
mrxdavv.sys and kwave.sys



I'm having trouble getting rid of these files, and would highly appreciate some help! After running Malwarebytes and anti-virus software, its existence continues to be persistent. Now I find that my AVG no longer works and I'm assuming it's related to this...?

My Malwarebytes and HijackThis logs:

Malwarebytes' Anti-Malware 1.36

Database version: 2066

Windows 5.1.2600 Service Pack 2

5/1/2009 11:49:40 PM

mbam-log-2009-05-01 (23-49-40).txt

Scan type: Quick Scan

Objects scanned: 89345

Time elapsed: 3 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

----------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:51:20 PM, on 5/1/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Analog Devices\SoundMAX\smax4.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe

C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe

C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Hotspot Shield\bin\openvpnas.exe

C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe

O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [DL32] DL32

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1207267437000

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe

O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 5277 bytes

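As an added example (not from this thread, nor from HijackThis, ComboFix or Malwarebytes), a short Python triage script over the HijackThis entry format shown above. It flags the three indicators these logs carry: an IE ProxyServer pointing at a loopback listener (localhost:7171, which the later ComboFix log shows mirrored into the Firefox proxy prefs), a Run value whose target is a bare name with no path (the [DL32] entry), and "(file missing)" entries belonging to the installed security product, which lines up with the poster's report that AVG stopped working. The sample lines are copied from the log above, and the heuristics and the security-product path list are this example's own assumptions, not rules taken from any of those tools.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample: a handful of the HijackThis entries pasted in the thread above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [DL32] DL32
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>.*)$")
RUN_RE = re.compile(r"Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Loopback hosts: a proxy here means browser traffic is handed to a process on this machine.
LOCAL_HOSTS = ("localhost", "127.0.0.1")
# Path fragments of the security products installed on the system in the thread
# (assumption: a real triage tool would carry a much fuller list).
SECURITY_PATHS = ("\\avg\\", "\\malwarebytes", "\\superantispyware\\", "\\lavasoft\\")


@dataclass
class Entry:
    section: str
    body: str


def parse_hjt(text: str) -> List[Entry]:
    """Parse the entry lines of a HijackThis log; header and process lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def proxy_to_localhost(e: Entry) -> Optional[str]:
    """R1 ProxyServer whose host is loopback: traffic is being relayed by a local process."""
    if e.section != "R1":
        return None
    m = PROXY_RE.search(e.body)
    if not m:
        return None
    # Value looks like "http=localhost:7171" or "host:port;https=host:port"; check every host.
    for part in m.group("value").split(";"):
        hostport = part.split("=")[-1].strip()
        host = hostport.rsplit(":", 1)[0].strip("[]").lower()
        if host in LOCAL_HOSTS:
            return f"browser proxy routes traffic to a local listener at {hostport}"
    return None


def unresolved_autorun(e: Entry) -> Optional[str]:
    """O4 Run value whose command is a bare name: no path and no extension to resolve."""
    if e.section != "O4":
        return None
    m = RUN_RE.search(e.body)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    target = cmd.split()[0].strip('"') if cmd else ""
    if target and "\\" not in target and "." not in target:
        return f"autorun [{m.group('name')}] has no resolvable target: {cmd!r}"
    return None


def missing_security_component(e: Entry) -> Optional[str]:
    """Any entry whose file is missing and whose path belongs to a security product."""
    body = e.body.lower()
    if "(file missing)" not in body:
        return None
    if any(p in body for p in SECURITY_PATHS):
        return f"security product component missing on disk: {e.body}"
    return None


CHECKS: Tuple[Callable[[Entry], Optional[str]], ...] = (
    proxy_to_localhost, unresolved_autorun, missing_security_component)


def triage(text: str) -> List[Tuple[str, str]]:
    """Run every check over every entry; returns (section, finding) pairs in log order."""
    findings = []
    for entry in parse_hjt(text):
        for check in CHECKS:
            msg = check(entry)
            if msg:
                findings.append((entry.section, msg))
    return findings


if __name__ == "__main__":
    for section, finding in triage(SAMPLE_LOG):
        print(f"{section}: {finding}")
```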

  • Root Admin

Sorry for the delay - currently the site is just too busy for us to handle all of the requests for help. Some other sites are now posting a wait time of up to 10 days.

If you're still there and need assistance please let me know and I'll help you out.

Thanks.


Since I last posted my Malwarebytes log, I think I may have been affected with something else that keeps reappearing after I reboot (ld08.exe), but anyway here is my HaxFix log:

HAXFIX logfile - by Marckie

version 5.076

Fri 05/08/2009 7:59:42.95

running from C:\HaxFix

--- Checking for Haxdoor ---

checking for a3d files

a3d files not found

checking for matching notify keys

no matching notify keys found

checking for matching services

no matching services found

checking for matching safeboot services

no matching safeboot services found

--- Checking for Goldun - Spybanker ---

checking for SSODL keys

no ssodl keys found

checking for notify keys

no notify keys found

checking for services

no services found

checking for random used files and services

-- these files are not necessarily malicious

-- scanning all folders

C:\Documents and Settings\ena\Desktop\Dramas\FIX YOUR FACE\Thumbs.db

C:\Documents and Settings\ena\Desktop\new music\Camp Rock\Thumbs.db

C:\Documents and Settings\ena\Local Settings\Temp\webscarab1377.tmp\conversations\5-response

C:\Documents and Settings\ena\My Documents\My Pictures\Picasa Exports\Ceyona\Thumbs.db

C:\Lxk3100Series\drivers\scan\ENGLISH\lxbrtemp.dl_

C:\Program Files\DAEMON Tools Lite\Plugins\Images\iszmount.dll

C:\Program Files\Java\jdk1.6.0_07\demo\jvmti\waiters\lib\waiters.dll

C:\Program Files\Java\jdk1.6.0_07\demo\management\FullThreadDump\FullThreadDump.jar

C:\Program Files\Lexmark 3100 Series\Drivers\English\lxbrtemp.dl_

C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AN00965_.WMF

C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107658.WMF

C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00191_.WMF

C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0285822.WMF

C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0285820.WMF

C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA01152_.WMF

C:\Program Files\Microsoft Office\OFFICE11\1033\OWHTOC.XML

C:\Program Files\Microsoft Office\Office12\1033\PROTTPLN.XLS

C:\Program Files\Microsoft Office\Office12\1033\PROTTPLV.XLS

C:\Program Files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\QuickTimeAudioSupport.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\da.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\de.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\en.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\fi.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\it.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\ko.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\nb.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\pl.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\pt_PT.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\ru.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\sv.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\zh_CN.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\zh_TW.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\ko.lproj\QuickTimeAudioSupportLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTimeAudioSupport.Resources\zh_TW.lproj\QuickTimeAudioSupportLocalized.qtr

C:\WINDOWS\Fonts\ega40857.fon

C:\WINDOWS\Fonts\modern.fon

C:\WINDOWS\inf\netel90a.inf

C:\WINDOWS\inf\netel980.inf

C:\WINDOWS\inf\netdf650.PNF

C:\WINDOWS\inf\mtxvideo.PNF

C:\WINDOWS\system32\eventvwr.exe

C:\WINDOWS\system32\vidccleaner.exe

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\eula.1044.txt

C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_3187.xml

C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\dlttape.sys

C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\fxsperf.dll

C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\mscortim.dll

C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\snmptrap.exe

C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\tty.dll

C:\WINDOWS\system32\dllcache\eventvwr.exe

C:\WINDOWS\system32\dllcache\fxsperf.dll

C:\WINDOWS\system32\dllcache\infoctrs.dll

C:\WINDOWS\system32\dllcache\modern.fon

C:\WINDOWS\system32\dllcache\snmptrap.exe

C:\WINDOWS\system32\drivers\Rtlnicxp.sys

C:\WINDOWS\system32\drivers\sptd.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RTL8023xp

Imagepath REG_EXPAND_SZ system32\DRIVERS\Rtlnicxp.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd

Imagepath REG_EXPAND_SZ System32\Drivers\sptd.sys

checking for browser helper objects

no known browser helper objects found

checking for appinit files

no files found

checking for possible infected files

please submit these file here: http://www.bleepingcomputer.com/submit-mal....php?channel=11

C:\WINDOWS\system32\smshell.dll] 593F7AFE30B3E0E007565086606A39C7

checking for Active Setup Installed Components

no known Active Setup Installed Components found

checking iexplore.exe

iexplore.exe is not infected

--- Checking for other Goldun, Spybanker and Haxdoor files ---

C:\WINDOWS\system32\dz1.txt

C:\WINDOWS\system32\p1.txt

C:\WINDOWS\system32\r24.txt

C:\WINDOWS\system32\kwave.sys --- rootkitfile

C:\WINDOWS\system32\drivers\mrxdavv.sys --- rootkitfile

--- Catchme logfile - thank you Gmer ---

catchme 0.3.1380.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-08 08:10:12

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools Lite\"

"h0"=dword:00000000

"khjeh"=hex:be,d7,8b,85,b3,47,23,15,65,97,cd,01,97,fa,50,4b,61,89,65,0a,8f,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,55,e7,0f,a1,63,f9,07,bb,95,dc,94,93,f3,0e,da,4e,2b,..

"khjeh"=hex:fe,a3,36,de,a0,10,d1,d1,7a,8b,32,bb,1d,a6,2d,6e,ab,f5,7c,b4,64,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:b7,5e,9a,ce,de,64,d6,6c,6c,2e,17,55,e4,9d,e4,93,44,ac,ab,43,3c,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools Lite\"

"h0"=dword:00000000

"khjeh"=hex:be,d7,8b,85,b3,47,23,15,65,97,cd,01,97,fa,50,4b,61,89,65,0a,8f,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,55,e7,0f,a1,63,f9,07,bb,95,dc,94,93,f3,0e,da,4e,2b,..

"khjeh"=hex:fe,a3,36,de,a0,10,d1,d1,7a,8b,32,bb,1d,a6,2d,6e,ab,f5,7c,b4,64,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:b7,5e,9a,ce,de,64,d6,6c,6c,2e,17,55,e4,9d,e4,93,44,ac,ab,43,3c,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

--- Analysing Catchme logfile ---

no matching regkeys found

Finished!


  • Root Admin

STEP 01

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note:

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

STEP 02

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan. When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt

STEP 03

Please create a BOOTLOG
  • Delete the following file if it exists: C:\Windows\ntbtlog.txt
  • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
  • Select the "Enable Boot Logging" option and press Enter.
  • Windows prompts you to select a Windows installation (even if there is only one Windows installation).
  • This boots Windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows.

Ah. I got ahead of myself, failing to read that I had to disable my antivirus' Resident Shield, and just closed AVG in my system tray. So I actually ran ComboFix with AVG still enabled :S. Should I post the log that I received from that run, or will I have to do it again or do something differently?


ComboFix log

ComboFix 09-05-08.03 - ena 05/08/2009 16:32.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.632 [GMT -5:00]

Running from: c:\documents and settings\ena\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\ena\Application Data\wiaserva.log

c:\windows\ld08.exe

c:\windows\system32\drivers\mrxdavv.sys

c:\windows\system32\dz1.txt

c:\windows\system32\inform.dat

c:\windows\system32\kjs

c:\windows\system32\kwave.sys

c:\windows\system32\monqAJlm.ini

c:\windows\system32\monqAJlm.ini2

c:\windows\system32\msvqkrqc.ini

c:\windows\system32\p1.txt

c:\windows\system32\pAGilnmp.ini

c:\windows\system32\pAGilnmp.ini2

c:\windows\system32\qihxnogn.ini

c:\windows\system32\r24.txt

c:\windows\system32\StwGNXbc.ini

c:\windows\system32\StwGNXbc.ini2

c:\windows\system32\SYS32DLL.exe

c:\windows\system32\tqhdlbst.ini

c:\windows\system32\wbem\grpconv.exe

.

((((((((((((((((((((((((( Files Created from 2009-04-08 to 2009-05-08 )))))))))))))))))))))))))))))))

.

2009-05-08 21:24 . 2009-05-08 21:24 410984 ----a-w c:\windows\system32\deploytk.dll

2009-05-08 12:59 . 2009-05-08 12:58 517246 ----a-w C:\HaxFix.exe

2009-05-08 12:59 . 2009-05-08 13:12 -------- d-----w C:\HaxFix

2009-05-08 12:57 . 2009-05-08 12:57 2 ---h--w c:\windows\t55ft2692f44.dat

2009-05-08 12:56 . 2009-05-08 12:56 16896 ----a-w c:\windows\st_1241806698.exe

2009-05-07 21:38 . 2009-05-07 21:38 33792 ----a-w c:\windows\system32\fagw32.dll

2009-05-06 05:16 . 2009-05-07 03:36 -------- d-----w c:\documents and settings\ena\Application Data\AVGTOOLBAR

2009-05-06 04:53 . 2009-05-06 04:53 -------- d-----w c:\program files\CCleaner

2009-05-02 04:38 . 2009-05-02 04:38 -------- d-----w c:\program files\Trend Micro

2009-05-02 02:51 . 2009-05-02 02:51 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-05-02 02:40 . 2009-05-02 02:40 -------- d-----w c:\documents and settings\ena\DoctorWeb

2009-04-30 05:34 . 2009-04-30 05:34 -------- d-----w c:\documents and settings\ena\Application Data\Malwarebytes

2009-04-30 05:34 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-30 05:34 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-30 05:34 . 2009-04-30 05:34 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-04-30 05:34 . 2009-04-30 05:34 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-29 20:39 . 2009-05-01 15:04 11952 ----a-w c:\windows\system32\avgrsstx.dll

2009-04-29 20:39 . 2009-05-01 15:03 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys

2009-04-29 20:39 . 2009-05-01 15:04 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys

2009-04-29 20:39 . 2009-05-08 21:09 -------- d-----w c:\windows\system32\drivers\Avg

2009-04-28 18:32 . 2009-04-29 20:34 7 ----a-w c:\windows\system32\nar.bin

2009-04-28 17:37 . 2009-04-28 17:37 8768 ----a-w c:\windows\system32\drivers\Rtlnicxp.sys

2009-04-28 17:37 . 2009-04-28 17:37 4707 ----a-w c:\windows\system32\z98a.bin

2009-04-10 05:45 . 2009-03-11 03:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe

2009-04-10 05:45 . 2009-03-11 03:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe

2009-04-10 05:45 . 2009-04-10 05:45 -------- d-----w c:\windows\system32\KB905474

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-08 21:24 . 2008-04-04 05:12 -------- d-----w c:\program files\Java

2009-04-28 17:37 . 2008-05-04 23:02 8768 ----a-w c:\windows\system32\drivers\sptd.sys

2009-03-20 22:27 . 2009-03-20 22:27 27136 ----a-w c:\windows\system32\drivers\tapvpn.sys

2009-03-06 14:44 . 2004-08-04 01:07 283648 ----a-w c:\windows\system32\pdh.dll

2009-02-25 05:35 . 2008-04-07 05:54 47592 ----a-w c:\documents and settings\ena\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-02-22 04:36 . 2009-02-22 04:37 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys

2009-02-20 08:30 . 2004-08-04 01:07 81920 ----a-w c:\windows\system32\ieencode.dll

2009-02-20 08:30 . 2004-08-04 01:07 659456 ----a-w c:\windows\system32\wininet.dll

2009-02-15 04:12 . 2009-02-15 04:12 843 ----a-w C:\changekey.vbs

2009-02-09 10:20 . 2004-08-04 01:07 723456 ----a-w c:\windows\system32\lsasrv.dll

2009-02-09 10:20 . 2004-08-04 01:07 399360 ----a-w c:\windows\system32\rpcss.dll

2009-02-09 10:20 . 2004-08-04 01:07 714752 ----a-w c:\windows\system32\ntdll.dll

2009-02-09 10:20 . 2004-08-04 01:07 616960 ----a-w c:\windows\system32\advapi32.dll

2009-02-09 10:19 . 2004-08-04 01:07 1846272 ----a-w c:\windows\system32\win32k.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DL32"="DL32" [X]

"SYS32DLL"="SYS32DLL" [X]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 1368064]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-08 148888]

"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]

"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-07-29 106496]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-06 1947928]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"EnableProfileQuota"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2007-04-19 18:41 294912 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-05-01 15:04 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rtlnicxp.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=

"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/29/2009 3:39 PM 325896]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/29/2009 3:39 PM 108552]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/29/2008 5:03 PM 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 5:03 PM 51440]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/6/2009 12:16 AM 298776]

R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;c:\windows\system32\drivers\m4cxw2k3.sys [2/15/2007 9:04 AM 250752]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 4096]

S3 sk98xwin;NDIS5 Miniport Driver for SysKonnect SK-98xx Gigabit Ethernet Server Adapter (SK-NET GE);c:\windows\system32\drivers\sk98xwin.SYS [2/14/2009 4:18 PM 94698]

S3 SkFpWin;SysKonnect FDDI PCI Adapter Driver;c:\windows\system32\drivers\SkFpWin.SYS [2/14/2009 4:05 PM 91294]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{901A929E-1477-4b67-94FA-7A8EE43ED159}]

rundll32 fagw32.dll,InitO

.

Contents of the 'Scheduled Tasks' folder

2009-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2009-05-08 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 03:18]

.

- - - - ORPHANS REMOVED - - - -

BHO-{BE83C3B6-0F77-436c-88B1-A56124A743CB} - (no file)

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local;<local>

uInternet Settings,ProxyServer = http=localhost:7171

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\ena\Application Data\Mozilla\Firefox\Profiles\0sd3pd9a.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: network.proxy.ftp - localhost

FF - prefs.js: network.proxy.ftp_port - 8008

FF - prefs.js: network.proxy.gopher - localhost

FF - prefs.js: network.proxy.gopher_port - 8008

FF - prefs.js: network.proxy.http - localhost

FF - prefs.js: network.proxy.http_port - 7171

FF - prefs.js: network.proxy.socks - localhost

FF - prefs.js: network.proxy.socks_port - 8008

FF - prefs.js: network.proxy.ssl - localhost

FF - prefs.js: network.proxy.ssl_port - 8008

FF - prefs.js: network.proxy.type - 1

FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll

FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-08 16:37

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3268)

c:\windows\system32\shdoclc.dll

c:\program files\SUPERAntiSpyware\SASSEH.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\system32\rundll32.exe

c:\program files\Lexmark 3100 Series\lxbrbmon.exe

c:\windows\system32\rundll32.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Lexmark 3100 Series\lxbrcmon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

.

**************************************************************************

.

Completion time: 2009-05-08 16:40 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-08 21:40

Pre-Run: 141,390,057,472 bytes free

Post-Run: 142,864,666,624 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

211 --- E O F --- 2009-04-30 08:00

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:07:11 PM, on 5/8/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe

C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe

C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: (no name) - {BE83C3B6-0F77-436c-88B1-A56124A743CB} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe

O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [DL32] DL32

O4 - HKCU\..\Run: [sYS32DLL] SYS32DLL

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1207267437000

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 5969 bytes


DDS.txt

DDS (Ver_09-03-16.01) - NTFSx86

Run by ena at 17:09:23.60 on Fri 05/08/2009

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.665 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe

C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe

C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe

C:\WINDOWS\system32\rundll32.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

svchost

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\ena\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local;<local>

uInternet Settings,ProxyServer = http=localhost:7171

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL

BHO: {BE83C3B6-0F77-436c-88B1-A56124A743CB} - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [DL32] DL32

uRun: [sYS32DLL] SYS32DLL

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [LXBRKsk] c:\progra~1\lexmar~1\LXBRKsk.exe

mRun: [Lexmark 3100 Series] "c:\program files\lexmark 3100 series\lxbrbmgr.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

uPolicies-system: EnableProfileQuota = 1 (0x1)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207267437000

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: avgrsstarter - avgrsstx.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ena\applic~1\mozilla\firefox\profiles\0sd3pd9a.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll

FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-29 325896]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-29 27784]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-29 108552]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-2-29 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 51440]

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-6 298776]

S3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;c:\windows\system32\drivers\m4cxw2k3.sys [2007-2-15 250752]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

S3 sk98xwin;NDIS5 Miniport Driver for SysKonnect SK-98xx Gigabit Ethernet Server Adapter (SK-NET GE);c:\windows\system32\drivers\sk98xwin.SYS [2009-2-14 94698]

S3 SkFpWin;SysKonnect FDDI PCI Adapter Driver;c:\windows\system32\drivers\SkFpWin.SYS [2009-2-14 91294]

=============== Created Last 30 ================

2009-05-08 17:06 244 a---h--- C:\sqmnoopt13.sqm

2009-05-08 17:06 232 a---h--- C:\sqmdata13.sqm

2009-05-08 16:49 244 a---h--- C:\sqmnoopt12.sqm

2009-05-08 16:49 232 a---h--- C:\sqmdata12.sqm

2009-05-08 16:32 <DIR> a-dshr-- C:\cmdcons

2009-05-08 16:30 161,792 a------- c:\windows\SWREG.exe

2009-05-08 16:30 98,816 a------- c:\windows\sed.exe

2009-05-08 16:24 410,984 a------- c:\windows\system32\deploytk.dll

2009-05-08 16:22 244 a---h--- C:\sqmnoopt11.sqm

2009-05-08 16:22 232 a---h--- C:\sqmdata11.sqm

2009-05-08 07:59 517,246 a------- C:\HaxFix.exe

2009-05-08 07:59 <DIR> --d----- C:\HaxFix

2009-05-08 07:57 232 a---h--- C:\sqmdata10.sqm

2009-05-08 07:57 244 a---h--- C:\sqmnoopt10.sqm

2009-05-08 07:57 2 ----h--- c:\windows\t55ft2692f44.dat

2009-05-08 07:56 16,896 a------- c:\windows\st_1241806698.exe

2009-05-08 07:54 244 a---h--- C:\sqmnoopt09.sqm

2009-05-08 07:54 232 a---h--- C:\sqmdata09.sqm

2009-05-07 23:54 232 a---h--- C:\sqmdata08.sqm

2009-05-07 23:54 244 a---h--- C:\sqmnoopt08.sqm

2009-05-07 21:51 244 a---h--- C:\sqmnoopt07.sqm

2009-05-07 21:51 232 a---h--- C:\sqmdata07.sqm

2009-05-07 21:49 244 a---h--- C:\sqmnoopt06.sqm

2009-05-07 21:49 232 a---h--- C:\sqmdata06.sqm

2009-05-07 21:37 244 a---h--- C:\sqmnoopt05.sqm

2009-05-07 21:37 232 a---h--- C:\sqmdata05.sqm

2009-05-07 16:38 33,792 a------- c:\windows\system32\fagw32.dll

2009-05-07 16:38 77,698 a------- c:\windows\system32\mjwa

2009-05-06 00:16 <DIR> --d----- c:\docume~1\ena\applic~1\AVGTOOLBAR

2009-05-05 23:53 <DIR> --d----- c:\program files\CCleaner

2009-05-01 23:38 <DIR> --d----- c:\program files\Trend Micro

2009-05-01 21:40 <DIR> --d----- c:\documents and settings\ena\DoctorWeb

2009-04-30 00:34 <DIR> --d----- c:\docume~1\ena\applic~1\Malwarebytes

2009-04-30 00:34 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-04-30 00:34 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-30 00:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-04-30 00:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-04-29 15:39 11,952 a------- c:\windows\system32\avgrsstx.dll

2009-04-29 15:39 108,552 a------- c:\windows\system32\drivers\avgtdix.sys

2009-04-29 15:39 325,896 a------- c:\windows\system32\drivers\avgldx86.sys

2009-04-29 15:39 <DIR> --d----- c:\windows\system32\drivers\Avg

2009-04-28 13:32 7 a------- c:\windows\system32\nar.bin

2009-04-28 12:37 8,768 a------- c:\windows\system32\drivers\Rtlnicxp.sys

2009-04-28 12:37 4,707 a------- c:\windows\system32\z98a.bin

2009-04-10 00:45 <DIR> --d----- c:\windows\system32\KB905474

2009-04-08 21:55 244 a---h--- C:\sqmnoopt04.sqm

2009-04-08 21:55 232 a---h--- C:\sqmdata04.sqm

==================== Find3M ====================

2009-04-28 12:37 8,768 a------- c:\windows\system32\drivers\sptd.sys

2009-03-20 17:27 27,136 a------- c:\windows\system32\drivers\tapvpn.sys

2009-03-06 09:44 283,648 a------- c:\windows\system32\pdh.dll

2009-02-20 03:30 659,456 a------- c:\windows\system32\wininet.dll

2009-02-20 03:30 81,920 a------- c:\windows\system32\ieencode.dll

2009-02-14 23:12 843 a------- C:\changekey.vbs

2009-02-09 05:20 723,456 a------- c:\windows\system32\lsasrv.dll

2009-02-09 05:20 399,360 a------- c:\windows\system32\rpcss.dll

2009-02-09 05:20 714,752 a------- c:\windows\system32\ntdll.dll

2009-02-09 05:20 616,960 a------- c:\windows\system32\advapi32.dll

2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k.sys

============= FINISH: 17:09:37.32 ===============

Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 4/3/2008 2:21:02 PM

System Uptime: 5/8/2009 4:50:40 PM (1 hours ago)

Motherboard: ASUSTeK Computer Inc. | | P5P800

Processor: Intel® Pentium® 4 CPU 3.20GHz | Socket 775 | 3207/200mhz

Processor: Intel® Pentium® 4 CPU 3.20GHz | Socket 775 | 3207/200mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 234 GiB total, 133.064 GiB free.

D: is CDROM ()

E: is FIXED (NTFS) - 75 GiB total, 6.686 GiB free.

F: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: D-Link DGE-530T V.B1 Gigabit Ethernet Adapter

Device ID: PCI\VEN_1186&DEV_4B01&SUBSYS_4B011186&REV_11\4&2E98101C&0&60F0

Manufacturer: D-Link Corporation

Name: D-Link DGE-530T V.B1 Gigabit Ethernet Adapter

PNP Device ID: PCI\VEN_1186&DEV_4B01&SUBSYS_4B011186&REV_11\4&2E98101C&0&60F0

Service: m4cxw2k3

==== System Restore Points ===================

RP209: 2/3/2009 7:40:41 PM - System Checkpoint

RP210: 2/4/2009 8:28:17 PM - System Checkpoint

RP211: 2/6/2009 7:06:18 PM - System Checkpoint

RP212: 2/8/2009 9:24:24 AM - System Checkpoint

RP213: 2/9/2009 8:12:10 PM - System Checkpoint

RP214: 2/10/2009 7:51:30 PM - Avg8 Update

RP215: 2/13/2009 2:46:04 AM - System Checkpoint

RP216: 2/13/2009 5:46:32 PM - Avg8 Update

RP217: 2/14/2009 2:42:44 PM - Installed REALTEK Gigabit and Fast Ethernet NIC Driver

RP218: 2/14/2009 2:43:53 PM - Installed REALTEK Gigabit and Fast Ethernet NIC Driver

RP219: 2/14/2009 2:50:37 PM - Installed REALTEK Gigabit and Fast Ethernet NIC Driver

RP220: 2/14/2009 2:53:02 PM - Installed REALTEK Gigabit and Fast Ethernet NIC Driver

RP221: 2/14/2009 2:53:34 PM - Installed REALTEK Gigabit and Fast Ethernet NIC Driver

RP222: 2/14/2009 2:55:40 PM - Removed REALTEK Gigabit and Fast Ethernet NIC Driver

RP223: 2/14/2009 3:00:14 PM - Installed REALTEK Gigabit and Fast Ethernet NIC Driver

RP224: 2/14/2009 3:05:56 PM - Installed REALTEK Gigabit and Fast Ethernet NIC Driver

RP225: 2/14/2009 3:23:38 PM - Removed REALTEK Gigabit and Fast Ethernet NIC Driver

RP226: 2/14/2009 3:25:50 PM - Installed REALTEK Gigabit and Fast Ethernet NIC Driver

RP227: 2/14/2009 3:32:38 PM - Installed REALTEK Gigabit and Fast Ethernet NIC Driver

RP228: 2/14/2009 3:33:34 PM - Removed REALTEK Gigabit and Fast Ethernet NIC Driver

RP229: 2/14/2009 3:33:45 PM - Installed REALTEK Gigabit and Fast Ethernet NIC Driver

RP230: 2/14/2009 4:16:02 PM - Removed REALTEK Gigabit and Fast Ethernet NIC Driver

RP231: 2/14/2009 4:16:38 PM - Installed REALTEK Gigabit and Fast Ethernet NIC Driver

RP232: 2/14/2009 5:56:38 PM - Installed Samsung USB Driver

RP233: 2/14/2009 5:57:53 PM - Removed REALTEK Gigabit and Fast Ethernet NIC Driver

RP234: 2/14/2009 5:59:11 PM - Installed D-Link DGE-530T

RP235: 2/14/2009 6:46:35 PM - Software Distribution Service 3.0

RP236: 2/14/2009 9:36:40 PM - Software Distribution Service 3.0

RP237: 2/16/2009 6:27:24 PM - Software Distribution Service 3.0

RP238: 2/17/2009 1:30:26 AM - Software Distribution Service 3.0

RP239: 2/18/2009 5:23:57 PM - Software Distribution Service 3.0

RP240: 2/21/2009 1:55:34 PM - System Checkpoint

RP241: 2/22/2009 2:03:35 PM - System Checkpoint

RP242: 2/25/2009 8:23:54 PM - Software Distribution Service 3.0

RP243: 3/1/2009 7:13:22 PM - System Checkpoint

RP244: 3/3/2009 7:03:36 PM - System Checkpoint

RP245: 3/6/2009 7:07:54 AM - Software Distribution Service 3.0

RP246: 3/7/2009 5:51:09 PM - System Checkpoint

RP247: 3/9/2009 5:39:18 PM - System Checkpoint

RP248: 3/10/2009 7:12:42 PM - System Checkpoint

RP249: 3/11/2009 1:24:07 AM - Software Distribution Service 3.0

RP250: 3/12/2009 5:50:02 PM - System Checkpoint

RP251: 3/13/2009 8:53:50 PM - System Checkpoint

RP252: 3/15/2009 10:05:27 PM - System Checkpoint

RP253: 3/17/2009 5:43:27 PM - Avg8 Update

RP254: 3/17/2009 5:44:46 PM - Avg8 Update

RP255: 3/21/2009 10:41:41 AM - Software Distribution Service 3.0

RP256: 3/23/2009 9:47:07 PM - System Checkpoint

RP257: 3/25/2009 4:05:21 AM - System Checkpoint

RP258: 3/25/2009 4:53:44 PM - Avg8 Update

RP259: 3/25/2009 4:54:47 PM - Avg8 Update

RP260: 3/26/2009 5:08:03 PM - Avg8 Update

RP261: 3/28/2009 12:17:36 PM - System Checkpoint

RP262: 3/29/2009 4:23:17 PM - System Checkpoint

RP263: 3/30/2009 8:29:37 PM - Software Distribution Service 3.0

RP264: 3/31/2009 11:34:36 PM - System Checkpoint

RP265: 4/5/2009 12:31:47 AM - System Checkpoint

RP266: 4/6/2009 9:59:34 PM - System Checkpoint

RP267: 4/7/2009 5:22:59 PM - Avg8 Update

RP268: 4/9/2009 9:51:52 PM - Avg8 Update

RP269: 4/10/2009 12:45:08 AM - Software Distribution Service 3.0

RP270: 4/11/2009 9:01:07 PM - System Checkpoint

RP271: 4/13/2009 7:33:46 PM - System Checkpoint

RP272: 4/15/2009 7:18:28 AM - Software Distribution Service 3.0

RP273: 4/16/2009 11:19:43 PM - System Checkpoint

RP274: 4/19/2009 1:17:24 PM - System Checkpoint

RP275: 4/22/2009 9:37:22 AM - System Checkpoint

RP276: 4/26/2009 5:36:27 PM - System Checkpoint

RP277: 4/29/2009 11:34:22 AM - Avg8 Update

RP278: 4/29/2009 11:36:09 AM - Avg8 Update

RP279: 4/29/2009 12:49:30 PM - Removed AVG 8.5

RP280: 4/29/2009 12:51:21 PM - Installed AVG 8.5

RP281: 4/29/2009 12:56:17 PM - Installed AVG Free 8.0

RP282: 4/29/2009 3:26:21 PM - Removed AVG Free 8.0

RP283: 4/29/2009 3:29:14 PM - Installed AVG Free 8.0

RP284: 4/29/2009 3:39:12 PM - Installed AVG Free 8.5

RP285: 4/30/2009 3:00:21 AM - Software Distribution Service 3.0

RP286: 4/30/2009 12:46:26 PM - Avg8 Update

RP287: 5/1/2009 10:02:49 AM - Avg8 Update

RP288: 5/1/2009 10:04:28 AM - Avg8 Update

RP289: 5/2/2009 10:28:34 AM - System Checkpoint

RP290: 5/3/2009 6:58:20 PM - System Checkpoint

RP291: 5/6/2009 12:16:13 AM - Installed AVG Free 8.5

RP292: 5/6/2009 12:19:27 AM - Avg8 Update

RP293: 5/7/2009 8:02:58 PM - System Checkpoint

RP294: 5/8/2009 4:24:08 PM - Installed Java 6 Update 13

==== Installed Programs ======================

AAC Decoder

Ad-Aware

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)

Adobe Flash Player ActiveX

Adobe Flash Player Plugin

Adobe Reader 8.1.2

Adobe Reader 8.1.2 Security Update 1 (KB403742)

Adobe Shockwave Player

Apple Mobile Device Support

Apple Software Update

Audacity 1.2.6

AutoUpdate

Avanquest update

AVG Free 8.5

Bonjour

CCleaner (remove only)

Compatibility Pack for the 2007 Office system

CutePDF Writer 2.7

D-Link DGE-530T

DeepBurner v1.8.0.224

DivX Codec

DivX Converter

DivX Player

DivX Plus DirectShow Filters

DivX Version Checker

DivX Web Player

Free YouTube to Mp3 Converter version 3.1

FUJIFILM USB Driver

Graphmatica

H.264 Decoder

HijackThis 2.0.2

Hotfix for Windows XP (KB952287)

iTunes

Java DB 10.3.1.4

Java 6 Update 13

Java 6 Update 5

Java 6 Update 7

Java SE Development Kit 6 Update 7

JMP Student Edition

K-Lite Codec Pack 3.8.5 Full

Lexmark 3100 Series

Macromedia Fireworks 8

Malwarebytes' Anti-Malware

Marvell Miniport Driver

Microsoft .NET Framework 2.0

Microsoft Office Professional Edition 2003

Microsoft Reader

Microsoft Visual C++ 2005 Redistributable

Microsoft XML Parser

MKV Splitter

Mozilla Firefox (3.0.10)

MSXML 4.0 SP2 (KB954430)

Music Rescue 3.1.6

MyPhoneExplorer

neroxml

NVIDIA Drivers

Picasa 3

QuickTime

Real Alternative 1.9.0

Samsung Master

Samsung USB Driver

Security Update for Windows Media Player (KB952069)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB944338-v2)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958215)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960714)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB963027)

Sony Ericsson DRM Packager 1.35

Sony Ericsson Media Manager 1.0

Sony Ericsson PC Suite 3.209.00

SoundMAX

Spybot - Search & Destroy

SUPERAntiSpyware Free Edition

TextPad 4.7

Uninstall 1.0.0.0

Update for Windows XP (KB898461)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update Service

VC80CRTRedist - 8.0.50727.762

VCRedistSetup

Veoh Web Player Beta

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Installer 3.1 (KB893803)

Windows Live installer

Windows Live Messenger

Windows Live Sign-in Assistant

WinRAR archiver

World of Warcraft

==== Event Viewer Messages From Past Week ========

5/8/2009 4:29:50 PM, error: Service Control Manager [7031] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

5/8/2009 12:01:15 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips IntelIde intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss RTL8023xp SASDIFSV SASKUTIL Tcpip

5/5/2009 9:21:45 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: RTL8023xp

5/5/2009 9:21:45 AM, error: Service Control Manager [7000] - The AVG Free8 WatchDog service failed to start due to the following error: The system cannot find the file specified.

5/4/2009 10:16:13 PM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\D.

5/2/2009 9:59:08 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde RTL8023xp

5/2/2009 7:00:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

5/2/2009 12:35:48 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss RTL8023xp SASDIFSV SASKUTIL Tcpip

5/2/2009 12:35:48 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

5/2/2009 12:35:48 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

5/2/2009 12:35:48 PM, error: Service Control Manager [7001] - The Hotspot Shield Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service or group failed to start.

5/2/2009 12:35:48 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

5/2/2009 12:35:48 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

5/2/2009 12:35:48 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

5/2/2009 12:35:48 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

5/2/2009 12:35:14 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

==== End Of File ===========================


  • Root Admin

STEP 01

If you did not set this Proxy server then have HJT remove it. If you're using a proxy server on purpose then leave it.

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

With all other applications closed (Taskbar empty), open HijackThis again and run "Do a system scan only" and place a check mark on the following items.

  • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    Then Quit All Browsers including the one you're reading this in now.
    Then click on Fix checked and then quit HJT

STEP 02

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

AtJob::

File::
c:\windows\t55ft2692f44.dat
c:\windows\st_1241806698.exe
c:\windows\system32\fagw32.dll
c:\windows\system32\nar.bin
c:\windows\system32\drivers\Rtlnicxp.sys
c:\windows\system32\z98a.bin
C:\changekey.vbs


Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DL32"=-
"SYS32DLL"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rtlnicxp.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{901A929E-1477-4b67-94FA-7A8EE43ED159}]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 03

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

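The entry types the helper singles out above (the localhost ProxyServer value in STEP 01, the bare DL32/SYS32DLL Run values cleared by the CFScript, the orphaned BHO) can be triaged mechanically from a HijackThis log. The script below is an added example in Python, not part of this thread, of HijackThis or of ComboFix; its sample lines are constructed from the log posted above, and the regexes, heuristics and function names are the example's own.

```python
"""Triage a HijackThis 2.x log for the entry types this thread turns on.

Added example: not part of the thread, of HijackThis or of ComboFix. The
sample lines are constructed from the log posted above; the regexes,
heuristics and function names are this example's own.
"""
import re
from collections import namedtuple

# Constructed sample in HijackThis report format (a subset of the posted log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: (no name) - {BE83C3B6-0F77-436c-88B1-A56124A743CB} - (no file)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DL32] DL32
O4 - HKCU\..\Run: [sYS32DLL] SYS32DLL
""".strip()

Finding = namedtuple("Finding", "section severity detail line")

# R1 proxy line, O2 browser helper object line, O4 Run-key line.
PROXY_RE = re.compile(r"^R1 - (?P<key>.*),ProxyServer = (?P<value>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_proxy_value(value):
    """Return [(scheme, host, port)] for a WinINet ProxyServer string.

    Accepts both the plain 'host:port' form and the per-protocol
    'http=host:port;https=host:port' form seen in the posted log.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        entries.append((scheme or "*", host, int(port) if port.isdigit() else None))
    return entries


def is_loopback(host):
    """True for proxies that point back at the local machine."""
    h = host.strip("[]").lower()
    return h == "localhost" or h == "::1" or h.startswith("127.")


def is_bare_command(cmd):
    """True when the Run value is a single token with no drive, directory or
    extension (e.g. 'DL32'): it is resolved through PATH / App Paths, which
    is unusual for legitimately installed software."""
    stripped = cmd.strip().strip('"')
    token = stripped.split()[0] if stripped else ""
    return bool(token) and "\\" not in token and "." not in token


def triage(log_text):
    """Walk the log line by line and return a list of Finding records."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for scheme, host, port in parse_proxy_value(m.group("value")):
                if is_loopback(host):
                    findings.append(Finding("R1", "high",
                        f"ProxyServer routes {scheme} traffic through {host}:{port} on this "
                        f"machine; unless the user set it, a local process is intercepting "
                        f"browser traffic", line))
            continue
        m = RUN_RE.match(line)
        if m and is_bare_command(m.group("cmd")):
            findings.append(Finding("O4", "high",
                f'{m.group("hive")} Run value [{m.group("name")}] is the bare command '
                f'"{m.group("cmd").strip()}" with no path or extension', line))
            continue
        m = BHO_RE.match(line)
        if m and m.group("path").strip().lower() == "(no file)":
            findings.append(Finding("O2", "low",
                f'orphaned BHO {{{m.group("clsid")}}} is registered but its DLL is missing',
                line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section}: {f.detail}")
```

Entries that the script leaves unflagged (the NVIDIA and Messenger Run values, the Java BHO) are the benign shape a helper compares against when reading a log like the one above.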

Thanks for the quick reply, here are my logs:

ComboFix 09-05-08.03 - ena 05/09/2009 0:31.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.639 [GMT -5:00]

Running from: c:\documents and settings\ena\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\ena\Desktop\CFscript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

FILE ::

C:\changekey.vbs

c:\windows\st_1241806698.exe

c:\windows\system32\drivers\Rtlnicxp.sys

c:\windows\system32\fagw32.dll

c:\windows\system32\nar.bin

c:\windows\system32\z98a.bin

c:\windows\t55ft2692f44.dat

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\changekey.vbs

c:\windows\system32\drivers\mrxdavv.sys

c:\windows\system32\drivers\Rtlnicxp.sys

c:\windows\system32\fagw32.dll

c:\windows\system32\kwave.sys

c:\windows\system32\nar.bin

c:\windows\system32\z98a.bin

c:\windows\t55ft2692f44.dat

.

((((((((((((((((((((((((( Files Created from 2009-04-09 to 2009-05-09 )))))))))))))))))))))))))))))))

.

2009-05-06 04:53 . 2009-05-06 04:53 -------- d-----w c:\program files\CCleaner

2009-05-02 04:38 . 2009-05-02 04:38 -------- d-----w c:\program files\Trend Micro

2009-05-02 02:51 . 2009-05-02 02:51 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-05-02 02:40 . 2009-05-02 02:40 -------- d-----w c:\documents and settings\ena\DoctorWeb

2009-04-30 05:34 . 2009-04-30 05:34 -------- d-----w c:\documents and settings\ena\Application Data\Malwarebytes

2009-04-30 05:34 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-30 05:34 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-30 05:34 . 2009-04-30 05:34 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-04-30 05:34 . 2009-04-30 05:34 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-29 20:39 . 2009-05-01 15:04 11952 ----a-w c:\windows\system32\avgrsstx.dll

2009-04-29 20:39 . 2009-05-01 15:03 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys

2009-04-29 20:39 . 2009-05-01 15:04 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys

2009-04-29 20:39 . 2009-05-08 21:09 -------- d-----w c:\windows\system32\drivers\Avg

2009-04-10 05:45 . 2009-03-11 03:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe

2009-04-10 05:45 . 2009-03-11 03:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe

2009-04-10 05:45 . 2009-04-10 05:45 -------- d-----w c:\windows\system32\KB905474

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-08 21:24 . 2009-05-08 21:24 410984 ----a-w c:\windows\system32\deploytk.dll

2009-05-08 21:24 . 2008-04-04 05:12 -------- d-----w c:\program files\Java

2009-05-08 12:58 . 2009-05-08 12:59 517246 ----a-w C:\HaxFix.exe

2009-04-28 17:37 . 2008-05-04 23:02 8768 ----a-w c:\windows\system32\drivers\sptd.sys

2009-03-20 22:27 . 2009-03-20 22:27 27136 ----a-w c:\windows\system32\drivers\tapvpn.sys

2009-03-06 14:44 . 2004-08-04 01:07 283648 ----a-w c:\windows\system32\pdh.dll

2009-02-25 05:35 . 2008-04-07 05:54 47592 ----a-w c:\documents and settings\ena\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-02-22 04:36 . 2009-02-22 04:37 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys

2009-02-20 08:30 . 2004-08-04 01:07 81920 ----a-w c:\windows\system32\ieencode.dll

2009-02-20 08:30 . 2004-08-04 01:07 659456 ----a-w c:\windows\system32\wininet.dll

2009-02-09 10:20 . 2004-08-04 01:07 723456 ----a-w c:\windows\system32\lsasrv.dll

2009-02-09 10:20 . 2004-08-04 01:07 399360 ----a-w c:\windows\system32\rpcss.dll

2009-02-09 10:20 . 2004-08-04 01:07 714752 ----a-w c:\windows\system32\ntdll.dll

2009-02-09 10:20 . 2004-08-04 01:07 616960 ----a-w c:\windows\system32\advapi32.dll

2009-02-09 10:19 . 2004-08-04 01:07 1846272 ----a-w c:\windows\system32\win32k.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-05-08_21.37.56 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-05-09 05:34 . 2009-05-09 05:34 40960 c:\windows\temp\rtdrvmon.exe

- 2009-05-08 21:37 . 2009-05-08 21:37 40960 c:\windows\Temp\rtdrvmon.exe

+ 2009-05-09 05:34 . 2009-05-09 05:34 16384 c:\windows\temp\Perflib_Perfdata_7c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 1368064]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-08 148888]

"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]

"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-07-29 106496]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-06 1947928]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2007-04-19 18:41 294912 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-05-01 15:04 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=

"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/29/2009 3:39 PM 325896]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/29/2009 3:39 PM 108552]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/29/2008 5:03 PM 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 5:03 PM 51440]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/6/2009 12:16 AM 298776]

S3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;c:\windows\system32\drivers\m4cxw2k3.sys [2/15/2007 9:04 AM 250752]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 4096]

S3 sk98xwin;NDIS5 Miniport Driver for SysKonnect SK-98xx Gigabit Ethernet Server Adapter (SK-NET GE);c:\windows\system32\drivers\sk98xwin.SYS [2/14/2009 4:18 PM 94698]

S3 SkFpWin;SysKonnect FDDI PCI Adapter Driver;c:\windows\system32\drivers\SkFpWin.SYS [2/14/2009 4:05 PM 91294]

.

Contents of the 'Scheduled Tasks' folder

2009-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2009-05-09 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 03:18]

.

- - - - ORPHANS REMOVED - - - -

BHO-{BE83C3B6-0F77-436c-88B1-A56124A743CB} - (no file)

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local;<local>

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\ena\Application Data\Mozilla\Firefox\Profiles\0sd3pd9a.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll

FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-09 00:34

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(492)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

c:\program files\Lexmark 3100 Series\lxbrbmon.exe

c:\program files\Lexmark 3100 Series\lxbrcmon.exe

.

**************************************************************************

.

Completion time: 2009-05-09 0:36 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-09 05:36

ComboFix2.txt 2009-05-08 21:40

Pre-Run: 142,777,688,064 bytes free

Post-Run: 142,803,173,376 bytes free

176 --- E O F --- 2009-04-30 08:00

Malwarebytes' Anti-Malware 1.36

Database version: 2097

Windows 5.1.2600 Service Pack 2

5/9/2009 12:41:25 AM

mbam-log-2009-05-09 (00-41-25).txt

Scan type: Quick Scan

Objects scanned: 78056

Time elapsed: 2 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:43:59 AM, on 5/9/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe

C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe

C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe

O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1207267437000

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 5677 bytes


  • Root Admin

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.

Then look for the following Java folders and if found delete them.

  • C:\Program Files\Java
  • C:\Program Files\Common Files\Java
  • C:\Windows\Sun
  • C:\Documents and Settings\All Users\Application Data\Java
  • C:\Documents and Settings\All Users\Application Data\Sun\Java
  • C:\Documents and Settings\username\Application Data\Java
  • C:\Documents and Settings\username\Application Data\Sun\Java

Download and install CCleaner

  • CCleaner
  • Double-click on the downloaded file "ccsetup219.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Double-click the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language
  • Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages Archive = Move, E-mails = Report, Containers = Move
    • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked

  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.



JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sat May 09 02:20:11 2009

Found and removed: Software\JavaSoft\Java2D\1.6.0_01

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\

------------------------------------

Finished reporting.

Dr. Web Report

ComboFix.exe/data002\32788R22FWJFW\FIND3M.bat;C:\Documents and Settings\ena\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;

ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\ena\Desktop\ComboFix.exe/data002;Program.PsExec.171;;

data002;C:\Documents and Settings\ena\Desktop;Archive contains infected objects;;

ComboFix.exe;C:\Documents and Settings\ena\Desktop;Container contains infected objects;;

process.exe;C:\HaxFix;Tool.Prockill;;

A0091523.EXE;C:\System Volume Information\_restore{3B368BE6-F27A-4202-9236-6865F21B5B89}\RP294;Program.PsExec.170;;

A0091552.bat;C:\System Volume Information\_restore{3B368BE6-F27A-4202-9236-6865F21B5B89}\RP294;Probably BATCH.Virus;;

A0091615.exe;C:\System Volume Information\_restore{3B368BE6-F27A-4202-9236-6865F21B5B89}\RP294;Trojan.DownLoad.36180;Deleted.;

A0091654.bat;C:\System Volume Information\_restore{3B368BE6-F27A-4202-9236-6865F21B5B89}\RP294;Probably BATCH.Virus;;

A0091723.EXE;C:\System Volume Information\_restore{3B368BE6-F27A-4202-9236-6865F21B5B89}\RP294;Program.PsExec.170;;

A0091754.bat;C:\System Volume Information\_restore{3B368BE6-F27A-4202-9236-6865F21B5B89}\RP294;Probably BATCH.Virus;;

HiJackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:36:34 PM, on 5/9/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe

C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe

C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe

O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1207267437000

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 5183 bytes

Thanks.


Malwarebytes' Anti-Malware 1.36

Database version: 2104

Windows 5.1.2600 Service Pack 2

5/10/2009 9:16:46 AM

mbam-log-2009-05-10 (09-16-46).txt

Scan type: Quick Scan

Objects scanned: 78308

Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.


  • Root Admin

Okay let's try this from the start again now that much of the other Malware has been removed.

STEP 01

Download and install CCleaner

  • CCleaner
  • Double-click on the downloaded file "ccsetup219.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

Now RESTART THE COMPUTER

When it reboots DELETE the file: C:\Windows\ntbtlog.txt

STEP 02

Delete your current copy of Combofix.exe and download a NEW fresh copy. This time though rename it to STUFFING.EXE before running it.

Additional links to download the tool:

ComboFix.exe

ComboFix.exe

ComboFix.exe

STEP 03

Now that Combofix has run as STUFFING.EXE it should have rebooted the computer at least once thus creating a new BootLog file.

If it did not reboot the computer then go ahead and reboot it ONCE only and DO NOT reboot it anymore until I reply back because these files rename themselves on each restart.

Please open and copy / paste the new C:\Windows\ntbtlog.txt log here.

STEP 04

Delete your current copy of RootRepeal and download a new copy. Make sure you close down EVERYTHING before running it, including your Anti-Virus and other Security software.

RootRepeal - Rootkit Detector

  • Close ALL applications and as many items in the task tray that will stop and exit.
  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe, go to the REPORT tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report.
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name.
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.
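One way to read the boot log that STEP 03 asks for, added here as an illustration and not part of the thread or of any of the tools it names: the script parses two constructed ntbtlog.txt captures (not the logs posted in this thread), normalizes the driver paths, separates the investigation tools' own drivers from drivers loaded from outside system32 (such as a user's Temp folder), and diffs the two boots so that a driver which comes back under a new file name stands out. The sample log lines, the placeholder-*.sys names, the C:\WINDOWS system root and the list of tool drivers are all assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample boot logs (assumed format only; not the logs posted in the
# thread). Windows XP appends one "Loaded driver <path>" or
# "Did not load driver <path>" line per driver to C:\Windows\ntbtlog.txt, in
# load order. Two consecutive boots are shown so that a driver which comes
# back under a new file name can be spotted by diffing them. The
# "placeholder-*.sys" names are invented for this example.
BOOT_1 = r"""Service Pack 2  5 12 2009 12:10:02.500
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\hal.dll
Loaded driver \SystemRoot\system32\DRIVERS\atapi.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\placeholder-aaa.sys
Loaded driver \??\C:\DOCUME~1\user\LOCALS~1\Temp\catchme.sys
Did not load driver \SystemRoot\system32\DRIVERS\placeholder-absent.sys
"""

BOOT_2 = r"""Service Pack 2  5 12 2009 12:25:41.125
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\hal.dll
Loaded driver \SystemRoot\system32\DRIVERS\atapi.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\placeholder-bbb.sys
Loaded driver \??\C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Loaded driver \??\C:\Documents and Settings\user\Local Settings\Temp\placeholder-tmp.sys
"""

# Helper drivers belonging to the investigation tools themselves; the names are
# the ones visible in the thread's RootRepeal output. Treating them as benign
# is this example's assumption, not something the tools assert.
TOOL_DRIVERS = {"catchme.sys", "combo-fix.sys", "rootrepeal.sys", "procexp90.sys"}

# Assumed: the system root is C:\WINDOWS, as in the paths the thread shows.
SYSTEM_ROOT = "c:\\windows"
TRUSTED_PREFIX = SYSTEM_ROOT + "\\system32\\"

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(.+?)\s*$")


def parse_ntbtlog(text: str) -> List[Tuple[str, str]]:
    """Return (status, path) pairs; the header and any unknown lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            status = "loaded" if m.group(1) == "Loaded driver" else "not loaded"
            entries.append((status, m.group(2)))
    return entries


def normalize(path: str) -> str:
    """Lower-case and strip the \\??\\ and \\SystemRoot prefixes so the same file
    compares equal regardless of how the loader spelled its path."""
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[len("\\??\\"):]
    if p.startswith("\\systemroot\\"):
        p = SYSTEM_ROOT + p[len("\\systemroot"):]
    return p


def triage(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Split loaded drivers into known tool drivers and drivers loaded from
    outside %SystemRoot%\\system32 (for example a user's Temp folder)."""
    report: Dict[str, List[str]] = {"tool_driver": [], "outside_system32": []}
    for status, path in entries:
        if status != "loaded":
            continue
        p = normalize(path)
        name = p.rsplit("\\", 1)[-1]
        if name in TOOL_DRIVERS:
            report["tool_driver"].append(p)
        elif not p.startswith(TRUSTED_PREFIX):
            report["outside_system32"].append(p)
    return report


def diff_boots(first: List[Tuple[str, str]],
               second: List[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Drivers loaded only in the first boot and only in the second. A name that
    vanishes from one boot while a new one appears in the next is the pattern
    to examine when a file is suspected of renaming itself on each restart."""
    a = {normalize(p) for s, p in first if s == "loaded"}
    b = {normalize(p) for s, p in second if s == "loaded"}
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    boot1, boot2 = parse_ntbtlog(BOOT_1), parse_ntbtlog(BOOT_2)
    for label, entries in (("boot 1", boot1), ("boot 2", boot2)):
        t = triage(entries)
        print(f"{label}: {len(entries)} entries; tool drivers {t['tool_driver']}; "
              f"outside system32 {t['outside_system32']}")
    gone, new = diff_boots(boot1, boot2)
    print("only in boot 1:", gone)
    print("only in boot 2:", new)
```

Run it against two real ntbtlog.txt captures by reading the files into BOOT_1 and BOOT_2; a driver that appears in the "only in boot 2" list under a name absent from boot 1, while a sibling name from boot 1 has disappeared, is the candidate to look up in the RootRepeal Drivers section.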


Hm, is it odd that my ntbtlog.txt file is so short?

ntbtlog.txt

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \??\C:\DOCUME~1\ena\LOCALS~1\Temp\catchme.sys

Loaded driver \??\C:\WINDOWS\system32\Drivers\PROCEXP90.SYS

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

RootRepeal

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/05/12 12:21

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP2

==================================================

Drivers

-------------------

Name: catchme.sys

Image Path: C:\DOCUME~1\ena\LOCALS~1\Temp\catchme.sys

Address: 0xF7B47000 Size: 31744 File Visible: No

Status: -

Name: Combo-Fix.sys

Image Path: Combo-Fix.sys

Address: 0xF788F000 Size: 60416 File Visible: No

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xF486C000 Size: 98304 File Visible: No

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7D5F000 Size: 8192 File Visible: No

Status: -

Name: PROCEXP90.SYS

Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS

Address: 0xF7DC1000 Size: 6464 File Visible: No

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xBAB80000 Size: 45056 File Visible: No

Status: -

Hidden/Locked Files

-------------------

Path: C:\WINDOWS\Prefetch\ROOTREPEAL.EXE-144523E2.pf

Status: Size mismatch (API: 12774, Raw: 12600)

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\avc.sys

Status: Locked to the Windows API!

Path: C:\Documents and Settings\ena\Local Settings\Application Data\Microsoft\Messenger\rowiez@hotmail.com\SharingMetadata\ayamae@hotmail.com\DFSR\Staging\CS{5B8B6424-B385-AE5A-D2D4-B1E83F2B0830}\01\36-{5B8B6424-B385-AE5A-D2D4-B1E83F2B0830}-v1-{251B9360-3069-4D1F-B555-CCE3C159A310}-v36-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\ena\Local Settings\Application Data\Microsoft\Messenger\rowiez@hotmail.com\SharingMetadata\ayamae@hotmail.com\DFSR\Staging\CS{5B8B6424-B385-AE5A-D2D4-B1E83F2B0830}\11\42-{08529F05-2D20-4FED-A50D-F02719AFD183}-v11-{251B9360-3069-4D1F-B555-CCE3C159A310}-v42-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\ena\Local Settings\Application Data\Microsoft\Messenger\rowiez@hotmail.com\SharingMetadata\ayamae@hotmail.com\DFSR\Staging\CS{5B8B6424-B385-AE5A-D2D4-B1E83F2B0830}\12\12-{08~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\ena\Local Settings\Application Data\Microsoft\Messenger\rowiez@hotmail.com\SharingMetadata\ayamae@hotmail.com\DFSR\Staging\CS{5B8B6424-B385-AE5A-D2D4-B1E83F2B0830}\12\12-{08~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\ena\Local Settings\Application Data\Microsoft\Messenger\rowiez@hotmail.com\SharingMetadata\ayamae@hotmail.com\DFSR\Staging\CS{5B8B6424-B385-AE5A-D2D4-B1E83F2B0830}\13\13-{08529F05-2D20-4FED-A50D-F02719AFD183}-v13-{08529F05-2D20-4FED-A50D-F02719AFD183}-v13-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\ena\Local Settings\Application Data\Microsoft\Messenger\rowiez@hotmail.com\SharingMetadata\hazel_nut2@hotmail.com\DFSR\Staging\CS{11C05E7A-671B-EACF-0B94-2CC4623FF713}\01\23-{11C05E7A-671B-EACF-0B94-2CC4623FF713}-v1-{251B9360-3069-4D1F-B555-CCE3C159A310}-v23-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\ena\Local Settings\Application Data\Microsoft\Messenger\rowiez@hotmail.com\SharingMetadata\marlene_rivera@hotmail.com\DFSR\Staging\CS{1B105880-66AC-A74B-283C-92260023F0C4}\01\10-{1B105880-66AC-A74B-283C-92260023F0C4}-v1-{251B9360-3069-4D1F-B555-CCE3C159A310}-v10-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\ena\Local Settings\Application Data\Microsoft\Messenger\rowiez@hotmail.com\SharingMetadata\marlene_rivera@hotmail.com\DFSR\Staging\CS{1B105880-66AC-A74B-283C-92260023F0C4}\11\11-{251B9360-3069-4D1F-B555-CCE3C159A310}-v11-{251B9360-3069-4D1F-B555-CCE3C159A310}-v11-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\ena\Local Settings\Application Data\Microsoft\Messenger\rowiez@hotmail.com\SharingMetadata\marlene_rivera@hotmail.com\DFSR\Staging\CS{1B105880-66AC-A74B-283C-92260023F0C4}\12\12-{251B9360-3069-4D1F-B555-CCE3C159A310}-v12-{251B9360-3069-4D1F-B555-CCE3C159A310}-v12-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\ena\Local Settings\Application Data\Microsoft\Messenger\rowiez@hotmail.com\SharingMetadata\marlene_rivera@hotmail.com\DFSR\Staging\CS{1B105880-66AC-A74B-283C-92260023F0C4}\13\13-{251B9360-3069-4D1F-B555-CCE3C159A310}-v13-{251B9360-3069-4D1F-B555-CCE3C159A310}-v13-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\ena\Local Settings\Application Data\Microsoft\Messenger\rowiez@hotmail.com\SharingMetadata\marlene_rivera@hotmail.com\DFSR\Staging\CS{1B105880-66AC-A74B-283C-92260023F0C4}\14\14-{251B9360-3069-4D1F-B555-CCE3C159A310}-v14-{251B9360-3069-4D1F-B555-CCE3C159A310}-v14-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\ena\Local Settings\Application Data\Microsoft\Messenger\rowiez@hotmail.com\SharingMetadata\marlene_rivera@hotmail.com\DFSR\Staging\CS{1B105880-66AC-A74B-283C-92260023F0C4}\15\15-{251B9360-3069-4D1F-B555-CCE3C159A310}-v15-{251B9360-3069-4D1F-B555-CCE3C159A310}-v15-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\ena\Local Settings\Application Data\Microsoft\Messenger\rowiez@hotmail.com\SharingMetadata\marlene_rivera@hotmail.com\DFSR\Staging\CS{1B105880-66AC-A74B-283C-92260023F0C4}\16\16-{251B9360-3069-4D1F-B555-CCE3C159A310}-v16-{251B9360-3069-4D1F-B555-CCE3C159A310}-v16-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\ena\Local Settings\Application Data\Microsoft\Messenger\rowiez@hotmail.com\SharingMetadata\marlene_rivera@hotmail.com\DFSR\Staging\CS{1B105880-66AC-A74B-283C-92260023F0C4}\17\17-{251B9360-3069-4D1F-B555-CCE3C159A310}-v17-{251B9360-3069-4D1F-B555-CCE3C159A310}-v17-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\ena\Local Settings\Application Data\Microsoft\Messenger\rowiez@hotmail.com\SharingMetadata\marlene_rivera@hotmail.com\DFSR\Staging\CS{1B105880-66AC-A74B-283C-92260023F0C4}\18\18-{251B9360-3069-4D1F-B555-CCE3C159A310}-v18-{251B9360-3069-4D1F-B555-CCE3C159A310}-v18-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\ena\Local Settings\Application Data\Microsoft\Messenger\rowiez@hotmail.com\SharingMetadata\marlene_rivera@hotmail.com\DFSR\Staging\CS{1B105880-66AC-A74B-283C-92260023F0C4}\19\19-{251B9360-3069-4D1F-B555-CCE3C159A310}-v19-{251B9360-3069-4D1F-B555-CCE3C159A310}-v19-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\ena\Local Settings\Application Data\Microsoft\Messenger\rowiez@hotmail.com\SharingMetadata\marlene_rivera@hotmail.com\DFSR\Staging\CS{1B105880-66AC-A74B-283C-92260023F0C4}\20\20-{251B9360-3069-4D1F-B555-CCE3C159A310}-v20-{251B9360-3069-4D1F-B555-CCE3C159A310}-v20-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\ena\Local Settings\Application Data\Microsoft\Messenger\rowiez@hotmail.com\SharingMetadata\marlene_rivera@hotmail.com\DFSR\Staging\CS{1B105880-66AC-A74B-283C-92260023F0C4}\21\21-{251B9360-3069-4D1F-B555-CCE3C159A310}-v21-{251B9360-3069-4D1F-B555-CCE3C159A310}-v21-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\ena\Local Settings\Application Data\Microsoft\Messenger\rowiez@hotmail.com\SharingMetadata\marlene_rivera@hotmail.com\DFSR\Staging\CS{1B105880-66AC-A74B-283C-92260023F0C4}\22\22-{251B9360-3069-4D1F-B555-CCE3C159A310}-v22-{251B9360-3069-4D1F-B555-CCE3C159A310}-v22-Downloaded.frx

Status: Locked to the Windows API!


  • Root Admin

Well I guess I missed putting it in the steps, but I need the log from STUFFING.EXE

And you should have had a reboot in there which should recreate the entire file again.

Please post the CF log.

Then reboot and post the Bootlog file again.

Root Repeal shows you have Messenger running. Please exit that before running it, along with all other applets in the tray that can close.

Then run Root Repeal again with nothing running and post back that log.

Thanks.


Yeah, there was a reboot when I ran CF the first time. Just to clarify things, should I be posting the CF log that I received before, and rebooting and posting a new bootlog?

Or should I repeat steps 1-4 again, and run CF to produce a new log?


  • Root Admin

Click on START - RUN and type in MSCONFIG and hit OK

Then look on the BOOT.INI tab and make sure there is a check mark on the /BOOTLOG option.

Then restart the computer again and it should now create one.

Yes the combofix log after it was run and rebooted is the one I want.

We'll try them as you have them and see if we can track it down. If not then we'll need to try another method.


Guest
This topic is now closed to further replies.