dnm5164
Members
Posts: 19
Reputation: 0 Neutral
  1. Hello Extremeboy, I ran sfc /scannow, but the DOS window opened for a fraction of a second and then closed; nothing after that. I also ran ComboFix. Do you want me to post it online? BTW, thank you so much for working with me on fixing the issues on my computer. Thanks, Dilip
  2. There you go. Thx, dm

ComboFix 09-10-01.05 - Geovision 10/02/2009 17:59.8.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1016.725 [GMT -5:00]
Running from: c:\documents and settings\Geovision\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Geovision\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\comres.dll . . . is infected!!
c:\windows\system32\drivers\asyncmac.sys . . . is missing!!
.
((((((((((((((((((((((((( Files Created from 2009-09-02 to 2009-10-02 )))))))))))))))))))))))))))))))
.
2009-10-01 00:44 . 2009-10-01 00:44 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2009-10-01 00:42 . 2009-10-01 00:49 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-01 00:42 . 2009-10-01 00:49 107547 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-01 00:41 . 2009-10-02 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-10-01 00:41 . 2009-10-01 00:41 -------- d-----w- c:\program files\Kaspersky Lab
2009-09-30 22:44 . 2009-09-30 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-09-30 21:09 . 2009-09-30 21:09 -------- d-----w- c:\windows\Sun
2009-09-30 21:04 . 2009-07-31 14:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-30 21:04 . 2009-09-30 22:32 -------- d-----w- c:\program files\Java
2009-09-22 00:23 . 2009-09-22 00:23 0 ----a-w- c:\documents and settings\Geovision\settings.dat
2009-09-06 20:53 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-06 13:52 . 2009-09-06 13:52 -------- d-sh--w- c:\documents and settings\Geovision\IECompatCache
2009-09-06 13:44 . 2009-09-06 13:44 -------- d-sh--w- c:\documents and settings\Geovision\PrivacIE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-01 00:36 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-02 16:19 . 2009-09-02 16:19 -------- d-----w- c:\program files\Trend Micro
2009-08-31 10:44 . 2009-08-31 10:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-29 19:06 . 2009-08-29 19:06 -------- d-----w- c:\documents and settings\Geovision\Application Data\Malwarebytes
2009-08-29 19:06 . 2009-08-29 19:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 19:05 . 2009-08-29 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-21 05:40 . 2009-04-14 21:05 -------- d-----w- c:\program files\Google
2009-08-03 12:36 . 2009-08-29 19:05 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 12:36 . 2009-08-29 19:05 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 00:46 . 2009-07-31 00:39 1106 ----a-w- c:\windows\system32\info.dat
2009-07-23 11:57 . 2009-07-23 11:57 661352 ----a-w- C:\autoruns.exe
2009-07-23 11:57 . 2009-07-23 11:57 553832 ----a-w- C:\autorunsc.exe
2008-12-25 01:59 . 2008-12-25 01:59 60516 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-25 01:59 . 2008-12-25 01:59 49246 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-25 01:59 . 2008-12-25 01:59 165990 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
------- Sigcheck -------
[-] 2006-01-06 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys
[-] 2006-01-09 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe
[-] 2006-01-06 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe
c:\windows\system32\drivers\asyncmac.sys ... is missing !!
c:\windows\system32\qmgr.dll ... is missing !!
c:\windows\system32\userinit.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-09-08_16.49.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-02 23:06 . 2009-10-02 23:06 16384 c:\windows\temp\Perflib_Perfdata_7f8.dat
+ 2004-09-01 08:00 . 2009-10-01 00:39 59992 c:\windows\system32\perfc009.dat
- 2004-09-01 08:00 . 2009-03-30 17:59 59992 c:\windows\system32\perfc009.dat
+ 2009-07-03 20:45 . 2009-07-03 20:45 27507 c:\windows\system32\drivers\klopp.dat
+ 2009-05-17 01:59 . 2009-05-17 01:59 19472 c:\windows\system32\drivers\klmouflt.sys
+ 2009-05-13 22:46 . 2009-05-13 22:46 31760 c:\windows\system32\drivers\klim5.sys
+ 2008-12-16 01:41 . 2008-12-16 01:41 33808 c:\windows\system32\drivers\klbg.sys
- 2004-09-01 08:00 . 2009-03-30 17:59 395862 c:\windows\system32\perfh009.dat
+ 2004-09-01 08:00 . 2009-10-01 00:39 395862 c:\windows\system32\perfh009.dat
+ 2009-07-03 20:48 . 2009-07-03 20:48 219664 c:\windows\system32\klogon.dll
+ 2009-09-30 22:32 . 2009-07-31 14:23 149280 c:\windows\system32\javaws.exe
+ 2009-09-30 22:32 . 2009-07-31 14:23 145184 c:\windows\system32\javaw.exe
+ 2009-09-30 22:32 . 2009-07-31 14:23 145184 c:\windows\system32\java.exe
+ 2009-10-01 00:41 . 2009-10-01 00:41 296976 c:\windows\system32\drivers\klif.sys
+ 2009-06-15 19:01 . 2009-06-15 19:01 128016 c:\windows\system32\drivers\kl1.sys
+ 2009-09-30 21:04 . 2009-09-30 21:04 536576 c:\windows\Installer\73c30.msi
+ 2009-10-01 00:42 . 2009-10-01 00:42 3341312 c:\windows\Installer\46a42.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-07-03 303376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-09-01 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R3 AGV;AGV;c:\windows\system32\drivers\AGV.sys [2006-12-04 189112]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
R3 GV800S;GV800S;c:\windows\system32\drivers\GV800S.sys [2007-03-29 82224]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-16 33808]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2008-12-08 55136]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2009-05-13 31760]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-05-17 19472]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Geovision\Application Data\Mozilla\Firefox\Profiles\oryvhb3o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 18:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2148)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
.
**************************************************************************
.
Completion time: 2009-10-02 18:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-02 23:32
ComboFix2.txt 2009-09-26 01:36
ComboFix3.txt 2009-09-22 00:17
ComboFix4.txt 2009-09-19 15:40
ComboFix5.txt 2009-10-02 22:58

Pre-Run: 1,913,561,088 bytes free
Post-Run: 1,885,384,704 bytes free

175
  3. Sorry for the delayed response, Extremeboy. I tried running the Kaspersky online scanner, but it wouldn't run (key expired error). So I downloaded the trial version and ran the software. Here are the details. Thx, dm

--------------------------------
Quick Scan: completed 2 hours ago (events: 2, objects: 2037, time: 00:01:16)
9/30/2009 8:08:25 PM Task completed
9/30/2009 8:07:08 PM Task started

Objects Scan: completed 5 minutes ago (events: 32, objects: 423874, time: 02:01:00)
9/30/2009 8:11:05 PM Task started
9/30/2009 8:11:18 PM Detected: Trojan-Downloader.JS.Agent.dok c:\sa.txt
9/30/2009 8:11:53 PM Deleted: Trojan-Downloader.JS.Agent.dok c:\sa.txt
9/30/2009 8:52:00 PM Detected: Trojan.Win32.Scar.nve c:\Qoobox\Quarantine\C\WINDOWS\RYM531DN0T07.EXE.vir
9/30/2009 8:52:00 PM Detected: Trojan.Win32.Scar.nef c:\Qoobox\Quarantine\C\WINDOWS\SWEPVWJ17OXH.EXE.vir
9/30/2009 8:52:00 PM Detected: Trojan.Win32.Scar.nef c:\Qoobox\Quarantine\C\WINDOWS\PAXHCD0A.EXE.vir
9/30/2009 8:52:00 PM Detected: Trojan-Downloader.Win32.BHO.oit c:\Qoobox\Quarantine\[68]-Submit_2009-09-09_21.25.41.zip/TUIKNKMV.dll
9/30/2009 8:52:02 PM Deleted: Trojan-Downloader.Win32.BHO.oit c:\Qoobox\Quarantine\[68]-Submit_2009-09-09_21.25.41.zip/TUIKNKMV.dll
9/30/2009 8:52:03 PM Detected: Trojan-Downloader.Win32.BHO.oit c:\Qoobox\Quarantine\[68]-Submit_2009-09-09_21.25.41.zip/VOEMAQZCTCLF.dll
9/30/2009 8:52:03 PM Deleted: Trojan-Downloader.Win32.BHO.oit c:\Qoobox\Quarantine\[68]-Submit_2009-09-09_21.25.41.zip/VOEMAQZCTCLF.dll
9/30/2009 8:53:02 PM Deleted: Trojan.Win32.Scar.nef c:\Qoobox\Quarantine\C\WINDOWS\PAXHCD0A.EXE.vir
9/30/2009 8:53:03 PM Detected: Backdoor.Win32.Bifrose.bomo c:\Qoobox\Quarantine\C\WINDOWS\UDXVHFM16.EXE.vir
9/30/2009 8:53:03 PM Deleted: Trojan.Win32.Scar.nef c:\Qoobox\Quarantine\C\WINDOWS\SWEPVWJ17OXH.EXE.vir
9/30/2009 8:53:03 PM Detected: Trojan.Win32.Scar.nef c:\Qoobox\Quarantine\C\WINDOWS\W2UQ75.EXE.vir
9/30/2009 8:53:03 PM Deleted: Trojan.Win32.Scar.nve c:\Qoobox\Quarantine\C\WINDOWS\RYM531DN0T07.EXE.vir
9/30/2009 8:53:04 PM Detected: Trojan.Win32.Scar.nef c:\Qoobox\Quarantine\C\WINDOWS\YB0Q1N1141.EXE.vir
9/30/2009 8:53:04 PM Deleted: Trojan.Win32.Scar.nef c:\Qoobox\Quarantine\C\WINDOWS\W2UQ75.EXE.vir
9/30/2009 8:53:04 PM Detected: Backdoor.Win32.Bifrose.bomo c:\Qoobox\Quarantine\C\WINDOWS\YLWVOVCCQP.EXE.vir
9/30/2009 8:53:04 PM Deleted: Backdoor.Win32.Bifrose.bomo c:\Qoobox\Quarantine\C\WINDOWS\UDXVHFM16.EXE.vir
9/30/2009 8:53:04 PM Detected: Trojan.Win32.Scar.nve c:\Qoobox\Quarantine\C\WINDOWS\ZZCWNB.EXE.vir
9/30/2009 8:53:04 PM Deleted: Trojan.Win32.Scar.nef c:\Qoobox\Quarantine\C\WINDOWS\YB0Q1N1141.EXE.vir
9/30/2009 8:53:05 PM Deleted: Backdoor.Win32.Bifrose.bomo c:\Qoobox\Quarantine\C\WINDOWS\YLWVOVCCQP.EXE.vir
9/30/2009 8:53:05 PM Detected: Trojan-GameThief.Win32.Magania.cakv c:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\UYTbcaZtxE23MEzKGQ.cur.vir/PE_Patch.UPX/UPX
9/30/2009 8:53:06 PM Deleted: Trojan.Win32.Scar.nve c:\Qoobox\Quarantine\C\WINDOWS\ZZCWNB.EXE.vir
9/30/2009 8:53:06 PM Deleted: Trojan-GameThief.Win32.Magania.cakv c:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\UYTbcaZtxE23MEzKGQ.cur.vir
9/30/2009 8:55:43 PM Detected: Trojan.Win32.Scar.nef c:\System Volume Information\_restore{84584035-382A-4A86-BAB7-12FC15AFCE07}\RP6\A0001120.EXE
9/30/2009 8:55:43 PM Detected: Backdoor.Win32.Bifrose.bomo c:\System Volume Information\_restore{84584035-382A-4A86-BAB7-12FC15AFCE07}\RP6\A0001122.EXE
9/30/2009 8:56:03 PM Deleted: Trojan.Win32.Scar.nef c:\System Volume Information\_restore{84584035-382A-4A86-BAB7-12FC15AFCE07}\RP6\A0001120.EXE
9/30/2009 8:56:04 PM Deleted: Backdoor.Win32.Bifrose.bomo c:\System Volume Information\_restore{84584035-382A-4A86-BAB7-12FC15AFCE07}\RP6\A0001122.EXE
9/30/2009 9:02:18 PM Detected: Trojan-Downloader.Win32.Small.jmn c:\WINDOWS\system32\userinit.exe.bat.old
9/30/2009 9:02:43 PM Deleted: Trojan-Downloader.Win32.Small.jmn c:\WINDOWS\system32\userinit.exe.bat.old
9/30/2009 10:12:05 PM Task completed

Rootkit Scan: completed 1 hour ago (events: 2, objects: 414, time: 00:11:19)
9/30/2009 8:29:36 PM Task started
9/30/2009 8:40:59 PM Task completed
----------------------------------------

Here is the log file for SysProt:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************
Process:
Name: [System Idle Process] PID: 0 Hidden: No Window Visible: No
Name: System PID: 4 Hidden: No Window Visible: No
Name: C:\WINDOWS\system32\smss.exe PID: 844 Hidden: No Window Visible: No
Name: C:\WINDOWS\system32\csrss.exe PID: 940 Hidden: No Window Visible: No
Name: C:\WINDOWS\system32\winlogon.exe PID: 964 Hidden: No Window Visible: No
Name: C:\WINDOWS\system32\services.exe PID: 1012 Hidden: No Window Visible: No
Name: C:\WINDOWS\system32\lsass.exe PID: 1024 Hidden: No Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe PID: 1188 Hidden: No Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe PID: 1280 Hidden: No Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe PID: 1408 Hidden: No Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe PID: 1492 Hidden: No Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe PID: 1648 Hidden: No Window Visible: No
Name: C:\WINDOWS\explorer.exe PID: 1876 Hidden: No Window Visible: No
Name: C:\WINDOWS\system32\spoolsv.exe PID: 496 Hidden: No Window Visible: No
Name: C:\Program Files\Java\jre6\bin\jusched.exe PID: 344 Hidden: No Window Visible: No
Name: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe PID: 328 Hidden: No Window Visible: No
Name: C:\WINDOWS\system32\ctfmon.exe PID: 320 Hidden: No Window Visible: No
Name: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe PID: 212 Hidden: No Window Visible: No
Name: C:\Program Files\Java\jre6\bin\jqs.exe PID: 644 Hidden: No Window Visible: No
Name: C:\Program Files\Maxtor\Sync\SyncServices.exe PID: 688 Hidden: No Window Visible: No
Name: C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe PID: 1104 Hidden: No Window Visible: No
Name: C:\WINDOWS\system32\alg.exe PID: 2220 Hidden: No Window Visible: No
Name: C:\Program Files\Mozilla Firefox\firefox.exe PID: 2484 Hidden: No Window Visible: No
Name: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe PID: 1416 Hidden: No Window Visible: No
Name: C:\Documents and Settings\Geovision\Desktop\SysProt\SysProt\SysProt.exe PID: 3784 Hidden: No Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Geovision\Desktop\SysProt\SysProt\SysProtDrv.sys Service Name: SysProtDrv.sys Module Base: ECEC0000 Module End: ECECB000 Hidden: No
Module Name: \WINDOWS\system32\ntoskrnl.exe Service Name: --- Module Base: 804D7000 Module End: 806ED280 Hidden: No
Module Name: \WINDOWS\system32\hal.dll Service Name: --- Module Base: 806EE000 Module End: 8070E280 Hidden: No
Module Name: \WINDOWS\system32\KDCOM.DLL Service Name: --- Module Base: F79B6000 Module End: F79B8000 Hidden: No
Module Name: \WINDOWS\system32\BOOTVID.dll Service Name: --- Module Base: F78C6000 Module End: F78C9000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ACPI.sys Service Name: ACPI Module Base: F7467000 Module End: F7495000 Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS Service Name: --- Module Base: F79B8000 Module End: F79BA000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\pci.sys Service Name: PCI Module Base: F7456000 Module End: F7467000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\isapnp.sys Service Name: isapnp Module Base: F74B6000 Module End: F74BF000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\pciide.sys Service Name: PCIIde Module Base: F7A7E000 Module End: F7A7F000 Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS Service Name: --- Module Base: F7736000 Module End: F773D000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys Service Name: MountMgr Module Base: F74C6000 Module End: F74D1000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys Service Name: Disk Module Base: F7437000 Module End: F7456000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\dmload.sys Service Name: dmload Module Base: F79BA000 Module End: F79BC000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\dmio.sys Service Name: dmio Module Base: F7411000 Module End: F7437000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys Service Name: PartMgr Module Base: F773E000 Module End: F7743000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys Service Name: VolSnap Module Base: F74D6000 Module End: F74E3000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\atapi.sys Service Name: atapi Module Base: F73F9000 Module End: F7411000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\disk.sys Service Name: --- Module Base: F74E6000 Module End: F74EF000 Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS Service Name: --- Module Base: F74F6000 Module End: F7503000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\fltMgr.sys Service Name: FltMgr Module Base: F73DA000 Module End: F73F9000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\sr.sys Service Name: sr Module Base: F73C8000 Module End: F73DA000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\klbg.sys Service Name: klbg Module Base: F7506000 Module End: F7511000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys Service Name: KSecDD Module Base: F73B1000 Module End: F73C8000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys Service Name: Ntfs Module Base: F7324000 Module End: F73B1000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\NDIS.sys Service Name: NDIS Module Base: F72F7000 Module End: F7324000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\Mup.sys Service Name: Mup Module Base: F72DD000 Module End: F72F7000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\kl1.sys Service Name: kl1 Module Base: F6DBD000 Module End: F72DD000 Hidden: No
Module Name: \WINDOWS\system32\drivers\TDI.SYS Service Name: --- Module Base: F7746000 Module End: F774B000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\intelppm.sys Service Name: intelppm Module Base: F76F6000 Module End: F76FF000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ialmnt5.sys Service Name: ialm Module Base: F6CB0000 Module End: F6D75000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS Service Name: --- Module Base: F6B48000 Module End: F6B5C000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\usbuhci.sys Service Name: usbuhci Module Base: F786E000 Module End: F7873000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS Service Name: --- Module Base: F6B25000 Module End: F6B48000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys Service Name: usbehci Module Base: F7876000 Module End: F787D000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys Service Name: RTL8023xp Module Base: F6B11000 Module End: F6B25000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\fdc.sys Service Name: Fdc Module Base: F7886000 Module End: F788D000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\parport.sys Service Name: Parport Module Base: F6AFD000 Module End: F6B11000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\serial.sys Service Name: Serial Module Base: F7726000 Module End: F7736000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\serenum.sys Service Name: serenum Module Base: F79AA000 Module End: F79AE000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys Service Name: i8042prt Module Base: F7536000 Module End: F7543000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys Service Name: Kbdclass Module Base: F789E000 Module End: F78A4000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\klmouflt.sys Service Name: klmouflt Module Base: F7546000 Module End: F754F000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys Service Name: Mouclass Module Base: F78A6000 Module End: F78AC000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\gameenum.sys Service Name: gameenum Module Base: F6D99000 Module End: F6D9C000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys Service Name: Imapi Module Base: F7556000 Module End: F7561000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys Service Name: Cdrom Module Base: F7566000 Module End: F7573000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys Service Name: redbook Module Base: F7576000 Module End: F7585000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys Service Name: --- Module Base: F6A30000 Module End: F6A53000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ALCXWDM.SYS Service Name: ALCXWDM Module Base: F694D000 Module End: F6A30000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\portcls.sys Service Name: --- Module Base: F6911000 Module End: F6935000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\drmk.sys Service Name: --- Module Base: F7586000 Module End: F7595000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\klim5.sys Service Name: klim5 Module Base: F7596000 Module End: F75A0000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys Service Name: audstub Module Base: F7B62000 Module End: F7B63000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys Service Name: Rasl2tp Module Base: F75A6000 Module End: F75B3000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys Service Name: NdisTapi Module Base: F6D85000 Module End: F6D88000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys Service Name: NdisWan Module Base: F68FA000 Module End: F6911000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys Service Name: RasPppoe Module Base: F75B6000 Module End: F75C1000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys Service Name: PptpMiniport Module Base: F75C6000 Module End: F75D2000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys Service Name: PSched Module Base: F6849000 Module End: F685A000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys Service Name: Gpc Module Base: F75E6000 Module End: F75EF000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys Service Name: Ptilink Module Base: F7766000 Module End: F776B000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys Service Name: Raspti Module Base: F776E000 Module End: F7773000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys Service Name: rdpdr Module Base: F5B60000 Module End: F5B91000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys Service Name: TermDD Module Base: F75F6000 Module End: F7600000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys Service Name: swenum Module Base: F79F8000 Module End: F79FA000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\update.sys Service Name: Update Module Base: F5B2C000 Module End: F5B60000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys Service Name: mssmbios Module Base: F7956000 Module End: F795A000 Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS Service Name: NDProxy Module Base: F7616000 Module End: F7620000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys Service Name: usbhub Module Base: F7646000 Module End: F7655000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS Service Name: --- Module Base: F7A4E000 Module End: F7A50000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\flpydisk.sys Service Name: Flpydisk Module Base: F77BE000 Module End: F77C3000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\klif.sys Service Name: KLIF Module Base: ED63B000 Module End: ED689000 Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS Service Name: Fs_Rec Module Base: ED7B2000 Module End: ED7B4000 Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Null.SYS Service Name: Null Module Base: F7ACB000 Module End: F7ACC000 Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS Service Name: Beep Module Base: ED7B0000 Module End: ED7B2000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS Service Name: --- Module Base: F77D6000 Module End: F77DD000 Hidden: No
Module Name: C:\WINDOWS\System32\drivers\vga.sys Service Name: VgaSave Module Base: F77DE000 Module End: F77E4000 Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS Service Name: mnmdd Module Base: ED7AE000 Module End: ED7B0000 Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys Service Name: RDPCDD Module Base: ED7AC000 Module End: ED7AE000 Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS Service Name: Msfs Module Base: F77E6000 Module End: F77EB000 Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS Service Name: Npfs Module Base: F77EE000 Module End: F77F6000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys Service Name: RasAcd Module Base: ED744000 Module End: ED747000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys Service Name: IPSec Module Base: ED5AC000 Module End: ED5BF000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys Service Name: Tcpip Module Base: ED52E000 Module End: ED586000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys Service Name: NetBT Module Base: ED4CC000 Module End: ED4F4000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys Service Name: IpNat Module Base: ED47C000 Module End: ED49D000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys Service Name: Wanarp Module Base: F76A6000 Module End: F76AF000 Hidden: No
Module Name: C:\WINDOWS\System32\drivers\afd.sys Service Name: AFD Module Base: ED45A000 Module End: ED47C000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys Service Name: NetBIOS Module Base: F76B6000 Module End: F76BF000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys Service Name: Rdbss Module Base: ED42F000 Module End: ED45A000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys Service Name: MRxSmb Module Base: ED3C0000 Module End: ED42F000 Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS Service Name: Fips Module Base: F76C6000 Module End: F76CF000 Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS Service Name: Cdfs Module Base: F68DA000 Module End: F68EA000 Hidden: No
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys Service Name: --- Module Base: ED3A8000 Module End: ED3C0000 Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS Service Name: --- Module Base: ED7A0000 Module End: ED7A2000 Hidden: Yes
Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys Service Name: --- Module Base: ED6D4000 Module End: ED6D7000 Hidden: No
Module Name: C:\WINDOWS\System32\watchdog.sys Service Name: --- Module Base: F7846000 Module End: F784B000 Hidden: No
Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys Service Name: --- Module Base: F7B78000 Module End: F7B79000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys Service Name: fssfltr Module Base: F76E6000 Module End: F76F2000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys Service Name: Ndisuio Module Base: EDA90000 Module End: EDA94000 Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS Service Name: Fastfat Module Base: ED064000 Module End: ED088000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys Service Name: wdmaud Module Base: ED04F000 Module End: ED064000 Hidden: No
Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys Service Name: sysaudio Module Base: ED200000 Module End: ED20F000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys Service Name: MRxDAV Module Base: ECF82000 Module End: ECFAF000 Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS Service Name: ParVdm Module Base: F7A0C000 Module End: F7A0E000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys Service Name: Srv Module Base: ECEE0000 Module End: ECF32000 Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\secdrv.sys Service Name: Secdrv Module Base: ECD78000 Module End: ECDA0000 Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys Service Name: HTTP Module Base: ECA8D000 Module End: ECACE000 Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAdjustPrivilegesToken Address: ED65A36E Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwClose Address: ED65AA86 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwConnectPort Address: ED65B60C Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwCreateEvent Address: ED65BB40 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwCreateFile Address: ED65AD78 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwCreateKey Address: ED659460 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwCreateMutant Address: ED65BA18 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwCreateNamedPipeFile Address: ED658D0A Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwCreatePort Address: ED65B8D4 Driver Base:
ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwCreateSection Address: ED65A102 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwCreateSemaphore Address: ED65BC72 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwCreateSymbolicLinkObject Address: ED65D40E Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwCreateThread Address: ED65A886 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwCreateWaitablePort Address: ED65B976 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwDeleteKey Address: ED659A20 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwDeleteValueKey Address: ED659CF8 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwDeviceIoControlFile Address: ED65B21C Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwDuplicateObject Address: ED65D980 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwEnumerateKey Address: ED659E3A Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwEnumerateValueKey Address: ED659EE4 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwFsControlFile Address: ED65B016 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwLoadDriver Address: ED65CEA6 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwLoadKey Address: 
ED65943C Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwLoadKey2 Address: ED65944E Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwNotifyChangeKey Address: ED65A030 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwOpenEvent Address: ED65BBE2 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwOpenFile Address: ED65AB08 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwOpenKey Address: ED659604 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwOpenMutant Address: ED65BAB0 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwOpenProcess Address: ED65A56E Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwOpenSection Address: ED65D438 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwOpenSemaphore Address: ED65BD14 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwOpenThread Address: ED65A492 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwQueryKey Address: ED659F8E Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwQueryMultipleValueKey Address: ED659BB6 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwQueryValueKey Address: ED6598BC Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwQueueApcThread Address: ED65D128 Driver Base: 
ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwRenameKey Address: ED659B34 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwReplaceKey Address: ED6590C2 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwReplyPort Address: ED65C09E Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwReplyWaitReceivePort Address: ED65BF64 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwRequestWaitReplyPort Address: ED65CC30 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwRestoreKey Address: ED659224 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwResumeThread Address: ED65D860 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwSaveKey Address: ED658EC4 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwSecureConnectPort Address: ED65B312 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwSetContextThread Address: ED65A984 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwSetInformationToken Address: ED65C5F2 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwSetSecurityObject Address: ED65CFA0 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwSetSystemInformation Address: ED65D4C2 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwSetValueKey Address: 
ED659744 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwSuspendProcess Address: ED65D5A6 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwSuspendThread Address: ED65D6D2 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwSystemDebugControl Address: ED65CDD2 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwTerminateProcess Address: ED65A6EA Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwTerminateThread Address: ED65A63C Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys Function Name: ZwWriteVirtualMemory Address: ED65A7C8 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys ******************************************************************************** ********** ******************************************************************************** ********** No Kernel Hooks found ******************************************************************************** ********** ******************************************************************************** ********** No IRP Hooks found ******************************************************************************** ********** ******************************************************************************** ********** Ports: Local Address: TEST:1033 Remote Address: CDS10.LON9.MSECN.NET:HTTP Type: TCP Process: C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe State: CLOSE_WAIT Local Address: TEST:NETBIOS-SSN Remote Address: 0.0.0.0:0 Type: TCP Process: System State: LISTENING Local Address: TEST:5152 Remote Address: LOCALHOST:1346 Type: TCP Process: C:\Program Files\Java\jre6\bin\jqs.exe State: CLOSE_WAIT Local Address: 
TEST:5152 Remote Address: 0.0.0.0:0 Type: TCP Process: C:\Program Files\Java\jre6\bin\jqs.exe State: LISTENING Local Address: TEST:1110 Remote Address: LOCALHOST:1336 Type: TCP Process: [system Idle Process] State: TIME_WAIT Local Address: TEST:1110 Remote Address: LOCALHOST:1331 Type: TCP Process: [system Idle Process] State: TIME_WAIT Local Address: TEST:1110 Remote Address: LOCALHOST:1330 Type: TCP Process: [system Idle Process] State: TIME_WAIT Local Address: TEST:1110 Remote Address: LOCALHOST:1328 Type: TCP Process: [system Idle Process] State: TIME_WAIT Local Address: TEST:1110 Remote Address: LOCALHOST:1302 Type: TCP Process: [system Idle Process] State: TIME_WAIT Local Address: TEST:1054 Remote Address: LOCALHOST:1110 Type: TCP Process: C:\Program Files\Java\jre6\bin\jusched.exe State: CLOSE_WAIT Local Address: TEST:1035 Remote Address: 0.0.0.0:0 Type: TCP Process: C:\WINDOWS\system32\alg.exe State: LISTENING Local Address: TEST:19780 Remote Address: 0.0.0.0:0 Type: TCP Process: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe State: LISTENING Local Address: TEST:1110 Remote Address: 0.0.0.0:0 Type: TCP Process: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe State: LISTENING Local Address: TEST:MICROSOFT-DS Remote Address: 0.0.0.0:0 Type: TCP Process: System State: LISTENING Local Address: TEST:EPMAP Remote Address: 0.0.0.0:0 Type: TCP Process: C:\WINDOWS\system32\svchost.exe State: LISTENING Local Address: TEST:1900 Remote Address: NA Type: UDP Process: C:\WINDOWS\system32\svchost.exe State: NA Local Address: TEST:138 Remote Address: NA Type: UDP Process: System State: NA Local Address: TEST:NETBIOS-NS Remote Address: NA Type: UDP Process: System State: NA Local Address: TEST:123 Remote Address: NA Type: UDP Process: C:\WINDOWS\system32\svchost.exe State: NA Local Address: TEST:1900 Remote Address: NA Type: UDP Process: C:\WINDOWS\system32\svchost.exe State: NA Local Address: TEST:123 Remote Address: NA Type: UDP Process: 
C:\WINDOWS\system32\svchost.exe State: NA Local Address: TEST:4500 Remote Address: NA Type: UDP Process: C:\WINDOWS\system32\lsass.exe State: NA Local Address: TEST:1031 Remote Address: NA Type: UDP Process: C:\WINDOWS\system32\svchost.exe State: NA Local Address: TEST:500 Remote Address: NA Type: UDP Process: C:\WINDOWS\system32\lsass.exe State: NA Local Address: TEST:MICROSOFT-DS Remote Address: NA Type: UDP Process: System State: NA ******************************************************************************** ********** ******************************************************************************** ********** Hidden files/folders: Object: C:\System Volume Information\MountPointManagerRemoteDatabase Status: Access denied Object: C:\System Volume Information\tracking.log Status: Access denied Object: C:\System Volume Information\_restore{84584035-382A-4A86-BAB7-12FC15AFCE07} Status: Access denied SysProtLog.txt
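Reading a SysProt log like the one above by hand is error-prone: the SSDT section alone has 57 entries. The script below is an added example (it is not part of the original post and not SysProt's own code) that parses the three record types SysProt prints, one record per line, and applies the checks an analyst would actually run: group SSDT hooks by the driver that owns them and flag any hooker not on an allowlist (klif.sys is Kaspersky's filter driver, matching the Kaspersky install in the log), confirm each hook address really falls inside the image SysProt attributed it to, list modules marked Hidden: Yes while tolerating the dump_* crash-dump drivers by default, and separate outbound connections from local-only and listening sockets. The sample records are excerpted from the log above, except the ZwLoadDriver entry for a hypothetical unknown.sys, which is constructed to show what an unexpected hooker looks like; the dump_* allowlist is an analyst choice, not something the log states.

```python
"""Triage a SysProt log pasted flat (one record per line).

Added example, not part of the original forum post and not SysProt's code.
Field order in the regexes follows the log above. Sample records are
excerpted from that log; the unknown.sys hook is constructed (hypothetical).
"""
import ntpath
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS Service Name: Cdfs Module Base: F68DA000 Module End: F68EA000 Hidden: No
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys Service Name: --- Module Base: ED3A8000 Module End: ED3C0000 Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS Service Name: --- Module Base: ED7A0000 Module End: ED7A2000 Hidden: Yes
Function Name: ZwCreateFile Address: ED65AD78 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwOpenProcess Address: ED65A56E Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwWriteVirtualMemory Address: ED65A7C8 Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwTerminateProcess Address: ED65A6EA Driver Base: ED63B000 Driver End: ED689000 Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwLoadDriver Address: 8A6F1C20 Driver Base: 8A6F0000 Driver End: 8A6F8000 Driver Name: \??\C:\WINDOWS\system32\drivers\unknown.sys
Local Address: TEST:1033 Remote Address: CDS10.LON9.MSECN.NET:HTTP Type: TCP Process: C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe State: CLOSE_WAIT
Local Address: TEST:1110 Remote Address: LOCALHOST:1336 Type: TCP Process: [System Idle Process] State: TIME_WAIT
Local Address: TEST:19780 Remote Address: 0.0.0.0:0 Type: TCP Process: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe State: LISTENING
Local Address: TEST:MICROSOFT-DS Remote Address: 0.0.0.0:0 Type: TCP Process: System State: LISTENING
Local Address: TEST:123 Remote Address: NA Type: UDP Process: C:\WINDOWS\system32\svchost.exe State: NA
"""

MODULE_RE = re.compile(
    r"Module Name: (?P<name>.+?) Service Name: (?P<service>.+?) "
    r"Module Base: (?P<base>[0-9A-F]{8}) Module End: (?P<end>[0-9A-F]{8}) Hidden: (?P<hidden>Yes|No)")
HOOK_RE = re.compile(
    r"Function Name: (?P<function>Zw\w+) Address: (?P<addr>[0-9A-F]{8}) "
    r"Driver Base: (?P<base>[0-9A-F]{8}) Driver End: (?P<end>[0-9A-F]{8}) Driver Name: (?P<driver>\S+)")
PORT_RE = re.compile(
    r"Local Address: (?P<local>\S+) Remote Address: (?P<remote>\S+) Type: (?P<proto>TCP|UDP) "
    r"Process: (?P<process>.+?) State: (?P<state>\S+)")


def parse_ssdt_hooks(text):
    """One dict per SSDT entry; in_image is False if the handler lies outside the named driver image."""
    hooks = []
    for m in HOOK_RE.finditer(text):
        addr, base, end = (int(m.group(k), 16) for k in ("addr", "base", "end"))
        hooks.append({"function": m.group("function"),
                      "driver": ntpath.basename(m.group("driver")),
                      "in_image": base <= addr < end})
    return hooks


def hooks_by_driver(hooks):
    """Map driver file name -> sorted list of hooked Zw* functions."""
    by_driver = defaultdict(list)
    for h in hooks:
        by_driver[h["driver"]].append(h["function"])
    return {d: sorted(f) for d, f in by_driver.items()}


def unexpected_hookers(hooks, known=("klif.sys",)):
    """Drivers hooking the SSDT that are not on the analyst's allowlist (klif.sys = Kaspersky filter)."""
    known_lower = {k.lower() for k in known}
    return sorted({h["driver"] for h in hooks if h["driver"].lower() not in known_lower})


def hidden_modules(text, allow_prefixes=("dump_",)):
    """Modules marked Hidden: Yes, skipping name prefixes the analyst tolerates.
    Assumption: the dump_* crash-dump drivers are expected to show as hidden on XP."""
    prefixes = tuple(p.lower() for p in allow_prefixes)
    return [ntpath.basename(m.group("name")) for m in MODULE_RE.finditer(text)
            if m.group("hidden") == "Yes"
            and not ntpath.basename(m.group("name")).lower().startswith(prefixes)]


def external_connections(text):
    """Sockets whose remote end is a real host (not wildcard, NA, or LOCALHOST)."""
    out = []
    for m in PORT_RE.finditer(text):
        remote = m.group("remote")
        if remote in ("0.0.0.0:0", "NA") or remote.upper().startswith("LOCALHOST:"):
            continue
        out.append((m.group("local"), remote, ntpath.basename(m.group("process")), m.group("state")))
    return out


def listeners(text):
    """(local endpoint, process) for every TCP socket in LISTENING state."""
    return [(m.group("local"), ntpath.basename(m.group("process")))
            for m in PORT_RE.finditer(text) if m.group("state") == "LISTENING"]


if __name__ == "__main__":
    hooks = parse_ssdt_hooks(SAMPLE_LOG)
    print("hooks by driver:", hooks_by_driver(hooks))
    print("unexpected hookers:", unexpected_hookers(hooks))
    print("hidden modules (after allowlist):", hidden_modules(SAMPLE_LOG))
    print("external connections:", external_connections(SAMPLE_LOG))
    print("listeners:", listeners(SAMPLE_LOG))
```

On the full log every hook resolves to klif.sys and the only hidden modules are the two dump_* drivers, so the SSDT and module sections are consistent with an installed Kaspersky product rather than with a rootkit; the one outbound connection is SeaPort.exe to an MSECN host.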
  4. Tried using the technique to scan the computer but nothing happened. Ran the new ComboFix and here is the log file. thx dm

ComboFix 09-09-25.01 - Geovision 09/26/2009 1:15.7.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1016.675 [GMT 1:00]
Running from: c:\documents and settings\Geovision\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\comres.dll . . . is infected!!
c:\windows\system32\drivers\asyncmac.sys . . . is missing!!
.
((((((((((((((((((((((((( Files Created from 2009-08-26 to 2009-09-26 )))))))))))))))))))))))))))))))
.
2009-09-22 00:23 . 2009-09-22 00:23 0 ----a-w- c:\documents and settings\Geovision\settings.dat
2009-09-19 14:39 . 2006-01-06 20:57 1075200 ----a-w- c:\windows\system32\userinit.exe
2009-09-06 20:53 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-06 13:52 . 2009-09-06 13:52 -------- d-sh--w- c:\documents and settings\Geovision\IECompatCache
2009-09-06 13:44 . 2009-09-06 13:44 -------- d-sh--w- c:\documents and settings\Geovision\PrivacIE
2009-09-02 16:19 . 2009-09-02 16:19 -------- d-----w- c:\program files\Trend Micro
2009-08-31 10:44 . 2009-08-31 10:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-29 19:06 . 2009-08-29 19:06 -------- d-----w- c:\documents and settings\Geovision\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 19:05 . 2009-08-29 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 19:05 . 2009-08-29 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 16:26 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-06 20:46 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-23 07:21 . 2009-07-31 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-23 07:21 . 2009-07-31 01:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-23 07:21 . 2009-07-31 01:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-21 05:40 . 2009-04-14 21:05 -------- d-----w- c:\program files\Google
2009-07-31 01:22 . 2009-07-31 01:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-31 01:21 . 2009-07-31 01:21 -------- d-----w- c:\program files\AVG
2009-07-31 01:15 . 2009-07-29 03:49 -------- d-----w- c:\documents and settings\Geovision\Application Data\U3
2009-07-31 00:46 . 2009-07-31 00:39 1106 ----a-w- c:\windows\system32\info.dat
2009-07-23 11:57 . 2009-07-23 11:57 661352 ----a-w- C:\autoruns.exe
2009-07-23 11:57 . 2009-07-23 11:57 553832 ----a-w- C:\autorunsc.exe
2009-07-03 21:45 . 2008-12-26 11:36 66144 -c--a-w- c:\documents and settings\Geovision\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-25 01:59 . 2008-12-25 01:59 60516 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-25 01:59 . 2008-12-25 01:59 49246 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-25 01:59 . 2008-12-25 01:59 165990 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
------- Sigcheck -------
[-] 2006-01-06 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys
[-] 2006-01-09 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe
[-] 2006-01-06 20:57 . 742BFCF5861C2FD593EEC5D0C17588A5 . 1075200 . . [------] . . c:\windows\system32\userinit.exe
[-] 2006-01-06 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe
c:\windows\system32\drivers\asyncmac.sys ... is missing !!
c:\windows\system32\qmgr.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-23 2007832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-09-01 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-23 07:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R3 AGV;AGV;c:\windows\system32\drivers\AGV.sys [2006-12-04 189112]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
R3 GV800S;GV800S;c:\windows\system32\drivers\GV800S.sys [2007-03-29 82224]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-23 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-07-31 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-23 297752]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2008-12-08 55136]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Geovision\Application Data\Mozilla\Firefox\Profiles\oryvhb3o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-26 01:20
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3536)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-09-26 2:36
ComboFix-quarantined-files.txt 2009-09-26 01:36
ComboFix2.txt 2009-09-22 00:17
ComboFix3.txt 2009-09-19 15:40
ComboFix4.txt 2009-09-19 14:28
ComboFix5.txt 2009-09-26 00:14
Pre-Run: 2,529,951,744 bytes free
Post-Run: 2,506,010,624 bytes free
156
  5. Extremeboy, The contents from ComboFix should be posted online as it got uploaded automatically. Here is the ComboFix log file. The RootRepeal log file is after that. Let me know if you need anything else. thanks dm

ComboFix 09-09-20.04 - Geovision 09/22/2009 1:08.6.1 - NTFSx86
Running from: c:\documents and settings\Geovision\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Geovision\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\comres.dll . . . is infected!!
c:\windows\system32\drivers\asyncmac.sys . . . is missing!!
.
((((((((((((((((((((((((( Files Created from 2009-08-22 to 2009-09-22 )))))))))))))))))))))))))))))))
.
2009-09-19 14:39 . 2006-01-06 20:57 1075200 ----a-w- c:\windows\system32\userinit.exe
2009-09-06 20:53 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-06 13:52 . 2009-09-06 13:52 -------- d-sh--w- c:\documents and settings\Geovision\IECompatCache
2009-09-06 13:44 . 2009-09-06 13:44 -------- d-sh--w- c:\documents and settings\Geovision\PrivacIE
2009-09-02 16:19 . 2009-09-02 16:19 -------- d-----w- c:\program files\Trend Micro
2009-08-31 10:44 . 2009-08-31 10:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-29 19:06 . 2009-08-29 19:06 -------- d-----w- c:\documents and settings\Geovision\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 19:05 . 2009-08-29 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 19:05 . 2009-08-29 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 16:26 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-06 20:46 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-23 07:21 . 2009-07-31 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-23 07:21 . 2009-07-31 01:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-23 07:21 . 2009-07-31 01:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-21 05:40 . 2009-04-14 21:05 -------- d-----w- c:\program files\Google
2009-07-31 01:22 . 2009-07-31 01:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-31 01:21 . 2009-07-31 01:21 -------- d-----w- c:\program files\AVG
2009-07-31 01:15 . 2009-07-29 03:49 -------- d-----w- c:\documents and settings\Geovision\Application Data\U3
2009-07-31 00:46 . 2009-07-31 00:39 1106 ----a-w- c:\windows\system32\info.dat
2009-07-23 11:57 . 2009-07-23 11:57 661352 ----a-w- C:\autoruns.exe
2009-07-23 11:57 . 2009-07-23 11:57 553832 ----a-w- C:\autorunsc.exe
2009-07-03 21:45 . 2008-12-26 11:36 66144 -c--a-w- c:\documents and settings\Geovision\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-25 01:59 . 2008-12-25 01:59 60516 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-25 01:59 . 2008-12-25 01:59 49246 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-25 01:59 . 2008-12-25 01:59 165990 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
------- Sigcheck -------
[-] 2006-01-06 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys
[-] 2006-01-09 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe
[-] 2006-01-06 20:57 . 742BFCF5861C2FD593EEC5D0C17588A5 . 1075200 . . [------] . . c:\windows\system32\userinit.exe
[-] 2006-01-06 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe
c:\windows\system32\drivers\asyncmac.sys ... is missing !!
c:\windows\system32\qmgr.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-23 2007832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-09-01 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-23 07:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R3 AGV;AGV;c:\windows\system32\drivers\AGV.sys [2006-12-04 189112]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
R3 GV800S;GV800S;c:\windows\system32\drivers\GV800S.sys [2007-03-29 82224]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-23 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-07-31 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-23 297752]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2008-12-08 55136]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Geovision\Application Data\Mozilla\Firefox\Profiles\oryvhb3o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-22 01:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3700)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-09-22 1:16
ComboFix-quarantined-files.txt 2009-09-22 00:16
ComboFix2.txt 2009-09-19 15:40
ComboFix3.txt 2009-09-19 14:28
ComboFix4.txt 2009-09-15 21:21
ComboFix5.txt 2009-09-22 00:06
Pre-Run: 2,571,632,640 bytes free
Post-Run: 2,546,651,136 bytes free
155
Upload was successful

Here is the RootRepeal log file:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/22 06:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: ACPI.sys Image Path: ACPI.sys Address: 0xF7587000 Size: 187776 File Visible: - Signed: - Status: -
Name: ACPI_HAL Image Path: \Driver\ACPI_HAL Address: 0x804D7000 Size: 2187904 File Visible: - Signed: - Status: -
Name: afd.sys Image Path: C:\WINDOWS\System32\drivers\afd.sys Address: 0xEED5B000 Size: 138496 File Visible: - Signed: - Status: -
Name: ALCXWDM.SYS Image Path: C:\WINDOWS\system32\drivers\ALCXWDM.SYS Address: 0xF718B000 Size: 926816 File Visible: - Signed: - Status: -
Name: atapi.sys Image Path: atapi.sys Address: 0xF7519000 Size: 95616 File Visible: - Signed: - Status: -
Name: audstub.sys Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys Address: 0xF7BCF000 Size: 3072 File Visible: - Signed: - Status: -
Name: avgldx86.sys Image Path: C:\WINDOWS\System32\Drivers\avgldx86.sys Address: 0xEEC70000 Size: 328576 File Visible: - Signed: - Status: -
Name: avgmfx86.sys Image Path: C:\WINDOWS\System32\Drivers\avgmfx86.sys Address: 0xF7926000 Size: 21120 File Visible: - Signed: - Status: -
Name: avgtdix.sys Image Path: C:\WINDOWS\System32\Drivers\avgtdix.sys Address: 0xEEDC6000 Size: 101888 File Visible: - Signed: - Status: -
Name: Beep.SYS Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS Address: 0xF7AE6000 Size: 4224 File Visible: - Signed: - Status: -
Name: BOOTVID.dll Image Path: C:\WINDOWS\system32\BOOTVID.dll Address: 0xF79E6000 Size: 12288 File Visible: - Signed: - Status: -
Name: catchme.sys Image Path: C:\DOCUME~1\GEOVIS~1\LOCALS~1\Temp\catchme.sys Address: 0xF792E000 Size: 31744 File Visible: No Signed: - Status: -
Name: Cdfs.SYS Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS Address: 0xF7816000 Size: 63744 File Visible: - Signed: - Status: -
Name: cdrom.sys Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys Address: 0xF7686000 Size: 49536 File Visible: - Signed: - Status: -
Name: CLASSPNP.SYS Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS Address: 0xF7616000 Size: 53248 File Visible: - Signed: - Status: -
Name: disk.sys Image Path: disk.sys Address: 0xF7606000 Size: 36352 File Visible: - Signed: - Status: -
Name: dmio.sys Image Path: dmio.sys Address: 0xF7531000 Size: 153344 File Visible: - Signed: - Status: -
Name: dmload.sys Image Path: dmload.sys Address: 0xF7ADA000 Size: 5888 File Visible: - Signed: - Status: -
Name: drmk.sys Image Path: C:\WINDOWS\system32\drivers\drmk.sys Address: 0xF76A6000 Size: 61440 File Visible: - Signed: - Status: -
Name: dump_atapi.sys Image
Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys Address: 0xEEC58000 Size: 98304 File Visible: No Signed: - Status: - Name: dump_WMILIB.SYS Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS Address: 0xF7B04000 Size: 8192 File Visible: No Signed: - Status: - Name: Dxapi.sys Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys Address: 0xEEE82000 Size: 12288 File Visible: - Signed: - Status: - Name: dxg.sys Image Path: C:\WINDOWS\System32\drivers\dxg.sys Address: 0xBF9C2000 Size: 73728 File Visible: - Signed: - Status: - Name: dxgthk.sys Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys Address: 0xF7CC0000 Size: 4096 File Visible: - Signed: - Status: - Name: Fastfat.SYS Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS Address: 0xEE3A8000 Size: 143616 File Visible: - Signed: - Status: - Name: fdc.sys Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys Address: 0xF78AE000 Size: 27392 File Visible: - Signed: - Status: - Name: Fips.SYS Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS Address: 0xF7786000 Size: 34944 File Visible: - Signed: - Status: - Name: flpydisk.sys Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys Address: 0xF78E6000 Size: 20480 File Visible: - Signed: - Status: - Name: fltMgr.sys Image Path: fltMgr.sys Address: 0xF74FA000 Size: 124800 File Visible: - Signed: - Status: - Name: Fs_Rec.SYS Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS Address: 0xF7AE4000 Size: 7936 File Visible: - Signed: - Status: - Name: fssfltr_tdi.sys Image Path: C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys Address: 0xF7806000 Size: 48128 File Visible: - Signed: - Status: - Name: ftdisk.sys Image Path: ftdisk.sys Address: 0xF7557000 Size: 125056 File Visible: - Signed: - Status: - Name: gameenum.sys Image Path: C:\WINDOWS\system32\DRIVERS\gameenum.sys Address: 0xF7A6A000 Size: 10624 File Visible: - Signed: - Status: - Name: hal.dll Image Path: C:\WINDOWS\system32\hal.dll Address: 0x806EE000 Size: 131712 File Visible: - Signed: - Status: - Name: HIDPARSE.SYS Image Path: 
C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS Address: 0xF78F6000 Size: 28672 File Visible: - Signed: - Status: - Name: HTTP.sys Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys Address: 0xEE2ED000 Size: 262272 File Visible: - Signed: - Status: - Name: i8042prt.sys Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys Address: 0xF7666000 Size: 52736 File Visible: - Signed: - Status: - Name: ialmdd5.DLL Image Path: C:\WINDOWS\System32\ialmdd5.DLL Address: 0xBFA2D000 Size: 905216 File Visible: - Signed: - Status: - Name: ialmdev5.DLL Image Path: C:\WINDOWS\System32\ialmdev5.DLL Address: 0xBFA01000 Size: 180224 File Visible: - Signed: - Status: - Name: ialmdnt5.dll Image Path: C:\WINDOWS\System32\ialmdnt5.dll Address: 0xBF9E2000 Size: 126976 File Visible: - Signed: - Status: - Name: ialmnt5.sys Image Path: C:\WINDOWS\system32\DRIVERS\ialmnt5.sys Address: 0xF72F0000 Size: 804256 File Visible: - Signed: - Status: - Name: ialmrnt5.dll Image Path: C:\WINDOWS\System32\ialmrnt5.dll Address: 0xBF9D4000 Size: 57344 File Visible: - Signed: - Status: - Name: imapi.sys Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys Address: 0xF7676000 Size: 41984 File Visible: - Signed: - Status: - Name: intelppm.sys Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys Address: 0xF7646000 Size: 36096 File Visible: - Signed: - Status: - Name: ipnat.sys Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys Address: 0xEEDA5000 Size: 134912 File Visible: - Signed: - Status: - Name: ipsec.sys Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys Address: 0xEEE37000 Size: 74752 File Visible: - Signed: - Status: - Name: isapnp.sys Image Path: isapnp.sys Address: 0xF75D6000 Size: 35840 File Visible: - Signed: - Status: - Name: kbdclass.sys Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys Address: 0xF78B6000 Size: 24576 File Visible: - Signed: - Status: - Name: KDCOM.DLL Image Path: C:\WINDOWS\system32\KDCOM.DLL Address: 0xF7AD6000 Size: 8192 File Visible: - Signed: - Status: - Name: ks.sys Image Path: 
C:\WINDOWS\system32\DRIVERS\ks.sys Address: 0xF726E000 Size: 143360 File Visible: - Signed: - Status: - Name: KSecDD.sys Image Path: KSecDD.sys Address: 0xF74D1000 Size: 92032 File Visible: - Signed: - Status: - Name: mnmdd.SYS Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS Address: 0xF7AE8000 Size: 4224 File Visible: - Signed: - Status: - Name: mouclass.sys Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys Address: 0xF78BE000 Size: 23040 File Visible: - Signed: - Status: - Name: MountMgr.sys Image Path: MountMgr.sys Address: 0xF75E6000 Size: 42240 File Visible: - Signed: - Status: - Name: mrxdav.sys Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys Address: 0xEE933000 Size: 181248 File Visible: - Signed: - Status: - Name: mrxsmb.sys Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys Address: 0xEECC1000 Size: 452864 File Visible: - Signed: - Status: - Name: Msfs.SYS Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS Address: 0xF7906000 Size: 19072 File Visible: - Signed: - Status: - Name: msgpc.sys Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys Address: 0xF76E6000 Size: 35072 File Visible: - Signed: - Status: - Name: mssmbios.sys Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys Address: 0xF7A8E000 Size: 15488 File Visible: - Signed: - Status: - Name: Mup.sys Image Path: Mup.sys Address: 0xF73FD000 Size: 105088 File Visible: - Signed: - Status: - Name: NDIS.sys Image Path: NDIS.sys Address: 0xF7417000 Size: 182912 File Visible: - Signed: - Status: - Name: ndistapi.sys Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys Address: 0xF7A72000 Size: 9600 File Visible: - Signed: - Status: - Name: ndisuio.sys Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys Address: 0xEEBA4000 Size: 14592 File Visible: - Signed: - Status: - Name: ndiswan.sys Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys Address: 0xF713F000 Size: 91776 File Visible: - Signed: - Status: - Name: NDProxy.SYS Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS Address: 0xF7716000 Size: 
38016 File Visible: - Signed: - Status: - Name: netbios.sys Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys Address: 0xF7776000 Size: 34560 File Visible: - Signed: - Status: - Name: netbt.sys Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys Address: 0xEED7D000 Size: 162816 File Visible: - Signed: - Status: - Name: Npfs.SYS Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS Address: 0xF790E000 Size: 30848 File Visible: - Signed: - Status: - Name: Ntfs.sys Image Path: Ntfs.sys Address: 0xF7444000 Size: 574592 File Visible: - Signed: - Status: - Name: ntoskrnl.exe Image Path: C:\WINDOWS\system32\ntoskrnl.exe Address: 0x804D7000 Size: 2187904 File Visible: - Signed: - Status: - Name: Null.SYS Image Path: C:\WINDOWS\System32\Drivers\Null.SYS Address: 0xF7C29000 Size: 2944 File Visible: - Signed: - Status: - Name: parport.sys Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys Address: 0xF7291000 Size: 80128 File Visible: - Signed: - Status: - Name: PartMgr.sys Image Path: PartMgr.sys Address: 0xF785E000 Size: 18688 File Visible: - Signed: - Status: - Name: ParVdm.SYS Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS Address: 0xF7B3E000 Size: 6784 File Visible: - Signed: - Status: - Name: pci.sys Image Path: pci.sys Address: 0xF7576000 Size: 68224 File Visible: - Signed: - Status: - Name: pciide.sys Image Path: pciide.sys Address: 0xF7B9E000 Size: 3328 File Visible: - Signed: - Status: - Name: PCIIDEX.SYS Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS Address: 0xF7856000 Size: 28672 File Visible: - Signed: - Status: - Name: PnpManager Image Path: \Driver\PnpManager Address: 0x804D7000 Size: 2187904 File Visible: - Signed: - Status: - Name: portcls.sys Image Path: C:\WINDOWS\system32\drivers\portcls.sys Address: 0xF7167000 Size: 147456 File Visible: - Signed: - Status: - Name: PROCEXP90.SYS Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS Address: 0xF7B58000 Size: 6464 File Visible: No Signed: - Status: - Name: psched.sys Image Path: 
C:\WINDOWS\system32\DRIVERS\psched.sys Address: 0xF712E000 Size: 69120 File Visible: - Signed: - Status: - Name: ptilink.sys Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys Address: 0xF78D6000 Size: 17792 File Visible: - Signed: - Status: - Name: rasacd.sys Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys Address: 0xF6FA8000 Size: 8832 File Visible: - Signed: - Status: - Name: rasl2tp.sys Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys Address: 0xF76B6000 Size: 51328 File Visible: - Signed: - Status: - Name: raspppoe.sys Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys Address: 0xF76C6000 Size: 41472 File Visible: - Signed: - Status: - Name: raspptp.sys Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys Address: 0xF76D6000 Size: 48384 File Visible: - Signed: - Status: - Name: raspti.sys Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys Address: 0xF78DE000 Size: 16512 File Visible: - Signed: - Status: - Name: RAW Image Path: \FileSystem\RAW Address: 0x804D7000 Size: 2187904 File Visible: - Signed: - Status: - Name: rdbss.sys Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys Address: 0xEED30000 Size: 174592 File Visible: - Signed: - Status: - Name: RDPCDD.sys Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys Address: 0xF7AEA000 Size: 4224 File Visible: - Signed: - Status: - Name: rdpdr.sys Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys Address: 0xF70FD000 Size: 196864 File Visible: - Signed: - Status: - Name: redbook.sys Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys Address: 0xF7696000 Size: 57472 File Visible: - Signed: - Status: - Name: rootrepeal.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys Address: 0xEE7E1000 Size: 49152 File Visible: No Signed: - Status: - Name: Rtnicxp.sys Image Path: C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys Address: 0xF72A5000 Size: 78720 File Visible: - Signed: - Status: - Name: secdrv.sys Image Path: C:\WINDOWS\system32\DRIVERS\secdrv.sys Address: 0xEE729000 Size: 163584 File Visible: - Signed: - 
Status: - Name: serenum.sys Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys Address: 0xF7A66000 Size: 15488 File Visible: - Signed: - Status: - Name: serial.sys Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys Address: 0xF7656000 Size: 64896 File Visible: - Signed: - Status: - Name: sr.sys Image Path: sr.sys Address: 0xF74E8000 Size: 73472 File Visible: - Signed: - Status: - Name: srv.sys Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys Address: 0xEE891000 Size: 332544 File Visible: - Signed: - Status: - Name: swenum.sys Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys Address: 0xF7AE0000 Size: 4352 File Visible: - Signed: - Status: - Name: sysaudio.sys Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys Address: 0xF77D6000 Size: 60800 File Visible: - Signed: - Status: - Name: tcpip.sys Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys Address: 0xEEDDF000 Size: 360448 File Visible: - Signed: - Status: - Name: TDI.SYS Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS Address: 0xF78C6000 Size: 20480 File Visible: - Signed: - Status: - Name: termdd.sys Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys Address: 0xF7706000 Size: 40704 File Visible: - Signed: - Status: - Name: update.sys Image Path: C:\WINDOWS\system32\DRIVERS\update.sys Address: 0xF70A1000 Size: 209280 File Visible: - Signed: - Status: - Name: USBD.SYS Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS Address: 0xF7AE2000 Size: 8192 File Visible: - Signed: - Status: - Name: usbehci.sys Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys Address: 0xF78A6000 Size: 27008 File Visible: - Signed: - Status: - Name: usbhub.sys Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys Address: 0xF7746000 Size: 57856 File Visible: - Signed: - Status: - Name: USBPORT.SYS Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS Address: 0xF72B9000 Size: 143360 File Visible: - Signed: - Status: - Name: usbuhci.sys Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys Address: 0xF789E000 Size: 20480 File Visible: - Signed: - 
Status: - Name: vga.sys Image Path: C:\WINDOWS\System32\drivers\vga.sys Address: 0xF78FE000 Size: 20992 File Visible: - Signed: - Status: - Name: VIDEOPRT.SYS Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS Address: 0xF72DC000 Size: 81920 File Visible: - Signed: - Status: - Name: VolSnap.sys Image Path: VolSnap.sys Address: 0xF75F6000 Size: 52352 File Visible: - Signed: - Status: - Name: wanarp.sys Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys Address: 0xF7766000 Size: 34560 File Visible: - Signed: - Status: - Name: watchdog.sys Image Path: C:\WINDOWS\System32\watchdog.sys Address: 0xF7946000 Size: 20480 File Visible: - Signed: - Status: - Name: wdmaud.sys Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys Address: 0xEE624000 Size: 82944 File Visible: - Signed: - Status: - Name: Win32k Image Path: \Driver\Win32k Address: 0xBF800000 Size: 1843200 File Visible: - Signed: - Status: - Name: win32k.sys Image Path: C:\WINDOWS\System32\win32k.sys Address: 0xBF800000 Size: 1843200 File Visible: - Signed: - Status: - Name: WMILIB.SYS Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS Address: 0xF7AD8000 Size: 8192 File Visible: - Signed: - Status: - Name: WMIxWDM Image Path: \Driver\WMIxWDM Address: 0x804D7000 Size: 2187904 File Visible: - Signed: - Status: -
  6. You are correct, I was not allowed to upload any of those files. Here are the results from ComboFix after changing the userinit.exe file to userinit.exe.bat. thx dm
  7. Extremeboy, I could not find the comres.dll file in the c:\windows\system32\ folder. Thanks DM
  8. I do have the Windows XP Professional SP2 disk. Will also scan the comres.dll file tonight. Thanks DM
  9. Tried running the upload.bat, but it again did not generate any zip file. Ran the other things that you requested and have attached the results of the online scan as well as the dds.txt and attach.txt. Please let me know if I missed anything. Seems like the userinit.exe is the culprit. Thanks DM Results_explore_exe.txt results_ntokrnl_exe.txt results_tcpip_sys.txt resultsuserinit_exe.txt DDS.txt Attach.txt
  10. There you go. Thx dm
components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html uSearchURL,(Default) = hxxp://www.google.com/keyword/%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Geovision\Application Data\Mozilla\Firefox\Profiles\oryvhb3o.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - 
pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties"); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-09-15 22:17 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(2272) c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . Completion time: 2009-09-15 22:21 ComboFix-quarantined-files.txt 2009-09-15 21:21 ComboFix2.txt 2009-09-08 16:57 Pre-Run: 2,645,417,984 bytes free Post-Run: 2,623,598,592 bytes free 156
  11. Here is the log file for GMER. Couldn't run zip.bat. Thanks, dm

GMER 1.0.15.15077 [wpoxrsiq.exe] - http://www.gmer.net
Rootkit scan 2009-09-14 07:27:01
Windows 5.1.2600 Service Pack 2

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Attachment: SystemLook.zip
  12. The zip.bat file is not generating any zip file. Not sure why. Any idea?
  13. Thanks Extremeboy, I'll run these and post the information as directed tonight. Please do not get me wrong, I have no intention of reformatting it after going through these steps. I only threw out that option not knowing whether this would work. Thanks for the continued support. Regards, dm
  14. Extremeboy, I'll try to use your help in getting the viruses out, and if that doesn't work then I'll reformat it. And I appreciate your patience. Here is the ComboFix file. I have posted the zip file using the info you provided. I have also attached the Malwarebytes log file and SystemLook log file. Please let me know if I missed anything. Thanks, dm

ComboFix 09-09-09.04 - Geovision 09/09/2009 21:25.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1016.613 [GMT 1:00]
Running from: c:\documents and settings\Geovision\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Geovision\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
file zipped: c:\windows\BUBJDXQUGSPAB.dll
file zipped: c:\windows\TUIKNKMV.dll
file zipped: c:\windows\VOEMAQZCTCLF.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\273LIR
c:\program files\4DXJGE43B1O2
c:\program files\awdnjfsk
c:\program files\bftrruzlyibxxk
c:\program files\byrinwwuvlcnloe
c:\program files\jtpwnpuqnkr
c:\program files\jwtpcqkoxymeir
c:\program files\jxtsibzbmrtjzeo
c:\program files\lewtfsevdhz
c:\program files\nnxxkutfvrltyt
c:\program files\oopyrxlgnb
c:\program files\pvldytpnxyuv
c:\program files\qgpecipqynjo
c:\program files\qivjdqaeppeknv
c:\program files\R0974Q3IE
c:\program files\sbcdvlmmy
c:\program files\sbinnjeyevse
c:\program files\tbxnlphnqljx
c:\program files\uhkjyhzmxgtl
c:\program files\vlyyontpvnkho
c:\program files\vnwnxfcza
c:\program files\vqievceso
c:\program files\vxjovzxwqcxqgw
c:\program files\wkdxkkcw
c:\program files\WMUGAXR
c:\program files\xczafrbzth
c:\program files\xeowhdzltjh
c:\program files\xgzqugwmrstoxl
c:\program files\XIKWTHRW0S
c:\program files\xnsjkdiacqsb
c:\program files\zdvqqnbivm
c:\program files\zqsghlco
c:\windows\BUBJDXQUGSPAB.dll
c:\windows\Downloaded Program Files\UYTBcaztxe23mezkgq.cur
c:\windows\SWEPVWJ17OXH.EXE
c:\windows\TUIKNKMV.dll
c:\windows\UDXVHFM16.EXE
c:\windows\VOEMAQZCTCLF.dll
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\comres.dll . . . is infected!!
c:\windows\system32\drivers\asyncmac.sys . . . is missing!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_BNETROIGHV
-------\Legacy_CAZXE
-------\Legacy_DASNO
-------\Legacy_DBSNO
-------\Legacy_DDSNO
-------\Legacy_DESNO
-------\Legacy_DFSNO
-------\Legacy_DGSNO
-------\Legacy_DKJNO
-------\Legacy_DOJNO
-------\Legacy_DSJNO
-------\Legacy_DTENO
-------\Legacy_DTJEALQPIJXFZJ
-------\Legacy_GERBASSMN
-------\Legacy_H3KJ16M
-------\Legacy_HKYOULBZKASGLLW
-------\Legacy_JMOTUQYW
-------\Legacy_JTESM
-------\Legacy_JZCHQIGCZUPKMO
-------\Legacy_NBJYAQOLMAMR
-------\Legacy_NCKHNMFSH
-------\Legacy_PCIEDUMP
-------\Legacy_PVCOFBBDCPIAWRE
-------\Legacy_PXJUZIMZC
-------\Legacy_QTENO
-------\Legacy_RISUUZIJHGUSCJNSFE
-------\Legacy_RLQYNXWWAJY
-------\Legacy_SEJNO
-------\Legacy_SKSNO
-------\Legacy_SPQOYDYGCCNS
-------\Legacy_SSSNO
-------\Legacy_STENO
-------\Legacy_TTENO
-------\Legacy_UEWZZRJRC
-------\Legacy_UKAQJMBMFGJ
-------\Legacy_UUCRIMQLGQCYX
-------\Legacy_VALJSXFK
-------\Legacy_WQTESM
-------\Legacy_WRMKJJNTGJPCI
-------\Legacy_YASNP
-------\Legacy_ZXFRLDOILNL
-------\Service_bnetroighv
-------\Service_CAZXE
-------\Service_dasno
-------\Service_dbsno
-------\Service_ddsno
-------\Service_desno
-------\Service_dfsno
-------\Service_dgsno
-------\Service_dkjno
-------\Service_dojno
-------\Service_dsjno
-------\Service_dteno
-------\Service_dtjealqpijxfzj
-------\Service_gerbassmn
-------\Service_H3KJ16M
-------\Service_hkyoulbzkasgllw
-------\Service_jmotuqyw
-------\Service_jtesm
-------\Service_jzchqigczupkmo
-------\Service_nbjyaqolmamr
-------\Service_nckhnmfsh
-------\Service_PCIEDump
-------\Service_pvcofbbdcpiawre
-------\Service_pxjuzimzc
-------\Service_qteno
-------\Service_Risuuzijhguscjnsfe
-------\Service_rlqynxwwajy
-------\Service_sejno
-------\Service_sksno
-------\Service_spqoydygccns
-------\Service_sssno
-------\Service_steno
-------\Service_tteno
-------\Service_uewzzrjrc
-------\Service_ukaqjmbmfgj
-------\Service_uucrimqlgqcyx
-------\Service_valjsxfk
-------\Service_wqtesm
-------\Service_wrmkjjntgjpci
-------\Service_yasnp
-------\Service_zxfrldoilnl
((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))
.
2009-09-06 20:53 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-06 13:52 . 2009-09-06 13:52 -------- d-sh--w- c:\documents and settings\Geovision\IECompatCache
2009-09-06 13:44 . 2009-09-06 13:44 -------- d-sh--w- c:\documents and settings\Geovision\PrivacIE
2009-09-02 16:19 . 2009-09-02 16:19 -------- d-----w- c:\program files\Trend Micro
2009-08-31 10:44 . 2009-08-31 10:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-29 19:06 . 2009-08-29 19:06 -------- d-----w- c:\documents and settings\Geovision\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 19:05 . 2009-08-29 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 19:05 . 2009-08-29 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-21 05:36 . 2009-08-21 05:36 -------- dc-h--w- c:\windows\ie8
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 16:26 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-06 20:46 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-23 07:21 . 2009-07-31 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-23 07:21 . 2009-07-31 01:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-23 07:21 . 2009-07-31 01:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-21 05:40 . 2009-04-14 21:05 -------- d-----w- c:\program files\Google
2009-07-31 01:22 . 2009-07-31 01:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-31 01:21 . 2009-07-31 01:21 -------- d-----w- c:\program files\AVG
2009-07-31 01:15 . 2009-07-29 03:49 -------- d-----w- c:\documents and settings\Geovision\Application Data\U3
2009-07-31 00:46 . 2009-07-31 00:39 1106 ----a-w- c:\windows\system32\info.dat
2009-07-23 11:57 . 2009-07-23 11:57 661352 ----a-w- C:\autoruns.exe
2009-07-23 11:57 . 2009-07-23 11:57 553832 ----a-w- C:\autorunsc.exe
2009-07-18 23:16 . 2009-07-18 23:16 -------- d-----w- c:\program files\Common Files\Thunder Network
2009-07-18 23:15 . 2009-07-18 23:15 -------- d-----w- c:\program files\Common Files\Java
2009-07-18 23:14 . 2009-07-18 23:14 -------- d-----w- c:\program files\Intel
2009-07-18 23:06 . 2009-07-18 23:06 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-07-18 23:06 . 2009-07-18 23:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2009-07-03 21:45 . 2008-12-26 11:36 66144 -c--a-w- c:\documents and settings\Geovision\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-25 01:59 . 2008-12-25 01:59 60516 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-25 01:59 . 2008-12-25 01:59 49246 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-25 01:59 . 2008-12-25 01:59 165990 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------
[-] 2006-01-06 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys
[-] 2006-01-09 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe
[-] 2004-09-01 . 1C08FD2DA2E9D11916BB07982ADB69D1 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe
[-] 2006-01-06 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe
c:\windows\system32\drivers\asyncmac.sys ... is missing !!
c:\windows\system32\qmgr.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-23 2007832]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-09-01 44544]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-23 07:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675
R3 AGV;AGV;c:\windows\system32\drivers\AGV.sys [2006-12-04 189112]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
R3 GV800S;GV800S;c:\windows\system32\drivers\GV800S.sys [2007-03-29 82224]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-23 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-07-31 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-23 297752]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2008-12-08 55136]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Geovision\Application Data\Mozilla\Firefox\Profiles\oryvhb3o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-09 21:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3596)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
.
**************************************************************************
.
Completion time: 2009-09-09 21:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-09 20:37
ComboFix2.txt 2009-09-08 16:57
Pre-Run: 2,674,049,024 bytes free
Post-Run: 2,654,560,256 bytes free
293

Attachments: SystemLook.txt, mbam_log_2009_09_10__11_23_25_.txt
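The ComboFix logs in posts 10 and 14 (and the earlier run that follows) keep showing the same handful of indicators: system files ComboFix reports as infected or missing, Sigcheck entries marked `[-]`, a Winlogon `Userinit` value pointing at `c:\windows\explorer.exe,` instead of the stock `C:\WINDOWS\system32\userinit.exe,`, Browser Helper Objects whose DLL sits directly in `c:\windows`, and dozens of randomly named Program Files directories, services and files. The script below is an added example, not part of this thread and not ComboFix's own logic: it pulls those indicators out of a ComboFix log so a helper can triage a pasted log in seconds instead of reading hundreds of lines. The sample input is an excerpt constructed from the logs above; the expected `Userinit` value is assumed to be the Windows XP default, and the "random name" test is a heuristic that will misfire on some legitimate names (it trips on `NWCWORKSTATION`, for instance), so treat its output as a reading aid, not a verdict.

```python
"""Triage heuristics for a ComboFix log (added example, not ComboFix's own
logic). Flags the indicator types that recur in this thread's logs: files
ComboFix reports infected/missing, Sigcheck [-] entries, a non-default
Winlogon Userinit value, BHO DLLs dropped straight into %windir%, and
randomly named files, services and Program Files directories."""
import ntpath
import re

# Constructed excerpt, assembled from the ComboFix output posted in this thread.
SAMPLE_LOG = r"""
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\drivers\asyncmac.sys . . . is missing!!
file zipped: c:\windows\BUBJDXQUGSPAB.dll
c:\program files\273LIR
c:\windows\SWEPVWJ17OXH.EXE
-------\Legacy_DTJEALQPIJXFZJ
2009-08-09 00:22 . 2009-08-01 16:00 -------- d-----w- c:\program files\xnsjkdiacqsb
2009-08-21 05:40 . 2009-04-14 21:05 -------- d-----w- c:\program files\Google
------- Sigcheck -------
[-] 2004-09-01 . 1C08FD2DA2E9D11916BB07982ADB69D1 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe
c:\windows\system32\qmgr.dll ... is missing !!
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21910D9A-058E-95F2-642F-95A6E221C648}]
2009-07-20 21:08 28672 ----a-w- c:\windows\TUIKNKMV.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
"""

# Assumed stock Windows XP value; the trailing comma is part of it.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"

FLAGGED_RE = re.compile(r"^([a-z]:\\\S.*?)\s+(?:\. \. \.|\.\.\.)\s+is\s+(infected|missing)\s*!!$", re.I)
KEY_RE = re.compile(r"^\[(.+)\]$")
USERINIT_RE = re.compile(r'^"Userinit"="(.*)"$', re.I)
DLL_RE = re.compile(r"([a-z]:\\[^\r\n]+?\.dll)\s*$", re.I)
WINDIR_FILE_RE = re.compile(r"([a-z]:\\windows\\[^\\\r\n]+?\.(?:dll|exe))\s*$", re.I)
PROGDIR_RE = re.compile(r"([a-z]:\\program files\\([^\\\r\n]+?))\s*$", re.I)
SERVICE_RE = re.compile(r"^-------\\(?:Legacy|Service)_(\S+)$", re.I)
VOWELS = set("aeiouAEIOU")


def looks_generated(name):
    """Heuristic for machine-generated names ('xnsjkdiacqsb', '4DXJGE43B1O2').
    Short names and names with spaces or punctuation are never flagged; all-caps
    names mixing letters and digits, or names with few vowels, are. Expect some
    false positives (NWCWORKSTATION trips it, for example)."""
    if len(name) < 7 or not name.isalnum():
        return False
    letters = [c for c in name if c.isalpha()]
    if not letters:
        return False
    if any(c.isdigit() for c in name) and all(c.isupper() for c in letters):
        return True
    return sum(c in VOWELS for c in letters) / len(letters) <= 0.3


def stem(path):
    return ntpath.splitext(ntpath.basename(path))[0]


def parse_combofix(text):
    f = {"flagged": [], "sigcheck": [], "userinit": None, "suspicious_bhos": [],
         "windir_drops": [], "generated_dirs": [], "generated_services": []}
    key = ""  # registry key whose values are currently being listed
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[-]"):  # Sigcheck entry that failed ComboFix's check
            f["sigcheck"].append(line.rsplit(" . . ", 1)[-1].lower())
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = FLAGGED_RE.match(line)
        if m:
            f["flagged"].append((m.group(1).lower(), m.group(2).lower()))
            continue
        if key.endswith("\\winlogon") and USERINIT_RE.match(line):
            value = USERINIT_RE.match(line).group(1)
            f["userinit"] = (value, value.lower() == EXPECTED_USERINIT)
            continue
        if "browser helper objects" in key and DLL_RE.search(line):
            dll = DLL_RE.search(line).group(1)
            # A BHO living directly in %windir%, or with a random name, deserves a look
            if ntpath.dirname(dll).lower() == r"c:\windows" or looks_generated(stem(dll)):
                f["suspicious_bhos"].append(dll)
            continue
        m = SERVICE_RE.match(line)
        if m and looks_generated(m.group(1)):
            f["generated_services"].append(m.group(1))
            continue
        m = WINDIR_FILE_RE.search(line)
        if m and looks_generated(stem(m.group(1))) and m.group(1) not in f["windir_drops"]:
            f["windir_drops"].append(m.group(1))
            continue
        m = PROGDIR_RE.search(line)
        if m and looks_generated(m.group(2)) and m.group(1).lower() not in f["generated_dirs"]:
            f["generated_dirs"].append(m.group(1).lower())
    return f


def summarize(f):
    """One line per finding, for a quick read before deciding on a cleanup script."""
    lines = [f"{p}: {s}" for p, s in f["flagged"]]
    lines += [f"sigcheck failed: {p}" for p in f["sigcheck"]]
    if f["userinit"] and not f["userinit"][1]:
        lines.append(f"Winlogon Userinit hijacked: {f['userinit'][0]!r}")
    for label in ("suspicious_bhos", "windir_drops", "generated_dirs", "generated_services"):
        lines += [f"{label}: {x}" for x in f[label]]
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_combofix(SAMPLE_LOG))))
```

Run it against a full pasted log by replacing `SAMPLE_LOG` with the file contents. The `Userinit` check is the one to read first: ComboFix only prints non-default Winlogon values, so the line appearing at all already means the logon chain has been redirected, and a patched `userinit.exe` plus a `[-]` Sigcheck result on the same file is consistent with that.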
  15. There you go, Extremeboy. I have attached it as well. Thanks, dm

ComboFix 09-09-08.02 - Geovision 09/08/2009 17:41.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1016.654 [GMT 1:00]
Running from: c:\documents and settings\Geovision\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\desktop.ini
C:\RECYC.exe
c:\windows\AppPatch\AcXtrnel.dll
c:\windows\Downloaded Program Files\2yhusbzAYuevSnXtW.Ttf
c:\windows\Downloaded Program Files\CgMnxhFV2Qa68TsVz.Ttf
c:\windows\Downloaded Program Files\JjedvMTDtPyqp9ZTrgw.Ttf
c:\windows\Downloaded Program Files\NFesCyNNswv2Crfru.Ttf
c:\windows\Downloaded Program Files\u9A2PqtvjkJkzBcJxZbPc.Ttf
c:\windows\Downloaded Program Files\uMub3WCE6aZ3nFgrYRX.Ttf
c:\windows\Downloaded Program Files\xW6JeYmCY9e3yf5KD.Ttf
c:\windows\Downloaded Program Files\ZK26EzBfBUG8P9s8d.Ttf
c:\windows\Fonts\2knxWtVjbWXmUdGG.Ttf
c:\windows\Fonts\6e6EUdxVeWUYJynN.Ttf
c:\windows\Fonts\AjrMtd1HXvFm.Ttf
c:\windows\Fonts\AP2aBkXfCnZZwkTu.Ttf
c:\windows\Fonts\avJ9SdDwMd9Qzt.Ttf
c:\windows\Fonts\CcKKcpwJmND4.Ttf
c:\windows\Fonts\cD9KArZZUHxCqnyM.Ttf
c:\windows\Fonts\cFDPmh3MDPjcHMPd.Ttf
c:\windows\Fonts\CRp3uYCmcxMp3qQn9.Ttf
c:\windows\Fonts\CSzZ3gVtf.Ttf
c:\windows\Fonts\du3Q2JXbHYGxcSAe.Ttf
c:\windows\Fonts\e38H8kRkk.Ttf
c:\windows\Fonts\EEUJgNKN6xmNqKr6.Ttf
c:\windows\Fonts\eSEWZRdrSK3NeEJVy4.Ttf
c:\windows\Fonts\FCvvnT2B.Ttf
c:\windows\Fonts\FRSUApxKxh4aqhh4TnMqpe.Ttf
c:\windows\Fonts\FTQ3Xu3wZEZsJ358S.Ttf
c:\windows\Fonts\G8qZ5hBX7H.Ttf
c:\windows\Fonts\GanWM9z57VChEAfV.Ttf
c:\windows\Fonts\GbWrTV56WV24M.Ttf
c:\windows\Fonts\GD9xUjmZ8vHS5Vj.Ttf
c:\windows\Fonts\gfq7ymgpkp.Ttf
c:\windows\Fonts\HXxfduw9KeQTCeP6Z.Ttf
c:\windows\Fonts\jcPMKqwuVC7J.Ttf
c:\windows\Fonts\K7XaTBMWp8TPrYgw.Ttf
c:\windows\Fonts\KzAMjdYaws6f395.Ttf
c:\windows\Fonts\pDuuqr4BgFn65AeW.Ttf
c:\windows\Fonts\PeMTdMfqzpGTb5ps.Ttf
c:\windows\Fonts\pqgXk4S6U25v6f.Ttf
c:\windows\Fonts\qP2N8HTHkmGRq5.Ttf
c:\windows\Fonts\Qq3qg7RGSp9raxWW.Ttf
c:\windows\Fonts\qWskzsQA6.Ttf
c:\windows\Fonts\RCZbVbjCY6wYszD3.Ttf
c:\windows\Fonts\Rfs3DRdsUfkma5.Ttf
c:\windows\Fonts\rgBuFNZP2MWF7WQjA.Ttf
c:\windows\Fonts\S8a8cnEuaydPJGg8.Ttf
c:\windows\Fonts\sUfa6DfmrK.Ttf
c:\windows\Fonts\T8EkDVD578wpyAdP.Ttf
c:\windows\Fonts\tBeuadwPppCBnDUPgJH7P6.Ttf
c:\windows\Fonts\uawyv9Pr.Ttf
c:\windows\Fonts\urgU7WBMQ.Ttf
c:\windows\Fonts\usMywhxbgf5N8e9u6.Ttf
c:\windows\Fonts\uytczRnGV8NUp.Ttf
c:\windows\Fonts\VDcvXDH5px.Ttf
c:\windows\Fonts\Vx53f7Scj63HVHDE.Ttf
c:\windows\Fonts\vztr58qstaca8y8j.Ttf
c:\windows\Fonts\WD7eC3pJvgmYQYNwrVP.Ttf
c:\windows\Fonts\WFsARAucm7DAuX8.Ttf
c:\windows\Fonts\Wt2KuAXTXmrRUbAq.Ttf
c:\windows\Fonts\xSvCE2272aekx.Ttf
c:\windows\Fonts\yGMHUAj5Npydj8FZ.Ttf
c:\windows\Fonts\yHguCdqt6hp2.Ttf
c:\windows\Fonts\yrMyUq1ke.Ttf
c:\windows\Fonts\YywxhF7TSnkktrJw.Ttf
c:\windows\Fonts\Z3tcgfaZ.Ttf
c:\windows\PAXHCD0A.EXE
c:\windows\RYM531DN0T07.EXE
c:\windows\Tasks\SgF9z49Ph7g5UNpM.ico
c:\windows\W2UQ75.EXE
c:\windows\YB0Q1N1141.EXE
c:\windows\YLWVOVCCQP.EXE
c:\windows\ZZCWNB.EXE
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\comres.dll . . . is infected!!
c:\windows\system32\drivers\asyncmac.sys . . . is missing!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_IAS
-------\Legacy_IPRIP
-------\Legacy_KLAN
-------\Legacy_NWCWORKSTATION
-------\Legacy_NWSAPAGENT
-------\Legacy_PORTING
-------\Legacy_WMISVC
-------\Service_6to4
-------\Service_Ias
-------\Service_Iprip
-------\Service_NWCWorkstation
-------\Service_Nwsapagent
((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.
2009-09-06 20:53 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-06 13:52 . 2009-09-06 13:52 -------- d-sh--w- c:\documents and settings\Geovision\IECompatCache
2009-09-06 13:44 . 2009-09-06 13:44 -------- d-sh--w- c:\documents and settings\Geovision\PrivacIE
2009-09-02 16:19 . 2009-09-02 16:19 -------- d-----w- c:\program files\Trend Micro
2009-08-31 10:44 . 2009-08-31 10:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-29 19:06 . 2009-08-29 19:06 -------- d-----w- c:\documents and settings\Geovision\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 19:05 . 2009-08-29 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 19:05 . 2009-08-29 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-21 05:36 . 2009-08-21 05:36 -------- dc-h--w- c:\windows\ie8
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 16:26 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-06 20:46 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-23 07:21 . 2009-07-31 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-23 07:21 . 2009-07-31 01:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-23 07:21 . 2009-07-31 01:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-21 05:40 . 2009-04-14 21:05 -------- d-----w- c:\program files\Google
2009-08-09 00:22 . 2009-08-01 16:00 -------- d-----w- c:\program files\xnsjkdiacqsb
2009-08-09 00:22 . 2009-07-22 23:36 -------- d-----w- c:\program files\XIKWTHRW0S
2009-08-09 00:22 . 2009-08-03 20:32 -------- d-----w- c:\program files\wkdxkkcw
2009-08-09 00:22 . 2009-07-31 02:07 -------- d-----w- c:\program files\xgzqugwmrstoxl
2009-08-09 00:22 . 2009-07-22 22:53 -------- d-----w- c:\program files\WMUGAXR
2009-08-09 00:20 . 2009-08-03 21:05 -------- d-----w- c:\program files\vqievceso
2009-08-09 00:20 . 2009-07-31 00:30 -------- d-----w- c:\program files\vnwnxfcza
2009-08-09 00:20 . 2009-07-31 02:13 -------- d-----w- c:\program files\tbxnlphnqljx
2009-08-09 00:20 . 2009-07-31 01:48 -------- d-----w- c:\program files\uhkjyhzmxgtl
2009-08-09 00:20 . 2009-07-20 21:08 -------- d-----w- c:\program files\R0974Q3IE
2009-08-09 00:20 . 2009-07-18 23:14 -------- d-----w- c:\program files\sbcdvlmmy
2009-08-09 00:20 . 2009-07-31 01:00 -------- d-----w- c:\program files\qivjdqaeppeknv
2009-08-09 00:20 . 2009-07-21 00:01 -------- d-----w- c:\program files\qgpecipqynjo
2009-08-09 00:20 . 2009-07-31 01:52 -------- d-----w- c:\program files\oopyrxlgnb
2009-08-09 00:20 . 2009-07-20 18:47 -------- d-----w- c:\program files\nnxxkutfvrltyt
2009-08-09 00:14 . 2009-08-01 16:06 -------- d-----w- c:\program files\jxtsibzbmrtjzeo
2009-08-09 00:14 . 2009-07-31 20:59 -------- d-----w- c:\program files\jwtpcqkoxymeir
2009-08-09 00:09 . 2009-07-31 02:28 -------- d-----w- c:\program files\bftrruzlyibxxk
2009-08-09 00:09 . 2009-07-29 03:38 -------- d-----w- c:\program files\awdnjfsk
2009-08-09 00:09 . 2009-07-25 07:19 -------- d-----w- c:\program files\byrinwwuvlcnloe
2009-08-09 00:09 . 2009-07-22 22:57 -------- d-----w- c:\program files\273LIR
2009-08-09 00:09 . 2009-07-20 23:41 -------- d-----w- c:\program files\4DXJGE43B1O2
2009-08-06 00:44 . 2009-07-22 22:22 -------- d-----w- c:\program files\zqsghlco
2009-08-06 00:44 . 2009-07-21 21:56 -------- d-----w- c:\program files\xczafrbzth
2009-08-06 00:44 . 2009-07-25 07:22 -------- d-----w- c:\program files\xeowhdzltjh
2009-08-06 00:44 . 2009-07-20 20:38 -------- d-----w- c:\program files\vlyyontpvnkho
2009-08-06 00:44 . 2009-07-21 22:10 -------- d-----w- c:\program files\vxjovzxwqcxqgw
2009-08-06 00:44 . 2009-07-21 22:03 -------- d-----w- c:\program files\sbinnjeyevse
2009-08-06 00:44 . 2009-07-25 19:19 -------- d-----w- c:\program files\jtpwnpuqnkr
2009-08-06 00:44 . 2009-07-22 17:33 -------- d-----w- c:\program files\zdvqqnbivm
2009-08-06 00:43 . 2009-07-29 03:45 -------- d-----w- c:\program files\pvldytpnxyuv
2009-08-06 00:43 . 2009-07-23 18:59 -------- d-----w- c:\program files\lewtfsevdhz
2009-07-31 01:22 . 2009-07-31 01:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-31 01:21 . 2009-07-31 01:21 -------- d-----w- c:\program files\AVG
2009-07-31 01:15 . 2009-07-29 03:49 -------- d-----w- c:\documents and settings\Geovision\Application Data\U3
2009-07-31 00:46 . 2009-07-31 00:39 1106 ----a-w- c:\windows\system32\info.dat
2009-07-23 11:57 . 2009-07-23 11:57 661352 ----a-w- C:\autoruns.exe
2009-07-23 11:57 . 2009-07-23 11:57 553832 ----a-w- C:\autorunsc.exe
2009-07-22 22:57 . 2009-07-22 22:57 28672 ----a-w- c:\windows\BUBJDXQUGSPAB.dll
2009-07-22 22:53 . 2009-07-22 22:53 28672 ----a-w- c:\windows\VOEMAQZCTCLF.dll
2009-07-20 21:08 . 2009-07-20 21:08 28672 ----a-w- c:\windows\TUIKNKMV.dll
2009-07-18 23:16 . 2009-07-18 23:16 -------- d-----w- c:\program files\Common Files\Thunder Network
2009-07-18 23:15 . 2009-07-18 23:15 -------- d-----w- c:\program files\Common Files\Java
2009-07-18 23:14 . 2009-07-18 23:14 -------- d-----w- c:\program files\Intel
2009-07-18 23:06 . 2009-07-18 23:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2009-07-03 21:45 . 2008-12-26 11:36 66144 -c--a-w- c:\documents and settings\Geovision\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-25 01:59 . 2008-12-25 01:59 60516 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-25 01:59 . 2008-12-25 01:59 49246 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-25 01:59 . 2008-12-25 01:59 165990 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
------- Sigcheck -------
[-] 2006-01-06 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys
[-] 2006-01-09 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe
[-] 2006-01-06 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe
[-] 2004-09-01 . 1C08FD2DA2E9D11916BB07982ADB69D1 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe
c:\windows\system32\comres.dll ... is missing !!
c:\windows\system32\qmgr.dll ... is missing !!
c:\windows\system32\drivers\asyncmac.sys ... is missing !!
c:\windows\system32\mspmsnsv.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21910D9A-058E-95F2-642F-95A6E221C648}]
2009-07-20 21:08 28672 ----a-w- c:\windows\TUIKNKMV.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84CA70D3-777F-2BFF-136F-DC274F669D53}]
2009-07-22 22:57 28672 ----a-w- c:\windows\BUBJDXQUGSPAB.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE9A750-3BC5-5D98-B423-C38B641E10F3}]
2009-07-22 22:53 28672 ----a-w- c:\windows\VOEMAQZCTCLF.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816] [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-23 2007832] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "nlsf"="move" [X] "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-09-01 44544] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoLogoff"= 1 (0x1) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{4894F5C2-169D-4DAC-A982-444B9BDB3AC4}"= "c:\windows\Downloaded Program Files\UYTbcaZtxE23MEzKGQ.cur" [2009-09-08 22016] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="c:\windows\explorer.exe," [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-08-23 07:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "443:TCP"= 
443:TCP:ooVoo TCP port 443 "443:UDP"= 443:UDP:ooVoo UDP port 443 "37674:TCP"= 37674:TCP:ooVoo TCP port 37674 "37674:UDP"= 37674:UDP:ooVoo UDP port 37674 "37675:UDP"= 37675:UDP:ooVoo UDP port 37675 R2 bnetroighv;bnetroighv;c:\program files\byrinwwuvlcnloe\iqsvpyqnfipbg.exe [x] R2 CAZXE;CAZXE;c:\program files\XIKWTHRW0S\0RICFOB.EXE [x] R2 dasno;dasno;c:\windows\system32\dasno.exe [x] R2 dbsno;dbsno;c:\windows\system32\dbsno.exe [x] R2 ddsno;ddsno;c:\windows\system32\ddsno.exe [x] R2 desno;desno;c:\windows\system32\desno.exe [x] R2 dfsno;dfsno;c:\windows\system32\dfsno.exe [x] R2 dgsno;dgsno;c:\windows\system32\dgsno.exe [x] R2 dkjno;dkjno;c:\windows\system32\dkjno.exe [x] R2 dojno;dojno;c:\windows\system32\dojno.exe [x] R2 dsjno;dsjno;c:\windows\system32\dsjno.exe [x] R2 dteno;dteno;c:\windows\system32\dtesm.exe [x] R2 dtjealqpijxfzj;dtjealqpijxfzj;c:\program files\lewtfsevdhz\swpzyugw.exe [x] R2 gerbassmn;Intcrface Pdby Prohdure;c:\windows\system32\Miekcsr.exe [x] R2 H3KJ16M;H3KJ16M;c:\program files\4DXJGE43B1O2\7MWZ6KDVV.EXE [x] R2 hkyoulbzkasgllw;hkyoulbzkasgllw;c:\program files\pvldytpnxyuv\wnfiaujgh.exe [x] R2 jmotuqyw;jmotuqyw;c:\program files\zdvqqnbivm\gvpdspdjxjblfph.exe [x] R2 jtesm;jtesm;c:\windows\system32\jtesm.exe [x] R2 jzchqigczupkmo;jzchqigczupkmo;c:\program files\jtpwnpuqnkr\qlikorojp.exe [x] R2 nbjyaqolmamr;nbjyaqolmamr;c:\program files\vnwnxfcza\cnptyhwsbnauoy.exe [x] R2 nckhnmfsh;nckhnmfsh;c:\program files\nnxxkutfvrltyt\ufrklvnzeox.exe [x] R2 PCIEDump;PCIEDump;c:\windows\system32\drivers\qqrrftfx.sys [x] R2 pvcofbbdcpiawre;pvcofbbdcpiawre;c:\program files\qgpecipqynjo\xhirdkrka.exe [x] R2 pxjuzimzc;pxjuzimzc;c:\program files\qivjdqaeppeknv\xbpxxscgrmr.exe [x] R2 qteno;qteno;c:\windows\system32\otesm.exe [x] R2 Risuuzijhguscjnsfe;Ris tptfypuwcgweo;c:\program files\Intel\phvuhaxaeaz.EXE lwqrdbdfqzcdphn [x] R2 rlqynxwwajy;rlqynxwwajy;c:\program files\awdnjfsk\hwwtlhmdywmpgb.exe [x] R2 sejno;sejno;c:\windows\system32\syjno.exe [x] R2 
sksno;sksno;c:\windows\system32\sksno.exe [x] R2 spqoydygccns;spqoydygccns;c:\program files\sbcdvlmmy\ztwjwnonapcdihg.exe [x] R2 sssno;sssno;c:\windows\system32\sssno.exe [x] R2 steno;steno;c:\windows\system32\stesm.exe [x] R2 tteno;tteno;c:\windows\system32\wtesm.exe [x] R2 uewzzrjrc;uewzzrjrc;c:\program files\vxjovzxwqcxqgw\cpcbxbzxazj.exe [x] R2 ukaqjmbmfgj;ukaqjmbmfgj;c:\program files\sbinnjeyevse\kwhthdjtcsxgu.exe [x] R2 uucrimqlgqcyx;uucrimqlgqcyx;c:\program files\xeowhdzltjh\ewhjifbf.exe [x] R2 valjsxfk;valjsxfk;c:\program files\vlyyontpvnkho\kerdqpvjed.exe [x] R2 wqtesm;wqtesm;c:\windows\system32\wqtesm.exe [x] R2 wrmkjjntgjpci;wrmkjjntgjpci;c:\program files\xczafrbzth\eusfhsdavwdfgiu.exe [x] R2 yasnp;yasnp;c:\windows\system32\yasnp.exe [x] R2 zxfrldoilnl;zxfrldoilnl;c:\program files\zqsghlco\gimtjnepaazlr.exe [x] R3 AGV;AGV;c:\windows\system32\drivers\AGV.sys [2006-12-04 189112] R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344] R3 GV800S;GV800S;c:\windows\system32\drivers\GV800S.sys [2007-03-29 82224] S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-23 335240] S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-07-31 108552] S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-23 297752] S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2008-12-08 55136] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . - - - - ORPHANS REMOVED - - - - SSODL-MSNServiceObj-{AD26AC5F-8421-419C-8692-ED0FE1FE74D8} - c:\program files\Messenger\msmsgs.dll . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.yahoo.com/ mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html uSearchURL,(Default) = hxxp://www.google.com/keyword/%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Geovision\Application Data\Mozilla\Firefox\Profiles\oryvhb3o.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy 
autodiscovery c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties"); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-09-08 17:49 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(2252) c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Maxtor\Sync\SyncServices.exe c:\program files\AVG\AVG8\avgrsx.exe c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe c:\progra~1\AVG\AVG8\avgnsx.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2009-09-08 17:57 - machine was rebooted ComboFix-quarantined-files.txt 2009-09-08 16:57 Pre-Run: 2,750,029,824 bytes free Post-Run: 2,685,046,784 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 351 ComboFix.txt