
Active rootkit problem


  • This topic is locked
23 replies to this topic

#1 jrizzle

Posted 30 August 2009 - 01:39 AM

Hello, I was redirected here from http://www.bleepingcomputer.com/forums/t/253527/help-wanted/. Like Blade said, I am unable to complete the DDS and full RootRepeal logs. Here is my partial RootRepeal log as well as my Win32kdiag log:


RootRepeal:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/29 20:41
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xBA128000 Size: 53248 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xB9F79000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2142208 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xB7D65000 Size: 138368 File Visible: - Signed: -
Status: -

Name: Apfiltr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
Address: 0xB9406000 Size: 180224 File Visible: - Signed: -
Status: -

Name: APPDRV.SYS
Image Path: C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
Address: 0xB7EB8000 Size: 16128 File Visible: - Signed: -
Status: -

Name: arp1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Address: 0xBA2C8000 Size: 60800 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xB9F31000 Size: 95360 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xBA747000 Size: 3072 File Visible: - Signed: -
Status: -

Name: avgldx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgldx86.sys
Address: 0xB7BB5000 Size: 328576 File Visible: - Signed: -
Status: -

Name: avgmfx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Address: 0xBA498000 Size: 21120 File Visible: - Signed: -
Status: -

Name: avgtdix.sys
Image Path: C:\WINDOWS\System32\Drivers\avgtdix.sys
Address: 0xB7DD0000 Size: 101888 File Visible: - Signed: -
Status: -

Name: b57xp32.sys
Image Path: C:\WINDOWS\system32\DRIVERS\b57xp32.sys
Address: 0xB9497000 Size: 176128 File Visible: - Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
Address: 0xBA4C0000 Size: 16384 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xBA5CE000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xBA4B8000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xBA318000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xBA1B8000 Size: 49536 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xBA0E8000 Size: 53248 File Visible: - Signed: -
Status: -

Name: CmBatt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Address: 0xBA578000 Size: 14080 File Visible: - Signed: -
Status: -

Name: compbatt.sys
Image Path: compbatt.sys
Address: 0xBA4BC000 Size: 9344 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xBA0D8000 Size: 36352 File Visible: - Signed: -
Status: -

Name: DLABMFSM.SYS
Image Path: C:\WINDOWS\System32\Drivers\DLABMFSM.SYS
Address: 0xBA3B0000 Size: 30720 File Visible: - Signed: -
Status: -

Name: DLABOIOM.SYS
Image Path: C:\WINDOWS\System32\Drivers\DLABOIOM.SYS
Address: 0xBA3B8000 Size: 26208 File Visible: - Signed: -
Status: -

Name: DLACDBHM.SYS
Image Path: DLACDBHM.SYS
Address: 0xBA5AC000 Size: 7936 File Visible: - Signed: -
Status: -

Name: DLADResM.SYS
Image Path: C:\WINDOWS\System32\Drivers\DLADResM.SYS
Address: 0xBA6A1000 Size: 2464 File Visible: - Signed: -
Status: -

Name: DLAIFS_M.SYS
Image Path: C:\WINDOWS\System32\Drivers\DLAIFS_M.SYS
Address: 0xB56F4000 Size: 102112 File Visible: - Signed: -
Status: -

Name: DLAOPIOM.SYS
Image Path: C:\WINDOWS\System32\Drivers\DLAOPIOM.SYS
Address: 0xBA3A8000 Size: 20576 File Visible: - Signed: -
Status: -

Name: DLAPoolM.SYS
Image Path: C:\WINDOWS\System32\Drivers\DLAPoolM.SYS
Address: 0xB7B99000 Size: 9664 File Visible: - Signed: -
Status: -

Name: DLARTL_M.SYS
Image Path: C:\WINDOWS\System32\Drivers\DLARTL_M.SYS
Address: 0xBA430000 Size: 23424 File Visible: - Signed: -
Status: -

Name: DLAUDF_M.SYS
Image Path: C:\WINDOWS\System32\Drivers\DLAUDF_M.SYS
Address: 0xB56C7000 Size: 91808 File Visible: - Signed: -
Status: -

Name: DLAUDFAM.SYS
Image Path: C:\WINDOWS\System32\Drivers\DLAUDFAM.SYS
Address: 0xB56DE000 Size: 86912 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xBA248000 Size: 61440 File Visible: - Signed: -
Status: -

Name: DRVMCDB.SYS
Image Path: DRVMCDB.SYS
Address: 0xB9E3C000 Size: 90976 File Visible: - Signed: -
Status: -

Name: DRVNDDM.SYS
Image Path: C:\WINDOWS\System32\Drivers\DRVNDDM.SYS
Address: 0xBA2F8000 Size: 43008 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7B75000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5F0000 Size: 8192 File Visible: No Signed: -
Status: -

Name: dwshd.sys
Image Path: dwshd.sys
Address: 0xB9D58000 Size: 183424 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xB934C000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxec02.sys
Image Path: C:\WINDOWS\system32\drivers\dxec02.sys
Address: 0xB809D000 Size: 103168 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xBA73F000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xBA2A8000 Size: 34944 File Visible: - Signed: -
Status: -

Name: fltMgr.sys
Image Path: fltMgr.sys
Address: 0xB9E53000 Size: 128896 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xBA5CA000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xB9F49000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
Address: 0xBA56C000 Size: 9984 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806E2000 Size: 134400 File Visible: - Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xB95D5000 Size: 155648 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xBA2D8000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xBA440000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xB91FF000 Size: 9600 File Visible: - Signed: -
Status: -

Name: HSF_CNXT.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Address: 0xB7EC4000 Size: 731136 File Visible: - Signed: -
Status: -

Name: HSF_DPV.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
Address: 0xB7F77000 Size: 989952 File Visible: - Signed: -
Status: -

Name: HSFHWAZL.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
Address: 0xB8069000 Size: 211200 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xB4AFD000 Size: 262784 File Visible: - Signed: -
Status: -

Name: i2omgmt.SYS
Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xBA5C6000 Size: 8192 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xBA188000 Size: 52736 File Visible: - Signed: -
Status: -

Name: iaStor.sys
Image Path: iaStor.sys
Address: 0xB9E73000 Size: 778240 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xBA1A8000 Size: 41856 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xBA148000 Size: 36096 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xB7DAF000 Size: 134912 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xB7E69000 Size: 74752 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xBA0A8000 Size: 35840 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xBA398000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xBA5A8000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xB3CF5000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xB9368000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xB9E25000 Size: 92544 File Visible: - Signed: -
Status: -

Name: Lbd.sys
Image Path: Lbd.sys
Address: 0xBA0F8000 Size: 57472 File Visible: - Signed: -
Status: -

Name: mdmxsdk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Address: 0xB539B000 Size: 12672 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xBA5D2000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xBA410000 Size: 30080 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xBA390000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xB91F7000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xBA0B8000 Size: 42240 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xB53A3000 Size: 179584 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xB7C06000 Size: 453632 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xBA458000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xBA208000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xBA59C000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xB9D10000 Size: 107904 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xB9D2B000 Size: 182912 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xBA588000 Size: 9600 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xB56B7000 Size: 12928 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB9329000 Size: 91776 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xBA228000 Size: 38016 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xBA288000 Size: 34560 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xB7D87000 Size: 162816 File Visible: - Signed: -
Status: -

Name: nic1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Address: 0xBA158000 Size: 61824 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xBA468000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xB9D85000 Size: 574464 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2142208 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xBA7A5000 Size: 2944 File Visible: - Signed: -
Status: -

Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF012000 Size: 5730304 File Visible: - Signed: -
Status: -

Name: nv4_mini.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Address: 0xB9632000 Size: 6835744 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xBA118000 Size: 61056 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xBA330000 Size: 18688 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xB9F68000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xBA670000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xBA328000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2142208 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xB80B7000 Size: 139264 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB9278000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xBA3D8000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xBA108000 Size: 36320 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xB9344000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xBA1D8000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xBA1E8000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xBA1F8000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xBA3E8000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2142208 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xB7C75000 Size: 174592 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xBA5D6000 Size: 4224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xBA1C8000 Size: 57472 File Visible: - Signed: -
Status: -

Name: rimmptsk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
Address: 0xBA168000 Size: 61440 File Visible: - Signed: -
Status: -

Name: rimsptsk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
Address: 0xBA178000 Size: 56832 File Visible: - Signed: -
Status: -

Name: rixdptsk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
Address: 0xB9432000 Size: 331776 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB3DA0000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xBA480000 Size: 24576 File Visible: - Signed: -
Status: -

Name: SASKUTIL.sys
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Address: 0xB7CA0000 Size: 151552 File Visible: - Signed: -
Status: -

Name: sdbus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\sdbus.sys
Address: 0xB9483000 Size: 78720 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xB4F26000 Size: 333184 File Visible: - Signed: -
Status: -

Name: sthda.sys
Image Path: C:\WINDOWS\system32\drivers\sthda.sys
Address: 0xB80D9000 Size: 1169728 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xBA5B4000 Size: 4352 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xB555F000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xB7E11000 Size: 360320 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xBA3C8000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xBA218000 Size: 40704 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB921F000 Size: 364160 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xBA5BC000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xBA378000 Size: 27264 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xBA238000 Size: 57600 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB95FB000 Size: 143360 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xBA368000 Size: 20480 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xBA448000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB961E000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xBA0C8000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xBA2B8000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xBA3A0000 Size: 20480 File Visible: - Signed: -
Status: -

Name: Wdf01000.sys
Image Path: C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
Address: 0xB938B000 Size: 503808 File Visible: - Signed: -
Status: -

Name: WDFLDR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS
Address: 0xBA198000 Size: 53248 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xB5366000 Size: 82944 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xBA3E0000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xB5865000 Size: 61440 File Visible: No Signed: -
Status: -

Name: wmiacpi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
Address: 0xBA580000 Size: 8832 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xBA5AA000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2142208 File Visible: - Signed: -
Status: -

Name: WudfPf.sys
Image Path: WudfPf.sys
Address: 0xB9E12000 Size: 77568 File Visible: - Signed: -
Status: -








Win32kDiag:


Log file is located at: C:\Documents and Settings\Alex\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Adobe\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\{DFF16927-88E6-4EAA-A097-460B7E65289B}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\InstallShield\ISEngine12.0\ISEngine12.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-3793712576-3281783335-1419076999-1003\S-1-5-21-3793712576-3281783335-1419076999-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-3793712576-3281783335-1419076999-1003\S-1-5-21-3793712576-3281783335-1419076999-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Adobe\Updater5\Install\Install

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\e221d2f98df9\e221d2f98df9

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\MediaDirect\IEPG\IEPG

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-3793712576-3281783335-1419076999-1003\S-1-5-21-3793712576-3281783335-1419076999-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Works\Portfolio\Portfolio

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll





Sorry if this seems like a mess.
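As an added example (not code from the thread or from the RootRepeal or Win32kDiag authors), here is a Python triage script that parses the two log formats posted above and pulls out the entries a helper looks at first: drivers whose file RootRepeal could not see on disk, image paths that are NTFS alternate data streams (the win32k.sys:1 and win32k.sys:2 entries), mount points whose destination is not a \??\Volume{GUID} path, and files Win32kDiag could not open. The sample logs are constructed excerpts, and the allow-list of drivers that legitimately show no on-disk file (dump_* and rootrepeal.sys) is an assumption of the example.

```python
"""Triage of RootRepeal driver tables and Win32kDiag mount points (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed excerpt of a RootRepeal "Drivers" section.
ROOTREPEAL_SAMPLE = r"""
Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xB7D65000 Size: 138368 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7B75000 Size: 98304 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xBA3E0000 Size: 20480 File Visible: No Signed: -
Status: -
"""
# Constructed excerpt of Win32kDiag output.
WIN32KDIAG_SAMPLE = r"""
Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll
"""
DRIVER_RE = re.compile(
    r"Name: (?P<name>.+)\n"
    r"Image Path: (?P<path>.+)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+) "
    r"File Visible: (?P<vis>\S+) Signed: (?P<signed>\S+)"
)
# A second colon after the drive letter means an NTFS alternate data stream (win32k.sys:1).
ADS_RE = re.compile(r"^[A-Za-z]:\\.*:[^\\]+$")
# Mount points Windows creates itself resolve to \??\Volume{GUID}\; anything else is suspect.
VOLUME_DEST_RE = re.compile(r"^\\\?\?\\Volume\{[0-9A-Fa-f-]+\}\\?$")
MOUNT_RE = re.compile(
    r"Found mount point : (?P<path>.+)\n\s*Mount point destination : (?P<dest>.+)"
)
CANNOT_ACCESS_RE = re.compile(r"Cannot access: (?P<path>.+)")
# Assumption of this example: dump_* (kernel crash-dump copies) and the scanner's own
# rootrepeal.sys legitimately report "File Visible: No".
EXPECTED_NOT_ON_DISK = ("dump_", "rootrepeal.sys")


@dataclass
class Driver:
    name: str
    image_path: str
    address: int
    size: int
    file_visible: str  # "-" when RootRepeal found the file on disk, "No" when not
    signed: str


def parse_drivers(text: str) -> List[Driver]:
    # Each Name / Image Path / Address block becomes one Driver record.
    return [Driver(m["name"].strip(), m["path"].strip(), int(m["addr"], 16),
                   int(m["size"]), m["vis"], m["signed"]) for m in DRIVER_RE.finditer(text)]


def flag_drivers(drivers: List[Driver]) -> Dict[str, List[str]]:
    # Drivers with no on-disk file (outside the expected set) and ADS-backed images.
    findings: Dict[str, List[str]] = {"hidden_file": [], "ads_image": []}
    for d in drivers:
        if d.file_visible == "No" and not d.name.lower().startswith(EXPECTED_NOT_ON_DISK):
            findings["hidden_file"].append(d.name)
        if ADS_RE.match(d.image_path):
            findings["ads_image"].append(d.name)
    return findings


def parse_win32kdiag(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    # Returns ([(mount path, destination), ...], [paths the scan could not open]).
    mounts = [(m["path"].strip(), m["dest"].strip()) for m in MOUNT_RE.finditer(text)]
    blocked = [m["path"].strip() for m in CANNOT_ACCESS_RE.finditer(text)]
    return mounts, blocked


def flag_mount_points(mounts: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    # Flag non-volume destinations and junctions named after their parent directory.
    suspicious = []
    for path, dest in mounts:
        parts = path.rstrip("\\").split("\\")
        named_after_parent = len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()
        if not VOLUME_DEST_RE.match(dest) or named_after_parent:
            suspicious.append((path, dest))
    return suspicious


def triage(rootrepeal_text: str, win32kdiag_text: str) -> Dict[str, list]:
    result: Dict[str, list] = dict(flag_drivers(parse_drivers(rootrepeal_text)))
    mounts, blocked = parse_win32kdiag(win32kdiag_text)
    result["suspicious_mount_points"] = flag_mount_points(mounts)
    result["cannot_access"] = blocked
    return result
```

Run over the full logs above, `triage` would surface the two win32k.sys ADS entries, every mount point pointing at \Device\__max++>\^, and the blocked eventlog.dll read in one short report.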


#2 SifuMike

    malware expert
    Staff Emeritus

Posted 03 September 2009 - 08:54 PM

Hi jrizzle,

Sorry for the delay, we have many logs backed up.

Please do the following.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and paste the content of the following codebox into the main textfield under "File":
    :filefind 
    eventlog.dll
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 jrizzle

  • Topic Starter
  • Members
  • 64 posts

Posted 03 September 2009 - 11:27 PM

No worries, I understand you guys are very busy. Anyway, here is the log:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 21:28 on 03/09/2009 by Alex (Administrator - Elevation successful)

========== filefind ==========

Searching for "eventlog.dll"
C:\i386\eventlog.dll --a--- 55808 bytes [06:40 05/07/2008] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll --a--- 56320 bytes [23:47 29/08/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll --a--- 62464 bytes [17:51 10/08/2004] [10:00 04/08/2004] (Unable to calculate MD5)

-=End Of File=-

#4 SifuMike

    malware expert
  • Staff Emeritus
  • 15,385 posts

Posted 03 September 2009 - 11:36 PM

Hi jrizzle,

Let's begin....

==========

Step 1

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r

==========

Step 2

Please do this:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\i386\eventlog.dll C:\ /y
  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (step #3) won't work if the file copy was not successful.
  • Exit the Command Prompt window.
==========

Step 3

Warning to others reading this thread! The Avenger is a VERY POWERFUL program, and can easily be misused.
Certain misuses of this program can prevent your system from ever starting again.
For this reason, it is strongly recommended to use The Avenger only as directed and under qualified supervision.
We can accept no responsibility for damage caused by misuse of the program.
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
==========

With your next post please provide:

* Win32kDiag.txt
* Avenger.txt

#5 jrizzle

  • Topic Starter
  • Members
  • 64 posts

Posted 04 September 2009 - 02:20 PM

Oops... I accidentally deleted the Win32kDiag log because I thought it was an old one. When I tried to redo the scan, I got a different log. Sorry!

Win32kDiag:

Log file is located at: C:\Documents and Settings\Alex\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\wbem\SETC.tmp

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\SETC.tmp




Avenger:


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#6 SifuMike

    malware expert
  • Staff Emeritus
  • 15,385 posts

Posted 04 September 2009 - 02:25 PM

Hi jrizzle,


Please do the following:

Tell me the antivirus program you are running.
Are you running any registry protector (like Windows Defender or Spybot Teatimer)?

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and paste the content of the following codebox into the main textfield under "File":
    :filefind 
    eventlog.dll
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.



#7 jrizzle

  • Topic Starter
  • Members
  • 64 posts

Posted 04 September 2009 - 06:41 PM

I have many antivirus programs but I think AVG is the only one I have on at all times. I also have Spy-Bot and Super Anti Spyware but I'm not sure if I have teatimer. Log:


SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 16:38 on 04/09/2009 by Alex (Administrator - Elevation successful)

========== filefind ==========

Searching for "eventlog.dll"
C:\i386\eventlog.dll --a--- 55808 bytes [06:40 05/07/2008] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll --a--- 56320 bytes [23:47 29/08/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\dllcache\eventlog.dll --a--- 55808 bytes [17:51 10/08/2004] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\system32\eventlog.dll --a--- 55808 bytes [17:51 10/08/2004] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78

-=End Of File=-
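The check SifuMike is doing by eye across the two SystemLook logs (post #3 and this one) is: does the live system32\eventlog.dll have the same size and MD5 as the copies Windows keeps in dllcache and i386, and can it be hashed at all? As an added example (my code, not SystemLook's or the helper's), this Python script parses the filefind lines and applies that comparison to the two logs as posted; copies under SoftwareDistribution\Download are not used as references because they are pending update payloads and may legitimately differ.

```python
"""Compare a live system DLL with Windows' protected copies using SystemLook
filefind output (added example, not part of the thread or of SystemLook)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# The two filefind results posted in this thread: before and after the
# C:\i386 copy was moved over C:\WINDOWS\system32\eventlog.dll.
BEFORE_LOG = r"""
Searching for "eventlog.dll"
C:\i386\eventlog.dll --a--- 55808 bytes [06:40 05/07/2008] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll --a--- 56320 bytes [23:47 29/08/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll --a--- 62464 bytes [17:51 10/08/2004] [10:00 04/08/2004] (Unable to calculate MD5)
"""

AFTER_LOG = r"""
Searching for "eventlog.dll"
C:\i386\eventlog.dll --a--- 55808 bytes [06:40 05/07/2008] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll --a--- 56320 bytes [23:47 29/08/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\dllcache\eventlog.dll --a--- 55808 bytes [17:51 10/08/2004] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\system32\eventlog.dll --a--- 55808 bytes [17:51 10/08/2004] [10:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
"""

# path  attrs  size bytes  [modified]  [created]  md5-or-failure
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-\w]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))\s*$"
)


@dataclass
class Entry:
    path: str
    size: int
    md5: Optional[str]  # None when SystemLook reports "(Unable to calculate MD5)"


def parse_filefind(text: str) -> List[Entry]:
    """Parse the per-file lines of a SystemLook :filefind section."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            md5 = m.group("md5")
            entries.append(Entry(m.group("path"), int(m.group("size")),
                                 None if md5.startswith("(") else md5.upper()))
    return entries


def is_reference_copy(path: str) -> bool:
    """dllcache is the Windows File Protection store; i386 is the install
    source (ServicePackFiles\\i386 included). Update payloads under
    SoftwareDistribution\\Download are deliberately not treated as references."""
    p = path.lower()
    return "\\system32\\dllcache\\" in p or "\\i386\\" in p


def is_live_copy(path: str) -> bool:
    p = path.lower()
    return "\\system32\\" in p and "\\dllcache\\" not in p


def assess(entries: List[Entry]) -> str:
    live = [e for e in entries if is_live_copy(e.path)]
    refs = [e for e in entries if is_reference_copy(e.path)]
    if not live:
        return "no live copy found"
    if not refs:
        return "no reference copy to compare against"
    e = live[0]
    if e.md5 is None:
        # A system DLL the tool cannot even read to hash, while every other
        # copy hashes fine, is the finding this thread acted on.
        return f"unverifiable: {e.path} could not be hashed (size {e.size})"
    if any(e.md5 == r.md5 and e.size == r.size for r in refs):
        return f"ok: {e.path} matches a reference copy ({e.md5})"
    return f"mismatch: {e.path} ({e.size} bytes, {e.md5}) differs from every reference copy"


if __name__ == "__main__":
    for label, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        print(label, "->", assess(parse_filefind(log)))
```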

#8 SifuMike

    malware expert
  • Staff Emeritus
  • 15,385 posts

Posted 04 September 2009 - 07:02 PM

Hi jrizzle,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.



#9 jrizzle

  • Topic Starter
  • Members
  • 64 posts

Posted 05 September 2009 - 03:24 PM

ComboFix 09-09-05.01 - Alex 09/05/2009 13:16.1.2 - NTFSx86
Running from: c:\documents and settings\Alex\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bold.log
c:\windows\system\SysSD.dll
c:\windows\system32\1.tmp
c:\windows\system32\2.tmp
c:\windows\system32\3.tmp
c:\windows\system32\6.tmp
c:\windows\system32\7.tmp
c:\windows\system32\8.tmp
c:\windows\system32\BKSrXyay.ini
c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security
c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security\System Security
c:\windows\system32\SKYNETjbhyewqm.dat
c:\windows\system32\SKYNETlgxqfhiq.dll
c:\windows\system32\SKYNETlog.dat
c:\windows\system32\SKYNETqomwqwbw.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SKYNETmywxiwpb
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_SKYNETmywxiwpb


((((((((((((((((((((((((( Files Created from 2009-08-05 to 2009-09-05 )))))))))))))))))))))))))))))))
.

2009-08-19 18:55 . 2009-08-19 18:55 967 ----a-w- c:\windows\ScUnin.pif
2009-08-19 18:55 . 2009-08-19 18:55 12852 ----a-w- c:\windows\scunin.dat
2009-08-19 18:55 . 2009-08-19 18:55 94208 ----a-w- c:\windows\ScUnin.exe
2009-08-19 18:54 . 2009-08-19 18:55 -------- d-----w- c:\program files\Starcraft
2009-08-17 00:10 . 2009-09-05 18:21 -------- d-----w- c:\program files\Steam
2009-08-12 08:02 . 2009-08-12 08:02 -------- d-----w- c:\windows\ServicePackFiles
2009-08-11 18:19 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-08-10 20:50 . 2007-08-31 02:57 196608 ----a-w- c:\windows\system32\BNCSutil.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-05 07:29 . 2009-07-26 05:33 51528 ----a-w- c:\windows\system32\nvModes.dat
2009-09-05 06:53 . 2008-06-28 19:40 -------- d-----w- c:\program files\Warcraft III
2009-09-04 21:43 . 2008-11-02 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-03 04:31 . 2008-06-21 04:34 -------- d-----w- c:\documents and settings\Alex\Application Data\FrostWire
2009-09-01 19:26 . 2008-06-21 18:15 -------- d-----w- c:\documents and settings\Alex\Application Data\uTorrent
2009-08-29 23:58 . 2008-12-30 08:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-26 17:22 . 2009-01-05 06:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-25 18:29 . 2008-06-28 19:44 84876 ----a-w- c:\windows\War3Unin.dat
2009-08-17 16:28 . 2008-06-21 15:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-17 16:28 . 2008-06-21 15:42 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-17 16:28 . 2008-06-21 15:42 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-11 18:28 . 2008-06-21 04:34 -------- d-----w- c:\program files\FrostWire
2009-08-10 20:50 . 2008-11-14 23:42 -------- d-----w- c:\program files\DotA Gaming Network
2009-08-06 02:42 . 2008-12-12 06:25 -------- d-----w- c:\program files\Opera
2009-08-05 09:11 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 18:36 . 2009-01-05 06:00 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-01-05 06:00 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-27 17:47 . 2009-07-27 17:47 -------- d-----w- c:\program files\Sophos
2009-07-27 01:06 . 2009-07-27 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-07-26 22:27 . 2009-07-26 22:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-26 22:27 . 2009-07-26 22:27 -------- d-----w- c:\documents and settings\Alex\Application Data\SUPERAntiSpyware.com
2009-07-26 06:07 . 2008-10-14 21:00 -------- d-----w- c:\program files\HP
2009-07-26 01:44 . 2008-06-21 04:50 -------- d-----w- c:\program files\Common Files\AOL
2009-07-26 01:38 . 2008-11-09 23:36 -------- d-----w- c:\program files\Blocktrix
2009-07-25 22:00 . 2009-07-23 02:57 -------- d-----w- c:\documents and settings\Alex\Application Data\Skype
2009-07-25 21:00 . 2009-07-23 02:59 -------- d-----w- c:\documents and settings\Alex\Application Data\skypePM
2009-07-25 07:30 . 2008-08-15 15:02 -------- d-----w- c:\program files\PokerStars
2009-07-24 04:26 . 2009-07-23 02:56 -------- d-----r- c:\program files\Skype
2009-07-23 04:17 . 2009-02-15 22:43 -------- d-----w- c:\program files\Diablo II
2009-07-23 02:59 . 2009-07-23 02:59 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-23 02:56 . 2009-07-23 02:56 -------- d-----w- c:\program files\Common Files\Skype
2009-07-23 02:56 . 2009-07-23 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-07-18 18:10 . 2009-07-18 18:03 -------- d-----w- c:\documents and settings\Alex\Application Data\Ventrilo
2009-07-18 18:02 . 2009-07-18 18:02 -------- d-----w- c:\program files\Ventrilo
2009-07-18 18:02 . 2009-07-18 18:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-17 18:55 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 07:20 . 2008-06-21 15:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-13 07:18 . 2004-08-10 17:51 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:18 . 2004-08-10 17:51 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:17 . 2004-08-10 17:51 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:17 . 2004-08-10 17:51 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:17 . 2004-08-10 17:51 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:17 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:17 . 2004-08-10 17:51 729600 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:17 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-22 11:35 . 2004-08-10 17:51 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-08-10 17:51 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 08:08 . 2009-01-05 07:01 2748 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-06-12 11:50 . 2004-08-10 17:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-08-10 17:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-08 06:12 . 2009-06-08 06:12 43344 ---ha-w- c:\windows\system32\mlfcache.dat
.

------- Sigcheck -------

[7] 2006-02-01 02:59 3073024 51C91AC189321A320FC4BC90B56255A3 c:\windows\$hf_mig$\KB912945\SP2QFE\mshtml.dll
[7] 2007-12-07 00:44 3066368 8A4DD074DEC1B0C063C8493ABF654CBC c:\windows\$hf_mig$\KB944533\SP2QFE\mshtml.dll
[7] 2008-04-21 06:56 3066880 083B967E6B0B2BB539CE6B08D45D631F c:\windows\$hf_mig$\KB950759\SP2QFE\mshtml.dll
[7] 2008-04-21 06:44 3066880 FE406DE0651C9E8201DCB0460609D739 c:\windows\$hf_mig$\KB950759\SP3GDR\mshtml.dll
[7] 2008-04-21 06:24 3067392 46A61BA430110F00DD990D058AA3D054 c:\windows\$hf_mig$\KB950759\SP3QFE\mshtml.dll
[7] 2008-06-23 16:11 3067392 1FC693A4EE1D9D9CD78DDA6C87232F6F c:\windows\$hf_mig$\KB953838\SP2QFE\mshtml.dll
[7] 2008-06-23 15:09 3067392 F433136C23D13B120412B300D1324A7E c:\windows\$hf_mig$\KB953838\SP3GDR\mshtml.dll
[7] 2008-06-25 04:24 3067904 04EEC0FF4DD3C7041628973CA6832C33 c:\windows\$hf_mig$\KB953838\SP3QFE\mshtml.dll
[7] 2008-08-20 05:33 3067392 20D44D1A5A406CD8E129D3D4F0B5717C c:\windows\$hf_mig$\KB956390\SP2QFE\mshtml.dll
[7] 2008-08-20 05:30 3067904 507BDA42F7DB8209C0F0B3556A043491 c:\windows\$hf_mig$\KB956390\SP3GDR\mshtml.dll
[7] 2008-08-20 04:58 3067904 BD45470B132A0F98596277323D9F2E5A c:\windows\$hf_mig$\KB956390\SP3QFE\mshtml.dll
[7] 2008-10-16 10:20 3067392 C99D8B48FC245D98E1A2BAB6594458C9 c:\windows\$hf_mig$\KB958215\SP2QFE\mshtml.dll
[7] 2008-10-16 01:00 3067904 B846C2DE341CF32B42AD297437233742 c:\windows\$hf_mig$\KB958215\SP3GDR\mshtml.dll
[7] 2008-10-16 12:34 3067904 CC5A2205D37AE67CE23AB7FD3E1FDACA c:\windows\$hf_mig$\KB958215\SP3QFE\mshtml.dll
[7] 2008-12-12 17:27 3067392 6D1D493622EA050DBAABD0C4C1DFADB5 c:\windows\$hf_mig$\KB960714\SP2QFE\mshtml.dll
[7] 2008-12-12 17:01 3067904 C828AA1C5469E72251F3D367005E589F c:\windows\$hf_mig$\KB960714\SP3GDR\mshtml.dll
[7] 2008-12-12 17:14 3067904 B6DAA74E2ED36C71B502945589A683AE c:\windows\$hf_mig$\KB960714\SP3QFE\mshtml.dll
[7] 2009-04-29 04:31 3068928 7BB862F4CBB8361551C34674291BA5EC c:\windows\$hf_mig$\KB969897\SP2QFE\mshtml.dll
[7] 2009-04-29 04:46 3068928 ABD8093E43E53AEA5898D2214B92E9BA c:\windows\$hf_mig$\KB969897\SP3GDR\mshtml.dll
[7] 2009-04-29 04:21 3069440 06CF679E3D24C3DF270556456A0F1EDA c:\windows\$hf_mig$\KB969897\SP3QFE\mshtml.dll
[7] 2009-07-18 16:00 3069440 9A878C4D12BE5598B598B27BFEA1B3C2 c:\windows\$hf_mig$\KB972260\SP2QFE\mshtml.dll
[7] 2009-07-18 16:05 3069440 7467941BE64DFC5F8E9F3DC1DE920806 c:\windows\$hf_mig$\KB972260\SP3GDR\mshtml.dll
[7] 2009-07-18 15:31 3069952 F3EE47F296295D08A97CB50EF57244D9 c:\windows\$hf_mig$\KB972260\SP3QFE\mshtml.dll
[7] 2008-04-21 07:03 3059712 C75C6AD32C28BCE0D14E1CA2AB4862DC c:\windows\$NtUninstallKB953838$\mshtml.dll
[7] 2008-06-23 15:38 3059712 74B5A84AC8FCF52C249B74C3D2A3E7B8 c:\windows\$NtUninstallKB956390$\mshtml.dll
[7] 2008-08-20 05:38 3060224 B83EB71C2052E05D13D690A224357441 c:\windows\$NtUninstallKB958215$\mshtml.dll
[7] 2008-10-16 10:37 3059712 9C2C058E341E6B627789EF88D3B98445 c:\windows\$NtUninstallKB960714$\mshtml.dll
[7] 2008-12-12 17:33 3060224 C8169B4320AC0CB8D1ED20454322E839 c:\windows\$NtUninstallKB969897$\mshtml.dll
[7] 2009-04-29 04:52 3060736 04AB92BFDDF275D50E3D42CDB4BF110E c:\windows\$NtUninstallKB972260$\mshtml.dll
[7] 2008-10-16 10:37 3059712 9C2C058E341E6B627789EF88D3B98445 c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP2GDR\mshtml.dll
[7] 2008-10-16 10:20 3067392 C99D8B48FC245D98E1A2BAB6594458C9 c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP2QFE\mshtml.dll
[7] 2008-10-16 01:00 3067904 B846C2DE341CF32B42AD297437233742 c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP3GDR\mshtml.dll
[7] 2008-10-16 12:34 3067904 CC5A2205D37AE67CE23AB7FD3E1FDACA c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP3QFE\mshtml.dll
[-] 2008-04-14 00:11 3066880 A706E122B398FE1AB85CB9B75D044223 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\mshtml.dll
[7] 2009-07-18 16:20 3062272 108F212B0E1B4439B014497EEC407981 c:\windows\system32\dllcache\mshtml.dll

c:\windows\system32\mshtml.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2009-08-17 1217784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-23 159744]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-11 2183168]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-17 2007832]
"MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2004-08-04 208896]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-24 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-01 81920]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-08-01 67584]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-08-01 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-16 50688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-17 16:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Digsby\\lib\\digsby-app.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\akuobar@yahoo.com\\counter-strike\\hl.exe"=

R2 fkpv;fkpv;c:\windows\system32\drivers\lvbdid.sys [x]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-06-23 7408]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-17 335240]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-09 108552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-06-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-06-23 72944]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-08-17 908056]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-17 297752]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

.
Contents of the 'Scheduled Tasks' folder

2009-08-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0DDFDB39-DF94-49AE-8453-BDE6595A8B41} - (no file)
BHO-{2C714CBD-0B3B-45AD-BEDD-D7DA2186DBE8} - (no file)
HKLM-Run-Dell QuickSet - c:\program files\Dell\QuickSet\quickset.exe
HKU-Default-Run-msiexec.exe - msiconf.exe
SafeBoot-Wdf01000.sys


.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=4080616
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\zs6t86sr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.13
FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-05 13:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2616)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\stacsv.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\DellTPad\ApntEx.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-05 13:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-05 18:24

Pre-Run: 215,424,565,248 bytes free
Post-Run: 215,308,763,136 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

284 --- E O F --- 2009-09-05 18:09

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:50 AM

Posted 05 September 2009 - 04:41 PM

Hi jrizzle,

You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield again, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

FCopy::
C:\WINDOWS\ServicePackFiles\i386\mshtml.dll | C:\WINDOWS\system32\mshtml.dll

File:: 
c:\windows\system32\drivers\lvbdid.sys 

Driver:: 
fkpv


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 jrizzle

jrizzle
  • Topic Starter

  • Members
  • 64 posts
  • Local time:11:50 AM

Posted 05 September 2009 - 06:48 PM

Thanks for the quick replies Mike!





ComboFix 09-09-05.01 - Alex 09/05/2009 16:41.2.2 - NTFSx86
Running from: c:\documents and settings\Alex\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Alex\Desktop\cfscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

FILE ::
"c:\windows\system32\drivers\lvbdid.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Alex\LOCALS~1\Temp\~82.tmp
c:\documents and settings\Alex\Local Settings\Temp\~82.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FKPV
-------\Service_fkpv


((((((((((((((((((((((((( Files Created from 2009-08-05 to 2009-09-05 )))))))))))))))))))))))))))))))
.

2009-08-19 18:55 . 2009-08-19 18:55 967 ----a-w- c:\windows\ScUnin.pif
2009-08-19 18:55 . 2009-08-19 18:55 12852 ----a-w- c:\windows\scunin.dat
2009-08-19 18:55 . 2009-08-19 18:55 94208 ----a-w- c:\windows\ScUnin.exe
2009-08-19 18:54 . 2009-08-19 18:55 -------- d-----w- c:\program files\Starcraft
2009-08-17 00:10 . 2009-09-05 21:37 -------- d-----w- c:\program files\Steam
2009-08-12 08:02 . 2009-08-12 08:02 -------- d-----w- c:\windows\ServicePackFiles
2009-08-11 18:19 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-08-10 20:50 . 2007-08-31 02:57 196608 ----a-w- c:\windows\system32\BNCSutil.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-05 21:45 . 2009-07-26 05:33 65606 ----a-w- c:\windows\system32\nvModes.dat
2009-09-05 21:31 . 2008-06-28 19:40 -------- d-----w- c:\program files\Warcraft III
2009-09-04 21:43 . 2008-11-02 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-03 04:31 . 2008-06-21 04:34 -------- d-----w- c:\documents and settings\Alex\Application Data\FrostWire
2009-09-01 19:26 . 2008-06-21 18:15 -------- d-----w- c:\documents and settings\Alex\Application Data\uTorrent
2009-08-29 23:58 . 2008-12-30 08:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-26 17:22 . 2009-01-05 06:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-25 18:29 . 2008-06-28 19:44 84876 ----a-w- c:\windows\War3Unin.dat
2009-08-17 16:28 . 2008-06-21 15:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-17 16:28 . 2008-06-21 15:42 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-17 16:28 . 2008-06-21 15:42 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-11 18:28 . 2008-06-21 04:34 -------- d-----w- c:\program files\FrostWire
2009-08-10 20:50 . 2008-11-14 23:42 -------- d-----w- c:\program files\DotA Gaming Network
2009-08-06 02:42 . 2008-12-12 06:25 -------- d-----w- c:\program files\Opera
2009-08-05 09:11 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 18:36 . 2009-01-05 06:00 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-01-05 06:00 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-27 17:47 . 2009-07-27 17:47 -------- d-----w- c:\program files\Sophos
2009-07-27 01:06 . 2009-07-27 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-07-26 22:27 . 2009-07-26 22:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-26 22:27 . 2009-07-26 22:27 -------- d-----w- c:\documents and settings\Alex\Application Data\SUPERAntiSpyware.com
2009-07-26 06:07 . 2008-10-14 21:00 -------- d-----w- c:\program files\HP
2009-07-26 01:44 . 2008-06-21 04:50 -------- d-----w- c:\program files\Common Files\AOL
2009-07-26 01:38 . 2008-11-09 23:36 -------- d-----w- c:\program files\Blocktrix
2009-07-25 22:00 . 2009-07-23 02:57 -------- d-----w- c:\documents and settings\Alex\Application Data\Skype
2009-07-25 21:00 . 2009-07-23 02:59 -------- d-----w- c:\documents and settings\Alex\Application Data\skypePM
2009-07-25 07:30 . 2008-08-15 15:02 -------- d-----w- c:\program files\PokerStars
2009-07-24 04:26 . 2009-07-23 02:56 -------- d-----r- c:\program files\Skype
2009-07-23 04:17 . 2009-02-15 22:43 -------- d-----w- c:\program files\Diablo II
2009-07-23 02:59 . 2009-07-23 02:59 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-23 02:56 . 2009-07-23 02:56 -------- d-----w- c:\program files\Common Files\Skype
2009-07-23 02:56 . 2009-07-23 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-07-18 18:10 . 2009-07-18 18:03 -------- d-----w- c:\documents and settings\Alex\Application Data\Ventrilo
2009-07-18 18:02 . 2009-07-18 18:02 -------- d-----w- c:\program files\Ventrilo
2009-07-18 18:02 . 2009-07-18 18:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-17 18:55 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 07:20 . 2008-06-21 15:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-13 07:18 . 2004-08-10 17:51 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:18 . 2004-08-10 17:51 659456 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:17 . 2004-08-10 17:51 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:17 . 2004-08-10 17:51 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:17 . 2004-08-10 17:51 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:17 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:17 . 2004-08-10 17:51 729600 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:17 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-22 11:35 . 2004-08-10 17:51 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-08-10 17:51 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 08:08 . 2009-01-05 07:01 2748 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-06-12 11:50 . 2004-08-10 17:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-08-10 17:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-08 06:12 . 2009-06-08 06:12 43344 ---ha-w- c:\windows\system32\mlfcache.dat
.

------- Sigcheck -------

[7] 2006-02-01 02:59 3073024 51C91AC189321A320FC4BC90B56255A3 c:\windows\$hf_mig$\KB912945\SP2QFE\mshtml.dll
[7] 2007-12-07 00:44 3066368 8A4DD074DEC1B0C063C8493ABF654CBC c:\windows\$hf_mig$\KB944533\SP2QFE\mshtml.dll
[7] 2008-04-21 06:56 3066880 083B967E6B0B2BB539CE6B08D45D631F c:\windows\$hf_mig$\KB950759\SP2QFE\mshtml.dll
[7] 2008-04-21 06:44 3066880 FE406DE0651C9E8201DCB0460609D739 c:\windows\$hf_mig$\KB950759\SP3GDR\mshtml.dll
[7] 2008-04-21 06:24 3067392 46A61BA430110F00DD990D058AA3D054 c:\windows\$hf_mig$\KB950759\SP3QFE\mshtml.dll
[7] 2008-06-23 16:11 3067392 1FC693A4EE1D9D9CD78DDA6C87232F6F c:\windows\$hf_mig$\KB953838\SP2QFE\mshtml.dll
[7] 2008-06-23 15:09 3067392 F433136C23D13B120412B300D1324A7E c:\windows\$hf_mig$\KB953838\SP3GDR\mshtml.dll
[7] 2008-06-25 04:24 3067904 04EEC0FF4DD3C7041628973CA6832C33 c:\windows\$hf_mig$\KB953838\SP3QFE\mshtml.dll
[7] 2008-08-20 05:33 3067392 20D44D1A5A406CD8E129D3D4F0B5717C c:\windows\$hf_mig$\KB956390\SP2QFE\mshtml.dll
[7] 2008-08-20 05:30 3067904 507BDA42F7DB8209C0F0B3556A043491 c:\windows\$hf_mig$\KB956390\SP3GDR\mshtml.dll
[7] 2008-08-20 04:58 3067904 BD45470B132A0F98596277323D9F2E5A c:\windows\$hf_mig$\KB956390\SP3QFE\mshtml.dll
[7] 2008-10-16 10:20 3067392 C99D8B48FC245D98E1A2BAB6594458C9 c:\windows\$hf_mig$\KB958215\SP2QFE\mshtml.dll
[7] 2008-10-16 01:00 3067904 B846C2DE341CF32B42AD297437233742 c:\windows\$hf_mig$\KB958215\SP3GDR\mshtml.dll
[7] 2008-10-16 12:34 3067904 CC5A2205D37AE67CE23AB7FD3E1FDACA c:\windows\$hf_mig$\KB958215\SP3QFE\mshtml.dll
[7] 2008-12-12 17:27 3067392 6D1D493622EA050DBAABD0C4C1DFADB5 c:\windows\$hf_mig$\KB960714\SP2QFE\mshtml.dll
[7] 2008-12-12 17:01 3067904 C828AA1C5469E72251F3D367005E589F c:\windows\$hf_mig$\KB960714\SP3GDR\mshtml.dll
[7] 2008-12-12 17:14 3067904 B6DAA74E2ED36C71B502945589A683AE c:\windows\$hf_mig$\KB960714\SP3QFE\mshtml.dll
[7] 2009-04-29 04:31 3068928 7BB862F4CBB8361551C34674291BA5EC c:\windows\$hf_mig$\KB969897\SP2QFE\mshtml.dll
[7] 2009-04-29 04:46 3068928 ABD8093E43E53AEA5898D2214B92E9BA c:\windows\$hf_mig$\KB969897\SP3GDR\mshtml.dll
[7] 2009-04-29 04:21 3069440 06CF679E3D24C3DF270556456A0F1EDA c:\windows\$hf_mig$\KB969897\SP3QFE\mshtml.dll
[7] 2009-07-18 16:00 3069440 9A878C4D12BE5598B598B27BFEA1B3C2 c:\windows\$hf_mig$\KB972260\SP2QFE\mshtml.dll
[7] 2009-07-18 16:05 3069440 7467941BE64DFC5F8E9F3DC1DE920806 c:\windows\$hf_mig$\KB972260\SP3GDR\mshtml.dll
[7] 2009-07-18 15:31 3069952 F3EE47F296295D08A97CB50EF57244D9 c:\windows\$hf_mig$\KB972260\SP3QFE\mshtml.dll
[7] 2008-04-21 07:03 3059712 C75C6AD32C28BCE0D14E1CA2AB4862DC c:\windows\$NtUninstallKB953838$\mshtml.dll
[7] 2008-06-23 15:38 3059712 74B5A84AC8FCF52C249B74C3D2A3E7B8 c:\windows\$NtUninstallKB956390$\mshtml.dll
[7] 2008-08-20 05:38 3060224 B83EB71C2052E05D13D690A224357441 c:\windows\$NtUninstallKB958215$\mshtml.dll
[7] 2008-10-16 10:37 3059712 9C2C058E341E6B627789EF88D3B98445 c:\windows\$NtUninstallKB960714$\mshtml.dll
[7] 2008-12-12 17:33 3060224 C8169B4320AC0CB8D1ED20454322E839 c:\windows\$NtUninstallKB969897$\mshtml.dll
[7] 2009-04-29 04:52 3060736 04AB92BFDDF275D50E3D42CDB4BF110E c:\windows\$NtUninstallKB972260$\mshtml.dll
[7] 2008-10-16 10:37 3059712 9C2C058E341E6B627789EF88D3B98445 c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP2GDR\mshtml.dll
[7] 2008-10-16 10:20 3067392 C99D8B48FC245D98E1A2BAB6594458C9 c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP2QFE\mshtml.dll
[7] 2008-10-16 01:00 3067904 B846C2DE341CF32B42AD297437233742 c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP3GDR\mshtml.dll
[7] 2008-10-16 12:34 3067904 CC5A2205D37AE67CE23AB7FD3E1FDACA c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP3QFE\mshtml.dll
[-] 2008-04-14 00:11 3066880 A706E122B398FE1AB85CB9B75D044223 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\mshtml.dll
[7] 2009-07-18 16:20 3062272 108F212B0E1B4439B014497EEC407981 c:\windows\system32\dllcache\mshtml.dll

c:\windows\system32\mshtml.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2009-08-17 1217784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-23 159744]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-11 2183168]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-17 2007832]
"MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2004-08-04 208896]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-24 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-01 81920]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-08-01 67584]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-08-01 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-16 50688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-17 16:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Digsby\\lib\\digsby-app.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\akuobar@yahoo.com\\counter-strike\\hl.exe"=

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-06-23 7408]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-17 335240]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-09 108552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-06-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-06-23 72944]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-08-17 908056]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-17 297752]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

.
Contents of the 'Scheduled Tasks' folder

2009-08-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=4080616
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\zs6t86sr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.13
FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-05 16:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3136)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\stacsv.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\DellTPad\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-05 16:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-05 21:50
ComboFix2.txt 2009-09-05 18:24

Pre-Run: 215,309,955,072 bytes free
Post-Run: 215,279,640,576 bytes free

259 --- E O F --- 2009-09-05 18:09
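The Sigcheck block in the log above lists every copy of mshtml.dll that ComboFix found, each with a size and MD5, and notes that c:\windows\system32\mshtml.dll itself was missing (the FCopy:: line in the script restored it from ServicePackFiles). An analyst reading such a block wants to know which copies are byte-identical and which hash a restored file should be compared against. The following Python script is an added example for this thread, not ComboFix code and not posted by anyone here: it parses the "[tag] date time size MD5 path" lines and the "... is missing !!" note, groups copies by MD5, and lets you look up which listed copies match a given hash. The sample input is a subset of the Sigcheck lines from the log above; the bracket tag is carried through as ComboFix reported it and is not interpreted.

```python
"""Group the copies of a file listed in a ComboFix Sigcheck block by MD5.

Added example for this thread; it is not ComboFix code and was not
posted by anyone in the thread. It parses the "[tag] date time size MD5
path" lines ComboFix prints, keeps the bracket tag as reported (the
script does not interpret it), and records the "... is missing !!" note.
"""
import re
from collections import defaultdict

# One Sigcheck entry per line: "[7] 2009-07-18 16:20 3062272 108F... c:\path\file.dll"
SIGCHECK_RE = re.compile(
    r"^\[(?P<tag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>\S.*?)\s*$"
)
# ComboFix's note for a path it expected but did not find.
MISSING_RE = re.compile(r"^(?P<path>\S.*?)\s+\.\.\.\s+is missing\s+!!\s*$")

# Sample input: a subset of the Sigcheck lines from the log posted above.
SAMPLE_SIGCHECK = r"""
------- Sigcheck -------

[7] 2009-07-18 16:00 3069440 9A878C4D12BE5598B598B27BFEA1B3C2 c:\windows\$hf_mig$\KB972260\SP2QFE\mshtml.dll
[7] 2008-10-16 10:37 3059712 9C2C058E341E6B627789EF88D3B98445 c:\windows\$NtUninstallKB960714$\mshtml.dll
[7] 2008-10-16 10:37 3059712 9C2C058E341E6B627789EF88D3B98445 c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP2GDR\mshtml.dll
[-] 2008-04-14 00:11 3066880 A706E122B398FE1AB85CB9B75D044223 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\mshtml.dll
[7] 2009-07-18 16:20 3062272 108F212B0E1B4439B014497EEC407981 c:\windows\system32\dllcache\mshtml.dll

c:\windows\system32\mshtml.dll ... is missing !!
"""


def parse_sigcheck(text):
    """Return (entries, missing): parsed entry dicts and paths reported missing."""
    entries, missing = [], []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
            continue
        m = MISSING_RE.match(line)
        if m:
            missing.append(m.group("path"))
    return entries, missing


def group_by_md5(entries):
    """Map each MD5 to the list of paths that carry it, in input order."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def untagged_entries(entries):
    """Entries whose bracket tag is '-' (listed without the tag the other copies carry)."""
    return [e for e in entries if e["tag"] == "-"]


def matching_copies(entries, md5):
    """Paths whose MD5 equals the given one (case-insensitive). Use it to check
    the hash of a restored file against the copies ComboFix listed."""
    return group_by_md5(entries).get(md5.upper(), [])


def report(text):
    """Human-readable summary: one line per hash group, then missing paths."""
    entries, missing = parse_sigcheck(text)
    lines = []
    for md5, paths in group_by_md5(entries).items():
        lines.append(f"{md5}  {len(paths)} copy(ies)")
        lines.extend(f"    {p}" for p in paths)
    for path in missing:
        lines.append(f"MISSING  {path}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SIGCHECK)))
```

On the sample above the script yields four hash groups from five entries (the KB960714 uninstall copy and the SP2GDR download share one MD5), one entry tagged "-", and the missing system32 path. After the FCopy:: step, hashing the restored c:\windows\system32\mshtml.dll and passing that hash to matching_copies shows which of the listed copies it is identical to; an unknown hash returns an empty list, which is the case worth a closer look.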

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:50 AM

Posted 05 September 2009 - 11:36 PM

Hi jrizzle,

Now we look for stragglers.

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires that the Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner
    page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post even if it finds nothing.
You can refer to this animation by sundavis if needed.

#13 jrizzle

jrizzle
  • Topic Starter

  • Members
  • 64 posts
  • Local time:11:50 AM

Posted 06 September 2009 - 04:00 AM

Sunday, September 6, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, September 06, 2009 07:09:00
Records in database: 2751843
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
C:\
D:\
Scan statistics
Objects scanned 71876
Threats found 2
Infected objects found 2
Suspicious objects found 0
Scan duration 01:29:52

File name Threat Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETlgxqfhiq.dll.vir Infected: Trojan.Win32.Tdss.aobw 1
Selected area has been scanned.

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:50 AM

Posted 06 September 2009 - 11:55 AM

Hi jrizzle,

Looks like you're clean. :(

How is the computer running?

We still need to do some program clean up.

#15 jrizzle

jrizzle
  • Topic Starter

  • Members
  • 64 posts
  • Local time:11:50 AM

Posted 06 September 2009 - 01:51 PM

I am still unable to use any of my anti-virus programs. It says I don't have appropriate permission to access the program. Is it supposed to stay that way? Also, what is this:

C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETlgxqfhiq.dll.vir Infected: Trojan.Win32.Tdss.aobw 1


Either way, thanks for the help so far Mike!



