
Malware Removal Instructions

No luck after 4 days...need help...might be a rootkit


Re: No luck after 4 days...need help...might be a rootkit

Post by joval43 » April 9th, 2009, 4:45 pm

Still waiting for the fan... May not come until the beginning of next week.
joval43
Active Member
 
Posts: 13
Joined: April 2nd, 2009, 9:50 am

Re: No luck after 4 days...need help...might be a rootkit

Post by joval43 » April 13th, 2009, 5:01 pm

Fan should come tomorrow or the next day. It was shipped out Friday. I'm more than anxious to get it!! I'll be in touch!
joval43
Active Member
 
Posts: 13
Joined: April 2nd, 2009, 9:50 am

Re: No luck after 4 days...need help...might be a rootkit

Post by joval43 » April 16th, 2009, 3:47 pm

Heatsink fan is finally here and installed! I've done my malware removal work and here are the logs. I think you have finally gotten it. I don't have any strange dlls popping up yet in my msconfig startup. If you have gotten this thing out of the system, could you explain what step may have done it and what it was? I saw that the avenger log said no rootkits found so maybe that wasn't what it was? Thank you for your patience. I'll stop talking and let you check the logs....

Combofix Log

ComboFix 09-04-17.01 - Mike 04/16/2009 12:22.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.557 [GMT -6:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\oloxudipo.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.

2009-04-08 11:13 . 2009-04-16 18:09 0 ----a-w c:\windows\Oginul.bin
2009-04-08 11:13 . 2009-04-16 18:09 408 ----a-w c:\windows\Rkuhohaqitejig.dat
2009-04-08 11:13 . 2009-04-08 11:13 -------- d-----w c:\documents and settings\Mike\Local Settings\Application Data\{A16AB6F3-308C-4819-B08D-4A6E54D1147D}
2009-04-07 16:29 . 2009-04-07 16:29 -------- d-----w c:\documents and settings\Mike\Application Data\IObit
2009-04-05 17:22 . 2009-04-05 17:22 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-05 17:22 . 2009-04-05 17:22 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-05 17:10 . 2009-04-05 17:10 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-03 16:46 . 2009-04-03 16:46 -------- d-----w c:\program files\MSXML 4.0
2009-04-03 02:01 . 2009-04-07 21:03 -------- d-----w c:\windows\system32\CatRoot_bak
2009-04-03 02:00 . 2008-06-13 13:10 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-03 01:51 . 2008-05-01 14:30 331776 -c----w c:\windows\system32\dllcache\msadce.dll
2009-04-02 19:50 . 2009-04-02 19:50 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-02 18:55 . 2009-04-02 19:10 250 ----a-w c:\windows\gmer.ini
2009-04-02 16:28 . 2009-04-02 16:28 -------- d-----w c:\windows\RestoreSafeDeleted
2009-04-02 00:06 . 2009-04-03 01:50 -------- d-----w c:\program files\UnHackMe
2009-04-01 20:41 . 2009-04-01 20:41 -------- d-----w c:\program files\LucasArts
2009-04-01 19:55 . 2009-04-01 19:52 49152 ----a-w c:\windows\system32\md5sum.exe
2009-04-01 04:05 . 2009-04-16 18:26 29988 ----a-w c:\windows\system32\BMXStateBkp-{00000000-00000000-0000000E-00001102-00000004-10031102}.rfx
2009-04-01 04:05 . 2009-04-16 18:26 29988 ----a-w c:\windows\system32\BMXState-{00000000-00000000-0000000E-00001102-00000004-10031102}.rfx
2009-04-01 04:05 . 2009-04-16 18:26 29760 ----a-w c:\windows\system32\BMXCtrlState-{00000000-00000000-0000000E-00001102-00000004-10031102}.rfx
2009-04-01 04:05 . 2009-04-16 18:26 29760 ----a-w c:\windows\system32\BMXBkpCtrlState-{00000000-00000000-0000000E-00001102-00000004-10031102}.rfx
2009-04-01 04:05 . 2009-04-16 18:26 292 ----a-w c:\windows\system32\DVCStateBkp-{00000000-00000000-0000000E-00001102-00000004-10031102}.dat
2009-04-01 04:05 . 2009-04-16 18:26 292 ----a-w c:\windows\system32\DVCState-{00000000-00000000-0000000E-00001102-00000004-10031102}.dat
2009-04-01 04:05 . 2009-04-16 18:26 1080 ----a-w c:\windows\system32\settingsbkup.sfm
2009-04-01 04:05 . 2009-04-16 18:26 1080 ----a-w c:\windows\system32\settings.sfm
2009-03-31 18:58 . 2009-03-31 18:58 -------- d-----w c:\documents and settings\Mike\Application Data\Uniblue
2009-03-31 16:49 . 2009-04-01 15:55 -------- d-----w c:\program files\Spyware Terminator
2009-03-29 18:38 . 2009-03-29 18:38 -------- d-----w c:\program files\Trend Micro
2009-03-28 03:10 . 2009-03-30 23:41 -------- d-----w c:\program files\Security Task Manager
2009-03-23 21:00 . 2009-03-23 21:00 -------- d-----w c:\documents and settings\Mike\Application Data\Media Player Classic
2009-03-23 20:57 . 2008-07-30 19:09 38 ----a-w c:\windows\avisplitter.ini
2009-03-23 20:57 . 2009-03-23 20:57 -------- d-----w c:\program files\K-Lite Codec Pack
2009-03-23 17:24 . 2009-03-25 21:03 -------- d-----w c:\program files\FlashGet
2009-03-23 17:13 . 2009-03-23 17:14 -------- d-----w c:\program files\Common Files\DivX Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-08 01:54 . 2007-12-25 20:27 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-05 17:22 . 2005-08-22 01:00 -------- d-----w c:\program files\Java
2009-04-05 17:10 . 2004-08-18 15:04 -------- d-----w c:\program files\Common Files\Adobe
2009-04-03 22:21 . 2005-10-03 00:08 -------- d-----w c:\program files\Microsoft Picture It! PhotoPub
2009-04-03 13:10 . 2009-01-11 16:49 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-02 01:50 . 2008-06-28 16:42 -------- d-----w c:\documents and settings\Mike\Application Data\Talkback
2009-04-02 01:50 . 2007-12-25 15:54 -------- d-----w c:\program files\iTunes
2009-04-01 20:37 . 2007-05-06 02:53 -------- d--h--w c:\documents and settings\Mike\Application Data\Move Networks
2009-04-01 00:40 . 2008-11-30 17:06 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-01 00:40 . 2008-11-30 17:06 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-29 18:05 . 2009-03-29 18:05 0 ----a-w C:\rundll32.txt
2009-03-26 22:49 . 2009-01-11 16:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 22:49 . 2009-01-11 16:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-26 20:01 . 2008-08-20 21:45 -------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2009-03-26 12:16 . 2004-08-18 13:54 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-23 17:14 . 2008-01-08 19:19 -------- d-----w c:\program files\DivX
2009-03-05 00:37 . 2008-12-24 03:31 -------- d-----w c:\documents and settings\Mike\Application Data\U3
2009-03-05 00:36 . 2009-03-05 00:36 -------- d-----w c:\program files\Risk II
2009-02-28 01:38 . 2004-12-04 23:07 55 ----a-w C:\DVDPATH.TXT
2009-02-23 22:52 . 2009-02-22 17:54 -------- d-----w c:\documents and settings\Mike\Application Data\GetRightToGo
2009-02-09 10:19 . 2002-09-25 19:17 1846272 ----a-w c:\windows\system32\win32k.sys
2009-01-29 12:13 . 2008-08-20 21:50 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-27 01:34 . 2009-01-27 01:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-01-27 01:34 . 2009-01-27 01:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-01-27 01:34 . 2009-01-27 01:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-01-27 01:34 . 2009-01-27 01:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-01-27 01:34 . 2009-01-27 01:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-01-27 01:34 . 2009-01-27 01:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-01-24 19:37 . 2008-07-02 17:40 34 ----a-w c:\documents and settings\Mike\jagex_runescape_preferences.dat
2008-10-16 21:41 . 2004-10-23 01:50 281888 ----a-w c:\documents and settings\Mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-01-13 13:27 . 2008-01-13 13:27 276808 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-09-28 16:27 . 2005-09-28 16:27 127 ----a-w c:\documents and settings\Mike\Local Settings\Application Data\fusioncache.dat
2004-08-30 13:21 . 2004-08-30 13:21 0 -c-ha-w c:\documents and settings\Mike\hpothb07.dat
2007-10-05 13:56 . 2007-10-04 13:40 81 --sh--r c:\windows\ICSET.BIN
2007-11-29 00:20 . 2007-11-29 00:19 24 -csha-w c:\windows\SC617931F.tmp
2002-08-01 01:55 . 2006-12-07 16:20 636 --sh--w c:\windows\WSYS049.SYS
2006-10-15 13:41 . 2006-10-15 13:39 80 --sh--r c:\windows\system32\7401C44507.dll
2007-06-10 03:39 . 2007-06-10 03:39 56 --sh--r c:\windows\system32\7401C44507.sys
2007-06-27 17:39 . 2007-06-10 03:39 1682 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-08-08 311350]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-29 1601304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-05 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\Mike\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\WebshotsTray.exe [2005-9-27 208896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-8-8 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-29 12:13 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"MSACM.MI-SC4"= MI-SC4.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ipsdifx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoStart IR.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoStart IR.lnk
backup=c:\windows\pss\AutoStart IR.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Instant Update Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Instant Update Reminder.lnk
backup=c:\windows\pss\Instant Update Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=c:\windows\pss\NkvMon.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Mike\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^UltimateZip Quick Start.lnk]
path=c:\documents and settings\Mike\Start Menu\Programs\Startup\UltimateZip Quick Start.lnk
backup=c:\windows\pss\UltimateZip Quick Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-08-31 01:05 344064 ----a-w c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
2002-09-30 05:00 45056 ----a-w c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2002-10-29 13:18 49152 ----a-w c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-08-20 18:57 221184 ----a-w c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2003-07-25 14:14 188416 ----a-w c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
2003-08-20 21:15 483328 ----a-r c:\windows\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-04-14 21:04 40960 ----a-w c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 10:40 218032 ----a-w c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-12-11 19:10 267048 ----a-w c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2003-09-14 03:36 50688 ----a-w c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MULTIMEDIA KEYBOARD]
2002-06-19 14:50 180224 ----a-w c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
2004-07-29 08:41 1122304 ----a-w c:\program files\Symantec\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2004-07-01 08:12 4112384 ----a-r c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2004-07-01 08:12 81920 ----a-r c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-04-14 20:46 57393 ----a-w c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickCare2.2]
2007-05-04 13:21 198184 ----a-w c:\program files\Qwest\QuickCare\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
2005-06-20 22:53 1056768 ----a-r c:\program files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 23:42 32768 ----a-w c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
2002-12-03 22:06 45056 ----a-w c:\program files\Creative\SB Drive Det\SBDrvDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2008-07-07 16:42 2156368 ------w c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 16:22 155648 ----a-r c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2004-11-09 03:50 180269 ----a-w c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 05:00 90112 ------w c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRpdA]
2002-09-25 19:13 77891 ----a-w c:\windows\SYSTEM32\usrmlnka.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2000-08-08 20:00 24576 ----a-w c:\program files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
2003-04-11 21:33 118784 ----a-w c:\windows\system32\CTASIO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2003-04-10 16:36 28672 ----a-w c:\windows\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ptipbmf]
2003-06-20 19:06 118784 ----a-r c:\windows\system32\ptipbmf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"SupportSoft RemoteAssist"=3 (0x3)
"sprtlisten"=2 (0x2)
"Brother XP spl Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R0 OCDE;ZTekWare Original CD Emulator Service; [x]
R2 Ca533av;Icatch(IV) Video Camera Device;c:\windows\system32\Drivers\Ca533av.sys [2002-10-21 515803]
R3 USBCamera;Icatch(IV) Still Camera Device;c:\windows\system32\Drivers\Bulk533.sys [2002-07-25 10986]
R4 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [2008-01-08 1213728]
S0 PQV2i;PQV2i; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-01-29 325128]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-01-29 107272]
S1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\DRIVERS\msikbd2k.sys [2001-12-20 6656]
S1 PQIMount;PQIMount; [x]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-29 903960]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-29 298264]
S2 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 28672]
S3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [2005-03-02 465988]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e9b2f0c-342d-11da-804d-000ea6c30cd5}]
\Shell\AutoRun\command - f:\jdsecure\Windows\JDSecure31.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer =
IE: Open with &ZipScan - c:\progra~1\ZIPSCA~1\zs_ie.htm
Trusted Zone: aol.com\free
Trusted Zone: wikia.com\starwars
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-16 12:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(760)
c:\windows\ipsdifx.dll

- - - - - - - > 'explorer.exe'(4004)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\ipsdifx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\gearsec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\LxrJD31s.exe
c:\program files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\UAService7.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-16 12:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-16 18:32
ComboFix2.txt 2009-04-07 19:18

Pre-Run: 101,604,384,768 bytes free
Post-Run: 101,646,069,760 bytes free

290 --- E O F --- 2009-04-03 16:53


GMER Log

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-16 13:24:46
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT spul.sys ZwCreateKey [0xF72D30E0]
SSDT spul.sys ZwEnumerateKey [0xF72F0CA2]
SSDT spul.sys ZwEnumerateValueKey [0xF72F1030]
SSDT spul.sys ZwOpenKey [0xF72D30C0]
SSDT spul.sys ZwQueryKey [0xF72F1108]
SSDT spul.sys ZwQueryValueKey [0xF72F0F88]
SSDT spul.sys ZwSetValueKey [0xF72F119A]

INT 0x62 ? 86F6ABF8
INT 0x63 ? 86F6DBF8
INT 0x73 ? 86F6DBF8
INT 0x82 ? 86F6ABF8
INT 0x94 ? 85BA2BF8
INT 0x94 ? 85BA2BF8
INT 0x94 ? 85BA2BF8
INT 0x94 ? 85BA2BF8
INT 0x94 ? 85BA2BF8
INT 0x94 ? 85BA2BF8

Code \??\C:\DOCUME~1\Mike\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? spul.sys The system cannot find the file specified. !
? Combo-Fix.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F63FC62C 5 Bytes JMP 85BA21D8
? C:\DOCUME~1\Mike\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72D4046] spul.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F72D4142] spul.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72D40C4] spul.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72D47CE] spul.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72D46A4] spul.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F72DFD7A] spul.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86F681F8

AttachedDevice \FileSystem\Ntfs \Ntfs PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \FileSystem\Udfs \UdfsCdRom 85139368
Device \FileSystem\Udfs \UdfsDisk 85139368

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\usbuhci \Device\USBPDO-0 85C7F1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86FD91F8
Device \Driver\dmio \Device\DmControl\DmConfig 86FD91F8
Device \Driver\dmio \Device\DmControl\DmPnP 86FD91F8
Device \Driver\dmio \Device\DmControl\DmInfo 86FD91F8
Device \Driver\usbuhci \Device\USBPDO-1 85C7F1F8
Device \Driver\usbuhci \Device\USBPDO-2 85C7F1F8
Device \Driver\usbuhci \Device\USBPDO-3 85C7F1F8
Device \Driver\usbehci \Device\USBPDO-4 85C681F8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume1 86F6B1F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Cdrom \Device\CdRom0 85C8E1F8
Device \Driver\Cdrom \Device\CdRom1 85C8E1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 86F6A1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 86F6A1F8
Device \Driver\atapi \Device\Ide\IdePort0 86F6A1F8
Device \Driver\atapi \Device\Ide\IdePort1 86F6A1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 86F6A1F8
Device \Driver\Cdrom \Device\CdRom2 85C8E1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 851C3500
Device \Driver\NetBT \Device\NetbiosSmb 851C3500

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\usbuhci \Device\USBFDO-0 85C7F1F8
Device \Driver\usbuhci \Device\USBFDO-1 85C7F1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 85198500
Device \Driver\usbuhci \Device\USBFDO-2 85C7F1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 85198500
Device \Driver\usbuhci \Device\USBFDO-3 85C7F1F8
Device \Driver\usbehci \Device\USBFDO-4 85C681F8
Device \Driver\Ftdisk \Device\FtControl 86F6B1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B13D3B56-74AC-4161-BABC-D1C8860B70B7} 851C3500
Device \Driver\viamraid \Device\Scsi\viamraid1 86FD81F8
Device \Driver\fasttx2k \Device\Scsi\fasttx2k1 86F691F8
Device \Driver\fasttx2k \Device\Scsi\fasttx2k1Port3Path0Target4Lun0 86F691F8
Device \FileSystem\Cdfs \Cdfs 85A9C328

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x64 0x26 0xE2 0x10 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA3 0x27 0xE6 0x0C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x2B 0xBD 0xC0 0x4D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xEE 0x5F 0x6C 0xBA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xEE 0x5F 0x6C 0xBA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xEE 0x5F 0x6C 0xBA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x64 0x26 0xE2 0x10 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA3 0x27 0xE6 0x0C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x2B 0xBD 0xC0 0x4D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xEE 0x5F 0x6C 0xBA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xEE 0x5F 0x6C 0xBA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xEE 0x5F 0x6C 0xBA ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl (size mismatch) 8192/4096 bytes

---- EOF - GMER 1.0.15 ----


Gooredfix.txt

GooredFix v1.92 by jpshortstuff
Log created at 13:27 on 16/04/2009 running Option #1 (Mike)
Firefox version 2.0 (en-US)

=====Suspect Goored Entries=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{A16AB6F3-308C-4819-B08D-4A6E54D1147D}"="C:\Documents and Settings\Mike\Local Settings\Application Data\{A16AB6F3-308C-4819-B08D-4A6E54D1147D}"

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins" (Folder Missing)

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components" (Folder Missing)

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{A16AB6F3-308C-4819-B08D-4A6E54D1147D}"="C:\Documents and Settings\Mike\Local Settings\Application Data\{A16AB6F3-308C-4819-B08D-4A6E54D1147D}"


Avenger Log

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\oloxudipo.dll" not found!
Deletion of file "C:\WINDOWS\oloxudipo.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not delete registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|csikib"
Deletion of registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|csikib" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:45 PM, on 4/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Open with &ZipScan - C:\PROGRA~1\ZIPSCA~1\zs_ie.htm
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Risk\Images\stg_drm.ocx
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesu ... .0.3.1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/re ... NPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4649266154
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4650865312
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures06.aim.com/ygp/aol/plugi ... .5.1.7.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Risk\Images\armhelper.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 8220 bytes
joval43
Active Member
 
Posts: 13
Joined: April 2nd, 2009, 9:50 am
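The GooredFix dump above shows the pattern that tool hunts for: a machine-wide extension registration under HKLM\SOFTWARE\Mozilla\Firefox\extensions whose ID is a bare GUID and whose install path points into the user's Local Settings\Application Data folder, where no legitimate installer would place a Firefox extension. As an added example (not part of the original post and not GooredFix's own code), here is a small Python checker that parses that dump format and flags registrations with those traits. The scoring rules are my own heuristics, and the sample input is the "Dumping Registry Values" section copied from the log above.

```python
import re

# Test input: the "Dumping Registry Values" section of the GooredFix log posted
# above (Firefox 2.0 run), embedded here so the checker runs offline.
GOORED_DUMP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins" (Folder Missing)

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components" (Folder Missing)

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{A16AB6F3-308C-4819-B08D-4A6E54D1147D}"="C:\Documents and Settings\Mike\Local Settings\Application Data\{A16AB6F3-308C-4819-B08D-4A6E54D1147D}"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]+)"(?:\s+\((.*)\))?$')
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.I)

# Lower-cased path fragments that mean "inside a user profile" (XP and Vista+ layouts).
PROFILE_MARKERS = (
    "\\documents and settings\\",
    "\\local settings\\application data\\",
    "\\application data\\",
    "\\users\\",
)


def parse_dump(text):
    """Return one dict per "name"="path" line, tagged with the key it sits under."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            entries.append({"key": key, "name": m.group(1),
                            "path": m.group(2), "note": m.group(3)})
    return entries


def reasons_for(entry):
    """List the suspicious traits of one registration (empty list = looks benign)."""
    name, path = entry["name"], entry["path"].lower()
    if name.lower() in ("plugins", "components"):
        return []                      # Mozilla's own directory pointers, not extensions
    reasons = []
    machine_wide = entry["key"].upper().startswith("HKEY_LOCAL_MACHINE")
    if machine_wide and any(marker in path for marker in PROFILE_MARKERS):
        reasons.append("HKLM registration points into a user profile directory")
    if GUID_RE.match(name):
        reasons.append("extension ID is a bare GUID rather than id@vendor")
    if path.rstrip("\\").rsplit("\\", 1)[-1] == name.lower():
        reasons.append("install folder is named after the extension ID")
    return reasons


def suspect_entries(text):
    """Registrations matching the Goored pattern: the profile-path trait plus at least one more."""
    out = []
    for entry in parse_dump(text):
        reasons = reasons_for(entry)
        if any(r.startswith("HKLM registration") for r in reasons) and len(reasons) >= 2:
            out.append(dict(entry, reasons=reasons))
    return out


if __name__ == "__main__":
    for hit in suspect_entries(GOORED_DUMP):
        print(hit["name"], "->", hit["path"])
        for r in hit["reasons"]:
            print("   *", r)
```

On the dump above the checker reports only the GUID entry; the Java Quick Starter registration (jqs@sun.com, under Program Files) and Mozilla's own Plugins/Components pointers are left alone, which is the same split GooredFix made.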

Re: No luck after 4 days...need help...might be a rootkit

Unread postby Wi[k]! » April 18th, 2009, 7:01 am

Hi,

You do not have a rootkit but a Vundo infection. However, we are not done yet, as we have some things to take care of, but it is a major improvement.

GooredFix-Option 2
Please double-click GooredFix.exe on your Desktop to run it.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.
--------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\ipsdifx.dll
c:\windows\SC617931F.tmp
c:\windows\Oginul.bin
c:\windows\Rkuhohaqitejig.dat

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


[image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
--------------------------------------------------

After running the above, do you experience any problems? Does malwarebytes find anything?

In your next reply include:

Gooredlog
Combofix.txt
Answer to my question
Wi[k]!
MRU Undergrad
 
Posts: 554
Joined: August 4th, 2008, 9:49 am
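The Registry:: section of the CFScript above resets LSA's Notification Packages to the hex(7) (REG_MULTI_SZ) encoding of the single string scecli, which is the Windows default. That value names the DLLs LSA loads as password-change notification and filter packages, so an extra entry there is a persistence point that runs inside lsass.exe and survives most file-level cleanup. As an added example, not part of the original post and not ComboFix's own code, the Python below decodes and encodes the hex(7) form, audits a .reg export against a known-good list, and emits the matching Registry:: fix block. Both exports it runs on are constructed here: "rogue" is a hypothetical entry name, and the known-good set (scecli, plus rassfm and kdcsvc on domain controllers) is my assumption for an XP-era baseline.

```python
import re

# Constructed inputs (not from the thread). PAGE_VALUE is the exact value the
# CFScript above writes; ROGUE_EXPORT adds a hypothetical second package "rogue"
# and uses the ',\' line continuation that regedit exports produce.
PAGE_VALUE = '''REGEDIT4

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
'''

ROGUE_EXPORT = '''REGEDIT4

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,72,6f,67,\\
  75,65,00,00
'''

# Assumed baseline: scecli is the workstation default; rassfm and kdcsvc appear
# on domain controllers. Anything else deserves a look.
KNOWN_GOOD = {"scecli", "rassfm", "kdcsvc"}

VALUE_RE = re.compile(r'^"Notification Packages"=hex\(7\):([0-9a-fA-F,]+)$', re.M)


def join_continuations(reg_text):
    """Fold regedit's backslash-newline-indent continuation lines back together."""
    return re.sub(r'\\\r?\n\s*', '', reg_text)


def decode_hex7(payload):
    """Decode a hex(7) REG_MULTI_SZ payload into its list of strings.

    REGEDIT4 exports and ComboFix scripts use one byte per character (ANSI);
    'Windows Registry Editor Version 5.00' exports use UTF-16LE. Checking for
    zero high bytes is a heuristic that tells the two apart for ASCII names.
    """
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    looks_utf16 = (len(raw) >= 4 and len(raw) % 2 == 0
                   and all(raw[i] == 0 for i in range(1, len(raw), 2)))
    text = raw.decode("utf-16-le" if looks_utf16 else "latin-1")
    return [s for s in text.split("\x00") if s]        # drop the empty terminators


def encode_hex7(strings, utf16=False):
    """Inverse of decode_hex7: NUL-joined strings plus the double-NUL terminator."""
    text = "\x00".join(strings) + "\x00\x00"
    raw = text.encode("utf-16-le" if utf16 else "latin-1")
    return "hex(7):" + ",".join("%02x" % b for b in raw)


def notification_packages(reg_text):
    """The package names currently listed in the export, or [] if the value is absent."""
    m = VALUE_RE.search(join_continuations(reg_text))
    return decode_hex7(m.group(1)) if m else []


def audit(reg_text, known_good=KNOWN_GOOD):
    """Names in Notification Packages that are not on the baseline."""
    return [p for p in notification_packages(reg_text) if p.lower() not in known_good]


def cfscript_fix(keep=("scecli",)):
    """The Registry:: block that resets the value to exactly the names in `keep`."""
    return ("Registry::\n"
            "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]\n"
            '"Notification Packages"=' + encode_hex7(list(keep)))


if __name__ == "__main__":
    print("rogue export lists:", notification_packages(ROGUE_EXPORT))
    print("unexpected:", audit(ROGUE_EXPORT))
    print(cfscript_fix())
```

Two practical notes: on a live system, export the key with `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg` and feed that file to `audit`; and a name that passes the audit still needs its DLL located and verified, because the value holds bare module names that LSA resolves through the normal DLL search path.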

Re: No luck after 4 days...need help...might be a rootkit

Unread postby joval43 » April 18th, 2009, 12:17 pm

I ran a Malwarebytes scan and came up clean. I noticed on the Goored Log, Firefox extensions came up. What is the story here? Is it better to stay away from Firefox? I have used it on and off as I've heard it's a safer browser. Anyway, here are my logs.

Gooredlog

GooredFix v1.92 by jpshortstuff
Log created at 09:36 on 18/04/2009 running Option #2 (Mike)
Firefox version 3.0.8 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{A16AB6F3-308C-4819-B08D-4A6E54D1147D}"="C:\Documents and Settings\Mike\Local Settings\Application Data\{A16AB6F3-308C-4819-B08D-4A6E54D1147D}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Mike\Local Settings\Application Data\{A16AB6F3-308C-4819-B08D-4A6E54D1147D}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"


Combofix

ComboFix 09-04-18.07 - Mike 04/18/2009 9:40.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.566 [GMT -6:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\ipsdifx.dll
c:\windows\Oginul.bin
c:\windows\Rkuhohaqitejig.dat
c:\windows\SC617931F.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\ipsdifx.dll
c:\windows\Oginul.bin
c:\windows\Rkuhohaqitejig.dat
c:\windows\SC617931F.tmp

.
((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.

2009-04-16 22:51 . 2009-04-16 22:51 -------- d-----w c:\documents and settings\Mike\Local Settings\Application Data\Mozilla
2009-04-16 18:42 . 2009-04-16 18:42 -------- d-----w C:\GMER
2009-04-16 18:11 . 2009-03-06 14:44 283648 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 18:11 . 2005-07-26 04:39 60416 -c----w c:\windows\system32\dllcache\colbact.dll
2009-04-16 18:11 . 2009-02-09 10:20 399360 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 18:11 . 2009-02-09 10:20 473088 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 18:11 . 2009-02-06 17:14 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 18:11 . 2009-02-06 16:39 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 18:11 . 2009-02-09 10:20 616960 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 18:11 . 2009-02-09 10:20 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 18:11 . 2009-02-09 10:20 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 18:09 . 2008-04-21 10:02 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-07 16:29 . 2009-04-07 16:29 -------- d-----w c:\documents and settings\Mike\Application Data\IObit
2009-04-05 17:22 . 2009-04-05 17:22 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-05 17:22 . 2009-04-05 17:22 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-05 17:10 . 2009-04-05 17:10 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-03 16:46 . 2009-04-03 16:46 -------- d-----w c:\program files\MSXML 4.0
2009-04-03 16:45 . 2009-04-17 03:46 1374 ----a-w c:\windows\imsins.BAK
2009-04-03 02:01 . 2009-04-07 21:03 -------- d-----w c:\windows\system32\CatRoot_bak
2009-04-03 02:00 . 2008-06-13 13:10 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-03 01:51 . 2008-05-01 14:30 331776 -c----w c:\windows\system32\dllcache\msadce.dll
2009-04-02 19:50 . 2009-04-02 19:50 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-02 18:55 . 2009-04-02 19:10 250 ----a-w c:\windows\gmer.ini
2009-04-02 16:28 . 2009-04-02 16:28 -------- d-----w c:\windows\RestoreSafeDeleted
2009-04-02 00:06 . 2009-04-03 01:50 -------- d-----w c:\program files\UnHackMe
2009-04-01 20:41 . 2009-04-01 20:41 -------- d-----w c:\program files\LucasArts
2009-04-01 19:55 . 2009-04-01 19:52 49152 ----a-w c:\windows\system32\md5sum.exe
2009-04-01 04:05 . 2009-04-18 15:44 29988 ----a-w c:\windows\system32\BMXStateBkp-{00000000-00000000-0000000E-00001102-00000004-10031102}.rfx
2009-04-01 04:05 . 2009-04-18 15:44 29988 ----a-w c:\windows\system32\BMXState-{00000000-00000000-0000000E-00001102-00000004-10031102}.rfx
2009-04-01 04:05 . 2009-04-18 15:44 29760 ----a-w c:\windows\system32\BMXCtrlState-{00000000-00000000-0000000E-00001102-00000004-10031102}.rfx
2009-04-01 04:05 . 2009-04-18 15:44 29760 ----a-w c:\windows\system32\BMXBkpCtrlState-{00000000-00000000-0000000E-00001102-00000004-10031102}.rfx
2009-04-01 04:05 . 2009-04-18 15:44 292 ----a-w c:\windows\system32\DVCStateBkp-{00000000-00000000-0000000E-00001102-00000004-10031102}.dat
2009-04-01 04:05 . 2009-04-18 15:44 292 ----a-w c:\windows\system32\DVCState-{00000000-00000000-0000000E-00001102-00000004-10031102}.dat
2009-04-01 04:05 . 2009-04-18 15:44 1080 ----a-w c:\windows\system32\settingsbkup.sfm
2009-04-01 04:05 . 2009-04-18 15:44 1080 ----a-w c:\windows\system32\settings.sfm
2009-03-31 18:58 . 2009-03-31 18:58 -------- d-----w c:\documents and settings\Mike\Application Data\Uniblue
2009-03-31 16:49 . 2009-04-01 15:55 -------- d-----w c:\program files\Spyware Terminator
2009-03-29 18:38 . 2009-03-29 18:38 -------- d-----w c:\program files\Trend Micro
2009-03-28 03:10 . 2009-03-30 23:41 -------- d-----w c:\program files\Security Task Manager
2009-03-23 21:00 . 2009-03-23 21:00 -------- d-----w c:\documents and settings\Mike\Application Data\Media Player Classic
2009-03-23 20:57 . 2008-07-30 19:09 38 ----a-w c:\windows\avisplitter.ini
2009-03-23 20:57 . 2009-03-23 20:57 -------- d-----w c:\program files\K-Lite Codec Pack
2009-03-23 17:24 . 2009-03-25 21:03 -------- d-----w c:\program files\FlashGet
2009-03-23 17:13 . 2009-03-23 17:14 -------- d-----w c:\program files\Common Files\DivX Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 14:53 . 2004-08-18 15:04 -------- d-----w c:\program files\Common Files\Adobe
2009-04-16 19:35 . 2009-04-16 19:34 1900 ----a-w C:\avenger.txt
2009-04-08 01:54 . 2007-12-25 20:27 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-05 17:22 . 2005-08-22 01:00 -------- d-----w c:\program files\Java
2009-04-03 22:21 . 2005-10-03 00:08 -------- d-----w c:\program files\Microsoft Picture It! PhotoPub
2009-04-03 13:10 . 2009-01-11 16:49 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-02 01:50 . 2008-06-28 16:42 -------- d-----w c:\documents and settings\Mike\Application Data\Talkback
2009-04-02 01:50 . 2007-12-25 15:54 -------- d-----w c:\program files\iTunes
2009-04-01 20:37 . 2007-05-06 02:53 -------- d--h--w c:\documents and settings\Mike\Application Data\Move Networks
2009-04-01 00:40 . 2008-11-30 17:06 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-01 00:40 . 2008-11-30 17:06 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-29 18:05 . 2009-03-29 18:05 0 ----a-w C:\rundll32.txt
2009-03-26 22:49 . 2009-01-11 16:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 22:49 . 2009-01-11 16:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-26 20:01 . 2008-08-20 21:45 -------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2009-03-26 12:16 . 2004-08-18 13:54 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-23 17:14 . 2008-01-08 19:19 -------- d-----w c:\program files\DivX
2009-03-06 14:44 . 2005-09-27 19:13 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-05 00:37 . 2008-12-24 03:31 -------- d-----w c:\documents and settings\Mike\Application Data\U3
2009-03-05 00:36 . 2009-03-05 00:36 -------- d-----w c:\program files\Risk II
2009-02-28 01:38 . 2004-12-04 23:07 55 ----a-w C:\DVDPATH.TXT
2009-02-23 22:52 . 2009-02-22 17:54 -------- d-----w c:\documents and settings\Mike\Application Data\GetRightToGo
2009-02-20 08:14 . 2005-09-27 19:15 668160 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:14 . 2005-09-27 19:51 81920 ------w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2005-08-21 18:52 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2002-09-25 19:15 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2002-09-25 19:16 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2002-09-25 19:12 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2002-09-25 19:17 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:24 . 2002-09-25 19:16 2180480 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2002-09-25 19:17 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2002-09-25 19:17 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 2001-08-17 13:48 2057728 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2005-09-27 19:14 55808 ----a-w c:\windows\system32\secur32.dll
2009-01-29 12:13 . 2008-08-20 21:50 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-27 01:34 . 2009-01-27 01:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-01-27 01:34 . 2009-01-27 01:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-01-27 01:34 . 2009-01-27 01:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-01-27 01:34 . 2009-01-27 01:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-01-27 01:34 . 2009-01-27 01:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-01-27 01:34 . 2009-01-27 01:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-01-24 19:37 . 2008-07-02 17:40 34 ----a-w c:\documents and settings\Mike\jagex_runescape_preferences.dat
2008-10-16 21:41 . 2004-10-23 01:50 281888 ----a-w c:\documents and settings\Mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-01-13 13:27 . 2008-01-13 13:27 276808 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-09-28 16:27 . 2005-09-28 16:27 127 ----a-w c:\documents and settings\Mike\Local Settings\Application Data\fusioncache.dat
2004-08-30 13:21 . 2004-08-30 13:21 0 -c-ha-w c:\documents and settings\Mike\hpothb07.dat
2007-10-05 13:56 . 2007-10-04 13:40 81 --sh--r c:\windows\ICSET.BIN
2002-08-01 01:55 . 2006-12-07 16:20 636 --sh--w c:\windows\WSYS049.SYS
2006-10-15 13:41 . 2006-10-15 13:39 80 --sh--r c:\windows\system32\7401C44507.dll
2007-06-10 03:39 . 2007-06-10 03:39 56 --sh--r c:\windows\system32\7401C44507.sys
2007-06-27 17:39 . 2007-06-10 03:39 1682 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-29 1601304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\Mike\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\WebshotsTray.exe [2005-9-27 208896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-8-8 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-29 12:13 10520 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave2"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoStart IR.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoStart IR.lnk
backup=c:\windows\pss\AutoStart IR.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Instant Update Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Instant Update Reminder.lnk
backup=c:\windows\pss\Instant Update Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=c:\windows\pss\NkvMon.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Mike\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^UltimateZip Quick Start.lnk]
path=c:\documents and settings\Mike\Start Menu\Programs\Startup\UltimateZip Quick Start.lnk
backup=c:\windows\pss\UltimateZip Quick Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"SupportSoft RemoteAssist"=3 (0x3)
"sprtlisten"=2 (0x2)
"Brother XP spl Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R0 OCDE;ZTekWare Original CD Emulator Service; [x]
R2 Ca533av;Icatch(IV) Video Camera Device;c:\windows\system32\Drivers\Ca533av.sys [2002-10-21 515803]
R3 USBCamera;Icatch(IV) Still Camera Device;c:\windows\system32\Drivers\Bulk533.sys [2002-07-25 10986]
R4 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [2008-01-08 1213728]
S0 PQV2i;PQV2i; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-01-29 325128]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-01-29 107272]
S1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\DRIVERS\msikbd2k.sys [2001-12-20 6656]
S1 PQIMount;PQIMount; [x]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-29 903960]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-29 298264]
S2 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 28672]
S3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [2005-03-02 465988]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e9b2f0c-342d-11da-804d-000ea6c30cd5}]
\Shell\AutoRun\command - f:\jdsecure\Windows\JDSecure31.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer =
IE: Open with &ZipScan - c:\progra~1\ZIPSCA~1\zs_ie.htm
Trusted Zone: aol.com\free
Trusted Zone: wikia.com\starwars
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\hs9qqd8x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 09:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2612)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\gearsec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\LxrJD31s.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
c:\windows\system32\UAService7.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-18 9:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-18 15:50
ComboFix2.txt 2009-04-16 18:32

Pre-Run: 100,971,941,888 bytes free
Post-Run: 101,340,266,496 bytes free

251 --- E O F --- 2009-04-17 14:26
joval43
Active Member
 
Posts: 13
Joined: April 2nd, 2009, 9:50 am

Re: No luck after 4 days...need help...might be a rootkit

Unread postby Wi[k]! » April 21st, 2009, 4:10 pm

Firefox is a much safer browser than Internet Explorer and I suggest you use it. The folders that were removed by Gooredfix were the ones causing redirections.

From your current logs everything appears to be clean. Congratulations! Here are some tips so you stay that way.
--------------------------------------------------

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Now after doing the above:

Download OTmoveit and save it to your desktop. This tool will remove the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.
--------------------------------------------------
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your Anti-Virus Software - All antivirus programs will update themselves daily so ensure your antivirus does this each time you connect to the internet. If you do not update your antivirus software then it will not be able to catch any of the new variants that regularly appear.
  • Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Use a Firewall - Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient but it only controls one way of the traffic (inbound). Simply using a Firewall in its default configuration can lower your risk greatly. I strongly recommend that you install a firewall that monitors traffic in both directions. Some free for personal use firewalls are:
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. You can download it here: SpywareBlaster
  • Install WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. You can download it from this website: WinPatrol
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Secunia Software Inspector can check your system for outdated programs, see here for details.
Wi[k]!
MRU Undergrad
Posts: 554
Joined: August 4th, 2008, 9:49 am
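The Internet-zone Custom Level changes listed in the post above are stored as per-user registry values, which makes them easy to audit across several machines or to re-apply after a rebuild. The script below is an added example; it is not part of the original post or of the forum's tools. It assumes the zone-3 action IDs and the 0/1/3 (Enable/Prompt/Disable) value encoding documented by Microsoft for the Internet Settings\Zones registry layout, and the `reg export` text it parses is a constructed sample, not a capture from the poster's machine.

```python
"""Audit and remediate the Internet Explorer Internet-zone (zone 3) settings
recommended in the post above, using the per-user registry values that back
the Custom Level dialog.

Added example, not code from the original forum post.  Action IDs and the
0 = Enable / 1 = Prompt / 3 = Disable encoding are assumed from Microsoft's
documentation of the Internet Settings\\Zones registry layout; SAMPLE_EXPORT
is a constructed `reg export` snippet for the demonstration.
"""
import re

ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")

ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Action ID -> (name as shown in the Custom Level dialog, recommended value)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1806": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Constructed sample of `reg export "<ZONE3_KEY>" zone3.reg` output on a box
# where only the first two settings were hardened.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1201"=dword:00000000
"1800"=dword:00000000
"1806"=dword:00000000
"CurrentLevel"=dword:00011000
"""

# Only four-digit action IDs with dword values are of interest here.
_DWORD = re.compile(r'^"(\d{4})"=dword:([0-9a-fA-F]{8})\s*$', re.M)


def parse_zone_export(text):
    """Return {action_id: int_value} for the dword action entries of a .reg export."""
    return {aid: int(hexval, 16) for aid, hexval in _DWORD.findall(text)}


def audit(current):
    """Return (action_id, name, current_label, wanted_label) for every
    recommended setting whose value differs from the recommendation.

    An action ID absent from the export has not been explicitly set for the
    zone, so it is reported as "not set" rather than assumed hardened."""
    findings = []
    for aid, (name, wanted) in RECOMMENDED.items():
        have = current.get(aid)
        if have != wanted:
            findings.append((aid, name, LABEL.get(have, "not set"), LABEL[wanted]))
    return findings


def remediation_reg():
    """Build a .reg file that applies every recommended value to zone 3."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE3_KEY}]"]
    for aid, (name, wanted) in RECOMMENDED.items():
        lines.append(f"; {name} -> {LABEL[wanted]}")
        lines.append(f'"{aid}"=dword:{wanted:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for aid, name, have, want in audit(parse_zone_export(SAMPLE_EXPORT)):
        print(f"{aid} {name}: {have} (recommended {want})")
    print(remediation_reg())
```

To use it against a real machine, run `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg`, pass the file contents to `parse_zone_export`, and apply the output of `remediation_reg()` with `reg import`; Internet Explorer reads the zone values when it starts, so restart it afterwards. One caveat: when the `Security_HKLM_only` policy value is set under Internet Settings, IE ignores the per-user zone keys and the HKLM copy of the zone is the one to audit.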

Re: No luck after 4 days...need help...might be a rootkit

Unread postby joval43 » April 21st, 2009, 9:26 pm

I can't thank you enough. I will definitely follow your recommendations to prevent any future infections. I couldn't have done this without you guys...thanks so, so much! With a new fan and no infections, my computer is very happy! Best of luck in your future virus fighting.
joval43
Active Member
 
Posts: 13
Joined: April 2nd, 2009, 9:50 am

Re: No luck after 4 days...need help...might be a rootkit

Unread postby Wi[k]! » April 22nd, 2009, 7:39 am

Thank you for your kind words, best of luck to you as well.
Wi[k]!
MRU Undergrad
Posts: 554
Joined: August 4th, 2008, 9:49 am

Re: No luck after 4 days...need help...might be a rootkit

Unread postby 'KotaGuy » April 22nd, 2009, 9:27 am

As your computer is now clean, this topic is closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada