
Hijack.WindowsUpdates and Rootkit problem


  • This topic is locked
4 replies to this topic

#1 blue_guitar

blue_guitar

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:37 AM

Posted 19 September 2009 - 06:56 AM

Hi all

I followed instructions to use "wipe file" to remove C:\WINDOWS\system32\drivers\623ef727.sys via RootRepeal, in addition to repeated attempts to remove it with Malwarebytes, with no joy.

I have now been advised to post my RootRepeal and HijackThis logs here.




___HJT LOG___


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:22:09, on 17/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
G:\BitComet\BitComet.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.rapidshare.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: M-Audio Audiophile Installer (MAudioAudiophileService) - Unknown owner - C:\Program Files\M-Audio\Audiophile USB\MAUSBAPInst.exe (file missing)
O23 - Service: mbamservice - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - C:\Program Files\ReaConverter 5.5 Pro\rcp_scheduler.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\Windows Live\Messenger\usnsvc.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 11466 bytes


___RootRepeal Log___



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/15 00:28
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 623ef727.sys
Image Path: C:\WINDOWS\System32\drivers\623ef727.sys
Address: 0xA88C8000 Size: 89472 File Visible: No Signed: -
Status: -

Name: awf8kaq1.SYS
Image Path: C:\WINDOWS\System32\Drivers\awf8kaq1.SYS
Address: 0xB9468000 Size: 303104 File Visible: No Signed: -
Status: -

Name: azfg18dj.SYS
Image Path: C:\WINDOWS\System32\Drivers\azfg18dj.SYS
Address: 0xB9401000 Size: 421888 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA87ED000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79BF000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_HAL
Image Path: \Driver\PCI_HAL
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: PCI_NTPNP6896
Image Path: \Driver\PCI_NTPNP6896
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7040000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\$ntservicepackuninstall$\ndis.sys
Status: Size mismatch (API: 182656, Raw: 182912)

Path: c:\windows\system32\dllcache\ndis.sys
Status: Size mismatch (API: 182656, Raw: 212224)

Path: C:\WINDOWS\system32\drivers\623ef727.sys
Status: Locked to the Windows API!

Path: c:\windows\system32\drivers\ndis.sys
Status: Size mismatch (API: 182656, Raw: 212224)

Path: c:\windows\system32\drivers\btwdndis.sys
Status: Size mismatch (API: 182656, Raw: 148040)

Path: c:\program files\belkin\bluetooth software\bin\btwdndis.sys
Status: Size mismatch (API: 182656, Raw: 148040)

Path: C:\Documents and Settings\Andi\Application Data\Mozilla\Firefox\Profiles\vieeyh96.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Andi\Application Data\Macromedia\Flash Player\#SharedObjects\RUW5QJFD\void.snocap.com\s
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Andi\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Andi\Local Settings\Application Data\Microsoft\Messenger\""@hotmail.com\SharingMetadata\@hotmail.com\DFSR\Staging\CS{84DA029C-1CF0-33C9-5D50-FFB988005A90}\51\54-{B2~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Andi\Local Settings\Application Data\Microsoft\Messenger\""@hotmail.com\SharingMetadata\@hotmail.com\DFSR\Staging\CS{84DA029C-1CF0-33C9-5D50-FFB988005A90}\57\57-{B2~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Andi\Local Settings\Application Data\Microsoft\Messenger\"".com\SharingMetadata\@hotmail.com\DFSR\Staging\CS{84DA029C-1CF0-33C9-5D50-FFB988005A90}\88\88-{B2~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Andi\Local Settings\Application Data\Microsoft\Messenger\""@hotmail.com\SharingMetadata\@hotmail.com\DFSR\Staging\CS{64B52F20-5482-94B6-5230-8DB63D85EDAF}\90\90-{B2A4E617-30D1-41AC-9EC8-40764E720D0F}-v90-{B2A4E617-30D1-41AC-9EC8-40764E720D0F}-v90-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Andi\Local Settings\Application Data\Microsoft\Messenger\""@hotmail.com\SharingMetadata\@hotmail.com\DFSR\Staging\CS{64B52F20-5482-94B6-5230-8DB63D85EDAF}\91\91-{B2~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Andi\Local Settings\Application Data\Microsoft\Messenger\""@hotmail.com\SharingMetadata\@hotmail.com\DFSR\Staging\CS{64B52F20-5482-94B6-5230-8DB63D85EDAF}\93\93-{B2A4E617-30D1-41AC-9EC8-40764E720D0F}-v93-{B2A4E617-30D1-41AC-9EC8-40764E720D0F}-v93-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Andi\Local Settings\Application Data\Microsoft\Messenger\""@hotmail.com\SharingMetadata\@hotmail.com\DFSR\Staging\CS{64B52F20-5482-94B6-5230-8DB63D85EDAF}\96\96-{B2A4E617-30D1-41AC-9EC8-40764E720D0F}-v96-{B2A4E617-30D1-41AC-9EC8-40764E720D0F}-v96-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 035 Function Name: NtCreateEvent
Status: Hooked by "C:\WINDOWS\System32\drivers\623ef727.sys" at address 0xa88ce915

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\drivers\623ef727.sys" at address 0xa88cc905

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf74f2fb2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf74f3340

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\drivers\623ef727.sys" at address 0xa88cc9c5

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf74f3418

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xf74f3298

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf7667bfe

Stealth Objects
-------------------
Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 2992) Address: 0x01000000 Size: 20480

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 672) Address: 0x01000000 Size: 20480

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8ab031e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8ab031e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8ab031e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8ab031e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8ab031e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8ab031e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8ab031e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ab031e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8ab031e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8ab031e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8ab031e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8ab031e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ab031e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ab031e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8ab031e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8ab031e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8ab031e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8ab031e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8ab031e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8ab031e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8ab031e8 Size: 121

Object: Hidden Code [Driver: azfg18djȅ敓摓ȁఅ瑎獆錐訠, IRP_MJ_CREATE]
Process: System Address: 0x8a8f2790 Size: 121

Object: Hidden Code [Driver: azfg18djȅ敓摓ȁఅ瑎獆錐訠, IRP_MJ_CLOSE]
Process: System Address: 0x8a8f2790 Size: 121

Object: Hidden Code [Driver: azfg18djȅ敓摓ȁఅ瑎獆錐訠, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8f2790 Size: 121

Object: Hidden Code [Driver: azfg18djȅ敓摓ȁఅ瑎獆錐訠, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8f2790 Size: 121

Object: Hidden Code [Driver: azfg18djȅ敓摓ȁఅ瑎獆錐訠, IRP_MJ_POWER]
Process: System Address: 0x8a8f2790 Size: 121

Object: Hidden Code [Driver: azfg18djȅ敓摓ȁఅ瑎獆錐訠, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8f2790 Size: 121

Object: Hidden Code [Driver: azfg18djȅ敓摓ȁఅ瑎獆錐訠, IRP_MJ_PNP]
Process: System Address: 0x8a8f2790 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a8ef1e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a8ef1e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a8ef1e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a8ef1e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a8ef1e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8ef1e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8ef1e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a8ef1e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a8ef1e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8ef1e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a8ef1e8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x8a7c1368 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x8a7c1368 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x8a7c1368 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x8a7c1368 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7c1368 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a7c1368 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x8a7c1368 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a7c1368 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x8a7c1368 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8ab061e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8ab061e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8ab061e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8ab061e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ab061e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ab061e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ab061e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ab061e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8ab061e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ab061e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8ab061e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8a9005d0 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8a9005d0 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a9005d0 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a9005d0 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8a9005d0 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a9005d0 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8a9005d0 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8ab071e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8ab071e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8ab071e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ab071e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ab071e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ab071e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ab071e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8ab071e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8ab071e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ab071e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8ab071e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8a817790 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8a817790 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a817790 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a817790 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8a817790 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8a817790 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a8dd1e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a8dd1e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8dd1e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8dd1e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a8dd1e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8dd1e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a8dd1e8 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_CREATE]
Process: System Address: 0x8a6c61e8 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_CLOSE]
Process: System Address: 0x8a6c61e8 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a6c61e8 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a6c61e8 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_POWER]
Process: System Address: 0x8a6c61e8 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a6c61e8 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_PNP]
Process: System Address: 0x8a6c61e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8a967468 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ奓䅓v, IRP_MJ_CREATE]
Process: System Address: 0x8a7613e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ奓䅓v, IRP_MJ_CLOSE]
Process: System Address: 0x8a7613e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ奓䅓v, IRP_MJ_READ]
Process: System Address: 0x8a7613e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ奓䅓v, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a7613e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ奓䅓v, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a7613e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ奓䅓v, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a7613e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ奓䅓v, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a7613e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ奓䅓v, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a7613e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ奓䅓v, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7613e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ奓䅓v, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a7613e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ奓䅓v, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a7613e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ奓䅓v, IRP_MJ_CLEANUP]
Process: System Address: 0x8a7613e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ奓䅓v, IRP_MJ_PNP]
Process: System Address: 0x8a7613e8 Size: 121

Hidden Services
-------------------
Service Name: 623ef727
Image Path: C:\WINDOWS\System32\drivers\623ef727.sys

==EOF==





_____________________



Thanks in advance for assistance.



blue_guitar



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:37 PM

Posted 20 September 2009 - 11:55 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 blue_guitar

blue_guitar
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:37 AM

Posted 24 September 2009 - 05:03 AM

Hi Sam

Thanks for your help and assistance. I ran ComboFix, and the C:\WINDOWS\System32\drivers\623ef727.sys problem I was having has successfully been disinfected.

I then ran a quick scan with Malwarebytes and found that the Hijack.WindowsUpdates problems still appear to be present.



Relevant info can be found in my Malwarebytes log (included below).



_____Combofix Log______


ComboFix 09-09-22.03 - Andi 23/09/2009 13:08.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1328 [GMT 1:00]
Running from: c:\documents and settings\Andi\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.


c:\documents and settings\Andi\Application Data\IUpd721
c:\documents and settings\Andi\Application Data\IUpd721\Logs\scns.log
c:\documents and settings\Andi\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\INSTALL.LOG
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\temp\DIV55
c:\temp\DIV55\xDb.log
C:\test.txt
c:\windows\Installer\10b53c.msi
c:\windows\Installer\1326b3f.msi
c:\windows\Installer\3822f6.msi
c:\windows\Installer\39aa803.msp
c:\windows\Installer\39aa804.msp
c:\windows\Installer\39aa805.msp
c:\windows\Installer\39aa806.msp
c:\windows\Installer\39aa807.msp
c:\windows\Installer\39aa808.msp
c:\windows\Installer\39aa809.msp
c:\windows\Installer\39aa80a.msp
c:\windows\Installer\39aa80b.msp
c:\windows\Installer\40e467.msi
c:\windows\Installer\40e46e.msi
c:\windows\Installer\40e475.msi
c:\windows\Installer\40e47c.msi
c:\windows\Installer\40e483.msi
c:\windows\Installer\5b761.msi
c:\windows\Installer\659dee9.msi
c:\windows\Installer\73a4a.msi
c:\windows\Installer\83b6b.msi
c:\windows\Installer\9f357.msi
c:\windows\Installer\9f35c.msi
c:\windows\run.log
c:\windows\system32\bsrmgcv.dll
c:\windows\system32\bsrmgps.dll
c:\windows\system32\drivers\623ef727.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\fakugupu.dll
c:\windows\system32\jegulufo.dll
c:\windows\system32\kvkqkrlk.ini
c:\windows\system32\msvcsv60.dll
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\riwumagu.dll
c:\windows\system32\scvpyqmf.ini
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\UA000106.DLL
G:\autorun.inf

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ndis.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF
-------\Service_623ef727


((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))
.

2009-09-17 16:21 . 2009-09-17 16:21 -------- d-----w- c:\program files\Trend Micro
2009-09-13 08:16 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-13 07:39 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-13 07:39 . 2009-09-13 07:39 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-08 12:56 . 2009-09-08 12:56 182656 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-09-04 16:15 . 2009-09-04 16:15 -------- d-----w- c:\documents and settings\Andi\Local Settings\Application Data\{47B65E0C-2685-4213-A6A3-6F8688B40858}
2009-09-01 11:27 . 2009-09-01 11:27 -------- d-----w- c:\program files\LittleWing

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-23 07:08 . 2008-01-16 02:51 -------- d-----w- c:\documents and settings\Andi\Application Data\Skype
2009-09-15 09:28 . 2008-10-12 07:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 07:38 . 2007-10-06 21:13 -------- d-----w- c:\program files\Lavasoft
2009-09-13 07:38 . 2007-10-06 21:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-10 13:54 . 2008-10-12 07:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2008-10-12 07:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 12:56 . 2006-02-28 12:00 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-09-02 12:23 . 2007-09-14 02:30 37010 ----a-w- c:\documents and settings\Andi\Application Data\wklnhst.dat
2009-08-16 02:33 . 2007-09-10 23:26 46520 ----a-w- c:\documents and settings\Andi\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-16 02:11 . 2009-08-16 02:11 -------- d-----w- c:\program files\MSBuild
2009-08-16 02:11 . 2009-08-16 02:11 -------- d-----w- c:\program files\Reference Assemblies
2009-08-15 08:24 . 2009-04-08 01:39 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-15 08:24 . 2009-04-08 01:39 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-15 08:24 . 2009-04-08 01:39 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-05 09:01 . 2006-02-28 12:00 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-07-27 14:30 . 2007-09-10 23:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-26 21:34 . 2007-09-11 11:57 192 ----a-w- c:\windows\msocreg32.dat
2009-07-17 19:01 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2006-02-28 12:00 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2006-02-28 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-02-28 12:00 17408 ------w- c:\windows\system32\corpol.dll
2007-11-26 15:36 . 2008-08-23 12:59 17546280 ----a-w- c:\program files\Service Center Setup.exe
2007-11-01 10:04 . 2008-08-18 08:22 9470 ----a-w- c:\program files\Readme.txt
2007-10-31 15:19 . 2008-05-20 21:21 47129 ----a-w- c:\program files\licencereg.txt
2007-09-14 21:10 . 2007-09-14 21:10 2873 ----a-w- c:\program files\unins000.dat
2007-09-14 21:09 . 2007-09-14 21:10 678682 ----a-w- c:\program files\unins000.exe
2005-09-14 10:58 . 2005-09-09 12:08 20480 ----a-w- c:\program files\Common Files\UninstallDrv.exe
.

------- Sigcheck -------

[-] 2009-09-08 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys
[-] 2009-09-08 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys
[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2006-02-28 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\$NtServicePackUninstall$\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"tsnp2std"="c:\windows\tsnp2std.exe" [2005-08-17 90112]
"snp2std"="c:\windows\vsnp2std.exe" [2005-08-16 339968]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-05 185872]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-15 2007832]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2006-12-09 61440]
"UVS12 Preload"="c:\program files\Corel\Corel VideoStudio 12\uvPL.exe" [2008-06-09 397456]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-03-21 16126464]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"bcmwltry"="bcmwltry.exe" - c:\windows\system32\bcmwltry.exe [2003-07-25 462848]
"RemoveCpl"="RemoveCpl.exe" - c:\windows\system32\RemoveCpl.exe [2003-01-14 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Andi\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\Belkin\Bluetooth Software\BTTray.exe [2005-8-24 577597]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-17 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-15 08:24 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"=DrvTrNTm.dll
"mixer"=DrvTrNTm.dll
"midi3"=KORGUMDD.DRV
"midi2"=usbnp4x4.dll
"MIDI10"=diomidi.dll
"wave10"=Digi32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:3\\BitComet_0.63\\BitComet.exe"=
"g:\\BitComet\\BitComet.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\RadLight Company\\RadLight 4.0\\rlkernel.exe"=
"C:2\\BitComet\\BitComet.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:7\\BitComet\\BitComet.exe"=
"c:\\Program Files\\NextUp-Acapela\\bin\\acatel_srv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18993:TCP"= 18993:TCP:BitComet 18993 TCP
"18993:UDP"= 18993:UDP:BitComet 18993 UDP
"24063:TCP"= 24063:TCP:BitComet 24063 TCP
"24063:UDP"= 24063:UDP:BitComet 24063 UDP
"18508:TCP"= 18508:TCP:BitComet 18508 TCP
"18508:UDP"= 18508:UDP:BitComet 18508 UDP
"19690:TCP"= 19690:TCP:BitComet 19690 TCP
"19690:UDP"= 19690:UDP:BitComet 19690 UDP
"16716:TCP"= 16716:TCP:BitComet 16716 TCP
"16716:UDP"= 16716:UDP:BitComet 16716 UDP
"12193:TCP"= 12193:TCP:BitComet 12193 TCP
"12193:UDP"= 12193:UDP:BitComet 12193 UDP
"12047:TCP"= 12047:TCP:BitComet 12047 TCP
"12047:UDP"= 12047:UDP:BitComet 12047 UDP
"8819:TCP"= 8819:TCP:BitComet 8819 TCP
"8819:UDP"= 8819:UDP:BitComet 8819 UDP
"21516:TCP"= 21516:TCP:BitComet 21516 TCP
"21516:UDP"= 21516:UDP:BitComet 21516 UDP
"10640:TCP"= 10640:TCP:BitComet 10640 TCP
"10640:UDP"= 10640:UDP:BitComet 10640 UDP
"11392:TCP"= 11392:TCP:BitComet 11392 TCP
"11392:UDP"= 11392:UDP:BitComet 11392 UDP
"18061:TCP"= 18061:TCP:BitComet 18061 TCP
"18061:UDP"= 18061:UDP:BitComet 18061 UDP
"23021:TCP"= 23021:TCP:BitComet 23021 TCP
"23021:UDP"= 23021:UDP:BitComet 23021 UDP
"18707:TCP"= 18707:TCP:BitComet 18707 TCP
"18707:UDP"= 18707:UDP:BitComet 18707 UDP
"15842:TCP"= 15842:TCP:BitComet 15842 TCP
"15842:UDP"= 15842:UDP:BitComet 15842 UDP
"25508:TCP"= 25508:TCP:BitComet 25508 TCP
"25508:UDP"= 25508:UDP:BitComet 25508 UDP
"26521:TCP"= 26521:TCP:BitComet 26521 TCP
"26521:UDP"= 26521:UDP:BitComet 26521 UDP
"16059:TCP"= 16059:TCP:BitComet 16059 TCP
"16059:UDP"= 16059:UDP:BitComet 16059 UDP
"26071:TCP"= 26071:TCP:BitComet 26071 TCP
"26071:UDP"= 26071:UDP:BitComet 26071 UDP

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [13/09/2009 08:39 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/04/2009 02:39 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [08/04/2009 02:39 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [08/04/2009 02:37 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/04/2009 02:37 297752]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [11/04/2009 18:35 11776]
R2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1029456]
R2 mbamservice;mbamservice;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/10/2008 08:53 269648]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
R3 mbamprotector;mbamprotector;c:\windows\system32\drivers\mbam.sys [12/10/2008 08:53 19160]
S2 MAudioAudiophileService;M-Audio Audiophile Installer;c:\program files\M-Audio\Audiophile USB\MAUSBAPInst.exe --> c:\program files\M-Audio\Audiophile USB\MAUSBAPInst.exe [?]
S3 Hpnrava;Hpnrava; [x]
S3 KORGUMDS;KORG USB-MIDI Driver for Windows XP;c:\windows\system32\drivers\KORGUMDS.SYS [12/07/2004 02:05 12544]
S3 ma763003;M-Audio Audiophile;c:\windows\system32\drivers\MA763003.sys --> c:\windows\system32\drivers\MA763003.sys [?]
S3 MADFU003;MADFU003;c:\windows\system32\drivers\MADFU003.sys [05/10/2008 00:24 75912]
S3 MAUSBAP;Service for M-Audio Audiophile (WDM);c:\windows\system32\DRIVERS\mausbap.sys --> c:\windows\system32\DRIVERS\mausbap.sys [?]
S3 rcp_service;ReaConverter scheduler service;c:\program files\ReaConverter 5.5 Pro\rcp_scheduler.exe [30/11/2007 12:27 558592]
S3 USBNP4X4;M-Audio Audiophile USB Midi;c:\windows\system32\drivers\usbnp4x4.sys --> c:\windows\system32\drivers\usbnp4x4.sys [?]
S3 WDM_Capture_220A;DVB-T TV Receiver;c:\windows\system32\drivers\WDM_Capture_220A.sys [15/09/2007 00:11 18432]
S3 WDM_Loader_220A;DVB-T TV Loader;c:\windows\system32\drivers\WDM_Loader_220A.sys [15/09/2007 00:10 15488]
S4 Dhcsippcfmws;Dhcsippcfmws; [x]
S4 Wan61exauiwh;Wan61exauiwh; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2008-10-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-09-23 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Andi.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-10-12 13:53]

2009-09-23 c:\windows\Tasks\Malwarebytes' Scheduled Update for Andi.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-10-12 13:53]

2009-09-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: &d&ownload &with bitcomet - g:\bitcomet\BitComet.exe/AddLink.htm
IE: &d&ownload all video with bitcomet - g:\bitcomet\BitComet.exe/AddVideo.htm
IE: &d&ownload all with bitcomet - g:\bitcomet\BitComet.exe/AddAllLink.htm
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Send To &Bluetooth - c:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: rapidshare.com
FF - ProfilePath - c:\documents and settings\Andi\Application Data\Mozilla\Firefox\Profiles\vieeyh96.default\
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/?p=us
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XUL Cache: {47B65E0C-2685-4213-A6A3-6F8688B40858} - c:\documents and settings\Andi\Local Settings\Application Data\{47B65E0C-2685-4213-A6A3-6F8688B40858}\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{F7E5369E-BB20-4574-AEBA-F02E7CAF6F6D} - c:\windows\system32\winel77.dll
AddRemove-Microsoft .NET Framework 2.0 - c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe




**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-23 13:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1275210071-2025429265-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{270CB4B0-7574-9487-F8EC-70DE6FC0D339}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"eafmaapdjc"=hex:66,61,64,6d,61,6a,6e,6e,6d,6c,69,6f,00,31
"dammhocn"=hex:64,62,6a,6b,67,62,6b,6c,6f,6d,6b,67,63,6a,64,61,65,69,64,69,6f,
6e,6d,62,63,6a,63,68,64,64,6d,6f,62,6f,61,70,62,69,63,66,00,00
"ianiaigmhhckjjgoni"=hex:6a,61,63,69,6e,61,6a,67,66,63,63,63,65,67,64,6f,6c,62,
6c,64,00,00
"halkcabegfkibcbi"=hex:6a,61,63,69,6b,61,69,65,62,6e,64,64,6f,62,6e,67,64,67,
6b,70,00,f0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="[value removed]"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2524)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Belkin\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\oodag.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-09-23 13:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-23 12:54

Pre-Run: 11,288,104,960 bytes free
Post-Run: 11,598,659,584 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
409 --- E O F --- 2009-09-02 02:01







________________________________________________________






_____Malwarebytes Log_____


Malwarebytes' Anti-Malware 1.41
Database version: 2845
Windows 5.1.2600 Service Pack 3

23/09/2009 14:31:47
mbam-log-2009-09-23 (14-31-47).txt

Scan type: Quick Scan
Objects scanned: 102926
Time elapsed: 3 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
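
The two "Registry Data Items Infected" lines above are the whole Hijack.WindowsUpdates trick: the ImagePath of BITS and wuauserv is rewritten from %SystemRoot%\System32\svchost.exe to %fystemRoot%\..., an environment variable that does not exist, so the Service Control Manager can never resolve the path and Windows Update and BITS quietly stop starting. The ComboFix log shows a second pattern worth checking for at the same time: service keys with no ImagePath at all (the "S3 Hpnrava;Hpnrava; [x]" style entries). The script below is an added example, not code from this thread or from Malwarebytes, ComboFix or RootRepeal; it parses a .reg export of the Services hive and flags both patterns. The export it runs on is constructed to mirror the logs (it is not a dump from the poster's machine), the KNOWN_ENV set is an assumption about which variables a service environment defines, and the "Good:" values from the Malwarebytes log are the only source for the EXPECTED_SVCHOST table.

```python
"""Audit service ImagePath values from a registry export.

Added example, not from the thread above or from Malwarebytes, ComboFix or
RootRepeal. It re-implements the two checks whose results those logs show:

  * Hijack.WindowsUpdates: BITS / wuauserv ImagePath rewritten to
    %fystemRoot%\\system32\\svchost.exe -k netsvcs. The variable never expands,
    so the services fail to start;
  * orphan service keys with no ImagePath at all, listed by ComboFix as
    "S3 Hpnrava;Hpnrava; [x]".

The input is a constructed .reg-style export shaped like the output of
  reg export HKLM\\SYSTEM\\CurrentControlSet\\Services services.reg
"""
import re

# Variables every service environment defines. Anything else inside %...% in an
# ImagePath is a red flag. Assumption for this example; a live audit would
# compare against the host's own environment block instead.
KNOWN_ENV = {"systemroot", "windir", "systemdrive", "programfiles"}

# Services that must run inside the shared host. The two "Good:" values in the
# Malwarebytes log above are the source for these entries.
EXPECTED_SVCHOST = {
    "bits": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
    "wuauserv": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
}

# Constructed sample export: BITS carries the hijacked path, wuauserv is clean,
# Hpnrava has no ImagePath (orphan), mbamservice is an ordinary quoted path.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"ImagePath"="%fystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hpnrava]
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mbamservice]
"ImagePath"="\"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbamservice.exe\""
'''

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$",
    re.IGNORECASE)
STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
ENV_REF_RE = re.compile(r"%([^%]+)%")


def parse_services(reg_text):
    """Return {service: {value_name: string_value}} for every Services\\<name> key.

    Only string values are kept. The .reg escapes (doubled backslashes and
    backslash-escaped quotes) are undone so the path reads the way the
    Service Control Manager sees it.
    """
    services = {}
    current = None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            services[current] = {}
            continue
        m = STRING_VALUE_RE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            services[current][name] = re.sub(r"\\(.)", r"\1", raw)
    return services


def audit(services):
    """Return a list of (service, kind, detail) findings."""
    findings = []
    for svc, values in services.items():
        path = values.get("ImagePath")
        if path is None:
            findings.append((svc, "orphan", "key has no ImagePath"))
            continue
        # Any %VAR% the service environment does not define makes the path
        # unresolvable; this is exactly the %fystemRoot% substitution.
        for var in ENV_REF_RE.findall(path):
            if var.lower() not in KNOWN_ENV:
                findings.append((svc, "bad-env",
                                 f"%{var}% is not a defined variable, so the path never resolves"))
        expected = EXPECTED_SVCHOST.get(svc.lower())
        if expected and path.lower() != expected.lower():
            findings.append((svc, "hijack", f"expected {expected!r}, found {path!r}"))
    return findings


if __name__ == "__main__":
    for svc, kind, detail in audit(parse_services(SAMPLE_REG)):
        print(f"{svc:12} {kind:8} {detail}")
```

To run it against a real machine, export the hive with reg export as shown in the docstring, read the file with encoding="utf-16" (reg.exe writes a Unicode file with a BOM) and pass the text to parse_services. A live audit would add one more check the offline sample cannot: expand the resolved path and confirm the file exists on disk, which would also catch the "[?]" entries in the ComboFix service list.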

#4 Buckeye_Sam


Posted 24 September 2009 - 03:22 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as type: 'All Files' / File name: CFScript, and save it to your desktop.

Driver::
Hpnrava
Dhcsippcfmws
Wan61exauiwh
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After the reboot (if it asks to reboot), post the contents of Combofix.txt in your next reply.


====================


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic



========================================================

#5 Buckeye_Sam


Posted 14 October 2009 - 08:03 AM

Unfortunately there has been no response. :(
This thread will now be closed.


========================================================



