Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:08 PM, on 8/20/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\D4\D4.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Users\Mayank\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Mayank\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\mmc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Users\Mayank\AppData\Local\Google\Chrome\Application\chrome.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - C:\Program%20Files\Tweak%20Marketing\Advanced%20Email%20Extractor\AeeMSIE.dll (file missing)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - C:\Program%20Files\Tweak%20Marketing\Advanced%20Email%20Extractor\AeeMSIE.dll (file missing)
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: COM Host (comHost) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe (file missing)
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iRemotePC Host (iRemotePC) - Athivision Inc - C:\Program Files\iRemotePC\iRemotePC.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Unknown owner - c:\Program Files\Norton Internet Security\isPwdSvc.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: PEVSystemStart - Unknown owner - cmd /k start /i "/dC:" "C:\ComboFix\HIDEC.exe" "C:\Windows\system32\CF27480.exe" /c RD /S/Q \$RECYCLE.bin \RECYCLER \RECYCLED (file missing)
O23 - Service: Symantec AppCore Service (SymAppCore) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe (file missing)
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\Windows\system32\UTSCSI.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 5119 bytes
MalwareBytes runs, but it hangs in the middle. It gives "Not Responding", and even though I try to close it/kill it, the window stays blank with no response.
Instead I ran SUPERAntiSpyware, and the log is:
LOG FROM LAST NIGHT (when it worked)
Malwarebytes' Anti-Malware 1.40
Database version: 2651
Windows 6.0.6001 Service Pack 1 (Safe Mode)
8/19/2009 10:41:46 PM
mbam-log-2009-08-19 (22-41-46).txt
Scan type: Full Scan (C:\|H:\|)
Objects scanned: 240590
Time elapsed: 26 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
LOG FROM SUPERAntiSpyware
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 08/20/2009 at 02:27 PM
Application Version : 4.27.1002
Core Rules Database Version : 4064
Trace Rules Database Version: 2004
Scan type : Quick Scan
Total Scan Time : 00:39:36
Memory items scanned : 581
Memory threats detected : 0
Registry items scanned : 588
Registry threats detected : 4
File items scanned : 16021
File threats detected : 2
Rootkit.Cloaked/Service-GEN
HKLM\system\controlset001\services\kbiwkmbctovvys
C:\WINDOWS\SYSTEM32\DRIVERS\KBIWKMQNDBCUTE.SYS
HKLM\system\controlset001\services\kbiwkmbwipvnqc
C:\WINDOWS\SYSTEM32\DRIVERS\KBIWKMRVQQPIBT.SYS
HKLM\system\controlset004\services\kbiwkmbctovvys
HKLM\system\controlset004\services\kbiwkmbwipvnqc
ROOTER LOG
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows Vista Home Edition (6.0.6001) Service Pack 1
[32_bits] - x86 Family 6 Model 15 Stepping 2, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[MpsSvc] RUNNING (state:4)
Windows Firewall -> Enabled
Windows Defender -> Enabled
User Account Control (UAC) -> Disabled !
.
Internet Explorer 7.0.6001.18000
Mozilla Firefox 3.0.13 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:318 Go - Free:235 Go )
E:\ [CD_Rom]
H:\ [Fixed-NTFS] .. ( Total:147 Go - Free:105 Go )
.
Scan : 16:37.48
Path : C:\Users\MyComputer\Documents\Downloads\Rooter.exe
User : MyComputer ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
______ \SystemRoot\System32\smss.exe (472)
______ C:\Windows\system32\csrss.exe (552)
______ C:\Windows\system32\wininit.exe (596)
______ C:\Windows\system32\csrss.exe (608)
______ C:\Windows\system32\services.exe (640)
______ C:\Windows\system32\winlogon.exe (672)
______ C:\Windows\system32\lsass.exe (720)
______ C:\Windows\system32\lsm.exe (728)
______ C:\Windows\system32\svchost.exe (864)
______ C:\Windows\system32\svchost.exe (940)
______ C:\Windows\System32\svchost.exe (980)
______ C:\Windows\System32\svchost.exe (1100)
______ C:\Windows\System32\svchost.exe (1172)
______ C:\Windows\system32\svchost.exe (1192)
Locked audiodg.exe (1256)
______ C:\Windows\system32\SLsvc.exe (1328)
______ C:\Windows\system32\svchost.exe (1420)
______ C:\Windows\system32\svchost.exe (1552)
______ C:\Windows\system32\Dwm.exe (1880)
______ C:\Windows\System32\spoolsv.exe (1388)
______ C:\Windows\system32\taskeng.exe (860)
______ C:\Windows\system32\svchost.exe (1460)
______ C:\Windows\system32\svchost.exe (1704)
______ C:\Windows\System32\svchost.exe (2700)
______ C:\Windows\system32\svchost.exe (2780)
______ C:\Windows\system32\svchost.exe (2844)
______ C:\Windows\System32\svchost.exe (2988)
______ C:\Windows\system32\SearchIndexer.exe (3040)
______ C:\Windows\system32\taskeng.exe (3876)
______ C:\Windows\system32\svchost.exe (2348)
______ C:\Windows\system32\wuauclt.exe (3716)
______ C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (5724)
______ C:\PROGRA~1\AVG\AVG8\avgrsx.exe (5816)
______ C:\PROGRA~1\AVG\AVG8\avgnsx.exe (5824)
______ C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (6132)
______ C:\Program Files\Windows Media Player\wmpnetwk.exe (1692)
______ C:\Windows\explorer.exe (2144)
______ C:\Windows\system32\wbem\unsecapp.exe (4212)
______ C:\Windows\system32\wbem\wmiprvse.exe (4156)
______ C:\Users\MyComputer\AppData\Local\Google\Chrome\Application\chrome.exe (1972)
______ C:\Users\MyComputer\AppData\Local\Google\Chrome\Application\chrome.exe (4364)
______ C:\Users\MyComputer\AppData\Local\Google\Chrome\Application\chrome.exe (4380)
______ C:\Program Files\AVG\AVG8\avgui.exe (4972)
______ C:\Program Files\Notepad++\notepad++.exe (4644)
______ C:\Users\MyComputer\AppData\Local\Google\Chrome\Application\chrome.exe (1072)
______ C:\Windows\Explorer.exe (5716)
______ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (316)
______ C:\Windows\system32\SearchProtocolHost.exe (4920)
______ C:\Windows\system32\SearchFilterHost.exe (5116)
______ C:\Windows\system32\DllHost.exe (5132)
______ C:\Users\MyComputer\Documents\Downloads\Rooter.exe (4656)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:341768577024)
\Device\Harddisk0\Partition2 (Start_Offset:341768667136 | Length:158338145792)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\GlaryInitialize.job
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2962011118-3784428583-210714513-1000Core.job
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2962011118-3784428583-210714513-1000UA.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
C:\Windows\Tasks\User_Feed_Synchronization-{637CF393-1361-456A-8A86-5B301AEA4B13}.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 16:38.06
.
C:\Rooter$\Rooter_1.txt - (20/08/2009 | 16:38.06)
ROOT REPEAL LOG
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/20 16:41
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================
Drivers
-------------------
Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x940F9000 Size: 45056 File Visible: No Signed: -
Status: -
Name: dump_msahci.sys
Image Path: C:\Windows\System32\Drivers\dump_msahci.sys
Address: 0x94104000 Size: 40960 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xC45E6000 Size: 49152 File Visible: No Signed: -
Status: -
Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!
Path: C:\Windows\System32\audiodg.exe
PID: 1256 Status: Locked to the Windows API!
Hidden Services
-------------------
Service Name: kbiwkmbctovvys
Image Path: C:\Windows\system32\drivers\kbiwkmvcxttmfx.sys
Service Name: kbiwkmbwipvnqc
Image Path: C:\Windows\system32\drivers\kbiwkmvsyclvod.sys
==EOF==
Please help, I need my PC back!!! Thanks, Malware Removal Team