Rootkit and backdoor trojan


This topic is locked.
1 reply to this topic

#1 kpigout

  • Members
  • 9 posts
  • OFFLINE
  • Location: San Antonio, TX.
  • Local time: 03:23 AM

Posted 28 August 2009 - 04:11 PM

DaChew told me to post my logs here after identifying my problem on the "Am I Infected" forum.

DDS:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 20:16:53.75 on Wed 08/26/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.111 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\delrb.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek usb wireless lan driver and utility\RtWLan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238531930296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\1j9gi6a9.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-1 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-1 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-1 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-2 297752]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2009-7-1 38144]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2009-7-1 235648]
RUnknown tqma;tqma; [x]

=============== Created Last 30 ================

2009-08-26 19:16 2,296 a------- c:\windows\system32\tmp.reg
2009-08-25 01:06 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-08-25 00:57 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-25 00:57 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-25 00:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-25 00:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-24 12:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-08-12 02:29 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 02:29 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-05 04:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-07-31 22:29 <DIR> --dsh--- c:\documents and settings\owner\PrivacIE

==================== Find3M ====================

2009-08-23 09:45 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-23 09:45 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 12:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-02 09:58 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-01 14:22 21,035 a------- c:\windows\system32\drivers\AegisP.sys
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 07:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 07:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 01:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll

============= FINISH: 20:17:47.03 ===============

Attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/31/2009 2:43:58 PM
System Uptime: 8/26/2009 7:55:19 PM (1 hours ago)

Motherboard: Dell Inc. | | 0G5611
Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2795/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 66.852 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP18: 8/26/2009 7:55:55 PM - Installed REALTEK USB Wireless LAN Driver and Utility
RP19: 8/26/2009 7:55:56 PM - Installed Microsoft Office 2000 SR-1 Small Business
RP20: 8/26/2009 7:55:56 PM - Installed AVG Free 8.0
RP21: 8/26/2009 7:55:56 PM - Software Distribution Service 3.0
RP22: 8/26/2009 7:55:56 PM - Avg8 Update
RP23: 8/26/2009 7:55:56 PM - Avg8 Update
RP24: 8/26/2009 7:55:56 PM - Removed OpenOffice.org 3.0
RP25: 8/26/2009 7:55:56 PM - Installed OpenOffice.org 3.1
RP26: 8/26/2009 7:55:56 PM - Removed Microsoft Office 2000 SR-1 Small Business
RP27: 8/26/2009 7:55:57 PM - Installed Microsoft Office 2000 SR-1 Small Business
RP28: 8/26/2009 7:55:57 PM - Removed Microsoft Office 2000 SR-1 Small Business
RP29: 8/26/2009 7:55:57 PM - Installed Microsoft Office 2000 SR-1 Small Business
RP30: 8/26/2009 7:55:57 PM - Removed Microsoft Office 2000 SR-1 Small Business
RP31: 8/26/2009 7:55:57 PM - Installed Microsoft Office 2000 SR-1 Small Business
RP32: 8/26/2009 7:55:57 PM - System Checkpoint
RP33: 8/26/2009 7:55:57 PM - System Checkpoint
RP34: 8/26/2009 7:55:57 PM - System Checkpoint
RP35: 8/26/2009 7:55:57 PM - Software Distribution Service 3.0
RP36: 8/26/2009 7:55:57 PM - System Checkpoint
RP37: 8/26/2009 7:55:58 PM - System Checkpoint
RP38: 8/26/2009 7:55:58 PM - Avg8 Update
RP39: 8/26/2009 7:55:58 PM - Avg8 Update
RP40: 8/26/2009 7:55:58 PM - System Checkpoint
RP41: 8/26/2009 7:55:58 PM - System Checkpoint
RP42: 8/26/2009 7:55:58 PM - System Checkpoint
RP43: 8/26/2009 7:55:58 PM - System Checkpoint
RP44: 8/26/2009 7:55:58 PM - System Checkpoint
RP45: 8/26/2009 7:55:59 PM - Software Distribution Service 3.0
RP46: 8/26/2009 7:55:59 PM - System Checkpoint
RP47: 8/26/2009 7:55:59 PM - System Checkpoint
RP48: 8/26/2009 7:55:59 PM - System Checkpoint
RP49: 8/26/2009 7:55:59 PM - System Checkpoint
RP50: 8/26/2009 7:55:59 PM - System Checkpoint
RP51: 8/26/2009 7:55:59 PM - System Checkpoint
RP52: 8/26/2009 7:55:59 PM - System Checkpoint
RP53: 8/26/2009 7:55:59 PM - System Checkpoint
RP54: 8/26/2009 7:55:59 PM - System Checkpoint
RP55: 8/26/2009 7:55:59 PM - System Checkpoint
RP56: 8/26/2009 7:55:59 PM - System Checkpoint
RP57: 8/26/2009 7:55:59 PM - System Checkpoint
RP58: 8/26/2009 7:55:59 PM - System Checkpoint
RP59: 8/26/2009 7:55:59 PM - Software Distribution Service 3.0
RP60: 8/26/2009 7:56:00 PM - System Checkpoint
RP61: 8/26/2009 7:56:00 PM - System Checkpoint
RP62: 8/26/2009 7:56:00 PM - System Checkpoint
RP63: 8/26/2009 7:56:00 PM - System Checkpoint
RP64: 8/26/2009 7:56:00 PM - System Checkpoint
RP65: 8/26/2009 7:56:00 PM - System Checkpoint
RP66: 8/26/2009 7:56:00 PM - System Checkpoint
RP67: 8/26/2009 7:56:00 PM - System Checkpoint
RP68: 8/26/2009 7:56:00 PM - Avg8 Update
RP69: 8/26/2009 7:56:00 PM - System Checkpoint
RP70: 8/26/2009 7:56:00 PM - System Checkpoint
RP71: 8/26/2009 7:56:00 PM - System Checkpoint
RP72: 8/26/2009 7:56:00 PM - System Checkpoint
RP73: 8/26/2009 7:56:00 PM - Software Distribution Service 3.0
RP74: 8/26/2009 7:56:00 PM - System Checkpoint
RP75: 8/26/2009 7:56:00 PM - System Checkpoint
RP76: 8/26/2009 7:56:00 PM - System Checkpoint
RP77: 8/26/2009 7:56:00 PM - System Checkpoint
RP78: 8/26/2009 7:56:00 PM - System Checkpoint
RP79: 8/26/2009 7:56:00 PM - System Checkpoint
RP80: 8/26/2009 7:56:00 PM - System Checkpoint
RP81: 8/26/2009 7:56:00 PM - System Checkpoint
RP82: 8/26/2009 7:56:00 PM - System Checkpoint
RP83: 8/26/2009 7:56:00 PM - restore point 1

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
AVG Free 8.5
Broadcom Gigabit Integrated Controller
Critical Update for Windows Media Player 11 (KB959772)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Intel® Graphics Media Accelerator Driver
Java™ 6 Update 15
Java™ 6 Update 7
LimeWire 4.18.0
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Small Business
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.2)
Nero OEM
OpenOffice.org 3.1
Pac-Manic Worlds ver 1.0
Pacxon ver 1.0
PowerDVD
REALTEK USB Wireless LAN Driver and Utility
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SoundMAX
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows XP (KB898461)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell™ 1.0
Windows Search 4.0
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

8/26/2009 7:14:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
8/26/2009 7:14:54 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
8/26/2009 7:14:54 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/26/2009 7:14:54 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/26/2009 7:14:54 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
8/26/2009 7:13:48 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
8/26/2009 7:05:03 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
8/26/2009 6:36:56 PM, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
8/26/2009 6:36:56 PM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
8/24/2009 11:23:08 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
8/24/2009 10:56:41 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm
8/24/2009 10:56:22 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

==== End Of File ===========================

Rootrepeal Log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/26 20:19
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAAACA000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A88000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAADE0000 Size: 49152 File Visible: No Signed: -
Status: -

Name: tfjwyg.sys
Image Path: C:\WINDOWS\system32\drivers\tfjwyg.sys
Address: 0xAADD0000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\UACcmjbrnboqo.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACcnqonpxrqc.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACdejoxqfvea.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmtkyfulkss.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACqkatxgwfwd.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC5f61.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC77cb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC7a7a.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACuulsxvaryt.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Temp\UACb967.tmp
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACcmjbrnboqo.dll]
Process: svchost.exe (PID: 1020) Address: 0x10000000 Size: 65536

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACuulsxvaryt.sys

==EOF==


#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,608 posts
  • OFFLINE
  • Gender: Male
  • Location: Virginia, USA
  • Local time: 04:23 AM

Posted 02 September 2009 - 09:38 PM

You have posted a hijackthis log here and are receiving assistance from me.

You should not post duplicate hijackthis logs at more than one forum. Nor should you ask for help from others while you are being instructed by someone helping you with a hijackthis log elsewhere. HJT Team helpers are all volunteers and the forums are extremely busy trying to assist members with malware removal. When you post duplicate logs at various sites this only adds to the already overextended workload and takes time away from others who too are seeking assistance but have to wait.

Further, following advice outside of that topic may cause confusion for the Helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer. Any actions or modifications you make afterwards can result in system changes which may not show in the log you already posted. If you followed any other advice already, please ensure you inform the HJT Helper who is assisting you with your log.

To avoid confusion, this topic is closed. If you still need assistance after your log has been reviewed and you have been cleared, please start a new topic. If you have any questions, please PM me or another moderator.

Thanks for your cooperation.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators