Help with cliccker.cn redirect please (programs not loading)


  • This topic is locked
14 replies to this topic

#1 lucasbuck

  • Members
  • 10 posts
  • OFFLINE
  • Local time: 02:54 AM

Posted 16 August 2009 - 03:31 PM

UPDATE: I ran Sophos Rootkit repair and found some reg keys and files that were vsfoce ones. I deleted the files, but I couldn't get rid of the reg keys because they are hidden. Isn't there supposed to be a tools drop-down in regedit with folder options? I read where it may have been removed by the rootkit. When I restarted, Windows went through a drive check (like when you don't shut down properly) and said the volume was dirty.

Needing help with the cliccker.cn redirect. Some notes:
- Running XP media edition on a laptop
- Redirects google and yahoo searches through Firefox
- IE hasn't worked in a long time, so I never use it (i.e. type in google.com and it does this: http://www.daemon-search.com/search?q=google.com)
I'm assuming the cliccker.cn doesn't have anything to do with that one, since it's been like that awhile.
- Hijackthis scans briefly, quits, then won't run again until reinstalled. Even changes the icon.
- Can't run combofix. Tried it every which way. Progress bar starts, fills, quits.
- Malwarebytes won't work. If you install fresh, it starts, begins a few seconds of a scan, then quits. Then something changes and you can't run it at all. Have to reinstall to get anything going. Changes icon after running.
- Ran vundofix with nothing found
- Tried malwarebytes and combofix in safe mode with no change
- Ran AVZ set to heal. Found stuff, but no change.

- I was able to run DSS. Report below, and attachment attached.
- I ran GMER, and posted below. (Note: it did give me this when I loaded it)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\vsfocerilrmhsn.sys (*** hidden *** ) [SYSTEM] vsfoceilmkvdyi <-- ROOTKIT !!!


This computer is a wreck, I appreciate any help.

--------DSS

DDS (Ver_09-07-30.01) - NTFSx86
Run by User at 15:43:35.62 on Sun 08/16/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.752 [GMT -4:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\mine\PROGRA~1\AVG8\avgwdsvc.exe
C:\mine\PROGRA~1\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\mine\PROGRA~1\AVG8\avgam.exe
C:\mine\PROGRA~1\AVG8\avgrsx.exe
C:\mine\PROGRA~1\AVG8\avgnsx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\mine\PROGRA~1\AVG8\avgtray.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\mine\program files\applications\DAEMON Tools\daemon.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Palm\Hotsync.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE
C:\mine\program files\AVG8\avgcsrvx.exe
C:\Documents and Settings\User\Desktop\dds\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Bar =
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070109
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
mWinlogon: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
mWinlogon: Taskman=c:\recycler\s-1-5-21-1032111925-1151151513-412665214-1260\msimfo32.exe
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [DAEMON Tools Pro Agent] "c:\mine\program files\applications\daemon tools pro\DTProAgent.exe"
uRun: [DAEMON Tools] "c:\mine\program files\applications\daemon tools\daemon.exe" -lang 1033
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [Steam] "c:\mine\program files\games\steam\Steam.exe" -silent
uRun: [<NO NAME>] c:\docume~1\user\locals~1\temp\ewp4dtds5.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
mRun: [QuickTime Task] "c:\program files\quicktime alternative\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\mine\progra~1\avg8\avgtray.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\mine\program files\applications\malwarebytes\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
IE: &Download All with FlashGet - c:\mine\program files\applications\internet\flashget\jc_all.htm
IE: &Download with FlashGet - c:\mine\program files\applications\internet\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\mine\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\mine\program files\applications\internet\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.3.102.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195519457687
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195519427578
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\mine\program files\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: csbdll - csbdll.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\hs7f3uhduhfukde.dll: {bd56a320-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\hs7f3uhduhfukde.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\7v7rwb7r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - component: c:\mine\program files\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\google\google updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R0 avgrkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-8-16 12552]
R1 avgldx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-16 335240]
R1 avgmfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-16 27784]
R1 avgtdix;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-16 108552]
R2 avg8wd;AVG8 WatchDog;c:\mine\progra~1\avg8\avgwdsvc.exe [2009-8-16 297752]
R2 avgfws8;AVG8 Firewall;c:\mine\progra~1\avg8\avgfws8.exe [2009-8-16 1370488]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-9-25 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2006-9-25 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-9-25 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-9-25 566872]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
R3 avgfwdx;avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-8-16 29208]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-9-25 280392]
S1 a0db9e4d;a0db9e4d;c:\windows\system32\drivers\a0db9e4d.sys [2009-8-16 0]
S1 c4119ec4;c4119ec4;c:\windows\system32\drivers\c4119ec4.sys [2009-4-29 0]
S2 gupdate1c9f071daa0e81e;Google Update Service (gupdate1c9f071daa0e81e);c:\program files\google\update\GoogleUpdate.exe [2009-6-18 133104]
S3 avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-8-16 29208]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-12-23 50704]

=============== Created Last 30 ================

2009-08-16 14:35 388,608 a------- c:\windows\system32\CF19002.exe
2009-08-16 14:34 388,608 a------- c:\windows\system32\CF18950.exe
2009-08-16 14:25 <DIR> --d----- C:\VundoFix Backups
2009-08-16 12:07 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-08-16 11:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Downloaded Installations
2009-08-16 11:55 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-16 11:55 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-16 11:55 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-08-16 11:55 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-16 11:55 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-08-16 11:54 50,968 a------- c:\windows\system32\avgfwdx.dll
2009-08-16 11:54 29,208 a------- c:\windows\system32\drivers\avgfwdx.sys
2009-08-16 11:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-16 11:54 <DIR> --dsh--- c:\windows\Installer
2009-08-16 11:50 <DIR> --d----- c:\docume~1\user\applic~1\AVG8
2009-08-16 10:22 24,576 a------- c:\windows\system32\tapi.nfo
2009-08-16 10:21 0 a------- c:\windows\system32\drivers\a0db9e4d.sys
2009-08-16 10:21 36,352 a------- c:\windows\system32\csbdll.dll
2009-08-16 10:21 162,816 a------- C:\vcsodprv.exe
2009-08-16 10:21 121,344 a------- C:\jgwyq.exe
2009-08-16 10:21 104,448 a------- C:\cgmcs.exe
2009-08-16 10:06 3,140 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-08-16 10:06 8 ---shr-- c:\docume~1\alluse~1\applic~1\3367F36434.sys
2009-08-16 10:02 <DIR> --d----- c:\program files\common files\Corel
2009-08-16 10:02 <DIR> --d----- c:\program files\common files\Protexis
2009-08-16 10:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Corel
2009-08-14 19:09 <DIR> --d----- c:\docume~1\user\applic~1\Ascaron Entertainment
2009-08-07 20:17 <DIR> --d----- c:\docume~1\user\applic~1\Ubisoft
2009-08-05 17:04 413,696 a------- c:\windows\system32\wrap_oal.dll
2009-08-05 17:04 <DIR> --d----- c:\program files\OpenAL
2009-08-05 16:59 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-08-05 16:59 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-08-05 16:59 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-08-05 16:59 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-08-05 16:59 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-08-05 16:59 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-08-05 16:59 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-08-05 16:52 <DIR> --d----- c:\program files\Traction Software
2009-08-04 11:19 <DIR> --d----- c:\program files\GOG.com
2009-08-03 23:15 <DIR> --d----- c:\docume~1\user\applic~1\com.gog.downloader.87F90EC6C28C7E479115BE2E026DB87A08BC420D.1
2009-08-03 23:15 <DIR> --d----- c:\program files\GOG.com Downloader
2009-08-01 16:50 <DIR> --d----- c:\documents and settings\user\Logitech
2009-08-01 16:49 <DIR> --d----- c:\program files\common files\Remote Control Software Common
2009-08-01 16:49 <DIR> --d----- c:\program files\common files\Remote Control USB Driver
2009-07-28 16:50 10,752 a------- c:\windows\system32\icash.exe
2009-07-21 07:30 <DIR> --d----- c:\docume~1\user\applic~1\IDM

==================== Find3M ====================

2009-08-16 13:33 52,809 a------- c:\windows\system32\nvModes.dat
2009-08-06 23:09 281,760 a------- c:\windows\system32\drivers\atksgt.sys
2009-08-06 23:09 25,888 a------- c:\windows\system32\drivers\lirsgt.sys
2009-08-05 17:04 110,592 a------- c:\windows\system32\OpenAL32.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-06 03:12 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-03-31 19:29 9 a------- c:\docume~1\alluse~1\applic~1\PM.dat
2009-02-20 18:26 87,608 a------- c:\docume~1\user\applic~1\inst.exe
2009-02-20 18:26 47,360 a------- c:\docume~1\user\applic~1\pcouffin.sys
2008-08-04 08:20 1,056 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 15:45:10.84 ===============

-------------------------------------------------------------------------------------------------------------------------------------
------- GMER

GMER 1.0.15.15020 [875blq8o.exe] - http://www.gmer.net
Rootkit scan 2009-08-16 18:04:35
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 8A4271B0 ZwEnumerateKey
Code 8A4581B0 ZwFlushInstructionCache
Code 8A426216 ZwSaveKey
Code 8A3DFC36 ZwSaveKeyEx
Code 8A588526 IofCallDriver
Code 8A570D1E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A0 5 Bytes JMP 8A58852B
.text ntkrnlpa.exe!IofCompleteRequest 804EF230 5 Bytes JMP 8A570D23
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B5642 5 Bytes JMP 8A4581B4
PAGE ntkrnlpa.exe!ZwSaveKey 80620A4A 5 Bytes JMP 8A42621A
PAGE ntkrnlpa.exe!ZwSaveKeyEx 80620ADA 5 Bytes JMP 8A3DFC3A
PAGE ntkrnlpa.exe!ZwEnumerateKey 80622DE0 5 Bytes JMP 8A4271B4
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B96FC68E 5 Bytes JMP 8A4DB1C8
? System32\Drivers\a2nqajah.SYS The system cannot find the path specified. !
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Bonjour\mDNSResponder.exe[164] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[164] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[164] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe[212] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0068000A
.text C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe[352] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 003B000A
.text C:\Program Files\NetWaiting\netWaiting.exe[360] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 00FA000A
.text C:\mine\program files\applications\DAEMON Tools\daemon.exe[408] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 003D000A
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[412] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 003C000A
.text ...
.text C:\WINDOWS\system32\winlogon.exe[524] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\winlogon.exe[524] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\winlogon.exe[524] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\services.exe[576] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0064000A
.text C:\WINDOWS\system32\CTsvcCDA.exe[672] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0067000A
.text C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe[748] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe[748] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe[748] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[864] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[864] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[864] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[968] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[968] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[968] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1040] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1040] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1040] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1224] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1224] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1224] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\mine\PROGRA~1\AVG8\avgtray.exe[1276] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0107000A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1300] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0066000A
.text C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe[1336] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0068000A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1372] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 00A5000A
.text C:\WINDOWS\Explorer.exe[1416] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\Explorer.exe[1416] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\Explorer.exe[1416] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1456] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 00A2000A
.text C:\mine\PROGRA~1\AVG8\avgrsx.exe[1488] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0070000A
.text C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe[1504] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 003E000A
.text C:\mine\PROGRA~1\AVG8\avgfws8.exe[1536] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0084000A
.text C:\mine\PROGRA~1\AVG8\avgam.exe[1568] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0075000A
.text C:\mine\PROGRA~1\AVG8\avgwdsvc.exe[1576] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\mine\PROGRA~1\AVG8\avgwdsvc.exe[1576] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\mine\PROGRA~1\AVG8\avgwdsvc.exe[1576] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[1724] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 006A000A
.text C:\WINDOWS\system32\svchost.exe[1772] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1772] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1772] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\mine\PROGRA~1\AVG8\avgnsx.exe[1800] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\mine\PROGRA~1\AVG8\avgnsx.exe[1800] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\mine\PROGRA~1\AVG8\avgnsx.exe[1800] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\System32\SCardSvr.exe[1844] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0064000A
.text C:\WINDOWS\system32\spoolsv.exe[1852] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\spoolsv.exe[1852] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\spoolsv.exe[1852] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1960] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1960] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1960] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\eHome\ehRecvr.exe[1976] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 005E000A
.text C:\WINDOWS\eHome\ehSched.exe[2052] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\eHome\ehSched.exe[2052] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\eHome\ehSched.exe[2052] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe[2296] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe[2296] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe[2296] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\ehome\ehtray.exe[2444] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 003E000A
.text C:\Program Files\Google\Update\GoogleUpdate.exe[2592] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 006A000A
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[2860] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 003D000A
.text C:\WINDOWS\system32\rundll32.exe[2896] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 00F1000A
.text C:\WINDOWS\system32\rundll32.exe[2976] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 00F1000A
.text ...
.text C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe[3140] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe[3140] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe[3140] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[3200] ntdll.dll!LdrLoadDll 7C915CD3 3 Bytes JMP 0092000A
.text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[3200] ntdll.dll!LdrLoadDll + 4 7C915CD7 1 Byte [84]
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3220] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0107000A
.text C:\Program Files\Creative\VoiceCenter\AndreaVC.exe[3244] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 00F7000A
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[3248] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 00D5000A
.text ...
.text C:\Program Files\Palm\Hotsync.exe[3748] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\Program Files\Palm\Hotsync.exe[3748] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\Program Files\Palm\Hotsync.exe[3748] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\ehome\mcrdsvc.exe[3892] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\ehome\mcrdsvc.exe[3892] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\ehome\mcrdsvc.exe[3892] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[3908] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[3908] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[3908] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[4004] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0065000A
.text C:\WINDOWS\system32\svchost.exe[4788] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[4788] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[4788] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\eHome\ehmsas.exe[5204] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 00D8000A
.text C:\WINDOWS\system32\dllhost.exe[5620] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0064000A
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[5668] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 00E5000A
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[5668] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 5 Bytes JMP 3260531D C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\WINDOWS\System32\alg.exe[5708] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\System32\alg.exe[5708] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\System32\alg.exe[5708] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[5716] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 00FA000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[5776] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0076000A
.text C:\mine\program files\AVG8\avgcsrvx.exe[5796] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 003A000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EBEAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EBEC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EBEB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EBF748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EBF61E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9ED429A] sptd.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Bonjour\mDNSResponder.exe[164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\Program Files\Bonjour\mDNSResponder.exe[164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\system32\winlogon.exe[524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\system32\winlogon.exe[524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe[748] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe[748] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[864] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[864] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[968] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[968] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1040] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1040] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1224] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1224] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\Explorer.exe[1416] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\Explorer.exe[1416] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\mine\PROGRA~1\AVG8\avgwdsvc.exe[1576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\mine\PROGRA~1\AVG8\avgwdsvc.exe[1576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1772] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1772] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\mine\PROGRA~1\AVG8\avgnsx.exe[1800] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\mine\PROGRA~1\AVG8\avgnsx.exe[1800] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[1852] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[1852] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\eHome\ehSched.exe[2052] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\eHome\ehSched.exe[2052] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe[2296] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe[2296] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe[3140] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe[3140] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\Program Files\Palm\Hotsync.exe[3748] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\Program Files\Palm\Hotsync.exe[3748] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\ehome\mcrdsvc.exe[3892] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\ehome\mcrdsvc.exe[3892] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[3908] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[3908] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[4788] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[4788] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\System32\alg.exe[5708] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
IAT C:\WINDOWS\System32\alg.exe[5708] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A6181E8

AttachedDevice \FileSystem\Ntfs \Ntfs tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)

Device \FileSystem\Fastfat \FatCdrom 8975B790

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 8A57E568
Device \Driver\usbuhci \Device\USBPDO-1 8A57E568
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A68B1E8
Device \Driver\dmio \Device\DmControl\DmConfig 8A68B1E8
Device \Driver\dmio \Device\DmControl\DmPnP 8A68B1E8
Device \Driver\dmio \Device\DmControl\DmInfo 8A68B1E8
Device \Driver\usbuhci \Device\USBPDO-2 8A57E568
Device \Driver\usbuhci \Device\USBPDO-3 8A57E568
Device \Driver\usbehci \Device\USBPDO-4 8A5681E8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A61A1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A61A1E8
Device \Driver\Cdrom \Device\CdRom0 8A46E410
Device \Driver\atapi \Device\Ide\IdePort0 8A6191E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8A6191E8
Device \Driver\atapi \Device\Ide\IdePort1 8A6191E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8A6191E8
Device \Driver\Ftdisk \Device\HarddiskVolume4 8A61A1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{E0C28588-3295-4BBD-BA6A-C4CAA270C56B} 896951E8
Device \Driver\Ftdisk \Device\HarddiskVolume5 8A61A1E8
Device \Driver\USBSTOR \Device\000000a7 896A6410
Device \Driver\USBSTOR \Device\000000a9 896A6410
Device \Driver\NetBT \Device\NetBt_Wins_Export 896951E8
Device \Driver\NetBT \Device\NetbiosSmb 896951E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{3DD29E40-74A4-4046-9789-5B393E33EC4D} 896951E8

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 8A57E568
Device \Driver\PCI_NTPNP7814 \Device\0000006c sptd.sys
Device \Driver\usbuhci \Device\USBFDO-1 8A57E568
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89677790
Device \Driver\usbuhci \Device\USBFDO-2 8A57E568
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89677790
Device \Driver\usbuhci \Device\USBFDO-3 8A57E568
Device \Driver\usbehci \Device\USBFDO-4 8A5681E8
Device \Driver\Ftdisk \Device\FtControl 8A61A1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{32973BDA-35C0-48F3-AA2D-0467124C15BD} 896951E8
Device \Driver\a2nqajah \Device\Scsi\a2nqajah1Port2Path0Target0Lun0 8A4585F0
Device \Driver\a2nqajah \Device\Scsi\a2nqajah1 8A4585F0
Device \FileSystem\Fastfat \Fat 8975B790

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)

Device \FileSystem\Cdfs \Cdfs 891241E8
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [164] 0x35670000
Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [524] 0x35670000
Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe [748] 0x35670000
Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [864] 0x35670000
Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [968] 0x35670000
Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1040] 0x35670000
Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1224] 0x35670000
Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [1416] 0x35670000
Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\mine\PROGRA~1\AVG8\avgwdsvc.exe [1576] 0x35670000
Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1772] 0x35670000
Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\mine\PROGRA~1\AVG8\avgnsx.exe [1800] 0x35670000
Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1852] 0x35670000
Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1960] 0x35670000
Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\WINDOWS\eHome\ehSched.exe [2052] 0x35670000
Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe [2296] 0x35670000
Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe [3140] 0x35670000
Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\Program Files\Palm\Hotsync.exe [3748] 0x35670000
Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\WINDOWS\ehome\mcrdsvc.exe [3892] 0x35670000
Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [3908] 0x35670000
Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [4788] 0x35670000
Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [5708] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\vsfocerilrmhsn.sys (*** hidden *** ) [SYSTEM] vsfoceilmkvdyi <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE8 0x9F 0x33 0x49 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\mine\program files\applications\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD1 0xBE 0x8A 0x43 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x50 0xEE 0x9A 0xFB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\mine\program files\applications\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x21 0xC6 0x63 0x1C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3C 0x53 0x2D 0xD6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9B 0x53 0x48 0xCD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceilmkvdyi
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceilmkvdyi@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceilmkvdyi@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceilmkvdyi@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceilmkvdyi@imagepath \systemroot\system32\drivers\vsfocerilrmhsn.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceilmkvdyi\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceilmkvdyi\modules@vsfocerk.sys \systemroot\system32\drivers\vsfocerilrmhsn.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceilmkvdyi\modules@vsfoce.dat \systemroot\system32\vsfoceibqaiqcj.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfoceilmkvdyi\modules@vsfocelog.dat \systemroot\system32\vsfocexjctloul.dat
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE8 0x9F 0x33 0x49 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\mine\program files\applications\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD1 0xBE 0x8A 0x43 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x50 0xEE 0x9A 0xFB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\mine\program files\applications\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x21 0xC6 0x63 0x1C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3C 0x53 0x2D 0xD6 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9B 0x53 0x48 0xCD ...
Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceilmkvdyi (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceilmkvdyi@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceilmkvdyi@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceilmkvdyi@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceilmkvdyi@imagepath \systemroot\system32\drivers\vsfocerilrmhsn.sys
Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceilmkvdyi\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceilmkvdyi\main@aid 10099
Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceilmkvdyi\main@sid 3
Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceilmkvdyi\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceilmkvdyi\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceilmkvdyi\main\injector@* vsfocewsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceilmkvdyi\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceilmkvdyi\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceilmkvdyi\modules@vsfocerk.sys \systemroot\system32\drivers\vsfocerilrmhsn.sys
Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceilmkvdyi\modules@vsfocecmd.dll \systemroot\system32\vsfoceoxvxlktu.dll
Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceilmkvdyi\modules@vsfocelog.dat \systemroot\system32\vsfoceirrntydu.dat
Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceilmkvdyi\modules@vsfocewsp.dll \systemroot\system32\vsfocewprrskba.dll
Reg HKLM\SYSTEM\ControlSet003\Services\vsfoceilmkvdyi\modules@vsfoce.dat \systemroot\system32\vsfoceiyxduynm.dat
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0x58 0x92 0xEF 0x89 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{67867c05-4985-4cc3-9ea8-eb31c07ff2cc}@Model 289
Reg HKLM\SOFTWARE\Classes\CLSID\{67867c05-4985-4cc3-9ea8-eb31c07ff2cc}@Therad 31
Reg HKLM\SOFTWARE\Classes\CLSID\{67867c05-4985-4cc3-9ea8-eb31c07ff2cc}@MData 0x2B 0x8F 0x78 0x29 ...

---- EOF - GMER 1.0.15 ----



Edited by lucasbuck, 17 August 2009 - 06:39 AM.
Deactivate link. ~ OB
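A GMER log this long is easier to triage with a small script than by eye. The following Python is an added example written for this thread; it is not part of GMER, ComboFix or anything the posters ran. It reads a constructed sample in the same line layout as the log above (user-mode .text hooks, user IAT hooks, the Processes section that marks hidden libraries, and the Services section that marks hidden drivers) and sorts the hooks by where their target lives: a module GMER lists as hidden or can only name through \globalroot\Device (treated as suspicious, which is an assumption of this example), no module at all (reported but not scored, since legitimate security products also patch loader functions that way), or a named on-disk module. The regular expressions are fitted to the 1.0.15 line shapes visible above and are this example's guess at the format, not GMER's documented grammar.

```python
"""Triage of a GMER 1.0.15 text log: which hidden modules are present, where they are
mapped, and which user-mode hooks lead into them. Added example; not GMER's own code."""
import re
from dataclasses import dataclass, field

# Hook targets GMER names through an unnamed device object rather than a file on disk.
# Treating that as suspicious is a heuristic assumed in this example.
DEVICE_BACKED = "\\globalroot\\device\\"

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
# .text <process>[<pid>] <module!function>[ + off] <addr> <n> Byte(s) <JMP|CALL target [module]>
TEXT_HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<func>\S+(?:\s\+\s[0-9A-F]+)?)"
    r"\s+[0-9A-F]+\s+\d+\s+Bytes?\s+(?P<rest>.*)$")
TARGET_RE = re.compile(r"^(?:JMP|CALL)\s+[0-9A-F]+(?:\s+(?P<module>.+))?$")
# IAT <process>[<pid>] @ <image> [<module!function>] [<addr>] <target module>
IAT_HOOK_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+\S.*?\s+\[(?P<func>[^\]]+)\]"
    r"\s+\[[0-9A-F]+\]\s*(?P<module>.*)$")
LIBRARY_RE = re.compile(
    r"^Library\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+(?P<proc>.+?)\s+\[(?P<pid>\d+)\]")
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>[^\]]+)\]\s+(?P<name>\S+)")

# Constructed sample in the layout of the log above (a few representative lines, not the real log).
SAMPLE_GMER_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[3908] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[4004] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0065000A
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[5668] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 5 Bytes JMP 3260531D C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\system32\winlogon.exe[524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\__max++>\2C12ECF6.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [524] 0x35670000
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\vsfocerilrmhsn.sys (*** hidden *** ) [SYSTEM] vsfoceilmkvdyi <-- ROOTKIT !!!
"""

@dataclass
class Hook:
    section: str
    process: str
    pid: int
    function: str
    target: str  # module GMER attributes the hook target to; "" when it names none

@dataclass
class Triage:
    hidden_libraries: dict = field(default_factory=dict)    # path -> {(process, pid), ...}
    hidden_services: list = field(default_factory=list)     # [(name, image_path, start_type)]
    suspicious_hooks: list = field(default_factory=list)    # target is hidden or device-backed
    unattributed_hooks: list = field(default_factory=list)  # GMER names no target module
    other_hooks: list = field(default_factory=list)         # target is a named on-disk module

def _strip_vendor(module):
    """Drop the trailing '(description/vendor)' GMER appends to modules it can identify."""
    return re.sub(r"\s*\([^()]*\)$", "", module).strip()

def parse_gmer(text):
    t, hooks, section = Triage(), [], ""
    for line in text.splitlines():
        line = line.rstrip()
        if m := SECTION_RE.match(line):
            section = m["name"]
        elif m := LIBRARY_RE.match(line):
            t.hidden_libraries.setdefault(m["path"], set()).add((m["proc"], int(m["pid"])))
        elif m := SERVICE_RE.match(line):
            t.hidden_services.append((m["name"], m["path"], m["start"]))
        elif m := TEXT_HOOK_RE.match(line):
            tm = TARGET_RE.match(m["rest"])  # no match means an inline byte patch such as "[84]"
            target = (tm["module"] or "") if tm else ""
            hooks.append(Hook(section, m["proc"], int(m["pid"]), m["func"], _strip_vendor(target)))
        elif m := IAT_HOOK_RE.match(line):
            hooks.append(Hook(section, m["proc"], int(m["pid"]), m["func"], _strip_vendor(m["module"])))
    # Classify after the full pass: the Processes section naming hidden libraries comes last.
    for h in hooks:
        if not h.target:
            t.unattributed_hooks.append(h)
        elif h.target in t.hidden_libraries or DEVICE_BACKED in h.target.lower():
            t.suspicious_hooks.append(h)
        else:
            t.other_hooks.append(h)
    return t

def affected_processes(t):
    """Processes with a hidden library mapped or a hook into one: the set a helper needs
    when judging that ending a single process will not be enough."""
    procs = {p for owners in t.hidden_libraries.values() for p in owners}
    return procs | {(h.process, h.pid) for h in t.suspicious_hooks}

if __name__ == "__main__":
    t = parse_gmer(SAMPLE_GMER_LOG)
    print(f"hidden libraries: {list(t.hidden_libraries)}\nhidden services: {t.hidden_services}")
    print(f"{len(t.suspicious_hooks)} suspicious / {len(t.unattributed_hooks)} unattributed / "
          f"{len(t.other_hooks)} other hooks; affected processes: {sorted(affected_processes(t))}")
```

Run on the full log above, the same script would list every process in the Processes section as an owner of the hidden DLL and pair each of them with the TrackMouseEvent, GetHFONT, GetTextExtentPoint32W, NtWriteFile and LdrGetProcedureAddress hooks that point into it, while leaving the unattributed LdrLoadDll patches and the mso.dll hook in WINWORD out of the suspicious set. The hidden service line and the Kernel IAT lines (which have no pid and are skipped by these patterns) are the other two things a helper reads first.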



 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 AM

Posted 17 August 2009 - 11:10 AM

Hello.

You have a nasty infection on board here. Let's see what we can do.

Instructions are below. Follow the steps exactly as written. Any problems/questions, please ask before continuing.

We need to first uninstall one of your security programs. You have two installed. Not only is this not good, it will also interfere with some of the tools we are going to use.

Why shouldn't you have 2 firewall/Anti-Virus software installed?

I do not recommend that you have more than one anti-virus or firewall product installed and running on your computer at a time. In addition to wasting resources, if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Please Uninstall either Trend Micro PC-cillin Internet Security 14 or AVG 8.5 via Add/Remove Programs.

---

Let's get a backup of your registry first, even before running anything.

Backup Registry with ERUNT

This tool will create a complete backup of your registry. A backup is created to ensure we have one, so in case anything goes wrong we can deal with it. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt


---

Download and Run Combofix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download ComboFix from this location:

* IMPORTANT !!! Place it on your Desktop
  • Disable your AntiVirus and AntiSpyware applications; they may otherwise interfere with ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Usually via a right click on the System Tray icon and selecting "disable".
  • Refer to this page if you are not sure how.
  • Close any open windows, including this one.
If you can't disable your security programs properly, or they cannot be disabled properly, you may wish to uninstall them and then re-install them afterwards once it's done.
  • Double click on the file you just downloaded & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.


    Click on Yes, to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

--

Any problems or issues please let me know.

Thanks.

With Regards,
Extremeboy

Edited by extremeboy, 18 August 2009 - 08:57 PM.
remove link

Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image link].

#3 lucasbuck

lucasbuck
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:54 AM

Posted 17 August 2009 - 04:38 PM

UPDATE: The redirects seem to have stopped after running ComboFix.

Thank you SO much for the help. I'm trying to help a friend with their computer. I've seen the work you guys do for years, but never had to ask for help. It's great you give your time.
-----
When I started up this afternoon, I got this from AVG, if this helps.
File name: C:\WINDOWS\svchost.exe
Threat name: Trojan horse Downloader.Generic8.BINC
Detected on Open

(That was before downloading ComboFix, which had been renamed, BTW; I noticed that it was named the same.)
-----
I tried to uninstall AVG several times and it wouldn't. It kept saying it couldn't make a reg entry it needed to. I went into a safe command prompt, and just deleted the program that way (don't yell at me). So although the combofix log says it was running, I'm assuming that's from some reg entry left, because the program is gone.
-----
ComboFix Beta_09-08-16.01 - User 08/17/2009 17:15.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1449 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\22.tmp
c:\documents and settings\User\Application Data\inst.exe
c:\recycler\S-1-5-21-1032111925-1151151513-412665214-1260
c:\recycler\S-1-5-21-1032111925-1151151513-412665214-1260\Desktop.ini
c:\recycler\S-1-5-21-1032111925-1151151513-412665214-1260\msimfo32.exe
c:\windows\kb913800.exe
c:\windows\system32\6to4v32.dll
c:\windows\system32\Data
c:\windows\system32\Data\Data
c:\windows\system32\icash.exe
c:\windows\system32\QQ.dll
c:\windows\system32\tapi.nfo

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_QQ
-------\Legacy_vsfoceilmkvdyi
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_6to4
-------\Service_QQ
-------\Service_vsfoceilmkvdyi


((((((((((((((((((((((((( Files Created from 2009-07-17 to 2009-08-17 )))))))))))))))))))))))))))))))
.

2009-08-17 20:46 . 2009-08-17 20:46 -------- d-----w- C:\ERUNT
2009-08-16 15:56 . 2009-08-16 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-08-16 15:55 . 2009-08-16 15:55 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-16 15:55 . 2009-08-16 15:55 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-08-16 15:55 . 2009-08-16 15:55 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-16 15:55 . 2009-08-16 15:55 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-16 15:55 . 2009-08-16 15:55 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-16 15:55 . 2009-08-17 20:40 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-16 15:54 . 2009-08-16 15:54 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-08-16 15:54 . 2009-08-16 15:54 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-08-16 15:54 . 2009-08-17 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-16 15:54 . 2009-08-16 18:07 -------- d-sh--w- c:\windows\Installer
2009-08-16 15:50 . 2009-08-16 15:50 -------- d-----w- c:\documents and settings\User\Application Data\AVG8
2009-08-16 15:25 . 2009-08-16 15:25 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-16 14:21 . 2009-08-16 16:52 0 ----a-w- c:\windows\system32\drivers\a0db9e4d.sys
2009-08-16 14:21 . 2009-08-16 14:21 36352 ----a-w- c:\windows\system32\csbdll.dll
2009-08-16 14:21 . 2009-08-16 14:21 121344 ----a-w- C:\jgwyq.exe
2009-08-16 14:06 . 2009-08-17 00:17 3192 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-08-16 14:06 . 2009-08-16 14:06 8 --sh--r- c:\documents and settings\All Users\Application Data\3367F36434.sys
2009-08-16 14:02 . 2009-08-16 14:02 -------- d-----w- c:\program files\Common Files\Corel
2009-08-16 14:02 . 2009-08-16 14:02 -------- d-----w- c:\program files\Common Files\Protexis
2009-08-16 14:02 . 2009-08-16 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2009-08-14 23:09 . 2009-08-14 23:09 -------- d-----w- c:\documents and settings\User\Application Data\Ascaron Entertainment
2009-08-08 00:17 . 2009-08-08 00:17 -------- d-----w- c:\documents and settings\User\Application Data\Ubisoft
2009-08-05 21:04 . 2009-08-05 21:04 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-08-05 21:04 . 2009-08-05 21:04 -------- d-----w- c:\program files\OpenAL
2009-08-05 20:59 . 2009-03-09 19:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-08-05 20:59 . 2009-03-09 19:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-08-05 20:59 . 2009-03-09 19:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-08-05 20:59 . 2009-03-16 18:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-08-05 20:59 . 2009-03-16 18:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-08-05 20:59 . 2009-03-16 18:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-08-05 20:59 . 2009-03-16 18:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-08-05 20:52 . 2009-08-05 20:52 -------- d-----w- c:\program files\Traction Software
2009-08-04 15:19 . 2009-08-04 15:22 -------- d-----w- c:\program files\GOG.com
2009-08-04 03:15 . 2009-08-04 03:15 -------- d-----w- c:\documents and settings\User\Application Data\com.gog.downloader.87F90EC6C28C7E479115BE2E026DB87A08BC420D.1
2009-08-04 03:15 . 2009-08-04 03:15 -------- d-----w- c:\program files\GOG.com Downloader
2009-08-04 03:14 . 2009-08-04 03:14 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-01 20:50 . 2009-08-01 20:51 -------- d-----w- c:\documents and settings\User\Logitech
2009-08-01 20:49 . 2009-08-01 20:50 -------- d-----w- c:\program files\Common Files\Remote Control Software Common
2009-08-01 20:49 . 2009-08-01 20:49 -------- d-----w- c:\program files\Logitech
2009-08-01 20:49 . 2009-08-01 20:49 -------- d-----w- c:\program files\Common Files\Remote Control USB Driver
2009-07-21 11:30 . 2009-08-04 02:05 -------- d-----w- c:\documents and settings\User\Application Data\IDM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-17 20:44 . 2009-08-17 20:44 791393 ----a-w- C:\erunt-setup.exe
2009-08-17 03:54 . 2009-08-17 03:54 358400 ----a-w- c:\windows\isvchost.exe
2009-08-17 02:30 . 2009-08-17 02:30 1718784 ----a-w- C:\RRT.exe
2009-08-16 17:33 . 2007-01-09 17:36 52809 ----a-w- c:\windows\system32\nvModes.dat
2009-08-16 17:23 . 2009-08-16 17:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-08-16 17:19 . 2009-08-16 17:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-16 14:06 . 2008-03-29 22:31 -------- d-----w- c:\documents and settings\User\Application Data\Corel
2009-08-07 03:09 . 2007-11-29 04:09 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-08-07 03:09 . 2007-11-29 04:09 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-08-07 02:57 . 2007-01-09 17:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 21:04 . 2007-01-09 17:31 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-08-05 21:04 . 2007-11-26 19:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-05 21:03 . 2007-11-26 19:17 -------- d-----w- c:\program files\AGEIA Technologies
2009-08-03 17:36 . 2009-05-03 02:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-05-03 02:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-01 22:11 . 2008-09-16 22:16 -------- d-----w- c:\documents and settings\User\Application Data\DMCache
2009-08-01 02:23 . 2009-04-28 00:44 -------- d-----w- c:\program files\Palm
2009-07-10 12:31 . 2007-01-16 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-05 14:40 . 2009-07-05 14:40 11454 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{0FF55FD0-BEE0-46FA-AA5B-1D16405562CE}\_2cd672ae.exe
2009-07-05 14:40 . 2009-07-05 14:40 11454 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{0FF55FD0-BEE0-46FA-AA5B-1D16405562CE}\_294823.exe
2009-07-05 14:40 . 2009-07-05 14:40 11454 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{0FF55FD0-BEE0-46FA-AA5B-1D16405562CE}\_18be6784.exe
2009-07-05 14:40 . 2009-07-05 14:40 1078 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{0FF55FD0-BEE0-46FA-AA5B-1D16405562CE}\_69525f90.exe
2009-07-05 14:40 . 2009-07-05 14:40 1078 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{0FF55FD0-BEE0-46FA-AA5B-1D16405562CE}\_4ae13d6c.exe
2009-07-05 14:40 . 2009-07-05 14:40 1078 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{0FF55FD0-BEE0-46FA-AA5B-1D16405562CE}\_16496df1.exe
2009-07-05 14:33 . 2009-07-05 14:33 11502 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{BAE4D301-FE3F-4B41-813C-81165BD1FB30}\_3cec1c82.exe
2009-07-05 14:33 . 2009-07-05 14:33 11502 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{BAE4D301-FE3F-4B41-813C-81165BD1FB30}\_165d6e64.exe
2009-07-05 13:52 . 2009-07-05 13:52 10134 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{E601665F-7D55-4983-AA72-43551164FC03}\_52f6985.exe
2009-07-05 13:52 . 2009-07-05 13:52 10134 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{E601665F-7D55-4983-AA72-43551164FC03}\_261e27.exe
2009-07-05 13:52 . 2009-07-05 13:52 10134 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{E601665F-7D55-4983-AA72-43551164FC03}\_22972e15.exe
2009-07-02 20:17 . 2007-01-22 21:47 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-19 00:07 . 2007-01-09 18:06 -------- d-----w- c:\program files\Google
2009-06-19 00:06 . 2009-06-19 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-18 16:55 . 2009-08-17 02:31 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2009-06-06 07:12 . 2007-01-17 02:21 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-06-06 02:06 . 2009-06-06 02:06 10134 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-05-27 10:49 . 2009-05-27 10:49 46 ----a-w- c:\windows\system32\DonationCoder_urlsnooper_InstallInfo.dat
2008-08-04 12:20 . 2008-03-29 22:31 1056 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"DAEMON Tools"="c:\mine\program files\applications\DAEMON Tools\daemon.exe" [2007-11-17 171464]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Steam"="c:\mine\program files\games\Steam\Steam.exe" [2009-06-14 1217784]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-08 251240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-19 39408]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-01 7561216]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-09-08 1036288]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-16 185872]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime Alternative\QTTask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"RRT-Auto"="C:\RRT.exe" [2009-08-17 1718784]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-01 1519616]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2006-05-01 73728]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-25 282624]

c:\documents and settings\User\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\erunt\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-9 24576]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 15:55 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\csbdll]
2009-08-16 14:21 36352 ----a-w- c:\windows\system32\csbdll.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\mine\\program files\\applications\\internet\\flashget\\flashget.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\mine\\program files\\games\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4313:TCP"= 4313:TCP:emule1
"29072:UDP"= 29072:UDP:emule2
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 avgrkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [8/16/2009 11:55 AM 12552]
R1 avgldx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/16/2009 11:55 AM 335240]
R1 avgtdix;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/16/2009 11:55 AM 108552]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [8/16/2009 10:31 PM 18816]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/25/2006 5:26 PM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [9/25/2006 5:26 PM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/25/2006 5:26 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [9/25/2006 5:26 PM 566872]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/8/2009 6:38 AM 92008]
R3 avgfwdx;avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [8/16/2009 11:54 AM 29208]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [9/25/2006 5:26 PM 280392]
S1 a0db9e4d;a0db9e4d;c:\windows\system32\drivers\a0db9e4d.sys [8/16/2009 10:21 AM 0]
S1 c4119ec4;c4119ec4;c:\windows\system32\drivers\c4119ec4.sys [4/29/2009 6:35 PM 0]
S2 avg8wd;AVG8 WatchDog;c:\mine\PROGRA~1\AVG8\avgwdsvc.exe --> c:\mine\PROGRA~1\AVG8\avgwdsvc.exe [?]
S2 avgfws8;AVG8 Firewall;c:\mine\PROGRA~1\AVG8\avgfws8.exe --> c:\mine\PROGRA~1\AVG8\avgfws8.exe [?]
S2 gupdate1c9f071daa0e81e;Google Update Service (gupdate1c9f071daa0e81e);c:\program files\Google\Update\GoogleUpdate.exe [6/18/2009 8:06 PM 133104]
S2 NetLogin;Net Login;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
S3 avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [8/16/2009 11:54 AM 29208]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\27.tmp --> c:\windows\system32\27.tmp [?]
S3 netskt;netskt;c:\windows\system32\netskt.sys [8/16/2005 6:18 AM 2304]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [12/23/2008 11:35 AM 50704]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
aaburggm
.
Contents of the 'Scheduled Tasks' folder

2009-08-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-08-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-19 00:05]

2009-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-19 00:06]

2009-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-19 00:06]

2009-08-16 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\smartd~1\Messages\SDNotify.exe [2008-06-16 13:53]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DAEMON Tools Pro Agent - c:\mine\program files\applications\DAEMON Tools Pro\DTProAgent.exe
HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
HKLM-Run-AVG8_TRAY - c:\mine\PROGRA~1\AVG8\avgtray.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\mine\program files\applications\internet\flashget\jc_all.htm
IE: &Download with FlashGet - c:\mine\program files\applications\internet\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\mine\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\7v7rwb7r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-17 17:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\27.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-414247857-928217203-69551525-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:4a,08,ea,3a,c1,19,9f,48,9b,14,e6,b5,a2,37,29,f5,fe,2f,04,7e,ef,11,ca,
af,5d,38,95,f1,1a,ac,6a,41,84,d3,2e,cb,b4,dd,3d,7e,10,1d,46,a0,56,b5,0c,71,\
"??"=hex:10,92,e7,05,48,db,78,52,a6,30,70,cd,4d,37,a6,81

[HKEY_USERS\S-1-5-21-414247857-928217203-69551525-1005\Software\SecuROM\License information*]
"datasecu"=hex:6c,5b,df,9b,62,5c,82,9f,09,8c,f7,d5,16,55,55,1c,ad,74,e1,75,da,
7e,14,7a,29,b7,63,b1,89,7b,31,81,fb,09,80,30,f0,99,9d,42,ea,e7,26,ab,83,f2,\
"rkeysecu"=hex:2c,67,1d,bb,d3,20,29,2f,f1,9c,74,55,a4,52,24,10

[HKEY_USERS\S-1-5-21-414247857-928217203-69551525-1005\Software\SuperWaba\appSettings\¨*´*`& ]
"Len"=dword:0000001b
"Value"=hex:31,30,2e,30,2e,31,2e,31,30,7c,34,30,39,36,7c,35,30,30,30,30,7c,38,
7c,37,7c,30,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):58,92,ef,89,30,f4,7f,56,00,97,2f,41,49,2a,a0,29,d1,bd,08,51,b1,
b7,a3,fc,bc,ec,c6,28,26,9b,13,c7,a9,85,9f,c3,ea,6c,2d,e7,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{67867c05-4985-4cc3-9ea8-eb31c07ff2cc}]
@Denied: (Full) (Everyone)
"Model"=dword:00000121
"Therad"=dword:0000001f
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\csbdll.dll
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(3700)
c:\windows\system32\nview.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\TRENDM~1\INTERN~1\pccguide.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\dllhost.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Completion time: 2009-08-17 17:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-17 21:28

Pre-Run: 11,535,392,768 bytes free
Post-Run: 11,398,107,136 bytes free

346 --- E O F --- 2009-08-17 21:24

Edited by lucasbuck, 17 August 2009 - 04:42 PM.


#4 lucasbuck

  • Topic Starter
  • Members
  • 10 posts

Posted 17 August 2009 - 06:50 PM

One other question. This is a Dell laptop that came with something called PC Restore by Symantec. You're supposed to be able to hit some keys during startup and it wipes the partition and reinstalls everything back to when it originally shipped. Have you heard of this? My friend was thinking about reinstalling XP anyways, but I worry that the rootkit might have screwed up the Restore. I have no idea what the PC Restore is or how well it works.

#5 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 17 August 2009 - 09:10 PM

Hello again.

This is a Dell laptop that came with something called PC Restore by Symantec. You're supposed to be able to hit some keys during startup and it wipes the partition and reinstalls everything back to when it originally shipped. Have you heard of this?

Yes. Take a look and read here: http://www.goodells.net/dellrestore/fixes.htm

If you do wish to format, please let me know. Any problems or questions you wish to ask regarding how to format a machine you may start a new topic here: http://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/

--

If you do wish to format and start over please let me know. You do have a dangerous and nasty infection on board here.

If not, please also let me know in your next reply so we can continue with the disinfection process.

--

I would like to see the contents of everything Combofix quarantined however.

Please navigate to the Qoobox folder.

C:\QooBox <- This folder

In that folder, there should be a log file called Add-Remove Programs.txt

Please post the contents of that log file in your next reply.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 lucasbuck

  • Topic Starter
  • Members
  • 10 posts

Posted 17 August 2009 - 10:55 PM

Thanks for the link. I'm kind of nervous resetting everything, as the laptop is used for work. Do you think it's going to be a pain to completely clean, or can it be completely cleaned? Here's the add\remove log. (BTW, are these items that have been removed? What is the list exactly?)
-----------
2007 Microsoft Office Suite Service Pack 1 (SP1)
3dsmax ancillary install
7-Zip 4.42
Acrobat.com
Adobe AIR
Adobe Anchor Service CS3
Adobe Anchor Service CS4
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge CS4
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS3
Adobe Device Central CS4
Adobe Digital Editions
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS3
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 9.1
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11
Adobe Stock Photos CS3
Adobe Type Support CS4
Adobe Update Manager CS3
Adobe Update Manager CS4
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
AiO_Scan_CDA
Andrea VoiceCenter
ANNO 1404
Any Video Converter 2.7.2
Apple Software Update
Autodesk 3ds Max 8
Autodesk 3ds Max 9 32-bit
Autodesk DWF Viewer 7
AVG 8.5
AviSynth 2.5
Backburner
Big Fish Games Client
BitPim 1.0.6
Bryce Lightning 2.0 b
Bryce Lightning 2.0 c
CCleaner (remove only)
Conexant HDA D110 MDC V.92 Modem
Connect
Content
Crazy Machines 2 v1.05 + Add-on
Creative Audio Pack
Creative MediaSource 5
Critical Update for Windows Media Player 11 (KB959772)
Dell Support 3.2.1
Dell System Restore
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
dsi_DinaV
Empire: Total War
ERUNT 1.1j
Fallout
FlashGet 1.9.6.1073
Forester
Freelancer
Freespace 2
Games, Music, & Photos Launcher
GOG.com Downloader
Google Earth
Google Update Helper
Google Updater
GrabIt 1.7.2 Beta 4 (build 997)
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 2.0 (KB918842)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB908673)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB914642)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HP Photosmart, Officejet and Deskjet 7.0.A
IconHandler 32 bit
ImgBurn
Intel® PROSet/Wireless Software
Internet Service Offers Launcher
J2SE Runtime Environment 5.0 Update 6
kuler
Langauge
LG USB Modem driver
Logitech Harmony Remote Software 7
Malwarebytes' Anti-Malware
Manga Studio EX 3.0
mCore
mDrWiFi
MediaDirect
MediaJoin
mHlpDell
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Game Studios Common Redistributables Pack 1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft WSE 3.0 Runtime
Microsoft XML Parser
mIWA
mLogView
mMHouse
Mobipocket Creator 4.2
Mobipocket Reader 6.2
Modem Helper
Mozilla Firefox (3.0.13)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mWMI
mXML
Mystery Case Files: Ravenhearst ™
Mystery Case Files: Return to Ravenhearst ™
mZConfig
NetWaiting
Norton Security Scan
Norton Security Scan (Symantec Corporation)
NVIDIA Drivers
NVIDIA PhysX v8.09.04
Object Fix Zip
OpenAL
Overlord
P3dO Explorer (remove only)
Palm Desktop by ACCESS
PDF Settings CS4
Photoshop Camera Raw
Plants vs. Zombies 1.0.0.1051
Port Royale 2
Poser 7
QFolder
QQM
Qualxserve Service Agreement
QuickPar 0.9
QuickSet
QuickTime
QuickTime Alternative 1.81
Quiz-Buddy 4.0
Rayman Raving Rabbids
RealPlayer
Remote Control USB Driver
Risk II
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Scan
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB960003)
Security Update for Microsoft Office Excel 2007 (KB959997)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Beyond the Sword
Sid Meier's Civilization 4 - Warlords
Sid Meier's Railroads!
SmartDraw 2008
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
Sophos Anti-Rootkit 1.5.0
Sound Blaster ADVANCED MB Drivers
Sound Blaster Audigy ADVANCED MB
Sound Blaster Audigy ADVANCED MB Product Registration
Star Wars® Knights of the Old Republic® II: The Sith Lords™
Steam
Suite Shared Configuration CS4
Suspects and Clues
Synaptics Pointing Device Driver
Terragen
The Battle for Middle-earth ™ II
The Lord of the Rings, The Rise of the Witch-king
The Sims™ 3
TomTom HOME 2.6.2.1586
TomTom HOME Visual Studio Merge Modules
Trend Micro PC-cillin Internet Security 14
TS3 Install Helper Monkey
TXTcollector 2.0.1
UEAW v4
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb968503)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Snooper v2.23.01
Video DVD Maker v3.16.0.34
WebFldrs XP
WIDCOMM Bluetooth Software
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Movie Maker 2.0
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890927
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892627
Windows XP Hotfix - KB893056
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
WinPcap 4.1 beta5
WinRAR archiver
XP Codec Pack
YouTube Downloader App 1.02

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 AM

Posted 18 August 2009 - 10:59 AM

Hello.

Sorry about that, it was very late for me last night and I was viewing another topic while I was responding to yours, and it seems I copied and pasted the wrong thing.

That log you just posted was the add/remove list, not what Combofix removed. It's good that you posted a copy here, but I wanted to see the Combofix quarantined items. That was my error. I apologize.

Please navigate to the C:\Qoobox folder again.

This time, look for the ComboFix-quarantined-files.txt log file.

Please attach the contents of that log file in your next reply.

--

Please also re-run DDS and post back with the new DDS logs please.

--

Regarding the infection you had:

Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read: Should you decide not to follow that advice, we will do our best to help clean the computer of any infections, but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you want to do.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to donate.

#8 lucasbuck

lucasbuck
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:54 AM

Posted 18 August 2009 - 05:41 PM

Let's see if we can reasonably get it cleaned up, and then once everything gets backed up I can run the PC Restore. I assume that will totally remove the rootkit?

Thanks again for the help, I attached the quarantine list below.

Attached Files



#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 AM

Posted 18 August 2009 - 06:03 PM

Hello.

The rootkit is already removed, but as I mentioned in my previous reply, I can not guarantee that it's 100% trustworthy anymore.

--

Please run the AVG uninstaller tool BEFORE doing anything else.

Go here: http://www.avg.com/download-tools

Download the AVG Remover(32bit) (avgremover.exe) package file.

Run it and restart your computer once done. Then follow the instructions below:



Let's run Combofix again, but this time with a CFScript.

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/250125/help-with-clicckercn-redirect-please-programs-not-loading/
    Collect::[68]
    c:\windows\system32\csbdll.dll
    c:\windows\svchost.exe 
    c:\windows\system32\netskt.sys
    c:\windows\isvchost.exe
    C:\jgwyq.exe
    File::
    c:\windows\system32\27.tmp
    c:\windows\system32\drivers\avgfwdx.sys 
    c:\windows\system32\drivers\a0db9e4d.sys
    c:\windows\system32\drivers\c4119ec4.sys
    Folder::
    c:\mine\PROGRA~1\AVG8
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    NetSvc::
    aaburggm
    SRPeek::
    c:\windows\system32\eventlog.dll 
    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{67867c05-4985-4cc3-9ea8-eb31c07ff2cc}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
    Driver::
    netskt
    MEMSWEEP2
    NetLogin
    avgfwfd
    avg8wd
    avgfws8
    c4119ec4
    a0db9e4d
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Drag CFScript.txt onto ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
  • Please post the contents of the Combofix log in your next reply.
Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Successful".
**NOTE**
=================
  • IF for some reason Combofix fails to upload anything please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.
Let me know how it goes and if the upload went successfully or not in your next reply.

Download and Run Scan with GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close any and all open programs, as this process may crash your computer.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save... and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries

For your next reply I would like to see:
-The Combofix log
-The GMER log


Thanks.

With Regards,
Extremeboy

#10 lucasbuck

lucasbuck
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:54 AM

Posted 18 August 2009 - 07:53 PM

I'll start working on this, but one quick question. Will the PC Restore put it back to trustworthy?

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 AM

Posted 18 August 2009 - 08:10 PM

Hello.

The PC Restore thing is more of restoring your computer's software to the factory settings. Yes, that would work, but it's not as safe in terms of "secure" as a format using the Windows XP disk. In short, to answer your question, yes that would work and your PC would be trustworthy.

With Regards,
Extremeboy

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 AM

Posted 21 August 2009 - 08:01 AM

Hi again,

How's everything coming along?

Just making sure you're still here.

With Regards,
Extremeboy

#13 lucasbuck

lucasbuck
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:54 AM

Posted 24 August 2009 - 06:45 AM

I am, I wasn't able to go help my friend with it this weekend. It seems to be working okay, but he decided he wanted to go ahead with the restore and set it back to factory. Just to be safe. So I'll go this afternoon and help with that.
I really appreciate all the help. Thank you so much. At least he didn't lose anything, and was still able to use it for work for a bit.

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 AM

Posted 24 August 2009 - 12:06 PM

You're welcome.

Thanks for letting me know. :thumbup2:

--
Below are some prevention tips; hopefully they will help. I will close this topic off shortly afterwards.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of hacking attempts and Trojans use the methods that the updates plug, and they keep working only because people do not update.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, you will find a nice little article about turning on automatic updates here.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

With Regards,
Extremeboy
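The "Disable Autorun" advice above describes USB worms that drop an AUTORUN.INF on the root of a removable drive, and the note that double-clicking the drive icon may still run the payload even with Autorun off. That second behaviour comes from the INF's shell\open\command and shell\explore\command entries, which rewrite the drive's context-menu verbs. The script below is an added example for this thread, not code from the original post or from any of the tools it mentions: it parses an autorun.inf the way a triage analyst would (leniently, since worm-written INFs often carry junk and duplicate keys that Windows' own INI reader still accepts) and reports every directive that would cause something to execute. The two INF samples in it are constructed for the example; the RECYCLER\svchost.exe path is a made-up placeholder, not an indicator from this thread.

```python
"""
Triage an autorun.inf copied off a removable drive.

Added example for this thread (not from the original post or from any tool
it mentions).  Both INF samples below are constructed for illustration.
"""
import re

# shell\<verb>\command entries replace the verbs Explorer runs when the drive
# icon is double-clicked or right-clicked, so they fire even when the
# AutoRun/AutoPlay notification itself has been disabled.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample modelled on the pattern USB worms use: the [autorun]
# section points every launch verb at a hidden executable and borrows the
# wording of Windows' own "Open folder to view files" AutoPlay option.
SAMPLE_WORM_INF = """\
; constructed sample for this example, not a real capture
[AutoRun]
Action=Open folder to view files
Icon=%SystemRoot%\\system32\\SHELL32.dll,4
ShellExecute=RECYCLER\\svchost.exe
Shell\\Open\\Command=RECYCLER\\svchost.exe
Shell\\Explore\\Command=RECYCLER\\svchost.exe
UseAutoPlay=1
"""

# Constructed benign sample: a vendor CD that only sets an icon and a label.
SAMPLE_BENIGN_INF = """\
[autorun]
icon=setup.exe,0
label=Vendor Driver CD
"""


def parse_autorun_inf(text):
    """Return {section: {key: value}} with section and key names lower-cased.

    configparser is deliberately not used: worm-written INF files often contain
    junk lines outside any section, duplicate keys and mixed case, and the
    Windows INI reader tolerates all of that, so the triage parser must too.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank or comment line
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # junk outside a section, or not key=value
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_autorun(text):
    """Return human-readable findings; an empty list means nothing would execute."""
    findings = []
    auto = parse_autorun_inf(text).get("autorun", {})
    for key, value in auto.items():
        if key in ("open", "shellexecute") or SHELL_COMMAND_RE.match(key):
            findings.append("%s launches: %s" % (key, value))
        elif key == "shell":
            findings.append("default verb overridden: %s" % value)
    # Social-engineering tell: the Action text mimics the built-in AutoPlay
    # choice so the user cannot tell the worm's entry from the real one.
    if auto.get("action", "").lower() == "open folder to view files":
        findings.append("action label mimics the default AutoPlay entry")
    return findings


if __name__ == "__main__":
    for name, sample in (("worm", SAMPLE_WORM_INF), ("benign", SAMPLE_BENIGN_INF)):
        print("%s sample:" % name)
        for finding in assess_autorun(sample) or ["no executable directives"]:
            print("  -", finding)
```

Run it against an autorun.inf read from the suspect drive (open the file with a text editor or pass its contents to assess_autorun) rather than double-clicking the drive, which is exactly the action the rewritten verbs are waiting for.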

#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 AM

Posted 24 August 2009 - 12:11 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad we could help :thumbup2:
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy
