Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Programs closing


  • This topic is locked This topic is locked
19 replies to this topic

#1 Ryan12

Ryan12

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 04 February 2007 - 05:52 PM

- Xfire (gamer's messenger) closes after I log in with my username/pw
- Internet Explorer 6 and 7 both close after loading a webpage
- Windows Media Player closes instead of loading a movie
Other programs seem to function ok.

HijackThis log (I'm new to this):


Logfile of HijackThis v1.99.1
Scan saved at 2:50:08 PM, on 2/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stickies\Stickies.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\mIRC\mirc.exe
C:\hrock\mIRC\mirc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: TChkBHO Class - {9D77024E-8140-46AB-9924-EEB131EC8276} - (no file)
O3 - Toolbar: (no name) - {D79559E8-9991-41C5-AA2B-A96EC766F43F} - (no file)
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Stickies] C:\Program Files\Stickies\Stickies.exe
O4 - Startup: Stickies.lnk = C:\Program Files\Stickies\stickies.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134686968093
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

BC AdBot (Login to Remove)

 


m

#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 09 February 2007 - 06:57 PM

Welcome to Bleeping Computer Ryan12 :thumbsup:

First of all you've got two antivirus programs installed and active,Kaspersky Anti-Virus 6.0 and AVG Free.
This can lead to conflicts between the two,thus causing possible system slowdowns,false virus alerts,you should uninstall one of them.

======================

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".
This will change from what we know in 2006 read this article:
http://www.clickz.com/news/article.php/3561546

You are well advised to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:

Viewpoint
Viewpoint Manager
Viewpoint Media Player


Then reboot.

======================

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: TChkBHO Class - {9D77024E-8140-46AB-9924-EEB131EC8276} - (no file)
O3 - Toolbar: (no name) - {D79559E8-9991-41C5-AA2B-A96EC766F43F} - (no file)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Exit Hijackthis.

======================

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE" using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

======================

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a log.
Post the C:\ComboFix.txt in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Reboot,post the DrWeb.cvs report,the C:\ComboFix.txt,and a new Hijackthis log into your next reply.
Posted Image
Posted Image

#3 Ryan12

Ryan12
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 09 February 2007 - 10:52 PM

DrWeb.csv log:

mirc.exe;C:\hrock\mIRC;Program.mIRC.617;;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.617;;

I use mIRC daily and unless it has been altered, I don't see how the scan could be correct. Sounds like it just mistook a .exe file it did not recognize for a virus?

C:\ComboFix.txt:

"Ryan" - 07-02-09 19:37:23 Service Pack 2
ComboFix 07-02-08.2 - Running from: "C:\Documents and Settings\Ryan\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-09 to 2007-02-09 ))))))))))))))))))))))))))))))))))


2007-02-09 17:12 <DIR> d-------- C:\DOCUME~1\Ryan\DoctorWeb
2007-02-06 20:45 <DIR> d-------- C:\DOCUME~1\Ryan\Application Data\TrojanHunter
2007-02-06 20:13 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-02-04 21:07 <DIR> d-------- C:\DOCUME~1\Ryan\Application Data\DivX
2007-02-04 21:04 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-02-04 21:04 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-02-04 21:04 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-02-04 21:04 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-02-04 21:04 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-02-04 21:03 <DIR> d-------- C:\Program Files\DivX
2007-02-04 14:49 <DIR> d-------- C:\HijackThis
2007-02-04 10:19 <DIR> d-------- C:\01b8198275290b7d96e7
2007-02-03 15:12 <DIR> d-------- C:\DOCUME~1\Ryan\.housecall6.6
2007-02-03 15:05 <DIR> d-------- C:\Program Files\Java
2007-02-03 15:05 <DIR> d-------- C:\Program Files\Common Files\Java
2007-02-02 22:22 12,288,455 --------- C:\AVG7QT.DAT
2007-02-02 22:21 839,936 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-02-02 22:21 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-02-02 22:21 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-02-02 22:21 27,776 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-02-02 22:21 18,432 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-02-02 22:21 <DIR> d-------- C:\DOCUME~1\Ryan\Application Data\AVG7
2007-02-02 22:21 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\AVG7
2007-02-02 22:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Grisoft
2007-01-31 20:56 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-01-31 20:56 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-01-31 20:56 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-01-31 20:56 639,066 --a------ C:\WINDOWS\system32\DivX.dll
2007-01-31 20:00 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-01-31 19:37 <DIR> d-------- C:\kav
2007-01-31 18:45 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-31 13:27 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-01-30 15:15 118,784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-01-29 21:03 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-29 21:03 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-29 21:03 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-29 20:56 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-29 20:56 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-01-29 20:56 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-01-29 20:56 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-01-29 20:56 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-01-29 20:56 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-01-29 20:56 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-01-29 20:56 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-01-27 15:03 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Application Data\Spyware Terminator
2007-01-26 16:10 3,100 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-26 14:31 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-01-26 14:15 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\Spyware Terminator
2007-01-25 21:07 1,458 --a------ C:\smitfra.reg
2007-01-25 21:06 88,524 --a------ C:\smitfrau.reg
2007-01-25 21:06 3,451 --a------ C:\delfiles.cmd
2007-01-25 21:06 16,824 --a------ C:\replace.cmd
2007-01-25 20:22 <DIR> d-------- C:\Program Files\Registry Mechanic
2007-01-25 19:00 <DIR> d-------- C:\DOCUME~1\Ryan\Application Data\Axaware
2007-01-25 18:55 <DIR> d-------- C:\Program Files\Axaware
2007-01-24 23:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe
2007-01-22 15:31 135,936 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-01-22 15:29 <DIR> d-------- C:\Program Files\WinClamAVShield
2007-01-22 15:23 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-01-22 15:23 <DIR> d-------- C:\DOCUME~1\Ryan\Application Data\Spyware Terminator
2007-01-22 15:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spyware Terminator
2007-01-20 13:04 <DIR> d-------- C:\DOCUME~1\Ryan\Application Data\Viewpoint
2007-01-19 18:18 <DIR> d-------- C:\Program Files\Media Resizer FREE
2007-01-14 00:54 <DIR> d-------- C:\DOCUME~1\Ryan\Application Data\ICQ6
2007-01-13 13:03 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-11 18:36 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-01-11 18:35 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-01-11 18:35 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver huy32 is present. A rootkit scan is required

2007-02-09 18:51 -------- d-------- C:\Program Files\mozilla firefox
2007-02-09 16:55 -------- d-------- C:\Program Files\mirc
2007-02-09 14:02 -------- d-------- C:\Program Files\mozilla thunderbird
2007-02-03 15:09 12158 --a--c--- C:\WINDOWS\mozver.dat
2007-01-31 19:50 -------- d-------- C:\DOCUME~1\Ryan\Application Data\xfire
2007-01-31 18:44 -------- d-------- C:\Program Files\grisoft
2007-01-29 21:03 36624 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-01-25 19:09 19476 --a------ C:\DOCUME~1\Ryan\Application Data\.googlewebacchosts
2007-01-24 22:52 -------- d-------- C:\DOCUME~1\Ryan\Application Data\adobeum
2007-01-21 18:34 -------- d--h----- C:\Program Files\installshield installation information
2007-01-20 11:00 -------- d---s---- C:\Program Files\xfire
2007-01-18 14:27 -------- d-------- C:\DOCUME~1\Ryan\Application Data\skype
2007-01-02 17:50 -------- d-------- C:\DOCUME~1\Ryan\Application Data\teamspeak2
2006-12-30 22:39 -------- d-------- C:\Program Files\Common Files\adobe
2006-12-15 07:01 -------- d-------- C:\Program Files\Common Files\aol
2006-12-14 14:19 -------- d-------- C:\Program Files\aim6
2006-12-13 14:47 -------- d-------- C:\Program Files\skype
2006-12-13 14:47 -------- d-------- C:\Program Files\Common Files\skype
2006-12-12 08:24 12288 --a------ C:\WINDOWS\system32\divxwmpexttype.dll
2006-12-06 22:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Stickies"="C:\\Program Files\\Stickies\\Stickies.exe"
"Steam"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"PROMon.exe"="PROMon.exe"
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"dwStart"=""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"IntelliType"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe\""
"OrderReminder"="C:\\Program Files\\Hewlett-Packard\\OrderReminder\\OrderReminder.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"QuickTime Task"="\"C:\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"SpywareTerminator"="\"C:\\Program Files\\Spyware Terminator\\SpywareTerminatorShield.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NEWDOT~1"
"hkey"="HKLM"
"command"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~1.DLL,NewDotNetStartup"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0




~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070209-170417-417
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
backup-20070209-170416-642
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
backup-20070209-170415-440
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
backup-20070209-170415-348
O2 - BHO: TChkBHO Class - {9D77024E-8140-46AB-9924-EEB131EC8276} - (no file)
backup-20070209-170415-265
O3 - Toolbar: (no name) - {D79559E8-9991-41C5-AA2B-A96EC766F43F} - (no file)

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\i2ompmt

HKLM\SYSTEM\CurrentControlSet\Services\ImapierT

HKLM\SYSTEM\CurrentControlSet\Services\inetaccsvice

HKLM\SYSTEM\CurrentControlSet\Services\ini910us

HKLM\SYSTEM\CurrentControlSet\Services\Inportu

HKLM\SYSTEM\CurrentControlSet\Services\Ip6Fwppm

HKLM\SYSTEM\CurrentControlSet\Services\IpInIperDriver

HKLM\SYSTEM\CurrentControlSet\Services\IpNatp

HKLM\SYSTEM\CurrentControlSet\Services\IPSecService

HKLM\SYSTEM\CurrentControlSet\Services\isapnpearch

HKLM\SYSTEM\CurrentControlSet\Services\kmixerss

HKLM\SYSTEM\CurrentControlSet\Services\lbrtfdcorkstation

HKLM\SYSTEM\CurrentControlSet\Services\ldapfdc

HKLM\SYSTEM\CurrentControlSet\Services\LmHostsService

HKLM\SYSTEM\CurrentControlSet\Services\MDMosts

HKLM\SYSTEM\CurrentControlSet\Services\mnmddnger

HKLM\SYSTEM\CurrentControlSet\Services\Modemvc

HKLM\SYSTEM\CurrentControlSet\Services\mouhidss

HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV5x

HKLM\SYSTEM\CurrentControlSet\Services\MSDTCb

HKLM\SYSTEM\CurrentControlSet\Services\MsfsC

HKLM\SYSTEM\CurrentControlSet\Services\MSKSSRVer

HKLM\SYSTEM\CurrentControlSet\Services\MSPQMOCK

HKLM\SYSTEM\CurrentControlSet\Services\Mupmbios

HKLM\SYSTEM\CurrentControlSet\Services\Ndisuioi

HKLM\SYSTEM\CurrentControlSet\Services\NetBTOS

HKLM\SYSTEM\CurrentControlSet\Services\Netlogondm

HKLM\SYSTEM\CurrentControlSet\Services\Netmanon

HKLM\SYSTEM\CurrentControlSet\Services\Nlaman

HKLM\SYSTEM\CurrentControlSet\Services\Npfsvc

HKLM\SYSTEM\CurrentControlSet\Services\NullSvc

HKLM\SYSTEM\CurrentControlSet\Services\osenkFwd

HKLM\SYSTEM\CurrentControlSet\Services\ParVdmr

HKLM\SYSTEM\CurrentControlSet\Services\PCIVdm

HKLM\SYSTEM\CurrentControlSet\Services\PCIIdep

HKLM\SYSTEM\CurrentControlSet\Services\PDRELIE

HKLM\SYSTEM\CurrentControlSet\Services\perc2AME

HKLM\SYSTEM\CurrentControlSet\Services\PerfNetk

HKLM\SYSTEM\CurrentControlSet\Services\PerfOSt

HKLM\SYSTEM\CurrentControlSet\Services\Processorort

HKLM\SYSTEM\CurrentControlSet\Services\PSchedtedStorage

HKLM\SYSTEM\CurrentControlSet\Services\ql108020

HKLM\SYSTEM\CurrentControlSet\Services\ql12400

HKLM\SYSTEM\CurrentControlSet\Services\RasManp

HKLM\SYSTEM\CurrentControlSet\Services\Rasptioe

HKLM\SYSTEM\CurrentControlSet\Services\Rdbssi

HKLM\SYSTEM\CurrentControlSet\Services\RDPDDD

HKLM\SYSTEM\CurrentControlSet\Services\redbookgr

HKLM\SYSTEM\CurrentControlSet\Services\RpcLocatorss

HKLM\SYSTEM\CurrentControlSet\Services\RpcSscator

HKLM\SYSTEM\CurrentControlSet\Services\RSVPs

HKLM\SYSTEM\CurrentControlSet\Services\SCardSvre

HKLM\SYSTEM\CurrentControlSet\Services\Secdrvrt

HKLM\SYSTEM\CurrentControlSet\Services\SENSogon

HKLM\SYSTEM\CurrentControlSet\Services\Serialm

HKLM\SYSTEM\CurrentControlSet\Services\Sfloppye

HKLM\SYSTEM\CurrentControlSet\Services\SimbadWDetection

HKLM\SYSTEM\CurrentControlSet\Services\Spoolerr

HKLM\SYSTEM\CurrentControlSet\Services\sp_rssrv2

HKLM\SYSTEM\CurrentControlSet\Services\sr_rssrv

HKLM\SYSTEM\CurrentControlSet\Services\Srvervice

HKLM\SYSTEM\CurrentControlSet\Services\stisvcVR

HKLM\SYSTEM\CurrentControlSet\Services\SwPrvi

HKLM\SYSTEM\CurrentControlSet\Services\swwdv

HKLM\SYSTEM\CurrentControlSet\Services\SYMTDInt

HKLM\SYSTEM\CurrentControlSet\Services\TapiSrvog

HKLM\SYSTEM\CurrentControlSet\Services\Tcpiprv

HKLM\SYSTEM\CurrentControlSet\Services\TDTCPE

HKLM\SYSTEM\CurrentControlSet\Services\Themesrvice

HKLM\SYSTEM\CurrentControlSet\Services\TSDDDs

HKLM\SYSTEM\CurrentControlSet\Services\UdfsD

HKLM\SYSTEM\CurrentControlSet\Services\UPSphost

HKLM\SYSTEM\CurrentControlSet\Services\usbhubi

HKLM\SYSTEM\CurrentControlSet\Services\usbscant

HKLM\SYSTEM\CurrentControlSet\Services\ViaIdee

HKLM\SYSTEM\CurrentControlSet\Services\VSSSnap

HKLM\SYSTEM\CurrentControlSet\Services\W3SVCme

HKLM\SYSTEM\CurrentControlSet\Services\WDICAp

HKLM\SYSTEM\CurrentControlSet\Services\winmgmtCESS

HKLM\SYSTEM\CurrentControlSet\Services\WmimPmSN

HKLM\SYSTEM\CurrentControlSet\Services\WS2IFSLv

HKLM\SYSTEM\CurrentControlSet\Services\wscsvcL

HKLM\SYSTEM\CurrentControlSet\Services\WudfPfrv

HKLM\SYSTEM\CurrentControlSet\Services\WZCSVCc

scanning hidden autostart entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 84
hidden files: 0

********************************************************************

Completion time: 07-02-09 19:42:12



Logfile of HijackThis v1.99.1
Scan saved at 7:49:42 PM, on 2/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stickies\Stickies.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Stickies] C:\Program Files\Stickies\Stickies.exe
O4 - Startup: Stickies.lnk = C:\Program Files\Stickies\stickies.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134686968093
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

Removed trial version of Kaspersky today even though I intentionally used it in addition to AVG because I wanted to test what it would find.

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 10 February 2007 - 02:25 AM

Download rustbfix from Here and save it to your desktop.
Double click on rustbfix.exe to run the tool.
If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer.
The reboot will probably take quite a while, and perhaps 2 reboots will be needed.
But this will happen automatically.
After the reboot 2 logfiles will open (C\avenger.txt & C\rustbfix\pelog.txt).
Post the content of these logfiles along with a new HijackThis log.
Let me know how your pc is running now please.
Posted Image
Posted Image

#5 Ryan12

Ryan12
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 10 February 2007 - 01:52 PM

pelog.txt:

************************* Rustock.b-fix -- By ejvindh *************************
Sat 02/10/2007 10:39:49.15

******************* Pre-run Status of system *******************

Rootkit driver huy32 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
:huy32.sys 70570
Total size: 70570 bytes.
Attempting to remove ADS...
system32: deleted 70570 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************


avenger.txt:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bodpumdw

*******************

Script file located at: \??\C:\Documents and Settings\hapmhnrc.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver huy32 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.


Logfile of HijackThis v1.99.1
Scan saved at 10:48:02 AM, on 2/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stickies\Stickies.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Stickies] C:\Program Files\Stickies\Stickies.exe
O4 - Startup: Stickies.lnk = C:\Program Files\Stickies\stickies.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134686968093
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

----

Things appear to be back in order. Thanks for your detailed instructions, could not have found assistance like this from other friends.

I'm going to restart and go back to IE7.

Can I delete all the files I downloaded in the repair process? Do some require a proper uninstallation?

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 10 February 2007 - 02:50 PM

Can I delete all the files I downloaded in the repair process?


No uninstalls required,just delete them all.

Your log is clean :thumbsup:
If all's ok,please do the following:

Turn off System Restore,then turn it back on again:
Help if needed:
http://www.pchell.com/virus/systemrestore.shtml

Create a new System Restore Point:
Help if needed:
Click on Start/All Programs/Accessories/System Tools/System Restore.
In the System Restore window,click "Create a Restore Point" button,then click 'Next'.
In the window that appears,enter a description,then click on "Create", then "Close".
The date and time is created automatically.

You should now go to Windows Update and install any available critical/high priority updates.

Read through the info found here,to help you prevent any possible future infections.
How did I get infected?
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

Please Note:
Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6.0'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java versions.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Posted Image
Posted Image

#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 21 February 2007 - 07:35 AM

Since your problem appears to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter.
Everyone else please begin a New Topic.
Posted Image
Posted Image

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 19 March 2007 - 07:31 AM

*Topic reopened at the request of Ryan12*
Posted Image
Posted Image

#9 Ryan12

Ryan12
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 19 March 2007 - 04:27 PM

Symptoms are returning.
AIM, IE, computer file search (accessed from start menu) close themselves.

Latest HJT log:

[quote]Logfile of HijackThis v1.99.1
Scan saved at 2:22:32 PM, on 3/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stickies\Stickies.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ryan\Local Settings\Temp\gmer.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\The All-Seeing Eye\eye.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [OrderReminder] "C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Stickies] "C:\Program Files\Stickies\Stickies.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Stickies.lnk = C:\Program Files\Stickies\stickies.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134686968093
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[/quote]



Gmer log:

[quote]GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-19 14:19:05
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 86F301C8 ZwAllocateVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwClose
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcessEx
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSection
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSymbolicLinkObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDuplicateObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwFlushKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwInitializeRegistry
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey2
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwNotifyChangeKey
SSDT kl1.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenSection
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryMultipleValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQuerySystemInformation
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryValueKey
SSDT 86F30240 ZwQueueApcThread
SSDT 86F2E020 ZwReadVirtualMemory
SSDT 86FAB210 ZwRenameKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwReplaceKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwRestoreKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwResumeThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSaveKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetContextThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationProcess
SSDT 86F303A8 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetValueKey
SSDT 86F30510 ZwSuspendProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSuspendThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwTerminateProcess
SSDT 86F30420 ZwTerminateThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwUnloadKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwWriteVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[285]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[286]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[287]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[288]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[289]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[290]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[291]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[292]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[293]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[294]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[295]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[296]

Code \??\C:\WINDOWS\system32\drivers\klif.sys FsRtlCheckLockForReadAccess
Code \??\C:\WINDOWS\system32\drivers\klif.sys IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KiDispatchInterrupt + BA 804DB92E 2 Bytes JMP AA374E10 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntoskrnl.exe!KiDispatchInterrupt + BD 804DB931 4 Bytes JMP D1DE495F
.text ntoskrnl.exe!_abnormal_termination + 170 804E27CC 2 Bytes [ 20, 9E ]
.text ntoskrnl.exe!_abnormal_termination + 173 804E27CF 1 Byte [ F7 ]
.text ntoskrnl.exe!IoIsOperationSynchronous 804E8752 5 Bytes JMP AA372B50 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 80503C29 5 Bytes JMP AA3726C0 \??\C:\WINDOWS\system32\drivers\klif.sys
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F62C362C 5 Bytes JMP 864CC1C8

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1840] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ AB, FA, C3, 83 ]
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1912] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ 03, FF, C3, 83 ]
.text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[3564] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0002FCB0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[3564] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0002FEDC C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[3564] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 0002FE60 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[3564] kernel32.dll!VirtualFree 7C809AE4 5 Bytes JMP 0002FEA0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 86FD11E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 86FD11E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 86FD11E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 86FD11E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 86FD11E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 86FD11E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 86FD11E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 86FD11E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 86FD11E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 86FD11E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 86FD11E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 86FD11E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 86FD11E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 86FD11E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 86FD11E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 86FD11E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 86FD11E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 86FD11E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 86FD11E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 86FD11E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 86FD11E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 86FD11E8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE 861AD420
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 86124660
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE 86329730
Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 86328198
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 863E31A0
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 86327B00
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 86327A88
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 861A0FA8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 861A0F30
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 861A0EB8
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 861A0E40
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 861A0DC8
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 861A0D50
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 861A0CD8
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL 861A0C60
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL 861A0BE8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 861A0B70
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 861A0AF8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP 861A0A80
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 861A0A08
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 861A0990
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 861A0918
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 861A08A0
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 861A0828
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 861A07B0
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 861A0738
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 861A06C0
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 861A0648
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CREATE 865691E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CLOSE 865691E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 865691E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 865691E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_POWER 865691E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 865691E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_PNP 865691E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CREATE 865691E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CLOSE 865691E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 865691E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 865691E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_POWER 865691E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 865691E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_PNP 865691E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_CREATE 865691E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_CLOSE 865691E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_DEVICE_CONTROL 865691E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 865691E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_POWER 865691E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_SYSTEM_CONTROL 865691E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_PNP 865691E8
Device \Driver\usbehci \Device\USBPDO-3 IRP_MJ_CREATE 865533E0
Device \Driver\usbehci \Device\USBPDO-3 IRP_MJ_CLOSE 865533E0
Device \Driver\usbehci \Device\USBPDO-3 IRP_MJ_DEVICE_CONTROL 865533E0
Device \Driver\usbehci \Device\USBPDO-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 865533E0
Device \Driver\usbehci \Device\USBPDO-3 IRP_MJ_POWER 865533E0
Device \Driver\usbehci \Device\USBPDO-3 IRP_MJ_SYSTEM_CONTROL 865533E0
Device \Driver\usbehci \Device\USBPDO-3 IRP_MJ_PNP 865533E0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE 861AD420
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 86124660
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE 86329730
Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 86328198
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 863E31A0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 86327B00
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 86327A88
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 861A0FA8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 861A0F30
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 861A0EB8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 861A0E40
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 861A0DC8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 861A0D50
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 861A0CD8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL 861A0C60
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL 861A0BE8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 861A0B70
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 861A0AF8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP 861A0A80
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 861A0A08
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 861A0990
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 861A0918
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 861A08A0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 861A0828
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 861A07B0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 861A0738
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 861A06C0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 861A0648
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 86FD31E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 86FD31E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 86FD31E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 86FD31E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 86FD31E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86FD31E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 86FD31E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 86FD31E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 86FD31E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 86FD31E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 86FD31E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 864891E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 864891E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 864891E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 864891E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 864891E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 864891E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 864891E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 864891E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 864891E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 864891E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP

#10 Ryan12

Ryan12
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 19 March 2007 - 04:30 PM

Looks like I haven't been able to paste the entire log here. I think this is most important though:

---- Registry - GMER 1.0.12 ----

Reg \Registry\USER\S-1-5-21-2052111302-861567501-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5B7ACBFD-4B7B-97CE-98D9-CD27310973A4}@abigpoedoadaldepbgjlldecplifdpmnib 0x61 0x61 0x00 0x00
Reg \Registry\USER\S-1-5-21-2052111302-861567501-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5B7ACBFD-4B7B-97CE-98D9-CD27310973A4}@bbigpoedoadaldepbgglafijiilhdeeogegp 0x61 0x61 0x00 0x00

---- EOF - GMER 1.0.12 ----[/quote]


The GMER person I emailed said these last two, the registry entries, are suspicious.

#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 19 March 2007 - 06:25 PM

Please download Sophos Anti-Rootkit,and save it on your desktop.
1. Double-click sarsfx.exe to extract the files and leave the default settings.
2. Open the folder C:\SOPHTEMP and double-click sargui.exe to start the program.
3. Make sure the following are checked:
- Running processes
- Windows Registry
- Local Hard Drives
4. Click the "Start Scan" button.
5. Click the "OK" button after you get the notification that the scan has finished and close the program.
6. Click on Start>Run and type, or copy and paste: %temp%\sarscan.log then press Enter.
7. This should open the log from the rootkit scan.
Post this log into your next reply.

Note:
If the scan is performed while the computer is in use, false positives may appear in the scan results.
This is caused by files or registry entries being deleted,including temporary files being deleted automatically.
It has also been reported that Trojan Hunter is detecting Sophos Anti-rootkit as Trojan.Dropper.Interlac.100
So if you have Trojan Hunter installed you will need to disable it prior to running a scan.
Posted Image
Posted Image

#12 Ryan12

Ryan12
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 19 March 2007 - 11:24 PM

Sophos Anti-Rootkit Version 1.2 (data 1.01) © 2006 Sophos Plc
Started logging on 3/19/2007 at 21:08:50 PM
Stopped logging on 3/19/2007 at 21:21:55 PM


--

Told me it found nothing.

#13 Ryan12

Ryan12
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 21 March 2007 - 04:13 PM

Where do I go from here?

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 24 March 2007 - 04:41 AM

You have got Norton Internet Security or Norton Antivirus installed,or you have had it installed at some point.
You have Kaspersky Anti-Virus 6.0 installed.
Not a good idea to have more than one antivirus program installed on your computer,or even the leftovers of a program you've uninstalled or tried to uninstall.
Each program may interpret the actions of the other as viral, therefore giving you false virus warnings about virus-related activities.
It could also lead to system slowdowns and other problems within the operating system,due to the two conflicting with each other.
You should uninstall one or the other as soon as possible.

Ok let me know whats happening now please,hows your pc running now.
Posted Image
Posted Image

#15 Ryan12

Ryan12
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 24 March 2007 - 06:20 PM

I still have the same symptoms.
I uninstalled Norton AV at least a year ago, and I'm not sure about the remnants. I only keep one active anti-virus program installed.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users