rootkit.agent and desktop hijacker remedy


Post by d00m » June 21st, 2009, 4:37 pm

Well, I've had this very burly virus for about a week or so and can't seem to remove it.
I tried doing some research and discovered I had some version of Desktop Hijack and rootkit.agent/gen.
Any help would be greatly appreciated.
Here's my log file.

Logfile of HijackThis v1.99.1
Scan saved at 1:30:08 PM, on 6/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: nCleaner.lnk = C:\Program Files\nCleaner\nCleaner.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCo ... taller.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8677731609
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: urqronl - urqronl.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - %fystemRoot%\System32\svchost.exe (file missing)
O23 - Service: Eset HTTP Server (ehttpsrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
d00m
Active Member
 
Posts: 9
Joined: June 21st, 2009, 4:11 pm

Re: rootkit.agent and desktop hijacker remedy

Post by Axephilic » June 22nd, 2009, 4:52 pm

Welcome to the Malware Removal Forums! My name is Adam and I will be assisting you with getting the malware off of your computer. Please observe the following points before we start:
  1. If at any point you don't understand something, please let me know and I will be glad to explain or go into more depth for you. :)
  2. Please remember, I am a volunteer and I have a personal life. I go to school full time, have a part-time job, and I do sports. A lot of this takes a lot of time.
  3. Please keep all of your replies in this topic/thread and do not make a new topic/thread, thanks!
  4. Please stick with this; don't stop responding because the symptoms are gone, as the infection could still be there. Keep replying to my posts until I give you the All Clean message. ;)
  5. If you don't reply within five days after my last instructions, this topic will be closed. If you will not be able to reply within five days, please tell me so the topic will not be closed.
  6. Please do not run other tools to remove the malware unless I ask you to, until I give you the all clean. They will just mess up my fixes and make things more complicated, not fix the problem.

RSIT
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US
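The helper above asks for HijackThis-style logs because a few entry types in them (orphaned startup entries, Winlogon Notify DLLs, services with no publisher) are where a volunteer looks first. The script below is an added example written for this page; it is not code from the forum, HijackThis, or RSIT. It parses lines in the same `Oxx - ...` format as the logs posted in this thread and returns, per entry, the reasons a reviewer would want a closer look. The sample lines are constructed to match the thread's log format; the triage rules (`(file missing)`, `(no file)`, `Unknown owner`, O20 entries, and startup/service entries without a full path) are assumptions about what is worth a second look, not a verdict on any entry.

```python
import re

# Constructed sample lines in HijackThis log format. They mirror the shape
# of the entries posted in this thread; this is not the poster's full log.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [egui] "C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe" /hide /waitservice
O20 - Winlogon Notify: urqronl - urqronl.dll (file missing)
O23 - Service: iPAHelper.exe - Unknown owner - C:\\Program Files\\iPod Access for Windows\\iPAHelper.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\ekrn.exe
"""

# Every HijackThis entry starts with a section code (R0..R3, O1..O24),
# then " - ", then the section-specific body.
LINE_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")

# Matches a drive-letter path such as C:\ anywhere in the body.
FULL_PATH_RE = re.compile(r"[A-Za-z]:\\")


def classify(line):
    """Return the list of review reasons for one log line ([] if none).

    The rules are heuristics (assumed for this example): they say
    'look here', not 'this is malicious'. SOUNDMAN.EXE in the thread,
    for instance, is flagged only because it is listed without a path.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned entry: the referenced file is absent")
    if "Unknown owner" in body:
        reasons.append("service binary carries no publisher string")
    if section == "O20":
        reasons.append("Winlogon Notify DLL: loaded into winlogon.exe at logon")
    if section in ("O4", "O23") and not FULL_PATH_RE.search(body):
        reasons.append("startup/service entry without a full path")
    return reasons


def triage(log_text):
    """Map each entry that has at least one reason to its reasons."""
    findings = {}
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for r in reasons:
            print("   ->", r)
```

Run it on a saved HijackThis or RSIT log by reading the file into `triage()` instead of `SAMPLE_LOG`; entries the rules do not touch (such as the ESET service line with a publisher and full path) are simply omitted from the result.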

Re: rootkit.agent and desktop hijacker remedy

Post by d00m » June 22nd, 2009, 11:02 pm

Ok, here is my LOG.txt

Logfile of random's system information tool 1.06 (written by random/random)
Run by DOOM at 2009-06-22 19:57:43
Microsoft Windows XP Professional Service Pack 3
System drive C: has 10 GB (8%) free of 131 GB
Total RAM: 1534 MB (64% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:26 PM, on 6/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Documents and Settings\DOOM\Desktop\RSIT.exe
C:\Program Files\trend micro\DOOM.exe
C:\WINDOWS\system32\taskmgr.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: nCleaner.lnk = C:\Program Files\nCleaner\nCleaner.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCo ... taller.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8677731609
O20 - Winlogon Notify: urqronl - urqronl.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Eset HTTP Server (ehttpsrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 5415 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\XoftSpySE 2.job
C:\WINDOWS\tasks\XoftSpySE.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}]
BitComet Helper - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll [2008-08-11 656696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{32099AAC-C132-4136-9E9A-4E364A424E17} - DAEMON Tools Toolbar - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll [2008-07-17 691656]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2005-05-13 67584]
"Logitech Utility"=C:\WINDOWS\Logi_MwX.Exe [2003-11-07 19968]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-05-16 13529088]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-05-16 86016]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2008-08-18 1447168]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []
"UnlockerAssistant"=C:\Program Files\Unlocker\UnlockerAssistant.exe [2008-05-01 15872]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"=C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe [2006-03-23 1591808]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2007-02-07 71216]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast!Antivirus"=2

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
nCleaner.lnk - C:\Program Files\nCleaner\nCleaner.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqronl]
urqronl.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BED7C2B4-3DA5-4F4F-84F7-07CAB3418E5F}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=
scecli
scecli
scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"SynchronousMachineGroupPolicy"=0
"SynchronousUserGroupPolicy"=0
"InternetOpenWith"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"Start_ShowMyComputer"=1
"Start_ShowMyDocs"=0
"Start_ShowMyMusic"=1
"Start_ShowMyPics"=1
"Start_ShowSearch"=0
"Start_ShowRun"=1
"StartMenuFavorites"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Xfire\Xfire.exe"="C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire"
"C:\Program Files\EA GAMES\MOHAA\MOHAA.exe"="C:\Program Files\EA GAMES\MOHAA\MOHAA.exe:*:Enabled:Medal of Honor Allied Assault"
"C:\Program Files\Valve\Steam\SteamApps\slayerasskickery\counter-strike source\hl2.exe"="C:\Program Files\Valve\Steam\SteamApps\slayerasskickery\counter-strike source\hl2.exe:*:Enabled:hl2"
"C:\Documents and Settings\DOOM\My Documents\The Gui\The Gui\tspeakfp.exe"="C:\Documents and Settings\DOOM\My Documents\The Gui\The Gui\tspeakfp.exe:*:Enabled:tspeakfp"
"C:\Program Files\SoulseekNS\slsk.exe"="C:\Program Files\SoulseekNS\slsk.exe:*:Enabled:SoulSeek"
"C:\Program Files\GigaTribe\gigatribe.exe"="C:\Program Files\GigaTribe\gigatribe.exe:*:Enabled:gigatribe"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c8fdccc-44d4-11de-b42e-0040caa86c47}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL equal.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8c263ca-e036-11dc-8ebc-0040caa86c47}]
shell\AutoRun\command - C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff47946d-0a77-11dd-b3d5-80a131e99319}]
shell\Auto\command - RavMonE.exe e
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e


======List of files/folders created in the last 1 months======

2009-06-22 19:57:43 ----D---- C:\rsit
2009-06-21 13:28:22 ----D---- C:\Program Files\Hijackthis
2009-06-21 13:22:23 ----D---- C:\Program Files\Trend Micro
2009-06-21 10:15:02 ----D---- C:\WINDOWS\ERUNT
2009-06-21 10:13:38 ----D---- C:\SDFix
2009-06-20 09:54:54 ----A---- C:\WINDOWS\system32\Copy of UAClqlsldnlesrbcco.dll
2009-06-20 09:54:54 ----A---- C:\WINDOWS\system32\Copy of uacinit.dll
2009-06-13 12:31:02 ----D---- C:\MRI_Updates
2009-06-12 16:34:38 ----D---- C:\Documents and Settings\DOOM\Application Data\Desktopicon
2009-06-12 16:34:36 ----D---- C:\Program Files\Unlocker
2009-06-12 11:30:13 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-06-10 09:17:01 ----D---- C:\Documents and Settings\DOOM\Application Data\FileZilla
2009-06-10 09:16:50 ----D---- C:\Program Files\FileZilla FTP Client
2009-06-09 15:32:10 ----D---- C:\Documents and Settings\DOOM\Application Data\ChemTable Software
2009-06-09 15:32:06 ----D---- C:\Program Files\Reg Organizer
2009-06-09 15:21:06 ----A---- C:\resetlog.txt
2009-06-09 15:09:56 ----A---- C:\WINDOWS\system32\msxml3a.dll
2009-06-09 15:09:45 ----D---- C:\Program Files\Service+
2009-06-08 21:47:35 ----HD---- C:\Program Files\Uninstall Information
2009-06-08 21:47:12 ----D---- C:\WINDOWS\system32\CatRoot2
2009-06-08 21:46:56 ----HD---- C:\Program Files\WindowsUpdate
2009-06-07 22:02:17 ----D---- C:\Documents and Settings\DOOM\Application Data\SUPERAntiSpyware.com
2009-06-07 21:44:33 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-07 21:44:01 ----D---- C:\Program Files\SUPERAntiSpyware Pro
2009-06-07 21:35:53 ----A---- C:\WINDOWS\system32\SSubTmr6.dll
2009-06-07 21:35:53 ----A---- C:\WINDOWS\system32\ServiceRepair.exe
2009-06-07 21:35:51 ----D---- C:\Program Files\XP Smoker Pro
2009-06-07 21:34:31 ----A---- C:\WINDOWS\system32\w32apiw.dll
2009-06-07 21:34:28 ----D---- C:\Program Files\nCleaner
2009-06-07 21:26:37 ----D---- C:\Program Files\UltimateDefrag2008
2009-06-07 21:06:41 ----D---- C:\WINDOWS\Temp
2009-06-07 20:53:53 ----D---- C:\Documents and Settings\DOOM\Application Data\WinPatrol
2009-06-07 20:53:47 ----D---- C:\Program Files\WinPatrol
2009-06-07 20:35:41 ----D---- C:\Documents and Settings\All Users\Application Data\Geek Squad
2009-06-07 19:03:47 ----A---- C:\WINDOWS\irc.txt
2009-06-05 13:51:17 ----D---- C:\Documents and Settings\DOOM\Application Data\Move Networks
2009-05-30 23:54:42 ----D---- C:\Program Files\AVG
2009-05-30 22:39:51 ----D---- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files

======List of files/folders modified in the last 1 months======

2009-06-22 19:58:56 ----D---- C:\WINDOWS\system32
2009-06-22 19:56:49 ----D---- C:\Program Files\Mozilla Firefox
2009-06-21 13:28:22 ----D---- C:\Program Files
2009-06-21 11:46:32 ----D---- C:\WINDOWS\system32\drivers
2009-06-21 11:45:39 ----D---- C:\WINDOWS
2009-06-21 10:22:13 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-06-20 09:55:16 ----SHD---- C:\RECYCLER
2009-06-20 01:13:03 ----D---- C:\Program Files\Registry Mechanic
2009-06-19 21:11:21 ----D---- C:\WINDOWS\system32\config
2009-06-19 18:28:25 ----D---- C:\WINDOWS\Prefetch
2009-06-19 17:11:12 ----D---- C:\WINDOWS\Minidump
2009-06-19 06:14:56 ----D---- C:\Program Files\Modem Assistant
2009-06-19 06:09:27 ----D---- C:\Program Files\Guitar Pro 5
2009-06-18 00:03:30 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2009-06-17 23:56:25 ----D---- C:\Program Files\AIM6
2009-06-17 23:55:46 ----SHD---- C:\WINDOWS\Installer
2009-06-17 23:55:46 ----SHD---- C:\Config.Msi
2009-06-17 23:55:46 ----D---- C:\WINDOWS\WinSxS
2009-06-16 09:26:57 ----D---- C:\Downloads
2009-06-16 08:57:06 ----D---- C:\Documents and Settings\DOOM\Application Data\Adobe
2009-06-16 08:55:13 ----D---- C:\Program Files\Common Files\Adobe
2009-06-16 08:53:20 ----D---- C:\Program Files\Adobe
2009-06-16 08:53:20 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-06-16 08:47:53 ----D---- C:\Program Files\BitComet
2009-06-13 16:47:27 ----D---- C:\Program Files\DivX
2009-06-13 16:46:27 ----D---- C:\Program Files\Common Files\DivX Shared
2009-06-13 15:46:27 ----D---- C:\Program Files\Common Files
2009-06-13 14:09:41 ----D---- C:\Program Files\TabIt
2009-06-13 14:08:12 ----D---- C:\Program Files\iPod Access for Windows
2009-06-12 16:23:52 ----D---- C:\WINDOWS\Help
2009-06-12 11:42:36 ----D---- C:\Program Files\Teamspeak2_RC2
2009-06-12 11:42:36 ----D---- C:\Program Files\Microsoft GIF Animator
2009-06-12 11:42:36 ----D---- C:\Program Files\DriverCleanerDotNET
2009-06-12 11:42:36 ----D---- C:\Program Files\Autokick
2009-06-12 11:42:36 ----D---- C:\Multimedia Files
2009-06-12 11:42:35 ----D---- C:\Program Files\Dvd-cloner
2009-06-12 11:26:17 ----D---- C:\WINDOWS\Debug
2009-06-11 22:18:36 ----D---- C:\Program Files\XoftSpySE
2009-06-11 21:48:01 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-06-11 14:29:11 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-11 14:13:52 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-06-11 14:09:50 ----D---- C:\Program Files\Windows Media Player
2009-06-11 14:09:50 ----A---- C:\WINDOWS\win.ini
2009-06-09 16:18:57 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-06-09 15:13:47 ----D---- C:\WINDOWS\system32\Restore
2009-06-08 21:47:29 ----D---- C:\WINDOWS\system32\CatRoot
2009-06-08 19:33:41 ----D---- C:\WINDOWS\Registration
2009-06-08 19:29:00 ----AD---- C:\Documents and Settings\All Users\Application Data\temp
2009-06-07 22:01:49 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-06-07 21:20:32 ----HD---- C:\WINDOWS\inf
2009-06-07 21:06:29 ----D---- C:\WINDOWS\SoftwareDistribution
2009-06-07 21:00:48 ----SD---- C:\WINDOWS\Tasks
2009-06-06 22:11:58 ----D---- C:\Documents and Settings\DOOM\Application Data\Xfire
2009-06-04 21:36:14 ----D---- C:\Program Files\Xfire
2009-05-26 20:15:17 ----D---- C:\Documents and Settings\All Users\Application Data\Soulseek

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2008-08-18 53256]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-08-18 34312]
R1 NetworkX;NetworkX; C:\WINDOWS\system32\ckldrv.sys [2006-01-09 31846]
R1 nvport;NVIDIA PORT IO Control Driver; \??\C:\WINDOWS\system32\Drivers\nvport.sys []
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware Pro\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware Pro\SASKUTIL.sys []
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-08-06 33052]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B}; \??\C:\Program Files\CyberLink\PowerDVD\000.fcl []
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2008-08-18 39944]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2005-05-13 400384]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-05-13 626977]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-06-17 1041536]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2004-06-17 220032]
R3 LHidFlt2;Logitech HID/USB Mouse Filter Driver; C:\WINDOWS\System32\DRIVERS\LHidFlt2.Sys [2003-11-07 25502]
R3 LHidUsb;Logitech USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsb.Sys [2003-11-07 37884]
R3 LMouFlt2;Logitech Mouse Class Filter Driver; C:\WINDOWS\System32\DRIVERS\LMouFlt2.Sys [2003-11-07 70798]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-05-16 6557408]
R3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2008-02-23 47360]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2006-03-29 9856]
R3 RTL8023;Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver; C:\WINDOWS\System32\DRIVERS\Rtlnic51.sys [2005-05-13 65280]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware Pro\SASENUM.SYS []
R3 SunkFilt;Alcor Micro Corp Reader; \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-06-17 685056]
S2 npkcrypt;npkcrypt; C:\WINDOWS\system32\drivers\npkcrypt.sys []
S3 a1emgegp;a1emgegp; C:\WINDOWS\system32\drivers\a1emgegp.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\DOOM\LOCALS~1\Temp\catchme.sys []
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-14 10368]
S3 MREMPR5;MREMPR5 NDIS Protocol Driver; C:\WINDOWS\system32\drivers\MREMPR5.sys []
S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver; C:\WINDOWS\system32\drivers\MRENDIS5.sys []
S3 RivaTuner32;RivaTuner32; \??\C:\Program Files\RivaTuner v2.06\RivaTuner32.sys []
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 S3chipid;S3chipid; \??\C:\cabs\D00253-002-001\s3chipid.sys []
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem; C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-14 12800]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2008-04-14 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ekrn;Eset Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
R2 iPAHelper.exe;iPAHelper.exe; C:\Program Files\iPod Access for Windows\iPAHelper.exe [2007-04-05 1543614]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-06-20 322120]
R2 UxTuneUp;TuneUp Design Expansion; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe -service -config C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf []
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-02-23 72704]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 ehttpsrv;Eset HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2008-08-18 19200]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 O&O Defrag;O&O Defrag; C:\WINDOWS\system32\oodag.exe [2007-05-11 1050120]
S3 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared files\RichVideo.exe [2007-02-07 173616]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S4 Crypkey License;Crypkey License; C:\WINDOWS\system32\crypserv.exe [2006-02-28 69632]

-----------------EOF-----------------

And here is my INFO.txt


info.txt logfile of random's system information tool 1.06 2009-06-22 19:59:28

======Uninstall list======

-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Audition 3.0-->msiexec /I {53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}
Adobe Bridge 1.0-->MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 9.1.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
AIM 6-->C:\Program Files\AIM6\uninst.exe
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Ashampoo Burning Studio 7-->"C:\Program Files\Ashampoo\Ashampoo Burning Studio 7\unins000.exe"
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
A-Z Video Converter Ultimate 7.57-->"C:\Program Files\A-Z\A-Z Video Converter Ultimate\unins000.exe"
Bejeweled 2-->C:\PROGRA~1\GAMEHO~1\Bejeweled 2\UNWISE.EXE /U C:\PROGRA~1\GAMEHO~1\Bejeweled 2\INSTALL.LOG
BitComet 1.07-->C:\Program Files\BitComet\uninst.exe
Blasterball 3-->"C:\Program Files\WildGames\Blasterball 3\Uninstall.exe"
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
ClearType Tuning Control Panel Applet-->MsiExec.exe /I{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}
Collab-->C:\Program Files\Image-Line\Collab\uninstall.exe
Counter-Strike-->"C:\Program Files\Valve\Steam\steam.exe" steam://uninstall/10
Crow King's Autokick 1.2 Beta-->C:\WINDOWS\st6unst.exe -n "C:\Program Files\Autokick\ST6UNST.LOG"
DAEMON Tools Toolbar-->C:\Program Files\DAEMON Tools Toolbar\uninst.exe
Dedicated Server-->"C:\Program Files\Valve\Steam\steam.exe" steam://uninstall/5
DH Driver Cleaner.NET-->C:\Program Files\DriverCleanerDotNET\Uninstall.exe
Digital Media Reader-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Plus DirectShow Filters-->C:\Program Files\DivX\DivXDSFiltersUninstall.exe /DSFILTERS
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Dream Aquarium-->"C:\Program Files\Dream Aquarium\UnInstall.exe"
DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"
DVD-CLONER V6.00 Build 977-->"C:\Program Files\Dvd-cloner\unins000.exe"
ESET NOD32 Antivirus-->MsiExec.exe /I{1A3D8A23-3215-46B7-AB97-E304ADABFC18}
FileZilla Client 3.2.4.1-->C:\Program Files\FileZilla FTP Client\uninstall.exe
FL Studio 6-->C:\Program Files\Image-Line\FL Studio 6\uninstall.exe
Free M4a to MP3 Converter 6.0-->"C:\Program Files\Free M4a to MP3 Converter\unins000.exe"
Fruity Loops Studio Producer Edition XXL v6.04 Patcher-->C:\PROGRA~1\Image-Line\FL Studio 6\UNWISE.EXE C:\PROGRA~1\Image-Line\FL Studio 6\INSTALL.LOG
GameHouse-->"C:\Program Files\RealArcade\Installer\bin\gameinstaller.exe" "C:\Program Files\RealArcade\Installer\installerMain.clf" "C:\Program Files\RealArcade\Installer\uninstall\GameHouse.rguninst" "AddRemove"
GigaTribe 2.52-->"C:\Program Files\GigaTribe\unins000.exe"
GTK+ 2.10.6-1 runtime environment-->"C:\Program Files\Common Files\GTK\2.0\setup\unins000.exe"
Guitar Pro 5.2-->"C:\Program Files\Guitar Pro 5\unins000.exe"
Gutterball 2-->C:\PROGRA~1\GAMEHO~1\GUTTER~1\UNWISE.EXE /U C:\PROGRA~1\GAMEHO~1\GUTTER~1\INSTALL.LOG
Half-Life Dedicated Server Update Tool-->C:\srcds\UNWISE.EXE C:\srcds\INSTALL.LOG
Half-Life(R) 2-->MsiExec.exe /I{D45EC259-4A19-4656-B588-C2C360DD18EA}
Hijackthis 1.99.1-->"C:\Program Files\Hijackthis\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
ImgBurn-->"C:\Program Files\ImgBurn\uninstall.exe"
InterActual Player-->C:\Program Files\InterActual\InterActual Player\inuninst.exe
iPod Access for Windows v4.0.4-->"C:\Program Files\iPod Access for Windows\unins000.exe"
iTunes-->MsiExec.exe /I{318AB667-3230-41B5-A617-CB3BF748D371}
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
Last.fm 1.5.4.24567-->"C:\Program Files\Last.fm\unins000.exe"
Logitech MouseWare 9.79 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\setup.exe" -l0x9 -l0009 UNINSTALL
Logitech Resource Center-->C:\PROGRA~1\Logitech\RESOUR~1\rem\UNWISE.EXE C:\PROGRA~1\Logitech\RESOUR~1\rem\INSTALL.LOG
Magic DVD Ripper V5.4-->"C:\Program Files\MagicDVDRipper\unins000.exe"
Medal of Honor Allied Assault-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0DEA94ED-915A-4834-A87E-388D012C8E02}\Setup.exe" -l0x9
Mega Manager-->C:\Program Files\InstallShield Installation Information\{3B6E3FC6-274C-4B6C-BC85-5C3B15DE18E2}\setup.exe -runfromtemp -l0x0009 -removeonly
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft GIF Animator-->C:\Program Files\Microsoft GIF Animator\setup\GifACME.exe
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft VC9 runtime libraries-->MsiExec.exe /I{C4124E95-5061-4776-8D5D-E3D931C778E1}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.11)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
nCleaner second 2.3.4.0-->C:\Program Files\nCleaner\uninstall.exe
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA PureVideo Decoder-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055FEF8E-4B86-400F-A5C6-8FAC0042DCD9}\setup.exe" -l0x9 -uninstall
O&O Defrag Server Edition-->MsiExec.exe /I{534803E0-2E75-4FBD-AAEF-BE410330B6AA}
Portal-->"C:\Program Files\Valve\Steam\steam.exe" steam://uninstall/400
PowerDVD-->"C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -l0x000409 /z-uninstall
PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"
QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
REALTEK Gigabit and Fast Ethernet NIC Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
Reg Organizer 4.23-->"C:\Program Files\Reg Organizer\unins000.exe"
Registry Mechanic 7.0-->"C:\Program Files\Registry Mechanic\unins000.exe"
RivaTuner v2.06-->"C:\Program Files\RivaTuner v2.06\uninstall.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Service+-->C:\Program Files\Service+\Service+\setup.exe /UNINSTALL /SERVICE+
SoftV92 Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IURSLST5K.inf
SoulSeek 157 NS 13c-->"C:\Program Files\SoulseekNS\uninstall.exe"
Source Dedicated Server-->"C:\Program Files\Valve\Steam\steam.exe" steam://uninstall/205
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam(TM)-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
TabIt version 2.03-->"C:\Program Files\TabIt\unins000.exe"
TeamSpeak 2 RC2-->"C:\Program Files\Teamspeak2_RC2\unins000.exe"
TuneUp Utilities 2007-->MsiExec.exe /I{C8BB4912-12D9-42AE-B571-E580D8CD1B5B}
U3Launcher-->MsiExec.exe /I{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}
UltimateDefrag 2008 Trial-->C:\Program Files\UltimateDefrag2008\Uninstall.EXE /u:"UltimateDefrag 2008 Trial"
Unlocker 1.8.7-->C:\Program Files\Unlocker\uninst.exe
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
VCRedistSetup-->MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Verizon Broadband Toolbar (IE only)-->C:\Program Files\verizon_broad\uninstall.exe
Verizon Online DSL-->C:\Program Files\Common Files\SupportSoft\Verizon\vzuninstall.exe /starthidden
Winamp Toolbar-->"C:\Program Files\Winamp Toolbar\uninstall.exe"
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Xfire (remove only)-->"C:\Program Files\Xfire\uninst.exe"
XoftSpySE-->C:\Program Files\XoftSpySE\uninstall.exe
XviD MPEG-4 Codec-->"C:\Program Files\XviD\UninstXviD.exe"

======Hosts File======

127.0.0.1 localhost

======Security center information======

AV: ESET NOD32 Antivirus 3.0 (outdated)

======System event log======

Computer Name: KEVIN
Event Code: 275
Message: AddDevice() unsupported underlying device driver.

Record Number: 11805
Source Name: SscVF
Time Written: 20090609150820.000000-420
Event Type: warning
User:

Computer Name: KEVIN
Event Code: 7003
Message: The DHCP Client service depends on the following nonexistent service: dhcpsrv

Record Number: 11804
Source Name: Service Control Manager
Time Written: 20090609143045.000000-420
Event Type: error
User:

Computer Name: KEVIN
Event Code: 7001
Message: The Universal Plug and Play Device Host service depends on the SSDP Discovery Service service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.


Record Number: 11800
Source Name: Service Control Manager
Time Written: 20090609134718.000000-420
Event Type: error
User:

Computer Name: KEVIN
Event Code: 10005
Message: DCOM got error "%1068" attempting to start the service upnphost with arguments ""
in order to run the server:
{204810B9-73B2-11D4-BF42-00B0D0118B56}

Record Number: 11799
Source Name: DCOM
Time Written: 20090609134718.000000-420
Event Type: error
User: KEVIN\DOOM

Computer Name: KEVIN
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 11798
Source Name: W32Time
Time Written: 20090609092000.000000-420
Event Type: warning
User:

=====Application event log=====

Computer Name: KEVIN
Event Code: 1000
Message: Faulting application freeram xp pro.exe, version 1.5.1.0, faulting module freeram xp pro.exe, version 1.5.1.0, fault address 0x000230ec.

Record Number: 589
Source Name: Application Error
Time Written: 20081102215414.000000-480
Event Type: error
User:

Computer Name: KEVIN
Event Code: 1517
Message: Windows saved user KEVIN\DOOM registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 585
Source Name: Userenv
Time Written: 20081102113158.000000-480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: KEVIN
Event Code: 1
Message:
Record Number: 573
Source Name: nview_info
Time Written: 20081015130955.000000-420
Event Type: error
User:

Computer Name: KEVIN
Event Code: 1000
Message: Faulting application gta_sa.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x36caafec.

Record Number: 572
Source Name: Application Error
Time Written: 20081010202918.000000-420
Event Type: error
User:

Computer Name: KEVIN
Event Code: 1000
Message: Faulting application gta_sa.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x36caafec.

Record Number: 570
Source Name: Application Error
Time Written: 20081005215139.000000-420
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Ringz Studio\Storm Codec\QTSystem\;C:\Program Files\Common Files\DivX Shared\;C:\Program Files\Common Files\GTK\2.0\bin
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 44 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=2c00
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\Ringz Studio\Storm Codec\QTSystem\QTJava.zip
"DEVMGR_SHOW_DETAILS"=1
"DEVMGR_SHOW_NONPRESENT_DEVICES"=1

-----------------EOF-----------------
d00m
Active Member
 
Posts: 9
Joined: June 21st, 2009, 4:11 pm

Re: rootkit.agent and desktop hijacker remedy

Unread post by Axephilic » June 22nd, 2009, 11:30 pm

Hi there,

P2P Warning!

With reference to Malware Removal's P2P Programs Policy, please uninstall the following programs before we continue:

  1. Click on Start > Control Panel and double click on Add/Remove Programs.
  2. Locate the following programs and click on the Change/Remove button to uninstall them.

    BitComet 1.07
  3. Close Add/Remove Programs and Control Panel when done.

Validate Windows XP
  1. Please download this tool from Microsoft.
  2. Double click on MGADiag.exe to run it.
  3. Click Continue.
  4. The program will run. It takes a while to finish the diagnosis, please be patient.
  5. Once done, click on Copy.
  6. Open Notepad and paste the contents in. Save this file and post it in your next reply.

In your next reply, please include:
  1. Validation log
  2. A new HijackThis log

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: rootkit.agent and desktop hijacker remedy

Unread post by d00m » June 22nd, 2009, 11:45 pm

Ok, I uninstalled Bitcomet.

Here is my Validation Log:

Diagnostic Report (1.9.0006.1):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-6TP32-MHQXJ-QYCXT
Windows Product Key Hash: 4CZQLuYmENPC9xQEReTs5OCuU5M=
Windows Product ID: 55274-005-6038022-22301
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {CCE71DB5-E9CA-4E3D-B43F-6C66B5E63F4A}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.9.9.1
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: Yes
Version: 1.8.31.9
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: Microsoft
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 114 Blocked VLK 2
Microsoft Office XP Professional with FrontPage - 114 Blocked VLK 2
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{CCE71DB5-E9CA-4E3D-B43F-6C66B5E63F4A}</UGUID><Version>1.9.0006.1</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-QYCXT</PKey><PID>55274-005-6038022-22301</PID><PIDType>5</PIDType><SID>S-1-5-21-861567501-1957994488-725345543</SID><SYSTEM><Manufacturer>Gateway</Manufacturer><Model>T3302</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="3"/><Date>20050726000000.000000+000</Date></BIOS><HWID>930C396F01842E7D</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.8.31.9"/><File Name="WgaLogon.dll" Version="1.8.31.9"/></GANotification></MachineData><Software><Office><Result>114</Result><Products><Product GUID="{90280409-6000-11D3-8CFE-0050048383C9}"><LegitResult>114</LegitResult><Name>Microsoft Office XP Professional with FrontPage</Name><Ver>10</Ver><Val>39476F84C4B4004</Val><Hash>4iCnywwNW1w4s9ukTIwGMGxyGic=</Hash><Pid>54185-640-0000025-17632</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="10" Result="114"/><App Id="16" Version="10" Result="114"/><App Id="17" Version="10" Result="114"/><App Id="18" Version="10" Result="114"/><App Id="1A" Version="10" Result="114"/><App Id="1B" Version="10" Result="114"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1DB70:emachines inc|1DB70:Gateway, Inc
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A

And here is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:44:50 PM, on 6/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\taskmgr.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: nCleaner.lnk = C:\Program Files\nCleaner\nCleaner.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCo ... taller.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8677731609
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: urqronl - urqronl.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - %fystemRoot%\System32\svchost.exe (file missing)
O23 - Service: Eset HTTP Server (ehttpsrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
d00m
Active Member
 
Posts: 9
Joined: June 21st, 2009, 4:11 pm

Re: rootkit.agent and desktop hijacker remedy

Unread post by Axephilic » June 22nd, 2009, 11:59 pm

Hello,

Thank you for those.

Uninstall Bad Programs
We are going to uninstall some bad stuff now.
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if found):

    DAEMON Tools Toolbar

Now you can close Add/Remove Programs.

Fix HijackThis lines

  • Run HijackThis!
  • Click on Do a System Scan only
  • Place a tick next to the following lines:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O20 - Winlogon Notify: urqronl - urqronl.dll (file missing)
Close all open windows and click on Fix checked; when you get a popup window, click on Yes.

Flash Disinfector
  1. Please download Flash_Disinfector and save it to your desktop.
  2. Double click to run it.
  3. You will be prompted to plug in your flash drive. Plug it in.
  4. Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  5. When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  6. Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.

Kaspersky Online Scanner
Please go to the Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

In your next reply, please include:
  1. Kaspersky report
  2. A new HijackThis log

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US
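As an added example (not code from this thread, from HijackThis, or from MalwareRemoval.com), the following Python script does in code the kind of triage the helper above does by eye on a HijackThis log: it parses each item line by its section tag (R0, O2, O20, ...) and flags entries whose backing file is missing or absent, browser helper objects with no name, Winlogon Notify DLLs given as a bare file name rather than a path, and blank registry values. The sample lines are copied from the logs posted in this thread; the heuristics and the function names are my own, not HijackThis features. A flag is a prompt to look closer, not a verdict: the legitimate dimsntfy.dll entry is flagged only because its file is missing, and the helper did not ask to fix that one.

```python
"""Triage helper for HijackThis-style log lines (added example, not the
thread's, HijackThis's or MalwareRemoval.com's own code)."""
import re
from dataclasses import dataclass, field

# Leading section tag as HijackThis prints it: "R0 - ...", "O20 - ...".
SECTION_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")

# Constructed sample: item lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: urqronl - urqronl.dll (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""


@dataclass
class Entry:
    section: str
    body: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_line(line: str):
    """Return an Entry for an item line, or None for headers, process lists and blanks."""
    m = SECTION_RE.match(line.strip())
    return Entry(m.group("section"), m.group("body")) if m else None


def triage_entry(entry: Entry) -> Entry:
    """Attach human-readable reasons; an empty list means nothing stood out."""
    body = entry.body.rstrip()
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        entry.reasons.append("references a file that does not exist on disk")
    if entry.section == "O2" and body.startswith("BHO: (no name)"):
        entry.reasons.append("browser helper object with no name")
    if entry.section == "O20" and " - " in body:
        # "Winlogon Notify: <name> - <dll>": a bare file name means the DLL is
        # resolved by search path rather than loaded from a fixed location.
        dll = body.split(" - ", 1)[1].replace("(file missing)", "").strip()
        if "\\" not in dll and "%" not in dll:
            entry.reasons.append("Winlogon Notify DLL given without a path")
    if entry.section in ("R0", "R1") and body.endswith("="):
        entry.reasons.append("blank registry value")
    return entry


def triage_log(text: str) -> list:
    """Parse and triage every item line in a log; non-item lines are skipped."""
    return [triage_entry(e) for e in map(parse_line, text.splitlines()) if e]


def flagged(text: str) -> list:
    """Only the entries that picked up at least one reason."""
    return [e for e in triage_log(text) if e.suspicious]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section:<4} {e.body}")
        for r in e.reasons:
            print(f"      -> {r}")
```

Run against the sample it reports four entries: the blank R0 Local Page, the unnamed O2 BHO with no file, and both O20 Winlogon Notify lines, with urqronl.dll carrying two reasons (missing file and no path) and dimsntfy.dll one. Feeding it a full log is just a matter of reading the file into `flagged()`.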

Re: rootkit.agent and desktop hijacker remedy

Unread post by d00m » June 23rd, 2009, 10:27 am

Ok. I removed Daemon Tools. Fixed the HijackThis lines.
However, the line
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
wasn't there, because of the uninstall I believe.

I ran Flash Disinfector and the Kaspersky scan.
Here is the Kaspersky report.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, June 23, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, June 23, 2009 06:19:56
Records in database: 2382141
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 170283
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:07:21


File name / Threat name / Threats count
C:\Documents and Settings\DOOM\Desktop\Craagle\Craagle v3.0.exe Infected: not-a-virus:AdWare.Win32.Craagle.b 1
C:\WINDOWS\system32\Copy of UAClqlsldnlesrbcco.dll Infected: Trojan.Win32.TDSS.aegg 1

The selected area was scanned.

And here is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:26:37 AM, on 6/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\DOOM\Local Settings\Temp\jkos-DOOM\binaries\ScanningProcess.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: nCleaner.lnk = C:\Program Files\nCleaner\nCleaner.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCo ... taller.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8677731609
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - %fystemRoot%\System32\svchost.exe (file missing)
O23 - Service: Eset HTTP Server (ehttpsrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
d00m
Active Member
 
Posts: 9
Joined: June 21st, 2009, 4:11 pm

Re: rootkit.agent and desktop hijacker remedy

Unread postby Axephilic » June 23rd, 2009, 1:02 pm

Hi there,

Download and Run ComboFix
Please visit this page to download and run Combofix - http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Save it to your desktop.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will see the following message if Microsoft Windows Recovery Console is not installed.

    Image

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image

Click on Yes to continue scanning for malware.

When finished, a log will be produced. Please post this log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: rootkit.agent and desktop hijacker remedy

Unread postby d00m » June 23rd, 2009, 1:55 pm

It did not prompt me to install Microsoft Windows Recovery Console.
And, it said that the version of Combofix may be tainted.
It did, however, scan, and here is the LOG file.

ComboFix 09-06-22.0E - DOOM 06/23/2009 10:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.1177 [GMT -7:00]
Running from: c:\documents and settings\DOOM\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\UACfxduyyrrklksirnvs.sys
c:\windows\system32\nGpxx16
c:\windows\system32\Plugins
c:\windows\system32\UACircfjpxmwuwswwxwh.dll
C:\Autorun.inf
c:\windows\Install.txt
c:\windows\irc.txt
c:\windows\system32\certstore.dat
c:\windows\system32\drivers\UACfxduyyrrklksirnvs.sys
c:\windows\system32\Install.txt
c:\windows\system32\kungsfdlukfysu.dat
c:\windows\system32\Plugins\Hoster\aCallbackMethods.dll
c:\windows\system32\Plugins\Hoster\archivto.dll
c:\windows\system32\Plugins\Hoster\dataupde.dll
c:\windows\system32\Plugins\Hoster\fastloadnet.dll
c:\windows\system32\Plugins\Hoster\fastshareorg.dll
c:\windows\system32\Plugins\Hoster\fileuploadnet.dll
c:\windows\system32\Plugins\Hoster\megauploadcom.dll
c:\windows\system32\Plugins\Hoster\meinuploadcom.dll
c:\windows\system32\Plugins\Hoster\moosharede.dll
c:\windows\system32\Plugins\Hoster\myvideode.dll
c:\windows\system32\Plugins\Hoster\PluginSettings.ini
c:\windows\system32\Plugins\Hoster\qsharecom.dll
c:\windows\system32\Plugins\Hoster\rapidsharecom.dll
c:\windows\system32\Plugins\Hoster\shareonlinebiz.dll
c:\windows\system32\Plugins\Hoster\shareplacecom.dll
c:\windows\system32\Plugins\Hoster\silofilescom.dll
c:\windows\system32\Plugins\Hoster\speedysharecom.dll
c:\windows\system32\Plugins\Hoster\yourfilesbiz.dll
c:\windows\system32\Plugins\Hoster\youtubecom.dll
c:\windows\system32\Plugins\YouCrypt\callbackmethods.dll
c:\windows\system32\Plugins\YouCrypt\captcha.dll
c:\windows\system32\Plugins\YouCrypt\datenbankorg.dll
c:\windows\system32\Plugins\YouCrypt\datenschleuder.dll
c:\windows\system32\Plugins\YouCrypt\ddlscene.dll
c:\windows\system32\Plugins\YouCrypt\dreidl.dll
c:\windows\system32\Plugins\YouCrypt\dxpdivxvidorg.dll
c:\windows\system32\Plugins\YouCrypt\gameblog.dll
c:\windows\system32\Plugins\YouCrypt\gamezam.dll
c:\windows\system32\Plugins\YouCrypt\gapping.dll
c:\windows\system32\Plugins\YouCrypt\gwarez.dll
c:\windows\system32\Plugins\YouCrypt\linkbank.dll
c:\windows\system32\Plugins\YouCrypt\linksafe.dll
c:\windows\system32\Plugins\YouCrypt\LinkSave.dll
c:\windows\system32\Plugins\YouCrypt\lix.dll
c:\windows\system32\Plugins\YouCrypt\mirrorit.dll
c:\windows\system32\Plugins\YouCrypt\netfolderin.dll
c:\windows\system32\Plugins\YouCrypt\onekh.dll
c:\windows\system32\Plugins\YouCrypt\rapidfolder.dll
c:\windows\system32\Plugins\YouCrypt\rapidlayer.dll
c:\windows\system32\Plugins\YouCrypt\rapidsafede.dll
c:\windows\system32\Plugins\YouCrypt\rapidsafenet.dll
c:\windows\system32\Plugins\YouCrypt\relinkus.dll
c:\windows\system32\Plugins\YouCrypt\RScomLinkList.dll
c:\windows\system32\Plugins\YouCrypt\rslayer.dll
c:\windows\system32\Plugins\YouCrypt\saveraidrush.dll
c:\windows\system32\Plugins\YouCrypt\secured.dll
c:\windows\system32\Plugins\YouCrypt\securnet.dll
c:\windows\system32\Plugins\YouCrypt\serienjunkies.dll
c:\windows\system32\Plugins\YouCrypt\shareonall.dll
c:\windows\system32\Plugins\YouCrypt\shareprotect.dll
c:\windows\system32\Plugins\YouCrypt\stealth.dll
c:\windows\system32\Plugins\YouCrypt\tinyurl.dll
c:\windows\system32\Plugins\YouCrypt\UndergroundCMS.dll
c:\windows\system32\Plugins\YouCrypt\uppicoasis.dll
c:\windows\system32\Plugins\YouCrypt\urlcash.dll
c:\windows\system32\Plugins\YouCrypt\usercashcom.dll
c:\windows\system32\Plugins\YouCrypt\xlinkin.dll
c:\windows\system32\UACircfjpxmwuwswwxwh.dll
c:\windows\system32\w32apiw.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_AVAST!ANTIVIRUS
-------\Service_kungsfwoxwkuai


((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-06-23 )))))))))))))))))))))))))))))))
.

2009-06-23 03:40 . 2009-06-23 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-06-23 02:57 . 2009-06-23 02:59 -------- d-----w- C:\rsit
2009-06-21 20:22 . 2009-06-23 02:59 -------- d-----w- c:\program files\Trend Micro
2009-06-21 17:22 . 2009-06-21 17:22 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-06-21 17:15 . 2009-06-21 17:15 -------- d-----w- c:\windows\ERUNT
2009-06-21 17:13 . 2009-06-21 17:37 -------- d-----w- C:\SDFix
2009-06-20 16:54 . 2009-06-19 15:43 6270 ----a-w- c:\windows\system32\Copy of uacinit.dll
2009-06-20 16:54 . 2009-06-19 15:39 66560 ----a-w- c:\windows\system32\Copy of UAClqlsldnlesrbcco.dll
2009-06-18 22:08 . 2009-06-18 22:08 51712 ----a-w- c:\windows\system32\drivers\UACebtkdbfqfhvudal.sys
2009-06-16 04:17 . 2006-10-12 16:29 83504 ----a-w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\TEMP\ProgUpd.dll
2009-06-13 19:31 . 2009-06-13 19:31 -------- d-----w- C:\MRI_Updates
2009-06-12 23:34 . 2009-06-12 23:34 -------- d-----w- c:\documents and settings\DOOM\Application Data\Desktopicon
2009-06-12 23:34 . 2009-06-12 23:44 -------- d-----w- c:\program files\Unlocker
2009-06-10 16:17 . 2009-06-16 02:22 -------- d-----w- c:\documents and settings\DOOM\Application Data\FileZilla
2009-06-10 16:16 . 2009-06-10 16:16 -------- d-----w- c:\program files\FileZilla FTP Client
2009-06-09 22:32 . 2009-06-09 22:32 -------- d-----w- c:\documents and settings\DOOM\Local Settings\Application Data\ChemTable Software
2009-06-09 22:32 . 2009-06-09 22:32 -------- d-----w- c:\documents and settings\DOOM\Application Data\ChemTable Software
2009-06-09 22:32 . 2009-06-09 22:32 -------- d-----w- c:\program files\Reg Organizer
2009-06-09 22:09 . 2009-06-09 22:09 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-06-09 22:09 . 2009-06-09 22:09 -------- d-----w- c:\program files\Service+
2009-06-09 04:47 . 2009-06-23 17:12 -------- d-----w- c:\windows\system32\CatRoot2
2009-06-08 05:03 . 2009-06-21 18:47 117760 ----a-w- c:\documents and settings\DOOM\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-08 05:02 . 2009-06-08 05:02 -------- d-----w- c:\documents and settings\DOOM\Application Data\SUPERAntiSpyware.com
2009-06-08 04:44 . 2009-06-08 04:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-08 04:44 . 2009-06-21 18:47 -------- d-----w- c:\program files\SUPERAntiSpyware Pro
2009-06-08 04:35 . 2005-10-20 17:30 32768 ----a-w- c:\windows\system32\ServiceRepair.exe
2009-06-08 04:35 . 2004-04-25 21:39 53248 ----a-w- c:\windows\system32\SSubTmr6.dll
2009-06-08 04:35 . 2003-08-05 22:38 492 ----a-w- c:\windows\system32\outfix.reg
2009-06-08 04:35 . 2009-06-19 13:30 -------- d-----w- c:\program files\XP Smoker Pro
2009-06-08 04:34 . 2009-06-08 04:34 -------- d-----w- c:\program files\nCleaner
2009-06-08 04:26 . 2009-06-13 23:01 -------- d-----w- c:\program files\UltimateDefrag2008
2009-06-08 04:02 . 2009-06-08 04:02 361344 -c--a-w- c:\windows\system32\dllcache\TCPIP.SYS
2009-06-08 04:01 . 2008-03-06 17:02 3002 ----a-w- c:\windows\zone_correction.reg
2009-06-08 04:01 . 2007-10-18 16:05 300 ----a-w- c:\windows\totals.reg
2009-06-08 04:01 . 2007-10-18 16:04 9422664 ----a-w- c:\windows\ie-ads.reg
2009-06-08 04:01 . 2006-03-13 16:41 674 ----a-w- c:\windows\ie-ads-uninst.reg
2009-06-08 03:53 . 2008-02-21 04:08 0 ----a-w- c:\documents and settings\DOOM\Application Data\WinPatrol\Config.sys
2009-06-08 03:53 . 2009-06-08 03:53 -------- d-----w- c:\documents and settings\DOOM\Application Data\WinPatrol
2009-06-08 03:53 . 2008-02-21 04:08 0 ----a-w- c:\documents and settings\DOOM\Application Data\WinPatrol\Autoexec.bat
2009-06-08 03:53 . 2009-06-09 23:13 -------- d-----w- c:\program files\WinPatrol
2009-06-08 03:35 . 2009-06-08 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Geek Squad
2009-06-08 02:18 . 2009-06-08 02:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-06-05 20:51 . 2009-06-05 20:51 -------- d-----w- c:\documents and settings\DOOM\Application Data\Move Networks
2009-06-05 20:51 . 2009-02-12 18:41 973312 ----a-w- c:\documents and settings\DOOM\Application Data\Mozilla\Firefox\Profiles\5mt9mos1.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
2009-05-31 06:54 . 2009-05-31 06:54 -------- d-----w- c:\program files\AVG
2009-05-31 05:39 . 2009-05-31 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-23 04:10 . 2008-11-03 15:06 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-06-23 03:37 . 2008-12-05 23:30 -------- d-----w- c:\program files\BitComet
2009-06-19 13:14 . 2008-02-22 04:56 -------- d-----w- c:\program files\Modem Assistant
2009-06-19 13:09 . 2008-11-03 06:04 -------- d-----w- c:\program files\Guitar Pro 5
2009-06-18 07:03 . 2008-12-05 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-18 06:56 . 2008-12-03 23:16 -------- d-----w- c:\program files\AIM6
2009-06-17 01:30 . 2008-03-19 06:24 26 ----a-w- c:\windows\popcinfo.dat
2009-06-16 15:55 . 2008-02-24 03:25 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-13 23:47 . 2008-02-24 03:32 -------- d-----w- c:\program files\DivX
2009-06-13 23:46 . 2009-03-23 03:14 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-13 21:09 . 2009-05-11 18:37 -------- d-----w- c:\program files\TabIt
2009-06-13 21:08 . 2008-03-11 06:17 -------- d-----w- c:\program files\iPod Access for Windows
2009-06-13 20:40 . 2001-08-23 12:00 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-12 18:42 . 2009-04-29 22:28 -------- d-----w- c:\program files\DriverCleanerDotNET
2009-06-12 18:42 . 2009-04-21 02:29 -------- d-----w- c:\program files\Teamspeak2_RC2
2009-06-12 18:42 . 2009-02-15 18:47 -------- d-----w- c:\program files\Microsoft GIF Animator
2009-06-12 18:42 . 2008-12-06 20:07 -------- d-----w- c:\program files\Autokick
2009-06-12 18:42 . 2009-02-23 05:17 -------- d-----w- c:\program files\Dvd-cloner
2009-06-12 05:18 . 2008-12-04 23:14 -------- d-----w- c:\program files\XoftSpySE
2009-06-12 04:48 . 2008-12-20 20:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-11 21:29 . 2008-12-20 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-09 02:29 . 2008-12-03 21:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\temp
2009-06-08 05:01 . 2008-02-21 15:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-08 04:02 . 2009-06-08 04:02 361344 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-06-08 04:02 . 2001-08-23 12:00 361344 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
2009-06-07 05:11 . 2008-12-04 23:28 -------- d-----w- c:\documents and settings\DOOM\Application Data\Xfire
2009-06-05 04:36 . 2008-12-04 23:28 -------- d-----w- c:\program files\Xfire
2009-05-27 03:15 . 2008-12-08 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek
2009-05-21 22:51 . 2009-05-21 22:51 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-05-05 02:34 . 2009-05-05 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-05-05 02:34 . 2009-05-05 02:34 -------- d-----w- c:\program files\WildGames
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-04-29 23:41 . 2009-02-05 22:56 8 ----a-w- c:\windows\system32\nvModes.dat
2009-04-29 23:40 . 2009-04-29 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-04-29 23:36 . 2009-04-29 23:35 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-04-29 23:36 . 2009-04-29 23:36 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-04-29 23:36 . 2009-02-02 15:31 -------- d-----w- c:\program files\SystemRequirementsLab
2009-04-29 23:35 . 2009-02-02 15:31 -------- d-----w- c:\documents and settings\DOOM\Application Data\SystemRequirementsLab
2009-04-29 23:35 . 2009-04-29 23:35 290816 ----a-w- c:\documents and settings\DOOM\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-04-29 23:35 . 2009-04-29 23:35 290816 ----a-w- c:\documents and settings\DOOM\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-04-29 23:35 . 2009-04-29 23:35 290816 ----a-w- c:\documents and settings\DOOM\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-04-29 23:35 . 2009-04-29 23:35 290816 ----a-w- c:\documents and settings\DOOM\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-04-29 23:12 . 2009-04-29 23:12 472576 ----a-w- c:\windows\Nvidia Omega Drivers v2.169.21 Uninstall.exe
2009-04-29 22:50 . 2009-04-29 22:50 472576 ----a-w- c:\windows\Nvidia Omega Drivers v1.169.25 Uninstall.exe
2009-04-29 03:26 . 2009-03-11 15:10 -------- d-----w- c:\program files\Winamp
2009-04-15 18:30 . 2009-04-15 18:30 207872 ----a-w- c:\documents and settings\DOOM\Application Data\SystemRequirementsLab\SRLProxy_srl_4.dll
2009-04-15 18:30 . 2009-04-15 18:30 207872 ----a-w- c:\documents and settings\DOOM\Application Data\SystemRequirementsLab\SRLProxy_srl_3.dll
2009-04-15 18:30 . 2009-04-15 18:30 207872 ----a-w- c:\documents and settings\DOOM\Application Data\SystemRequirementsLab\SRLProxy_srl_2.dll
2009-04-15 18:30 . 2009-04-15 18:30 207872 ----a-w- c:\documents and settings\DOOM\Application Data\SystemRequirementsLab\SRLProxy_srl_1.dll
2009-04-09 11:32 . 2009-04-09 11:32 89088 ----a-w- c:\documents and settings\DOOM\Application Data\Desktopicon\eBayShortcuts.exe
2009-04-04 18:03 . 2009-04-04 18:03 152576 ----a-w- c:\documents and settings\DOOM\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-28 09:18 . 2009-03-28 09:18 159 ----a-w- C:\Delme.bat
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-02-24 03:38 . 2008-02-24 03:33 104 --sh--r- c:\windows\system32\B37F7A6319.sys
2009-02-15 18:49 . 2008-02-24 03:33 10856 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[7] 2004-08-04 07:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-04-14 08:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
[-] 2009-06-08 04:02 361344 68F06FE0021B01E670AF37B8C5964FDF c:\windows\system32\dllcache\TCPIP.SYS
[-] 2009-06-08 04:02 361344 68F06FE0021B01E670AF37B8C5964FDF c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-08-18 1447168]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-05-13 67584]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
nCleaner.lnk - c:\program files\nCleaner\nCleaner.exe [2007-7-5 710656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"InternetOpenWith"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 0 (0x0)
"Start_ShowMyMusic"= 1 (0x1)
"Start_ShowMyPics"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast!Antivirus"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" /background
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"OODefragTray"=c:\windows\system32\oodtray.exe
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\slayerasskickery\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\GigaTribe\\gigatribe.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17104:TCP"= 17104:TCP:BitComet 17104 TCP
"17104:UDP"= 17104:UDP:BitComet 17104 UDP
"57762:TCP"= 57762:TCP:Pando Media Booster
"57762:UDP"= 57762:UDP:Pando Media Booster
"3728:TCP"= 3728:TCP:Gigatribe

R0 SscVF;SscVF;c:\windows\system32\drivers\sscvf.sys [8/30/2008 10:15 PM 70016]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/18/2008 1:27 PM 34312]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware Pro\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware Pro\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [12/21/2007 8:21 AM 468224]
S3 S3chipid;S3chipid;c:\cabs\D00253-002-001\s3chipid.sys [1/23/2003 11:01 AM 3712]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware Pro\SASENUM.SYS [5/26/2009 10:05 AM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - WUAUSERV

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-06-20 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-20 00:53]

2009-06-23 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-07-31 23:16]

2009-06-23 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-07-31 23:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-23 10:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETjrrcwuko]
"imagepath"="\systemroot\system32\drivers\SKYNETxrrkbhrw.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETtuewtuqx]
"imagepath"="\systemroot\system32\drivers\SKYNETnoraptoh.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2800)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\iPod Access for Windows\iPAHelper.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
.
**************************************************************************
.
Completion time: 2009-06-23 10:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-23 17:51

Pre-Run: 10,545,467,392 bytes free
Post-Run: 10,527,346,688 bytes free

337 --- E O F --- 2008-12-11 23:37
d00m
Active Member
 
Posts: 9
Joined: June 21st, 2009, 4:11 pm
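A small triage script for the ComboFix log above, added here as an example (it is not part of the thread and not ComboFix's own code). It reads the Sigcheck block and the Services keys quoted in the log, reports the TCPIP.SYS copies whose MD5 matches none of the service-pack copies ComboFix tagged [7], and lists service keys whose names follow the UAC*/SKYNET* pattern from this infection; the prefix list and the "lowercase random tail" rule are assumptions.

```python
import re
from collections import defaultdict

# Constructed input: the Sigcheck block and the three Services keys as they
# appear in the ComboFix log posted in this thread (trimmed to the relevant lines).
SAMPLE_LOG = r"""
------- Sigcheck -------

[7] 2004-08-04 07:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-04-14 08:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
[-] 2009-06-08 04:02 361344 68F06FE0021B01E670AF37B8C5964FDF c:\windows\system32\dllcache\TCPIP.SYS
[-] 2009-06-08 04:02 361344 68F06FE0021B01E670AF37B8C5964FDF c:\windows\system32\drivers\TCPIP.SYS
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETjrrcwuko]
"imagepath"="\systemroot\system32\drivers\SKYNETxrrkbhrw.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETtuewtuqx]
"imagepath"="\systemroot\system32\drivers\SKYNETnoraptoh.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
"""

# One Sigcheck line: [tag] date time size MD5 path.  In this log the service-pack
# copies carry [7]; the live copies whose hash ComboFix could not match carry [-].
SIGCHECK_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+\S+\s+\S+\s+(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>.+?)\s*$")
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]$", re.IGNORECASE)
IMAGEPATH_RE = re.compile(r'^"imagepath"="(?P<path>[^"]*)"$', re.IGNORECASE)

# Prefixes seen in this infection (UAC* files/driver, SKYNET* services).  Assumption:
# such a prefix followed by a run of lowercase letters is a machine-generated name.
RANDOM_NAME_RE = re.compile(r"^(UAC|SKYNET)[a-z]{6,}$")


def basename(path):
    """Last component of a Windows path, case preserved."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_sigcheck(log):
    """Return (tag, size, md5, path) for every Sigcheck line in the excerpt."""
    entries = []
    for line in log.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append((m["tag"], int(m["size"]), m["md5"].upper(), m["path"]))
    return entries


def hash_outliers(entries):
    """Copies whose MD5 matches none of the [7]-tagged copies of the same file name.

    Returns {lower-case file name: sorted list of divergent paths}.
    """
    reference = defaultdict(set)
    for tag, _size, md5, path in entries:
        if tag == "7":
            reference[basename(path).lower()].add(md5)
    outliers = defaultdict(list)
    for tag, _size, md5, path in entries:
        name = basename(path).lower()
        if tag != "7" and md5 not in reference[name]:
            outliers[name].append(path)
    return {name: sorted(paths) for name, paths in outliers.items()}


def parse_services(log):
    """Pair each Services\\<name> key with the ImagePath value that follows it."""
    services, current = {}, None
    for line in log.splitlines():
        line = line.strip()
        key = SERVICE_KEY_RE.match(line)
        if key:
            current = key["name"]
            services.setdefault(current, None)
            continue
        value = IMAGEPATH_RE.match(line)
        if value and current:
            services[current] = value["path"]
            current = None
    return services


def suspicious_services(services):
    """Services whose key name or driver file stem matches the random-name pattern."""
    hits = []
    for name, image in services.items():
        stem = basename(image or "").rsplit(".", 1)[0]
        if RANDOM_NAME_RE.match(name) or RANDOM_NAME_RE.match(stem):
            hits.append((name, image))
    return sorted(hits)


def triage(log):
    """Run both checks over a log excerpt and return the findings."""
    return {
        "hash_outliers": hash_outliers(parse_sigcheck(log)),
        "suspicious_services": suspicious_services(parse_services(log)),
    }


if __name__ == "__main__":
    for section, findings in triage(SAMPLE_LOG).items():
        print(section)
        items = findings.items() if isinstance(findings, dict) else findings
        for item in items:
            print("   ", item)
```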

Re: rootkit.agent and desktop hijacker remedy

Unread postby Axephilic » June 23rd, 2009, 2:39 pm

Hello,

Run ComboFix
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Image


Now close all open windows and programs, including all antivirus and anti-malware programs, so they do not interfere with the running of ComboFix.

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.

    Image

  • When the tool is finished, it will produce a report for you. Just ignore this log, I won't be needing it.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
c:\windows\system32\Copy of uacinit.dll
c:\windows\system32\Copy of UAClqlsldnlesrbcco.dll
c:\windows\system32\drivers\UACebtkdbfqfhvudal.sys
Folder::
c:\program files\DAEMON Tools Toolbar
c:\program files\BitComet
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17104:TCP"=-
"17104:UDP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c8fdccc-44d4-11de-b42e-0040caa86c47}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff47946d-0a77-11dd-b3d5-80a131e99319}]
Driver::
UACebtkdbfqfhvudal


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: rootkit.agent and desktop hijacker remedy

Unread postby d00m » June 24th, 2009, 11:38 am

Ok. I ran Combofix with the Windows Bootdisk and now have the Recovery Console.
During that first scan it detected a rootkit called "Skynet"; it was installed in my system32 and system32/drivers. I do believe, however, that they were deleted.
Here is my LOG file from the second scan with the "CFScript.txt"

ComboFix 09-06-23.01 - DOOM 06/24/2009 8:27.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.1127 [GMT -7:00]
Running from: c:\documents and settings\DOOM\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\DOOM\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FILE ::
"c:\windows\system32\Copy of uacinit.dll"
"c:\windows\system32\Copy of UAClqlsldnlesrbcco.dll"
"c:\windows\system32\drivers\UACebtkdbfqfhvudal.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\BitComet
c:\program files\DAEMON Tools Toolbar
c:\program files\BitComet\archive\02d876a513197f6b4a177998767800c180087006.torrent
c:\program files\BitComet\archive\166c417fa634acec332c180d8fbde735ab470caf.torrent
c:\program files\BitComet\archive\356130c17ff8af07760edf01bdba51b3c332ba94.torrent
c:\program files\BitComet\archive\3b99623ed982c1e25f11481fdd97868d5639e283.torrent
c:\program files\BitComet\archive\615bd6391f3edb9d9423f7a6cdb7b0db5a772eb6.torrent
c:\program files\BitComet\archive\93e91e2d3d41cc3f44338a7564a09b031b5b1a50.torrent
c:\program files\BitComet\archive\b0a368f8445fe2a4e87b29febc1fcdc577393cc4.torrent
c:\program files\BitComet\archive\d6628dc0bbab188f43b3bc6b026a7e5d602bf09f.torrent
c:\program files\BitComet\archive\e6ab4e34199d60df1bad2f779c97f3d05620e17e.torrent
c:\program files\BitComet\archive\ee4d7fe3c1f4b16f1ffa290fcafd3f7435f518af.torrent
c:\program files\BitComet\BitComet.xml
c:\program files\BitComet\Downloads.xml
c:\program files\BitComet\Downloads.xml.bak
c:\program files\BitComet\rules\dhtnodes.dat
c:\program files\BitComet\share\my_shares.xml
c:\program files\BitComet\torrents\Adobe.Audition.v3.WinAll.Cracked-NoPE.torrent
c:\program files\BitComet\torrents\Call of Duty 4 Modern Warfare Full-Rip Skullptura.torrent
c:\program files\BitComet\torrents\Candlemass - Death Magic Doom (2009) [www.heavytorrents.org].torrent
c:\program files\BitComet\torrents\Guitar Pro 5.2 + RSE + Over 120.000 Tabs.rar.torrent
c:\program files\BitComet\torrents\Ice_Diablo.torrent
c:\program files\BitComet\torrents\ImageLine Fruity Loops XXL v6.04.torrent
c:\program files\BitComet\torrents\Propellerheads.Reason.v4.0.HYBRID.DVDR-AiRISO.torrent
c:\program files\BitComet\torrents\Radiohead Discography @ 320Kbps.torrent
c:\program files\BitComet\torrents\Radiohead Discography @ 320Kbps[0].torrent
c:\program files\BitComet\torrents\The Doors - Studio Discography.torrent
c:\program files\DAEMON Tools Toolbar\_DTLite.xml
c:\windows\system32\Copy of uacinit.dll
c:\windows\system32\Copy of UAClqlsldnlesrbcco.dll
c:\windows\system32\drivers\UACebtkdbfqfhvudal.sys
c:\windows\system32\w32apiw.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-06-23 17:47 . 2009-06-23 17:47 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-23 03:40 . 2009-06-23 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-06-23 02:57 . 2009-06-23 02:59 -------- d-----w- C:\rsit
2009-06-21 20:22 . 2009-06-23 02:59 -------- d-----w- c:\program files\Trend Micro
2009-06-21 17:22 . 2009-06-21 17:22 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-06-21 17:15 . 2009-06-21 17:15 -------- d-----w- c:\windows\ERUNT
2009-06-21 17:13 . 2009-06-21 17:37 -------- d-----w- C:\SDFix
2009-06-16 04:17 . 2006-10-12 16:29 83504 ----a-w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\TEMP\ProgUpd.dll
2009-06-13 19:31 . 2009-06-13 19:31 -------- d-----w- C:\MRI_Updates
2009-06-12 23:34 . 2009-06-12 23:34 -------- d-----w- c:\documents and settings\DOOM\Application Data\Desktopicon
2009-06-12 23:34 . 2009-06-12 23:44 -------- d-----w- c:\program files\Unlocker
2009-06-10 16:17 . 2009-06-16 02:22 -------- d-----w- c:\documents and settings\DOOM\Application Data\FileZilla
2009-06-10 16:16 . 2009-06-10 16:16 -------- d-----w- c:\program files\FileZilla FTP Client
2009-06-09 22:32 . 2009-06-09 22:32 -------- d-----w- c:\documents and settings\DOOM\Local Settings\Application Data\ChemTable Software
2009-06-09 22:32 . 2009-06-09 22:32 -------- d-----w- c:\documents and settings\DOOM\Application Data\ChemTable Software
2009-06-09 22:32 . 2009-06-09 22:32 -------- d-----w- c:\program files\Reg Organizer
2009-06-09 22:09 . 2009-06-09 22:09 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-06-09 22:09 . 2009-06-09 22:09 -------- d-----w- c:\program files\Service+
2009-06-09 04:47 . 2009-06-24 15:27 -------- d-----w- c:\windows\system32\CatRoot2
2009-06-08 05:03 . 2009-06-21 18:47 117760 ----a-w- c:\documents and settings\DOOM\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-08 05:02 . 2009-06-08 05:02 -------- d-----w- c:\documents and settings\DOOM\Application Data\SUPERAntiSpyware.com
2009-06-08 04:44 . 2009-06-08 04:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-08 04:44 . 2009-06-21 18:47 -------- d-----w- c:\program files\SUPERAntiSpyware Pro
2009-06-08 04:35 . 2005-10-20 17:30 32768 ----a-w- c:\windows\system32\ServiceRepair.exe
2009-06-08 04:35 . 2004-04-25 21:39 53248 ----a-w- c:\windows\system32\SSubTmr6.dll
2009-06-08 04:35 . 2003-08-05 22:38 492 ----a-w- c:\windows\system32\outfix.reg
2009-06-08 04:35 . 2009-06-19 13:30 -------- d-----w- c:\program files\XP Smoker Pro
2009-06-08 04:34 . 2009-06-08 04:34 -------- d-----w- c:\program files\nCleaner
2009-06-08 04:26 . 2009-06-13 23:01 -------- d-----w- c:\program files\UltimateDefrag2008
2009-06-08 04:02 . 2009-06-08 04:02 361344 -c--a-w- c:\windows\system32\dllcache\TCPIP.SYS
2009-06-08 04:01 . 2008-03-06 17:02 3002 ----a-w- c:\windows\zone_correction.reg
2009-06-08 04:01 . 2007-10-18 16:05 300 ----a-w- c:\windows\totals.reg
2009-06-08 04:01 . 2007-10-18 16:04 9422664 ----a-w- c:\windows\ie-ads.reg
2009-06-08 04:01 . 2006-03-13 16:41 674 ----a-w- c:\windows\ie-ads-uninst.reg
2009-06-08 03:53 . 2008-02-21 04:08 0 ----a-w- c:\documents and settings\DOOM\Application Data\WinPatrol\Config.sys
2009-06-08 03:53 . 2009-06-08 03:53 -------- d-----w- c:\documents and settings\DOOM\Application Data\WinPatrol
2009-06-08 03:53 . 2008-02-21 04:08 0 ----a-w- c:\documents and settings\DOOM\Application Data\WinPatrol\Autoexec.bat
2009-06-08 03:53 . 2009-06-09 23:13 -------- d-----w- c:\program files\WinPatrol
2009-06-08 03:35 . 2009-06-08 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Geek Squad
2009-06-08 02:18 . 2009-06-08 02:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-06-05 20:51 . 2009-06-05 20:51 -------- d-----w- c:\documents and settings\DOOM\Application Data\Move Networks
2009-06-05 20:51 . 2009-02-12 18:41 973312 ----a-w- c:\documents and settings\DOOM\Application Data\Mozilla\Firefox\Profiles\5mt9mos1.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
2009-05-31 06:54 . 2009-05-31 06:54 -------- d-----w- c:\program files\AVG
2009-05-31 05:39 . 2009-05-31 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-19 13:14 . 2008-02-22 04:56 -------- d-----w- c:\program files\Modem Assistant
2009-06-19 13:09 . 2008-11-03 06:04 -------- d-----w- c:\program files\Guitar Pro 5
2009-06-18 07:03 . 2008-12-05 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-18 06:56 . 2008-12-03 23:16 -------- d-----w- c:\program files\AIM6
2009-06-17 01:30 . 2008-03-19 06:24 26 ----a-w- c:\windows\popcinfo.dat
2009-06-16 15:55 . 2008-02-24 03:25 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-13 23:47 . 2008-02-24 03:32 -------- d-----w- c:\program files\DivX
2009-06-13 23:46 . 2009-03-23 03:14 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-13 21:09 . 2009-05-11 18:37 -------- d-----w- c:\program files\TabIt
2009-06-13 21:08 . 2008-03-11 06:17 -------- d-----w- c:\program files\iPod Access for Windows
2009-06-13 20:40 . 2001-08-23 12:00 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-12 18:42 . 2009-04-29 22:28 -------- d-----w- c:\program files\DriverCleanerDotNET
2009-06-12 18:42 . 2009-04-21 02:29 -------- d-----w- c:\program files\Teamspeak2_RC2
2009-06-12 18:42 . 2009-02-15 18:47 -------- d-----w- c:\program files\Microsoft GIF Animator
2009-06-12 18:42 . 2008-12-06 20:07 -------- d-----w- c:\program files\Autokick
2009-06-12 18:42 . 2009-02-23 05:17 -------- d-----w- c:\program files\Dvd-cloner
2009-06-12 05:18 . 2008-12-04 23:14 -------- d-----w- c:\program files\XoftSpySE
2009-06-12 04:48 . 2008-12-20 20:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-11 21:29 . 2008-12-20 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-09 02:29 . 2008-12-03 21:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\temp
2009-06-08 05:01 . 2008-02-21 15:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-08 04:02 . 2009-06-08 04:02 361344 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-06-08 04:02 . 2001-08-23 12:00 361344 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
2009-06-07 05:11 . 2008-12-04 23:28 -------- d-----w- c:\documents and settings\DOOM\Application Data\Xfire
2009-06-05 04:36 . 2008-12-04 23:28 -------- d-----w- c:\program files\Xfire
2009-05-27 03:15 . 2008-12-08 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek
2009-05-21 22:51 . 2009-05-21 22:51 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-05-05 02:34 . 2009-05-05 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-05-05 02:34 . 2009-05-05 02:34 -------- d-----w- c:\program files\WildGames
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-04-29 23:41 . 2009-02-05 22:56 8 ----a-w- c:\windows\system32\nvModes.dat
2009-04-29 23:40 . 2009-04-29 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-04-29 23:36 . 2009-04-29 23:35 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-04-29 23:36 . 2009-04-29 23:36 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-04-29 23:36 . 2009-02-02 15:31 -------- d-----w- c:\program files\SystemRequirementsLab
2009-04-29 23:35 . 2009-02-02 15:31 -------- d-----w- c:\documents and settings\DOOM\Application Data\SystemRequirementsLab
2009-04-29 23:35 . 2009-04-29 23:35 290816 ----a-w- c:\documents and settings\DOOM\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-04-29 23:35 . 2009-04-29 23:35 290816 ----a-w- c:\documents and settings\DOOM\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-04-29 23:35 . 2009-04-29 23:35 290816 ----a-w- c:\documents and settings\DOOM\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-04-29 23:35 . 2009-04-29 23:35 290816 ----a-w- c:\documents and settings\DOOM\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-04-29 23:12 . 2009-04-29 23:12 472576 ----a-w- c:\windows\Nvidia Omega Drivers v2.169.21 Uninstall.exe
2009-04-29 22:50 . 2009-04-29 22:50 472576 ----a-w- c:\windows\Nvidia Omega Drivers v1.169.25 Uninstall.exe
2009-04-29 03:26 . 2009-03-11 15:10 -------- d-----w- c:\program files\Winamp
2009-04-15 18:30 . 2009-04-15 18:30 207872 ----a-w- c:\documents and settings\DOOM\Application Data\SystemRequirementsLab\SRLProxy_srl_4.dll
2009-04-15 18:30 . 2009-04-15 18:30 207872 ----a-w- c:\documents and settings\DOOM\Application Data\SystemRequirementsLab\SRLProxy_srl_3.dll
2009-04-15 18:30 . 2009-04-15 18:30 207872 ----a-w- c:\documents and settings\DOOM\Application Data\SystemRequirementsLab\SRLProxy_srl_2.dll
2009-04-15 18:30 . 2009-04-15 18:30 207872 ----a-w- c:\documents and settings\DOOM\Application Data\SystemRequirementsLab\SRLProxy_srl_1.dll
2009-04-09 11:32 . 2009-04-09 11:32 89088 ----a-w- c:\documents and settings\DOOM\Application Data\Desktopicon\eBayShortcuts.exe
2009-04-04 18:03 . 2009-04-04 18:03 152576 ----a-w- c:\documents and settings\DOOM\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-28 09:18 . 2009-03-28 09:18 159 ----a-w- C:\Delme.bat
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-02-24 03:38 . 2008-02-24 03:33 104 --sh--r- c:\windows\system32\B37F7A6319.sys
2009-02-15 18:49 . 2008-02-24 03:33 10856 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[7] 2004-08-04 07:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-04-14 08:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
[-] 2009-06-08 04:02 361344 68F06FE0021B01E670AF37B8C5964FDF c:\windows\system32\dllcache\TCPIP.SYS
[-] 2009-06-08 04:02 361344 68F06FE0021B01E670AF37B8C5964FDF c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( SnapShot@2009-06-23_17.45.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-23 17:47 . 2008-10-16 22:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-23 17:47 . 2008-04-14 13:42 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-23 17:47 . 2008-04-14 13:42 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-23 17:47 . 2008-04-14 13:42 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-23 17:47 . 2008-04-14 13:42 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-23 17:47 . 2008-04-14 13:42 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-23 17:47 . 2008-04-14 13:42 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-23 17:47 . 2008-04-14 08:09 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-23 17:47 . 2008-04-14 08:23 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-23 17:47 . 2008-04-14 13:42 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2009-06-23 17:47 . 2008-04-14 13:42 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-23 17:47 . 2008-10-16 20:38 826368 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-23 17:47 . 2008-04-14 13:42 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-23 17:47 . 2008-04-14 13:42 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-23 17:47 . 2008-04-14 13:42 108544 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-23 17:47 . 2009-06-13 20:40 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-23 17:47 . 2008-04-14 13:41 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-23 17:47 . 2008-04-14 13:41 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-23 17:47 . 2008-04-14 13:41 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2009-06-23 17:47 . 2008-04-14 13:42 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-23 17:47 . 2008-08-14 10:11 2189184 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-23 17:47 . 2008-08-14 09:33 2066048 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-23 17:47 . 2008-04-14 13:42 1033728 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-08-18 1447168]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-05-13 67584]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
nCleaner.lnk - c:\program files\nCleaner\nCleaner.exe [2007-7-5 710656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"InternetOpenWith"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 0 (0x0)
"Start_ShowMyMusic"= 1 (0x1)
"Start_ShowMyPics"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast!Antivirus"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" /background
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"OODefragTray"=c:\windows\system32\oodtray.exe
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\slayerasskickery\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\GigaTribe\\gigatribe.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57762:TCP"= 57762:TCP:Pando Media Booster
"57762:UDP"= 57762:UDP:Pando Media Booster
"3728:TCP"= 3728:TCP:Gigatribe

R0 SscVF;SscVF;c:\windows\system32\drivers\sscvf.sys [8/30/2008 10:15 PM 70016]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/18/2008 1:27 PM 34312]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware Pro\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware Pro\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [12/21/2007 8:21 AM 468224]
S3 S3chipid;S3chipid;c:\cabs\D00253-002-001\s3chipid.sys [1/23/2003 11:01 AM 3712]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware Pro\SASENUM.SYS [5/26/2009 10:05 AM 7408]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-06-20 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-20 00:53]

2009-06-24 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-07-31 23:16]

2009-06-23 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-07-31 23:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 08:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"=
.
Completion time: 2009-06-24 8:34
ComboFix-quarantined-files.txt 2009-06-24 15:34
ComboFix2.txt 2009-06-24 15:25
ComboFix3.txt 2009-06-23 17:51

Pre-Run: 10,501,165,056 bytes free
Post-Run: 10,487,975,936 bytes free

296 --- E O F --- 2008-12-11 23:37
d00m
Active Member
 
Posts: 9
Joined: June 21st, 2009, 4:11 pm
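The Sigcheck section of the ComboFix log above lists two copies of TCPIP.SYS (the in-use driver in system32\drivers and the Windows File Protection copy in system32\dllcache) whose MD5 differs from the copy in ServicePackFiles\i386, which the log marks with [-]; the older copy in $NtServicePackUninstall$ differs too, but legitimately, because it is the pre-service-pack version. The following is an added example for this thread, not ComboFix's own code, that re-derives that verdict from the log lines: it parses Sigcheck lines (the four from the post, embedded as sample input), treats the ServicePackFiles copy as the trusted reference, ignores the uninstall archive, and reports live copies whose hash differs. Treating ServicePackFiles as the reference is an assumption; md5_file is there for re-checking files on a real disk.

```python
"""Re-derive ComboFix's Sigcheck verdict for tcpip.sys from the log lines.

Added example for this thread; it is not ComboFix's own code. The sample
lines below are copied from the Sigcheck section of the post above; the
choice of ServicePackFiles as the trusted reference is an assumption.
"""
import hashlib
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sample input: the four Sigcheck lines from the ComboFix log in this thread.
SIGCHECK_SAMPLE = """\
[7] 2004-08-04 07:14 359040 9F4B36614A0FC234525BA224957DE55C c:\\windows\\$NtServicePackUninstall$\\tcpip.sys
[7] 2008-04-14 08:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\\windows\\ServicePackFiles\\i386\\TCPIP.SYS
[-] 2009-06-08 04:02 361344 68F06FE0021B01E670AF37B8C5964FDF c:\\windows\\system32\\dllcache\\TCPIP.SYS
[-] 2009-06-08 04:02 361344 68F06FE0021B01E670AF37B8C5964FDF c:\\windows\\system32\\drivers\\TCPIP.SYS
"""

# One Sigcheck line: flag, date, time, size, MD5, path
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>.+?)\s*$"
)

# Folder holding the copy that matches the installed service pack (assumed to
# be the reference), and folders holding older versions that legitimately
# differ and must not be counted as mismatches.
REFERENCE_DIRS = {"servicepackfiles"}
ARCHIVE_DIRS = {"$ntservicepackuninstall$"}


def _dirs(path):
    """Lower-cased set of the directory components of a Windows path."""
    return {p.lower() for p in PureWindowsPath(path).parts[:-1]}


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; lines in any other format are ignored."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["size"] = int(row["size"])
        row["md5"] = row["md5"].upper()
        row["name"] = PureWindowsPath(row["path"]).name.lower()
        rows.append(row)
    return rows


def find_mismatches(rows):
    """Map file name -> (reference MD5, [live paths whose MD5 differs]).

    'Live' means neither the reference folder nor an archive folder, so a hit
    on system32\\drivers is the driver actually loaded and a hit on
    system32\\dllcache is the copy Windows File Protection would restore from.
    """
    by_name = defaultdict(list)
    for r in rows:
        by_name[r["name"]].append(r)
    report = {}
    for name, group in by_name.items():
        refs = [r for r in group if _dirs(r["path"]) & REFERENCE_DIRS]
        if not refs:
            continue  # nothing trusted to compare against
        ref_md5 = refs[0]["md5"]
        bad = [
            r["path"]
            for r in group
            if not _dirs(r["path"]) & (REFERENCE_DIRS | ARCHIVE_DIRS)
            and r["md5"] != ref_md5
        ]
        if bad:
            report[name] = (ref_md5, bad)
    return report


def md5_hex(data):
    """Upper-case MD5 of a byte string, in the form ComboFix prints."""
    return hashlib.md5(data).hexdigest().upper()


def md5_file(path, chunk=1 << 20):
    """MD5 of a file on disk, for re-checking a live system against the log."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


if __name__ == "__main__":
    for name, (ref, paths) in find_mismatches(parse_sigcheck(SIGCHECK_SAMPLE)).items():
        print(f"{name}: reference {ref}")
        for p in paths:
            print(f"  differs: {p}")
```

Because the dllcache copy carries the same foreign hash as the live driver, sfc /scannow would not have put the service-pack version back; that is the practical reason the dllcache line matters. The Find3M section also shows a TCPIP.SYS.ORIGINAL written at the same minute as the modified driver, so hashing that file with md5_file and comparing it to the ServicePackFiles value is the obvious next check before deciding what replaced the driver.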

Re: rootkit.agent and desktop hijacker remedy

Unread postby Axephilic » June 24th, 2009, 1:46 pm

Hi there,

Looking good, it looks like ComboFix took out most of it.

Run GMER
Please download gmer.zip from Gmer and save it to your desktop.

  1. Right click on gmer.zip and select Extract All....
  2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  3. Click on the Browse button. Click on Desktop. Then click OK.
  4. Click Next. It will start extracting.
  5. Once done, check (tick) the Show extracted files box and click Finish.
  6. Double click on gmer.exe to run it.
  7. Select the Rootkit tab.
  8. On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  9. Select all drives that are connected to your system to be scanned.
  10. Click on the Scan button.
  11. When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  12. Open Notepad or a similar text editor.
  13. Paste the clipboard contents into the text editor.
  14. Save the Gmer scan log and post it in your next reply.
  15. Close Gmer.
  16. Open Command Prompt by going to Start > Run and type in cmd. Press Enter.
  17. In Command Prompt, type in net stop gmer. Press Enter.
  18. Type in exit to close Command Prompt.

Note: Do not run any programs while Gmer is running.

Eset Online Scanner

Please go to Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.

  1. Check (tick) this box: YES, I accept the Terms of Use.
  2. Click on the Start button next to it.
  3. When prompted to run ActiveX, click Yes.
  4. You will be asked to install an ActiveX. Click Install.
  5. Once installed, the scanner will be initialized.
  6. After the scanner is initialized, click Start.
  7. Uncheck (untick) Remove found threats box.
  8. Check (tick) Scan unwanted applications.
  9. Click on Scan.
  10. It will start scanning. Please be patient.
  11. Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.

In your next reply, please include:
  1. GMER log
  2. ESET log
  3. A new HijackThis log

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US
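The GMER procedure above produces a log whose System, Kernel IAT/EAT, Devices and Registry sections have to be read together: an SSDT or IAT hook line names the module that installed the hook, the Devices section shows which \Driver\ objects that module serves, and a Services\<name>\Cfg@p0 registry line shows where that driver's owner is installed. A hooking module that can be traced that way to a disc-emulation driver (GMER routinely reports the SPTD driver that DAEMON Tools installs as a set of SSDT and IAT hooks) is accounted for; a hooking module with no device object and no service is the one to chase. The following is an added example for this thread, not GMER's own code, that does that cross-referencing over constructed sample lines in GMER 1.0.15's format; the unknown1.sys line is invented purely to show what an unattributed hook looks like in the result.

```python
"""Attribute the SSDT/IAT hooks in a GMER log to the driver that installed them.

Added example for this thread; it is not GMER's code. GMER_SAMPLE is
constructed in GMER 1.0.15's line format (the spbg.sys/sptd lines mirror what
a DAEMON Tools install looks like); the 'unknown1.sys' line is invented to
show what an unattributed hook looks like in the output.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

GMER_SAMPLE = r"""
---- System - GMER 1.0.15 ----

SSDT spbg.sys ZwCreateKey [0xBA6A80E0]
SSDT spbg.sys ZwEnumerateKey [0xBA6C6CA2]
SSDT spbg.sys ZwOpenKey [0xBA6A80C0]
SSDT spbg.sys ZwQueryValueKey [0xBA6C6F88]
SSDT spbg.sys ZwSetValueKey [0xBA6C719A]
SSDT unknown1.sys ZwQueryDirectoryFile [0xBA700000]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spbg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spbg.sys
IAT \SystemRoot\System32\Drivers\a18pt08n.SYS[HAL.dll!KfAcquireSpinLock] C0840CEC
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B9048] spbg.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89A6B1F8
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
Device \Driver\PCI_PNP8356 \Device\00000050 spbg.sys
Device \Driver\sptd \Device\1854127106 spbg.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
"""

# SSDT <module> <function> [0xADDR]
SSDT_RE = re.compile(r"^SSDT\s+(?P<mod>\S+)\s+(?P<func>\S+)\s+\[0x[0-9A-Fa-f]+\]")
# IAT <target>[<import>] [ADDR] <module>; lines without a bracketed address
# (GMER's raw-value readings, as for a18pt08n.SYS) deliberately do not match.
IAT_RE = re.compile(r"^IAT\s+(?P<target>\S+?)\[(?P<imp>[^\]]+)\]\s+\[[0-9A-Fa-f]+\]\s+(?P<mod>\S+)")
# Device/AttachedDevice \Driver\<name> <object> <module-or-address>
DEV_RE = re.compile(r"^(?:Attached)?Device\s+\\(?:Driver|FileSystem)\\(?P<drv>[^\s\\]+)\s+\S+\s+(?P<last>\S+)")
# Reg HKLM\SYSTEM\...\Services\<svc>\...@p0 <install path>
REG_RE = re.compile(r"^Reg\s+HKLM\\SYSTEM\\\S*?Services\\(?P<svc>[^\\]+)\\\S*@p0\s+(?P<path>.+?)\s*$")


def _base(name):
    """File name of a module, lower-cased, whether GMER printed a path or not."""
    return PureWindowsPath(name).name.lower()


def attribute_hooks(text):
    """Return {hooking module: {ssdt, iat, drivers, install_paths}}."""
    hooks = defaultdict(lambda: {"ssdt": [], "iat": [], "drivers": [], "install_paths": []})
    owners = defaultdict(set)   # module image -> \Driver\<name> objects it serves
    svc_paths = {}              # service name -> @p0 path from its Cfg key
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            hooks[_base(m["mod"])]["ssdt"].append(m["func"])
            continue
        m = IAT_RE.match(line)
        if m:
            hooks[_base(m["mod"])]["iat"].append((_base(m["target"]), m["imp"]))
            continue
        m = DEV_RE.match(line)
        if m and m["last"].lower().endswith(".sys"):
            owners[_base(m["last"])].add(m["drv"])
            continue
        m = REG_RE.match(line)
        if m:
            svc_paths[m["svc"].lower()] = m["path"]
    for mod, info in hooks.items():
        info["drivers"] = sorted(owners.get(mod, ()))
        info["install_paths"] = [svc_paths[d.lower()] for d in info["drivers"] if d.lower() in svc_paths]
    return dict(hooks)


def unattributed(report):
    """Hooking modules that own no device object: the ones to investigate first."""
    return sorted(mod for mod, info in report.items() if not info["drivers"])


if __name__ == "__main__":
    result = attribute_hooks(GMER_SAMPLE)
    for mod, info in result.items():
        print(mod, "SSDT:", info["ssdt"], "drivers:", info["drivers"], "paths:", info["install_paths"])
    print("unattributed:", unattributed(result))
```

Attribution only says who installed a hook, not that it is harmless: a module that serves a \Driver\ object is still worth looking up, but one that hooks registry or directory enumeration calls and owns nothing is the pattern a rootkit leaves, and that module's file should be the first thing pulled for a hash check.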

Re: rootkit.agent and desktop hijacker remedy

Unread postby d00m » June 24th, 2009, 3:21 pm

Ok, I ran GMER exactly as you said, but when I opened up Command Prompt to use the net stop command
I got an error that said:
"System Error 1060 Occurred.
The specified service does not exist as an installed service."
Here is the GMER log.



GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-24 11:28:48
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT spbg.sys ZwCreateKey [0xBA6A80E0]
SSDT spbg.sys ZwEnumerateKey [0xBA6C6CA2]
SSDT spbg.sys ZwEnumerateValueKey [0xBA6C7030]
SSDT spbg.sys ZwOpenKey [0xBA6A80C0]
SSDT spbg.sys ZwQueryKey [0xBA6C7108]
SSDT spbg.sys ZwQueryValueKey [0xBA6C6F88]
SSDT spbg.sys ZwSetValueKey [0xBA6C719A]

INT 0x62 ? 89A6CBF8
INT 0x82 ? 89A6CBF8
INT 0x83 ? 89A6CBF8
INT 0xB4 ? 898D0BF8
INT 0xB4 ? 898D0BF8
INT 0xB4 ? 898D0BF8
INT 0xB4 ? 898D0BF8
INT 0xB4 ? 898D0BF8
INT 0xB4 ? 898D0BF8

Code \??\C:\DOCUME~1\DOOM\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? spbg.sys The system cannot find the file specified. !
? Combo-Fix.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B95828AC 5 Bytes JMP 898D01D8
.text a18pt08n.SYS B9416386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text a18pt08n.SYS B94163AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a18pt08n.SYS B94163C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text a18pt08n.SYS B94163C9 1 Byte [2E]
.text a18pt08n.SYS B94163C9 11 Bytes [2E, 00, 00, 00, 5A, 02, 00, ...]
.text ...
? C:\DOCUME~1\DOOM\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1140] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 00]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spbg.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spbg.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spbg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spbg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spbg.sys
IAT \SystemRoot\System32\Drivers\a18pt08n.SYS[HAL.dll!KfAcquireSpinLock] C0840CEC
IAT \SystemRoot\System32\Drivers\a18pt08n.SYS[HAL.dll!READ_PORT_UCHAR] 053C0D74
IAT \SystemRoot\System32\Drivers\a18pt08n.SYS[HAL.dll!KeGetCurrentIrql] 57B80974
IAT \SystemRoot\System32\Drivers\a18pt08n.SYS[HAL.dll!KfRaiseIrql] 8B000000
IAT \SystemRoot\System32\Drivers\a18pt08n.SYS[HAL.dll!KfLowerIrql] 56C35DE5
IAT \SystemRoot\System32\Drivers\a18pt08n.SYS[HAL.dll!HalGetInterruptVector] 8D08758B
IAT \SystemRoot\System32\Drivers\a18pt08n.SYS[HAL.dll!HalTranslateBusAddress] 8D51FC4D
IAT \SystemRoot\System32\Drivers\a18pt08n.SYS[HAL.dll!KeStallExecutionProcessor] 8D52FD55
IAT \SystemRoot\System32\Drivers\a18pt08n.SYS[HAL.dll!KfReleaseSpinLock] 8D51FE4D
IAT \SystemRoot\System32\Drivers\a18pt08n.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 8D52FF55
IAT \SystemRoot\System32\Drivers\a18pt08n.SYS[HAL.dll!READ_PORT_USHORT] 8D51F84D
IAT \SystemRoot\System32\Drivers\a18pt08n.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 5052F455
IAT \SystemRoot\System32\Drivers\a18pt08n.SYS[HAL.dll!WRITE_PORT_UCHAR] EACAE856
IAT \SystemRoot\System32\Drivers\a18pt08n.SYS[WMILIB.SYS!WmiSystemControl] 0FC08520
IAT \SystemRoot\System32\Drivers\a18pt08n.SYS[WMILIB.SYS!WmiCompleteRequest] 0001B185
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B9048] spbg.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89A6B1F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\PCI_PNP8356 \Device\00000050 spbg.sys
Device \Driver\usbuhci \Device\USBPDO-0 898C21F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89AD91F8
Device \Driver\dmio \Device\DmControl\DmConfig 89AD91F8
Device \Driver\dmio \Device\DmControl\DmPnP 89AD91F8
Device \Driver\dmio \Device\DmControl\DmInfo 89AD91F8
Device \Driver\usbuhci \Device\USBPDO-1 898C21F8
Device \Driver\usbuhci \Device\USBPDO-2 898C21F8
Device \Driver\usbuhci \Device\USBPDO-3 898C21F8
Device \Driver\usbehci \Device\USBPDO-4 898951F8

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

Device \Driver\Ftdisk \Device\HarddiskVolume1 89A6D1F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SscVF.sys (Volume filter driver (5.1 on x86)/SuperSpeed LLC)

Device \Driver\Cdrom \Device\CdRom0 899111F8
Device \Driver\Cdrom \Device\CdRom1 899111F8
Device \Driver\usbstor \Device\00000073 895BB500
Device \Driver\usbstor \Device\00000075 895BB500
Device \Driver\usbstor \Device\00000076 895BB500
Device \Driver\NetBT \Device\NetBt_Wins_Export 89603500
Device \Driver\usbstor \Device\00000077 895BB500
Device \Driver\usbstor \Device\00000078 895BB500
Device \Driver\NetBT \Device\NetbiosSmb 89603500
Device \Driver\NetBT \Device\NetBT_Tcpip_{9084CBAE-20B8-47A8-9D7A-17F1173483D7} 89603500
Device \Driver\usbuhci \Device\USBFDO-0 898C21F8
Device \Driver\usbuhci \Device\USBFDO-1 898C21F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 895F0500
Device \Driver\usbuhci \Device\USBFDO-2 898C21F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 895F0500
Device \Driver\usbuhci \Device\USBFDO-3 898C21F8
Device \Driver\Ftdisk \Device\FtControl 89A6D1F8
Device \Driver\usbehci \Device\USBFDO-4 898951F8
Device \Driver\a18pt08n \Device\Scsi\a18pt08n1 89887500
Device \Driver\a18pt08n \Device\Scsi\a18pt08n1Port4Path0Target0Lun0 89887500
Device \Driver\sptd \Device\1854127106 spbg.sys
Device \FileSystem\Cdfs \Cdfs 89646500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xD5 0x87 0x37 0xE1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB4 0x3E 0x9B 0x18 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDC 0x29 0x5F 0xAD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xD5 0x87 0x37 0xE1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB4 0x3E 0x9B 0x18 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDC 0x29 0x5F 0xAD ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xD5 0x87 0x37 0xE1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB4 0x3E 0x9B 0x18 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x82 0xDA 0x4A 0x09 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION

---- EOF - GMER 1.0.15 ----


And here is the eset online scan LOG.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16762 (vista_gdr.081013-1507)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=bc1fe44c7554c94f95221f463fe5cc06
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-24 07:15:29
# local_time=2009-06-24 12:15:29 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8196 37 100 97 124277812500
# scanned=169776
# found=0
# cleaned=0
# scan_time=2233
# nod_component=v3 Build:0x30000000


And here is the new Hijackthis LOG.

Logfile of HijackThis v1.99.1
Scan saved at 12:21:23 PM, on 6/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: nCleaner.lnk = C:\Program Files\nCleaner\nCleaner.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCo ... taller.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8677731609
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Eset HTTP Server (ehttpsrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
d00m
Active Member
 
Posts: 9
Joined: June 21st, 2009, 4:11 pm

Re: rootkit.agent and desktop hijacker remedy

Unread postby Axephilic » June 24th, 2009, 4:24 pm

Congratulations, you are now all clean! To help to prevent from becoming reinfected, please follow the instructions below in order. If you have any questions, please feel free to ask them. If after 48 hours you have not responded to this, then I will assume you have no questions and have the topic closed.

First, let's uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

You may now also delete any other tools we used.

Flush the system restore points

  1. Right click on My Computer and select Properties.
  2. Select the System Restore tab.
  3. Check (tick) Turn off system restore on all drives box.
  4. Click Apply.
  5. Uncheck (untick) Turn off system restore on all drives box.
  6. Click OK.
  7. Restart your computer.
Note: Do this only ONCE, don't flush it regularly.

Keep your system updated

Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows and Office

Go to Start > All Programs > Microsoft Update


Alternatively, you can visit the link below to update Windows and Office products.

Microsoft Update

I also recommend, if it's not already on, to enable Automatic updates. It will notify you whenever there are new updates available. Here's how:

  1. Go to Start > Control Panel > Automatic Updates
  2. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
  3. Select Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
  4. Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Besides Windows, which needs regular updating, antivirus, anti-spyware and firewall programs need regular updates too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Surf safely

Many of the exploits are directed to users of Internet Explorer and Firefox.

Using Firefox with NoScript add-on helps to prevent most exploits from running as NoScript by default disables all scripts on all websites. If you trust the website, you can manually allow it.

If you prefer to use Internet Explorer, here are some settings to change to improve the security of Internet Explorer.

For Internet Explorer 7

Please read this article to configure Internet Explorer 7 properly.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Avoid P2P

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Prevent a re-infection

  1. Winpatrol
    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  2. Hosts File
    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

    Here are some Hosts files:

    MVPS Hosts File
    Bluetack's Hosts File
    Bluetack's Host Manager
    hpHosts

    A tutorial about Hosts File can be found at Malware Removal.

  3. Spybot Search and Destroy
    Spybot Search & Destroy is another program for scanning for spyware and adware. Not only that, it has other preventive options as well. You are strongly encouraged to run a scan at least once per week.

    Spybot Search & Destroy can be downloaded from here.

    If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy tutorial at Bleeping Computer.

    Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs and Malwarebytes RogueNET. This will save you from a lot of trouble. If in doubt, don't ever download it.

  4. SiteHound Toolbar
    SiteHound is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spyware or has questionable content. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.


Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Happy surfing and stay clean!

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US
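The Hosts file item in the post above describes sending listed sites to 127.0.0.1. As an added example (not code from the post or from any of the tools it names), this Python script parses a hosts file and separates ordinary blocking entries from entries that rewrite update or security-vendor domains, the kind of rewrite a HijackThis O1 line would flag; the sample hosts text and the watch-list of protected domains are constructed for the example.

```python
"""Audit a hosts file: keep benign blocking entries apart from entries that
rewrite update or security-vendor domains. Added example for this thread,
not code from the post; the sample hosts text and watch-list are constructed."""
import ipaddress
from collections import Counter
from typing import Dict, List

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed watch-list: domains that should never be rewritten in hosts,
# whatever address they are pointed at (blocking them breaks updates).
PROTECTED_DOMAINS = {"update.microsoft.com", "windowsupdate.microsoft.com",
                     "download.eset.com"}


def classify(addr: str, name: str) -> str:
    """Verdict for a single 'address hostname' pair."""
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        return "malformed"          # not a valid IPv4/IPv6 literal
    if name in PROTECTED_DOMAINS:
        return "suspicious"         # vendor domain blocked or hijacked
    if addr in LOOPBACK:
        return "localhost" if name == "localhost" else "blocked"
    return "redirect"               # real address for a non-protected name


def parse_hosts(text: str) -> List[Dict[str, object]]:
    """One record per hostname; comments and blank lines are skipped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip trailing comment
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        for name in names:
            name = name.lower()
            records.append({"line": lineno, "addr": addr, "name": name,
                            "verdict": classify(addr, name)})
    return records


def summarize(text: str) -> Counter:
    """Count of verdicts, e.g. how many entries look suspicious."""
    return Counter(r["verdict"] for r in parse_hosts(text))


SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1   localhost
127.0.0.1   ads.example.net         # MVPS-style blocking entry
0.0.0.0     tracker.example.org     # same idea, null-route form
203.0.113.5 update.microsoft.com    # vendor domain sent elsewhere
127.0.0.1   download.eset.com       # vendor domain blocked
999.1.1.1   broken.invalid          # not an IP address at all
"""

if __name__ == "__main__":
    for r in parse_hosts(SAMPLE_HOSTS):
        print(f"line {r['line']:>2}: {r['verdict']:<10} {r['addr']:<12} {r['name']}")
```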

Re: rootkit.agent and desktop hijacker remedy

Unread postby d00m » June 24th, 2009, 4:53 pm

Thank you so much.
I do have a question though.
After running all these programs and getting the virus off, for some reason when I tried to access my C:/ from My Computer it would redirect me to My Documents.
And now, when I press any drive letter it prompts me with a "What program would you like to open this with?"
How can I fix that?
d00m
Active Member
 
Posts: 9
Joined: June 21st, 2009, 4:11 pm