infected with TR/Rootkit.Gen Trojan


  • This topic is locked This topic is locked
7 replies to this topic

#1 josh_rt

  • Members
  • 9 posts

Posted 10 December 2009 - 03:59 PM

My antivirus (Avira AntiVir Personal Free) keeps detecting this Trojan (TR/Rootkit.Gen)
in C:\Documents and Settings\Owner\Local Settings\Temp\dxdiag.sys (I looked at the folder; nothing is there, with hidden objects enabled).
I tried the antivirus options of moving it to quarantine, deleting, and denying access; it keeps popping back up.

DDS logs and RootRepeal logs below.

Also, Malwarebytes caught something; I deleted it, thinking it was over, then I started to get these popups. Rescanned with Malwarebytes and found nothing.



DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 15:41:21.01 on Thu 12/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1219 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\ESEA\ESEA Client\eseaclient.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_central
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Octoshape Streaming Services] "c:\documents and settings\owner\application data\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun
uRun: [EPSON Stylus Photo RX595 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticla.exe /fu "c:\windows\temp\E_S107.tmp" /EF "HKCU"
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [<NO NAME>]
mRun: [CHotkey] zHotkey.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RivaTunerStartupDaemon] "c:\program files\rivatuner v2.22\RivaTuner.exe" /S
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [EasyTuneVI] c:\program files\gigabyte\et6\ETcall.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Verizon_McciTrayApp] c:\program files\verizon\McciTrayApp.exe
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\instal~1.lnk - c:\program files\sifxinst\SIFXINST.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} - hxxp://download.gigabyte.com.tw/object/Dldrv.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
LSA: Authentication Packages = msv1_0 nwprovau
LSA: Notification Packages = scecli modfxtl.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\wggs1506.default\
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_central
FF - plugin: c:\documents and settings\owner\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: XUL Cache: {A8362A30-DA8F-485B-9A77-05D9BA819320} - c:\documents and settings\owner\local settings\application data\{A8362A30-DA8F-485B-9A77-05D9BA819320}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-2 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-2 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-2 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-2 56816]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2009-2-7 68136]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2007-2-7 14336]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-2-8 38224]
S3 cpuz130;cpuz130;\??\c:\docume~1\owner\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 CyUsb;Cypress Generic USB Driver;c:\windows\system32\drivers\CYUSB.sys [2009-9-5 31104]
S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2009-9-5 22784]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\drivers\rt2500usb.sys [2009-8-15 79616]
SUnknown GVTDrv;GVTDrv; [x]

=============== Created Last 30 ================

2009-12-01 16:57 <DIR> --d----- c:\docume~1\owner\applic~1\Xilisoft Corporation
2009-12-01 15:54 <DIR> --d----- c:\program files\Call of Duty Modern Warfare 2
2009-12-01 15:44 <DIR> --d----- c:\program files\PowerISO
2009-11-28 19:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PMB Files
2009-11-28 19:09 <DIR> --d----- c:\program files\Pando Networks
2009-11-20 19:55 <DIR> --d----- c:\program files\Fear-Otaku Software
2009-11-13 15:08 <DIR> --d----- c:\program files\PFPortChecker

==================== Find3M ====================

2009-12-10 14:40 24,944 a------- c:\windows\system32\drivers\GVTDrv.sys
2009-12-10 14:40 16,608 a------- c:\windows\gdrv.sys
2009-12-07 17:49 56,816 a------- c:\windows\system32\drivers\avgntflt.sys
2009-12-03 16:14 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-11-08 22:21 59,388 a------- c:\windows\system32\drivers\scdemu.sys
2009-10-29 20:39 143,872 a------- c:\windows\system32\drivers\usbport.sys
2009-10-29 20:38 55,808 a------- c:\windows\devcon.exe
2009-06-30 19:30 103,720 a------- c:\documents and settings\owner\GoToAssistDownloadHelper.exe

============= FINISH: 15:42:13.98 ===============

#2 josh_rt (Topic Starter)

  • Members
  • 9 posts

Posted 12 December 2009 - 03:37 AM

bump

#3 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 21 December 2009 - 11:09 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS and RootRepeal. If you have any problems, just let me know in your next reply or simply post a HijackThis log.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 josh_rt (Topic Starter)

  • Members
  • 9 posts

Posted 24 December 2009 - 02:59 PM

DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 14:44:20.96 on Thu 12/24/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1430 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\ESEA\ESEA Client\eseaclient.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_central
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus Photo RX595 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticla.exe /fu "c:\windows\temp\E_S107.tmp" /EF "HKCU"
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [<NO NAME>]
mRun: [CHotkey] zHotkey.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RivaTunerStartupDaemon] "c:\program files\rivatuner v2.22\RivaTuner.exe" /S
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [EasyTuneVI] c:\program files\gigabyte\et6\ETcall.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Verizon_McciTrayApp] c:\program files\verizon\McciTrayApp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\instal~1.lnk - c:\program files\sifxinst\SIFXINST.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} - hxxp://download.gigabyte.com.tw/object/Dldrv.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
LSA: Authentication Packages = msv1_0 nwprovau
LSA: Notification Packages = scecli modfxtl.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\wggs1506.default\
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_central
FF - plugin: c:\documents and settings\owner\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: XUL Cache: {A8362A30-DA8F-485B-9A77-05D9BA819320} - c:\documents and settings\owner\local settings\application data\{A8362A30-DA8F-485B-9A77-05D9BA819320}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-2 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-2 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-2 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-2 56816]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2009-2-7 68136]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2007-2-7 14336]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe [2009-12-22 53307]
S3 cpuz130;cpuz130;\??\c:\docume~1\owner\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 CyUsb;Cypress Generic USB Driver;c:\windows\system32\drivers\CYUSB.sys [2009-9-5 31104]
S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2009-9-5 22784]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\drivers\rt2500usb.sys [2009-8-15 245376]
SUnknown GVTDrv;GVTDrv; [x]

=============== Created Last 30 ================

2009-12-22 20:46 20,747 a------- c:\windows\system32\drivers\AegisP.sys
2009-12-22 20:46 374,752 a------- c:\windows\system32\WUSBGXP.sys
2009-12-22 20:46 339,488 a------- c:\windows\system32\WUSB20XP.sys
2009-12-22 20:46 245,376 a------- c:\windows\system32\rt2500usb.sys
2009-12-22 20:46 8,090 a------- c:\windows\system32\WUSB54G.cat
2009-12-22 20:46 8,022 a------- c:\windows\system32\rt2500usb.cat
2009-12-22 20:46 7,846 a------- c:\windows\system32\WUSB54GV2.cat
2009-12-22 20:46 17,992 a------- c:\windows\system32\drivers\bcm42rly.sys
2009-12-22 20:46 17,992 a------- c:\windows\system32\bcm42rly.sys
2009-12-22 20:46 <DIR> --d----- c:\program files\Linksys Wireless-G USB Wireless Network Monitor
2009-12-22 20:45 <DIR> --d----- C:\Linksys Driver
2009-12-15 14:47 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2009-12-15 14:47 452,440 a------- c:\windows\system32\d3dx10_40.dll
2009-12-15 14:47 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2009-12-15 14:47 81,768 a------- c:\windows\system32\xinput1_3.dll
2009-12-15 14:47 <DIR> --d----- c:\windows\Logs
2009-12-15 14:47 <DIR> --d----- c:\program files\Heroes of Newerth
2009-12-01 16:57 <DIR> --d----- c:\docume~1\owner\applic~1\Xilisoft Corporation
2009-12-01 15:54 <DIR> --d----- c:\program files\Call of Duty Modern Warfare 2
2009-12-01 15:44 <DIR> --d----- c:\program files\PowerISO
2009-11-28 19:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PMB Files
2009-11-28 19:09 <DIR> --d----- c:\program files\Pando Networks

==================== Find3M ====================

2009-12-24 14:39 24,944 a------- c:\windows\system32\drivers\GVTDrv.sys
2009-12-24 14:39 16,608 a------- c:\windows\gdrv.sys
2009-12-07 17:49 56,816 a------- c:\windows\system32\drivers\avgntflt.sys
2009-12-03 16:14 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-11-08 22:21 59,388 a------- c:\windows\system32\drivers\scdemu.sys
2009-10-29 20:39 143,872 a------- c:\windows\system32\drivers\usbport.sys
2009-10-29 20:38 55,808 a------- c:\windows\devcon.exe
2009-06-30 19:30 103,720 a------- c:\documents and settings\owner\GoToAssistDownloadHelper.exe

============= FINISH: 14:44:36.73 ===============

It happens when I open eseaclient.exe, which is an anti-cheat client for the game Counter-Strike 1.6. The people on www.esportsea.com / www.esea.net claim it's a false positive, but this also pops up on McAfee according to the worried people in their forums.

So I open the ESEA client,
I get the virus Rootkit.Gen popup,
and it keeps popping up at intervals... making me disable my AntiVir Guard since it's really annoying.

#5 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 24 December 2009 - 03:11 PM

Hello.

Yes, you indeed have a few infections going on.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

Download and Run GooredFix

Please download GooredFix and save it to your Desktop if you lost your copy.
Alternative Download Mirror #1

Please make sure all instances of Firefox are closed at this point before proceeding.
  • Ensure all Firefox windows are closed at this time.
  • Please double-click GooredFix.exe on your Desktop to run it. If you are using Vista, please right-click and select Run as administrator.
  • When prompted to run the scan, click Yes.
  • The removal process will begin; please be patient until it finishes.
  • A log will open with the file after completion; please post the contents of that log in your next reply.
*Note: The log can also be found on your desktop, called GooredFix.txt.

#6 josh_rt (Topic Starter)

  • Members
  • 9 posts

Posted 26 December 2009 - 06:21 PM

My internet went out at the time of ComboFix... hope that won't matter much.

ComboFix 09-12-26.01 - Owner 12/26/2009 17:20:54.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1337 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Application Data\{A8362A30-DA8F-485B-9A77-05D9BA819320}
c:\documents and settings\Owner\Local Settings\Application Data\{A8362A30-DA8F-485B-9A77-05D9BA819320}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{A8362A30-DA8F-485B-9A77-05D9BA819320}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{A8362A30-DA8F-485B-9A77-05D9BA819320}\chrome\content\c.js
c:\documents and settings\Owner\Local Settings\Application Data\{A8362A30-DA8F-485B-9A77-05D9BA819320}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{A8362A30-DA8F-485B-9A77-05D9BA819320}\install.rdf
c:\recycler\S-1-5-21-802070912-1676176509-3194758254-500
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-11-26 to 2009-12-26 )))))))))))))))))))))))))))))))
.

2009-12-23 01:46 . 2009-12-23 01:46 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-12-23 01:46 . 2005-10-18 00:50 245376 ----a-w- c:\windows\system32\rt2500usb.sys
2009-12-23 01:46 . 2004-04-24 03:43 374752 ----a-w- c:\windows\system32\WUSBGXP.sys
2009-12-23 01:46 . 2004-01-07 22:04 339488 ----a-w- c:\windows\system32\WUSB20XP.sys
2009-12-23 01:46 . 2009-12-23 01:46 -------- d-----w- c:\program files\Linksys Wireless-G USB Wireless Network Monitor
2009-12-23 01:46 . 2005-02-01 23:18 17992 ----a-w- c:\windows\system32\drivers\bcm42rly.sys
2009-12-23 01:46 . 2005-02-01 23:18 17992 ----a-w- c:\windows\system32\bcm42rly.sys
2009-12-23 01:45 . 2009-12-23 01:45 -------- d-----w- C:\Linksys Driver
2009-12-15 19:47 . 2008-10-10 09:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-12-15 19:47 . 2008-10-10 09:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-12-15 19:47 . 2008-10-10 09:52 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2009-12-15 19:47 . 2007-04-04 23:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2009-12-15 19:47 . 2009-12-15 19:47 -------- d-----w- c:\windows\Logs
2009-12-15 19:47 . 2009-12-19 03:12 -------- d-----w- c:\program files\Heroes of Newerth
2009-12-01 21:57 . 2009-12-01 21:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Xilisoft Corporation
2009-12-01 20:54 . 2009-12-25 22:33 -------- d-----w- c:\program files\Call of Duty Modern Warfare 2
2009-12-01 20:44 . 2009-12-01 20:44 -------- d-----w- c:\program files\PowerISO
2009-11-29 00:11 . 2009-12-26 22:27 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PMB Files
2009-11-29 00:11 . 2009-11-29 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-11-29 00:09 . 2009-11-29 00:09 -------- d-----w- c:\program files\Pando Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-26 22:30 . 2009-02-07 02:05 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2009-12-26 22:30 . 2009-01-30 07:44 -------- d-----w- c:\program files\Steam
2009-12-26 22:30 . 2009-02-07 14:22 16608 ----a-w- c:\windows\gdrv.sys
2009-12-23 01:46 . 2009-01-30 05:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-23 01:25 . 2009-01-30 07:43 -------- d-----w- c:\program files\mIRC
2009-12-22 22:57 . 2009-01-30 07:43 -------- d-----w- c:\documents and settings\Owner\Application Data\mIRC
2009-12-22 04:56 . 2009-03-11 04:50 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-12-16 01:13 . 2009-06-25 02:01 -------- d-----w- c:\program files\Verizon
2009-12-14 05:54 . 2009-01-31 16:32 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-12-14 01:15 . 2009-02-04 01:15 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-13 02:24 . 2009-12-13 02:24 648704 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv3052a-0912021-0-main.dll
2009-12-10 21:53 . 2009-01-30 07:47 -------- d-----w- c:\program files\ESEA
2009-12-10 05:54 . 2009-02-09 03:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-10 05:54 . 2009-11-13 20:14 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-07 22:49 . 2009-05-02 18:51 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-03 21:14 . 2009-02-09 03:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2009-02-09 03:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 00:55 . 2009-11-21 00:55 -------- d-----w- c:\program files\Fear-Otaku Software
2009-11-13 20:13 . 2009-04-26 01:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-13 20:08 . 2009-11-13 20:08 -------- d-----w- c:\program files\PFPortChecker
2009-11-09 03:21 . 2009-11-09 03:21 59388 ----a-w- c:\windows\system32\drivers\scdemu.sys
2009-11-02 06:16 . 2009-11-02 06:16 -------- d-----w- c:\program files\Samsung
2009-10-30 19:39 . 2009-09-26 04:03 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2009-10-30 01:39 . 2007-02-08 01:53 143872 ----a-w- c:\windows\system32\drivers\usbport.sys
2009-10-30 01:38 . 2009-10-30 01:38 55808 ----a-w- c:\windows\devcon.exe
2009-10-16 15:09 . 2009-10-16 15:09 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2009-12-22 1217808]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-30 133104]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2009-11-29 2923192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"CHotkey"="zHotkey.exe" [2005-05-03 543232]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"nwiz"="nwiz.exe" [2009-01-15 1657376]
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.22\RivaTuner.exe" [2008-12-29 2732032]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080]
"EasyTuneVI"="c:\program files\GIGABYTE\ET6\ETcall.exe" [2007-07-26 20480]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Install Pending Files.LNK - c:\program files\SIFXINST\SIFXINST.EXE [2009-1-30 729088]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
2009-01-08 13:44 70936 ----a-w- c:\documents and settings\Owner\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steamapps\\rtlock_josh\\counter-strike\\hl.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2 demo\\left4dead2.exe"=
"c:\\Program Files\\Call of Duty Modern Warfare 2\\iw4sp.exe"=
"c:\\Program Files\\Heroes of Newerth\\hon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56802:TCP"= 56802:TCP:Pando Media Booster
"56802:UDP"= 56802:UDP:Pando Media Booster

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/2/2009 1:51 PM 108289]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [2/7/2009 9:24 AM 68136]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe [12/22/2009 8:46 PM 53307]
S3 cpuz130;cpuz130;\??\c:\docume~1\Owner\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Owner\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 CyUsb;Cypress Generic USB Driver;c:\windows\system32\drivers\CYUSB.sys [9/5/2009 1:35 PM 31104]
S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [9/5/2009 1:35 PM 22784]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\drivers\rt2500usb.sys [8/15/2009 5:47 PM 245376]
SUnknown GVTDrv;GVTDrv; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Installer.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - 1
.
------- Supplementary Scan -------
.
uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_central
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\wggs1506.default\
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_central
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-26 17:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(936)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\windows\zHotkey.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\windows\SOUNDMAN.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-26 17:36:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-26 22:35

Pre-Run: 107,789,336,576 bytes free
Post-Run: 107,883,876,352 bytes free

- - End Of File - - 61BD584978E11A6A9009FC71C55C9458

Edited by extremeboy, 26 December 2009 - 07:19 PM.


#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 26 December 2009 - 07:26 PM

Hello.

Looks clean.

Update Java to Version 6 Update 17
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer here. Choose "Windows".

Delete the installer after use.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select Critical Areas.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Please then take a new DDS log. Tell me of any problems you still have.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 01 January 2010 - 01:21 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy



