
Problems removing Rootkit.Agent virus



Hello. I have recently been trying to remove a bunch of problems from my comp and have finally made it down to these four files. Malwarebytes picked them up as:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.

C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> No action taken.

C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> No action taken.

Now the program always removes the two HKEY files with no problem, but the other ones cause problems. Every time I try to remove the other two infections, I get a message that says the program could not remove these problems and will remove them on a reboot. However, every time I reboot my computer Malwarebytes fails to remove them and they show up again when I scan my comp, and the two HKEY infections that the program removed before I restarted my comp return. Any help as to how to remove these problems would be greatly appreciated. Thanks.

Here is the registry log from when I ran HijackThis:

Logfile of HijackThis v1.99.1

Scan saved at 20:32, on 2009-03-07

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ASUS\PC Probe II\Probe2.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\ASUS\AASP\1.00.80\aaCenter.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Will\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188462803156

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1221873608937

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe


Hi DemonXoX, Welcome to Malwarebytes'

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Here is the log ComboFix came up with.

ComboFix 09-03-06.02 - Will 2009-03-07 21:10:36.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2456 [GMT -5:00]

Running from: c:\documents and settings\Will\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

FW: Symantec Client Firewall *enabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\system32\1000.exe

c:\windows\system32\drivers\mrxdavv.sys

c:\windows\system32\drivers\senekaeejkmcja.sys

c:\windows\system32\init32.exe

c:\windows\system32\kwave.sys

c:\windows\system32\senekaihbroyei.dll

c:\windows\system32\senekanwwodxnf.dll

c:\windows\system32\senekaojkjejqp.dat

c:\windows\system32\senekauoeoiyps.dat

c:\windows\system32\senekavpppxisx.dll

c:\windows\system32\win32hlp.cnf

c:\windows\system32\zavidegu.dll

c:\windows\system32\zitijawo.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.205

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_seneka

((((((((((((((((((((((((( Files Created from 2009-02-08 to 2009-03-08 )))))))))))))))))))))))))))))))

.

2009-03-05 22:30 . 2009-03-05 22:33 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2009-03-05 22:29 . 2009-03-05 22:29 95 --a------ c:\windows\wininit.ini

2009-03-05 21:21 . 2009-03-05 21:21 119,761 --ahs---- c:\windows\system32\zurufalo.dll

2009-03-05 20:46 . 2009-03-05 20:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-05 20:46 . 2009-03-05 20:46 <DIR> d-------- c:\documents and settings\Will\Application Data\Malwarebytes

2009-03-05 20:46 . 2009-03-05 20:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-05 20:46 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-05 20:46 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-28 00:39 . 2009-02-28 00:39 <DIR> d-------- c:\program files\LucasArts

2009-02-23 16:04 . 2009-02-23 16:14 <DIR> d-------- C:\ARENA

2009-02-23 16:01 . 2009-02-23 16:14 <DIR> d-------- c:\program files\DOSBox-0.72

2009-02-23 15:07 . 2009-02-23 15:07 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Apple Computer

2009-02-22 23:04 . 2009-02-22 23:04 8,784 --a------ c:\windows\system32\drivers\InCDPass.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-08 00:21 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-03-06 23:52 --------- d-----w c:\program files\World of Warcraft

2009-03-06 23:14 34 ----a-w c:\documents and settings\Will\jagex_runescape_preferences.dat

2009-03-04 21:57 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys

2009-02-28 05:39 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-27 18:59 --------- d-----w c:\program files\Microsoft Silverlight

2009-02-16 23:59 --------- d-----w c:\documents and settings\Will\Application Data\Bioshock

2009-02-16 05:02 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-02-16 05:02 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-02-15 20:57 --------- d-----w c:\program files\The Witcher

2009-02-15 17:35 --------- d-----w c:\program files\Bethesda Softworks

2009-02-06 04:23 --------- d-----w c:\program files\Game_Maker7

2009-02-03 22:34 --------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts

2009-01-29 23:53 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2009-01-29 23:53 22,328 ----a-w c:\documents and settings\Will\Application Data\PnkBstrK.sys

2009-01-26 21:56 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-01-26 21:56 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

2009-01-26 21:55 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-01-25 22:34 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE

2009-01-18 23:30 --------- d-----w c:\program files\Windows Live Safety Center

2009-01-15 01:06 --------- d-----w c:\program files\Electronic Arts

2009-01-15 01:02 --------- d-----w c:\program files\Common Files\InstallShield

2009-01-14 07:14 3,455,488 ----a-w c:\windows\system32\drivers\ati2mtag.sys

2009-01-14 03:43 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll

2009-01-10 18:01 --------- d-----w c:\program files\ASUS

1601-01-01 00:12 79,872 --sha-w c:\windows\system32\denekilo.dll

1601-01-01 00:12 84,992 --sha-w c:\windows\system32\pifaresi.dll

1601-01-01 00:12 79,872 --sha-w c:\windows\system32\witefame.dll

1601-01-01 00:12 84,992 --sha-w c:\windows\system32\zumunope.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-10 94208]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-01-09 3321856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2006-09-27 125168]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"Launch PC Probe II"="c:\program files\ASUS\PC Probe II\Probe2.exe" [2008-11-11 2142720]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-04 515416]

"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-02-11 1273488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"<NO NAME>"= 1

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\yidufore.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\InCDPass.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=

"d:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=

"d:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=

"d:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-26 64160]

R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951120]

S3 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]

.

Contents of the 'Scheduled Tasks' folder

2009-03-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-04 16:57]

2009-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Will\Application Data\Mozilla\Firefox\Profiles\2mg20j1n.default\

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-07 21:15:19

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-1960408961-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:be,64,93,ca,39,f2,ab,86,14,61,61,0d,81,39,35,e2,67,c6,7e,89,d2,66,a2,

03,86,7e,77,82,df,62,be,22,38,28,42,ca,e1,e0,21,8d,38,aa,38,59,ba,71,d6,ab,\

"??"=hex:9d,6d,62,c7,7e,94,d3,01,62,72,da,46,cb,d1,2f,38

[HKEY_USERS\S-1-5-21-1390067357-1960408961-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:52,08,22,7d,b4,cc,d1,05,84,d1,5b,57,99,f5,9a,8b,57,0e,ac,32,e4,

47,b4,be,aa,03,55,5a,3b,f5,55,58,12,00,31,ad,7d,9d,bf,55,e6,e8,cc,d8,00,99,\

"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{40886FA5-87BC-FDA7-0C1FAC01C243999B}\{19E564B2-522B-7AA8-1ACCCD0705265332}\{1F2DE655-6E2E-2DD5-8638E8D01A513D14}*]

"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,51,32,35,

86,5a,91,25,0f,38,eb,af,5c,42,56,f6,d2,c1,9e,95,a8,a1,17,53,ca,34,54,bf,67,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A211FD50-104A-552A-E783321B77B5C9DA}\{4E700FFC-D5B6-D24A-08D9C51A05E3FA14}\{72F82311-8741-4D82-9043D22F7FAD5282}*]

"PK3IM51V2WPW5YOPIRJ365XEIG1"=hex:01,00,01,00,00,00,00,00,c3,a2,73,89,0b,39,ad,

69,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)

c:\windows\system32\Ati2evxx.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\ccProxy.exe

c:\program files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PnkBstrB.exe

c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

c:\program files\Common Files\Symantec Shared\SNDSrvc.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\ASUS\AASP\1.00.80\aaCenter.exe

.

**************************************************************************

.

Completion time: 2009-03-07 21:23:47 - machine was rebooted [Will]

ComboFix-quarantined-files.txt 2009-03-08 02:23:44

Pre-Run: 117,254,692,864 bytes free

Post-Run: 117,480,001,536 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

230 --- E O F --- 2009-02-26 20:09:09


Step #1

Please

1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

MD "%USERPROFILE%"\desktop\malware

xcopy "c:\windows\system32\zurufalo.dll" "%USERPROFILE%"\desktop\malware /c /q /r /h /y

xcopy "c:\windows\system32\denekilo.dll" "%USERPROFILE%"\desktop\malware /c /q /r /h /y

xcopy "c:\windows\system32\pifaresi.dll" "%USERPROFILE%"\desktop\malware /c /q /r /h /y

xcopy "c:\windows\system32\zumunope.dll" "%USERPROFILE%"\desktop\malware /c /q /r /h /y

xcopy "c:\windows\system32\witefame.dll" "%USERPROFILE%"\desktop\malware /c /q /r /h /y

Attrib -s -r -h "%USERPROFILE%"\desktop\malware\*.*

3. Save the file as Run.bat. Make sure to save it with the quotation marks.

4. Double click Run.bat.

5. Please go to this thread

http://www.malwarebytes.org/forums/index.php?showforum=55

and create a new topic

6. Attach the Malware folder on your desktop to the topic then post it, so we can analyze those files to include in Malwarebytes' detection.

Step #2

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Collect::

c:\windows\system32\zurufalo.dll

c:\windows\system32\denekilo.dll

c:\windows\system32\pifaresi.dll

c:\windows\system32\zumunope.dll

c:\windows\system32\witefame.dll

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=""

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

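As an added example (not from the post, the Malwarebytes staff, or ComboFix itself), here is a small Python triage script that pulls out the indicators a helper reads off the two ComboFix logs in this thread: 1601-dated and hidden+system DLLs in the Find3M report, a populated AppInit_DLLs value, Security Center notifications switched off and the firewall disabled, and then renders them in the Collect::/Registry:: shape used in Step #2. The sample log lines are constructed from the log posted above; the function names are my own, and the CFScript grammar assumed is only the two sections shown in the post.

```python
import re

# Constructed sample in the shape of the ComboFix log posted above: a handful
# of lines copied from its Find3M Report / Files Created and Reg Loading Points.
SAMPLE_LOG = r"""
2009-03-05 21:21 . 2009-03-05 21:21 119,761 --ahs---- c:\windows\system32\zurufalo.dll
2009-03-05 20:46 . 2009-03-05 20:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-04 21:57 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-02-28 05:39 --------- d--h--w c:\program files\InstallShield Installation Information
1601-01-01 00:12 79,872 --sha-w c:\windows\system32\denekilo.dll
1601-01-01 00:12 84,992 --sha-w c:\windows\system32\pifaresi.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\yidufore.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# One regex covers both ComboFix file-line layouts:
#   "Files Created":  date time . date time size attrs path
#   "Find3M Report":  date time size attrs path
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}"
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r" (?:[\d,]+|<DIR>|-+) (?P<attrs>[a-z-]+) (?P<path>.+)$"
)
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')


def parse_file_lines(log):
    """Return one dict (date, attrs, path) per file/directory line in the log."""
    rows = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def parse_reg_values(log):
    """Return (key, name, value) triples from the REGEDIT4-style sections."""
    key, triples = None, []
    for line in log.splitlines():
        line = line.strip()
        k = REG_KEY.match(line)
        if k:
            key = k.group("key")
            continue
        v = REG_VALUE.match(line)
        if v and key:
            triples.append((key, v.group("name"), v.group("value").strip()))
    return triples


def triage(log):
    """Flag the indicators a forum helper reads off a ComboFix log."""
    findings = {"timestomped": [], "hidden_system": [], "appinit_dlls": [],
                "notify_disabled": [], "firewall_disabled": False}
    for row in parse_file_lines(log):
        path, attrs = row["path"].lower(), row["attrs"]
        # 1601-01-01 is FILETIME zero: a file carrying that date has had its
        # timestamp wiped, which no legitimate installer does.
        if row["date"].startswith("1601-"):
            findings["timestomped"].append(path)
        # hidden+system on a loose DLL in system32 is what keeps these files out
        # of Explorer, hence the "Attrib -s -r -h" line in Step #1 above.
        if "h" in attrs and "s" in attrs and path.endswith(".dll"):
            findings["hidden_system"].append(path)
    for key, name, value in parse_reg_values(log):
        lname = name.lower()
        if lname == "appinit_dlls" and value not in ("", '""'):
            # every DLL named here is loaded into each process that loads user32
            findings["appinit_dlls"].extend(
                p.lower() for p in re.split(r"[ ,]+", value) if p)
        elif lname.endswith("disablenotify") and value.endswith("00000001"):
            findings["notify_disabled"].append(name)
        elif lname == "enablefirewall" and value.startswith("0"):
            findings["firewall_disabled"] = True
    return findings


def build_cfscript(findings):
    """Render the Collect::/Registry:: script shape used in Step #2 above."""
    collect = sorted(set(findings["hidden_system"] + findings["timestomped"]
                         + findings["appinit_dlls"]))
    lines = ["Collect::"] + collect
    if findings["appinit_dlls"]:
        lines += ["", "Registry::",
                  r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]",
                  '"AppInit_DLLs"=""']
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, hits in result.items():
        print(f"{name}: {hits}")
    print(build_cfscript(result))
```

The script is a reading aid for the log, not a replacement for the helper's judgement: it reports what the log says and drafts the script shape, and the decision to run anything against the machine stays with whoever is handling the case.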

Here is the log you requested:

ComboFix 09-03-06.02 - Will 2009-03-07 22:08:17.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2664 [GMT -5:00]

Running from: c:\documents and settings\Will\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Will\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

FW: Symantec Client Firewall *enabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\denekilo.dll

c:\windows\system32\drivers\mrxdavv.sys

c:\windows\system32\kwave.sys

c:\windows\system32\pifaresi.dll

c:\windows\system32\witefame.dll

c:\windows\system32\zumunope.dll

c:\windows\system32\zurufalo.dll

.

((((((((((((((((((((((((( Files Created from 2009-02-08 to 2009-03-08 )))))))))))))))))))))))))))))))

.

2009-03-05 22:30 . 2009-03-05 22:33 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2009-03-05 22:29 . 2009-03-05 22:29 95 --a------ c:\windows\wininit.ini

2009-03-05 20:46 . 2009-03-05 20:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-05 20:46 . 2009-03-05 20:46 <DIR> d-------- c:\documents and settings\Will\Application Data\Malwarebytes

2009-03-05 20:46 . 2009-03-05 20:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-05 20:46 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-05 20:46 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-28 00:39 . 2009-02-28 00:39 <DIR> d-------- c:\program files\LucasArts

2009-02-23 16:04 . 2009-02-23 16:14 <DIR> d-------- C:\ARENA

2009-02-23 16:01 . 2009-02-23 16:14 <DIR> d-------- c:\program files\DOSBox-0.72

2009-02-23 15:07 . 2009-02-23 15:07 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Apple Computer

2009-02-22 23:04 . 2009-02-22 23:04 8,784 --a------ c:\windows\system32\drivers\InCDPass.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-08 00:21 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-03-06 23:52 --------- d-----w c:\program files\World of Warcraft

2009-03-06 23:14 34 ----a-w c:\documents and settings\Will\jagex_runescape_preferences.dat

2009-03-04 21:57 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys

2009-02-28 05:39 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-27 18:59 --------- d-----w c:\program files\Microsoft Silverlight

2009-02-16 23:59 --------- d-----w c:\documents and settings\Will\Application Data\Bioshock

2009-02-16 05:02 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-02-16 05:02 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-02-15 20:57 --------- d-----w c:\program files\The Witcher

2009-02-15 17:35 --------- d-----w c:\program files\Bethesda Softworks

2009-02-06 04:23 --------- d-----w c:\program files\Game_Maker7

2009-02-03 22:34 --------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts

2009-01-29 23:53 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2009-01-29 23:53 22,328 ----a-w c:\documents and settings\Will\Application Data\PnkBstrK.sys

2009-01-26 21:56 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-01-26 21:56 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

2009-01-26 21:55 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-01-25 22:34 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE

2009-01-18 23:30 --------- d-----w c:\program files\Windows Live Safety Center

2009-01-15 01:06 --------- d-----w c:\program files\Electronic Arts

2009-01-15 01:02 --------- d-----w c:\program files\Common Files\InstallShield

2009-01-14 07:14 3,455,488 ----a-w c:\windows\system32\drivers\ati2mtag.sys

2009-01-14 03:43 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll

2009-01-10 18:01 --------- d-----w c:\program files\ASUS

.

((((((((((((((((((((((((((((( SnapShot@2009-03-07_21.23.22.54 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-03-08 03:12:34 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_510.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-10 94208]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-01-09 3321856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2006-09-27 125168]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"Launch PC Probe II"="c:\program files\ASUS\PC Probe II\Probe2.exe" [2008-11-11 2142720]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-04 515416]

"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-02-11 1273488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"<NO NAME>"= 1

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\InCDPass.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=

"d:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=

"d:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=

"d:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-26 64160]

R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951120]

S3 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]

.

Contents of the 'Scheduled Tasks' folder

2009-03-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-04 16:57]

2009-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Will\Application Data\Mozilla\Firefox\Profiles\2mg20j1n.default\

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-07 22:12:59

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-1960408961-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:be,64,93,ca,39,f2,ab,86,14,61,61,0d,81,39,35,e2,67,c6,7e,89,d2,66,a2,

03,86,7e,77,82,df,62,be,22,38,28,42,ca,e1,e0,21,8d,38,aa,38,59,ba,71,d6,ab,\

"??"=hex:9d,6d,62,c7,7e,94,d3,01,62,72,da,46,cb,d1,2f,38

[HKEY_USERS\S-1-5-21-1390067357-1960408961-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:52,08,22,7d,b4,cc,d1,05,84,d1,5b,57,99,f5,9a,8b,57,0e,ac,32,e4,

47,b4,be,aa,03,55,5a,3b,f5,55,58,12,00,31,ad,7d,9d,bf,55,e6,e8,cc,d8,00,99,\

"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{40886FA5-87BC-FDA7-0C1FAC01C243999B}\{19E564B2-522B-7AA8-1ACCCD0705265332}\{1F2DE655-6E2E-2DD5-8638E8D01A513D14}*]

"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,51,32,35,

86,5a,91,25,0f,38,eb,af,5c,42,56,f6,d2,c1,9e,95,a8,a1,17,53,ca,34,54,bf,67,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A211FD50-104A-552A-E783321B77B5C9DA}\{4E700FFC-D5B6-D24A-08D9C51A05E3FA14}\{72F82311-8741-4D82-9043D22F7FAD5282}*]

"PK3IM51V2WPW5YOPIRJ365XEIG1"=hex:01,00,01,00,00,00,00,00,c3,a2,73,89,0b,39,ad,

69,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)

c:\windows\system32\Ati2evxx.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\ccProxy.exe

c:\program files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PnkBstrB.exe

c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

c:\program files\Common Files\Symantec Shared\SNDSrvc.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\ASUS\AASP\1.00.80\aaCenter.exe

.

**************************************************************************

.

Completion time: 2009-03-07 22:21:41 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-08 03:21:38

ComboFix2.txt 2009-03-08 02:23:48

Pre-Run: 117,519,450,112 bytes free

Post-Run: 117,502,889,984 bytes free

207 --- E O F --- 2009-02-26 20:09:09

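A quick way to read a Reg Loading Points dump like the one above is to parse it and flag the entries that weaken the host's own defences. The Python below is an added example for this thread, not ComboFix output and not code from any of the tools mentioned; the excerpt it parses is constructed in the ComboFix layout, and the rule that svchost.exe, userinit.exe and the other core binaries belong only in %windir%\system32 is the example's own check.

```python
import re

# Constructed excerpt in the format of ComboFix's "Reg Loading Points" section,
# shaped like the log above; it is sample input for this example, not a dump
# from a live machine.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-02-11 1273488]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=\s*(?P<rest>.*)$')

# Binaries that live in %windir%\system32 on every XP install (example's own
# list); a firewall exception for a same-named file anywhere else deserves a look.
SYSTEM32_ONLY = {"svchost.exe", "userinit.exe", "lsass.exe", "winlogon.exe",
                 "services.exe", "csrss.exe", "smss.exe"}


def parse_value(rest):
    """Decode the right-hand side of a ComboFix registry line."""
    rest = rest.strip()
    if rest == "":                      # "path"=   (the name is the payload)
        return None
    if rest.startswith("dword:"):       # dword:00000001
        return int(rest[len("dword:"):], 16)
    if rest.startswith('"'):            # "value" [date size]
        return rest[1:rest.index('"', 1)]
    m = re.match(r"-?\d+", rest)        # 0 (0x0)
    return int(m.group()) if m else rest


def parse_reg_points(text):
    """Return {key: {value_name: decoded_value}} for a Reg Loading Points dump."""
    points, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            points.setdefault(key, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            name = vm.group("name") if vm.group("name") is not None else "@"
            points[key][name] = parse_value(vm.group("rest"))
    return points


def triage(points):
    """Flag settings that silence or disable the host's defences, plus odd firewall exceptions."""
    findings = []
    for key, values in points.items():
        k = key.lower()
        if k.endswith("\\security center"):
            for name, v in values.items():
                if name.endswith("DisableNotify") and v == 1:
                    findings.append(f"Security Center alerts suppressed: {name}")
        elif "\\security center\\monitoring\\" in k and values.get("DisableMonitoring") == 1:
            product = key.rsplit("\\", 1)[-1]
            findings.append(f"Security Center no longer monitors {product}")
        elif k.endswith("firewallpolicy\\standardprofile") and values.get("EnableFirewall") == 0:
            findings.append("Windows Firewall disabled (standard profile)")
        elif k.endswith("authorizedapplications\\list"):
            for path in values:                       # the value name is the path
                p = path.replace("\\\\", "\\").lower()
                parent, _, base = p.rpartition("\\")
                if base in SYSTEM32_ONLY and not parent.endswith("\\system32"):
                    findings.append(f"Firewall exception for {base} outside system32: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_reg_points(SAMPLE)):
        print("-", finding)
```

The checks are deliberately narrow: a suppressed Security Center notification or a DisableMonitoring flag can be set legitimately by a third-party product that registers itself, so the output is a list of things to verify by hand, not a verdict.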

Thanks for uploading the files!

Launch Malwarebytes' Anti-Malware

  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please click here to download AVP Tool by Kaspersky.

  • Save it to your desktop.
  • Reboot your computer into SafeMode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.

    Use your up arrow key to highlight SafeMode then hit enter.


  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.
  • System Memory

  • Startup Objects

  • Disk Boot Sectors.

  • My Computer.

  • Also any other drives (Removable that you may have)

After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.

Then choose OK again then you are back to the main screen.

  • Then click on Scan at the top right-hand corner.
  • It will automatically neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all.
  • If it says it cannot be neutralized then choose the delete option when prompted.
  • After that is done click on the Reports button at the bottom and save it to file; name it Kas.
  • Save it somewhere convenient like your desktop, and just post only the detected Virus\malware in the report. It will be at the very top under Detected; post those results in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.


I don't know if this will help at all but ever since my comp got infected with the rootkit, startup has been abnormally slow, stopping at my background for a while and then the other icons and stuff load onto my desktop. Maybe the rootkit is exploiting startup? Idk just a thought.

Anyway here is the log from Malwarebytes:

Malwarebytes' Anti-Malware 1.34

Database version: 1829

Windows 5.1.2600 Service Pack 3

2009-03-09 21:08:05

mbam-log-2009-03-09 (21-08-05).txt

Scan type: Quick Scan

Objects scanned: 64574

Time elapsed: 2 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

Still did not delete those two.

And here is the selected stuff from the log of the program you asked me to download:

Detected

--------

Status Object

------ ------

deleted: Trojan program Trojan.Win32.Agent.bpna File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A2C0001.VBN//CryptZ

deleted: Trojan program Trojan.Win32.Inject.osp File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F680000.VBN//CryptZ

deleted: Trojan program Trojan.Win32.Agent.bpgp File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340000\4DBDCFAA.VBN//CryptZ

deleted: Trojan program Trojan.Win32.Monder.blso File: C:\Documents and Settings\Will\Desktop\malware.zip/malware/witefame.dll

deleted: Trojan program Trojan-Spy.Win32.Agent.acnc File: C:\Documents and Settings\Will\Desktop\malware.zip/malware/zumunope.dll

deleted: Trojan program Trojan.Win32.Monder.blso File: C:\Documents and Settings\Will\Desktop\malware\witefame.dll

deleted: Trojan program Trojan-Spy.Win32.Agent.acnc File: C:\Documents and Settings\Will\Desktop\malware\zumunope.dll

deleted: Trojan program Trojan.Win32.Monder.blso File: C:\Qoobox\Quarantine\[4]-Submit_2009-03-07@22.08.zip/witefame.dll

deleted: Trojan program Trojan-Spy.Win32.Agent.acnc File: C:\Qoobox\Quarantine\[4]-Submit_2009-03-07@22.08.zip/zumunope.dll

deleted: Trojan program Trojan-Downloader.Win32.Agent.bjsk File: C:\Qoobox\Quarantine\C\WINDOWS\system32\1000.exe.vir

deleted: Trojan program Trojan-Dropper.Win32.Agent.aiub File: C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir

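To make sense of the two reports above, it helps to classify each detection by where it was found: inside another tool's quarantine store, inside an archive, or as a plain file the system could still load, and to list separately the MBAM items that are still waiting on a reboot. The Python below is an added example, not part of this thread and not code from MBAM or the Kaspersky tool; the report lines it reads are constructed in the two tools' layouts, and treating any path containing \Quarantine\ as an already contained copy is the example's own assumption.

```python
import re

# Constructed excerpts shaped like the two reports above (sample input for this
# example, not copied from a live machine). AVP Tool writes archive members
# after "/" and packer names after "//", so the on-disk object is everything
# before the first "/".
AVP_SAMPLE = r"""
deleted: Trojan program Trojan.Win32.Agent.bpna File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A2C0001.VBN//CryptZ
deleted: Trojan program Trojan.Win32.Monder.blso File: C:\Documents and Settings\Will\Desktop\malware.zip/malware/witefame.dll
deleted: Trojan program Trojan.Win32.Monder.blso File: C:\Documents and Settings\Will\Desktop\malware\witefame.dll
deleted: Trojan program Trojan-Dropper.Win32.Agent.aiub File: C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir
"""

MBAM_SAMPLE = r"""
Registry Data Items Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.
C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.
"""

AVP_RE = re.compile(r"^(?P<status>\w+): (?P<kind>.+?) (?P<name>\S+) File: (?P<path>.+)$")
MBAM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.$")

# Folders where a detection is an already contained copy, not loadable code
# (example's own assumption).
QUARANTINE_MARKERS = ("\\quarantine\\",)


def classify_avp_path(path):
    """'quarantine' (held by another tool), 'archive' (inside a zip or packer
    container on disk) or 'live' (a plain file the system could load)."""
    on_disk = path.split("/", 1)[0].lower()
    if any(marker in on_disk for marker in QUARANTINE_MARKERS):
        return "quarantine"
    if "/" in path:
        return "archive"
    return "live"


def parse_avp(text):
    """(status, detection name, path, classification) per AVP report line."""
    out = []
    for line in text.splitlines():
        m = AVP_RE.match(line.strip())
        if m:
            out.append((m["status"], m["name"], m["path"], classify_avp_path(m["path"])))
    return out


def mbam_unresolved(text):
    """Paths in the 'Files Infected:' section that MBAM has not removed yet."""
    pending, in_files = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):                   # section header
            in_files = (line == "Files Infected:")
            continue
        m = MBAM_RE.match(line)
        if in_files and m and m["action"] in ("Delete on reboot", "No action taken"):
            pending.append((m["path"], m["name"], m["action"]))
    return pending


def summarize(avp_text, mbam_text):
    """Counts per AVP class plus the MBAM items still waiting on a reboot."""
    counts = {"quarantine": 0, "archive": 0, "live": 0}
    for _, _, _, cls in parse_avp(avp_text):
        counts[cls] += 1
    return {"avp": counts, "mbam_pending": mbam_unresolved(mbam_text)}


if __name__ == "__main__":
    summary = summarize(AVP_SAMPLE, MBAM_SAMPLE)
    print("AVP detections by location:", summary["avp"])
    for path, name, action in summary["mbam_pending"]:
        print(f"still present: {path} ({name}) -> {action}")
```

Anything that lands in the 'live' bucket is what actually needs attention on the running system; the quarantine and archive hits are copies other tools had already isolated, and the MBAM 'Delete on reboot' items are the ones that keep coming back.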

I don't know if this will help at all but ever since my comp got infected with the rootkit, startup has been abnormally slow, stopping at my background for a while and then the other icons and stuff load onto my desktop. Maybe the rootkit is exploiting startup? Idk just a thought.

Possibility. Good news is the infections found by AVP Tool are in quarantine and not live. I would recommend removing the infections you have in Symantec AntiVirus Corporate Edition Quarantine.

Download RootRepeal.zip and unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program

  • Click on the Report tab at the bottom of the program window

  • Click the Scan button

  • In the Select Scan dialog, check:
    • Drivers

    • Files

    • Processes

    • SSDT

    • Stealth Objects

    • Hidden Services

  • Click the OK button

  • In the next dialog, select all drives showing

  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available

  • Click this and save the report to your Desktop as RootRepeal.txt

  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:

  • Click Add Reply

  • Under the reply panel is the Attachments Panel

  • Browse for the attachment file you want to upload, then click the green Upload button

  • Once it has uploaded, click the Manage Current Attachments drop down box

  • Click on attach_add.png to insert the attachment into your post

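Once the RootRepeal report from the steps above exists, the items worth attention in it are drivers that are loaded but whose file the Windows API cannot see, and SSDT hooks the scanner cannot attribute to any loaded module. The Python below is an added example, not part of this thread and not RootRepeal's own code; its input is a constructed report in RootRepeal's layout, and its heuristics (crash-dump stubs named dump_* and the scanner's own rootrepeal.sys are expected to be hidden; a hook by a named security driver is recorded but not judged) are this example's assumptions.

```python
import re

# Constructed excerpt in RootRepeal's report layout (sample input for this
# example, not a dump from a live machine). "File Visible: No" means the driver
# image is loaded but the scanner could not see its file through the normal
# file API; "<unknown>" means the hook address maps to no loaded module.
SAMPLE = r"""
ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/03/10 22:24
==================================================

Drivers
-------------------
Name: 32872487.sys
Image Path: C:\WINDOWS\system32\DRIVERS\32872487.sys
Address: 0xAC1C2000 Size: 163840 File Visible: No
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xABE68000 Size: 98304 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8D1E000 Size: 45056 File Visible: No
Status: -

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8aeba220

#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba0f887e

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xaca48350

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "<unknown>" at address 0x8a339208
"""

# Hidden driver images the scanner itself accounts for (example's assumption):
# crash-dump copies of the boot disk stack (dump_*) and RootRepeal's own driver.
EXPECTED_HIDDEN = re.compile(r"^(dump_.*|rootrepeal\.sys)$", re.IGNORECASE)
DRIVER_LINE = re.compile(r"^Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+) File Visible: (?P<visible>\w+)$")
SSDT_INDEX = re.compile(r"^#: (?P<idx>\d+) Function Name: (?P<func>\w+)$")
SSDT_HOOK = re.compile(r'^Status: Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9A-Fa-f]+)$')


def split_sections(text):
    """Map section title -> its lines; a title is any line followed by a dashed rule."""
    lines = [l.strip() for l in text.splitlines()]
    sections, current = {}, None
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("----"):
            current = line
            sections[current] = []
        elif line.startswith("----") or current is None:
            continue
        else:
            sections[current].append(line)
    return sections


def parse_drivers(lines):
    """One dict per 'Name:' record in the Drivers section."""
    drivers, cur = [], None
    for line in lines:
        if line.startswith("Name: "):
            cur = {"name": line[len("Name: "):]}
            drivers.append(cur)
        elif cur is not None and line.startswith("Image Path: "):
            cur["path"] = line[len("Image Path: "):]
        elif cur is not None:
            m = DRIVER_LINE.match(line)
            if m:
                cur["visible"] = m["visible"] == "Yes"
                cur["size"] = int(m["size"])
    return drivers


def parse_ssdt(lines):
    """Pair each '#: N Function Name:' line with the Status line that follows it."""
    hooks, pending = [], None
    for line in lines:
        m = SSDT_INDEX.match(line)
        if m:
            pending = (int(m["idx"]), m["func"])
            continue
        h = SSDT_HOOK.match(line)
        if h and pending:
            hooks.append({"index": pending[0], "function": pending[1],
                          "module": h["module"], "addr": int(h["addr"], 16)})
            pending = None
    return hooks


def triage(text):
    """Return (severity, message) pairs; these are heuristics, not verdicts."""
    sections = split_sections(text)
    findings = []
    for d in parse_drivers(sections.get("Drivers", [])):
        if not d.get("visible", True) and not EXPECTED_HIDDEN.match(d["name"]):
            findings.append(("high", f"loaded driver with no visible file: {d['path']}"))
    for h in parse_ssdt(sections.get("SSDT", [])):
        if h["module"] == "<unknown>":
            findings.append(("high", f"{h['function']} hooked from unattributed code at {h['addr']:#x}"))
        else:
            findings.append(("info", f"{h['function']} hooked by {h['module']}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE):
        print(f"[{severity}] {message}")
```

The 'high' lines are the ones to chase: a driver image that is loaded but invisible to the file API, or a system-call hook pointing into memory that belongs to no loaded module, is exactly the footprint a kernel-mode rootkit leaves. The 'info' lines are hooks by named drivers, which security products also install; a name alone does not prove the hook is benign, so confirm the file on disk is what it claims to be.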

FYI the rootkit is pissing me off with all its webpage redirections lol

Anyway here's the log:

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/03/10 22:24

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: 32872487.sys

Image Path: C:\WINDOWS\system32\DRIVERS\32872487.sys

Address: 0xAC1C2000 Size: 163840 File Visible: No

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xABE68000 Size: 98304 File Visible: No

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xBA616000 Size: 8192 File Visible: No

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA8D1E000 Size: 45056 File Visible: No

Status: -

Hidden/Locked Files

-------------------

Path: C:\WINDOWS\ServicePackFiles\i386\avc.sys

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Will\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Will\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ

Status: Locked to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090227.004\EraserUtilRebootDrv.sys

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Will\Desktop\Virus Removal Tool\is-7G11K\report\detected.idx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Will\Desktop\Virus Removal Tool\is-7G11K\report\detected.rpt

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Will\Desktop\Virus Removal Tool\is-7G11K\report\eventlog.rpt

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Will\Desktop\Virus Removal Tool\is-7G11K\report\report.rpt

Status: Locked to the Windows API!

SSDT

-------------------

#: 031 Function Name: NtConnectPort

Status: Hooked by "<unknown>" at address 0x8aeba220

#: 041 Function Name: NtCreateKey

Status: Hooked by "Lbd.sys" at address 0xba0f887e

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xaca48350

#: 177 Function Name: NtQueryValueKey

Status: Hooked by "<unknown>" at address 0x8a339208

#: 206 Function Name: NtResumeThread

Status: Hooked by "<unknown>" at address 0x8ae39b18

#: 247 Function Name: NtSetValueKey

Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xaca48580

Stealth Objects

-------------------

Object: Hidden Module [Name: LOG.Foundation.Implementation.DLL]

Process: MOM.exe (PID: 2868) Address: 0x00d60000 Size: 69632

Object: Hidden Module [Name: LOG.Foundation.DLL]

Process: MOM.exe (PID: 2868) Address: 0x00ce0000 Size: 45056

Object: Hidden Module [Name: MOM.Implementation.DLL]

Process: MOM.exe (PID: 2868) Address: 0x00cb0000 Size: 118784

Object: Hidden Module [Name: LOG.Foundation.Private.DLL]

Process: MOM.exe (PID: 2868) Address: 0x00d50000 Size: 45056

Object: Hidden Module [Name: MOM.Foundation.DLL]

Process: MOM.exe (PID: 2868) Address: 0x00e80000 Size: 28672

Object: Hidden Module [Name: LOG.Foundation.Implementation.Private.DLL]

Process: MOM.exe (PID: 2868) Address: 0x01110000 Size: 28672

Object: Hidden Module [Name: NEWAEM.Foundation.DLL]

Process: MOM.exe (PID: 2868) Address: 0x03280000 Size: 36864

Object: Hidden Module [Name: CCC.Implementation.DLL]

Process: MOM.exe (PID: 2868) Address: 0x03bc0000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04f30000 Size: 61440

Object: Hidden Module [Name: AEM.Actions.CCAA.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x049c0000 Size: 28672

Object: Hidden Module [Name: CLI.Foundation.DLL]

Process: ccc.exe (PID: 3660) Address: 0x00d40000 Size: 69632

Object: Hidden Module [Name: CCC.Implementation.DLL]

Process: ccc.exe (PID: 3660) Address: 0x00d00000 Size: 36864

Object: Hidden Module [Name: LOG.Foundation.DLL]

Process: ccc.exe (PID: 3660) Address: 0x00d20000 Size: 45056

Object: Hidden Module [Name: MOM.Foundation.DLL]

Process: ccc.exe (PID: 3660) Address: 0x00d30000 Size: 28672

Object: Hidden Module [Name: LOG.Foundation.Implementation.DLL]

Process: ccc.exe (PID: 3660) Address: 0x00d80000 Size: 69632

Object: Hidden Module [Name: LOG.Foundation.Implementation.Private.DLL]

Process: ccc.exe (PID: 3660) Address: 0x00d60000 Size: 28672

Object: Hidden Module [Name: LOG.Foundation.Private.DLL]

Process: ccc.exe (PID: 3660) Address: 0x00da0000 Size: 45056

Object: Hidden Module [Name: MOM.Implementation.DLL]

Process: ccc.exe (PID: 3660) Address: 0x01230000 Size: 118784

Object: Hidden Module [Name: CLI.Component.SkinFactory.DLL]

Process: ccc.exe (PID: 3660) Address: 0x01260000 Size: 61440

Object: Hidden Module [Name: LOCALIZATION.Foundation.Private.DLL]

Process: ccc.exe (PID: 3660) Address: 0x038c0000 Size: 28672

Object: Hidden Module [Name: CLI.Foundation.XManifest.DLL]

Process: ccc.exe (PID: 3660) Address: 0x03850000 Size: 36864

Object: Hidden Module [Name: CLI.Component.Runtime.Shared.Private.DLL]

Process: ccc.exe (PID: 3660) Address: 0x038b0000 Size: 53248

Object: Hidden Module [Name: CLI.Component.Runtime.DLL]

Process: ccc.exe (PID: 3660) Address: 0x038e0000 Size: 77824

Object: Hidden Module [Name: AxInterop.WBOCXLib.DLL]

Process: ccc.exe (PID: 3660) Address: 0x038d0000 Size: 36864

Object: Hidden Module [Name: CLI.Foundation.Private.DLL]

Process: ccc.exe (PID: 3660) Address: 0x03900000 Size: 53248

Object: Hidden Module [Name: ATICCCom.DLL]

Process: ccc.exe (PID: 3660) Address: 0x03930000 Size: 45056

Object: Hidden Module [Name: CLI.Component.Runtime.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x03920000 Size: 28672

Object: Hidden Module [Name: AEM.Server.DLL]

Process: ccc.exe (PID: 3660) Address: 0x03940000 Size: 53248

Object: Hidden Module [Name: NEWAEM.Foundation.DLL]

Process: ccc.exe (PID: 3660) Address: 0x039b0000 Size: 36864

Object: Hidden Module [Name: Interop.WBOCXLib.DLL]

Process: ccc.exe (PID: 3660) Address: 0x03aa0000 Size: 36864

Object: Hidden Module [Name: LOCALIZATION.Foundation.Implementation.DLL]

Process: ccc.exe (PID: 3660) Address: 0x03d10000 Size: 36864

Object: Hidden Module [Name: AEM.Plugin.Source.Kit.Server.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04250000 Size: 53248

Object: Hidden Module [Name: AEM.Server.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04240000 Size: 28672

Object: Hidden Module [Name: DEM.Foundation.DLL]

Process: ccc.exe (PID: 3660) Address: 0x043e0000 Size: 28672

Object: Hidden Module [Name: AEM.Plugin.WinMessages.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x042c0000 Size: 28672

Object: Hidden Module [Name: AEM.Plugin.Hotkeys.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04290000 Size: 28672

Object: Hidden Module [Name: AEM.Plugin.DPPE.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04270000 Size: 28672

Object: Hidden Module [Name: DEM.Graphics.I0601.DLL]

Process: ccc.exe (PID: 3660) Address: 0x043d0000 Size: 53248

Object: Hidden Module [Name: ATIDEMGX.dll]

Process: ccc.exe (PID: 3660) Address: 0x04400000 Size: 438272

Object: Hidden Module [Name: DEM.Graphics.DLL]

Process: ccc.exe (PID: 3660) Address: 0x043f0000 Size: 28672

Object: Hidden Module [Name: DEM.OS.I0602.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04920000 Size: 28672

Object: Hidden Module [Name: CLI.Caste.Graphics.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x048f0000 Size: 61440

Object: Hidden Module [Name: CLI.Caste.Graphics.Runtime.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04890000 Size: 274432

Object: Hidden Module [Name: ACE.Graphics.DisplaysManager.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04910000 Size: 36864

Object: Hidden Module [Name: ATIDEMOS.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04970000 Size: 77824

Object: Hidden Module [Name: DEM.Graphics.I0709.dll]

Process: ccc.exe (PID: 3660) Address: 0x04950000 Size: 28672

Object: Hidden Module [Name: DEM.OS.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04930000 Size: 28672

Object: Hidden Module [Name: AEM.Plugin.GD.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x049b0000 Size: 28672

Object: Hidden Module [Name: DEM.Graphics.I0804.dll]

Process: ccc.exe (PID: 3660) Address: 0x049f0000 Size: 28672

Object: Hidden Module [Name: DEM.Graphics.I0805.dll]

Process: ccc.exe (PID: 3660) Address: 0x04bf0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04bb0000 Size: 53248

Object: Hidden Module [Name: CLI.Aspect.HotkeysHandling.Graphics.Runtime.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04a50000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.HotkeysHandling.Graphics.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04a60000 Size: 28672

Object: Hidden Module [Name: CLI.Caste.Graphics.Runtime.Shared.Private.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04a70000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Runtime.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04b90000 Size: 77824

Object: Hidden Module [Name: CLI.Aspect.CustomFormats.Graphics.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04bd0000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DeviceProperty.Graphics.Runtime.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04bc0000 Size: 45056

Object: Hidden Module [Name: DEM.Graphics.I0706.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04c20000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceProperty.Graphics.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04c30000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04c70000 Size: 77824

Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Runtime.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04c50000 Size: 86016

Object: Hidden Module [Name: CLI.Aspect.DeviceCRT.Graphics.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04d30000 Size: 61440

Object: Hidden Module [Name: CLI.Aspect.DisplaysOptions.Graphics.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04cf0000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DisplaysColour2.Graphics.Runtime.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04ca0000 Size: 53248

Object: Hidden Module [Name: CLI.Aspect.DisplaysColour2.Graphics.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04cb0000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DisplaysOptions.Graphics.Runtime.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04ce0000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.DeviceCRT.Graphics.Runtime.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04d10000 Size: 53248

Object: Hidden Module [Name: CLI.Aspect.DeviceDFP.Graphics.Runtime.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04d70000 Size: 69632

Object: Hidden Module [Name: CLI.Aspect.DeviceLCD.Graphics.Runtime.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04d50000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.DeviceLCD.Graphics.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04d60000 Size: 36864

Object: Hidden Module [Name: DEM.Graphics.I0712.dll]

Process: ccc.exe (PID: 3660) Address: 0x04da0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceDFP.Graphics.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04d90000 Size: 61440

Object: Hidden Module [Name: CLI.Aspect.OverDrive5.Graphics.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04e60000 Size: 69632

Object: Hidden Module [Name: CLI.Aspect.VPURecover.Graphics.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04df0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.VPURecover.Graphics.Runtime.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04de0000 Size: 36864

Object: Hidden Module [Name: DEM.Graphics.I0703.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04e50000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.OverDrive5.Graphics.Runtime.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04e20000 Size: 86016

Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Runtime.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04ea0000 Size: 69632

Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04ec0000 Size: 61440

Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Runtime.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04f00000 Size: 86016

Object: Hidden Module [Name: CLI.Component.Client.Shared.Private.DLL]

Process: ccc.exe (PID: 3660) Address: 0x05580000 Size: 53248

Object: Hidden Module [Name: APM.Server.DLL]

Process: ccc.exe (PID: 3660) Address: 0x05070000 Size: 69632

Object: Hidden Module [Name: APM.Foundation.DLL]

Process: ccc.exe (PID: 3660) Address: 0x04f50000 Size: 28672

Object: Hidden Module [Name: AEM.Plugin.EEU.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x053f0000 Size: 28672

Object: Hidden Module [Name: CLI.Component.Runtime.Extension.EEU.DLL]

Process: ccc.exe (PID: 3660) Address: 0x052d0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.VPURecover.Graphics.Dashboard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x050a0000 Size: 118784

Object: Hidden Module [Name: CLI.Aspect.OverDrive5.Graphics.Dashboard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x051c0000 Size: 479232

Object: Hidden Module [Name: CLI.Component.Systemtray.DLL]

Process: ccc.exe (PID: 3660) Address: 0x05500000 Size: 487424

Object: Hidden Module [Name: CLI.Component.Wizard.Shared.Private.DLL]

Process: ccc.exe (PID: 3660) Address: 0x05760000 Size: 36864

Object: Hidden Module [Name: CLI.Component.Wizard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x056a0000 Size: 405504

Object: Hidden Module [Name: CLI.Component.Wizard.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x05730000 Size: 28672

Object: Hidden Module [Name: CLI.Component.Client.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x05720000 Size: 28672

Object: Hidden Module [Name: Branding.dll]

Process: ccc.exe (PID: 3660) Address: 0x05740000 Size: 28672

Object: Hidden Module [Name: CLI.Caste.Graphics.Wizard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x05750000 Size: 53248

Object: Hidden Module [Name: CLI.Caste.Graphics.Wizard.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x05870000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.InfoCentre.Graphics.Wizard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x05880000 Size: 217088

Object: Hidden Module [Name: CLI.Aspect.TransCode.Graphics.Wizard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x058e0000 Size: 495616

Object: Hidden Module [Name: CLI.Aspect.TransCode.Graphics.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x058d0000 Size: 53248

Object: Hidden Module [Name: atixclib.DLL]

Process: ccc.exe (PID: 3660) Address: 0x05970000 Size: 28672

Object: Hidden Module [Name: CLI.Caste.Graphics.Dashboard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x06770000 Size: 86016

Object: Hidden Module [Name: CLI.Aspect.DisplaysManager.Graphics.Wizard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x05b60000 Size: 1699840

Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Wizard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x059a0000 Size: 102400

Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Wizard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x06200000 Size: 413696

Object: Hidden Module [Name: CLI.Component.Dashboard.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x06650000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Wizard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x064a0000 Size: 700416

Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Wizard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x06390000 Size: 372736

Object: Hidden Module [Name: CLI.Component.Dashboard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x06550000 Size: 1036288

Object: Hidden Module [Name: CLI.Component.Dashboard.Shared.Private.DLL]

Process: ccc.exe (PID: 3660) Address: 0x06660000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.InfoCentre.Graphics.Dashboard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x067e0000 Size: 233472

Object: Hidden Module [Name: CLI.Caste.Graphics.Dashboard.Shared.DLL]

Process: ccc.exe (PID: 3660) Address: 0x067a0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.Welcome.Graphics.Dashboard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x067b0000 Size: 143360

Object: Hidden Module [Name: CLI.Aspect.DeviceCRT.Graphics.Dashboard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x068b0000 Size: 446464

Object: Hidden Module [Name: CLI.Aspect.DisplaysOptions.Graphics.Dashboard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x06890000 Size: 126976

Object: Hidden Module [Name: CLI.Aspect.DisplaysManager.Graphics.Dashboard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x06820000 Size: 446464

Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Dashboard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x069d0000 Size: 684032

Object: Hidden Module [Name: CLI.Aspect.DeviceDFP.Graphics.Dashboard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x06930000 Size: 462848

Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Dashboard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x06cd0000 Size: 364544

Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Dashboard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x06c00000 Size: 806912

Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Dashboard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x06ea0000 Size: 823296

Object: Hidden Module [Name: CLI.Aspect.DisplaysColour2.Graphics.Dashboard.DLL]

Process: ccc.exe (PID: 3660) Address: 0x06d30000 Size: 602112


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

C:\WINDOWS\system32\DRIVERS\32872487.sys

RegNull::

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{40886FA5-87BC-FDA7-0C1FAC01C243999B}\{19E564B2-522B-7AA8-1ACCCD0705265332}\{1F2DE655-6E2E-2DD5-8638E8D01A513D14}*]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A211FD50-104A-552A-E783321B77B5C9DA}\{4E700FFC-D5B6-D24A-08D9C51A05E3FA14}\{72F82311-8741-4D82-9043D22F7FAD5282}*]

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above (CFScriptB-4.gif), drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


I think that did it.

Log:

ComboFix 09-03-10.03 - Will 2009-03-11 17:39:07.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2663 [GMT -4:00]

Running from: c:\documents and settings\Will\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Will\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

FW: Symantec Client Firewall *enabled*

* Created a new restore point

FILE ::

c:\windows\system32\DRIVERS\32872487.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\mrxdavv.sys

c:\windows\system32\kwave.sys

.

((((((((((((((((((((((((( Files Created from 2009-02-11 to 2009-03-11 )))))))))))))))))))))))))))))))

.

2009-03-11 03:00 . 2004-08-04 08:00 221,184 --a------ c:\windows\system32\wmpns.dll

2009-03-10 20:19 . 2009-03-11 17:46 14,854,176 --ahs---- c:\windows\system32\drivers\fidbox.dat

2009-03-10 20:19 . 2009-03-11 17:42 174,560 --ahs---- c:\windows\system32\drivers\fidbox.idx

2009-03-09 21:22 . 2008-07-08 13:54 148,496 --a------ c:\windows\system32\drivers\02104168.sys

2009-03-05 23:30 . 2009-03-05 23:33 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2009-03-05 23:29 . 2009-03-05 23:29 95 --a------ c:\windows\wininit.ini

2009-03-05 21:46 . 2009-03-05 21:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-05 21:46 . 2009-03-05 21:46 <DIR> d-------- c:\documents and settings\Will\Application Data\Malwarebytes

2009-03-05 21:46 . 2009-03-05 21:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-05 21:46 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-05 21:46 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-04 18:02 . 2009-03-04 18:02 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Apple Computer

2009-02-28 01:39 . 2009-02-28 01:39 <DIR> d-------- c:\program files\LucasArts

2009-02-23 17:04 . 2009-02-23 17:14 <DIR> d-------- C:\ARENA

2009-02-23 17:01 . 2009-02-23 17:14 <DIR> d-------- c:\program files\DOSBox-0.72

2009-02-23 16:07 . 2009-02-23 16:07 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Apple Computer

2009-02-23 00:04 . 2009-02-23 00:04 8,784 --a------ c:\windows\system32\drivers\InCDPass.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-08 00:21 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-03-06 23:52 --------- d-----w c:\program files\World of Warcraft

2009-03-06 23:14 34 ----a-w c:\documents and settings\Will\jagex_runescape_preferences.dat

2009-03-04 21:57 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys

2009-02-28 05:39 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-27 18:59 --------- d-----w c:\program files\Microsoft Silverlight

2009-02-16 23:59 --------- d-----w c:\documents and settings\Will\Application Data\Bioshock

2009-02-16 05:02 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-02-16 05:02 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-02-15 20:57 --------- d-----w c:\program files\The Witcher

2009-02-15 17:35 --------- d-----w c:\program files\Bethesda Softworks

2009-02-06 04:23 --------- d-----w c:\program files\Game_Maker7

2009-02-03 22:34 --------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts

2009-01-29 23:53 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2009-01-29 23:53 22,328 ----a-w c:\documents and settings\Will\Application Data\PnkBstrK.sys

2009-01-26 21:56 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-01-26 21:56 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

2009-01-26 21:55 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-01-25 22:34 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE

2009-01-18 23:30 --------- d-----w c:\program files\Windows Live Safety Center

2009-01-15 01:06 --------- d-----w c:\program files\Electronic Arts

2009-01-15 01:02 --------- d-----w c:\program files\Common Files\InstallShield

2009-01-14 07:14 3,455,488 ----a-w c:\windows\system32\drivers\ati2mtag.sys

2009-01-14 03:43 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-03-07_21.23.22.54 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-02-09 11:08:53 1,847,552 ----a-w c:\windows\$hf_mig$\KB958690\SP3QFE\win32k.sys

+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB958690\spmsg.dll

+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB958690\spuninst.exe

+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB958690\update\spcustom.dll

+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB958690\update\update.exe

+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB958690\update\updspapi.dll

+ 2008-12-05 06:58:08 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3QFE\schannel.dll

+ 2007-11-30 11:18:51 17,272 ----a-w c:\windows\$hf_mig$\KB960225\spmsg.dll

+ 2007-11-30 11:18:51 231,288 ----a-w c:\windows\$hf_mig$\KB960225\spuninst.exe

+ 2007-11-30 11:18:51 26,488 ----a-w c:\windows\$hf_mig$\KB960225\update\spcustom.dll

+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB960225\update\update.exe

+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB960225\update\updspapi.dll

- 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE

+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE

- 2009-02-12 08:01:23 593,920 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe

+ 2009-03-11 07:01:21 593,920 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe

- 2009-02-12 08:01:23 12,288 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2009-03-11 07:01:21 12,288 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

- 2009-02-12 08:01:23 86,016 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe

+ 2009-03-11 07:01:21 86,016 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe

- 2009-02-12 08:01:23 135,168 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2009-03-11 07:01:20 135,168 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2009-02-12 08:01:23 11,264 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

+ 2009-03-11 07:01:21 11,264 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2009-02-12 08:01:23 27,136 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

+ 2009-03-11 07:01:21 27,136 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

- 2009-02-12 08:01:23 4,096 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2009-03-11 07:01:21 4,096 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

- 2009-02-12 08:01:24 794,624 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe

+ 2009-03-11 07:01:21 794,624 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe

- 2009-02-12 08:01:23 249,856 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe

+ 2009-03-11 07:01:21 249,856 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe

- 2009-02-12 08:01:23 61,440 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe

+ 2009-03-11 07:01:20 61,440 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe

- 2009-02-12 08:01:24 23,040 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

+ 2009-03-11 07:01:21 23,040 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2009-02-12 08:01:23 286,720 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

+ 2009-03-11 07:01:20 286,720 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

- 2009-02-12 08:01:23 409,600 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2009-03-11 07:01:20 409,600 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

- 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe

+ 2000-08-31 12:00:00 29,696 ----a-w c:\windows\NIRCMD.exe

- 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe

+ 2000-08-31 12:00:00 161,792 ----a-w c:\windows\SWREG.exe

+ 2008-12-05 06:54:55 144,896 -c----w c:\windows\system32\dllcache\schannel.dll

- 2008-09-15 12:12:56 1,846,400 -c----w c:\windows\system32\dllcache\win32k.sys

+ 2009-02-09 11:13:27 1,846,784 -c----w c:\windows\system32\dllcache\win32k.sys

- 2007-06-12 03:51:12 10,834,944 -c--a-w c:\windows\system32\dllcache\wmp.dll

+ 2008-11-11 22:34:42 10,838,016 -c--a-w c:\windows\system32\dllcache\wmp.dll

- 2008-12-02 02:16:50 1,534,176 ----a-w c:\windows\system32\FNTCACHE.DAT

+ 2009-03-11 07:07:40 1,534,176 ----a-w c:\windows\system32\FNTCACHE.DAT

- 2009-01-29 23:58:52 71,434 ----a-w c:\windows\system32\perfc009.dat

+ 2009-03-09 11:29:23 71,434 ----a-w c:\windows\system32\perfc009.dat

- 2009-01-29 23:58:52 439,792 ----a-w c:\windows\system32\perfh009.dat

+ 2009-03-09 11:29:23 439,792 ----a-w c:\windows\system32\perfh009.dat

- 2008-04-14 00:12:05 144,384 ----a-w c:\windows\system32\schannel.dll

+ 2008-12-05 06:54:55 144,896 ----a-w c:\windows\system32\schannel.dll

- 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll

+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll

- 2007-08-11 00:46:18 26,488 ----a-w c:\windows\system32\spupdsvc.exe

+ 2007-07-27 13:41:38 26,488 ----a-w c:\windows\system32\spupdsvc.exe

- 2008-09-15 12:12:56 1,846,400 ----a-w c:\windows\system32\win32k.sys

+ 2009-02-09 11:13:27 1,846,784 ----a-w c:\windows\system32\win32k.sys

- 2007-06-12 03:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll

+ 2008-11-11 22:34:42 10,838,016 ----a-w c:\windows\system32\wmp.dll

+ 2009-03-11 21:45:00 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_504.dat

+ 2008-04-15 17:47:33 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-10 94208]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-01-09 3321856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2006-09-27 125168]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"Launch PC Probe II"="c:\program files\ASUS\PC Probe II\Probe2.exe" [2008-11-11 2142720]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-04 515416]

"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"<NO NAME>"= 1

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\InCDPass.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=

"d:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=

"d:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=

"d:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-26 64160]

R1 is-VCEJPdrv;is-VCEJPdrv;c:\windows\system32\drivers\02104168.sys [2009-03-09 21:22:05 148496]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]

R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]

S3 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]

.

Contents of the 'Scheduled Tasks' folder

2009-03-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-04 17:57]

2009-03-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Will\Application Data\Mozilla\Firefox\Profiles\2mg20j1n.default\

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-11 17:45:27

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-1960408961-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:be,64,93,ca,39,f2,ab,86,14,61,61,0d,81,39,35,e2,67,c6,7e,89,d2,66,a2,

03,86,7e,77,82,df,62,be,22,38,28,42,ca,e1,e0,21,8d,38,aa,38,59,ba,71,d6,ab,\

"??"=hex:9d,6d,62,c7,7e,94,d3,01,62,72,da,46,cb,d1,2f,38

[HKEY_USERS\S-1-5-21-1390067357-1960408961-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:52,08,22,7d,b4,cc,d1,05,84,d1,5b,57,99,f5,9a,8b,57,0e,ac,32,e4,

47,b4,be,aa,03,55,5a,3b,f5,55,58,12,00,31,ad,7d,9d,bf,55,e6,e8,cc,d8,00,99,\

"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)

c:\windows\system32\Ati2evxx.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\ccProxy.exe

c:\program files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PnkBstrB.exe

c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

c:\program files\Common Files\Symantec Shared\SNDSrvc.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\ASUS\AASP\1.00.80\aaCenter.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-03-11 17:54:17 - machine was rebooted [Will]

ComboFix-quarantined-files.txt 2009-03-11 21:54:14

ComboFix2.txt 2009-03-08 03:21:42

ComboFix3.txt 2009-03-08 02:23:48

Pre-Run: 116,853,223,424 bytes free

Post-Run: 117,065,396,224 bytes free

271 --- E O F --- 2009-03-11 07:01:24


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

c:\windows\system32\drivers\02104168.sys

Driver::

is-VCEJPdrv

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above (CFScriptB-4.gif), drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

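The pattern in this thread, a Winlogon\Userinit detection that Malwarebytes removes and that comes back after every reboot together with driver files in system32 and system32\drivers that cannot be deleted, is what it looks like when a kernel driver restores its own persistence at boot; the fix only held once ComboFix deleted mrxdavv.sys and kwave.sys themselves. The script below is an added example, not code from the thread, from ComboFix or from Malwarebytes, that audits those two things on a current Windows system: it compares the Winlogon Userinit and Shell values against the defaults, then walks every kernel and file-system driver registered under CurrentControlSet\Services, resolves its ImagePath, and flags images that are missing or lack a valid Authenticode signature, printing a SHA-256 for anything flagged. Assumptions (mine, not the thread's): an elevated PowerShell 5.1 or later prompt, a default-install Winlogon configuration, and a modern Windows; the cmdlets used do not exist on the Windows XP machine in the thread.

```powershell
# Added example (not from the thread): triage the two persistence points the
# thread's logs showed, Winlogon autostart values and registered kernel drivers.
# Assumes an elevated PowerShell 5.1+ session on a modern Windows.
$ErrorActionPreference = 'Stop'

# 1. Winlogon values that boot-time malware commonly rewrites. The expected
#    values are the defaults of a clean install (assumption; adjust if you
#    deliberately changed them). Note the trailing comma on Userinit.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
    Shell    = 'explorer.exe'
}
$props = Get-ItemProperty -Path $winlogon
foreach ($name in $expected.Keys) {
    $actual = [string]$props.$name
    if ($actual -ne $expected[$name]) {
        Write-Warning "Winlogon\$name = '$actual' (expected '$($expected[$name])')"
    } else {
        Write-Host "Winlogon\$name OK"
    }
}

# 2. Every kernel driver (Type 1) and file-system driver (Type 2) registered
#    under Services. Droppers like the mrxdavv.sys / kwave.sys pair in the
#    thread show up here as unsigned, oddly named files in system32\drivers.
$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($svc in $services) {
    $p = Get-ItemProperty -Path $svc.PSPath
    if (-not $p.ImagePath) { continue }
    if ($p.Type -ne 1 -and $p.Type -ne 2) { continue }   # skip user-mode services

    # ImagePath comes in several NT-native spellings; normalise to a Win32 path.
    $path = $p.ImagePath -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
                         -replace '^\\\?\?\\', '' `
                         -replace '^system32\\', "$env:SystemRoot\system32\"
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot $path
    }

    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$($svc.PSChildName): image missing on disk: $path"
        continue
    }

    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Write-Warning ("{0}: {1} signature={2} sha256={3}" -f `
            $svc.PSChildName, $path, $sig.Status, $hash)
    }
}
```

Two caveats before acting on the output. Many legitimate in-box drivers are signed only through a catalog, and depending on the Windows build Get-AuthenticodeSignature may report them as NotSigned, so an entry in the second list is a lead to hash and look up, not a verdict. More importantly, a rootkit of the kind in this thread can hide its files and registry entries from the running system, which is exactly why the OP's Malwarebytes deletions failed on reboot; if the first check fails repeatedly after cleaning, run the checks (or the cleanup) from an offline boot environment rather than trusting what the infected kernel shows you.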

  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

