Removal Of Windows AntiVirus Pro


This topic is locked
19 replies to this topic

#1 MoonKnight


Posted 05 August 2009 - 11:02 PM

Have followed the steps in the self-help but this thing still exists. May have it all sorts of screwy now. Here is the info from DDS.


DDS (Ver_09-07-30.01) - NTFSx86
Run by MoonKnight at 20:58:21.79 on Wed 08/05/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.198 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\AMD\PowerNow!\GemServ.exe
C:\Program Files\AMD\PowerNow!\gemback.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\MoonKnight.MOONSWORLD\Local Settings\Temporary Internet Files\Content.IE5\CP3NCS7P\dds[1].scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.wowmb.net/
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Mirabilis ICQ] c:\progra~1\icq\ICQNet.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [combofix] c:\windows\system32\cf12433.exe /c c:\combofix\Combobatch.bat
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {A3A5A466-739D-4685-95EA-40123927F975} = 10.0.0.254,10.0.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: RadExeExt Class: {35b2861b-2b26-4691-9ff0-09083722c736} - c:\windows\system32\RadExe.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 atitray;atitray;c:\program files\radeon omega drivers\v4.8.442\ati tray tools\atitray.sys [2009-5-8 17952]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-19 335752]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-10-28 27784]
R1 gemwdm;AMD PowerNow! ™ Technology;c:\windows\system32\drivers\gemwdm.sys [2004-12-30 11456]
R1 SSHDRV65;SSHDRV65;c:\windows\system32\drivers\SSHDRV65.sys [2004-4-21 120320]
R1 SSHDRV76;SSHDRV76;c:\windows\system32\drivers\SSHDRV76.sys [2004-4-21 53760]
R1 SSHDRV77;SSHDRV77;c:\windows\system32\drivers\SSHDRV77.sys [2004-7-24 79360]
R1 SSHDRV85;SSHDRV85;c:\windows\system32\drivers\SSHDRV85.sys [2006-2-18 78848]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-19 298776]
R2 PStrip;PSTRIP;c:\windows\system32\drivers\pstrip.sys [2007-7-14 27992]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\moonkn~1\locals~1\temp\safe to delete 3_0_4_8\amdmsrio.sys --> c:\docume~1\moonkn~1\locals~1\temp\safe to delete 3_0_4_8\AMDMSRIO.sys [?]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys --> c:\windows\system32\drivers\BCGAME.SYS [?]
S3 bcgbus;Nostromo USB Device Driver;c:\windows\system32\drivers\bcgbus.sys --> c:\windows\system32\drivers\BCGBUS.SYS [?]
S3 cel90xbe;cel90xbe;\??\c:\docume~1\moonkn~1\locals~1\temp\cel90xbe.sys --> c:\docume~1\moonkn~1\locals~1\temp\cel90xbe.sys [?]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;c:\windows\system32\drivers\sustucam.sys [2006-4-12 38016]
S3 SUSTUCAP;Susteen USB Cable Port Driver;c:\windows\system32\drivers\sustucap.sys [2006-4-12 38016]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [2004-8-8 3968]

=============== Created Last 30 ================

2009-08-05 14:47 <DIR> --dsh--- C:\USMT.TMP
2009-08-05 10:20 <DIR> --d----- c:\program files\Smart Virus Remover
2009-08-05 05:19 <DIR> --d----- C:\WINDOWS.0
2009-08-05 02:02 <DIR> a-dshr-- C:\cmdcons
2009-08-05 01:52 219,648 a------- c:\windows\PEV.exe
2009-08-05 01:52 161,792 a------- c:\windows\SWREG.exe
2009-08-05 01:52 98,816 a------- c:\windows\sed.exe
2009-08-05 01:52 389,120 a------- c:\windows\system32\CF12433.exe
2009-08-05 01:52 <DIR> --ds---- C:\ComboFix
2009-08-05 00:26 0 a------- c:\documents and settings\moonknight.moonsworld\settings.dat
2009-08-04 23:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-04 23:56 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-04 23:56 <DIR> --d----- c:\docume~1\moonkn~1.moo\applic~1\SUPERAntiSpyware.com
2009-08-04 23:46 <DIR> --d----- c:\windows\system32\CatRoot
2009-07-29 10:43 0 a------- c:\windows\~$temp001.tmp

==================== Find3M ====================

2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 06:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-03 10:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 10:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 10:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 10:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 10:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 10:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 10:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 10:09 1,985,536 a------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 10:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 10:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 10:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 10:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 04:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-07-02 03:12 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 02:59 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 07:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 07:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 12:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-11 22:11 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-05-08 17:08 472,576 a------- c:\windows\Radeon Omega Drivers v4.8.442 Uninstall.exe
2009-01-25 02:00 256 a------- c:\documents and settings\moonknight.moonsworld\pool.bin
2009-01-15 19:32 0 a------- c:\documents and settings\moonknight.moonsworld\OFXLOG.DAT
2008-12-06 13:33 60,744 a------- c:\documents and settings\moonknight.moonsworld\g2mdlhlpx.exe

============= FINISH: 20:58:41.20 ===============

Should also add that I cannot run any spyware removal tools at all as they run for a few seconds then crash. If you try to reopen after it states:

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

If you reinstall the program it will run once then crash and same issue.

Merged posts. ~ OB

Edited by Orange Blossom, 05 August 2009 - 11:18 PM.


#2 Baabiouz


Posted 06 August 2009 - 02:53 AM

Hello :thumbup2:

OTMoveIt3
  • Download OTMoveIt3 and save it to your desktop. Then run it.
  • Copy and paste the lines in the code box below into the input field at the bottom left corner:
    :processes
    explorer.exe
    
    :services
    cel90xbe
    
    :files
    C:\program files\Smart Virus Remover
    c:\docume~1\moonkn~1\locals~1\temp\cel90xbe.sys
    
    :commands
    [emptytemp]
    [start explorer]
    [reboot]
  • Now click the red button that says MoveIt!
  • To the right, the results show up. Copy and paste them all into a notepad file and post the notepad file in your next reply.
OTMoveIt will reboot your computer. You can save the report after rebooting.

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post the OTMoveIt report, Kaspersky results and a fresh DDS log back here :)

#3 MoonKnight


Posted 06 August 2009 - 11:02 PM

Ran OTMoveIt3 - rebooted.

Tried to run the Online scanner and it just crashes.

Here is the new DDS report.


DDS (Ver_09-07-30.01) - NTFSx86
Run by MoonKnight at 21:01:02.62 on Thu 08/06/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.298 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\AMD\PowerNow!\GemServ.exe
C:\Program Files\AMD\PowerNow!\gemback.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MoonKnight.MOONSWORLD\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.wowmb.net/
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Mirabilis ICQ] c:\progra~1\icq\ICQNet.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [combofix] c:\windows\system32\cf12433.exe /c c:\combofix\Combobatch.bat
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {A3A5A466-739D-4685-95EA-40123927F975} = 10.0.0.254,10.0.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: RadExeExt Class: {35b2861b-2b26-4691-9ff0-09083722c736} - c:\windows\system32\RadExe.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 atitray;atitray;c:\program files\radeon omega drivers\v4.8.442\ati tray tools\atitray.sys [2009-5-8 17952]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-19 335752]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-10-28 27784]
R1 gemwdm;AMD PowerNow! ™ Technology;c:\windows\system32\drivers\gemwdm.sys [2004-12-30 11456]
R1 SSHDRV65;SSHDRV65;c:\windows\system32\drivers\SSHDRV65.sys [2004-4-21 120320]
R1 SSHDRV76;SSHDRV76;c:\windows\system32\drivers\SSHDRV76.sys [2004-4-21 53760]
R1 SSHDRV77;SSHDRV77;c:\windows\system32\drivers\SSHDRV77.sys [2004-7-24 79360]
R1 SSHDRV85;SSHDRV85;c:\windows\system32\drivers\SSHDRV85.sys [2006-2-18 78848]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-19 298776]
R2 PStrip;PSTRIP;c:\windows\system32\drivers\pstrip.sys [2007-7-14 27992]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\moonkn~1\locals~1\temp\safe to delete 3_0_4_8\amdmsrio.sys --> c:\docume~1\moonkn~1\locals~1\temp\safe to delete 3_0_4_8\AMDMSRIO.sys [?]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys --> c:\windows\system32\drivers\BCGAME.SYS [?]
S3 bcgbus;Nostromo USB Device Driver;c:\windows\system32\drivers\bcgbus.sys --> c:\windows\system32\drivers\BCGBUS.SYS [?]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;c:\windows\system32\drivers\sustucam.sys [2006-4-12 38016]
S3 SUSTUCAP;Susteen USB Cable Port Driver;c:\windows\system32\drivers\sustucap.sys [2006-4-12 38016]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [2004-8-8 3968]

=============== Created Last 30 ================

2009-08-06 19:27 <DIR> --d----- C:\_OTM
2009-08-05 05:19 <DIR> --d----- C:\WINDOWS.0
2009-08-05 02:02 <DIR> a-dshr-- C:\cmdcons
2009-08-05 01:52 219,648 a------- c:\windows\PEV.exe
2009-08-05 01:52 161,792 a------- c:\windows\SWREG.exe
2009-08-05 01:52 98,816 a------- c:\windows\sed.exe
2009-08-05 01:52 389,120 a------- c:\windows\system32\CF12433.exe
2009-08-05 01:52 <DIR> --ds---- C:\ComboFix
2009-08-05 00:26 0 a------- c:\documents and settings\moonknight.moonsworld\settings.dat
2009-08-04 23:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-04 23:56 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-04 23:56 <DIR> --d----- c:\docume~1\moonkn~1.moo\applic~1\SUPERAntiSpyware.com
2009-08-04 23:46 <DIR> --d----- c:\windows\system32\CatRoot

==================== Find3M ====================

2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 06:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-03 10:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 10:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 10:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 10:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 10:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 10:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 10:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 10:09 1,985,536 a------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 10:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 10:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 10:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 10:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 04:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-07-02 03:12 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 02:59 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 07:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 07:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 12:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-11 22:11 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-01-25 02:00 256 a------- c:\documents and settings\moonknight.moonsworld\pool.bin
2009-01-15 19:32 0 a------- c:\documents and settings\moonknight.moonsworld\OFXLOG.DAT
2008-12-06 13:33 60,744 a------- c:\documents and settings\moonknight.moonsworld\g2mdlhlpx.exe

============= FINISH: 21:01:13.43 ===============

Also added the OTMoveIt3 report.

Edited by MoonKnight, 06 August 2009 - 11:04 PM.


#4 Baabiouz


Posted 06 August 2009 - 11:10 PM

Hello

Can you update and do full scan with Malwarebytes' Anti-Malware?

If you can do it, please post its results and a fresh HijackThis log here :thumbup2:

#5 MoonKnight


Posted 06 August 2009 - 11:27 PM

:thumbup2: Nope. Both crash within seconds of starting the scan. After running each of them I get the error that I received above -


Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

Also should add that my browser redirects me every time I click a link.

Edited by MoonKnight, 06 August 2009 - 11:29 PM.


#6 Baabiouz


Posted 06 August 2009 - 11:29 PM

Ok.

Let's try running Gmer.

Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.

Post Gmer log and a fresh HijackThis log back here.
If you can't run Gmer, try running HijackThis and post the log here :thumbup2:

#7 MoonKnight


Posted 07 August 2009 - 07:19 PM

Unable to run gmer. After almost 3 hours the program drops and I am unable to save the information. Still unable to run HijackThis also.

#8 MoonKnight


Posted 07 August 2009 - 09:36 PM

Was able to copy some of the data before the crash.

GMER 1.0.15.15011 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-07 17:43:51
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xF72F90B0]
SSDT sptd.sys ZwEnumerateKey [0xF72FE84C]
SSDT sptd.sys ZwEnumerateValueKey [0xF72FEBEC]
SSDT sptd.sys ZwOpenKey [0xF72F9090]
SSDT sptd.sys ZwQueryKey [0xF72FECC4]
SSDT sptd.sys ZwQueryValueKey [0xF72FEB44]
SSDT sptd.sys ZwSetValueKey [0xF72FED56]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2480 8082ACB8 4 Bytes CALL DC61A3EC
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F5A9D8AC 5 Bytes JMP 83D8A960
? System32\Drivers\a62jrhkf.SYS The system cannot find the path specified. !
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72F9ABA] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F72F9C00] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72F9B82] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72FA72E] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72FA604] sptd.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F730CB9A] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 83F641D8
Device \FileSystem\Fastfat \FatCdrom 8373B1D8
Device \Driver\usbstor \Device\0000009c 837C5980
Device \Driver\usbstor \Device\0000009c sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbstor \Device\0000009d 837C5980
Device \Driver\usbstor \Device\0000009d sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbstor \Device\0000009e 837C5980
Device \Driver\usbstor \Device\0000009e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbstor \Device\0000009f 837C5980
Device \Driver\usbstor \Device\0000009f sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbuhci \Device\USBPDO-0 83DB1980
Device \Driver\dmio \Device\DmControl\DmIoDaemon 83FD41D8
Device \Driver\dmio \Device\DmControl\DmConfig 83FD41D8
Device \Driver\dmio \Device\DmControl\DmPnP 83FD41D8
Device \Driver\dmio \Device\DmControl\DmInfo 83FD41D8
Device \Driver\usbuhci \Device\USBPDO-1 83DB1980
Device \Driver\usbuhci \Device\USBPDO-2 83DB1980
Device \Driver\usbehci \Device\USBPDO-3 83DA5980
Device \Driver\00000042 \Device\00000063 sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 83F661D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{A3A5A466-739D-4685-95EA-40123927F975} 838521D8
Device \Driver\Cdrom \Device\CdRom0 83E031D8
Device \Driver\Cdrom \Device\CdRom1 83E031D8
Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\NetBT \Device\NetBt_Wins_Export 838521D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{293F959A-F759-43A6-BDAD-DE0609DC7A97} 838521D8
Device \Driver\NetBT \Device\NetbiosSmb 838521D8
Device \Driver\usbuhci \Device\USBFDO-0 83DB1980
Device \Driver\usbuhci \Device\USBFDO-1 83DB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 837CF1D8
Device \Driver\usbuhci \Device\USBFDO-2 83DB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector 837CF1D8
Device \Driver\usbehci \Device\USBFDO-3 83DA5980
Device \Driver\Ftdisk \Device\FtControl 83F661D8
Device \Driver\a62jrhkf \Device\Scsi\a62jrhkf1 83DC91D8
Device \Driver\a62jrhkf \Device\Scsi\a62jrhkf1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\a62jrhkf \Device\Scsi\a62jrhkf1Port2Path0Target0Lun0 83DC91D8
Device \Driver\a62jrhkf \Device\Scsi\a62jrhkf1Port2Path0Target0Lun0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \FileSystem\Fastfat \Fat 8373B1D8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 837D4980
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\A8DCAC18.x86.dll (*** hidden *** ) @ C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe [432] 0x35670000
Library \\?\globalroot\Device\__max++>\A8DCAC18.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [844] 0x35670000
Library \\?\globalroot\Device\__max++>\A8DCAC18.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [1012] 0x35670000
Library \\?\globalroot\Device\__max++>\A8DCAC18.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1376] 0x35670000
Library \\?\globalroot\Device\__max++>\A8DCAC18.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1556] 0x35670000
Library \\?\globalroot\Device\__max++>\A8DCAC18.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1620] 0x35670000
Library \\?\globalroot\Device\__max++>\A8DCAC18.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1812] 0x35670000
Library \\?\globalroot\Device\__max++>\A8DCAC18.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2436] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x35 0x65 0x41 0x1F ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x01 0x11 0x0C 0xC1 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x1B 0xAD 0x83 0x97 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x26 0x32 0x5F 0xA0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x01 0x11 0x0C 0xC1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x28 0xD0 0x18 0x97 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x26 0x32 0x5F 0xA0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x01 0x11 0x0C 0xC1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x28 0xD0 0x18 0x97 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x35 0x65 0x41 0x1F ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x01 0x11 0x0C 0xC1 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x1B 0xAD 0x83 0x97 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1279824592
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 1477726179
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x35 0x65 0x41 0x1F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x01 0x11 0x0C 0xC1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x1B 0xAD 0x83 0x97 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Classes\CLSID\{188C7B14-02ED-BE63-7A31-CE75523FF1FB}\InprocServer32@ C:\Program Files\Common Files\Microsoft Shared\DAO\dao360.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{188C7B14-02ED-BE63-7A31-CE75523FF1FB}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{188C7B14-02ED-BE63-7A31-CE75523FF1FB}\InprocServer32@RuntimeVersion v1.0.3705
Reg HKLM\SOFTWARE\Classes\CLSID\{188C7B14-02ED-BE63-7A31-CE75523FF1FB}\InprocServer32@Class dao.UserClass
Reg HKLM\SOFTWARE\Classes\CLSID\{188C7B14-02ED-BE63-7A31-CE75523FF1FB}\InprocServer32@Assembly dao, Version=10.0.4504.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
Reg HKLM\SOFTWARE\Classes\CLSID\{188C7B14-02ED-BE63-7A31-CE75523FF1FB}\ProgID@ DAO.User.36
Reg HKLM\SOFTWARE\Classes\CLSID\{46B0219A-C6D0-21D1-5516-8D72250DA2A7}\InprocServer32@Assembly Microsoft.Vbe.Interop, Version=11.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c
Reg HKLM\SOFTWARE\Classes\CLSID\{46B0219A-C6D0-21D1-5516-8D72250DA2A7}\InprocServer32@Class Microsoft.Vbe.Interop.VBProjectsClass
Reg HKLM\SOFTWARE\Classes\CLSID\{46B0219A-C6D0-21D1-5516-8D72250DA2A7}\InprocServer32@RuntimeVersion v1.1.4322
Reg HKLM\SOFTWARE\Classes\CLSID\{46B0219A-C6D0-21D1-5516-8D72250DA2A7}\InprocServer32\11.0.0.0
Reg HKLM\SOFTWARE\Classes\CLSID\{46B0219A-C6D0-21D1-5516-8D72250DA2A7}\InprocServer32\11.0.0.0@Class Microsoft.Vbe.Interop.VBProjectsClass
Reg HKLM\SOFTWARE\Classes\CLSID\{46B0219A-C6D0-21D1-5516-8D72250DA2A7}\InprocServer32\11.0.0.0@RuntimeVersion v1.1.4322
Reg HKLM\SOFTWARE\Classes\CLSID\{46B0219A-C6D0-21D1-5516-8D72250DA2A7}\InprocServer32\11.0.0.0@Assembly Microsoft.Vbe.Interop, Version=11.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c
Reg HKLM\SOFTWARE\Classes\CLSID\{B96D6426-036D-EAC7-AAC5-717F05FE051E}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{B96D6426-036D-EAC7-AAC5-717F05FE051E}\InprocServer32@ C:\PROGRA~1\MICROS~4\OFFICE11\OUTLCTL.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{B96D6426-036D-EAC7-AAC5-717F05FE051E}\InprocServer32@Assembly Microsoft.Office.Interop.OutlookViewCtl, Version=11.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c
Reg HKLM\SOFTWARE\Classes\CLSID\{B96D6426-036D-EAC7-AAC5-717F05FE051E}\InprocServer32@RuntimeVersion v1.1.4322
Reg HKLM\SOFTWARE\Classes\CLSID\{B96D6426-036D-EAC7-AAC5-717F05FE051E}\InprocServer32@Class Microsoft.Office.Interop.OutlookViewCtl.DataCtlClass
Reg HKLM\SOFTWARE\Classes\CLSID\{B96D6426-036D-EAC7-AAC5-717F05FE051E}\InprocServer32\11.0.0.0
Reg HKLM\SOFTWARE\Classes\CLSID\{B96D6426-036D-EAC7-AAC5-717F05FE051E}\InprocServer32\11.0.0.0@Class Microsoft.Office.Interop.OutlookViewCtl.DataCtlClass
Reg HKLM\SOFTWARE\Classes\CLSID\{B96D6426-036D-EAC7-AAC5-717F05FE051E}\InprocServer32\11.0.0.0@Assembly Microsoft.Office.Interop.OutlookViewCtl, Version=11.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c
Reg HKLM\SOFTWARE\Classes\CLSID\{B96D6426-036D-EAC7-AAC5-717F05FE051E}\InprocServer32\11.0.0.0@RuntimeVersion v1.1.4322
Reg HKLM\SOFTWARE\Classes\CLSID\{B96D6426-036D-EAC7-AAC5-717F05FE051E}\ProgID@ DataCtl.DataCtl.1
Reg HKLM\SOFTWARE\Classes\CLSID\{B96D6426-036D-EAC7-AAC5-717F05FE051E}\VersionIndependentProgID@ DataCtl.DataCtl
Reg HKLM\SOFTWARE\Classes\CLSID\{DADD8BC9-8F67-1A11-D9C5-8903FBDDA8D3}\Control@
Reg HKLM\SOFTWARE\Classes\CLSID\{DADD8BC9-8F67-1A11-D9C5-8903FBDDA8D3}\Implemented Categories@
Reg HKLM\SOFTWARE\Classes\CLSID\{DADD8BC9-8F67-1A11-D9C5-8903FBDDA8D3}\Implemented Categories\{F2BB56D1-DB07-11D1-AA6B-006097DB9539}
Reg HKLM\SOFTWARE\Classes\CLSID\{DADD8BC9-8F67-1A11-D9C5-8903FBDDA8D3}\Implemented Categories\{F2BB56D1-DB07-11D1-AA6B-006097DB9539}@
Reg HKLM\SOFTWARE\Classes\CLSID\{DADD8BC9-8F67-1A11-D9C5-8903FBDDA8D3}\InprocServer32@ C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DADD8BC9-8F67-1A11-D9C5-8903FBDDA8D3}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DADD8BC9-8F67-1A11-D9C5-8903FBDDA8D3}\MiscStatus@ 0
Reg HKLM\SOFTWARE\Classes\CLSID\{DADD8BC9-8F67-1A11-D9C5-8903FBDDA8D3}\MiscStatus\1
Reg HKLM\SOFTWARE\Classes\CLSID\{DADD8BC9-8F67-1A11-D9C5-8903FBDDA8D3}\MiscStatus\1@ 131473
Reg HKLM\SOFTWARE\Classes\CLSID\{DADD8BC9-8F67-1A11-D9C5-8903FBDDA8D3}\ProgID@ OWC10.Spreadsheet.10
Reg HKLM\SOFTWARE\Classes\CLSID\{DADD8BC9-8F67-1A11-D9C5-8903FBDDA8D3}\Programmable@
Reg HKLM\SOFTWARE\Classes\CLSID\{DADD8BC9-8F67-1A11-D9C5-8903FBDDA8D3}\ToolboxBitmap32@ C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL, 1003
Reg HKLM\SOFTWARE\Classes\CLSID\{DADD8BC9-8F67-1A11-D9C5-8903FBDDA8D3}\TypeLib@ {0002E550-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\CLSID\{DADD8BC9-8F67-1A11-D9C5-8903FBDDA8D3}\Verb@
Reg HKLM\SOFTWARE\Classes\CLSID\{DADD8BC9-8F67-1A11-D9C5-8903FBDDA8D3}\Verb\1
Reg HKLM\SOFTWARE\Classes\CLSID\{DADD8BC9-8F67-1A11-D9C5-8903FBDDA8D3}\Verb\1@ &Show,0,2
Reg HKLM\SOFTWARE\Classes\CLSID\{DADD8BC9-8F67-1A11-D9C5-8903FBDDA8D3}\Verb\2
Reg HKLM\SOFTWARE\Classes\CLSID\{DADD8BC9-8F67-1A11-D9C5-8903FBDDA8D3}\Verb\2@ &Edit,0,2
Reg HKLM\SOFTWARE\Classes\CLSID\{DADD8BC9-8F67-1A11-D9C5-8903FBDDA8D3}\Version@ 1.1
Reg HKLM\SOFTWARE\Classes\CLSID\{DADD8BC9-8F67-1A11-D9C5-8903FBDDA8D3}\VersionIndependentProgID@ OWC10.Spreadsheet
Reg HKLM\SOFTWARE\Classes\Install.Install\CLSID@ {205FF73B-CA67-11D5-99DD-444553540011}
Reg HKLM\SOFTWARE\Classes\Install.Install\CurVer@ Install.Install.1
Reg HKLM\SOFTWARE\Classes\Install.Install.1\CLSID@ {205FF73B-CA67-11D5-99DD-444553540011}

Sorry, I can't get any more... everything freaks out after it crashes.
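The hidden-library entries in the GMER log above are the central finding of this thread, and reading them by hand across many processes is error-prone. As an added example (not from the thread, and not GMER's own code), here is a small Python parser for GMER 1.0.15 "Library" lines that groups hidden modules loaded from a device-namespace path by the processes they were injected into and checks whether they share a load address. The sample log embedded in the block is constructed from lines of the shape shown above; the kernel32.dll line is a constructed, non-hidden entry included for contrast.

```python
import re
from collections import defaultdict

# Matches GMER 1.0.15 "Library" process entries, e.g.
# Library \\?\globalroot\Device\__max++>\A8DCAC18.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [1012] 0x35670000
# The flags group "(*** hidden *** )" is optional; the process path may contain spaces.
LIBRARY_RE = re.compile(
    r"^Library\s+(?P<module>\S+)\s+(?:\((?P<flags>[^)]*)\)\s+)?@\s+"
    r"(?P<process>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)\s*$"
)

# Constructed sample in the format of the GMER log above; the kernel32.dll
# line is a made-up, non-hidden entry so the filter has something to ignore.
SAMPLE_GMER_LOG = r"""
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\A8DCAC18.x86.dll (*** hidden *** ) @ C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe [432] 0x35670000
Library \\?\globalroot\Device\__max++>\A8DCAC18.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [1012] 0x35670000
Library \\?\globalroot\Device\__max++>\A8DCAC18.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1812] 0x35670000
Library C:\WINDOWS\system32\kernel32.dll @ C:\WINDOWS\system32\winlogon.exe [1012] 0x7C800000
""".splitlines()


def parse_library_lines(lines):
    """Return one dict per parsable 'Library' line; other lines are skipped."""
    entries = []
    for line in lines:
        m = LIBRARY_RE.match(line.strip())
        if not m:
            continue
        flags = m.group("flags") or ""
        entries.append({
            "module": m.group("module"),
            "hidden": "hidden" in flags,
            "process": m.group("process"),
            "pid": int(m.group("pid")),
            "base": int(m.group("base"), 16),
        })
    return entries


def module_is_suspect(module_path):
    """A module mapped from the raw device namespace instead of a drive letter,
    which is how the hidden module in the log above presents."""
    return module_path.lower().startswith("\\\\?\\globalroot\\device\\")


def summarize_hidden_modules(lines):
    """Group hidden or device-namespace modules by the processes hosting them."""
    by_module = defaultdict(list)
    for e in parse_library_lines(lines):
        if e["hidden"] or module_is_suspect(e["module"]):
            by_module[e["module"]].append((e["process"], e["pid"], e["base"]))
    return dict(by_module)


def shared_load_base(hosts):
    """True when every host maps the module at the same address, a common tell
    of one injected image rather than independent loads."""
    return len({base for _, _, base in hosts}) == 1


if __name__ == "__main__":
    for module, hosts in summarize_hidden_modules(SAMPLE_GMER_LOG).items():
        print(module, "shared base:", shared_load_base(hosts))
        for process, pid, base in hosts:
            print(f"  {process} [{pid}] 0x{base:08X}")
```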

#9 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:09 AM

Posted 08 August 2009 - 02:28 AM

Hello

Run gmer.exe
Click the tab called Processes and click the Safe... button. The computer will reboot and the Gmer screen will open.
Click Files... and browse to the following file:
globalroot\Device\__max++>\A8DCAC18.x86.dll
Now click Delete

Reboot your computer.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Install Recovery Console and Run ComboFix
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Please post Combofix log and a fresh Gmer log back here :thumbup2:

#10 MoonKnight

MoonKnight
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 08 August 2009 - 02:28 PM

Run gmer.exe
Click the tab called Processes and click the Safe... button. The computer will reboot and the Gmer screen will open.
Click Files... and browse to the following file:
globalroot\Device\__max++>\A8DCAC18.x86.dll
Now click Delete


The Processes Tab does not have a Safe button.

Under files I do not see anything that says "globalroot\Device\__max++>\A8DCAC18.x86.dll". I am unable to see anything that says globalroot at all.

#11 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:09 AM

Posted 08 August 2009 - 02:28 PM

Ok. You can jump over that part of instructions. :thumbup2:

Edited by Baabiouz, 08 August 2009 - 02:28 PM.


#12 MoonKnight

MoonKnight
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 08 August 2009 - 02:34 PM

Combofix comes up. Goes through the first little window then never starts. You see the little combofix box start and then nothing. Watched in Task Manager as the file started.

Had renamed the file so saw the exe file start then n.pif started then they both dropped and nothing.

Acts just like HiJack and Malwarebytes programs did.

Edited by MoonKnight, 08 August 2009 - 02:35 PM.


#13 MoonKnight

MoonKnight
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 08 August 2009 - 07:21 PM

Any other suggestions at this point? Seems that all or most of the tools are unable to remove it. Could use another step to take as it is still not working.

#14 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:09 AM

Posted 08 August 2009 - 11:46 PM

Hello

Let's try running Combo-fix in safe mode with command prompt.

First move Combo-fix.exe to your C drive. (C:\Combo-fix.exe)

Reboot and just before the Windows XP splash screen shown above appears, press the F8 key to enter the Windows Advanced Options Menu. Select Safe mode with command prompt.

When you are in safe mode with command prompt, first type in:
cd/
and press enter.

Then type in:
Combo-fix.exe
and press enter.

Now Combofix should start. Follow the prompts and if Combofix reboots your computer, remember reboot back to Safe mode with command prompt so Combofix can finish.
After running Combofix, reboot your computer normally and post Combofix log C:\Combofix.txt here :thumbup2:

Edited by Baabiouz, 08 August 2009 - 11:47 PM.


#15 MoonKnight

MoonKnight
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 09 August 2009 - 11:03 PM

Nope. Same thing. Seems like all the software has been stopped from running as they all fail within a few seconds.

Edited by MoonKnight, 09 August 2009 - 11:06 PM.