjusflgtcgcugdl.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uactmp.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACtpgaqttumlooqcs.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACvdhpvcbkxnhhdch.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxycosrnfevmqeqw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACyqddomktttbwqbu.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACyxytucgmpgnycac.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC6e0b.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACa538.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACbgogmjdtvrprrju.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\ADMINISTRATOR.FLSA\Local Settings\Temp\UAC7e16.tmp
Status: Invisible to the Windows API!

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/06/01 23:39
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Processes
-------------------
Path: System
PID: 4 Status: -

Path: C:\Program Files\Synergy\synergyc.exe
PID: 196 Status: -

Path: C:\WINDOWS\system32\smss.exe
PID: 632 Status: -

Path: C:\WINDOWS\system32\csrss.exe
PID: 680 Status: -

Path: C:\WINDOWS\system32\winlogon.exe
PID: 704 Status: -

Path: C:\WINDOWS\system32\services.exe
PID: 752 Status: -

Path: C:\WINDOWS\system32\lsass.exe
PID: 764 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 932 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1036 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1148 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1212 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1372 Status: -

Path: C:\WINDOWS\system32\spoolsv.exe
PID: 1476 Status: -

Path: C:\Program Files\LogMeIn\x86\ramaint.exe
PID: 1680 Status: -

Path: C:\Program Files\LogMeIn\x86\LogMeIn.exe
PID: 1864 Status: -

Path: C:\Program Files\LogMeIn\x86\LMIGuardian.exe
PID: 1912 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1932 Status: -

Path: C:\Documents and Settings\ADMINISTRATOR.FLSA\Desktop\RR.exepeal.exe
PID: 2460 Status: -

Path: C:\WINDOWS\explorer.exe
PID: 2876 Status: -

Path: C:\Program Files\LogMeIn\x86\LMIGuardian.exe
PID: 3108 Status: -

Path: C:\Program Files\Internet Explorer\iexplore.exe
PID: 3124 Status: -

Path: C:\Program Files\LogMeIn\x86\LogMeIn.exe
PID: 3332 Status: -

Path: C:\WINDOWS\system32\notepad.exe
PID: 3596 Status: -

Path: C:\WINDOWS\system32\ctfmon.exe
PID: 3840 Status: -

Path: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 3884 Status: -

Path: C:\WINDOWS\system32\taskmgr.exe
PID: 4032 Status: -

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/06/01 23:39
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Stealth Objects
-------------------
Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: winlogon.exe (PID: 704) Address: 0x00650000 Size: 49152

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: winlogon.exe (PID: 704) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: services.exe (PID: 752) Address: 0x00650000 Size: 49152

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: services.exe (PID: 752) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: lsass.exe (PID: 764) Address: 0x02420000 Size: 49152

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: lsass.exe (PID: 764) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: svchost.exe (PID: 932) Address: 0x00fe0000 Size: 49152

Object: Hidden Module [Name: UACa538.tmpsrnfevmqeqw.dll]
Process: svchost.exe (PID: 932) Address: 0x026f0000 Size: 200704

Object: Hidden Module [Name: UAClhdqhkkevoysqgi.dll]
Process: svchost.exe (PID: 932) Address: 0x027e0000 Size: 69632

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: svchost.exe (PID: 932) Address: 0x02b80000 Size: 45056

Object: Hidden Module [Name: UACxycosrnfevmqeqw.dll]
Process: svchost.exe (PID: 932) Address: 0x02b90000 Size: 200704

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: svchost.exe (PID: 932) Address: 0x04a40000 Size: 49152

Object: Hidden Module [Name: UACyxytucgmpgnycac.dll]
Process: svchost.exe (PID: 932) Address: 0x04ae0000 Size: 53248

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: svchost.exe (PID: 932) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: svchost.exe (PID: 1036) Address: 0x00fe0000 Size: 49152

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: svchost.exe (PID: 1036) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: svchost.exe (PID: 1148) Address: 0x00fe0000 Size: 49152

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: svchost.exe (PID: 1148) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: svchost.exe (PID: 1212) Address: 0x00fe0000 Size: 49152

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: svchost.exe (PID: 1212) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: svchost.exe (PID: 1372) Address: 0x00fe0000 Size: 49152

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: svchost.exe (PID: 1372) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: spoolsv.exe (PID: 1476) Address: 0x00e70000 Size: 49152

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: spoolsv.exe (PID: 1476) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: RaMaint.exe (PID: 1680) Address: 0x006e0000 Size: 49152

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: RaMaint.exe (PID: 1680) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: LogMeIn.exe (PID: 1864) Address: 0x02d50000 Size: 45056

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: LogMeIn.exe (PID: 1864) Address: 0x02e10000 Size: 49152

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: LMIGuardian.exe (PID: 1912) Address: 0x00950000 Size: 49152

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: LMIGuardian.exe (PID: 1912) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: svchost.exe (PID: 1932) Address: 0x00fe0000 Size: 49152

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: svchost.exe (PID: 1932) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: synergyc.exe (PID: 196) Address: 0x009d0000 Size: 49152

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: synergyc.exe (PID: 196) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: explorer.exe (PID: 2876) Address: 0x00d00000 Size: 49152

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: explorer.exe (PID: 2876) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: LogMeIn.exe (PID: 3332) Address: 0x02a50000 Size: 45056

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: LogMeIn.exe (PID: 3332) Address: 0x02b10000 Size: 49152

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: LMIGuardian.exe (PID: 3108) Address: 0x00950000 Size: 49152

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: LMIGuardian.exe (PID: 3108) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: taskmgr.exe (PID: 4032) Address: 0x00e70000 Size: 49152

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: taskmgr.exe (PID: 4032) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: RR.exe (PID: 2460) Address: 0x00ae0000 Size: 49152

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: RR.exe (PID: 2460) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: Iexplore.exe (PID: 3124) Address: 0x00a10000 Size: 49152

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: Iexplore.exe (PID: 3124) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: ctfmon.exe (PID: 3840) Address: 0x02670000 Size: 49152

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: ctfmon.exe (PID: 3840) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyqddomktttbwqbu.dll]
Process: wmiprvse.exe (PID: 3884) Address: 0x02550000 Size: 49152

Object: Hidden Module [Name: UACamgypnncalvkhdj.dll]
Process: wmiprvse.exe (PID: 3884) Address: 0x10000000 Size: 45056

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/06/01 23:40
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACbgogmjdtvrprrju.sys

#3 fpsa_ahmed

  • Topic Starter

  • Members
  • 32 posts

Posted 02 June 2009 - 05:01 PM

Nobody? :thumbup2:
===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not post multiple times here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 02 June 2009 - 07:09 PM.


#4 myrti

  • Malware Study Hall Admin
  • 33,771 posts

Posted 13 June 2009 - 10:39 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards _temp_


If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#5 fpsa_ahmed

  • Topic Starter

  • Members
  • 32 posts

Posted 14 June 2009 - 10:00 PM

Hi _temp_.

Thank you for your help! Below is the log you requested:



DDS (Ver_09-05-14.01) - NTFSx86
Run by administrator at 22:56:20.63 on Sun 06/14/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.831 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Synergy\synergyc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Documents and Settings\ADMINISTRATOR.FLSA\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {20160a23-973d-47a9-8807-abb847ff0e53} - c:\windows\system32\jkkHWOhH.dll
BHO: {9c963f92-02a1-4297-969f-bc1c8218eb45} - c:\windows\system32\pmNfgdCu.dll
BHO: {fcb5785a-66a7-434b-87d9-eea867e1136f} - c:\windows\system32\ddcBUkjK.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178038936078
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://embla.webex.com/client/T26L/support/ieatgpc.cab
DPF: {E3CF5F1B-C29E-4D21-B695-E1B0E1CB6EC9} - hxxp://192.168.1.31/codebase/NewHCNetActiveX.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {1ae41033-05a0-a688-7e64-fef9564227b7}: {7b722465-9fef-46e7-886a-0a5033014ea1} - c:\windows\system32\wzeqql.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\jkkKdAQg.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkHWOhH

============= SERVICES / DRIVERS ===============

R1 Winnov32;Winnov32;c:\windows\system32\drivers\Winnov32.sys [2007-5-1 528719]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-6-18 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-6-18 47640]
R2 Synergy Client;Synergy Client;c:\program files\synergy\synergyc.exe [2006-4-2 446464]
R3 DspPdo;PDO Driver;c:\windows\system32\drivers\DSPPDO.SYS [2003-3-6 10310]
R3 MCSPRBD;Driver for Artisan with Da Vinci interface (MCSPRBD);c:\windows\system32\drivers\MCSPRBD.sys [2008-5-7 92457]
R3 MCSPRIB;Driver for Monet16 with COM interface (MCSPRIB);c:\windows\system32\drivers\MCSPRIB.sys [2008-5-7 47881]
R3 MCSPRJB;Driver for Monet16 with USB interface (MCSPRJB);c:\windows\system32\drivers\MCSPRJB.sys [2003-12-24 47113]
R3 MCSPRKB;Driver for Monet24 with USB interface (MCSPRKB);c:\windows\system32\drivers\MCSPRKB.sys [2003-4-2 47337]
R3 PORTI;Porti Driver;c:\windows\system32\drivers\PORTI.SYS [2003-3-6 19190]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2007-6-18 12192]
R3 USBFIB;Fiber to USB Driver;c:\windows\system32\drivers\USBFIB.SYS [2003-3-6 17790]
R3 WnvCOM;WnvCOM;c:\windows\system32\drivers\WnvCOM.sys [2007-5-1 21536]
R3 WnvKVid;Winnov Kernel Video;c:\windows\system32\drivers\WnvKVid.sys [2007-5-1 245480]
S3 EmblettaUSB;Device driver for Medcare USB devices;c:\windows\system32\drivers\EmblettaUSB.sys [2004-4-1 69632]
S3 WnvKAud;Winnov Kernel Audio;c:\windows\system32\drivers\WnvKAud.sys [2007-5-1 107232]
S4 ImapService;ImapService;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 Wnvirq32Service;WnvIRQ32;c:\windows\system32\WnvIRQ32.EXE [2007-5-1 137216]

=============== Created Last 30 ================

2009-06-02 18:43 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-02 18:43 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-02 12:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-02 11:50 61,440 a------- c:\windows\system32\drivers\noquexw.sys
2009-06-01 18:07 5,586 a------- c:\windows\system32\uacinit.dll
2009-06-01 17:53 <DIR> --d----- c:\docume~1\admini~1.fls\applic~1\Malwarebytes
2009-06-01 17:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-01 17:32 161,792 a------- c:\windows\SWREG.exe
2009-06-01 17:32 154,624 a------- c:\windows\PEV.exe
2009-06-01 17:32 98,816 a------- c:\windows\sed.exe
2009-06-01 17:32 388,608 a------- c:\windows\system32\CF7944.exe
2009-05-29 00:01 120,832 a------- c:\windows\system32\daggfajt.dll
2009-05-29 00:01 1,287 a--sh--- c:\windows\system32\HhOWHkkj.ini2
2009-05-29 00:01 1,287 a--sh--- c:\windows\system32\HhOWHkkj.ini
2009-05-28 23:46 75,264 a------- c:\documents and settings\administrator.flsa\nah_bbxm.exe
2009-05-28 23:46 75,264 a------- c:\docume~1\admini~1.fls\applic~1\upd.exe.exe
2009-05-28 23:07 120,832 a------- c:\windows\system32\smnuph.dll
2009-05-28 23:07 120,832 a------- c:\windows\system32\qwbakdxy.dll
2009-05-28 23:07 1,281 a--sh--- c:\windows\system32\uCdgfNmp.ini2
2009-05-28 23:07 1,281 a--sh--- c:\windows\system32\uCdgfNmp.ini
2009-05-28 22:55 3,976,714 a------- c:\windows\system32\uactmp.db
2009-05-28 17:59 <DIR> --d--r-- c:\docume~1\admini~1.fls\applic~1\Brother
2009-05-28 12:27 66,560 a------- c:\windows\system32\UACxycosrnfevmqeqw.dll
2009-05-28 12:27 30,208 a------- c:\windows\system32\UACvdhpvcbkxnhhdch.dll
2009-05-28 12:27 1,110,399 a------- c:\windows\system32\UACtpgaqttumlooqcs.db
2009-05-28 12:27 19,456 a------- c:\windows\system32\UACyqddomktttbwqbu.dll
2009-05-28 12:27 17,408 a------- c:\windows\system32\UACamgypnncalvkhdj.dll
2009-05-28 12:27 19,968 a------- c:\windows\system32\UACyxytucgmpgnycac.dll
2009-05-28 12:27 224 a------- c:\windows\system32\UACkkapseuxjaluvfm.dat
2009-05-28 12:27 25,600 a------- c:\windows\system32\UAClhdqhkkevoysqgi.dll
2009-05-28 12:27 53,760 -------- c:\windows\system32\drivers\UACbgogmjdtvrprrju.sys
2009-05-28 12:27 120,832 a------- c:\windows\system32\efbfnk.dll
2009-05-28 12:27 120,832 a------- c:\windows\system32\iwegkspe.dll
2009-05-28 00:26 120,832 a------- c:\windows\system32\yevbdf.dll
2009-05-28 00:26 120,832 a------- c:\windows\system32\ejwetcjo.dll
2009-05-27 12:26 120,832 a------- c:\windows\system32\topiai.dll
2009-05-27 12:26 120,832 a------- c:\windows\system32\gjbcjwix.dll
2009-05-27 00:25 120,832 a------- c:\windows\system32\rrptrp.dll
2009-05-27 00:25 120,832 a------- c:\windows\system32\sdjepvna.dll
2009-05-26 12:36 <DIR> --d----- c:\program files\PAV
2009-05-26 12:25 120,832 a------- c:\windows\system32\fxxmtd.dll
2009-05-26 12:25 120,832 a------- c:\windows\system32\oyurkgji.dll
2009-05-26 00:25 120,832 a------- c:\windows\system32\ogjptm.dll
2009-05-26 00:25 120,832 a------- c:\windows\system32\bntulerl.dll
2009-05-25 12:25 120,832 a------- c:\windows\system32\pcnyyo.dll
2009-05-25 12:25 120,832 a------- c:\windows\system32\ocqkrryb.dll
2009-05-25 00:25 120,832 a------- c:\windows\system32\bbrmhg.dll
2009-05-25 00:25 120,832 a------- c:\windows\system32\ldncgkow.dll
2009-05-24 12:25 120,832 a------- c:\windows\system32\ftdmqvoh.dll
2009-05-24 12:25 120,832 a------- c:\windows\system32\eeyzdm.dll
2009-05-24 00:26 120,832 a------- c:\windows\system32\swcleb.dll
2009-05-24 00:26 120,832 a------- c:\windows\system32\jwayxqhy.dll
2009-05-23 12:25 120,832 a------- c:\windows\system32\bsuwkp.dll
2009-05-23 12:25 120,832 a------- c:\windows\system32\auswpbnl.dll
2009-05-23 00:26 120,832 a------- c:\windows\system32\zxqniy.dll
2009-05-23 00:26 120,832 a------- c:\windows\system32\dlewqmpo.dll
2009-05-22 12:25 120,832 a------- c:\windows\system32\sjtljq.dll
2009-05-22 12:25 120,832 a------- c:\windows\system32\piegbfko.dll
2009-05-22 00:25 120,832 a------- c:\windows\system32\ymconcvl.dll
2009-05-22 00:25 120,832 a------- c:\windows\system32\emyhrq.dll
2009-05-21 22:04 120,832 a------- c:\windows\system32\wtvhnc.dll
2009-05-21 22:04 120,832 a------- c:\windows\system32\lnicflul.dll
2009-05-21 12:22 120,832 a------- c:\windows\system32\pqoexu.dll
2009-05-21 12:22 120,832 a------- c:\windows\system32\dpayqvql.dll
2009-05-21 00:22 120,832 a------- c:\windows\system32\gqgcldqr.dll
2009-05-21 00:22 120,832 a------- c:\windows\system32\alfdsu.dll
2009-05-19 00:22 120,832 a------- c:\windows\system32\xtndvqia.dll
2009-05-19 00:22 120,832 a------- c:\windows\system32\rawilt.dll
2009-05-18 12:22 120,832 a------- c:\windows\system32\vtibei.dll
2009-05-18 12:22 120,832 a------- c:\windows\system32\oekmbxqt.dll
2009-05-18 00:22 120,832 a------- c:\windows\system32\lxbsuv.dll
2009-05-18 00:22 120,832 a------- c:\windows\system32\scnbsxhk.dll
2009-05-17 12:22 120,832 a------- c:\windows\system32\pilfqq.dll
2009-05-17 12:22 120,832 a------- c:\windows\system32\qrhjqrlr.dll
2009-05-17 00:22 120,832 a------- c:\windows\system32\tolhkv.dll
2009-05-17 00:22 120,832 a------- c:\windows\system32\egfgnist.dll
2009-05-16 12:22 120,832 a------- c:\windows\system32\mhjjnd.dll
2009-05-16 12:22 120,832 a------- c:\windows\system32\eojkcytg.dll
2009-05-16 00:22 120,832 a------- c:\windows\system32\celtxe.dll
2009-05-16 00:22 120,832 a------- c:\windows\system32\rahcjgmd.dll

==================== Find3M ====================

2009-05-28 22:55 2,718 a--sh--- c:\windows\system32\KjkUBcdd.ini2
2009-05-15 12:22 120,832 a------- c:\windows\system32\izbxtd.dll
2009-05-15 12:22 120,832 a------- c:\windows\system32\aqgpdilv.dll
2009-05-15 00:22 120,832 a------- c:\windows\system32\nqiwqfxi.dll
2009-05-15 00:22 120,832 a------- c:\windows\system32\mfrfll.dll
2009-05-14 12:22 120,832 a------- c:\windows\system32\ygbodj.dll
2009-05-14 12:22 120,832 a------- c:\windows\system32\kqqpasby.dll
2009-05-14 00:22 120,832 a------- c:\windows\system32\ztfpum.dll
2009-05-14 00:22 120,832 a------- c:\windows\system32\uongwfvc.dll
2009-05-13 12:22 120,832 a------- c:\windows\system32\kyjxqs.dll
2009-05-13 12:22 120,832 a------- c:\windows\system32\hccqkikb.dll
2009-05-13 00:22 120,832 a------- c:\windows\system32\rguwfr.dll
2009-05-13 00:22 120,832 a------- c:\windows\system32\pvkstnme.dll
2009-05-12 12:22 120,832 a------- c:\windows\system32\rsxilf.dll
2009-05-12 12:22 120,832 a------- c:\windows\system32\qybkdnrc.dll
2009-05-12 00:22 120,832 a------- c:\windows\system32\ryswrkjr.dll
2009-05-12 00:22 120,832 a------- c:\windows\system32\adjiqj.dll
2009-05-11 12:25 120,832 a------- c:\windows\system32\rbtmccab.dll
2009-05-11 12:25 120,832 a------- c:\windows\system32\mlncre.dll
2009-05-11 00:22 120,832 a------- c:\windows\system32\xhpejaah.dll
2009-05-11 00:22 120,832 a------- c:\windows\system32\sxmhgx.dll
2009-05-10 12:22 120,832 a------- c:\windows\system32\tbzvci.dll
2009-05-10 12:22 120,832 a------- c:\windows\system32\rinalujn.dll
2009-05-10 00:22 120,832 a------- c:\windows\system32\uupzrz.dll
2009-05-10 00:22 120,832 a------- c:\windows\system32\uewsjywy.dll
2009-05-09 12:25 120,832 a------- c:\windows\system32\lnoglqje.dll
2009-05-09 12:25 120,832 a------- c:\windows\system32\iqtfcg.dll
2009-05-09 00:22 120,832 a------- c:\windows\system32\wgypkjfp.dll
2009-05-09 00:22 120,832 a------- c:\windows\system32\llymvm.dll
2009-05-08 12:25 120,832 a------- c:\windows\system32\xvuxjo.dll
2009-05-08 12:25 120,832 a------- c:\windows\system32\dhfbainw.dll
2009-05-08 00:25 120,832 a------- c:\windows\system32\yzgtwz.dll
2009-05-08 00:25 120,832 a------- c:\windows\system32\lawponyn.dll
2009-05-07 12:25 120,832 a------- c:\windows\system32\rzmosk.dll
2009-05-07 12:25 120,832 a------- c:\windows\system32\aqnpfsph.dll
2009-05-07 00:25 120,832 a------- c:\windows\system32\khnvin.dll
2009-05-07 00:25 120,832 a------- c:\windows\system32\kayoxqto.dll
2009-05-06 12:22 120,832 a------- c:\windows\system32\lanqsw.dll
2009-05-06 12:22 120,832 a------- c:\windows\system32\fygqlchu.dll
2009-05-04 12:23 120,832 a------- c:\windows\system32\qiehwcof.dll
2009-05-04 12:23 120,832 a------- c:\windows\system32\gwiyub.dll
2009-05-04 00:20 120,832 a------- c:\windows\system32\rmsakbsq.dll
2009-05-04 00:20 120,832 a------- c:\windows\system32\kzpgye.dll
2009-05-03 12:23 120,832 a------- c:\windows\system32\urgpnqly.dll
2009-05-03 12:23 120,832 a------- c:\windows\system32\bwpctb.dll
2009-05-03 00:20 120,832 a------- c:\windows\system32\rpznne.dll
2009-05-03 00:20 120,832 a------- c:\windows\system32\lanuggop.dll
2009-05-02 12:23 120,832 a------- c:\windows\system32\risnxbfx.dll
2009-05-02 12:23 120,832 a------- c:\windows\system32\fvimks.dll
2009-05-02 00:20 120,832 a------- c:\windows\system32\ysaaaoft.dll
2009-05-02 00:20 120,832 a------- c:\windows\system32\oakwsl.dll
2009-05-01 12:23 120,832 a------- c:\windows\system32\pyfopvio.dll
2009-05-01 12:23 120,832 a------- c:\windows\system32\adzdwl.dll
2009-05-01 00:20 120,832 a------- c:\windows\system32\gjpydylr.dll
2009-05-01 00:20 120,832 a------- c:\windows\system32\dgqjfi.dll
2009-04-30 12:23 120,832 a------- c:\windows\system32\tepawx.dll
2009-04-30 12:23 120,832 a------- c:\windows\system32\bbayjguw.dll
2009-04-30 00:22 120,832 a------- c:\windows\system32\vtvycw.dll
2009-04-30 00:22 120,832 a------- c:\windows\system32\fnxwkqao.dll
2009-04-29 12:23 120,832 a------- c:\windows\system32\yskfqu.dll
2009-04-29 12:23 120,832 a------- c:\windows\system32\ewwsnxcg.dll
2009-04-29 00:20 120,832 a------- c:\windows\system32\myrahc.dll
2009-04-29 00:20 120,832 a------- c:\windows\system32\kjeeepfq.dll
2009-04-28 12:20 120,832 a------- c:\windows\system32\majiuvcp.dll
2009-04-28 12:20 120,832 a------- c:\windows\system32\ccdkba.dll
2009-04-28 00:23 120,832 a------- c:\windows\system32\xfsrtyyh.dll
2009-04-28 00:23 120,832 a------- c:\windows\system32\onkzxa.dll
2009-04-27 12:20 120,832 a------- c:\windows\system32\oxvogixk.dll
2009-04-27 12:20 120,832 a------- c:\windows\system32\hkzxkt.dll
2009-04-25 12:18 120,832 a------- c:\windows\system32\rgcgao.dll
2009-04-25 12:18 120,832 a------- c:\windows\system32\fuotgcco.dll
2009-04-25 00:21 120,832 a------- c:\windows\system32\egmhmbks.dll
2009-04-25 00:21 120,832 a------- c:\windows\system32\adevjj.dll
2009-04-24 12:18 120,832 a------- c:\windows\system32\wkbabsbd.dll
2009-04-24 12:18 120,832 a------- c:\windows\system32\nuyivv.dll
2009-04-24 00:18 120,832 a------- c:\windows\system32\svyvtcnj.dll
2009-04-24 00:18 120,832 a------- c:\windows\system32\erwbod.dll
2009-04-23 12:18 120,832 a------- c:\windows\system32\xgoprt.dll
2009-04-23 12:18 120,832 a------- c:\windows\system32\clhremug.dll
2009-04-23 00:21 120,832 a------- c:\windows\system32\rurluv.dll
2009-04-23 00:21 120,832 a------- c:\windows\system32\hxvckvij.dll
2009-04-22 12:21 120,832 a------- c:\windows\system32\xqckez.dll
2009-04-22 12:21 120,832 a------- c:\windows\system32\beaihkny.dll
2009-04-22 00:18 120,832 a------- c:\windows\system32\ytlxjv.dll
2009-04-22 00:18 120,832 a------- c:\windows\system32\wosdlovm.dll
2009-04-21 12:19 120,832 a------- c:\windows\system32\mgeyoehy.dll
2009-04-21 12:19 120,832 a------- c:\windows\system32\dnhozg.dll
2009-04-21 00:19 120,832 a------- c:\windows\system32\nhraxcjt.dll
2009-04-21 00:19 120,832 a------- c:\windows\system32\eoixjv.dll
2009-04-20 12:19 120,832 a------- c:\windows\system32\sqtvscbo.dll
2009-04-20 12:19 120,832 a------- c:\windows\system32\kmqdog.dll
2009-04-20 00:19 120,832 a------- c:\windows\system32\pftwhvbk.dll
2009-04-20 00:19 120,832 a------- c:\windows\system32\izmudq.dll
2009-04-19 12:19 120,832 a------- c:\windows\system32\wiyzcb.dll
2009-04-19 12:19 120,832 a------- c:\windows\system32\ppwhnrmo.dll
2009-04-19 00:22 120,832 a------- c:\windows\system32\pyhpyvnk.dll
2009-04-19 00:22 120,832 a------- c:\windows\system32\gqmwxv.dll
2009-04-18 12:19 120,832 a------- c:\windows\system32\fmqkvfse.dll
2009-04-18 12:19 120,832 a------- c:\windows\system32\elwwmz.dll
2009-04-18 00:19:30 A------- 120,832 c:\windows\system32\yldsmojk.dll
2009-01-12 11:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011220090113\index.dat
2009-01-18 15:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011820090119\index.dat

============= FINISH: 22:56:38.60 ===============

#6 m0le

  • Malware Response Team
  • 34,527 posts

Posted 16 June 2009 - 01:43 PM

Hi fpsa_ahmed,

Thanks for the compliments about the site.

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please give me a little time to go through your log and I will get back to you with your first instructions. Don't worry I won't abandon you.
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks :thumbup2:

#7 fpsa_ahmed

  • Topic Starter

  • Members
  • 32 posts

Posted 16 June 2009 - 02:36 PM

Hi m0le,

I am still here and need your help fixing the comp!

Thanks for your help!

#8 m0le

  • Malware Response Team
  • 34,527 posts

Posted 16 June 2009 - 06:08 PM

Hi fpsa_ahmed,

There are two very nasty infections in the logs you provided.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

Thanks :thumbup2:

#9 fpsa_ahmed

  • Topic Starter

  • Members
  • 32 posts

Posted 17 June 2009 - 08:37 PM

Hey m0le,

First I wanted to thank you for your help one more time. Below is the log ComboFix produced after it was done. It is pretty long.

ComboFix 09-06-16.05 - administrator 06/17/2009 17:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.844 [GMT -4:00]
Running from: c:\documents and settings\ADMINISTRATOR.FLSA\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\PAV
c:\windows\system32\Drivers\noquexw.sys
c:\windows\system32\drivers\UACbgogmjdtvrprrju.sys
c:\windows\system32\UACamgypnncalvkhdj.dll
c:\windows\system32\UACkkapseuxjaluvfm.dat
c:\windows\system32\UAClhdqhkkevoysqgi.dll
c:\windows\system32\UACyqddomktttbwqbu.dll
c:\windows\system32\UACyxytucgmpgnycac.dll
c:\documents and settings\ADMINISTRATOR.FLSA\nah_bbxm.exe
c:\program files\PAV\pav.exe.tmp1
c:\windows\system32\abrkhvbp.ini
c:\windows\system32\acjvdsxj.dll
c:\windows\system32\acsdkxrf.dll
c:\windows\system32\adevjj.dll
c:\windows\system32\adjiqj.dll
c:\windows\system32\adzdwl.dll
c:\windows\system32\ahsciuct.ini
c:\windows\system32\ajvbdcel.ini
c:\windows\system32\ajvdcbta.dll
c:\windows\system32\akitcgsg.dll
c:\windows\system32\alfdsu.dll
c:\windows\system32\alipoycg.ini
c:\windows\system32\alrcsypw.dll
c:\windows\system32\apbfie.dll
c:\windows\system32\aqglewgv.dll
c:\windows\system32\aqgpdilv.dll
c:\windows\system32\aqnpfsph.dll
c:\windows\system32\astslrln.ini
c:\windows\system32\aucydsnw.ini
c:\windows\system32\aufele.dll
c:\windows\system32\auswpbnl.dll
c:\windows\system32\auvddi.dll
c:\windows\system32\aylvksrs.ini
c:\windows\system32\baqxilid.ini
c:\windows\system32\bbayjguw.dll
c:\windows\system32\bbgbkmuh.ini
c:\windows\system32\bbrmhg.dll
c:\windows\system32\bdueqa.dll
c:\windows\system32\beaihkny.dll
c:\windows\system32\bggsmy.dll
c:\windows\system32\bhxohy.dll
c:\windows\system32\bmcfii.dll
c:\windows\system32\bmrxgt.dll
c:\windows\system32\bnppmyad.ini
c:\windows\system32\bntulerl.dll
c:\windows\system32\bnytogug.dll
c:\windows\system32\bodtcj.dll
c:\windows\system32\brtarkjf.ini
c:\windows\system32\bsikaj.dll
c:\windows\system32\bsuwkp.dll
c:\windows\system32\btdorsax.dll
c:\windows\system32\btngaq.dll
c:\windows\system32\bvcrsvfb.dll
c:\windows\system32\bwpctb.dll
c:\windows\system32\caecnr.dll
c:\windows\system32\ccdkba.dll
c:\windows\system32\ccpsfxij.dll
c:\windows\system32\cdrkjyoa.ini
c:\windows\system32\celtxe.dll
c:\windows\system32\cgfclgey.ini
c:\windows\system32\cgpbokqv.ini
c:\windows\system32\chrvni.dll
c:\windows\system32\cijyysoq.ini
c:\windows\system32\cjdzel.dll
c:\windows\system32\ckdvhqvt.ini
c:\windows\system32\clhremug.dll
c:\windows\system32\coaprmjp.ini
c:\windows\system32\cpriotpu.ini
c:\windows\system32\cqlserye.ini
c:\windows\system32\crupqlsp.ini
c:\windows\system32\csdcpxxb.ini
c:\windows\system32\ctgdpl.dll
c:\windows\system32\dadhyvbi.ini
c:\windows\system32\daggfajt.dll
c:\windows\system32\dcrymnne.ini
c:\windows\system32\dcujlp.dll
c:\windows\system32\depjkk.dll
c:\windows\system32\dfgkkopp.ini
c:\windows\system32\dghalt.dll
c:\windows\system32\dgqjfi.dll
c:\windows\system32\dgrgkm.dll
c:\windows\system32\dhfbainw.dll
c:\windows\system32\dhgbvkpo.ini
c:\windows\system32\dhjgmy.dll
c:\windows\system32\djclya.dll
c:\windows\system32\dlewqmpo.dll
c:\windows\system32\dnhozg.dll
c:\windows\system32\dpayqvql.dll
c:\windows\system32\drdhgi.dll
c:\windows\system32\drivers\noquexw.sys
c:\windows\system32\dstbytui.dll
c:\windows\system32\dugapfmq.ini
c:\windows\system32\eeyzdm.dll
c:\windows\system32\efbfnk.dll
c:\windows\system32\egfgnist.dll
c:\windows\system32\egmhmbks.dll
c:\windows\system32\egvupn.dll
c:\windows\system32\eiptaxap.ini
c:\windows\system32\ejwetcjo.dll
c:\windows\system32\ekesxuox.ini
c:\windows\system32\elwwmz.dll
c:\windows\system32\emyhrq.dll
c:\windows\system32\eoixjv.dll
c:\windows\system32\eojkcytg.dll
c:\windows\system32\ercyqbku.ini
c:\windows\system32\erwbod.dll
c:\windows\system32\etgeddyy.dll
c:\windows\system32\etlaxixw.ini
c:\windows\system32\evjqkh.dll
c:\windows\system32\evsorkgj.dll
c:\windows\system32\ewhskjtf.ini
c:\windows\system32\ewwsnxcg.dll
c:\windows\system32\eydmoh.dll
c:\windows\system32\faluwety.dll
c:\windows\system32\fclmuhyt.ini
c:\windows\system32\fddtknyw.ini
c:\windows\system32\febeokey.ini
c:\windows\system32\fghvkbyx.ini
c:\windows\system32\fgvwrywo.ini
c:\windows\system32\fhwzjy.dll
c:\windows\system32\fieagdfj.ini
c:\windows\system32\fiialujg.ini
c:\windows\system32\fiwnur.dll
c:\windows\system32\fjblglqt.ini
c:\windows\system32\fkeriquj.ini
c:\windows\system32\fklcuj.dll
c:\windows\system32\fkpfkc.dll
c:\windows\system32\fmqkvfse.dll
c:\windows\system32\fnxwkqao.dll
c:\windows\system32\fqmkqflx.ini
c:\windows\system32\ftcpcwnw.ini
c:\windows\system32\ftdmqvoh.dll
c:\windows\system32\fuotgcco.dll
c:\windows\system32\fvgqmbjm.ini
c:\windows\system32\fvhkbtkr.dll
c:\windows\system32\fvimks.dll
c:\windows\system32\fwkgpgsh.ini
c:\windows\system32\fwuxrwrw.dll
c:\windows\system32\fxxmtd.dll
c:\windows\system32\fyfllsqv.dll
c:\windows\system32\fygqlchu.dll
c:\windows\system32\fzkohj.dll
c:\windows\system32\gaabzx.dll
c:\windows\system32\gbtfcosk.ini
c:\windows\system32\gctrxnkg.ini
c:\windows\system32\gdbkoa.dll
c:\windows\system32\gdcsxctq.ini
c:\windows\system32\gdkbqgxj.dll
c:\windows\system32\gekmvrdq.dll
c:\windows\system32\gjbcjwix.dll
c:\windows\system32\gjkrtrfi.ini
c:\windows\system32\gjpydylr.dll
c:\windows\system32\gljjshbp.dll
c:\windows\system32\gnlhme.dll
c:\windows\system32\gphmpjwj.ini
c:\windows\system32\gqgcldqr.dll
c:\windows\system32\gqhubjip.dll
c:\windows\system32\gqmwxv.dll
c:\windows\system32\gqtqcugy.ini
c:\windows\system32\gseijyyd.dll
c:\windows\system32\gspmmaxw.dll
c:\windows\system32\gsuqdwde.dll
c:\windows\system32\gtqievby.dll
c:\windows\system32\gtqrojmq.ini
c:\windows\system32\gvvaqqia.ini
c:\windows\system32\gwiyub.dll
c:\windows\system32\gxfcihej.dll
c:\windows\system32\gxwlhamo.dll
c:\windows\system32\hccqkikb.dll
c:\windows\system32\hcothqsg.ini
c:\windows\system32\hdtlnsqv.ini
c:\windows\system32\hdyewf.dll
c:\windows\system32\hebkek.dll
c:\windows\system32\hetggdkt.dll
c:\windows\system32\hfelobct.ini
c:\windows\system32\hfzqor.dll
c:\windows\system32\HhOWHkkj.ini
c:\windows\system32\HhOWHkkj.ini2
c:\windows\system32\hiigwipi.ini
c:\windows\system32\hinxrnfe.dll
c:\windows\system32\hipforkm.ini
c:\windows\system32\hkzxkt.dll
c:\windows\system32\hlwychmm.ini
c:\windows\system32\howikwfi.ini
c:\windows\system32\hpcczu.dll
c:\windows\system32\htvjnefq.ini
c:\windows\system32\huphyrqu.ini
c:\windows\system32\hvmejcel.ini
c:\windows\system32\hxciyhdr.ini
c:\windows\system32\hxvckvij.dll
c:\windows\system32\hywlrsnf.ini
c:\windows\system32\ieonsffh.ini
c:\windows\system32\ieqhey.dll
c:\windows\system32\igwqisnl.ini
c:\windows\system32\iheochfh.dll
c:\windows\system32\ijqtli.dll
c:\windows\system32\inbyxb.dll
c:\windows\system32\iqljdqjc.dll
c:\windows\system32\iqstjvxs.ini
c:\windows\system32\iqtfcg.dll
c:\windows\system32\ircgadol.ini
c:\windows\system32\itortz.dll
c:\windows\system32\ivhmix.dll
c:\windows\system32\ivmkekjj.ini
c:\windows\system32\iwegkspe.dll
c:\windows\system32\iyeogdvn.dll
c:\windows\system32\izbxtd.dll
c:\windows\system32\izmudq.dll
c:\windows\system32\jctwgq.dll
c:\windows\system32\jetefj.dll
c:\windows\system32\jgkjii.dll
c:\windows\system32\jipudoot.ini
c:\windows\system32\jndqkqgn.ini
c:\windows\system32\jnlxruyo.dll
c:\windows\system32\jnxewgoc.ini
c:\windows\system32\jovsqvvi.dll
c:\windows\system32\jqbmoe.dll
c:\windows\system32\jrsonkjc.ini
c:\windows\system32\jsjwaonu.ini
c:\windows\system32\jssrxc.dll
c:\windows\system32\jwayxqhy.dll
c:\windows\system32\jzfwcm.dll
c:\windows\system32\karkdygw.dll
c:\windows\system32\kayoxqto.dll
c:\windows\system32\kbdiqgww.dll
c:\windows\system32\kdrhcdqs.ini
c:\windows\system32\kdrvewcq.ini
c:\windows\system32\kfupfo.dll
c:\windows\system32\kgdyjyqq.ini
c:\windows\system32\kgmatrih.ini
c:\windows\system32\khnvin.dll
c:\windows\system32\kjeeepfq.dll
c:\windows\system32\kjiugl.dll
c:\windows\system32\KjkUBcdd.ini
c:\windows\system32\KjkUBcdd.ini2
c:\windows\system32\kjoftrwd.dll
c:\windows\system32\kkyicold.ini
c:\windows\system32\klmpdocn.ini
c:\windows\system32\kloxdb.dll
c:\windows\system32\kltbibol.ini
c:\windows\system32\klxsxxtt.dll
c:\windows\system32\kmqdog.dll
c:\windows\system32\kqerwu.dll
c:\windows\system32\kqqpasby.dll
c:\windows\system32\krghlqju.dll
c:\windows\system32\kropuolw.ini
c:\windows\system32\ksqipkld.ini
c:\windows\system32\ktcgecxi.dll
c:\windows\system32\kufvwntx.ini
c:\windows\system32\kvbkmcoe.ini
c:\windows\system32\kvdqoawr.ini
c:\windows\system32\kyjxqs.dll
c:\windows\system32\kzpgye.dll
c:\windows\system32\lanqsw.dll
c:\windows\system32\lanuggop.dll
c:\windows\system32\lawponyn.dll
c:\windows\system32\lawrtw.dll
c:\windows\system32\lbblyswh.dll
c:\windows\system32\ldncgkow.dll
c:\windows\system32\legmccge.dll
c:\windows\system32\lfwapqtt.dll
c:\windows\system32\lgqrtlst.dll
c:\windows\system32\lkybvisc.ini
c:\windows\system32\llymvm.dll
c:\windows\system32\lmkimlrx.ini
c:\windows\system32\lnicflul.dll
c:\windows\system32\lnoglqje.dll
c:\windows\system32\lnuqsxsm.ini
c:\windows\system32\lohfxb.dll
c:\windows\system32\lrftgois.dll
c:\windows\system32\lrjhcnjx.ini
c:\windows\system32\lwlapdit.dll
c:\windows\system32\lxbsuv.dll
c:\windows\system32\lyqyvvej.dll
c:\windows\system32\majiuvcp.dll
c:\windows\system32\matoqwyp.ini
c:\windows\system32\mbbhddfp.ini
c:\windows\system32\mbjqlmji.ini
c:\windows\system32\mbpocnqv.ini
c:\windows\system32\mefjlo.dll
c:\windows\system32\mfrfll.dll
c:\windows\system32\mgeyoehy.dll
c:\windows\system32\mgoytlbi.ini
c:\windows\system32\mhjjnd.dll
c:\windows\system32\mhpbmktd.ini
c:\windows\system32\mhvjveus.dll
c:\windows\system32\miwkyuxp.dll
c:\windows\system32\mjntvyxi.ini
c:\windows\system32\mjsosb.dll
c:\windows\system32\mkvtndlv.ini
c:\windows\system32\mlncre.dll
c:\windows\system32\mnhafz.dll
c:\windows\system32\mnnajlgq.ini
c:\windows\system32\mqyefosl.ini
c:\windows\system32\mrmmxuii.ini
c:\windows\system32\msdgcfiu.ini
c:\windows\system32\muihhvko.ini
c:\windows\system32\mwkggy.dll
c:\windows\system32\myrahc.dll
c:\windows\system32\nbmwsdrl.ini
c:\windows\system32\nbnrontp.dll
c:\windows\system32\ndckbu.dll
c:\windows\system32\ndkmsuyi.ini
c:\windows\system32\ngidlbfn.ini
c:\windows\system32\nhraxcjt.dll
c:\windows\system32\njhthxoq.ini
c:\windows\system32\njvfanwm.ini
c:\windows\system32\nkkanvrc.ini
c:\windows\system32\nkzvpy.dll
c:\windows\system32\nlwjhskc.ini
c:\windows\system32\nmjaxboi.dll
c:\windows\system32\nnxvjz.dll
c:\windows\system32\noabnlvs.ini
c:\windows\system32\nonvxbqd.ini
c:\windows\system32\nqiwqfxi.dll
c:\windows\system32\nsboerdy.dll
c:\windows\system32\nuemonui.ini
c:\windows\system32\nuiyhvrb.ini
c:\windows\system32\nuyivv.dll
c:\windows\system32\nwsmqoju.dll
c:\windows\system32\oakwsl.dll
c:\windows\system32\oanhdqpy.ini
c:\windows\system32\ocqkrryb.dll
c:\windows\system32\odlqvq.dll
c:\windows\system32\oefejgwu.ini
c:\windows\system32\oekmbxqt.dll
c:\windows\system32\oenuef.dll
c:\windows\system32\ogjptm.dll
c:\windows\system32\omuyohbv.dll
c:\windows\system32\onkzxa.dll
c:\windows\system32\oojqsl.dll
c:\windows\system32\oqvebs.dll
c:\windows\system32\oqweam.dll
c:\windows\system32\oujoke.dll
c:\windows\system32\ovxmmyjg.dll
c:\windows\system32\owmzeo.dll
c:\windows\system32\oxjymwcq.ini
c:\windows\system32\oxvogixk.dll
c:\windows\system32\oycprnln.ini
c:\windows\system32\oyurkgji.dll
c:\windows\system32\pcekcd.dll
c:\windows\system32\pcnyyo.dll
c:\windows\system32\pcthqupu.ini
c:\windows\system32\pebycwsm.ini
c:\windows\system32\pftdbpgb.dll
c:\windows\system32\pftwhvbk.dll
c:\windows\system32\pfyyfs.dll
c:\windows\system32\phbdhlku.ini
c:\windows\system32\pidefujt.ini
c:\windows\system32\piegbfko.dll
c:\windows\system32\pijqidkc.dll
c:\windows\system32\pilfqq.dll
c:\windows\system32\pjtdmmgm.dll
c:\windows\system32\pmbtun.dll
c:\windows\system32\ppwhnrmo.dll
c:\windows\system32\pqoexu.dll
c:\windows\system32\prxmxx.dll
c:\windows\system32\puqdgjsb.dll
c:\windows\system32\pvjvhhlq.ini
c:\windows\system32\pvkstnme.dll
c:\windows\system32\pvwrsraa.ini
c:\windows\system32\pxkfyf.dll
c:\windows\system32\pyelnnef.ini
c:\windows\system32\pyfopvio.dll
c:\windows\system32\pyhpyvnk.dll
c:\windows\system32\qcfpvwfi.ini
c:\windows\system32\qereenfq.ini
c:\windows\system32\qgkbwati.ini
c:\windows\system32\qiehwcof.dll
c:\windows\system32\qjgpcyig.dll
c:\windows\system32\qknfmh.dll
c:\windows\system32\qlxgby.dll
c:\windows\system32\qmibkems.dll
c:\windows\system32\qoebhbbt.ini
c:\windows\system32\qrhjqrlr.dll
c:\windows\system32\qrmvbkdp.dll
c:\windows\system32\qwbakdxy.dll
c:\windows\system32\qwxgxmvy.dll
c:\windows\system32\qxgpcp.dll
c:\windows\system32\qxgxlfqh.ini
c:\windows\system32\qxvdbeav.dll
c:\windows\system32\qybkdnrc.dll
c:\windows\system32\qyydes.dll
c:\windows\system32\qzzzoh.dll
c:\windows\system32\rahcjgmd.dll
c:\windows\system32\rawilt.dll
c:\windows\system32\rbtmccab.dll
c:\windows\system32\requvw.dll
c:\windows\system32\rfjiltei.ini
c:\windows\system32\rgcgao.dll
c:\windows\system32\rguwfr.dll
c:\windows\system32\rinalujn.dll
c:\windows\system32\risnxbfx.dll
c:\windows\system32\rjbctbhx.dll
c:\windows\system32\rjhmgyqo.ini
c:\windows\system32\rksarygi.dll
c:\windows\system32\rkxpuesr.dll
c:\windows\system32\rlbhjtno.ini
c:\windows\system32\rmpooelc.ini
c:\windows\system32\rmsakbsq.dll
c:\windows\system32\rnoailsb.ini
c:\windows\system32\rpxrtved.ini
c:\windows\system32\rpznne.dll
c:\windows\system32\rqcgcc.dll
c:\windows\system32\rrptrp.dll
c:\windows\system32\rrqffsrj.ini
c:\windows\system32\rsnvkfmn.dll
c:\windows\system32\rsrmic.dll
c:\windows\system32\rsxilf.dll
c:\windows\system32\rtdprlcs.dll
c:\windows\system32\rurluv.dll
c:\windows\system32\rusdmpeu.ini
c:\windows\system32\rwliqhee.ini
c:\windows\system32\rxlnab.dll
c:\windows\system32\rxmqttnl.ini
c:\windows\system32\ryqqbscx.ini
c:\windows\system32\ryswrkjr.dll
c:\windows\system32\rzmosk.dll
c:\windows\system32\sbaeedds.ini
c:\windows\system32\sclpoxgw.dll
c:\windows\system32\scnbsxhk.dll
c:\windows\system32\sdjepvna.dll
c:\windows\system32\sdyxuhtj.ini
c:\windows\system32\segqjifi.ini
c:\windows\system32\sgcmarhd.ini
c:\windows\system32\sjtljq.dll
c:\windows\system32\smnuph.dll
c:\windows\system32\snbgeyxe.dll
c:\windows\system32\snccoquu.ini
c:\windows\system32\spstschm.ini
c:\windows\system32\sqsqub.dll
c:\windows\system32\sqtvscbo.dll
c:\windows\system32\svlywqaw.ini
c:\windows\system32\svyvtcnj.dll
c:\windows\system32\swcleb.dll
c:\windows\system32\sxmhgx.dll
c:\windows\system32\sxnumawy.dll
c:\windows\system32\syhwxuoo.ini
c:\windows\system32\tbsrlhpa.dll
c:\windows\system32\tbzvci.dll
c:\windows\system32\temltu.dll
c:\windows\system32\tepawx.dll
c:\windows\system32\tiqnlryu.dll
c:\windows\system32\tlaxtdsv.ini
c:\windows\system32\tmisidcb.dll
c:\windows\system32\tmpvyd.dll
c:\windows\system32\toawdlde.ini
c:\windows\system32\tolhkv.dll
c:\windows\system32\topiai.dll
c:\windows\system32\tpcgmcyr.ini
c:\windows\system32\tpfhpuab.ini
c:\windows\system32\tpodvbmy.dll
c:\windows\system32\tqfrlahv.dll
c:\windows\system32\trxghkhi.ini
c:\windows\system32\ttnqdebo.ini
c:\windows\system32\ttvdbctx.ini
c:\windows\system32\tvfcwnpf.dll
c:\windows\system32\tvwqxlct.dll
c:\windows\system32\twkcyqex.dll
c:\windows\system32\tyxffgnx.ini
c:\windows\system32\tzdyko.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\uactmp.db
c:\windows\system32\uajhjm.dll
c:\windows\system32\uCdgfNmp.ini
c:\windows\system32\uCdgfNmp.ini2
c:\windows\system32\ucsuwm.dll
c:\windows\system32\uewsjywy.dll
c:\windows\system32\ugklbcmu.ini
c:\windows\system32\uiszkd.dll
c:\windows\system32\ujkhwbxv.dll
c:\windows\system32\ujsgplbc.ini
c:\windows\system32\unstzl.dll
c:\windows\system32\unxboptt.dll
c:\windows\system32\uongwfvc.dll
c:\windows\system32\updtyaji.dll
c:\windows\system32\upegxolk.dll
c:\windows\system32\upfgpc.dll
c:\windows\system32\upxjhwbi.dll
c:\windows\system32\uqbhqugq.ini
c:\windows\system32\urgpnqly.dll
c:\windows\system32\urrumpkd.ini
c:\windows\system32\uupzrz.dll
c:\windows\system32\uyujvr.dll
c:\windows\system32\uzzyyp.dll
c:\windows\system32\vachfhhb.ini
c:\windows\system32\vgfuijfp.ini
c:\windows\system32\vgmltg.dll
c:\windows\system32\vhyqkpaw.dll
c:\windows\system32\vqhldssy.ini
c:\windows\system32\vqojjgve.ini
c:\windows\system32\vrvjtbcd.ini
c:\windows\system32\vsjnsxkj.ini
c:\windows\system32\vsvrxsce.ini
c:\windows\system32\vtibei.dll
c:\windows\system32\vtkxjkuy.ini
c:\windows\system32\vtvycw.dll
c:\windows\system32\vynkhcih.dll
c:\windows\system32\vzxzmp.dll
c:\windows\system32\waqyxvjs.ini
c:\windows\system32\wbkvutma.dll
c:\windows\system32\wbmkdw.dll
c:\windows\system32\wdxvrtit.ini
c:\windows\system32\weyabj.dll
c:\windows\system32\wgypkjfp.dll
c:\windows\system32\wivvcypi.ini
c:\windows\system32\wiyzcb.dll
c:\windows\system32\wkbabsbd.dll
c:\windows\system32\wmqcfavg.ini
c:\windows\system32\wnbobmhg.ini
c:\windows\system32\wosdlovm.dll
c:\windows\system32\woxvwp.dll
c:\windows\system32\wpaswyme.dll
c:\windows\system32\wphsuvjj.ini
c:\windows\system32\wqawixuk.ini
c:\windows\system32\wqzwwb.dll
c:\windows\system32\wsopnmqk.ini
c:\windows\system32\wsoxxpml.dll
c:\windows\system32\wspqvz.dll
c:\windows\system32\wsvwop.dll
c:\windows\system32\wtawdngh.dll
c:\windows\system32\wtvhnc.dll
c:\windows\system32\wulwkmhg.dll
c:\windows\system32\wuuylacy.ini
c:\windows\system32\wwlhheku.ini
c:\windows\system32\wwnuwgpk.ini
c:\windows\system32\wwuyefyf.dll
c:\windows\system32\wxawkjga.ini
c:\windows\system32\xacbeewu.ini
c:\windows\system32\xbzyyb.dll
c:\windows\system32\xfsrtyyh.dll
c:\windows\system32\xgoprt.dll
c:\windows\system32\xhpejaah.dll
c:\windows\system32\xihdxkvp.dll
c:\windows\system32\xilkmnja.ini
c:\windows\system32\xiymwrhc.ini
c:\windows\system32\xlxtvk.dll
c:\windows\system32\xmquhmyq.ini
c:\windows\system32\xmufneqm.ini
c:\windows\system32\xndbnnsm.ini
c:\windows\system32\xokpba.dll
c:\windows\system32\xoysjuep.dll
c:\windows\system32\xpmvivxg.ini
c:\windows\system32\xqckez.dll
c:\windows\system32\xrfwvfpr.ini
c:\windows\system32\xtndvqia.dll
c:\windows\system32\xuimpnoo.ini
c:\windows\system32\xvuxjo.dll
c:\windows\system32\xvxwifof.ini
c:\windows\system32\xwshiaiw.ini
c:\windows\system32\xxjkcrbt.ini
c:\windows\system32\xydfprvl.dll
c:\windows\system32\ycgvdhmc.dll
c:\windows\system32\ycwjfkar.dll
c:\windows\system32\ydqamesp.dll
c:\windows\system32\yeboiium.ini
c:\windows\system32\yevbdf.dll
c:\windows\system32\ygbodj.dll
c:\windows\system32\yghsuksc.dll
c:\windows\system32\ygkgusbo.ini
c:\windows\system32\ykympvvd.dll
c:\windows\system32\yldsmojk.dll
c:\windows\system32\ylmwxeek.ini
c:\windows\system32\ymahulaj.ini
c:\windows\system32\ymconcvl.dll
c:\windows\system32\yojjuaxh.ini
c:\windows\system32\yoqorglr.ini
c:\windows\system32\yoxvcckl.ini
c:\windows\system32\yqpjcgqb.ini
c:\windows\system32\yqwxfkxl.dll
c:\windows\system32\yrkovi.dll
c:\windows\system32\yrwwis.dll
c:\windows\system32\ysaaaoft.dll
c:\windows\system32\yskfqu.dll
c:\windows\system32\ytalkcvw.dll
c:\windows\system32\ytdhlebw.dll
c:\windows\system32\ytlxjv.dll
c:\windows\system32\yuknvcau.ini
c:\windows\system32\yvnudgom.ini
c:\windows\system32\yycxppeu.ini
c:\windows\system32\yzgtwz.dll
c:\windows\system32\znnptu.dll
c:\windows\system32\ztfpum.dll
c:\windows\system32\zxqniy.dll
c:\windows\Tasks\mtecvxhw.job
c:\windows\wiaserviv.log

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2009-06-02 22:43 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-02 22:43 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-02 16:24 . 2009-06-02 22:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-01 21:53 . 2009-06-01 21:53 -------- d-----w- c:\documents and settings\ADMINISTRATOR.FLSA\Application Data\Malwarebytes
2009-06-01 21:53 . 2009-06-01 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-29 03:47 . 2009-05-29 03:47 422 ----a-w- c:\documents and settings\ADMINISTRATOR.FLSA\Application Data\Identities\socks1.exe
2009-05-29 03:47 . 2009-05-29 03:47 145131 ----a-w- c:\documents and settings\ADMINISTRATOR.FLSA\Application Data\Macromedia\nomad.exe
2009-05-29 03:47 . 2009-05-29 03:47 13221 ----a-w- c:\documents and settings\ADMINISTRATOR.FLSA\Application Data\Brother\rengo.dll
2009-05-29 03:47 . 2009-05-29 03:47 11232 ----a-w- c:\documents and settings\ADMINISTRATOR.FLSA\Application Data\Adobe\shalom.exe
2009-05-29 03:46 . 2009-05-29 03:46 75264 ----a-w- c:\documents and settings\ADMINISTRATOR.FLSA\Application Data\upd.exe.exe
2009-05-28 21:59 . 2009-05-28 21:59 -------- d-----r- c:\documents and settings\ADMINISTRATOR.FLSA\Application Data\Brother
2009-05-28 16:27 . 2009-06-02 22:41 66560 ----a-w- c:\windows\system32\UACxycosrnfevmqeqw.dll
2009-05-28 16:27 . 2009-05-28 16:27 30208 ----a-w- c:\windows\system32\UACvdhpvcbkxnhhdch.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-17 21:35 . 2007-05-10 00:40 -------- d-----w- c:\program files\LogMeIn
2009-06-02 22:11 . 2008-10-09 22:51 -------- d-----w- c:\program files\XoftSpySE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 22:55 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"WAVE1"=WnvWav32.dll
"MIXER"=WnvMxr.dll
"MIXER8"=WnvMxr.dll
"WAVE8"=WnvWav32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^REMbrandt Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\REMbrandt Manager.lnk
backup=c:\windows\pss\REMbrandt Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^REMbrandtManager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\REMbrandtManager.lnk
backup=c:\windows\pss\REMbrandtManager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Wnvirq32Service"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"NVSvc"=2 (0x2)
"MDM"=2 (0x2)
"idsvc"=3 (0x3)
"ImapService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R1 Winnov32;Winnov32;c:\windows\system32\drivers\Winnov32.sys [5/1/2007 12:47 PM 528719]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [6/18/2007 10:18 AM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [6/18/2007 10:18 AM 47640]
R2 Synergy Client;Synergy Client;c:\program files\Synergy\synergyc.exe [4/2/2006 4:19 PM 446464]
R3 DspPdo;PDO Driver;c:\windows\system32\drivers\DSPPDO.SYS [3/6/2003 5:12 PM 10310]
R3 MCSPRBD;Driver for Artisan with Da Vinci interface (MCSPRBD);c:\windows\system32\drivers\MCSPRBD.sys [5/7/2008 1:42 PM 92457]
R3 MCSPRIB;Driver for Monet16 with COM interface (MCSPRIB);c:\windows\system32\drivers\MCSPRIB.sys [5/7/2008 1:42 PM 47881]
R3 MCSPRJB;Driver for Monet16 with USB interface (MCSPRJB);c:\windows\system32\drivers\MCSPRJB.sys [12/24/2003 1:59 PM 47113]
R3 MCSPRKB;Driver for Monet24 with USB interface (MCSPRKB);c:\windows\system32\drivers\MCSPRKB.sys [4/2/2003 6:16 PM 47337]
R3 PORTI;Porti Driver;c:\windows\system32\drivers\PORTI.SYS [3/6/2003 5:11 PM 19190]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [6/18/2007 10:18 AM 12192]
R3 USBFIB;Fiber to USB Driver;c:\windows\system32\drivers\USBFIB.SYS [3/6/2003 5:09 PM 17790]
R3 WnvCOM;WnvCOM;c:\windows\system32\drivers\WnvCOM.sys [5/1/2007 12:47 PM 21536]
R3 WnvKVid;Winnov Kernel Video;c:\windows\system32\drivers\WnvKVid.sys [5/1/2007 12:47 PM 245480]
S3 EmblettaUSB;Device driver for Medcare USB devices;c:\windows\system32\drivers\EmblettaUSB.sys [4/1/2004 7:56 PM 69632]
S3 WnvKAud;Winnov Kernel Audio;c:\windows\system32\drivers\WnvKAud.sys [5/1/2007 12:47 PM 107232]
S4 ImapService;ImapService;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 Wnvirq32Service;WnvIRQ32;c:\windows\system32\WnvIRQ32.EXE [5/1/2007 12:47 PM 137216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{20160A23-973D-47A9-8807-ABB847FF0E53} - c:\windows\system32\jkkHWOhH.dll
BHO-{9C963F92-02A1-4297-969F-BC1C8218EB45} - c:\windows\system32\pmNfgdCu.dll
BHO-{FCB5785A-66A7-434B-87D9-EEA867E1136F} - c:\windows\system32\ddcBUkjK.dll
ShellExecuteHooks-{7b722465-9fef-46e7-886a-0a5033014ea1} - c:\windows\system32\wzeqql.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E3CF5F1B-C29E-4D21-B695-E1B0E1CB6EC9} - hxxp://192.168.1.31/codebase/NewHCNetActiveX.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-17 21:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\WOW32.dll
c:\windows\system32\WNVASRC.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'lsass.exe'(764)
c:\windows\system32\WOW32.dll
c:\windows\system32\WNVASRC.dll

- - - - - - - > 'explorer.exe'(4044)
c:\windows\system32\WOW32.dll
c:\windows\system32\WNVASRC.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\system32\wscntfy.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2009-06-18 21:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-18 01:31

Pre-Run: 6,903,676,928 bytes free
Post-Run: 6,973,927,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

756
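
The log above carries the indicators a malware-response helper reads for: randomly named UAC*.dll files in system32 (the ones ComboFix deleted and the two it left behind), executables such as socks1.exe and shalom.exe dropped into Application Data with the same timestamp, the ImapService entry pointing at c:\windows\svchost.exe instead of the system32 copy, a drivers\svchost.exe in the firewall allow list, Security Center notifications switched off and the firewall disabled. As an added example, not a tool used in this thread and not part of ComboFix or Malwarebytes, here is a Python triage script that runs those checks over a constructed excerpt of the posted log and drafts a File:: section in the CFScript format m0le uses in the following post. The regexes, the function names (triage, rogue_svchost, build_cfscript) and SAMPLE_LOG are the example author's; the patterns are heuristics fitted to this log, not general signatures, and whatever the script lists is a candidate for analyst review, never an automatic deletion.

```python
"""Triage a ComboFix-style log for the tamper indicators visible in the thread
above and draft a CFScript ``File::`` section for analyst review.

Added example, not a tool used in this thread and not part of ComboFix; every
pattern below is the example author's heuristic for this log, not a signature.
"""
import re

# Constructed excerpt: paths and values copied from the log posted above; the
# full log is several hundred lines and is not reproduced here.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2009-06-02 22:43 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-02 16:24 . 2009-06-02 22:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-29 03:47 . 2009-05-29 03:47 422 ----a-w- c:\documents and settings\ADMINISTRATOR.FLSA\Application Data\Identities\socks1.exe
2009-05-29 03:47 . 2009-05-29 03:47 11232 ----a-w- c:\documents and settings\ADMINISTRATOR.FLSA\Application Data\Adobe\shalom.exe
2009-05-28 16:27 . 2009-06-02 22:41 66560 ----a-w- c:\windows\system32\UACxycosrnfevmqeqw.dll
2009-05-28 16:27 . 2009-05-28 16:27 30208 ----a-w- c:\windows\system32\UACvdhpvcbkxnhhdch.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

S4 ImapService;ImapService;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
"""

# One "Files Created" entry: created . modified  size  attrs  path
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
# Filename shape ComboFix deleted in the log above: UAC + random letters in system32.
UAC_RE = re.compile(r"^c:\\windows\\system32\\(?:drivers\\)?uac[a-z]+\.(?:dll|dat|sys|db)$", re.IGNORECASE)
# Executables dropped under a user's Application Data (socks1.exe, shalom.exe, ...).
APPDATA_EXE_RE = re.compile(r"\\application data\\.*\.(?:exe|dll)$", re.IGNORECASE)
# Any svchost.exe path; the genuine binary on XP lives only in %windir%\system32.
SVCHOST_RE = re.compile(r'(?:%windir%|[a-z]:\\windows)[^\s";]*?svchost\.exe', re.IGNORECASE)
# Registry values from the log that silence defences (matched per line).
TAMPER_PATTERNS = {
    "security_center_av_notify_off": r'^"AntiVirusDisableNotify"=dword:0*1$',
    "security_center_updates_notify_off": r'^"UpdatesDisableNotify"=dword:0*1$',
    "firewall_disabled": r'^"EnableFirewall"=\s*0\b',
}
GENUINE_SVCHOST = r"c:\windows\system32\svchost.exe"


def rogue_svchost(log):
    """Return every svchost.exe path in the log that is not the system32 copy."""
    found = set()
    for m in SVCHOST_RE.finditer(log):
        # Registry export doubles backslashes; fold them and expand %windir%.
        norm = m.group(0).lower().replace("\\\\", "\\").replace("%windir%", r"c:\windows")
        if norm != GENUINE_SVCHOST:
            found.add(norm)
    return sorted(found)


def triage(log):
    """Collect suspicious created files, rogue svchost paths and tamper flags."""
    created = [(m["path"], m["attrs"]) for m in CREATED_RE.finditer(log)]
    suspicious_files = [
        path for path, attrs in created
        if not attrs.startswith("d")  # directories are not File:: targets
        and (UAC_RE.match(path) or APPDATA_EXE_RE.search(path))
    ]
    tamper = [name for name, pat in TAMPER_PATTERNS.items()
              if re.search(pat, log, re.IGNORECASE | re.MULTILINE)]
    return {
        "created_count": len(created),
        "suspicious_files": suspicious_files,
        "rogue_svchost": rogue_svchost(log),
        "tamper": tamper,
    }


def build_cfscript(paths):
    """Draft a File:: section in the format used in the thread; review before use."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    print(build_cfscript(result["suspicious_files"]))
```

Run against the excerpt it lists the two leftover UAC DLLs and the two Application Data executables, both svchost.exe copies that are not in system32, and all three registry tamper flags. The drafted File:: section is exactly the shape the helper writes by hand in the next post; the point of keeping it a draft is that a wrong guess in a File:: directive deletes a legitimate file, so the analyst still checks every path before it goes into CFScript.txt.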

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 18 June 2009 - 06:48 AM

Hi yeek8,

Yes, a pretty long ComboFix log.

We have to run it again though, we still have unwelcome visitors.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\UACxycosrnfevmqeqw.dll
c:\windows\system32\UACvdhpvcbkxnhhdch.dll


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Then

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks :thumbup2:
m0le is a proud member of UNITE

#11 fpsa_ahmed

fpsa_ahmed
  • Topic Starter

  • Members
  • 32 posts
  • Local time:11:14 PM

Posted 18 June 2009 - 09:59 AM

Hey m0le,

I did the combofix with the script and the mbam logs are below. Thank you!



ComboFix 09-06-17.04 - administrator 06/18/2009 10:15.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.967 [GMT -4:00]
Running from: c:\documents and settings\ADMINISTRATOR.FLSA\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\ADMINISTRATOR.FLSA\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\UACvdhpvcbkxnhhdch.dll"
"c:\windows\system32\UACxycosrnfevmqeqw.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\UACvdhpvcbkxnhhdch.dll
c:\windows\system32\UACxycosrnfevmqeqw.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2009-06-02 22:43 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-02 22:43 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-02 16:24 . 2009-06-02 22:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-01 21:53 . 2009-06-01 21:53 -------- d-----w- c:\documents and settings\ADMINISTRATOR.FLSA\Application Data\Malwarebytes
2009-06-01 21:53 . 2009-06-01 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-29 03:47 . 2009-05-29 03:47 422 ----a-w- c:\documents and settings\ADMINISTRATOR.FLSA\Application Data\Identities\socks1.exe
2009-05-29 03:47 . 2009-05-29 03:47 145131 ----a-w- c:\documents and settings\ADMINISTRATOR.FLSA\Application Data\Macromedia\nomad.exe
2009-05-29 03:47 . 2009-05-29 03:47 13221 ----a-w- c:\documents and settings\ADMINISTRATOR.FLSA\Application Data\Brother\rengo.dll
2009-05-29 03:47 . 2009-05-29 03:47 11232 ----a-w- c:\documents and settings\ADMINISTRATOR.FLSA\Application Data\Adobe\shalom.exe
2009-05-29 03:46 . 2009-05-29 03:46 75264 ----a-w- c:\documents and settings\ADMINISTRATOR.FLSA\Application Data\upd.exe.exe
2009-05-28 21:59 . 2009-05-28 21:59 -------- d-----r- c:\documents and settings\ADMINISTRATOR.FLSA\Application Data\Brother

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-18 14:15 . 2007-05-10 00:40 -------- d-----w- c:\program files\LogMeIn
2009-06-02 22:11 . 2008-10-09 22:51 -------- d-----w- c:\program files\XoftSpySE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 22:55 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"WAVE1"=WnvWav32.dll
"MIXER"=WnvMxr.dll
"MIXER8"=WnvMxr.dll
"WAVE8"=WnvWav32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^REMbrandt Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\REMbrandt Manager.lnk
backup=c:\windows\pss\REMbrandt Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^REMbrandtManager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\REMbrandtManager.lnk
backup=c:\windows\pss\REMbrandtManager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Wnvirq32Service"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"NVSvc"=2 (0x2)
"MDM"=2 (0x2)
"idsvc"=3 (0x3)
"ImapService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R1 Winnov32;Winnov32;c:\windows\system32\drivers\Winnov32.sys [5/1/2007 12:47 PM 528719]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [6/18/2007 10:18 AM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [6/18/2007 10:18 AM 47640]
R2 Synergy Client;Synergy Client;c:\program files\Synergy\synergyc.exe [4/2/2006 4:19 PM 446464]
R3 DspPdo;PDO Driver;c:\windows\system32\drivers\DSPPDO.SYS [3/6/2003 5:12 PM 10310]
R3 MCSPRBD;Driver for Artisan with Da Vinci interface (MCSPRBD);c:\windows\system32\drivers\MCSPRBD.sys [5/7/2008 1:42 PM 92457]
R3 MCSPRIB;Driver for Monet16 with COM interface (MCSPRIB);c:\windows\system32\drivers\MCSPRIB.sys [5/7/2008 1:42 PM 47881]
R3 MCSPRJB;Driver for Monet16 with USB interface (MCSPRJB);c:\windows\system32\drivers\MCSPRJB.sys [12/24/2003 1:59 PM 47113]
R3 MCSPRKB;Driver for Monet24 with USB interface (MCSPRKB);c:\windows\system32\drivers\MCSPRKB.sys [4/2/2003 6:16 PM 47337]
R3 PORTI;Porti Driver;c:\windows\system32\drivers\PORTI.SYS [3/6/2003 5:11 PM 19190]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [6/18/2007 10:18 AM 12192]
R3 USBFIB;Fiber to USB Driver;c:\windows\system32\drivers\USBFIB.SYS [3/6/2003 5:09 PM 17790]
R3 WnvCOM;WnvCOM;c:\windows\system32\drivers\WnvCOM.sys [5/1/2007 12:47 PM 21536]
R3 WnvKVid;Winnov Kernel Video;c:\windows\system32\drivers\WnvKVid.sys [5/1/2007 12:47 PM 245480]
S3 EmblettaUSB;Device driver for Medcare USB devices;c:\windows\system32\drivers\EmblettaUSB.sys [4/1/2004 7:56 PM 69632]
S3 WnvKAud;Winnov Kernel Audio;c:\windows\system32\drivers\WnvKAud.sys [5/1/2007 12:47 PM 107232]
S4 ImapService;ImapService;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 Wnvirq32Service;WnvIRQ32;c:\windows\system32\WnvIRQ32.EXE [5/1/2007 12:47 PM 137216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
- - - - ORPHANS REMOVED - - - -

BHO-{20160A23-973D-47A9-8807-ABB847FF0E53} - (no file)
BHO-{9C963F92-02A1-4297-969F-BC1C8218EB45} - (no file)
BHO-{FCB5785A-66A7-434B-87D9-EEA867E1136F} - (no file)
ShellExecuteHooks-{7b722465-9fef-46e7-886a-0a5033014ea1} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E3CF5F1B-C29E-4D21-B695-E1B0E1CB6EC9} - hxxp://192.168.1.31/codebase/NewHCNetActiveX.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-18 10:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\WOW32.dll
c:\windows\system32\WNVASRC.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'lsass.exe'(764)
c:\windows\system32\WOW32.dll
c:\windows\system32\WNVASRC.dll
.
Completion time: 2009-06-18 10:19
ComboFix-quarantined-files.txt 2009-06-18 14:19
ComboFix2.txt 2009-06-18 01:31

Pre-Run: 9,890,582,528 bytes free
Post-Run: 9,878,261,760 bytes free

137

--------------------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.38
Database version: 2304
Windows 5.1.2600 Service Pack 2

6/18/2009 10:48:03 AM
mbam-log-2009-06-18 (10-48-03).txt

Scan type: Full Scan (C:\|)
Objects scanned: 171975
Time elapsed: 20 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\UACamgypnncalvkhdj.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UAClhdqhkkevoysqgi.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACvdhpvcbkxnhhdch.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACxycosrnfevmqeqw.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACyqddomktttbwqbu.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACyxytucgmpgnycac.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{fdeefc1a-6be7-4897-bec2-83bac42ad38f}\RP920\A0034258.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\system volume information\_restore{fdeefc1a-6be7-4897-bec2-83bac42ad38f}\RP920\A0034259.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\system volume information\_restore{fdeefc1a-6be7-4897-bec2-83bac42ad38f}\RP948\A0036753.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{fdeefc1a-6be7-4897-bec2-83bac42ad38f}\RP948\A0036754.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{fdeefc1a-6be7-4897-bec2-83bac42ad38f}\RP948\A0036755.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{fdeefc1a-6be7-4897-bec2-83bac42ad38f}\RP948\A0036756.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{fdeefc1a-6be7-4897-bec2-83bac42ad38f}\RP949\A0036903.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{fdeefc1a-6be7-4897-bec2-83bac42ad38f}\RP949\A0036904.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\ADMINISTRATOR.FLSA\Application Data\upd.exe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
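The ComboFix log in this post carries the indicators the helper reads by eye: the two Security Center notify values (which MBAM then flagged as Disabled.SecurityCenter), the firewall switched off, a firewall-authorized svchost.exe sitting in the drivers folder and a service pointing at c:\windows\svchost.exe, and random UAC* DLL names in system32 that MBAM labelled Trojan.TDSS. As an added example that is not from this thread, ComboFix or MBAM, here is a small Python triage over constructed lines shaped like that log; the rule names, regexes and the "allowed svchost directories" set are this example's own assumptions.

```python
"""Triage of ComboFix-style log lines for the indicators seen in this thread.

Added example, not part of the thread or of ComboFix/MBAM. SAMPLE_LOG is
constructed to mirror the log posted above; rule names, regexes and the
SYSTEM32 set are assumptions of this example.
"""
import re
from collections import Counter

# Constructed sample lines shaped like the ComboFix output above.
SAMPLE_LOG = r"""
"c:\windows\system32\UACvdhpvcbkxnhhdch.dll"
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"EnableFirewall"= 0 (0x0)
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
S4 ImapService;ImapService;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
R2 Synergy Client;Synergy Client;c:\program files\Synergy\synergyc.exe [4/2/2006 4:19 PM 446464]
"""

# Directories where a genuine svchost.exe lives on XP (assumed allow-list).
SYSTEM32 = {r"c:\windows\system32", r"c:\windows\syswow64"}

RULES = {
    # Security Center told not to warn about missing AV / updates / firewall.
    "security_center_notify_disabled":
        re.compile(r'^"(antivirus|updates|firewall)disablenotify"=dword:0*1\b'),
    # Windows Firewall turned off in the standard profile.
    "firewall_disabled":
        re.compile(r'^"enablefirewall"=\s*0\b'),
    # Random-named UAC* files in system32: the naming seen on the TDSS hits above.
    "tdss_random_dll":
        re.compile(r'c:\\windows\\system32\\uac[a-z]{10,}\.[a-z0-9]{2,3}\b'),
}
PATH_RE = re.compile(r'[a-z]:\\[^\s"\[\]=;]+')


def normalize(line: str) -> str:
    """Lower-case, collapse registry-escaped backslashes, expand %windir%."""
    return line.strip().lower().replace("\\\\", "\\").replace("%windir%", r"c:\windows")


def svchost_outside_system32(norm: str) -> bool:
    """True if any path on the line is an svchost.exe not under system32."""
    for path in PATH_RE.findall(norm):
        if path.endswith(r"\svchost.exe"):
            if path.rsplit("\\", 1)[0] not in SYSTEM32:
                return True
    return False


def triage(log_text: str) -> list:
    """Return (rule_name, original_line) pairs for every line that trips a rule."""
    findings = []
    for raw in log_text.splitlines():
        norm = normalize(raw)
        if not norm:
            continue
        for name, rx in RULES.items():
            if rx.search(norm):
                findings.append((name, raw.strip()))
        if svchost_outside_system32(norm):
            findings.append(("svchost_outside_system32", raw.strip()))
    return findings


def summarize(log_text: str) -> dict:
    """Count findings per rule, e.g. {'firewall_disabled': 1, ...}."""
    return dict(Counter(name for name, _ in triage(log_text)))


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:32s} {line}")
    print(summarize(SAMPLE_LOG))
```

Run against a real ComboFix log the script only flags lines; deciding what is legitimate (a vendor's own svchost-named binary, say) is still the helper's call.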

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:14 AM

Posted 18 June 2009 - 11:31 AM

That's looking a lot better. :)

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Then please post fresh DDS logs. :thumbup2:
m0le is a proud member of UNITE

#13 fpsa_ahmed

fpsa_ahmed
  • Topic Starter

  • Members
  • 32 posts
  • Local time:11:14 PM

Posted 18 June 2009 - 02:23 PM

Hey m0le,

I attached the results of the Kaspersky scan because it is a HUGE list. Did it just do a scan or did it remove the items it found?

Below is the DDS Log.


DDS (Ver_09-05-14.01) - NTFSx86
Run by administrator at 15:21:08.37 on Thu 06/18/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.809 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Synergy\synergyc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\ADMINISTRATOR.FLSA\Local Settings\temp\jkos-administrator\binaries\ScanningProcess.exe
C:\Documents and Settings\ADMINISTRATOR.FLSA\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {20160A23-973D-47A9-8807-ABB847FF0E53} - No File
BHO: {9C963F92-02A1-4297-969F-BC1C8218EB45} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FCB5785A-66A7-434B-87D9-EEA867E1136F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178038936078
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://embla.webex.com/client/T26L/support/ieatgpc.cab
DPF: {E3CF5F1B-C29E-4D21-B695-E1B0E1CB6EC9} - hxxp://192.168.1.31/codebase/NewHCNetActiveX.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {7b722465-9fef-46e7-886a-0a5033014ea1} - No File

============= SERVICES / DRIVERS ===============

R1 Winnov32;Winnov32;c:\windows\system32\drivers\Winnov32.sys [2007-5-1 528719]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-6-18 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-6-18 47640]
R2 Synergy Client;Synergy Client;c:\program files\synergy\synergyc.exe [2006-4-2 446464]
R3 DspPdo;PDO Driver;c:\windows\system32\drivers\DSPPDO.SYS [2003-3-6 10310]
R3 MCSPRBD;Driver for Artisan with Da Vinci interface (MCSPRBD);c:\windows\system32\drivers\MCSPRBD.sys [2008-5-7 92457]
R3 MCSPRIB;Driver for Monet16 with COM interface (MCSPRIB);c:\windows\system32\drivers\MCSPRIB.sys [2008-5-7 47881]
R3 MCSPRJB;Driver for Monet16 with USB interface (MCSPRJB);c:\windows\system32\drivers\MCSPRJB.sys [2003-12-24 47113]
R3 MCSPRKB;Driver for Monet24 with USB interface (MCSPRKB);c:\windows\system32\drivers\MCSPRKB.sys [2003-4-2 47337]
R3 PORTI;Porti Driver;c:\windows\system32\drivers\PORTI.SYS [2003-3-6 19190]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2007-6-18 12192]
R3 USBFIB;Fiber to USB Driver;c:\windows\system32\drivers\USBFIB.SYS [2003-3-6 17790]
R3 WnvCOM;WnvCOM;c:\windows\system32\drivers\WnvCOM.sys [2007-5-1 21536]
R3 WnvKVid;Winnov Kernel Video;c:\windows\system32\drivers\WnvKVid.sys [2007-5-1 245480]
S3 EmblettaUSB;Device driver for Medcare USB devices;c:\windows\system32\drivers\EmblettaUSB.sys [2004-4-1 69632]
S3 WnvKAud;Winnov Kernel Audio;c:\windows\system32\drivers\WnvKAud.sys [2007-5-1 107232]
S4 ImapService;ImapService;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 Wnvirq32Service;WnvIRQ32;c:\windows\system32\WnvIRQ32.EXE [2007-5-1 137216]

=============== Created Last 30 ================

2009-06-18 13:51 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-18 13:51 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-17 17:31 <DIR> a-dshr-- C:\cmdcons
2009-06-02 18:43 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-02 18:43 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-02 12:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-01 17:53 <DIR> --d----- c:\docume~1\admini~1.fls\applic~1\Malwarebytes
2009-06-01 17:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-01 17:32 161,792 a------- c:\windows\SWREG.exe
2009-06-01 17:32 155,136 a------- c:\windows\PEV.exe
2009-06-01 17:32 98,816 a------- c:\windows\sed.exe
2009-05-28 17:59 <DIR> --d--r-- c:\docume~1\admini~1.fls\applic~1\Brother
2009-05-28 12:27 1,110,399 a------- c:\windows\system32\UACtpgaqttumlooqcs.db

==================== Find3M ====================

2009-01-12 11:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011220090113\index.dat
2009-01-18 15:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011820090119\index.dat

============= FINISH: 15:21:19.64 ===============

Attached Files

  • Attached File  scan.txt   83.09KB   5 downloads


#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:14 AM

Posted 18 June 2009 - 06:13 PM

Hi fpsa_ahmed,

Did it just do a scan or did it remove the items it found?


That was just a scanner but don't worry as all those items are either in quarantine or in your restore folder. Both these folders will be removed during clean up.

Use Windows Explorer to find and delete this file:

c:\windows\system32\UACtpgaqttumlooqcs.db

As an example:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E.
Double click on Local Disk (C:\)
Double click on the Windows folder,
Right click on badfile.dll and then from the menu that appears, click on Delete


Then

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
  • For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

Then close Firefox and then reopen it.

Then please post a new DDS log.
m0le is a proud member of UNITE

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:14 AM

Posted 22 June 2009 - 02:14 PM

Hi fpsa_ahmed,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE
