
malware MSIVXcount


12 replies to this topic

#1 jbowman123


Posted 30 August 2009 - 01:26 PM

Hi,
I posted in the "Am I infected" section and the person that was helping me sent me here. The link to that post is:
http://www.bleepingcomputer.com/forums/t/251892/i-think-im-infected/

I have run all the reports that I was asked to run. Here is the DDS report:

DDS (Ver_09-07-30.01) - NTFSx86
Run by us at 13:59:44.95 on Sun 08/30/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2015.1606 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Documents and Settings\us\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\us\applic~1\mozilla\firefox\profiles\w4bjzvvi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\mozilla firefox\extensions\{01a8ca0a-4c96-465b-a49b-65c46fad54f9}\components\Contribute.dll
FF - plugin: c:\documents and settings\us\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npContribute.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}


============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 32784]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-8-24 213008]
R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2009-7-4 389448]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S1 NGS;Norman General Security Driver;\??\c:\norman\nvc\bin\ngs.sys --> c:\norman\nvc\bin\ngs.sys [?]
S2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe [2008-7-29 206088]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]

=============== Created Last 30 ================

2009-08-27 20:23 69 a------- c:\windows\NeroDigital.ini
2009-08-26 20:19 100,352 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-08-26 20:14 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-08-26 20:14 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-08-25 03:01 --d----- c:\program files\MSXML 4.0
2009-08-24 18:31 96,559 a------- c:\windows\system32\drivers\klin.dat
2009-08-24 18:31 87,855 a------- c:\windows\system32\drivers\klick.dat
2009-08-24 18:30 --d----- c:\program files\Kaspersky Lab
2009-08-24 18:30 --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-08-24 17:33 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-24 17:33 2,189,056 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-24 17:33 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-24 17:32 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-08-24 17:11 --d----- c:\docume~1\us\applic~1\Malwarebytes
2009-08-24 17:10 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-24 17:10 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-24 17:10 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-24 17:10 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-21 18:05 --d----- c:\program files\iPod
2009-08-21 18:05 --d----- c:\program files\iTunes
2009-08-20 21:24 482,304 ac------ c:\windows\system32\dllcache\pintlgnt.ime
2009-08-20 21:23 78,848 ac------ c:\windows\system32\dllcache\dayi.ime
2009-08-20 21:22 445,952 ac------ c:\windows\system32\dllcache\ieapfltr.dll
2009-08-20 21:22 59,904 ac------ c:\windows\system32\dllcache\icardie.dll
2009-08-20 21:22 1,985,536 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-08-20 21:22 55,296 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-20 21:22 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-08-20 21:22 3,698,584 ac------ c:\windows\system32\dllcache\ieapfltr.dat
2009-08-20 21:22 1,241,088 ac------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-08-20 21:22 11,067,392 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-08-20 21:22 221,184 a------- c:\windows\system32\wmpns.dll
2009-08-20 21:21 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-08-20 21:21 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-08-20 21:21 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-08-20 21:21 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-08-20 21:21 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-08-20 21:21 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-08-20 21:20 16,384 ac------ c:\windows\system32\dllcache\isignup.exe
2009-08-20 21:05 27,165 a------- c:\windows\system32\drivers\fetnd5.sys
2009-08-20 17:15 --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-08-19 23:11 --d----- c:\program files\Nero
2009-08-19 23:11 --d----- c:\docume~1\alluse~1\applic~1\Nero
2009-08-19 22:34 --d----- c:\program files\MagicISO
2009-08-19 18:31 --d----- c:\windows\system32\appmgmt
2009-08-11 00:00 --d-h--- c:\windows\PIF
2009-08-10 20:30 --d----- c:\program files\Free Audio Pack

==================== Find3M ====================

2009-08-20 21:18 22,720 a------- c:\windows\system32\emptyregdb.dat
2009-08-19 21:42 87,608 a------- c:\docume~1\us\applic~1\inst.exe
2009-08-19 21:42 47,360 a------- c:\docume~1\us\applic~1\pcouffin.sys
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-29 00:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 00:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-22 02:23 46 a------- C:\p2hhr.bat
2009-07-19 16:27 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-16 22:06 73,312 a------- c:\windows\system32\drivers\adfs.sys
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-04 19:50 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-02 13:24 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-06-29 19:52 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-03 15:12 1,291,264 a------- c:\windows\system32\quartz.dll

============= FINISH: 14:00:06.59 ===============



Now the RootRepeal report:
ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/08/30 14:02
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB2604000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB6211000 Size: 8192 File Visible: No Signed: -
Status: -

Name: MSIVXtoijeyxmlxbqujdlgdtonbohhcmjkvxj.sys
Image Path: C:\WINDOWS\system32\drivers\MSIVXtoijeyxmlxbqujdlgdtonbohhcmjkvxj.sys
Address: 0xB53A8000 Size: 184320 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rftr.sys
Image Path: rftr.sys
Address: 0xF75F7000 Size: 61440 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB0FCC000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Avenger\MSIVXcount
Status: Invisible to the Windows API!

Path: C:\Avenger\MSIVXcount-ren-1596
Status: Invisible to the Windows API!

Path: C:\Avenger\MSIVXcount-ren-1614
Status: Invisible to the Windows API!

Path: C:\Avenger\MSIVXcount-ren-2447
Status: Invisible to the Windows API!

Path: C:\Avenger\MSIVXcount-ren-389
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\MSIVXcount
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\MSIVXnoqgqruhmikpiofoylbetwqmbirquvxt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\MSIVXyuwlgmetqlmhvvagfingdyjdfrlqpsxw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
Status: Locked to the Windows API!

Path: C:\Documents and Settings\us\Desktop\rootappeal.txt
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\MSIVXtoijeyxmlxbqujdlgdtonbohhcmjkvxj.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: MSIVXyuwlgmetqlmhvvagfingdyjdfrlqpsxw.dll]
Process: svchost.exe (PID: 1216) Address: 0x10000000 Size: 57344

Hidden Services
-------------------
Service Name: MSIVXserv.sys
Image Path: C:\WINDOWS\system32\drivers\MSIVXtoijeyxmlxbqujdlgdtonbohhcmjkvxj.sys

==EOF==


I have installed Kaspersky but cannot activate it. If you need any more information I will try to answer as quickly as I can; I just don't know what else I need to post.


One thing I cannot do is see any of my hard drives in Disk Manager; the only thing I can see is the DVD drive. Could this be because of the malware infecting my computer?

Thanks very much in advance :(

Edited by Orange Blossom, 31 August 2009 - 11:35 PM.
Activate link. ~ OB


#2 SifuMike


Posted 13 September 2009 - 05:18 PM

Hello jbowman123

We will run ComboFix.

You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Kaspersky Anti-Virus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable Kaspersky Anti-Virus:
Please navigate to the system tray on the bottom right hand corner and look for the Kaspersky icon (image not preserved).
  • right click it -> select Pause Protection.
  • click on -> By User Request
  • a popup will claim that protection is now disabled and a paused icon (image not preserved) will now be shown.
You successfully disabled the Kaspersky Antivirus Guard.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

#3 jbowman123


Posted 14 September 2009 - 07:29 PM

Thank you for answering my post. I downloaded ComboFix and uninstalled Kaspersky and Malwarebytes. I had to rename ComboFix on the desktop before I could go any further than the run section. I got it to run and this is the log that it created:

ComboFix 09-09-14.02 - us 09/14/2009 19:58.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2015.1708 [GMT -4:00]
Running from: c:\documents and settings\us\Desktop\john.exe
.
ADS - WINDOWS: deleted 48 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\us\Application Data\bcrypt.html
c:\documents and settings\us\Application Data\EurekaLog
c:\documents and settings\us\Application Data\inst.exe
c:\documents and settings\us\My Documents\reg.reg
C:\p2hhr.bat
c:\recycler\S-1-5-21-5108677579-0579884348-012560469-2783
c:\recycler\S-1-5-21-9730821249-7095346674-737109347-7031
c:\windows\Installer\c7d4354.msi
c:\windows\system32\drivers\MSIVXtoijeyxmlxbqujdlgdtonbohhcmjkvxj.sys
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXnoqgqruhmikpiofoylbetwqmbirquvxt.dll
c:\windows\system32\MSIVXyuwlgmetqlmhvvagfingdyjdfrlqpsxw.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys
-------\Legacy_MSIVXserv.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.

2009-08-27 00:19 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-27 00:14 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-27 00:14 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-25 07:01 . 2009-08-25 07:01 -------- d-----w- c:\program files\MSXML 4.0
2009-08-24 21:33 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-24 21:33 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-24 21:33 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-24 21:32 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-08-24 21:30 . 2009-08-24 21:30 -------- d-----w- c:\program files\ERUNT
2009-08-24 21:11 . 2009-08-24 21:11 -------- d-----w- c:\documents and settings\us\Application Data\Malwarebytes
2009-08-24 21:10 . 2009-09-14 22:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-24 21:10 . 2009-08-24 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-21 22:05 . 2009-08-21 22:05 -------- d-----w- c:\program files\iPod
2009-08-21 22:05 . 2009-08-21 22:06 -------- d-----w- c:\program files\iTunes
2009-08-21 01:24 . 2008-04-14 08:00 70144 -c--a-w- c:\windows\system32\dllcache\pintlphr.exe
2009-08-21 01:23 . 2008-04-14 08:00 42496 -c--a-w- c:\windows\system32\dllcache\davcdata.exe
2009-08-21 01:22 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-21 01:22 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-08-21 01:22 . 2009-06-29 11:07 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-21 01:22 . 2009-03-08 08:31 59904 -c--a-w- c:\windows\system32\dllcache\icardie.dll
2009-08-21 01:22 . 2009-03-08 08:11 445952 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dll
2009-08-21 01:22 . 2009-02-07 01:07 3698584 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dat
2009-08-21 01:22 . 2009-07-19 22:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-08-21 01:22 . 2008-04-14 08:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-08-21 01:20 . 2008-04-14 08:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2009-08-21 01:05 . 2001-08-17 20:13 27165 ----a-w- c:\windows\system32\drivers\fetnd5.sys
2009-08-21 00:58 . 2008-04-14 08:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2009-08-21 00:58 . 2008-04-14 08:00 13312 ----a-w- c:\windows\system32\irclass.dll
2009-08-21 00:58 . 2008-04-14 08:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2009-08-21 00:58 . 2008-04-14 08:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2009-08-21 00:56 . 2009-08-21 00:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\History
2009-08-20 21:15 . 2009-08-20 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-08-20 03:11 . 2009-08-20 03:11 -------- d-----w- c:\program files\Nero
2009-08-20 03:11 . 2009-08-20 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-08-20 03:11 . 2009-08-20 03:39 -------- d-----w- c:\program files\Common Files\Ahead
2009-08-20 02:34 . 2009-08-20 02:41 -------- d-----w- c:\program files\MagicISO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 22:51 . 2009-06-30 03:32 -------- d-----w- c:\documents and settings\us\Application Data\uTorrent
2009-08-21 22:05 . 2009-07-04 01:26 -------- d-----w- c:\program files\Common Files\Apple
2009-08-21 01:18 . 2009-06-29 22:57 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-21 01:17 . 2009-06-29 22:56 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-20 01:43 . 2009-07-19 20:03 -------- d-----w- c:\program files\Elaborate Bytes
2009-08-20 01:43 . 2009-07-19 20:26 -------- d-----w- c:\program files\VSO
2009-08-20 01:42 . 2009-07-19 20:27 -------- d-----w- c:\documents and settings\us\Application Data\Vso
2009-08-20 01:42 . 2009-07-19 20:27 47360 ----a-w- c:\documents and settings\us\Application Data\pcouffin.sys
2009-08-11 03:22 . 2009-07-19 20:00 -------- d-----w- c:\documents and settings\us\Application Data\Ahead
2009-08-11 00:30 . 2009-08-11 00:30 -------- d-----w- c:\program files\Free Audio Pack
2009-08-05 09:01 . 2008-04-14 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 17:28 . 2009-08-02 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-07-29 04:37 . 2008-04-14 08:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2008-04-14 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-26 17:54 . 2009-07-04 05:50 -------- d-----w- c:\program files\RegCure
2009-07-23 06:41 . 2009-07-04 01:28 -------- d-----w- c:\documents and settings\us\Application Data\Apple Computer
2009-07-23 06:00 . 2009-07-23 05:48 -------- d-----w- c:\program files\iDump (Freeware)
2009-07-23 05:38 . 2009-07-23 05:38 -------- d-----w- c:\documents and settings\us\Application Data\iPod2PC3
2009-07-22 14:41 . 2009-07-22 14:41 -------- d-----w- c:\program files\Western Digital
2009-07-22 14:41 . 2009-07-01 23:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-22 14:31 . 2009-07-22 14:31 -------- d-----w- c:\program files\Western Digital Corporation
2009-07-22 14:09 . 2009-06-30 14:15 69552 ----a-w- c:\documents and settings\us\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-21 17:50 . 2009-07-21 17:50 -------- d-----w- c:\documents and settings\us\Application Data\Talkback
2009-07-21 17:50 . 2009-07-21 17:50 -------- d-----w- c:\documents and settings\us\Application Data\Thunderbird
2009-07-20 20:37 . 2009-07-20 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-20 20:34 . 2009-07-20 20:34 -------- d-----w- c:\program files\Microsoft Works
2009-07-20 20:33 . 2009-07-20 20:33 -------- d-----w- c:\program files\MSBuild
2009-07-19 21:53 . 2009-07-19 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2009-07-19 20:27 . 2009-07-19 20:27 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-07-19 20:15 . 2009-07-19 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Elaborate Bytes
2009-07-19 20:03 . 2009-07-19 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2009-07-19 19:59 . 2009-07-19 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-07-19 19:55 . 2009-07-19 19:55 -------- d-----w- c:\program files\SlySoft
2009-07-19 14:26 . 2009-07-19 14:26 -------- d-----w- c:\documents and settings\us\Application Data\DivX
2009-07-19 01:44 . 2009-07-19 01:44 -------- d-----w- c:\program files\DivX
2009-07-19 01:44 . 2009-07-19 01:44 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-17 19:01 . 2008-04-14 08:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 02:06 . 2008-08-14 11:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
2009-07-14 03:43 . 2008-07-12 19:25 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-04 23:50 . 2009-07-04 23:50 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-03 17:09 . 2008-04-23 00:16 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-02 17:24 . 2009-07-02 17:24 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-06-30 17:33 . 2009-06-30 17:33 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-30 03:13 . 2009-06-30 03:13 0 ----a-w- c:\windows\nsreg.dat
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-07-19 288048]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-03-11 611712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-04 148888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-11-1 576104]

[HKLM\~\startupfolder\C:^Documents and Settings^us^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)
"Messenger"=2 (0x2)
"iPod Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Documents and Settings\\us\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"111:TCP"= 111:TCP:localhost

R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [7/4/2009 1:50 AM 389448]
S1 NGS;Norman General Security Driver;\??\c:\norman\nvc\bin\ngs.sys --> c:\norman\nvc\bin\ngs.sys [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 288112]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-15 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-10-16 08:20]

2009-09-10 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-10-16 08:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\us\Application Data\Mozilla\Firefox\Profiles\w4bjzvvi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}\components\Contribute.dll
FF - plugin: c:\documents and settings\us\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npContribute.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-CANONBJ_Deinstall_CNMCP61.DLL - c:\windows\system32\CNMCP61.exe -PRINTERNAMECanon PIXMA iP3000 -HELPERDLLc:\bjprinter\CNMWINDOWS\Canon PIXMA iP3000 Installer\Inst2\cnmis.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-14 20:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3920)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\scardsvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-15 20:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-15 00:17

Pre-Run: 50,706,030,592 bytes free
Post-Run: 51,456,864,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

256 --- E O F --- 2009-09-10 07:03



I hope you can make some sense out of this report and will be able to help me out. Again, thank you for your time and effort.

How do I get rid of that Norman driver so I can reinstall and activate Kaspersky?

Edited by jbowman123, 14 September 2009 - 07:31 PM.


#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 14 September 2009 - 09:54 PM

Hi jbowman123,


Click Start, then Run, type Notepad and click OK.
Open Notepad (don't use any text editor other than Notepad, or the script will fail).
Copy/paste the text in the code box below into Notepad:

File:: 
c:\norman\nvc\bin\ngs.sys 

Driver:: 
NGS


Name the Notepad file CFScript.txt and save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe (image not available)]


This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply.
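To show what a helper is looking for in the logs above (the random-named MSIVX* files and the Service_/Legacy_ remnants in post #3, the S1 NGS entry whose ngs.sys is missing and which the Driver:: line in the CFScript targets, and the "EnableFirewall"= 0 line), here is an added Python triage script. It is example code written for this page, not ComboFix's own code and not something the helper posted; the regular expressions are my own assumptions about the log's line formats, derived only from the lines shown in the thread, and the sample log is a constructed excerpt of those lines.

```python
"""Triage helper for ComboFix-style logs.

Added example for this thread; it is not ComboFix code and not something the
helper in the thread posted. It scans log text for three indicators that
appear in the logs above: the random-named MSIVX* components under system32,
driver/service entries whose binary is missing (ComboFix prints these as
'... --> <path> [?]'), and a firewall profile with EnableFirewall set to 0.
The line-format regexes below are assumptions based only on the posted logs.
"""
import re

# Constructed excerpt: lines copied from the ComboFix logs posted in the thread.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\MSIVXtoijeyxmlxbqujdlgdtonbohhcmjkvxj.sys
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXnoqgqruhmikpiofoylbetwqmbirquvxt.dll
c:\windows\system32\irclass.dll
-------\Service_MSIVXserv.sys
-------\Legacy_MSIVXserv.sys
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [7/4/2009 1:50 AM 389448]
S1 NGS;Norman General Security Driver;\??\c:\norman\nvc\bin\ngs.sys --> c:\norman\nvc\bin\ngs.sys [?]
"""

# Files under system32 (or system32\drivers) carrying the MSIVX prefix.
MSIVX_FILE = re.compile(
    r"^c:\\windows\\system32\\(?:drivers\\)?(MSIVX[A-Za-z0-9]+(?:\.(?:sys|dll))?)\s*$",
    re.IGNORECASE,
)
# Service_/Legacy_ registry remnants ComboFix lists under Drivers/Services.
MSIVX_REG = re.compile(r"^-------\\(Service|Legacy)_(MSIVX\S+)\s*$")
# Driver/service entry whose binary no longer exists on disk.
ORPHAN_DRIVER = re.compile(
    r"^([RS][0-4])\s+([^;]+);([^;]*);.*?-->\s*(.+?)\s+\[\?\]\s*$"
)
# Windows Firewall profile switched off.
FIREWALL_OFF = re.compile(r'^"EnableFirewall"\s*=\s*0\b')


def triage(log_text):
    """Return a list of (category, detail) findings, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MSIVX_FILE.match(line):
            findings.append(("msivx_file", m.group(1)))
        elif m := MSIVX_REG.match(line):
            findings.append(("msivx_registry", f"{m.group(1)}_{m.group(2)}"))
        elif m := ORPHAN_DRIVER.match(line):
            # Service name plus the missing path: the kind of entry the
            # CFScript 'Driver::' directive in the thread is used to remove.
            findings.append(("orphaned_driver", f"{m.group(2)} -> {m.group(4)}"))
        elif FIREWALL_OFF.match(line):
            findings.append(("firewall_disabled", line))
    return findings


def count_by_category(findings):
    """Collapse findings into {category: count} for a quick summary."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:18s} {detail}")
    print(count_by_category(triage(SAMPLE_LOG)))
```

Run against the excerpt it reports the three MSIVX files, the two registry remnants, the disabled firewall profile and the orphaned NGS driver, while the legitimate irclass.dll and the wwEngineSvc entry (whose binary is present) are left alone. The orphan check only fires on ComboFix's "--> path [?]" marker, so a service whose file exists is never flagged as a removal candidate.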

#5 jbowman123

jbowman123
  • Topic Starter

  • Members
  • 12 posts

Posted 15 September 2009 - 04:17 PM

I did as you requested and here is the ComboFix report:

ComboFix 09-09-14.02 - us 09/15/2009 16:52.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2015.1601 [GMT -4:00]
Running from: c:\documents and settings\us\Desktop\john.exe
Command switches used :: c:\documents and settings\us\Desktop\CFScript.txt

FILE ::
"c:\norman\nvc\bin\ngs.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NGS
-------\Service_NGS


((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.

2009-08-27 00:19 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-27 00:14 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-27 00:14 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-25 07:01 . 2009-08-25 07:01 -------- d-----w- c:\program files\MSXML 4.0
2009-08-24 21:33 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-24 21:33 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-24 21:33 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-24 21:32 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-08-24 21:30 . 2009-08-24 21:30 -------- d-----w- c:\program files\ERUNT
2009-08-24 21:11 . 2009-08-24 21:11 -------- d-----w- c:\documents and settings\us\Application Data\Malwarebytes
2009-08-24 21:10 . 2009-09-14 22:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-24 21:10 . 2009-08-24 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-21 22:05 . 2009-08-21 22:05 -------- d-----w- c:\program files\iPod
2009-08-21 22:05 . 2009-08-21 22:06 -------- d-----w- c:\program files\iTunes
2009-08-21 01:24 . 2008-04-14 08:00 70144 -c--a-w- c:\windows\system32\dllcache\pintlphr.exe
2009-08-21 01:23 . 2008-04-14 08:00 42496 -c--a-w- c:\windows\system32\dllcache\davcdata.exe
2009-08-21 01:22 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-21 01:22 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-08-21 01:22 . 2009-06-29 11:07 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-21 01:22 . 2009-03-08 08:31 59904 -c--a-w- c:\windows\system32\dllcache\icardie.dll
2009-08-21 01:22 . 2009-03-08 08:11 445952 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dll
2009-08-21 01:22 . 2009-02-07 01:07 3698584 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dat
2009-08-21 01:22 . 2009-07-19 22:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-08-21 01:22 . 2008-04-14 08:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-08-21 01:20 . 2008-04-14 08:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2009-08-21 01:05 . 2001-08-17 20:13 27165 ----a-w- c:\windows\system32\drivers\fetnd5.sys
2009-08-21 00:58 . 2008-04-14 08:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2009-08-21 00:58 . 2008-04-14 08:00 13312 ----a-w- c:\windows\system32\irclass.dll
2009-08-21 00:58 . 2008-04-14 08:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2009-08-21 00:58 . 2008-04-14 08:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2009-08-21 00:56 . 2009-08-21 00:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\History
2009-08-20 21:15 . 2009-08-20 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-08-20 03:11 . 2009-08-20 03:11 -------- d-----w- c:\program files\Nero
2009-08-20 03:11 . 2009-08-20 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-08-20 03:11 . 2009-08-20 03:39 -------- d-----w- c:\program files\Common Files\Ahead
2009-08-20 02:34 . 2009-08-20 02:41 -------- d-----w- c:\program files\MagicISO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-15 00:15 . 2009-06-30 03:32 -------- d-----w- c:\documents and settings\us\Application Data\uTorrent
2009-08-21 22:05 . 2009-07-04 01:26 -------- d-----w- c:\program files\Common Files\Apple
2009-08-21 01:18 . 2009-06-29 22:57 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-21 01:17 . 2009-06-29 22:56 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-20 01:43 . 2009-07-19 20:03 -------- d-----w- c:\program files\Elaborate Bytes
2009-08-20 01:43 . 2009-07-19 20:26 -------- d-----w- c:\program files\VSO
2009-08-20 01:42 . 2009-07-19 20:27 -------- d-----w- c:\documents and settings\us\Application Data\Vso
2009-08-20 01:42 . 2009-07-19 20:27 47360 ----a-w- c:\documents and settings\us\Application Data\pcouffin.sys
2009-08-11 03:22 . 2009-07-19 20:00 -------- d-----w- c:\documents and settings\us\Application Data\Ahead
2009-08-11 00:30 . 2009-08-11 00:30 -------- d-----w- c:\program files\Free Audio Pack
2009-08-05 09:01 . 2008-04-14 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 17:28 . 2009-08-02 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-07-29 04:37 . 2008-04-14 08:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2008-04-14 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-26 17:54 . 2009-07-04 05:50 -------- d-----w- c:\program files\RegCure
2009-07-23 06:41 . 2009-07-04 01:28 -------- d-----w- c:\documents and settings\us\Application Data\Apple Computer
2009-07-23 06:00 . 2009-07-23 05:48 -------- d-----w- c:\program files\iDump (Freeware)
2009-07-23 05:38 . 2009-07-23 05:38 -------- d-----w- c:\documents and settings\us\Application Data\iPod2PC3
2009-07-22 14:41 . 2009-07-22 14:41 -------- d-----w- c:\program files\Western Digital
2009-07-22 14:41 . 2009-07-01 23:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-22 14:31 . 2009-07-22 14:31 -------- d-----w- c:\program files\Western Digital Corporation
2009-07-22 14:09 . 2009-06-30 14:15 69552 ----a-w- c:\documents and settings\us\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-21 17:50 . 2009-07-21 17:50 -------- d-----w- c:\documents and settings\us\Application Data\Talkback
2009-07-21 17:50 . 2009-07-21 17:50 -------- d-----w- c:\documents and settings\us\Application Data\Thunderbird
2009-07-20 20:37 . 2009-07-20 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-20 20:34 . 2009-07-20 20:34 -------- d-----w- c:\program files\Microsoft Works
2009-07-20 20:33 . 2009-07-20 20:33 -------- d-----w- c:\program files\MSBuild
2009-07-19 21:53 . 2009-07-19 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2009-07-19 20:27 . 2009-07-19 20:27 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-07-19 20:15 . 2009-07-19 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Elaborate Bytes
2009-07-19 20:03 . 2009-07-19 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2009-07-19 19:59 . 2009-07-19 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-07-19 19:55 . 2009-07-19 19:55 -------- d-----w- c:\program files\SlySoft
2009-07-19 14:26 . 2009-07-19 14:26 -------- d-----w- c:\documents and settings\us\Application Data\DivX
2009-07-19 01:44 . 2009-07-19 01:44 -------- d-----w- c:\program files\DivX
2009-07-19 01:44 . 2009-07-19 01:44 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-17 19:01 . 2008-04-14 08:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 02:06 . 2008-08-14 11:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
2009-07-14 03:43 . 2008-07-12 19:25 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-04 23:50 . 2009-07-04 23:50 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-03 17:09 . 2008-04-23 00:16 915456 ------w- c:\windows\system32\wininet.dll
2009-07-02 17:24 . 2009-07-02 17:24 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-06-30 17:33 . 2009-06-30 17:33 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-30 03:13 . 2009-06-30 03:13 0 ----a-w- c:\windows\nsreg.dat
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-09-15_00.12.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-15 21:04 . 2009-09-15 21:04 16384 c:\windows\temp\Perflib_Perfdata_2a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-07-19 288048]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-03-11 611712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-04 148888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-11-1 576104]

[HKLM\~\startupfolder\C:^Documents and Settings^us^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)
"Messenger"=2 (0x2)
"iPod Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Documents and Settings\\us\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"111:TCP"= 111:TCP:localhost

R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [7/4/2009 1:50 AM 389448]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 288112]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-15 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-10-16 08:20]

2009-09-10 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-10-16 08:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\us\Application Data\Mozilla\Firefox\Profiles\w4bjzvvi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}\components\Contribute.dll
FF - plugin: c:\documents and settings\us\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npContribute.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-15 17:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3232)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\scardsvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-15 17:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-15 21:10

Pre-Run: 51,437,977,600 bytes free
Post-Run: 51,404,279,808 bytes free

230 --- E O F --- 2009-09-10 07:03


I want to thank you for taking the time to help me. I appreciate it very much :(

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:53 AM

Posted 15 September 2009 - 04:53 PM

Hi,

Now we look for stragglers.

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post even if it finds nothing.
You can refer to this animation by sundavis if needed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 jbowman123

jbowman123
  • Topic Starter

  • Members
  • 12 posts
  • Local time:01:53 PM

Posted 20 September 2009 - 03:28 AM

Hi Sifu,
sorry it took so long to get back to you; that scan seemed to take forever.
Every time I started it either my browser crashed or the electric would go off, but I finally got it done and here is the log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, September 19, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, September 17, 2009 12:02:04
Records in database: 2838743
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
X:\
Z:\

Scan statistics:
Objects scanned: 314324
Threats found: 3
Infected objects found: 6
Suspicious objects found: 0
Scan duration: 34:40:12


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\MSIVXtoijeyxmlxbqujdlgdtonbohhcmjkvxj.sys.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\MSIVXnoqgqruhmikpiofoylbetwqmbirquvxt.dll.vir Infected: Trojan.Win32.Agent2.kuh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\MSIVXyuwlgmetqlmhvvagfingdyjdfrlqpsxw.dll.vir Infected: Trojan.Win32.Agent2.kug 1
C:\System Volume Information\_restore{CB830441-C5A3-4208-AA5A-A74AD89F4635}\RP28\A0003005.dll Infected: Trojan.Win32.Agent2.kug 1
C:\System Volume Information\_restore{CB830441-C5A3-4208-AA5A-A74AD89F4635}\RP28\A0003006.sys Infected: Packed.Win32.TDSS.z 1
C:\System Volume Information\_restore{CB830441-C5A3-4208-AA5A-A74AD89F4635}\RP28\A0003007.dll Infected: Trojan.Win32.Agent2.kuh 1

Selected area has been scanned.

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:53 AM

Posted 20 September 2009 - 11:29 AM

Hi jbowman123,

Looks good. :(
Everything Kaspersky found was either previously quarantined files or previously deleted files stored in your system restore folder.

I think we have you clean.

How is your computer running?

We still have a clean up step to do.
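Added example (not part of SifuMike's reply and not a BleepingComputer or Kaspersky tool): a small Python helper that parses the Kaspersky Online Scanner 7.0 report format posted above and applies the same triage rule SifuMike uses, that a detection sitting in ComboFix's Qoobox quarantine or in a System Restore point (System Volume Information\_restore) is an inert copy, while anything elsewhere is a live file that still needs attention. The six detection lines and the statistics are copied from the report above; the extra "live" line is constructed purely to show the contrast, and the function and class names are my own. It also cross-checks the detection list against the "Threats found" and "Infected objects found" counters, a quick consistency test when a log has been pasted by hand.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Six detection lines and statistics copied from the Kaspersky report posted above.
SAMPLE_REPORT = r"""
Scan statistics:
Objects scanned: 314324
Threats found: 3
Infected objects found: 6
Suspicious objects found: 0

File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\MSIVXtoijeyxmlxbqujdlgdtonbohhcmjkvxj.sys.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\MSIVXnoqgqruhmikpiofoylbetwqmbirquvxt.dll.vir Infected: Trojan.Win32.Agent2.kuh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\MSIVXyuwlgmetqlmhvvagfingdyjdfrlqpsxw.dll.vir Infected: Trojan.Win32.Agent2.kug 1
C:\System Volume Information\_restore{CB830441-C5A3-4208-AA5A-A74AD89F4635}\RP28\A0003005.dll Infected: Trojan.Win32.Agent2.kug 1
C:\System Volume Information\_restore{CB830441-C5A3-4208-AA5A-A74AD89F4635}\RP28\A0003006.sys Infected: Packed.Win32.TDSS.z 1
C:\System Volume Information\_restore{CB830441-C5A3-4208-AA5A-A74AD89F4635}\RP28\A0003007.dll Infected: Trojan.Win32.Agent2.kuh 1
"""

# CONSTRUCTED line (not from the report): a detection outside quarantine/restore points.
CONSTRUCTED_LIVE_LINE = r"C:\Documents and Settings\us\Local Settings\Temp\constructed-sample.exe Infected: Constructed.Sample.Threat 1"

# A detection line is "<path> Infected: <threat> <count>"; the path may contain
# spaces, so the match is anchored on the literal "Infected:" token.
DETECTION_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")
STAT_RE = re.compile(r"^(Objects scanned|Threats found|Infected objects found|Suspicious objects found):\s+(\d+)\s*$")


@dataclass
class Detection:
    path: str
    threat: str
    count: int
    location: str  # "quarantine", "restore_point" or "live"


def classify_path(path: str) -> str:
    """Where the flagged file lives decides whether it is an active threat."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:            # ComboFix quarantine: already neutralised
        return "quarantine"
    if "\\system volume information\\_restore" in p:  # System Restore snapshot copy
        return "restore_point"
    return "live"


def parse_report(text: str) -> List[Detection]:
    """Extract every detection line from a Kaspersky Online Scanner 7.0 report."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"]), classify_path(m["path"])))
    return found


def parse_stats(text: str) -> Dict[str, int]:
    """Pull the numeric counters out of the 'Scan statistics' block."""
    stats = {}
    for line in text.splitlines():
        m = STAT_RE.match(line.strip())
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def triage(detections: List[Detection]) -> Dict[str, List[Detection]]:
    """Group detections by where they were found."""
    groups: Dict[str, List[Detection]] = {"quarantine": [], "restore_point": [], "live": []}
    for d in detections:
        groups[d.location].append(d)
    return groups


def needs_action(detections: List[Detection]) -> bool:
    """True only if something was found outside quarantine and restore points."""
    return any(d.location == "live" for d in detections)


def report_is_consistent(text: str) -> bool:
    """Detection lines should add up to the report's own counters."""
    dets, stats = parse_report(text), parse_stats(text)
    return (sum(d.count for d in dets) == stats.get("Infected objects found")
            and len({d.threat for d in dets}) == stats.get("Threats found"))


if __name__ == "__main__":
    groups = triage(parse_report(SAMPLE_REPORT))
    for where, items in groups.items():
        print(f"{where}: {len(items)}")
    print("needs action:", needs_action(parse_report(SAMPLE_REPORT)))
```

With only the report's own six lines, `needs_action` is False, which matches the "Looks good" verdict above; appending the constructed live line flips it to True. The classifier is deliberately conservative: an unrecognised location is treated as live rather than dismissed.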

#9 jbowman123

jbowman123
  • Topic Starter

  • Members
  • 12 posts
  • Local time:01:53 PM

Posted 20 September 2009 - 06:10 PM

Right now it seems to be running fine, and I can see all my hard drives in Disk Manager. I haven't tried to reinstall Kaspersky Antivirus to see if it will let me activate it yet; I was waiting for you to let me know it was OK.
Thank you for all your help.

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:53 AM

Posted 20 September 2009 - 06:45 PM

Hi

You can reinstall kaspersky antivirus. Let me know how it goes.

We still have to do some program clean up.

#11 jbowman123

jbowman123
  • Topic Starter

  • Members
  • 12 posts
  • Local time:01:53 PM

Posted 21 September 2009 - 06:05 PM

I reinstalled Kaspersky and this time it let me activate it; it updated like it was supposed to. I believe I am ready to make the finishing touches.

Thanks again for your time and patience and your knowledge. My daughters appreciate you and I appreciate you. They can finally play their games without any problems :(

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:53 AM

Posted 21 September 2009 - 08:12 PM

Hi jbowman123,

You're very welcome. :(

Now we do the program clean up.

You can delete RootRepeal from the desktop.


Remove Combofix now that we're done with it. I think you renamed it John.exe
  • Click on your Start Menu, then Run....
  • Now type John /u in the runbox and click OK. Notice the space between the "x" and "/".
  • When shown the disclaimer, Select "2"
This will remove files/folders associated with ComboFix and uninstall it.


Please read and follow
How did I get infected?, With steps so it does not happen again!
as well as
'How to prevent Malware' by miekiemoes

If you want to improve speed/system performance after malware removal, take a look here.

Now you're good to go! :(

Edited by SifuMike, 21 September 2009 - 08:16 PM.


#13 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:53 AM

Posted 01 October 2009 - 01:52 PM

Since your problem appears to be resolved, this thread will now be closed.