
Help! Avload32.dll

#1 johnnydeath

Posted 09 July 2006 - 06:59 PM

Here's the log (I think I'm supposed to copy and paste it). I don't know how to remove the avload32 file! HELP!!!!



Logfile of HijackThis v1.99.1
Scan saved at 7:57:50 PM, on 7/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\??stem\winspool.exe
C:\WINDOWS\system32\MBOLS~1\dexplore.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: (no name) - {4F0F6278-FCE0-FA64-C6AC-F18ADDABF8CA} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [LimeShop] C:\Program Files\LimeShop\LimeShoprun.exe /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 9\LaunchList.exe
O4 - HKLM\..\Run: [0sis0ijw.dll] RUNDLL32.EXE 0sis0ijw.dll,b 29111953
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Microsoft Windows® System Manager] windrv32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Vdz] C:\WINDOWS\system32\??stem\winspool.exe
O4 - HKCU\..\Run: [Microsoft Windows® System Manager] windrv32.exe
O4 - HKCU\..\Run: [Scbu] "C:\WINDOWS\system32\MBOLS~1\dexplore.exe" -vt ndrv
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{36E36835-2870-4050-8458-55C65BC254F7}: NameServer = 167.206.245.6,167.206.245.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{36E36835-2870-4050-8458-55C65BC254F7}: NameServer = 167.206.245.6,167.206.245.5
O20 - AppInit_DLLs: C:\WINDOWS\system32\winlogon.dll
O20 - Winlogon Notify: avload32 - C:\WINDOWS\SYSTEM32\avload32.dll
O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\i8jq0i15e8.dll (file missing)
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

#2 -David-

Posted 10 July 2006 - 02:18 AM

Welcome to BleepingComputer!

Download haxfix.exe and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"
A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix
  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
  • Copy the contents of that logfile and paste it into this thread.
David

#3 johnnydeath

Posted 10 July 2006 - 01:24 PM

Um, I did?

#4 -David-

Posted 10 July 2006 - 02:12 PM

Please complete my instructions in Post #2.
David

#5 johnnydeath

Posted 10 July 2006 - 08:32 PM

I'm sorry, I'm new to this, but I scanned with HijackThis; did I not post the log?

#6 -David-

Posted 11 July 2006 - 11:13 AM

I see what the problem is, don't worry about it.
HijackThis and Haxfix are completely different programs.
You originally posted a Hijackthis log, now I need a haxfix log.
David :thumbsup:

#7 johnnydeath

Posted 11 July 2006 - 01:31 PM

Here's the log, it's rather bland.



HAXFIX logfile - by Marckie
______________
version 3.06
Tue 07/11/2006 14:32:40.87

checking for haxdoor
--------------------
checking for a3d files....
a3d files not found

checking for matching notify keys....
no matching notify keys found

checking for matching services....
no matching services found

checking for matching safeboot services....
no matching safeboot services found


Checking for goldun
-------------------
checking for notify keys....
no notify keys found

checking for services....
no services found


Finished

#8 -David-

Posted 11 July 2006 - 04:31 PM

Download GMER from Here
Right Click the Zip and Select "Extract All"
Double Click gmer.exe to launch the program.
Click on the Rootkit Tab and then click Scan.
It takes a while to run, once complete, copy the results to notepad and save them somewhere safe.
Post those results in the next reply.
David

#9 johnnydeath

Posted 12 July 2006 - 02:46 PM

Well, here goes.





GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-07-12 15:44:38
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT \??\C:\WINDOWS\system32\xdrive9.sys ZwCreateProcess <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\xdrive9.sys ZwCreateProcessEx <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\xdrive9.sys ZwQueryDirectoryFile <-- ROOTKIT !!!

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F7B3485A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F7B3485A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F7B3485A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F7B3485A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F7B3485A] avgtdi.sys

---- Processes - GMER 1.0.10 ----

Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\WINDOWS\arservice.exe [112] 0x007D0000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\Program Files\Winamp\winampa.exe [132] 0x003C0000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\ (*** hidden *** ) @ C:\WINDOWS\system32\??stem\winspool.exe [136] 0x00400000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\WINDOWS\system32\??stem\winspool.exe [136] 0x00370000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [208] 0x00370000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe [240] 0x00B00000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe [352] 0x00AF0000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe [428] 0x00840000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [580] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\WINDOWS\eHome\ehRecvr.exe [596] 0x005A0000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [628] 0x01DA0000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\WINDOWS\system32\MBOLS~1\dexplore.exe [896] 0x00380000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\WINDOWS\eHome\ehSched.exe [1024] 0x00580000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [1164] 0x009A0000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1248] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\Program Files\Common Files\LightScribe\LSSrvc.exe [1268] 0x006F0000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe [1416] 0x00C70000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\WINDOWS\system32\Ati2evxx.exe [1444] 0x00B10000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1532] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ c:\windows\system\hpsysdrv.exe [1596] 0x00370000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1608] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\Program Files\AIM\aim.exe [1784] 0x00AF0000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\WINDOWS\ehome\ehtray.exe [1816] 0x00830000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1840] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\Program Files\HP\HP Software Update\HPwuSchd2.exe [1868] 0x003C0000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [2016] 0x00380000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\WINDOWS\ehome\mcrdsvc.exe [2096] 0x00590000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\WINDOWS\ALCXMNTR.EXE [2456] 0x00A00000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\Program Files\iPod\bin\iPodService.exe [2492] 0x00740000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\WINDOWS\eHome\ehmsas.exe [2500] 0x00820000 <-- ROOTKIT !!!
Library C:\WINDOWS\System32\avload32.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [2896] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\WINDOWS\system32\dllhost.exe [3184] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [3640] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\Program Files\Winamp\winamp.exe [4036] 0x00390000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\HP\KBD\KBD.EXE [4092] 0x00AA0000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\Documents and Settings\Compaq_Administrator\Desktop\gmer.exe [7104] 0x003C0000 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\avload32.dll (*** hidden *** ) @ C:\PROGRA~1\MOZILL~1\FIREFOX.EXE [7220] 0x003A0000 <-- ROOTKIT !!!

---- Registry - GMER 1.0.10 ----

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xE9 0x02 0x6C 0xFA ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}
File C:\WINDOWS\system32\avload32.dll
File C:\WINDOWS\system32\xdrive9.sys <-- ROOTKIT !!!

---- Services - GMER 1.0.10 ----

Service C:\WINDOWS\system32\xdrive9.sys [SYSTEM] xdrive9 <-- ROOTKIT !!!

---- EOF - GMER 1.0.10 ----

#10 johnnydeath

Posted 16 July 2006 - 02:04 PM

ANYONE???????????????!

#11 -David-

Posted 17 July 2006 - 03:17 AM

Hey johnnydeath,
Sorry for the delay in getting back to you.

* Download KillBox from here
- Click killbox.exe.
- Select the option "Delete on reboot".
- Click the button: All Files (!important!)
- Now it should flash green.

Now copy the next bold part:

C:\WINDOWS\system32\xdrive9.sys
C:\WINDOWS\system32\avload32.dll


- Open 'File' in the Killbox menu on top and choose Paste from clipboard
- Then press the button that looks like a red circle with a white X in it.
- Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
- If you don't get that message, reboot manually.
- Your computer should reboot now.

Ignore the errors you'll get after reboot; that's normal, they will be gone after performing the next steps.

Double Click gmer.exe to launch the program.
Click on the Rootkit Tab and then click Scan.
It takes a while to run, once complete, copy the results to notepad and save them somewhere safe.
Post those results in the next reply.

David

#12 -David-

Posted 10 August 2006 - 05:27 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending me
a PM with the address of the thread using the link here. This applies only to the original topic starter.

Everyone else please begin a New Topic.
