Infected With a nasty TDSS variant rootkit


This topic is locked
34 replies to this topic

#1 stlleader

  • Members
  • 25 posts

Posted 23 August 2009 - 10:30 AM

This link is where I received help from rigel: http://www.bleepingcomputer.com/forums/t/249930/google-searches-are-redirected/ He told me to post in the HijackThis log forum.

Here are the logs:

DDS LOG


DDS (Ver_09-07-30.01) - NTFSx86
Run by Everybody at 10:14:59.51 on Sun 08/23/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.363 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.my.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\diner dash - flo on the go\images\stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220132884358
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\diner dash - flo on the go\images\armhelper.ocx
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://access1.andersonhospital.org/dana-cached/setup/JuniperSetupSP1.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\xy8tyjcc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-8 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-30 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-30 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-30 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-30 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-30 298776]
S2 gupdate1c9e4a25ae1ac06;Google Update Service (gupdate1c9e4a25ae1ac06);c:\program files\google\update\GoogleUpdate.exe [2009-6-3 133104]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2009-1-10 547744]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\2.tmp --> c:\windows\system32\2.tmp [?]

=============== Created Last 30 ================

2009-08-19 19:13 --d----- c:\program files\Sophos
2009-08-17 19:30 --d----- c:\documents and settings\administrator\DoctorWeb
2009-08-11 18:36 --d----- c:\windows\ServicePackFiles
2009-08-08 02:55 388,608 a------- c:\windows\system32\CF28617.exe
2009-08-08 02:47 --d----- C:\leexplore
2009-08-08 02:45 --d----- c:\docume~1\admini~1\applic~1\Reg Tool
2009-08-08 02:45 --d----- c:\program files\Reg Tool
2009-08-08 02:45 --d----- c:\program files\Downloaded Installers
2009-08-08 02:13 --d----- c:\program files\ESET
2009-08-08 02:08 15,688 a------- c:\windows\system32\lsdelete.exe
2009-08-08 02:05 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-08-08 02:05 -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-08-08 02:05 --d----- c:\program files\Lavasoft
2009-08-08 01:40 161,792 a------- c:\windows\SWREG.exe
2009-08-08 01:40 98,816 a------- c:\windows\sed.exe
2009-08-01 14:08 --d----- c:\program files\att-r9
2009-08-01 14:08 --d----- c:\program files\common files\Motive
2009-08-01 14:08 --d----- c:\program files\ATT-R9-WISE
2009-07-26 16:17 --d----- c:\program files\iPod
2009-07-26 16:17 --d----- c:\program files\iTunes

==================== Find3M ====================

2009-08-05 04:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-17 13:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 09:46 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-13 02:18 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-06-27 10:06 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-26 11:18 659,456 a------- c:\windows\system32\wininet.dll
2009-06-26 11:18 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-25 13:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-25 13:36 517,120 a------- c:\windows\system32\mqsnap.dll
2009-06-25 13:36 471,552 a------- c:\windows\system32\mqutil.dll
2009-06-25 13:36 225,280 a------- c:\windows\system32\mqoa.dll
2009-06-25 13:36 186,880 a------- c:\windows\system32\mqtrig.dll
2009-06-25 13:36 177,152 a------- c:\windows\system32\mqrt.dll
2009-06-25 13:36 138,240 a------- c:\windows\system32\mqad.dll
2009-06-25 13:36 123,392 a------- c:\windows\system32\mqrtdep.dll
2009-06-25 13:36 95,744 a------- c:\windows\system32\mqsec.dll
2009-06-25 13:36 48,640 a------- c:\windows\system32\mqupgrd.dll
2009-06-25 13:36 47,104 a------- c:\windows\system32\mqdscli.dll
2009-06-25 13:36 16,896 a------- c:\windows\system32\mqise.dll
2009-06-22 06:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 06:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 06:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-06-16 09:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-12 06:50 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 06:50 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:21 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 01:32 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-05 02:42 655,872 a------- c:\windows\system32\mstscax.dll
2009-06-03 14:27 1,290,752 a------- c:\windows\system32\quartz.dll

============= FINISH: 10:15:41.75 ===============


ATTACH LOG


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/30/2008 6:40:38 PM
System Uptime: 8/23/2009 9:01:14 AM (1 hours ago)

Motherboard: Dell Inc. | | 0HJ054
Processor: Intel® Pentium® D CPU 2.80GHz | Microprocessor | 2793/800mhz
Processor: Intel® Pentium® D CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 298 GiB total, 259.7 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: D-Link WDA-2320 Desktop Adapter
Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_3A1B1186&REV_01\4&5855BE9&0&10F0
Manufacturer: D-Link
Name: D-Link WDA-2320 Desktop Adapter
PNP Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_3A1B1186&REV_01\4&5855BE9&0&10F0
Service: A3AB

==== System Restore Points ===================

RP447: 5/14/2009 11:41:53 PM - Software Distribution Service 3.0
RP448: 5/15/2009 1:12:23 PM - Software Distribution Service 3.0
RP449: 5/15/2009 4:49:34 PM - Software Distribution Service 3.0
RP450: 5/15/2009 11:28:03 PM - Software Distribution Service 3.0
RP451: 5/16/2009 8:15:06 AM - Software Distribution Service 3.0
RP452: 5/16/2009 1:58:24 PM - Software Distribution Service 3.0
RP453: 5/16/2009 11:56:43 PM - Software Distribution Service 3.0
RP454: 5/17/2009 11:36:15 AM - Software Distribution Service 3.0
RP455: 5/17/2009 11:49:20 PM - Software Distribution Service 3.0
RP456: 5/17/2009 11:55:27 PM - Software Distribution Service 3.0
RP457: 5/18/2009 11:52:27 PM - Software Distribution Service 3.0
RP458: 5/19/2009 12:00:57 AM - Software Distribution Service 3.0
RP459: 5/19/2009 12:55:31 AM - Software Distribution Service 3.0
RP460: 5/19/2009 7:44:20 AM - Software Distribution Service 3.0
RP461: 5/19/2009 8:47:38 AM - Software Distribution Service 3.0
RP462: 5/20/2009 1:11:38 AM - Software Distribution Service 3.0
RP463: 5/20/2009 3:39:29 AM - Software Distribution Service 3.0
RP464: 5/20/2009 7:35:31 AM - Software Distribution Service 3.0
RP465: 5/20/2009 11:55:26 AM - Avg8 Update
RP466: 5/20/2009 11:57:40 AM - Avg8 Update
RP467: 5/20/2009 12:08:43 PM - Software Distribution Service 3.0
RP468: 5/20/2009 2:46:27 PM - Software Distribution Service 3.0
RP469: 5/20/2009 6:11:22 PM - Software Distribution Service 3.0
RP470: 5/20/2009 10:49:31 PM - Software Distribution Service 3.0
RP471: 5/20/2009 11:13:18 PM - Software Distribution Service 3.0
RP472: 5/21/2009 9:19:44 PM - Software Distribution Service 3.0
RP473: 5/21/2009 9:36:00 PM - Software Distribution Service 3.0
RP474: 5/21/2009 9:59:06 PM - Software Distribution Service 3.0
RP475: 5/22/2009 5:38:38 AM - Software Distribution Service 3.0
RP476: 5/22/2009 9:21:55 PM - Software Distribution Service 3.0
RP477: 5/22/2009 9:38:54 PM - Software Distribution Service 3.0
RP478: 5/22/2009 9:59:25 PM - Software Distribution Service 3.0
RP479: 5/23/2009 2:10:24 AM - Software Distribution Service 3.0
RP480: 5/23/2009 4:46:50 PM - Software Distribution Service 3.0
RP481: 5/24/2009 3:34:59 AM - Software Distribution Service 3.0
RP482: 5/24/2009 10:59:10 AM - Software Distribution Service 3.0
RP483: 5/24/2009 7:14:33 PM - Software Distribution Service 3.0
RP484: 5/24/2009 9:28:42 PM - Software Distribution Service 3.0
RP485: 5/24/2009 11:25:48 PM - Software Distribution Service 3.0
RP486: 5/25/2009 2:06:52 AM - Software Distribution Service 3.0
RP487: 5/25/2009 4:55:35 PM - Software Distribution Service 3.0
RP488: 5/25/2009 10:48:23 PM - Software Distribution Service 3.0
RP489: 5/26/2009 12:26:28 AM - Software Distribution Service 3.0
RP490: 5/26/2009 5:55:42 PM - Software Distribution Service 3.0
RP491: 5/26/2009 6:47:44 PM - Removed Acrobat.com
RP492: 5/26/2009 7:20:12 PM - Software Distribution Service 3.0
RP493: 5/26/2009 11:21:05 PM - Software Distribution Service 3.0
RP494: 5/28/2009 12:16:22 AM - System Checkpoint
RP495: 5/28/2009 1:05:34 AM - Software Distribution Service 3.0
RP496: 5/28/2009 4:40:59 PM - Software Distribution Service 3.0
RP497: 5/28/2009 5:18:29 PM - Software Distribution Service 3.0
RP498: 5/28/2009 7:51:10 PM - Software Distribution Service 3.0
RP499: 5/28/2009 9:02:57 PM - Software Distribution Service 3.0
RP500: 5/29/2009 7:14:59 AM - Software Distribution Service 3.0
RP501: 5/29/2009 6:25:15 PM - Software Distribution Service 3.0
RP502: 5/29/2009 11:08:15 PM - Software Distribution Service 3.0
RP503: 5/30/2009 1:10:55 PM - Software Distribution Service 3.0
RP504: 5/31/2009 12:47:03 AM - Software Distribution Service 3.0
RP505: 5/31/2009 2:29:26 AM - Software Distribution Service 3.0
RP506: 5/31/2009 9:15:23 PM - Software Distribution Service 3.0
RP507: 5/31/2009 10:28:15 PM - Software Distribution Service 3.0
RP508: 6/1/2009 2:12:47 AM - Software Distribution Service 3.0
RP509: 6/1/2009 11:36:23 PM - Software Distribution Service 3.0
RP510: 6/2/2009 4:46:56 AM - Software Distribution Service 3.0
RP511: 6/3/2009 4:16:06 AM - Software Distribution Service 3.0
RP512: 6/3/2009 5:02:45 PM - Software Distribution Service 3.0
RP513: 6/4/2009 2:32:05 AM - Software Distribution Service 3.0
RP514: 6/4/2009 10:32:49 AM - Software Distribution Service 3.0
RP515: 6/4/2009 6:59:31 PM - Software Distribution Service 3.0
RP516: 6/4/2009 10:01:44 PM - Software Distribution Service 3.0
RP517: 6/5/2009 1:32:40 AM - Software Distribution Service 3.0
RP518: 6/5/2009 8:26:45 AM - Software Distribution Service 3.0
RP519: 6/5/2009 10:35:30 PM - Software Distribution Service 3.0
RP520: 6/6/2009 12:36:50 AM - Software Distribution Service 3.0
RP521: 6/6/2009 5:25:54 PM - Software Distribution Service 3.0
RP522: 6/7/2009 5:35:08 AM - Software Distribution Service 3.0
RP523: 6/8/2009 1:28:28 AM - Software Distribution Service 3.0
RP524: 6/8/2009 8:05:03 AM - Software Distribution Service 3.0
RP525: 6/8/2009 11:14:10 PM - Software Distribution Service 3.0
RP526: 6/9/2009 12:40:59 AM - Software Distribution Service 3.0
RP527: 6/9/2009 11:51:37 AM - Software Distribution Service 3.0
RP528: 6/9/2009 9:59:46 PM - Software Distribution Service 3.0
RP529: 6/11/2009 2:38:11 PM - System Checkpoint
RP530: 6/11/2009 5:14:58 PM - Software Distribution Service 3.0
RP531: 6/11/2009 8:34:03 PM - Software Distribution Service 3.0
RP532: 6/11/2009 9:39:06 PM - Software Distribution Service 3.0
RP533: 6/12/2009 10:15:59 AM - Software Distribution Service 3.0
RP534: 6/12/2009 7:36:43 PM - Installed Windows Media Format Runtime
RP535: 6/12/2009 7:42:03 PM - Software Distribution Service 3.0
RP536: 6/12/2009 7:53:04 PM - Software Distribution Service 3.0
RP537: 6/12/2009 9:39:03 PM - Software Distribution Service 3.0
RP538: 6/13/2009 11:07:20 AM - Software Distribution Service 3.0
RP539: 6/13/2009 11:40:34 AM - Software Distribution Service 3.0
RP540: 6/13/2009 5:29:48 PM - Software Distribution Service 3.0
RP541: 6/13/2009 9:17:30 PM - Software Distribution Service 3.0
RP542: 6/14/2009 2:22:00 AM - Software Distribution Service 3.0
RP543: 6/14/2009 11:07:21 AM - Software Distribution Service 3.0
RP544: 6/14/2009 12:29:43 PM - Removed Apple Mobile Device Support
RP545: 6/14/2009 2:43:14 PM - Software Distribution Service 3.0
RP546: 6/14/2009 4:36:09 PM - Software Distribution Service 3.0
RP547: 6/14/2009 7:28:13 PM - Software Distribution Service 3.0
RP548: 6/14/2009 8:31:58 PM - Software Distribution Service 3.0
RP549: 6/15/2009 2:09:10 AM - Software Distribution Service 3.0

==== Installed Programs ======================

32 Bit HP CIO Components Installer
AAC Decoder
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9
Adobe Shockwave Player
Advertisement Service
Any Video Converter 2.7.5
Apple Mobile Device Support
Apple Software Update
AT&T U-verse Setup
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AutoUpdate
AVG Free 8.5
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
Bonjour
BPD_Scan
BPDSoftware
CCleaner (remove only)
Conexant D850 56K V.9x DFVc Modem
Coupon Printer for Windows
Dell Resource CD
Diner Dash - Flo on the Go
Diner Dash 2 (remove only)
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DriverMax 4
EA SPORTS online 2006
Enterprise
ESET Online Scanner v3
ExamView Pro
FIFA 06
Freelancer
Full Tilt Poker
GameSpy Arcade
Google Toolbar for Internet Explorer
Google Update Helper
H.264 Decoder
High Definition Audio Driver Package - KB835221
Hotfix for Windows XP (KB952287)
HP Officejet J5700 AiO Series Corporate Edition 8.0
Intel® PRO Network Connections Drivers
iTunes
Java™ 6 Update 4
Java™ 6 Update 7
Juniper Terminal Services Client
Malwarebytes' Anti-Malware
Microsoft Age of Empires Gold
Microsoft Game Studios Common Redistributables Pack 1
Microsoft Halo Trial
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
MKV Splitter
Move Media Player
Mozilla Firefox (3.5.2)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
OpenOffice.org 2.4
Pixillion Image Converter
Prism Video Converter
QuickTime
Reg Tool
Scan
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SigmaTel Audio
Sophos Anti-Rootkit 1.5.0
Spybot - Search & Destroy
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.762
Veoh Web Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows XP Hotfix - KB839210

==== Event Viewer Messages From Past Week ========

8/17/2009 8:50:44 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
8/17/2009 7:37:54 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
8/17/2009 7:30:33 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
8/17/2009 7:30:33 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
8/17/2009 7:30:33 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/17/2009 7:30:33 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/17/2009 7:30:33 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
8/17/2009 7:30:33 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/17/2009 7:30:33 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/17/2009 7:29:34 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/17/2009 10:31:13 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
8/16/2009 6:06:02 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate1c9e4a25ae1ac06) service to connect.
8/16/2009 6:06:02 PM, error: Service Control Manager [7000] - The Google Update Service (gupdate1c9e4a25ae1ac06) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/16/2009 6:05:11 PM, error: ipnathlp [30013] - The DHCP allocator has disabled itself on IP address 192.168.1.64, since the IP address is outside the 192.168.0.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, please change the scope to include the IP address, or change the IP address to fall within the scope.
8/16/2009 3:56:19 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070003: Security Update for Windows XP (KB954600).

==== End Of File ===========================


ARK LOG

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/23 10:21
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\windows\System32\Drivers\dump_atapi.sys
Address: 0xF3D4E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\windows\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A9B000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal2.sys
Image Path: C:\windows\system32\drivers\rootrepeal2.sys
Address: 0xF0C1C000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\sessionstore.js
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACldkktsrnnp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmvxewbmxes.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACsrtalrmtkl.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACswwxvrwcud.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACthewxnridw.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACuwqeeakqdt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxjspuxxnos.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC3f94.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC4215.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC55a1.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC8aa7.tmp
Status: Invisible to the Windows API!

Path: C:\Program Files\Yahoo! Games\Diner Dash 2\dinerdash2.exe:{F1705B93-F690-79BE-DA38-923A3E667457}
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\UACbcetbdmdby.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\UAC931f.tmp
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: winlogon.exe (PID: 664) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: services.exe (PID: 708) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: lsass.exe (PID: 720) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: Ati2evxx.exe (PID: 896) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: svchost.exe (PID: 912) Address: 0x00740000 Size: 49152

Object: Hidden Module [Name: UACuwqeeakqdt.dll]
Process: svchost.exe (PID: 912) Address: 0x008e0000 Size: 73728

Object: Hidden Module [Name: UAC8aa7.tmpvrwcud.dll]
Process: svchost.exe (PID: 912) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAC8aa7.tmpvrwcud.dll]
Process: svchost.exe (PID: 1172) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAC8aa7.tmpvrwcud.dll]
Process: svchost.exe (PID: 1424) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAC8aa7.tmpvrwcud.dll]
Process: svchost.exe (PID: 1596) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAC8aa7.tmpvrwcud.dll]
Process: svchost.exe (PID: 1720) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: spoolsv.exe (PID: 1980) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: Explorer.EXE (PID: 436) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: GoogleToolbarNotifier.exe (PID: 992) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: jusched.exe (PID: 1068) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: avgtray.exe (PID: 1084) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: iTunesHelper.exe (PID: 1120) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: veohwebplayer.exe (PID: 1164) Address: 0x00ee0000 Size: 49152

Object: Hidden Module [Name: UAC8aa7.tmpvrwcud.dll]
Process: svchost.exe (PID: 1276) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: AppleMobileDeviceService.exe (PID: 1452) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: avgwdsvc.exe (PID: 1484) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: mDNSResponder.exe (PID: 1504) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: avgrsx.exe (PID: 208) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: avgnsx.exe (PID: 224) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAC8aa7.tmpvrwcud.dll]
Process: svchost.exe (PID: 2040) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: McciCMService.exe (PID: 2024) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAC8aa7.tmpvrwcud.dll]
Process: svchost.exe (PID: 384) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAC8aa7.tmpvrwcud.dll]
Process: svchost.exe (PID: 1228) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAC8aa7.tmpvrwcud.dll]
Process: svchost.exe (PID: 1192) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: avgemc.exe (PID: 336) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: avgcsrvx.exe (PID: 2104) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: iPodService.exe (PID: 2276) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: alg.exe (PID: 2892) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAC8aa7.tmpvrwcud.dll]
Process: svchost.exe (PID: 3216) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAC8aa7.tmpvrwcud.dll]
Process: firefox.exe (PID: 3756) Address: 0x01060000 Size: 217088

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: wuauclt.exe (PID: 3768) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: jucheck.exe (PID: 3396) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: notepad.exe (PID: 956) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: notepad.exe (PID: 1632) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: RootRepeal(2).exe (PID: 1936) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACswwxvrwcud.dll]
Process: Iexplore.exe (PID: 2972) Address: 0x10000000 Size: 217088

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\windows\system32\drivers\UACbcetbdmdby.sys

==EOF==

#2 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:00 AM

Posted 03 September 2009 - 09:19 AM

Hello stlleader, and welcome to BleepingComputer.com! I will be handling your log to help you get cleaned up. :thumbup2:

We apologize for the delay in responding to your request for help. Here at BleepingComputer.com we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply within the next 5 days, we will need to close your topic.

Please take note of some guidelines for this fix:
  • I will start working on your malware issues, this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running extra scanners or fix programs not requested by me: doing so could change the results in the reports I request.
  • The process is not instant: even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I tell you your machine is clean. Just because a symptom disappears does not mean your system is clean. We do not want to clean you part-way, only to have the system re-infect itself.
  • If you do not understand any step(s) provided, please stop and ask your question(s) before proceeding with the fixes. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please set aside enough time to complete all the steps in each post and follow the instructions in the order stated.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If for any reason you cannot complete instructions within that time, that's fine, but please let me know: just post back here so that I know you are still here. This is to ensure that your topic remains open and I don't close it to start a new post.
    NOTE: In the upper right hand corner of the topic you will see a button called Options. If you click on this button, a drop-down menu will expand. By choosing Track this topic and then choosing Immediate Email Notification, followed by clicking Proceed, you will be advised when I respond to your topic. This facilitates the cleaning procedure. The topics you are tracking can be found here.
  • Please reply to this thread using the Add Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Reviewing your log(s) requires an amount of research, so please be patient. However, if I have not posted back within 24 hours, feel free to send me a Personal Message (PM) with your topic link.


If you still require assistance, please post a new set of logs from DDS and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log please refer to this page and in step #6 there are instructions on downloading and running DDS. If you have any problems, just let me know in your next reply or simply post a HijackThis log.

Then, please check for rootkits with RootRepeal:

So for your next reply, I would like to see:
  • the DDS logs:
    • DDS.txt
    • Attach.txt (attached)
  • the RootRepeal report (RootRepeal.txt)
  • a description of any remaining problems
Thanks again and we apologize for the delay.

With kindest regards,

htv8
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#3 stlleader

stlleader
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:07:00 PM

Posted 03 September 2009 - 07:32 PM

Thanks for the help. I know you guys have to help a lot of people.

DDS LOG


DDS (Ver_09-07-30.01) - NTFSx86
Run by Everybody at 19:18:17.96 on Thu 09/03/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.478 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\System32\svchost.exe -k HTTPFilter
C:\windows\system32\wuauclt.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds(3).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.my.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\diner dash - flo on the go\images\stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220132884358
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\diner dash - flo on the go\images\armhelper.ocx
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://access1.andersonhospital.org/dana-cached/setup/JuniperSetupSP1.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\xy8tyjcc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-8 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-30 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-30 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-30 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-30 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-30 297752]
S2 gupdate1c9e4a25ae1ac06;Google Update Service (gupdate1c9e4a25ae1ac06);c:\program files\google\update\GoogleUpdate.exe [2009-6-3 133104]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2009-1-10 547744]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\2.tmp --> c:\windows\system32\2.tmp [?]
S3 rootrepeal3;rootrepeal3;c:\windows\system32\drivers\rootrepeal3.sys [2009-8-23 34816]

=============== Created Last 30 ================

2009-09-01 21:15 <DIR> --d----- c:\program files\MSECache
2009-08-23 10:19 34,816 a------- c:\windows\system32\drivers\rootrepeal3.sys
2009-08-19 19:13 <DIR> --d----- c:\program files\Sophos
2009-08-17 19:30 <DIR> --d----- c:\documents and settings\administrator\DoctorWeb
2009-08-11 18:36 <DIR> --d----- c:\windows\ServicePackFiles
2009-08-08 02:55 388,608 a------- c:\windows\system32\CF28617.exe
2009-08-08 02:47 <DIR> --d----- C:\leexplore
2009-08-08 02:45 <DIR> --d----- c:\docume~1\admini~1\applic~1\Reg Tool
2009-08-08 02:45 <DIR> --d----- c:\program files\Reg Tool
2009-08-08 02:45 <DIR> --d----- c:\program files\Downloaded Installers
2009-08-08 02:13 <DIR> --d----- c:\program files\ESET
2009-08-08 02:08 15,688 a------- c:\windows\system32\lsdelete.exe
2009-08-08 02:05 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-08-08 02:05 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-08-08 02:05 <DIR> --d----- c:\program files\Lavasoft
2009-08-08 01:40 161,792 a------- c:\windows\SWREG.exe
2009-08-08 01:40 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2009-08-24 16:09 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-24 16:09 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-05 04:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-17 13:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 02:18 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-06-26 11:18 659,456 a------- c:\windows\system32\wininet.dll
2009-06-26 11:18 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-25 13:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-25 13:36 517,120 a------- c:\windows\system32\mqsnap.dll
2009-06-25 13:36 471,552 a------- c:\windows\system32\mqutil.dll
2009-06-25 13:36 225,280 a------- c:\windows\system32\mqoa.dll
2009-06-25 13:36 186,880 a------- c:\windows\system32\mqtrig.dll
2009-06-25 13:36 177,152 a------- c:\windows\system32\mqrt.dll
2009-06-25 13:36 138,240 a------- c:\windows\system32\mqad.dll
2009-06-25 13:36 123,392 a------- c:\windows\system32\mqrtdep.dll
2009-06-25 13:36 95,744 a------- c:\windows\system32\mqsec.dll
2009-06-25 13:36 48,640 a------- c:\windows\system32\mqupgrd.dll
2009-06-25 13:36 47,104 a------- c:\windows\system32\mqdscli.dll
2009-06-25 13:36 16,896 a------- c:\windows\system32\mqise.dll
2009-06-22 06:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 06:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 06:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-06-16 09:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-12 06:50 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 06:50 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:21 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 01:32 132,096 a------- c:\windows\system32\wkssvc.dll

============= FINISH: 19:19:01.03 ===============


Attach LOG


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/30/2008 6:40:38 PM
System Uptime: 9/3/2009 7:13:19 PM (0 hours ago)

Motherboard: Dell Inc. | | 0HJ054
Processor: Intel® Pentium® D CPU 2.80GHz | Microprocessor | 2793/800mhz
Processor: Intel® Pentium® D CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 298 GiB total, 258.558 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: D-Link WDA-2320 Desktop Adapter
Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_3A1B1186&REV_01\4&5855BE9&0&10F0
Manufacturer: D-Link
Name: D-Link WDA-2320 Desktop Adapter
PNP Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_3A1B1186&REV_01\4&5855BE9&0&10F0
Service: A3AB

==== System Restore Points ===================

RP447: 5/14/2009 11:41:53 PM - Software Distribution Service 3.0
RP448: 5/15/2009 1:12:23 PM - Software Distribution Service 3.0
RP449: 5/15/2009 4:49:34 PM - Software Distribution Service 3.0
RP450: 5/15/2009 11:28:03 PM - Software Distribution Service 3.0
RP451: 5/16/2009 8:15:06 AM - Software Distribution Service 3.0
RP452: 5/16/2009 1:58:24 PM - Software Distribution Service 3.0
RP453: 5/16/2009 11:56:43 PM - Software Distribution Service 3.0
RP454: 5/17/2009 11:36:15 AM - Software Distribution Service 3.0
RP455: 5/17/2009 11:49:20 PM - Software Distribution Service 3.0
RP456: 5/17/2009 11:55:27 PM - Software Distribution Service 3.0
RP457: 5/18/2009 11:52:27 PM - Software Distribution Service 3.0
RP458: 5/19/2009 12:00:57 AM - Software Distribution Service 3.0
RP459: 5/19/2009 12:55:31 AM - Software Distribution Service 3.0
RP460: 5/19/2009 7:44:20 AM - Software Distribution Service 3.0
RP461: 5/19/2009 8:47:38 AM - Software Distribution Service 3.0
RP462: 5/20/2009 1:11:38 AM - Software Distribution Service 3.0
RP463: 5/20/2009 3:39:29 AM - Software Distribution Service 3.0
RP464: 5/20/2009 7:35:31 AM - Software Distribution Service 3.0
RP465: 5/20/2009 11:55:26 AM - Avg8 Update
RP466: 5/20/2009 11:57:40 AM - Avg8 Update
RP467: 5/20/2009 12:08:43 PM - Software Distribution Service 3.0
RP468: 5/20/2009 2:46:27 PM - Software Distribution Service 3.0
RP469: 5/20/2009 6:11:22 PM - Software Distribution Service 3.0
RP470: 5/20/2009 10:49:31 PM - Software Distribution Service 3.0
RP471: 5/20/2009 11:13:18 PM - Software Distribution Service 3.0
RP472: 5/21/2009 9:19:44 PM - Software Distribution Service 3.0
RP473: 5/21/2009 9:36:00 PM - Software Distribution Service 3.0
RP474: 5/21/2009 9:59:06 PM - Software Distribution Service 3.0
RP475: 5/22/2009 5:38:38 AM - Software Distribution Service 3.0
RP476: 5/22/2009 9:21:55 PM - Software Distribution Service 3.0
RP477: 5/22/2009 9:38:54 PM - Software Distribution Service 3.0
RP478: 5/22/2009 9:59:25 PM - Software Distribution Service 3.0
RP479: 5/23/2009 2:10:24 AM - Software Distribution Service 3.0
RP480: 5/23/2009 4:46:50 PM - Software Distribution Service 3.0
RP481: 5/24/2009 3:34:59 AM - Software Distribution Service 3.0
RP482: 5/24/2009 10:59:10 AM - Software Distribution Service 3.0
RP483: 5/24/2009 7:14:33 PM - Software Distribution Service 3.0
RP484: 5/24/2009 9:28:42 PM - Software Distribution Service 3.0
RP485: 5/24/2009 11:25:48 PM - Software Distribution Service 3.0
RP486: 5/25/2009 2:06:52 AM - Software Distribution Service 3.0
RP487: 5/25/2009 4:55:35 PM - Software Distribution Service 3.0
RP488: 5/25/2009 10:48:23 PM - Software Distribution Service 3.0
RP489: 5/26/2009 12:26:28 AM - Software Distribution Service 3.0
RP490: 5/26/2009 5:55:42 PM - Software Distribution Service 3.0
RP491: 5/26/2009 6:47:44 PM - Removed Acrobat.com
RP492: 5/26/2009 7:20:12 PM - Software Distribution Service 3.0
RP493: 5/26/2009 11:21:05 PM - Software Distribution Service 3.0
RP494: 5/28/2009 12:16:22 AM - System Checkpoint
RP495: 5/28/2009 1:05:34 AM - Software Distribution Service 3.0
RP496: 5/28/2009 4:40:59 PM - Software Distribution Service 3.0
RP497: 5/28/2009 5:18:29 PM - Software Distribution Service 3.0
RP498: 5/28/2009 7:51:10 PM - Software Distribution Service 3.0
RP499: 5/28/2009 9:02:57 PM - Software Distribution Service 3.0
RP500: 5/29/2009 7:14:59 AM - Software Distribution Service 3.0
RP501: 5/29/2009 6:25:15 PM - Software Distribution Service 3.0
RP502: 5/29/2009 11:08:15 PM - Software Distribution Service 3.0
RP503: 5/30/2009 1:10:55 PM - Software Distribution Service 3.0
RP504: 5/31/2009 12:47:03 AM - Software Distribution Service 3.0
RP505: 5/31/2009 2:29:26 AM - Software Distribution Service 3.0
RP506: 5/31/2009 9:15:23 PM - Software Distribution Service 3.0
RP507: 5/31/2009 10:28:15 PM - Software Distribution Service 3.0
RP508: 6/1/2009 2:12:47 AM - Software Distribution Service 3.0
RP509: 6/1/2009 11:36:23 PM - Software Distribution Service 3.0
RP510: 6/2/2009 4:46:56 AM - Software Distribution Service 3.0
RP511: 6/3/2009 4:16:06 AM - Software Distribution Service 3.0
RP512: 6/3/2009 5:02:45 PM - Software Distribution Service 3.0
RP513: 6/4/2009 2:32:05 AM - Software Distribution Service 3.0
RP514: 6/4/2009 10:32:49 AM - Software Distribution Service 3.0
RP515: 6/4/2009 6:59:31 PM - Software Distribution Service 3.0
RP516: 6/4/2009 10:01:44 PM - Software Distribution Service 3.0
RP517: 6/5/2009 1:32:40 AM - Software Distribution Service 3.0
RP518: 6/5/2009 8:26:45 AM - Software Distribution Service 3.0
RP519: 6/5/2009 10:35:30 PM - Software Distribution Service 3.0
RP520: 6/6/2009 12:36:50 AM - Software Distribution Service 3.0
RP521: 6/6/2009 5:25:54 PM - Software Distribution Service 3.0
RP522: 6/7/2009 5:35:08 AM - Software Distribution Service 3.0
RP523: 6/8/2009 1:28:28 AM - Software Distribution Service 3.0
RP524: 6/8/2009 8:05:03 AM - Software Distribution Service 3.0
RP525: 6/8/2009 11:14:10 PM - Software Distribution Service 3.0
RP526: 6/9/2009 12:40:59 AM - Software Distribution Service 3.0
RP527: 6/9/2009 11:51:37 AM - Software Distribution Service 3.0
RP528: 6/9/2009 9:59:46 PM - Software Distribution Service 3.0
RP529: 6/11/2009 2:38:11 PM - System Checkpoint
RP530: 6/11/2009 5:14:58 PM - Software Distribution Service 3.0
RP531: 6/11/2009 8:34:03 PM - Software Distribution Service 3.0
RP532: 6/11/2009 9:39:06 PM - Software Distribution Service 3.0
RP533: 6/12/2009 10:15:59 AM - Software Distribution Service 3.0
RP534: 6/12/2009 7:36:43 PM - Installed Windows Media Format Runtime
RP535: 6/12/2009 7:42:03 PM - Software Distribution Service 3.0
RP536: 6/12/2009 7:53:04 PM - Software Distribution Service 3.0
RP537: 6/12/2009 9:39:03 PM - Software Distribution Service 3.0
RP538: 6/13/2009 11:07:20 AM - Software Distribution Service 3.0
RP539: 6/13/2009 11:40:34 AM - Software Distribution Service 3.0
RP540: 6/13/2009 5:29:48 PM - Software Distribution Service 3.0
RP541: 6/13/2009 9:17:30 PM - Software Distribution Service 3.0
RP542: 6/14/2009 2:22:00 AM - Software Distribution Service 3.0
RP543: 6/14/2009 11:07:21 AM - Software Distribution Service 3.0
RP544: 6/14/2009 12:29:43 PM - Removed Apple Mobile Device Support
RP545: 6/14/2009 2:43:14 PM - Software Distribution Service 3.0
RP546: 6/14/2009 4:36:09 PM - Software Distribution Service 3.0
RP547: 6/14/2009 7:28:13 PM - Software Distribution Service 3.0
RP548: 6/14/2009 8:31:58 PM - Software Distribution Service 3.0
RP549: 6/15/2009 2:09:10 AM - Software Distribution Service 3.0

==== Installed Programs ======================

32 Bit HP CIO Components Installer
AAC Decoder
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9
Adobe Shockwave Player
Advertisement Service
Any Video Converter 2.7.5
Apple Mobile Device Support
Apple Software Update
AT&T U-verse Setup
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AutoUpdate
AVG Free 8.5
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
Bonjour
BPD_Scan
BPDSoftware
CCleaner (remove only)
Compatibility Pack for the 2007 Office system
Conexant D850 56K V.9x DFVc Modem
Coupon Printer for Windows
Dell Resource CD
Diner Dash - Flo on the Go
Diner Dash 2 (remove only)
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DriverMax 4
EA SPORTS online 2006
Enterprise
ESET Online Scanner v3
ExamView Pro
FIFA 06
Freelancer
Full Tilt Poker
GameSpy Arcade
Google Toolbar for Internet Explorer
Google Update Helper
H.264 Decoder
High Definition Audio Driver Package - KB835221
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
HP Officejet J5700 AiO Series Corporate Edition 8.0
Intel® PRO Network Connections Drivers
iTunes
Java™ 6 Update 4
Java™ 6 Update 7
Juniper Terminal Services Client
Malwarebytes' Anti-Malware
Microsoft Age of Empires Gold
Microsoft Game Studios Common Redistributables Pack 1
Microsoft Halo Trial
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
MKV Splitter
Move Media Player
Mozilla Firefox (3.5.2)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
OpenOffice.org 2.4
Pixillion Image Converter
Prism Video Converter
QuickTime
Reg Tool
Scan
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SigmaTel Audio
Sophos Anti-Rootkit 1.5.0
Spybot - Search & Destroy
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.762
Veoh Web Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows XP Hotfix - KB839210

==== Event Viewer Messages From Past Week ========

8/28/2009 6:26:55 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate1c9e4a25ae1ac06) service to connect.
8/28/2009 6:26:55 PM, error: Service Control Manager [7000] - The Google Update Service (gupdate1c9e4a25ae1ac06) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/28/2009 6:26:05 PM, error: ipnathlp [30013] - The DHCP allocator has disabled itself on IP address 192.168.1.64, since the IP address is outside the 192.168.0.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, please change the scope to include the IP address, or change the IP address to fall within the scope.
8/28/2009 5:26:32 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070003: Security Update for Windows XP (KB954600).

==== End Of File ===========================


RootRepeal log. I wasn't able to close my Spybot Search & Destroy. It wouldn't open at all, but I think that's the virus.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/03 19:22
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\windows\System32\Drivers\dump_atapi.sys
Address: 0xF414C000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\windows\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A9F000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal5.sys
Image Path: C:\windows\system32\drivers\rootrepeal5.sys
Address: 0xF117A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Prefetch\SPYBOTSD.EXE-1344276B.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACldkktsrnnp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmvxewbmxes.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACsrtalrmtkl.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACswwxvrwcud.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACthewxnridw.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACuwqeeakqdt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxjspuxxnos.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC3f94.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC4215.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC4a42.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC55a1.tmp
Status: Invisible to the Windows API!

Path: C:\Program Files\Yahoo! Games\Diner Dash 2\dinerdash2.exe:{F1705B93-F690-79BE-DA38-923A3E667457}
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\UACbcetbdmdby.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\UAC931f.tmp
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: winlogon.exe (PID: 664) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: services.exe (PID: 708) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: lsass.exe (PID: 720) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: Ati2evxx.exe (PID: 896) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: svchost.exe (PID: 912) Address: 0x00740000 Size: 49152

Object: Hidden Module [Name: UACuwqeeakqdt.dll]
Process: svchost.exe (PID: 912) Address: 0x008e0000 Size: 73728

Object: Hidden Module [Name: UAC4a42.tmpvrwcud.dll]
Process: svchost.exe (PID: 912) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAC4a42.tmpvrwcud.dll]
Process: svchost.exe (PID: 1148) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAC4a42.tmpvrwcud.dll]
Process: svchost.exe (PID: 1428) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAC4a42.tmpvrwcud.dll]
Process: svchost.exe (PID: 1656) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAC4a42.tmpvrwcud.dll]
Process: svchost.exe (PID: 1788) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: spoolsv.exe (PID: 2032) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: Explorer.EXE (PID: 412) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: jusched.exe (PID: 612) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: avgtray.exe (PID: 628) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: iTunesHelper.exe (PID: 724) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: GoogleToolbarNotifier.exe (PID: 1000) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: veohwebplayer.exe (PID: 1008) Address: 0x00ee0000 Size: 49152

Object: Hidden Module [Name: UAC4a42.tmpvrwcud.dll]
Process: svchost.exe (PID: 1264) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: AppleMobileDeviceService.exe (PID: 1332) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: avgwdsvc.exe (PID: 1436) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: mDNSResponder.exe (PID: 1508) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: avgrsx.exe (PID: 1884) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: avgnsx.exe (PID: 1856) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAC4a42.tmpvrwcud.dll]
Process: svchost.exe (PID: 1492) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: McciCMService.exe (PID: 1940) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAC4a42.tmpvrwcud.dll]
Process: svchost.exe (PID: 1080) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAC4a42.tmpvrwcud.dll]
Process: svchost.exe (PID: 1076) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAC4a42.tmpvrwcud.dll]
Process: svchost.exe (PID: 1032) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: avgemc.exe (PID: 984) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: avgcsrvx.exe (PID: 2084) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: iPodService.exe (PID: 2292) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: alg.exe (PID: 2872) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAC4a42.tmpvrwcud.dll]
Process: svchost.exe (PID: 3180) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: wuauclt.exe (PID: 3060) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACswwxvrwcud.dll]
Process: firefox.exe (PID: 3932) Address: 0x01060000 Size: 217088

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: jucheck.exe (PID: 3796) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: notepad.exe (PID: 3368) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: notepad.exe (PID: 420) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: RootRepeal(5).exe (PID: 3284) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACswwxvrwcud.dll]
Process: Iexplore.exe (PID: 2692) Address: 0x10000000 Size: 217088

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\windows\system32\drivers\UACbcetbdmdby.sys

==EOF==

#4 htv8

htv8

  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:00 AM

Posted 04 September 2009 - 05:42 AM

Hello there, stlleader.

The TDSS Trojan Horse is a backdoor/rootkit trojan. Such a piece of malware allows hackers to remotely control your computer, steal critical system information and download and execute files.

Rootkits and backdoor trojans are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your antivirus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer until the computer can be cleaned. Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:

Though the backdoor has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:

If you choose to format and reinstall, see these links for instructions: Reformatting Windows XP (by wng_z3ro), MIT IS&T - Windows XP: Clean Install. However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat. If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.

If you decide to go through with the cleanup, please proceed with the following steps.



Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.


Uninstall some programs using Add or Remove Programs:
  • Click Start on the taskbar, then click on the Control Panel icon.
  • Double-click the Add or Remove Programs icon.
    • A list of programs installed will be "populated"; this may take a bit of time.
  • Uninstall the following programs by clicking on the following entries and selecting Remove (or Change/Remove):
    • Advertisement Service
    • AutoUpdate

Download and run sUBs' ComboFix:
  • Please download ComboFix from any of the links below. * IMPORTANT! Save ComboFix.exe to your Desktop but rename it to stlleader.exe
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double-click stlleader.exe and follow the prompts. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. Once installed, you should see a screen prompt that says: "The Recovery Console was successfully installed.".
  • Click Yes to allow ComboFix to continue scanning for malware.
    NOTE: Do NOT mouseclick ComboFix's window whilst it's running. That may cause your system to hang!
  • When finished, ComboFix shall produce a log for you (located at C:\ComboFix.txt). Post the entire contents of that report in your next reply for further review, along with the Add-Remove Programs.txt log which can be found at C:\Qoobox.

GENERAL WARNING: Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your Operating System such as preventing it from ever starting again. Also see ComboFix's disclaimer.




So in your next post, please let me know what you have decided to do. If you decided to go through with the cleanup, please post the entire contents of:
  • C:\ComboFix.txt (the ComboFix log)
  • C:\Qoobox\Add-Remove Programs.txt

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

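The RootRepeal output posted above, read the way the reply reads it (files invisible to the Windows API, one hidden module injected into many processes, a hidden service whose driver file is itself hidden), as an added triage script that is not part of the original thread and not RootRepeal's own code. The report excerpt is constructed in the posted log's layout, and the allowlist of drivers that routinely show "File Visible: No" is an assumption made for this example.

```python
import os
import re
from collections import defaultdict

# Constructed excerpt in the layout of the RootRepeal 1.3.5 report posted above (representative records only).
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\windows\System32\Drivers\dump_atapi.sys
Address: 0xF414C000 Size: 98304 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\UACmvxewbmxes.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACbcetbdmdby.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: winlogon.exe (PID: 664) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: services.exe (PID: 708) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmvxewbmxes.dll]
Process: lsass.exe (PID: 720) Address: 0x10000000 Size: 49152

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\windows\system32\drivers\UACbcetbdmdby.sys

==EOF==
"""

SECTION_RE = re.compile(r"^(Drivers|Hidden/Locked Files|Stealth Objects|Hidden Services)$")
FIELD_RE = re.compile(r"(Size|File Visible|Signed|PID): ([^\s\)\]]+)")  # several 'Key: value' pairs packed on one line
MODULE_RE = re.compile(r"\[Name: ([^\]]+)\]")
# XP crash-dump drivers are in-memory copies with no file of that name, and the scanner loads its own
# driver; both routinely show "File Visible: No". This allowlist is an assumption made for the example.
BENIGN_DRIVER_PREFIXES = ("dump_", "rootrepeal")


def parse_report(text):
    """Split the report into sections; each record becomes a dict of its 'Key: value' lines."""
    sections, current, record = {}, None, {}
    for line in text.splitlines():
        if SECTION_RE.match(line):
            current, record = line, {}
            sections[current] = []
            continue
        if current is None or line.startswith(("---", "==")):
            continue                      # banner, heading underline, ==EOF==
        if not line.strip():              # a blank line closes the record
            if record:
                sections[current].append(record)
            record = {}
            continue
        key, _, value = line.partition(": ")
        record[key] = value
    if record and current:
        sections[current].append(record)
    return sections


def triage(text, min_processes=3):
    """Pull out the cross-view discrepancies and correlate them the way the reply above does."""
    s = parse_report(text)
    invisible = [r["Path"] for r in s.get("Hidden/Locked Files", [])
                 if r.get("Status", "").startswith("Invisible")]
    suspect_drivers = [r["Name"] for r in s.get("Drivers", [])
                       if dict(FIELD_RE.findall(r.get("Address", ""))).get("File Visible") == "No"
                       and not r["Name"].lower().startswith(BENIGN_DRIVER_PREFIXES)]
    injected = defaultdict(set)           # hidden module name -> processes it was found in
    for r in s.get("Stealth Objects", []):
        m = MODULE_RE.search(r.get("Object", ""))
        if m and "Process" in r:
            injected[m.group(1)].add(r["Process"].split(" (")[0])
    widespread = {n: sorted(p) for n, p in injected.items() if len(p) >= min_processes}
    # A hidden service whose image file is itself API-invisible: the driver hides its own persistence.
    hidden_service_drivers = {r["Service Name"]: r["Image Path"] for r in s.get("Hidden Services", [])
                              if r.get("Image Path", "").lower() in {p.lower() for p in invisible}}
    return {
        "api_invisible_files": invisible,
        "suspect_drivers": suspect_drivers,
        "widespread_modules": widespread,
        "hidden_service_drivers": hidden_service_drivers,
        # one family usually shares a filename prefix (here the UAC* names)
        "common_prefix": os.path.commonprefix([p.rsplit("\\", 1)[-1] for p in invisible]),
    }


def verdict(result):
    """Reduce the indicators to the call made in the reply above."""
    if result["hidden_service_drivers"] or result["widespread_modules"]:
        return "kernel rootkit with system-wide injection: treat the host as fully compromised"
    if result["api_invisible_files"] or result["suspect_drivers"]:
        return "cross-view discrepancy: objects hidden from the Windows API"
    return "no rootkit indicators in this report"
```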

#5 stlleader

stlleader
  • Topic Starter

  • Members
  • 25 posts
  • Local time:07:00 PM

Posted 04 September 2009 - 12:20 PM

I'll clean the computer instead of reformatting it.

When I went to Add/Remove Programs for the Advertisement Service, it said it may already be removed and asked me if I wanted to remove it from the list, so I did so. There also wasn't an AutoUpdate, but there was an AVS Update Manager 1.0. I didn't remove it though.

Again, I wasn't able to open my Spybot Search & Destroy or my Malwarebytes Anti-Malware. It wouldn't open at all, but I think that's the virus.

When I went to install the Microsoft Windows Recovery Console, I got an error that said C:/Boot.ini is not correctly formatted. I still went on with the scan. I also couldn't find my XP CD to try and install the Microsoft Windows Recovery Console.

Here is the Combofix log

ComboFix 09-09-03.02 - Everybody 09/04/2009 12:10.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.626 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\stlleader.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Downloaded Installers
c:\program files\Downloaded Installers\{007DD97C-36DC-4C25-9B1C-7D22AC483D50}\setup.msi
c:\windows\system32\drivers\UACbcetbdmdby.sys
c:\windows\system32\UACfvimhpkbpr.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACldkktsrnnp.dll
c:\windows\system32\UACmvxewbmxes.dll
c:\windows\system32\UACsrtalrmtkl.db
c:\windows\system32\UACswwxvrwcud.dll
c:\windows\system32\UACthewxnridw.log
c:\windows\system32\UACuwqeeakqdt.dll
c:\windows\system32\UACxjspuxxnos.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))
.

2009-09-02 02:15 . 2009-09-02 02:15 -------- d-----w- c:\program files\MSECache
2009-08-23 15:19 . 2009-08-23 15:19 34816 ----a-w- c:\windows\system32\drivers\rootrepeal3.sys
2009-08-20 00:13 . 2009-08-20 00:13 -------- d-----w- c:\program files\Sophos
2009-08-18 00:30 . 2009-08-18 00:30 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-08-11 23:36 . 2009-08-11 23:36 -------- d-----w- c:\windows\ServicePackFiles
2009-08-08 07:47 . 2009-08-08 07:50 -------- d-----w- C:\leexplore
2009-08-08 07:45 . 2009-08-30 17:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Reg Tool
2009-08-08 07:45 . 2009-08-30 17:00 -------- d-----w- c:\program files\Reg Tool
2009-08-08 07:13 . 2009-08-08 07:13 -------- d-----w- c:\program files\ESET
2009-08-08 07:08 . 2009-03-09 19:06 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-08 07:05 . 2009-03-09 19:06 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-08 07:05 . 2009-08-08 07:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-08-08 07:05 . 2009-08-08 07:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-08 07:05 . 2009-08-08 07:05 -------- d-----w- c:\program files\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 16:39 . 2009-03-18 23:42 -------- d-----w- c:\program files\Full Tilt Poker
2009-09-02 04:06 . 2008-12-21 23:46 70864 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-24 21:09 . 2008-08-30 22:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-24 21:09 . 2008-08-30 22:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-24 21:09 . 2008-08-30 22:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-16 06:54 . 2008-12-22 00:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-09 06:28 . 2008-08-30 22:00 -------- d-----w- c:\program files\Google
2009-08-07 17:42 . 2008-08-30 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-05 09:11 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 01:35 . 2009-01-28 01:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Move Networks
2009-08-03 18:36 . 2008-12-22 00:01 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2008-12-22 00:01 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-01 19:11 . 2009-08-01 19:08 -------- d-----w- c:\program files\Common Files\Motive
2009-08-01 19:08 . 2009-08-01 19:08 -------- d-----w- c:\program files\att-r9
2009-08-01 19:08 . 2009-08-01 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-08-01 19:08 . 2009-08-01 19:08 -------- d-----w- c:\program files\ATT-R9-WISE
2009-07-31 14:16 . 2009-03-21 17:47 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-26 21:17 . 2009-07-26 21:17 -------- d-----w- c:\program files\iTunes
2009-07-26 21:17 . 2009-07-26 21:17 -------- d-----w- c:\program files\iPod
2009-07-26 21:17 . 2009-05-08 01:03 -------- d-----w- c:\program files\Common Files\Apple
2009-07-17 18:55 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 07:18 . 2004-08-04 10:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 13:05 . 2008-08-30 23:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-07-06 23:17 . 2009-07-02 01:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Any Video Converter
2009-06-26 16:18 . 2006-03-04 03:33 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 18:36 . 2004-08-04 10:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2004-08-04 10:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2004-08-04 10:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2004-08-04 10:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2004-08-04 10:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2004-08-04 10:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2004-08-04 10:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2004-08-04 10:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2004-08-04 10:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2004-08-04 10:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2004-08-04 10:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-22 11:49 . 2004-08-04 10:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2004-08-04 10:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2004-08-04 10:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2004-08-04 10:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-16 14:55 . 2004-08-04 10:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2004-08-04 10:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 11:50 . 2004-08-04 10:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-08-04 10:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-08-04 10:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-17 68856]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-05-19 3561720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-24 2007832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-24 21:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/8/2009 2:05 AM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/30/2008 5:04 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/30/2008 5:04 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/30/2008 5:04 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/30/2008 5:04 PM 297752]
S2 gupdate1c9e4a25ae1ac06;Google Update Service (gupdate1c9e4a25ae1ac06);c:\program files\Google\Update\GoogleUpdate.exe [6/3/2009 6:23 PM 133104]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [1/10/2009 3:51 PM 547744]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 951632]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\2.tmp --> c:\windows\system32\2.tmp [?]
S3 rootrepeal3;rootrepeal3;c:\windows\system32\drivers\rootrepeal3.sys [8/23/2009 10:19 AM 34816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-08-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 23:23]

2009-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 23:23]

2009-09-02 c:\windows\Tasks\Reg Tool Scan.job
- c:\program files\Reg Tool\Reg Tool.exe [2009-07-22 11:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xy8tyjcc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-04 12:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\2.tmp"
.
Completion time: 2009-09-04 12:16
ComboFix-quarantined-files.txt 2009-09-04 17:16
ComboFix2.txt 2009-08-08 07:50
ComboFix3.txt 2009-08-08 06:43

Pre-Run: 277,847,416,832 bytes free
Post-Run: 278,776,262,656 bytes free

190 --- E O F --- 2009-09-04 05:38


Here is the Add/Remove log

32 Bit HP CIO Components Installer
AAC Decoder
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9
Adobe Shockwave Player
Any Video Converter 2.7.5
Apple Mobile Device Support
Apple Software Update
AT&T U-verse Setup
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AutoUpdate
AVG Free 8.5
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
Bonjour
BPD_Scan
BPDSoftware
CCleaner (remove only)
Compatibility Pack for the 2007 Office system
Conexant D850 56K V.9x DFVc Modem
Coupon Printer for Windows
Dell Resource CD
Diner Dash - Flo on the Go
Diner Dash 2 (remove only)
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DriverMax 4
EA SPORTS online 2006
Enterprise
ESET Online Scanner v3
ExamView Pro
FIFA 06
Freelancer
Full Tilt Poker
GameSpy Arcade
Google Toolbar for Internet Explorer
Google Update Helper
H.264 Decoder
High Definition Audio Driver Package - KB835221
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
HP Officejet J5700 AiO Series Corporate Edition 8.0
Intel® PRO Network Connections Drivers
iTunes
Java™ 6 Update 4
Java™ 6 Update 7
Juniper Terminal Services Client
Malwarebytes' Anti-Malware
Microsoft Age of Empires Gold
Microsoft Game Studios Common Redistributables Pack 1
Microsoft Halo Trial
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
MKV Splitter
Move Media Player
Mozilla Firefox (3.5.2)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
OpenOffice.org 2.4
Pixillion Image Converter
Prism Video Converter
QuickTime
Reg Tool
Scan
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SigmaTel Audio
Sophos Anti-Rootkit 1.5.0
Spybot - Search & Destroy
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.762
Veoh Web Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows XP Hotfix - KB839210

#6 htv8


Posted 05 September 2009 - 01:50 AM

Hello again, stlleader. :) We're making good progress!

[..] There also wasn't an Auto Update [..]

Are you really 100% sure about that? Please look once more for AutoUpdate in Add or Remove Programs and if it is there, remove it following the instructions of my previous post. If you still aren't able to find it, you can just continue and we will try something else later on.



Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.


1. Clean out some temporary data with ATF Cleaner:
  • Download ATF Cleaner by Atribune and save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under the Main tab (at the top of the screen) - Select Files to Delete, put a checkmark in the checkbox labelled "Select All".
  • Click on the Empty Selected button.

    If you use the Mozilla Firefox browser:
  • Click on the Firefox tab at the top and put a checkmark in the checkbox labelled "Select All".
  • Click on the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use the Opera browser:
  • Click on the Opera tab at the top and put a checkmark in the checkbox labelled "Select All".
  • Click on the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click the Exit button on the Main menu to close the program.

    For technical support, double-click the e-mail address located at the bottom of each menu.
2. Run a scan with Malwarebytes' Anti-Malware (MbAM), following these instructions:
  • IMPORTANT: MbAM may "make changes to the registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e., Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Using My Computer or Windows Explorer (Windows KEY+E), navigate to C:\Program Files\Malwarebytes' Anti-Malware
  • Within the Malwarebytes' Anti-Malware directory, rename mbam.exe to fluffybunny.exe (right-click -> Rename).
  • Make sure you are connected to the Internet.
  • Launch Malwarebytes' Anti-Malware by double-clicking fluffybunny.exe
  • Once the program is started, click the Update tab.
  • Click the Check for Updates button in order to update the program before performing a scan. If an update is found, the program will automatically update itself.
  • Once the program states that it has finished its update, press the OK button to close that information box and continue.
    NOTE: If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab, make sure the "Perform quick scan" option is selected; then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress (Scan type: Quick Scan)" will show at the top. It may take some time to complete, so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found."; click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected. When removal is completed, a log report will open in Notepad. The log is automatically saved and can be viewed by clicking the Logs tab in MbAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MbAM's database version and your Operating System.
  • Exit MbAM when done.

    NOTE: If MbAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MbAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into Safe Mode) will prevent MbAM from removing all the malware.
3. Create a fresh RootRepeal report.
4. Create a log with SystemLook:
  • Download jpshortstuff's SystemLook from one of the links below and save it to your Desktop.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click SystemLook.exe to run SystemLook.
  • Copy the entire contents inside the CODE box below into the box provided:
    :dir
    C:\leexplore /s
  • Click the Look button to start the scan. When finished, a Notepad window will open with the results of the scan.
  • Post the entire contents of the created log in your next reply. NOTE: The log can be found on your Desktop entitled SystemLook.txt
5. Open up the boot.ini file and provide its contents:
  • Go to Start -> Run... and in the "Open:" box that opens, copy & paste the following command (the entire blue-colored text):
    Notepad C:\Boot.ini
  • Click OK or press Enter.
  • Please provide the entire contents of the Notepad file that opens in your next reply.


In your next reply, please post the entire contents of:
  • the MbAM report
  • the fresh RootRepeal log
  • SystemLook.txt
  • C:\boot.ini
NOTE: Use several posts if necessary to include everything in your reply.

One more question: I can see that ComboFix has been run twice before. Did it find anything back then when it was run?
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#7 stlleader


Posted 05 September 2009 - 02:20 PM

The first two times ComboFix didn't really do anything. That was probably due to the fact that I didn't know what I was doing.

Here is the MbAM report
Malwarebytes' Anti-Malware 1.40
Database version: 2745
Windows 5.1.2600 Service Pack 2

9/5/2009 1:57:58 PM
mbam-log-2009-09-05 (13-57-58).txt

Scan type: Quick Scan
Objects scanned: 87422
Time elapsed: 2 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 stlleader


Posted 05 September 2009 - 02:21 PM

Here's the fresh RootRepeal log

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/05 14:00
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\windows\System32\Drivers\dump_atapi.sys
Address: 0xF4877000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\windows\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7ABF000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal6.sys
Image Path: C:\windows\system32\drivers\rootrepeal6.sys
Address: 0xF1526000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Program Files\Yahoo! Games\Diner Dash 2\dinerdash2.exe:{F1705B93-F690-79BE-DA38-923A3E667457}
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf75b587e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf75b5c10

==EOF==

Here's the SystemLook.txt

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 14:17 on 05/09/2009 by Everybody (Administrator - Elevation successful)

========== dir ==========

C:\leexplore - Parameters: "/s"

---Files---
None found.

No folders found.

-=End Of File=-

The C:\boot.ini was empty. The log was blank.

#9 htv8


Posted 06 September 2009 - 05:41 PM

Hello again, stlleader. :thumbup2:

How's the computer running? Running any better?

We are not done yet though. It looks like your boot.ini is corrupted/invalid, something that needs reparation. Question: Do you have the original Microsoft Windows XP Installation CD with you? Or do you instead have a system recovery CD (not a Microsoft CD)? Please let me know which one you've got.

Please also let me know if you were able to find/remove AutoUpdate within Add or Remove Programs this time.



Create a log with SystemLook:
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click SystemLook.exe to run jpshortstuff's SystemLook again.
  • Copy the entire contents inside the CODE box below into the box provided:
    :filefind
    boot.*
  • Click the Look button to start the scan.
    • When finished, a Notepad window will open with the results of the scan.
  • Post the entire contents of the created log in your next reply. NOTE: The log can be found on your Desktop entitled SystemLook.txt

Edited by htv8, 06 September 2009 - 05:42 PM.
typo

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#10 stlleader


Posted 07 September 2009 - 08:36 PM

The computer is running a lot better. It doesn't say Google has experienced an error anymore. It also does redirect me to other sites.

I still could find the auto update thing in Add or Remove Programs.

I should have both CDs; I just have to find them.

Here's the log.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 20:31 on 07/09/2009 by Everybody (Administrator - Elevation successful)

========== filefind ==========

Searching for "boot.*"
C:\boot.ini ---hs- 211 bytes [16:29 30/08/2008] [22:55 21/12/2008] 4F77E9239AEAE4A2E6712352BED67091
C:\WINDOWS\pss\boot.ini.backup ------ 211 bytes [22:55 21/12/2008] [22:55 21/12/2008] 4F77E9239AEAE4A2E6712352BED67091

-=End Of File=-
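The two SystemLook filefind lines above carry the attribute flags, size, timestamps and MD5 of boot.ini and of the backup under C:\WINDOWS\pss. The parser below is an added example (not part of the thread, and not SystemLook's own code) that extracts those fields and reports whether the backup is a byte-identical copy, which is the question a helper has to answer before suggesting a restore; the letter-to-attribute mapping and the note text are assumptions of this example.

```python
"""Parse SystemLook ':filefind' output and compare a file with its backup."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: a copy of the SystemLook log posted above.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 20:31 on 07/09/2009 by Everybody (Administrator - Elevation successful)

========== filefind ==========

Searching for "boot.*"
C:\boot.ini ---hs- 211 bytes [16:29 30/08/2008] [22:55 21/12/2008] 4F77E9239AEAE4A2E6712352BED67091
C:\WINDOWS\pss\boot.ini.backup ------ 211 bytes [22:55 21/12/2008] [22:55 21/12/2008] 4F77E9239AEAE4A2E6712352BED67091

-=End Of File=-
"""

# A result line looks like:
#   <drive path> <6-char attribute field> <size> bytes [<created>] [<modified>] <MD5>
# Header lines, the "Searching for" line and the EOF marker do not match.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<attrs>[-a-z]{6})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]*)\]\s+"
    r"\[(?P<modified>[^\]]*)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Letters in the attribute field read as the attrib.exe letters; mapping them
# to these names is an assumption of this example, not SystemLook's documentation.
ATTR_NAMES = {"r": "read-only", "a": "archive", "h": "hidden", "s": "system"}


@dataclass
class FileRecord:
    path: str
    size: int
    created: str
    modified: str
    md5: str
    flags: frozenset


def parse_attrs(attrs: str) -> frozenset:
    """'-' means the flag is clear; any other letter is a set attribute."""
    return frozenset(ATTR_NAMES.get(c, c) for c in attrs if c != "-")


def parse_filefind(text: str) -> List[FileRecord]:
    """Return one FileRecord per result line; everything else is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append(FileRecord(
            path=m["path"], size=int(m["size"]), created=m["created"],
            modified=m["modified"], md5=m["md5"].upper(),
            flags=parse_attrs(m["attrs"]),
        ))
    return records


def find(records: List[FileRecord], path: str) -> Optional[FileRecord]:
    """Case-insensitive path lookup (NTFS paths are case-insensitive)."""
    for r in records:
        if r.path.lower() == path.lower():
            return r
    return None


def compare_backup(records: List[FileRecord], live_path: str,
                   backup_path: str) -> Dict[str, object]:
    """Decide whether the backup is a byte-identical copy of the live file."""
    live, backup = find(records, live_path), find(records, backup_path)
    if live is None or backup is None:
        return {"found_both": False, "identical": False,
                "notes": ["one of the two files is not in the log"]}
    notes = []
    same_size = live.size == backup.size
    same_hash = live.md5 == backup.md5
    if live.size == 0:
        notes.append("live file is zero bytes; this boot.ini is invalid")
    if live.flags & {"hidden", "system"}:
        notes.append("live file is " + ", ".join(sorted(live.flags))
                     + " (boot.ini carries these attributes by default)")
    if same_size and same_hash:
        notes.append("backup has the same size and MD5: restoring it changes nothing")
    elif same_size:
        notes.append("same size but different MD5: contents differ, inspect before restoring")
    else:
        notes.append("sizes differ")
    return {"found_both": True, "same_size": same_size,
            "identical": same_size and same_hash, "notes": notes}


if __name__ == "__main__":
    recs = parse_filefind(SAMPLE_LOG)
    for note in compare_backup(recs, r"C:\boot.ini",
                               r"C:\WINDOWS\pss\boot.ini.backup")["notes"]:
        print(note)
```

On the log above this reports an identical backup, which is why restoring boot.ini.backup could not have helped and the thread moves on to rebuilding the file instead.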

#11 htv8


Posted 08 September 2009 - 02:39 AM

Hello again!

[..] It also does redirect me to other sites

Does or does not?

I still could find the auto update thing in add or remove programs.

Could or couldn't?

With the instructions below, I want you to once more open up C:\boot.ini and provide its contents. After that, I would like to see the contents of the boot.ini.backup file to determine if we can restore the current boot.ini from that one... Please perform the instructions below.



Make sure to work through the instructions in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.

1. Open up the boot.ini file and provide its contents:
  • Go to Start -> Run... and in the "Open:" box that opens, copy & paste the following command (the entire blue-colored text):
    Notepad C:\boot.ini
  • Click OK or press Enter.
  • Please provide the entire contents of the Notepad file that opens in your next reply.
2. Open up the boot.ini.backup file and provide its contents:
  • Go to Start -> Run... and in the "Open:" box that opens, copy & paste the following command (the entire blue-colored text):
    Notepad C:\WINDOWS\pss\boot.ini.backup
  • Click OK or press Enter.
  • Please provide the entire contents of the Notepad file that opens in your next reply.


In your next reply, please post the entire contents of:
  • boot.ini
  • boot.ini.backup

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#12 stlleader


Posted 08 September 2009 - 07:00 PM

Sorry for the mix-up. It doesn't redirect me to other sites anymore, and I couldn't find the auto update.

Both of the logs were blank.

#13 htv8


Posted 09 September 2009 - 12:18 PM

OK, please give me a bit of time to write up further instructions. I will get back to you as soon as possible. :thumbup2:
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#14 htv8


Posted 10 September 2009 - 09:27 AM

Hello again. :)



Make sure to work through the instructions in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.

1. Reboot into the Recovery Console:
  • Insert the Windows XP CD into your computer.
  • Restart the computer and press any key when the computer prompts to press a key in order to boot from the CD. (NOTE: You may need to adjust the boot order in the computer's BIOS to let the CD boot before the hard drive. Check the system documentation or ask here for help if needed.)
  • Follow the setup prompts to load the basic Windows startup files, and at the "Welcome To Setup" screen press R to start the Recovery Console.
  • Enter the number (most likely 1) of the Windows installation you want to access from within the Recovery Console.
  • When prompted, type the Administrator password and press Enter. If you're using the Recovery Console on a system running Windows XP Home Edition, this password is blank by default, so just press Enter.
2. Rebuild the Windows boot.ini file from within the Recovery Console:
  • To start the boot.ini rebuild process, type the following at the Command Prompt and press Enter afterwards: bootcfg /rebuild
    NOTE: There is a space between "bootcfg" and "/rebuild".
  • When you receive a message that is similar to the following message, press Y and hit Enter:
    Total Identified Windows Installs: 1
    [1] C:\Windows
    Add installation to boot list? (Yes/No/All)
  • You receive a message that is similar to the following message:
    Enter Load Identifier
    This is the name of the Operating System. When you receive this message, type the name of your Operating System (either Microsoft Windows XP Professional or Microsoft Windows XP Home Edition, depending on your Operating System), and then press Enter.
  • You receive a message that is similar to the following:
    Enter OS Load options
    When you receive this message, type /fastdetect and then press Enter.
  • Once you have completed the boot.ini rebuild process and are back at the Command Prompt, type exit and then press Enter to reboot the computer; then take the Windows XP CD out of the drive.
    NOTE: The instructions that appear on your screen may be different, depending on the configuration of your computer.
3. Open up the boot.ini file and provide its contents:
  • Once rebooted, go to Start -> Run... and in the "Open:" box that opens, copy & paste the following command (the entire blue-colored text):
    Notepad C:\boot.ini
  • Click OK or press Enter.
  • Please provide the entire contents of the Notepad file that opens in your next reply.

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#15 stlleader


Posted 13 September 2009 - 01:24 PM

Sorry for the late response; I had to find the CD and I finally did. I will do exactly what you said later today when I get back home. Again, sorry for the late response.



