
Malwarebytes Keeps shutting down - Runs good in SafeMode



MalwareBytes, Spybot, and AVG run fine in Safemode and show no problems found.

When I log in normally (out of safemode) and try to run MalwareBytes, Spybot, and AVG, they all shut down within a few minutes.

I see 4d in the log and have tried to shut it down several times - no luck. Any help would be appreciated.

Here is the log WHEN I LOG IN NORMALLY:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:09:27 AM, on 6/26/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\QSWSRC\AAREMOTE\INSTAL~1.EXE

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\iPod\bin\iPodService.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com

O2 - BHO: (no name) - {345CCB55-A1AF-4E12-AB2E-A3C598AF7227} - c:\windows\system32\ipxfoev.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWire...loadControl.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: wsosvcml - C:\WINDOWS\SYSTEM32\ipxfoev.dll

O23 - Service: Alerter AlerterALG (AlerterALG) - Unknown owner - C:\WINDOWS\TEMP\4D.tmp.exe (file missing)

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\QSWSRC\AAREMOTE\INSTAL~1.EXE

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--

End of file - 5663 bytes

Here is the log when I'm in SAFE MODE:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:34:22 PM, on 6/25/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://maxsun.biz/in.cgi?9&key=portage...mon+pleas+court

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {345CCB55-A1AF-4E12-AB2E-A3C598AF7227} - c:\windows\system32\ipxfoev.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - Global Startup: VPN Client.lnk = ?

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWire...loadControl.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: wsosvcml - C:\WINDOWS\SYSTEM32\ipxfoev.dll

O23 - Service: Alerter AlerterALG (AlerterALG) - Unknown owner - C:\WINDOWS\TEMP\4D.tmp.exe (file missing)

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\QSWSRC\AAREMOTE\INSTAL~1.EXE

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--

End of file - 4727 bytes

hijackthis_06_26_09.txt

hijackthis__SAFEMODE.txt



I have attached the ipxfoev.dll as well as ipxfoev.dll.bak that I found in the system32 folder.


ipxfoev.dll.zip



OK, many thanks,

The file is Trojan.Boaxxe and I will be updating the DB shortly to target the variant on your PC :D

Next point of call is to check to see if it has its usual running mate (Rootkit.Sentinel), as this would go some way towards the regular mode issues.

I need some logs to examine the output from your computer.

1) Download and install Autoruns

http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx

When you first run it, it will generate an extensive listing and the word "Ready" will appear in the bottom left of the software GUI.

At this point go to Options and place a check (tick) against Verify Code Signatures and Hide Microsoft & Windows Entries. Next press the F5 button to refresh.

Once the Ready status is shown by the software, go to the File option. Select "Export as" and save the output file as Autoruns.txt.

Can you please then copy and paste the contents of that text file into your next reply for analysis.

2) Please download and run RootRepeal >>>

http://rootrepeal.googlepages.com/

Run a scan and check all boxes except SSDT.

Please post back the contents of the output log generated.

Thanks in advance :)

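The Autoruns export the reply asks for is easiest to judge when its entries are grouped by image path rather than read top to bottom: one DLL hooked into several autostart locations, a description that changes from one location to the next, and an unverified file claiming Microsoft as its publisher are each a stronger signal together than alone. The triage script below is an added example for this thread, not code from Autoruns, Malwarebytes or the forum. It assumes the space-collapsed "+ entry description (Verified|Not verified) publisher drive:\path" layout as the export appears when pasted into this thread (Autoruns' own text export keeps the columns separated), and its sample lines are copied from the output posted later in the thread, with one benign AVG entry added as a control.

```python
import re
from collections import defaultdict

# Constructed sample in the layout this thread uses for a pasted Autoruns
# text export: a location header line, then "+ "-prefixed entries. The
# ipxfoev.dll and 4D.tmp lines are copied from the output posted later in
# this thread; the AVG line is a benign control.
SAMPLE_AUTORUNS = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ AVG8_TRAY AVG Tray Monitor (Verified) AVG Technologies c:\program files\avg\avg8\avgtray.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ {345CCB55-A1AF-4E12-AB2E-A3C598AF7227} Windows Media Player (Not verified) Microsoft Corporation c:\windows\system32\ipxfoev.dll
Task Scheduler
+ At1.job Windows Media Player (Not verified) Microsoft Corporation c:\windows\system32\ipxfoev.dll
HKLM\System\CurrentControlSet\Services
+ AlerterALG File not found: C:\WINDOWS\TEMP\4D.tmp service
+ gwywitjq Support for Intel® PRO Adapter (Not verified) Microsoft Corporation c:\windows\system32\ipxfoev.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ wsosvcml Windows Media Player (Not verified) Microsoft Corporation c:\windows\system32\ipxfoev.dll
"""

# "+ <name> <description> (Verified|Not verified) <publisher> <drive:\path>"
ENTRY_RE = re.compile(
    r"^\+ (?P<name>\S+)\s+(?P<desc>.*?)\s*\((?P<sig>Verified|Not verified)\)"
    r"\s+(?P<pub>.*?)\s+(?P<path>[A-Za-z]:\\.*)$"
)
# "+ <name> ... File not found: <path>"
MISSING_RE = re.compile(r"^\+ (?P<name>\S+)\s.*File not found:\s*(?P<path>.+)$")


def parse_autoruns(text):
    """Yield one dict per '+' entry, tagged with the location header above it."""
    location = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("+ "):
            location = line  # registry key or folder that owns the next entries
            continue
        m = MISSING_RE.match(line)
        if m:
            yield {"location": location, "name": m["name"], "desc": "",
                   "sig": "missing", "pub": "", "path": m["path"].strip().lower()}
            continue
        m = ENTRY_RE.match(line)
        if m:
            yield {"location": location, "name": m["name"], "desc": m["desc"],
                   "sig": m["sig"], "pub": m["pub"], "path": m["path"].lower()}
        # Lines with neither a signature tag nor "File not found" (bare driver
        # entries) carry nothing these rules use and are skipped.


def triage(text):
    """Return the findings a reviewer would want flagged in an export."""
    entries = list(parse_autoruns(text))
    by_path = defaultdict(list)
    for e in entries:
        by_path[e["path"]].append(e)

    multi_location = {}
    inconsistent_desc = {}
    for path, group in by_path.items():
        locations = sorted({e["location"] for e in group})
        descs = sorted({e["desc"] for e in group if e["desc"]})
        # One image hooked into several autostart locations at once.
        if len(locations) > 1:
            multi_location[path] = locations
        # The same image described as different products in different
        # places: a made-up description rather than a real product string.
        if len(descs) > 1:
            inconsistent_desc[path] = descs

    return {
        "multi_location": multi_location,
        "inconsistent_desc": inconsistent_desc,
        # Unsigned files claiming Microsoft as publisher. With "Verify Code
        # Signatures" and "Hide Microsoft & Windows Entries" both set, these
        # are exactly the Microsoft-labelled entries whose signature failed.
        "unverified_microsoft": [(e["location"], e["name"], e["path"])
                                 for e in entries
                                 if e["sig"] == "Not verified"
                                 and "microsoft" in e["pub"].lower()],
        # Services whose binary is gone but pointed into a TEMP directory.
        "missing_in_temp": [e["name"] for e in entries
                            if e["sig"] == "missing" and "\\temp\\" in e["path"]],
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_AUTORUNS).items():
        print(f"{rule}: {hits}")
```

Pass the pasted export to `triage()` instead of the sample to run it over a real reply. The rules key on the image path, never on the entry name or description, because those strings are whatever the registering program chose to write; on the sample the path `c:\windows\system32\ipxfoev.dll` comes back under four locations with two different descriptions and four failed Microsoft signature claims, while the verified AVG entry triggers nothing.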

Here is AUTORUNS.TXT

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ Adobe Reader Speed Launcher Adobe Acrobat SpeedLauncher (Verified) Adobe Systems, Incorporated c:\program files\adobe\reader 8.0\reader\reader_sl.exe

+ AVG8_TRAY AVG Tray Monitor (Verified) AVG Technologies c:\program files\avg\avg8\avgtray.exe

+ iTunesHelper iTunesHelper Module (Verified) Apple Inc. c:\program files\itunes\ituneshelper.exe

+ QuickTime Task QuickTime Task (Not verified) Apple Inc. c:\program files\quicktime\qttask.exe

+ SpybotSnD Spybot - Search & Destroy (Verified) Safer Networking Ltd. c:\program files\spybot - search & destroy\spybotsd.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

+ VPN Client.lnk c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\icon3e5562ed7.ico

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

+ SpybotSD TeaTimer System settings protector (Verified) Safer Networking Ltd. c:\program files\spybot - search & destroy\teatimer.exe

HKLM\SOFTWARE\Classes\Protocols\Handler

+ linkscanner Safe Search pluggable protocol (Verified) AVG Technologies c:\program files\avg\avg8\avgpp.dll

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components

+ 0 File not found: About:Home

HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers

+ AVG8 Shell Extension AVG Shell Extension (Verified) AVG Technologies c:\program files\avg\avg8\avgse.dll

HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers

+ MBAMShlExt Malwarebytes' Anti-Malware (Verified) Malwarebytes Corporation c:\program files\malwarebytes' anti-malware\mbamext.dll

HKLM\Software\Classes\Folder\Shellex\ColumnHandlers

+ PDF Shell Extension PDF Shell Extension (Not verified) Adobe Systems, Inc. c:\program files\common files\adobe\acrobat\activex\pdfshell.dll

HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers

+ AVG8 Shell Extension AVG Shell Extension (Verified) AVG Technologies c:\program files\avg\avg8\avgse.dll

+ MBAMShlExt Malwarebytes' Anti-Malware (Verified) Malwarebytes Corporation c:\program files\malwarebytes' anti-malware\mbamext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

+ AVG8 Shell Extension AVG Shell Extension (Verified) AVG Technologies c:\program files\avg\avg8\avgse.dll

+ Display Panning CPL Extension File not found: deskpan.dll

+ iTunes iTunes Mini Player DLL (Verified) Apple Inc. c:\program files\itunes\itunesminiplayer.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

+ Spybot-S&D IE Protection SBSD IE Protection (Verified) Safer Networking Ltd. c:\program files\spybot - search & destroy\sdhelper.dll

+ {345CCB55-A1AF-4E12-AB2E-A3C598AF7227} Windows Media Player (Not verified) Microsoft Corporation c:\windows\system32\ipxfoev.dll

Task Scheduler

+ AppleSoftwareUpdate.job Apple Software Update (Verified) Apple Inc. c:\program files\apple software update\softwareupdate.exe

+ At1.job Windows Media Player (Not verified) Microsoft Corporation c:\windows\system32\ipxfoev.dll

HKLM\System\CurrentControlSet\Services

+ AlerterALG File not found: C:\WINDOWS\TEMP\4D.tmp service

+ Apple Mobile Device Provides the interface to Apple mobile devices. (Not verified) Apple, Inc. c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe

+ AppMgmt Provides software installation services such as Assign, Publish, and Remove. File not found: C:\WINDOWS\System32\appmgmts.dll

+ avg8wd AVG Watchdog Service (Verified) AVG Technologies c:\program files\avg\avg8\avgwdsvc.exe

+ Bonjour Service Enables hardware devices and software services to automatically configure themselves on the network and advertise their presence, so that users can discover and use those services without any unnecessary manual setup or administration. (Not verified) Apple Inc. c:\program files\bonjour\mdnsresponder.exe

+ CiscoVpnInstallService c:\qswsrc\aaremote\installservice.exe

+ CVPND Cisco Systems VPN Client (Verified) Cisco Systems, Inc. c:\program files\cisco systems\vpn client\cvpnd.exe

+ gwywitjq Support for Intel® PRO Adapter (Not verified) Microsoft Corporation c:\windows\system32\ipxfoev.dll

+ iPod Service iPod hardware management services (Verified) Apple Inc. c:\program files\ipod\bin\ipodservice.exe

+ Itvsyotiazd File not found: \etjkivd.dll

HKLM\System\CurrentControlSet\Services

+ 64905f35 c:\windows\system32\drivers\64905f35.sys

+ AvgLdx86 AVG AVI Loader Driver (Verified) AVG Technologies c:\windows\system32\drivers\avgldx86.sys

+ AvgMfx86 AVG Resident Shield Minifilter Driver (Verified) AVG Technologies c:\windows\system32\drivers\avgmfx86.sys

+ AvgTdiX AVG Network connection watcher (Verified) AVG Technologies c:\windows\system32\drivers\avgtdix.sys

+ Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys

+ CVPNDRVA Cisco Systems VPN Client IPSec Driver (Not verified) Cisco Systems, Inc. c:\windows\system32\drivers\cvpndrva.sys

+ dmgowljn Parallel Technologies DirectParallel IO Library (Not verified) Parallel Technologies, Inc. c:\windows\system32\drivers\dmgowljn.sys

+ DMusic File not found: system32\drivers\DMusic.sys

+ GEARAspiWDM CD DVD Filter (Verified) GEAR Software Inc. c:\windows\system32\drivers\gearaspiwdm.sys

+ HPFECP06 c:\windows\system32\drivers\hpfecp06.sys

+ i2omgmt File not found: C:\WINDOWS\System32\Drivers\i2omgmt.sys

+ IntelC51 c:\windows\system32\drivers\intelc51.sys

+ IntelC52 c:\windows\system32\drivers\intelc52.sys

+ IntelC53 c:\windows\system32\drivers\intelc53.sys

+ Ip6Fw Provides intrusion prevention service for a home or small office network. c:\windows\system32\drivers\ip6fw.sys

+ IpFilterDriver IP Traffic Filter Driver c:\windows\system32\drivers\ipfltdrv.sys

+ lbrtfdc File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys

+ PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys

+ PDCOMP File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys

+ PDFRAME File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys

+ PDRELI File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys

+ PDRFRAME File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys

+ vsdatant TrueVector Device Driver (Verified) Check Point Software Technologies Inc. c:\windows\system32\vsdatant.sys

+ WDICA File not found: C:\WINDOWS\System32\Drivers\WDICA.sys

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

+ avgrsstarter AVG Resident Shield Starter (Verified) AVG Technologies c:\windows\system32\avgrsstx.dll

+ wsosvcml Windows Media Player (Not verified) Microsoft Corporation c:\windows\system32\ipxfoev.dll

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors

+ HP Language Monitor c:\windows\system32\hpflpm06.dll

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages

+ bdoaus.dll File not found: bdoaus.dll

and here is ROOTREPEAL: (there was no option to unselect SSDT)

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Time: 2009/06/29 11:10

Program Version: Version 1.3.0.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: ACPI.sys

Image Path: ACPI.sys

Address: 0xF7788000 Size: 187776 File Visible: - Signed: -

Status: -

Name: ACPI_HAL

Image Path: \Driver\ACPI_HAL

Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -

Status: -

Name: afd.sys

Image Path: C:\WINDOWS\System32\drivers\afd.sys

Address: 0xEEE0D000 Size: 138496 File Visible: - Signed: -

Status: -

Name: atapi.sys

Image Path: atapi.sys

Address: 0xF7740000 Size: 96512 File Visible: - Signed: -

Status: -

Name: ATMFD.DLL

Image Path: C:\WINDOWS\System32\ATMFD.DLL

Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -

Status: -

Name: audstub.sys

Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys

Address: 0xF7E8D000 Size: 3072 File Visible: - Signed: -

Status: -

Name: avgldx86.sys

Image Path: C:\WINDOWS\System32\Drivers\avgldx86.sys

Address: 0xEECFB000 Size: 321024 File Visible: - Signed: -

Status: -

Name: avgmfx86.sys

Image Path: C:\WINDOWS\System32\Drivers\avgmfx86.sys

Address: 0xF7B4F000 Size: 21120 File Visible: - Signed: -

Status: -

Name: avgtdix.sys

Image Path: C:\WINDOWS\System32\Drivers\avgtdix.sys

Address: 0xEEE7D000 Size: 101888 File Visible: - Signed: -

Status: -

Name: Beep.SYS

Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS

Address: 0xF7CF5000 Size: 4224 File Visible: - Signed: -

Status: -

Name: BOOTVID.dll

Image Path: C:\WINDOWS\system32\BOOTVID.dll

Address: 0xF7BE7000 Size: 12288 File Visible: - Signed: -

Status: -

Name: Cdfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS

Address: 0xF7A47000 Size: 63744 File Visible: - Signed: -

Status: -

Name: cdrom.sys

Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys

Address: 0xF78E7000 Size: 62976 File Visible: - Signed: -

Status: -

Name: CLASSPNP.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Address: 0xF7817000 Size: 53248 File Visible: - Signed: -

Status: -

Name: CVPNDRVA.sys

Image Path: C:\WINDOWS\system32\Drivers\CVPNDRVA.sys

Address: 0xEE7C6000 Size: 589824 File Visible: - Signed: -

Status: -

Name: disk.sys

Image Path: disk.sys

Address: 0xF7807000 Size: 36352 File Visible: - Signed: -

Status: -

Name: dmgowljn.sys

Image Path: dmgowljn.sys

Address: 0xF7A57000 Size: 23424 File Visible: - Signed: -

Status: -

Name: dne2000.sys

Image Path: C:\WINDOWS\system32\DRIVERS\dne2000.sys

Address: 0xF734F000 Size: 121728 File Visible: - Signed: -

Status: -

Name: drmk.sys

Image Path: C:\WINDOWS\system32\drivers\drmk.sys

Address: 0xF7917000 Size: 61440 File Visible: - Signed: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xEECE3000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7D15000 Size: 8192 File Visible: No Signed: -

Status: -

Name: Dxapi.sys

Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys

Address: 0xF7CA3000 Size: 12288 File Visible: - Signed: -

Status: -

Name: dxg.sys

Image Path: C:\WINDOWS\System32\drivers\dxg.sys

Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -

Status: -

Name: dxgthk.sys

Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys

Address: 0xF7E9A000 Size: 4096 File Visible: - Signed: -

Status: -

Name: e100b325.sys

Image Path: C:\WINDOWS\system32\DRIVERS\e100b325.sys

Address: 0xF74BB000 Size: 145408 File Visible: - Signed: -

Status: -

Name: Fastfat.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS

Address: 0xEDE36000 Size: 143744 File Visible: - Signed: -

Status: -

Name: fdc.sys

Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys

Address: 0xF7AE7000 Size: 27392 File Visible: - Signed: -

Status: -

Name: Fips.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS

Address: 0xF79F7000 Size: 44544 File Visible: - Signed: -

Status: -

Name: flpydisk.sys

Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys

Address: 0xF7B17000 Size: 20480 File Visible: - Signed: -

Status: -

Name: fltmgr.sys

Image Path: fltmgr.sys

Address: 0xF7720000 Size: 129792 File Visible: - Signed: -

Status: -

Name: Fs_Rec.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS

Address: 0xF7CF3000 Size: 7936 File Visible: - Signed: -

Status: -

Name: ftdisk.sys

Image Path: ftdisk.sys

Address: 0xF7758000 Size: 125056 File Visible: - Signed: -

Status: -

Name: GEARAspiWDM.sys

Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys

Address: 0xF7C7B000 Size: 9472 File Visible: - Signed: -

Status: -

Name: hal.dll

Image Path: C:\WINDOWS\system32\hal.dll

Address: 0x806FF000 Size: 134400 File Visible: - Signed: -

Status: -

Name: HIDCLASS.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS

Address: 0xF7A07000 Size: 36864 File Visible: - Signed: -

Status: -

Name: HIDPARSE.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS

Address: 0xF7B27000 Size: 28672 File Visible: - Signed: -

Status: -

Name: hidusb.sys

Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys

Address: 0xF7C67000 Size: 10368 File Visible: - Signed: -

Status: -

Name: HPFECP06.SYS

Image Path: C:\WINDOWS\System32\drivers\HPFECP06.SYS

Address: 0xEECD3000 Size: 38176 File Visible: - Signed: -

Status: -

Name: HTTP.sys

Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys

Address: 0xEE29B000 Size: 264832 File Visible: - Signed: -

Status: -

Name: ialmdd5.DLL

Image Path: C:\WINDOWS\System32\ialmdd5.DLL

Address: 0xBFA2E000 Size: 905216 File Visible: - Signed: -

Status: -

Name: ialmdev5.DLL

Image Path: C:\WINDOWS\System32\ialmdev5.DLL

Address: 0xBFA02000 Size: 180224 File Visible: - Signed: -

Status: -

Name: ialmdnt5.dll

Image Path: C:\WINDOWS\System32\ialmdnt5.dll

Address: 0xBF9E3000 Size: 126976 File Visible: - Signed: -

Status: -

Name: ialmnt5.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ialmnt5.sys

Address: 0xF7517000 Size: 804256 File Visible: - Signed: -

Status: -

Name: ialmrnt5.dll

Image Path: C:\WINDOWS\System32\ialmrnt5.dll

Address: 0xBF9D5000 Size: 57344 File Visible: - Signed: -

Status: -

Name: imapi.sys

Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys

Address: 0xF7907000 Size: 42112 File Visible: - Signed: -

Status: -

Name: intelide.sys

Image Path: intelide.sys

Address: 0xF7CDB000 Size: 5504 File Visible: - Signed: -

Status: -

Name: intelppm.sys

Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys

Address: 0xF78C7000 Size: 36352 File Visible: - Signed: -

Status: -

Name: ipnat.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys

Address: 0xEEE57000 Size: 152832 File Visible: - Signed: -

Status: -

Name: ipsec.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys

Address: 0xEEEEF000 Size: 75264 File Visible: - Signed: -

Status: -

Name: isapnp.sys

Image Path: isapnp.sys

Address: 0xF77D7000 Size: 37248 File Visible: - Signed: -

Status: -

Name: kbdclass.sys

Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys

Address: 0xF7B07000 Size: 24576 File Visible: - Signed: -

Status: -

Name: kbdhid.sys

Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys

Address: 0xF7C73000 Size: 14592 File Visible: - Signed: -

Status: -

Name: KDCOM.DLL

Image Path: C:\WINDOWS\system32\KDCOM.DLL

Address: 0xF7CD7000 Size: 8192 File Visible: - Signed: -

Status: -

Name: ks.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys

Address: 0xF7484000 Size: 143360 File Visible: - Signed: -

Status: -

Name: KSecDD.sys

Image Path: KSecDD.sys

Address: 0xF7709000 Size: 92288 File Visible: - Signed: -

Status: -

Name: mnmdd.SYS

Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS

Address: 0xF7CF7000 Size: 4224 File Visible: - Signed: -

Status: -

Name: mouclass.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys

Address: 0xF7B0F000 Size: 23040 File Visible: - Signed: -

Status: -

Name: mouhid.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys

Address: 0xF7C6B000 Size: 12160 File Visible: - Signed: -

Status: -

Name: MountMgr.sys

Image Path: MountMgr.sys

Address: 0xF77E7000 Size: 42368 File Visible: - Signed: -

Status: -

Name: mrxdav.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys

Address: 0xEE946000 Size: 180608 File Visible: - Signed: -

Status: -

Name: mrxsmb.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

Address: 0xEED72000 Size: 455296 File Visible: - Signed: -

Status: -

Name: Msfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS

Address: 0xF7B37000 Size: 19072 File Visible: - Signed: -

Status: -

Name: msgpc.sys

Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys

Address: 0xF7957000 Size: 35072 File Visible: - Signed: -

Status: -

Name: mssmbios.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys

Address: 0xF7C93000 Size: 15488 File Visible: - Signed: -

Status: -

Name: Mup.sys

Image Path: Mup.sys

Address: 0xF7635000 Size: 105344 File Visible: - Signed: -

Status: -

Name: NDIS.sys

Image Path: NDIS.sys

Address: 0xF764F000 Size: 182656 File Visible: - Signed: -

Status: -

Name: ndistapi.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys

Address: 0xF7C8B000 Size: 10112 File Visible: - Signed: -

Status: -

Name: ndisuio.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys

Address: 0xEEBEB000 Size: 14592 File Visible: - Signed: -

Status: -

Name: ndiswan.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys

Address: 0xF7316000 Size: 91520 File Visible: - Signed: -

Status: -

Name: NDProxy.SYS

Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS

Address: 0xF7987000 Size: 40576 File Visible: - Signed: -

Status: -

Name: netbios.sys

Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys

Address: 0xF79E7000 Size: 34688 File Visible: - Signed: -

Status: -

Name: netbt.sys

Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys

Address: 0xEEE2F000 Size: 162816 File Visible: - Signed: -

Status: -

Name: Npfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS

Address: 0xF7B3F000 Size: 30848 File Visible: - Signed: -

Status: -

Name: Ntfs.sys

Image Path: Ntfs.sys

Address: 0xF767C000 Size: 574976 File Visible: - Signed: -

Status: -

Name: ntoskrnl.exe

Image Path: C:\WINDOWS\system32\ntoskrnl.exe

Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -

Status: -

Name: Null.SYS

Image Path: C:\WINDOWS\System32\Drivers\Null.SYS

Address: 0xF7DF2000 Size: 2944 File Visible: - Signed: -

Status: -

Name: parport.sys

Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys

Address: 0xF74A7000 Size: 80128 File Visible: - Signed: -

Status: -

Name: PartMgr.sys

Image Path: PartMgr.sys

Address: 0xF7A67000 Size: 19712 File Visible: - Signed: -

Status: -

Name: ParVdm.SYS

Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS

Address: 0xF7D4F000 Size: 6784 File Visible: - Signed: -

Status: -

Name: pci.sys

Image Path: pci.sys

Address: 0xF7777000 Size: 68224 File Visible: - Signed: -

Status: -

Name: pciide.sys

Image Path: pciide.sys

Address: 0xF7D9F000 Size: 3328 File Visible: - Signed: -

Status: -

Name: PCIIDEX.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Address: 0xF7A5F000 Size: 28672 File Visible: - Signed: -

Status: -

Name: PnpManager

Image Path: \Driver\PnpManager

Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -

Status: -

Name: portcls.sys

Image Path: C:\WINDOWS\system32\drivers\portcls.sys

Address: 0xF7420000 Size: 147456 File Visible: - Signed: -

Status: -

Name: psched.sys

Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys

Address: 0xF7305000 Size: 69120 File Visible: - Signed: -

Status: -

Name: ptilink.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys

Address: 0xF7AF7000 Size: 17792 File Visible: - Signed: -

Status: -

Name: rasacd.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys

Address: 0xF7600000 Size: 8832 File Visible: - Signed: -

Status: -

Name: rasl2tp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

Address: 0xF7927000 Size: 51328 File Visible: - Signed: -

Status: -

Name: raspppoe.sys

Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys

Address: 0xF7937000 Size: 41472 File Visible: - Signed: -

Status: -

Name: raspptp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys

Address: 0xF7947000 Size: 48384 File Visible: - Signed: -

Status: -

Name: raspti.sys

Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys

Address: 0xF7AFF000 Size: 16512 File Visible: - Signed: -

Status: -

Name: RAW

Image Path: \FileSystem\RAW

Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -

Status: -

Name: rdbss.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys

Address: 0xEEDE2000 Size: 175744 File Visible: - Signed: -

Status: -

Name: RDPCDD.sys

Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys

Address: 0xF7CF9000 Size: 4224 File Visible: - Signed: -

Status: -

Name: redbook.sys

Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys

Address: 0xF78F7000 Size: 57600 File Visible: - Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xEDDEB000 Size: 49152 File Visible: No Signed: -

Status: -

Name: senfilt.sys

Image Path: C:\WINDOWS\system32\drivers\senfilt.sys

Address: 0xF736D000 Size: 732928 File Visible: - Signed: -

Status: -

Name: serenum.sys

Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys

Address: 0xF7C77000 Size: 15744 File Visible: - Signed: -

Status: -

Name: serial.sys

Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys

Address: 0xF78D7000 Size: 64512 File Visible: - Signed: -

Status: -

Name: smwdm.sys

Image Path: C:\WINDOWS\system32\drivers\smwdm.sys

Address: 0xF7444000 Size: 260352 File Visible: - Signed: -

Status: -

Name: srv.sys

Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys

Address: 0xEE624000 Size: 333952 File Visible: - Signed: -

Status: -

Name: swenum.sys

Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys

Address: 0xF7CE9000 Size: 4352 File Visible: - Signed: -

Status: -

Name: sysaudio.sys

Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys

Address: 0xEE9C3000 Size: 60800 File Visible: - Signed: -

Status: -

Name: tcpip.sys

Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys

Address: 0xEEE96000 Size: 361600 File Visible: - Signed: -

Status: -

Name: TDI.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS

Address: 0xF7AEF000 Size: 20480 File Visible: - Signed: -

Status: -

Name: termdd.sys

Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys

Address: 0xF7967000 Size: 40704 File Visible: - Signed: -

Status: -

Name: update.sys

Image Path: C:\WINDOWS\system32\DRIVERS\update.sys

Address: 0xF722A000 Size: 384768 File Visible: - Signed: -

Status: -

Name: usbccgp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys

Address: 0xF7B47000 Size: 32128 File Visible: - Signed: -

Status: -

Name: USBD.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS

Address: 0xF7CED000 Size: 8192 File Visible: - Signed: -

Status: -

Name: usbehci.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys

Address: 0xF7ADF000 Size: 30208 File Visible: - Signed: -

Status: -

Name: usbhub.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys

Address: 0xF79A7000 Size: 59520 File Visible: - Signed: -

Status: -

Name: USBPORT.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS

Address: 0xF74DF000 Size: 147456 File Visible: - Signed: -

Status: -

Name: USBSTOR.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

Address: 0xF7BD7000 Size: 26368 File Visible: - Signed: -

Status: -

Name: usbuhci.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys

Address: 0xF7AD7000 Size: 20608 File Visible: - Signed: -

Status: -

Name: vga.sys

Image Path: C:\WINDOWS\System32\drivers\vga.sys

Address: 0xF7B2F000 Size: 20992 File Visible: - Signed: -

Status: -

Name: VIDEOPRT.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS

Address: 0xF7503000 Size: 81920 File Visible: - Signed: -

Status: -

Name: VolSnap.sys

Image Path: VolSnap.sys

Address: 0xF77F7000 Size: 52352 File Visible: - Signed: -

Status: -

Name: wanarp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys

Address: 0xF79D7000 Size: 34560 File Visible: - Signed: -

Status: -

Name: watchdog.sys

Image Path: C:\WINDOWS\System32\watchdog.sys

Address: 0xF7B57000 Size: 20480 File Visible: - Signed: -

Status: -

Name: wdmaud.sys

Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys

Address: 0xEE761000 Size: 83072 File Visible: - Signed: -

Status: -

Name: Win32k

Image Path: \Driver\Win32k

Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -

Status: -

Name: win32k.sys

Image Path: C:\WINDOWS\System32\win32k.sys

Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -

Status: -

Name: WMILIB.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS

Address: 0xF7CD9000 Size: 8192 File Visible: - Signed: -

Status: -

Name: WMIxWDM

Image Path: \Driver\WMIxWDM

Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -

Status: -

Name: ws2ifsl.sys

Image Path: C:\WINDOWS\System32\drivers\ws2ifsl.sys

Address: 0xF75F4000 Size: 12032 File Visible: - Signed: -

Status: -


Hi ya,

OK, and unfortunately you do have Rootkit.Sentinel on board too, and quite possibly a second rootkit is also suspected.

The RootRepeal log is incomplete (sorry, my bad instructions), but I will need the remainder of the output log to verify my suspicions.

Open RootRepeal, go to the *Report* button and select Scan; uncheck the SSDT and Drivers options but make sure the others are ticked.

Please copy and paste the report generated :D

Please also upload me the following file(s).

+ dmgowljn Parallel Technologies DirectParallel IO Library (Not verified) Parallel Technologies, Inc. c:\windows\system32\drivers\dmgowljn.sys

Name: e100b325.sys*

Image Path: C:\WINDOWS\system32\DRIVERS\e100b325.sys

* I'm not sure if this file will copy and paste at this point, but try that first, and if not we will use RootRepeal to recover the file for examination.

Thanks in advance :)


Both the files should be attached and here is the complete ROOTREPEAL log:

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Time: 2009/06/29 11:55

Program Version: Version 1.3.0.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xEECE3000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7D15000 Size: 8192 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xEDDAB000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\WINDOWS\system32\ipxfoev.dll.bak

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\09AVCDEB\main_6;sz=450x60;kl=N;!c=6;klg=en;kvid=M7DlRvPwdVo;ctb=1;khd=1;kt=K;ko=c;kpid=6;afc=1;kga=-1;kr=A;u=M7DlRvPwdVo_6;kgg=-1;kcr=us;kmpuonly=1;custp=9dG6z1l9mTBcZX66u51XDQ;dc_d[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\81UF8HUR\main_6;sz=300x250;kl=N;!c=6;k2=182;k2=592;klg=en;kvid=R7yfISlGLNU;ctb=1;kr=F;khd=1;kt=K;ko=c;kpid=6;afc=1;kga=-1;kp=1;u=R7yfISlGLNU_6;kgg=-1;kcr=us;kmpuonly=1;custp=CHcEUks[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\81UF8HUR\main_6;sz=450x60;kl=N;!c=6;k2=182;k2=592;klg=en;kvid=R7yfISlGLNU;ctb=1;kr=F;khd=1;kt=K;ko=c;kpid=6;afc=1;kga=-1;kp=1;u=R7yfISlGLNU_6;kgg=-1;kcr=us;kmpuonly=1;custp=CHcEUksS[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\81UF8HUR\main_6;sz=480x70;kl=N;!c=6;klg=en;kvid=M7DlRvPwdVo;ctb=1;khd=1;kt=K;ko=c;kpid=6;afc=1;kga=-1;kr=A;u=M7DlRvPwdVo_6;kgg=-1;kcr=us;kmpuonly=1;custp=9dG6z1l9mTBcZX66u51XDQ;dc_d[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\81UF8HUR\default;sz=300x250;kl=N;klg=en;kt=K;kga=-1;kr=F;kw=andy+samberg+i%27m+on+a+boat;kgg=-1;kcr=us;dc_dedup=1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=4803087230774012[2]

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\8HWEF2ZT\main_6;sz=300x250;kl=N;!c=6;klg=en;kvid=M7DlRvPwdVo;ctb=1;khd=1;kt=K;ko=c;kpid=6;afc=1;kga=-1;kr=A;u=M7DlRvPwdVo_6;kgg=-1;kcr=us;kmpuonly=1;custp=9dG6z1l9mTBcZX66u51XDQ;dc_[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\CPBNOWQ8\default;sz=300x250;kl=N;klg=en;kt=K;kga=-1;kr=F;kw=andy+samberg+jizz+in+my+pants;kgg=-1;kcr=us;dc_dedup=1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=2713925866545283[2].5

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\CPBNOWQ8\main_6;sz=480x70;kl=N;!c=6;k2=182;k2=592;klg=en;kvid=R7yfISlGLNU;ctb=1;kr=F;khd=1;kt=K;ko=c;kpid=6;afc=1;kga=-1;kp=1;u=R7yfISlGLNU_6;kgg=-1;kcr=us;kmpuonly=1;custp=CHcEUksS[1].htm

Status: Locked to the Windows API!

==EOF==

Both_SYS_Files.zip


Great,

If you just bear with me: the first file was Rootkit.Sentinel, so I'm just breaking it apart to code instructions for MBAM to remove it.

I will post back when the defs go live (updated to core DB) so MBAM will shred it :)

The 2nd file is legitimate; boy, do I not love legitimate software that likes to use random-looking naming protocols :D


Hi,

Please update MBAM and run a Quick Scan, allow it to remove what it detects, and reboot.

Defs were added as of DB 2532 to remove Boaxxe & Sentinel variants you have on your computer.

Please post back the MBAM log generated + fresh HJT log and whether you can now access regular mode.

Thanks in advance :D


I first ran Malwarebytes when logged in as a regular user after adding your new updates. It found SEVERAL more infections (THANK YOU!). I tried to do a repair and the program shut down automatically without removing all the problems. I booted into safe mode and ran Malwarebytes again and 3 additional infections were found. I had the program repair those, booted back into regular mode and ran the program a third time: nothing found. Below are all three MBAM logs as well as the HijackThis log.

Here is the First log (regular mode):

Malwarebytes' Anti-Malware 1.38

Database version: 2352

Windows 5.1.2600 Service Pack 3

6/29/2009 2:12:11 PM

mbam-log-2009-06-29 (14-12-11).txt

Scan type: Quick Scan

Objects scanned: 88091

Time elapsed: 5 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 10

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\idhjuzlp (Trojan.BHO) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gwywitjq (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gwywitjq (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gwywitjq (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{345ccb55-a1af-4e12-ab2e-a3c598af7227} (Trojan.BHO) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{345ccb55-a1af-4e12-ab2e-a3c598af7227} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{345ccb55-a1af-4e12-ab2e-a3c598af7227} (Trojan.BHO) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wsosvcml (Trojan.BHO) -> Delete on reboot.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AlerterALG (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\dmgowljn (Rootkit.Sentinel) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\ipxfoev.dll (Trojan.BHO) -> Delete on reboot.

c:\windows\system32\ipxfoev.dll.bak (Trojan.Boaxxe) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\drivers\dmgowljn.sys (Rootkit.Sentinel) -> Delete on reboot.

c:\WINDOWS\system32\drivers\vojctqsp.sys (Rootkit.Sentinel) -> Delete on reboot.

Here is the SECOND LOG (safemode):

Malwarebytes' Anti-Malware 1.38

Database version: 2352

Windows 5.1.2600 Service Pack 3

6/29/2009 2:55:53 PM

mbam-log-2009-06-29 (14-55-53).txt

Scan type: Quick Scan

Objects scanned: 87094

Time elapsed: 5 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\idhjuzlp (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{345ccb55-a1af-4e12-ab2e-a3c598af7227} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\dmgowljn (Rootkit.Sentinel) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Here is the THIRD log (regular mode):

Malwarebytes' Anti-Malware 1.38

Database version: 2352

Windows 5.1.2600 Service Pack 3

6/29/2009 3:27:10 PM

mbam-log-2009-06-29 (15-27-10).txt

Scan type: Quick Scan

Objects scanned: 87940

Time elapsed: 5 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

and Finally Here is the HIJACKTHIS log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:27:41 PM, on 6/29/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\QSWSRC\AAREMOTE\INSTAL~1.EXE

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\hkcmd.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWire...loadControl.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\QSWSRC\AAREMOTE\INSTAL~1.EXE

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--

End of file - 5278 bytes

THANK YOU AGAIN!

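An added example (not the poster's, the helper's or Malwarebytes' own code) that parses the MBAM 1.38 log layout posted above and reconciles the normal-mode scan against the Safe Mode follow-up: it separates objects that were only scheduled for deletion at reboot ("Delete on reboot") from those actually quarantined, and reports which deferred objects the follow-up scan still had to remove. The two embedded logs are constructed excerpts built from this thread's own entries.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs and reconcile a normal-mode
scan with its follow-up scan, as was done in this thread."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed excerpts in the layout of the logs posted above; the entries are
# the ones from this thread, with the summary header lines left out.
NORMAL_MODE_LOG = r"""
Malwarebytes' Anti-Malware 1.38

Registry Keys Infected:
HKEY_CLASSES_ROOT\idhjuzlp (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gwywitjq (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{345ccb55-a1af-4e12-ab2e-a3c598af7227} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\dmgowljn (Rootkit.Sentinel) -> Delete on reboot.

Files Infected:
c:\WINDOWS\system32\ipxfoev.dll (Trojan.BHO) -> Delete on reboot.
c:\windows\system32\ipxfoev.dll.bak (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\dmgowljn.sys (Rootkit.Sentinel) -> Delete on reboot.
c:\WINDOWS\system32\drivers\vojctqsp.sys (Rootkit.Sentinel) -> Delete on reboot.
"""

SAFE_MODE_LOG = r"""
Malwarebytes' Anti-Malware 1.38

Registry Keys Infected:
HKEY_CLASSES_ROOT\idhjuzlp (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{345ccb55-a1af-4e12-ab2e-a3c598af7227} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\dmgowljn (Rootkit.Sentinel) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")            # e.g. "Files Infected:"
DETECTION_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")  # item (Family) -> action.
PENDING = "Delete on reboot"  # object was in use, so MBAM scheduled it for reboot

@dataclass(frozen=True)
class Detection:
    section: str
    item: str    # registry key or file path, as written in the log
    family: str  # e.g. Rootkit.Sentinel
    action: str  # e.g. "Delete on reboot"

def parse_mbam_log(text: str) -> List[Detection]:
    """Return every detection line, tagged with the section it appeared in."""
    found: List[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        # Skip blank lines, the header block and "(No malicious items detected)".
        if not line or section is None or line.startswith("("):
            continue
        m = DETECTION_RE.match(line)
        if m:
            found.append(Detection(section, m.group(1), m.group(2), m.group(3)))
    return found

def by_family_and_action(detections: List[Detection]) -> Counter:
    """What was found, and whether it was actually removed or only deferred."""
    return Counter((d.family, d.action) for d in detections)

def deferred_items(detections: List[Detection]) -> Set[str]:
    """Objects scheduled for removal at reboot instead of being removed in place."""
    return {d.item.lower() for d in detections if d.action == PENDING}

def reconcile(first: List[Detection], followup: List[Detection]) -> Dict[str, List[str]]:
    """Track each deferred object from the first scan into the follow-up scan:
    gone_after_reboot (reboot removal worked), removed_in_followup (re-detected
    and cleaned), still_deferred (removal is being blocked, so escalate) and
    new_in_followup (objects the first scan never saw)."""
    deferred = deferred_items(first)
    seen_first = {d.item.lower() for d in first}
    later = {d.item.lower(): d for d in followup}
    return {
        "gone_after_reboot": sorted(i for i in deferred if i not in later),
        "removed_in_followup": sorted(i for i in deferred if i in later and later[i].action != PENDING),
        "still_deferred": sorted(i for i in deferred if i in later and later[i].action == PENDING),
        "new_in_followup": sorted(i for i in later if i not in seen_first),
    }

def is_clean(detections: List[Detection]) -> bool:
    """The all-clear the thread waits for: a scan with no detections at all."""
    return not detections

if __name__ == "__main__":
    first, second = parse_mbam_log(NORMAL_MODE_LOG), parse_mbam_log(SAFE_MODE_LOG)
    print(by_family_and_action(first), reconcile(first, second), sep="\n")
```

Any object that lands in `still_deferred` across two scans is the signal the helper was acting on here: something is holding the object open and a rootkit scan rather than another MBAM pass is the next step.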

That looks a lot better :D

I just want you to run one more tool for me before we sound the all clear.

STEP 01

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder. Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

http://www.forospyware.com/sUBs/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt


Here is the Combofix Log:

ComboFix 09-06-29.07 - Owner 06/30/2009 13:27.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.418 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Application Data\ncpfwyxr

c:\documents and settings\Administrator\Application Data\ncpfwyxr\profiles.ini

c:\documents and settings\Administrator\Application Data\ncpfwyxr\Profiles\x854qhkh.default\cert8.db

c:\documents and settings\Administrator\Application Data\ncpfwyxr\Profiles\x854qhkh.default\compatibility.ini

c:\documents and settings\Administrator\Application Data\ncpfwyxr\Profiles\x854qhkh.default\compreg.dat

c:\documents and settings\Administrator\Application Data\ncpfwyxr\Profiles\x854qhkh.default\cookies.sqlite

c:\documents and settings\Administrator\Application Data\ncpfwyxr\Profiles\x854qhkh.default\formhistory.sqlite

c:\documents and settings\Administrator\Application Data\ncpfwyxr\Profiles\x854qhkh.default\key3.db

c:\documents and settings\Administrator\Application Data\ncpfwyxr\Profiles\x854qhkh.default\localstore.rdf

c:\documents and settings\Administrator\Application Data\ncpfwyxr\Profiles\x854qhkh.default\permissions.sqlite

c:\documents and settings\Administrator\Application Data\ncpfwyxr\Profiles\x854qhkh.default\places.sqlite-journal

c:\documents and settings\Administrator\Application Data\ncpfwyxr\Profiles\x854qhkh.default\places.sqlite

c:\documents and settings\Administrator\Application Data\ncpfwyxr\Profiles\x854qhkh.default\pluginreg.dat

c:\documents and settings\Administrator\Application Data\ncpfwyxr\Profiles\x854qhkh.default\prefs.js

c:\documents and settings\Administrator\Application Data\ncpfwyxr\Profiles\x854qhkh.default\secmod.db

c:\documents and settings\Administrator\Application Data\ncpfwyxr\Profiles\x854qhkh.default\webappsstore.sqlite

c:\documents and settings\Administrator\Application Data\ncpfwyxr\Profiles\x854qhkh.default\xpti.dat

c:\documents and settings\Administrator\Local Settings\Application Data\ncpfwyxr

c:\documents and settings\Administrator\Local Settings\Application Data\ncpfwyxr\Profiles\x854qhkh.default\urlclassifier3.sqlite

c:\documents and settings\Administrator\Local Settings\Application Data\ncpfwyxr\Profiles\x854qhkh.default\XPC.mfl

c:\documents and settings\NetworkService\Application Data\ncpfwyxr

c:\documents and settings\NetworkService\Application Data\ncpfwyxr\profiles.ini

c:\documents and settings\NetworkService\Application Data\ncpfwyxr\Profiles\kf53966y.default\cert8.db

c:\documents and settings\NetworkService\Application Data\ncpfwyxr\Profiles\kf53966y.default\compatibility.ini

c:\documents and settings\NetworkService\Application Data\ncpfwyxr\Profiles\kf53966y.default\compreg.dat

c:\documents and settings\NetworkService\Application Data\ncpfwyxr\Profiles\kf53966y.default\cookies.sqlite

c:\documents and settings\NetworkService\Application Data\ncpfwyxr\Profiles\kf53966y.default\formhistory.sqlite

c:\documents and settings\NetworkService\Application Data\ncpfwyxr\Profiles\kf53966y.default\key3.db

c:\documents and settings\NetworkService\Application Data\ncpfwyxr\Profiles\kf53966y.default\localstore.rdf

c:\documents and settings\NetworkService\Application Data\ncpfwyxr\Profiles\kf53966y.default\parent.lock

c:\documents and settings\NetworkService\Application Data\ncpfwyxr\Profiles\kf53966y.default\permissions.sqlite

c:\documents and settings\NetworkService\Application Data\ncpfwyxr\Profiles\kf53966y.default\places.sqlite-journal

c:\documents and settings\NetworkService\Application Data\ncpfwyxr\Profiles\kf53966y.default\places.sqlite-stmtjrnl

c:\documents and settings\NetworkService\Application Data\ncpfwyxr\Profiles\kf53966y.default\places.sqlite

c:\documents and settings\NetworkService\Application Data\ncpfwyxr\Profiles\kf53966y.default\pluginreg.dat

c:\documents and settings\NetworkService\Application Data\ncpfwyxr\Profiles\kf53966y.default\prefs.js

c:\documents and settings\NetworkService\Application Data\ncpfwyxr\Profiles\kf53966y.default\secmod.db

c:\documents and settings\NetworkService\Application Data\ncpfwyxr\Profiles\kf53966y.default\webappsstore.sqlite

c:\documents and settings\NetworkService\Application Data\ncpfwyxr\Profiles\kf53966y.default\xpti.dat

c:\documents and settings\NetworkService\Local Settings\Application Data\ncpfwyxr

c:\documents and settings\NetworkService\Local Settings\Application Data\ncpfwyxr\Profiles\kf53966y.default\urlclassifier3.sqlite

c:\documents and settings\NetworkService\Local Settings\Application Data\ncpfwyxr\Profiles\kf53966y.default\XPC.mfl

c:\documents and settings\Owner\Application Data\ncpfwyxr

c:\documents and settings\Owner\Application Data\ncpfwyxr\profiles.ini

c:\documents and settings\Owner\Application Data\ncpfwyxr\Profiles\9esvjyjs.default\cert8.db

c:\documents and settings\Owner\Application Data\ncpfwyxr\Profiles\9esvjyjs.default\compatibility.ini

c:\documents and settings\Owner\Application Data\ncpfwyxr\Profiles\9esvjyjs.default\compreg.dat

c:\documents and settings\Owner\Application Data\ncpfwyxr\Profiles\9esvjyjs.default\cookies.sqlite

c:\documents and settings\Owner\Application Data\ncpfwyxr\Profiles\9esvjyjs.default\formhistory.sqlite

c:\documents and settings\Owner\Application Data\ncpfwyxr\Profiles\9esvjyjs.default\key3.db

c:\documents and settings\Owner\Application Data\ncpfwyxr\Profiles\9esvjyjs.default\localstore.rdf

c:\documents and settings\Owner\Application Data\ncpfwyxr\Profiles\9esvjyjs.default\permissions.sqlite

c:\documents and settings\Owner\Application Data\ncpfwyxr\Profiles\9esvjyjs.default\places.sqlite-journal

c:\documents and settings\Owner\Application Data\ncpfwyxr\Profiles\9esvjyjs.default\places.sqlite

c:\documents and settings\Owner\Application Data\ncpfwyxr\Profiles\9esvjyjs.default\pluginreg.dat

c:\documents and settings\Owner\Application Data\ncpfwyxr\Profiles\9esvjyjs.default\prefs.js

c:\documents and settings\Owner\Application Data\ncpfwyxr\Profiles\9esvjyjs.default\secmod.db

c:\documents and settings\Owner\Application Data\ncpfwyxr\Profiles\9esvjyjs.default\webappsstore.sqlite

c:\documents and settings\Owner\Application Data\ncpfwyxr\Profiles\9esvjyjs.default\xpti.dat

c:\documents and settings\Owner\Local Settings\Application Data\ncpfwyxr

c:\documents and settings\Owner\Local Settings\Application Data\ncpfwyxr\Profiles\9esvjyjs.default\urlclassifier3.sqlite

c:\documents and settings\Owner\Local Settings\Application Data\ncpfwyxr\Profiles\9esvjyjs.default\XPC.mfl

C:\rhydqq.exe

c:\windows\abuyegan.dll

c:\windows\adogovag.dll

c:\windows\agodiwon.dll

c:\windows\arosofihutaf.dll

c:\windows\clmsntm.dll

c:\windows\degaros.dll

c:\windows\disoct.dll

c:\windows\ejomuxudipotafa.dll

c:\windows\epoxeqetalajoqi.dll

c:\windows\etsjot.dll

c:\windows\ezeciluv.dll

c:\windows\gendprsk.dll

c:\windows\ixeteriw.dll

c:\windows\kbcaby.dll

c:\windows\mdsgfc.dll

c:\windows\mpiltse.dll

c:\windows\msestkbc.dll

c:\windows\ocetilarej.dll

c:\windows\odubefovahubimu.dll

c:\windows\ofeluyetofiwup.dll

c:\windows\okofaxacumi.dll

c:\windows\opexewot.dll

c:\windows\oqovaruyuqide.dll

c:\windows\otemezoc.dll

c:\windows\ovodasodefak.dll

c:\windows\system32\_004314_.tmp.dll

c:\windows\system32\_004316_.tmp.dll

c:\windows\system32\mlfcache.dat

c:\windows\ubupopegogajekum.dll

c:\windows\ufowogijanilerih.dll

c:\windows\ujaqejakokupu.dll

c:\windows\ukiyukejub.dll

c:\windows\umagofor.dll

c:\windows\upenazilekoconi.dll

c:\windows\upivarowige.dll

c:\windows\usoyofikaha.dll

c:\windows\uyisozoq.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SFC

-------\Service_sfc

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))

.

2009-06-29 16:08 . 2009-06-29 16:10 12 ----a-w- c:\documents and settings\Owner\settings.dat

2009-06-29 12:27 . 2009-06-29 12:27 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2009-06-25 15:21 . 2009-06-25 15:21 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-06-25 15:21 . 2009-06-25 15:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-06-25 14:42 . 2009-06-25 14:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-06-25 14:00 . 2009-06-29 20:25 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-06-25 14:00 . 2009-06-29 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-06-25 13:44 . 2009-06-25 13:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-06-25 13:44 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-25 13:44 . 2009-06-25 15:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-25 13:44 . 2009-06-25 13:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-06-25 13:44 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-06-25 13:27 . 2009-06-25 13:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-06-25 13:25 . 2009-06-25 13:25 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE

2009-06-25 13:23 . 2009-06-25 13:23 -------- d-sh--w- c:\documents and settings\Owner\IETldCache

2009-06-25 13:14 . 2009-06-25 13:15 -------- dc-h--w- c:\windows\ie8

2009-06-24 23:05 . 2009-06-24 23:05 -------- d-----w- c:\program files\Trend Micro

2009-06-24 22:57 . 2009-06-24 22:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer

2009-06-24 22:57 . 2009-06-24 22:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer

2009-06-22 19:55 . 2009-06-29 17:16 -------- d--h--w- C:\$AVG8.VAULT$

2009-06-22 19:13 . 2009-06-22 19:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-06-22 19:13 . 2009-06-22 19:13 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-06-22 19:13 . 2009-06-22 19:13 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-06-22 19:13 . 2009-06-22 19:13 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-06-22 19:12 . 2009-06-30 13:37 -------- d-----w- c:\windows\system32\drivers\Avg

2009-06-22 12:46 . 2008-06-10 08:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help

2009-06-22 12:46 . 2009-06-26 14:59 -------- d-----w- c:\documents and settings\Administrator

2009-06-22 12:21 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2009-06-22 12:21 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll

2009-06-22 12:21 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2009-06-22 12:21 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2009-06-22 12:20 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2009-06-22 12:20 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-29 13:15 . 2009-06-22 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-06-22 19:12 . 2009-06-22 19:12 -------- d-----w- c:\program files\AVG

2009-06-22 19:03 . 2009-06-22 19:03 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG8

2009-06-22 18:44 . 2009-06-22 18:44 74240 ----a-w- c:\windows\system32\zlib.dll

2009-06-22 18:44 . 2009-06-22 18:44 102400 ----a-w- c:\windows\system32\bz2.dll

2009-06-22 18:44 . 2009-06-22 18:44 141312 ----a-w- c:\windows\system32\unrar.dll

2009-06-22 17:25 . 2009-05-27 05:00 17716 ----a-w- c:\windows\Internet Logs\tvDebug.zip

2009-06-22 17:14 . 2009-04-11 14:42 3107 ----a-w- c:\windows\Rhekopepacupo.dat

2009-06-22 12:44 . 2008-01-05 23:55 24744 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-09 23:27 . 2009-05-30 05:01 0 ----a-w- c:\windows\system32\drivers\64905f35.sys

2009-05-29 16:45 . 2009-04-11 14:42 0 ----a-w- c:\windows\Rxowume.bin

2009-05-14 08:00 . 2007-12-24 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-05-08 02:49 . 2009-05-08 01:41 -------- d-----w- c:\program files\PokerStars.NET

2009-05-06 02:52 . 2007-12-15 04:52 -------- d-----w- c:\program files\PartyGaming

2009-04-16 12:06 . 2009-04-16 12:06 4674 ----a-w- c:\windows\emelexah.dll

2009-04-16 11:14 . 2009-04-16 11:14 4674 ----a-w- c:\windows\dsnhopax.dll

2009-04-16 11:04 . 2009-04-16 11:04 4674 ----a-w- c:\windows\ilubucud.dll

2009-04-15 00:43 . 2007-12-14 10:08 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSnD"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" [2009-01-26 5365592]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-22 1948440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2008-3-20 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-06-22 19:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/22/2009 2:13 PM 327688]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/22/2009 2:13 PM 108552]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/22/2009 2:12 PM 298776]

R2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\qswsrc\AAREMOTE\INSTAL~1.EXE [3/8/2008 10:12 AM 217215]

R2 HPFECP06;HPFECP06;c:\windows\system32\drivers\hpfecp06.sys [3/5/2008 7:33 PM 38176]

S1 64905f35;64905f35;c:\windows\system32\drivers\64905f35.sys [5/30/2009 12:01 AM 0]

S2 Itvsyotiazd;Itvsyotiazd;c:\windows\System32\svchost.exe -k netsvcs [2/28/2006 7:00 AM 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

gwywitjq

Itvsyotiazd

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100

uInternet Settings,ProxyOverride = actsvr.comcastonline.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-30 13:31

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3476)

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\windows\system32\wscntfy.exe

c:\program files\AVG\AVG8\avgtray.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-06-30 13:35 - machine was rebooted

ComboFix-quarantined-files.txt 2009-06-30 18:35

Pre-Run: 310,641,139,712 bytes free

Post-Run: 310,625,841,152 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

277 --- E O F --- 2009-05-14 08:00


OK, that's looking a lot better, but we have a little bit more work to do.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quote box below into Notepad:

File::

c:\windows\emelexah.dll

c:\windows\dsnhopax.dll

c:\windows\ilubucud.dll

c:\windows\system32\drivers\64905f35.sys

c:\windows\Rxowume.bin

Driver::

Itvsyotiazd

64905f35

NetSvc::

gwywitjq

Itvsyotiazd

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: post-1856-1246465010_thumb.png)

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

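The triage the helper did by eye above (a zero-byte driver image, random-named DLLs dropped straight into c:\windows, names under the NetSvcs key that do not belong to a real service) can be scripted so the same three log shapes are checked every time. The block below is an added example, not the helper's tool and not part of ComboFix; the sample log excerpt is constructed from lines quoted in this thread, and the flagging rules (zero-byte images, an all-letters `.dll` directly under %windir%, anything listed under the NetSvcs header) are this example's own heuristics, not a published detection. It emits a CFScript with the same File::/Driver::/NetSvc:: directives the helper used.

```python
"""Scripted triage of a ComboFix log (added example; not the helper's tool).

Parses the three log shapes that carried the evidence in this thread:
  * file lines    "<date> . <date> <size> <attrs> <path>"
  * service lines "<R1|S2> <name>;<display>;<image> [<date> <size>]"
  * the name list under the "Svchost - NetSvcs" header
Flags the suspicious ones and emits a CFScript using the File::/Driver::/NetSvc::
directives. The flagging rules are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt shaped like ComboFix output; the paths are ones quoted in the thread.
SAMPLE_LOG = r"""
2009-06-09 23:27 . 2009-05-30 05:01 0 ----a-w- c:\windows\system32\drivers\64905f35.sys
2009-05-29 16:45 . 2009-04-11 14:42 0 ----a-w- c:\windows\Rxowume.bin
2009-05-13 05:15 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-04-16 12:06 . 2009-04-16 12:06 4674 ----a-w- c:\windows\emelexah.dll
2009-04-16 11:14 . 2009-04-16 11:14 4674 ----a-w- c:\windows\dsnhopax.dll
2009-04-16 11:04 . 2009-04-16 11:04 4674 ----a-w- c:\windows\ilubucud.dll
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/22/2009 2:13 PM 327688]
S1 64905f35;64905f35;c:\windows\system32\drivers\64905f35.sys [5/30/2009 12:01 AM 0]
S2 Itvsyotiazd;Itvsyotiazd;c:\windows\System32\svchost.exe -k netsvcs [2/28/2006 7:00 AM 14336]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
gwywitjq
Itvsyotiazd
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"""

FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d (\d+) (\S+) (c:\\.+)$", re.I)
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+) \[(.+) (\d+)\]$")
NETSVCS_HDR = "Svchost - NetSvcs"
WINDIR = "c:\\windows\\"


@dataclass
class Triage:
    files: list = field(default_factory=list)    # (path, reason)
    drivers: list = field(default_factory=list)  # (service name, reason)
    netsvcs: list = field(default_factory=list)  # (netsvcs member, reason)


def parse_log(text):
    """Return (files, services, netsvcs) from a ComboFix-style log."""
    files, services, netsvcs = [], {}, []
    in_netsvcs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_netsvcs:
            # The list ends at the next registry key, section marker or header line.
            if line.startswith(("[", ".", "HKEY")) or " " in line:
                in_netsvcs = False
            else:
                netsvcs.append(line)
                continue
        if line.endswith(NETSVCS_HDR):
            in_netsvcs = True
            continue
        m = FILE_RE.match(line)
        if m:
            files.append((m.group(3), int(m.group(1))))  # (path, size)
            continue
        m = SVC_RE.match(line)
        if m:
            services[m.group(2)] = (m.group(4), int(m.group(6)))  # name -> (image, size)
    return files, services, netsvcs


def triage(files, services, netsvcs):
    """Apply the heuristics (this example's assumptions) and collect findings."""
    t = Triage()
    for path, size in files:
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        parent = low[: len(low) - len(name)]
        if size == 0 and low.endswith((".sys", ".bin", ".dat")):
            t.files.append((path, "zero-byte image"))
        elif parent == WINDIR and re.fullmatch(r"[a-z]{6,}\.dll", name):
            t.files.append((path, "all-letters DLL dropped directly in %windir%"))
    for name, (image, size) in services.items():
        img = image.lower()
        if "svchost.exe -k netsvcs" in img:
            t.drivers.append((name, "service hosted in the netsvcs svchost group"))
        elif size == 0 and img.endswith(".sys"):
            t.drivers.append((name, "driver whose image file is zero bytes"))
    for name in netsvcs:
        if name in services:
            t.netsvcs.append((name, "NetSvcs member with a matching service entry"))
        else:
            t.netsvcs.append((name, "NetSvcs member with no service entry (orphaned)"))
    return t


def build_cfscript(t):
    """Render findings as a CFScript: File::, Driver::, NetSvc:: sections."""
    sections = [("File::", [p for p, _ in t.files]),
                ("Driver::", [n for n, _ in t.drivers]),
                ("NetSvc::", [n for n, _ in t.netsvcs])]
    out = []
    for header, items in sections:
        if items:
            out.append(header)
            out.extend(items)
            out.append("")
    return "\n".join(out).rstrip("\n") + "\n"


def run(text):
    """Convenience wrapper: parse, triage, and return (findings, script text)."""
    t = triage(*parse_log(text))
    return t, build_cfscript(t)


if __name__ == "__main__":
    findings, script = run(SAMPLE_LOG)
    for kind in ("files", "drivers", "netsvcs"):
        for item, reason in getattr(findings, kind):
            print(f"{kind:8s} {item:45s} {reason}")
    print(script)
```

The orphaned-entry case is the one worth noticing: gwywitjq appears under NetSvcs with no service of its own, so it only shows up if you cross-reference the two sections, which is why the helper's script lists it under NetSvc:: but not under Driver::. Real logs also carry the AVG, Apple and Cisco services; the rules above leave those alone because none of them is zero-byte, netsvcs-hosted, or an all-letters DLL sitting directly in c:\windows.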

Here is the new Combofix log:

ComboFix 09-07-01.01 - Owner 07/01/2009 12:06.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.441 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: F:\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))

.

2009-06-30 18:45 . 2009-06-30 18:45 -------- d-----w- c:\windows\ie8updates

2009-06-30 18:41 . 2009-06-30 18:41 -------- d-sh--w- c:\documents and settings\Default User\IETldCache

2009-06-30 18:38 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2009-06-30 18:38 . 2009-04-30 21:22 1985024 -c----w- c:\windows\system32\dllcache\iertutil.dll

2009-06-30 18:38 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2009-06-30 18:38 . 2009-04-30 21:22 11064832 -c----w- c:\windows\system32\dllcache\ieframe.dll

2009-06-29 16:08 . 2009-06-29 16:10 12 ----a-w- c:\documents and settings\Owner\settings.dat

2009-06-29 12:27 . 2009-06-29 12:27 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2009-06-25 15:21 . 2009-06-25 15:21 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-06-25 15:21 . 2009-06-25 15:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-06-25 14:42 . 2009-06-25 14:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-06-25 14:00 . 2009-06-29 20:25 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-06-25 14:00 . 2009-06-29 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-06-25 13:44 . 2009-06-25 13:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-06-25 13:44 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-25 13:44 . 2009-06-25 15:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-25 13:44 . 2009-06-25 13:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-06-25 13:44 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-06-25 13:27 . 2009-06-25 13:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-06-25 13:25 . 2009-06-25 13:25 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE

2009-06-25 13:23 . 2009-06-25 13:23 -------- d-sh--w- c:\documents and settings\Owner\IETldCache

2009-06-25 13:14 . 2009-06-25 13:15 -------- dc-h--w- c:\windows\ie8

2009-06-24 23:05 . 2009-06-24 23:05 -------- d-----w- c:\program files\Trend Micro

2009-06-24 22:57 . 2009-06-24 22:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer

2009-06-24 22:57 . 2009-06-24 22:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer

2009-06-22 19:55 . 2009-06-29 17:16 -------- d--h--w- C:\$AVG8.VAULT$

2009-06-22 19:13 . 2009-06-22 19:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-06-22 19:13 . 2009-06-22 19:13 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-06-22 19:13 . 2009-06-22 19:13 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-06-22 19:13 . 2009-06-22 19:13 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-06-22 19:12 . 2009-07-01 14:05 -------- d-----w- c:\windows\system32\drivers\Avg

2009-06-22 12:46 . 2008-06-10 08:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help

2009-06-22 12:46 . 2009-06-26 14:59 -------- d-----w- c:\documents and settings\Administrator

2009-06-22 12:21 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2009-06-22 12:21 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll

2009-06-22 12:21 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2009-06-22 12:21 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2009-06-22 12:20 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2009-06-22 12:20 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-30 18:46 . 2007-12-24 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-06-29 13:15 . 2009-06-22 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-06-22 19:12 . 2009-06-22 19:12 -------- d-----w- c:\program files\AVG

2009-06-22 19:03 . 2009-06-22 19:03 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG8

2009-06-22 18:44 . 2009-06-22 18:44 74240 ----a-w- c:\windows\system32\zlib.dll

2009-06-22 18:44 . 2009-06-22 18:44 102400 ----a-w- c:\windows\system32\bz2.dll

2009-06-22 18:44 . 2009-06-22 18:44 141312 ----a-w- c:\windows\system32\unrar.dll

2009-06-22 17:25 . 2009-05-27 05:00 17716 ----a-w- c:\windows\Internet Logs\tvDebug.zip

2009-06-22 17:14 . 2009-04-11 14:42 3107 ----a-w- c:\windows\Rhekopepacupo.dat

2009-06-22 12:44 . 2008-01-05 23:55 24744 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-09 23:27 . 2009-05-30 05:01 0 ----a-w- c:\windows\system32\drivers\64905f35.sys

2009-05-29 16:45 . 2009-04-11 14:42 0 ----a-w- c:\windows\Rxowume.bin

2009-05-13 05:15 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll

2009-05-08 02:49 . 2009-05-08 01:41 -------- d-----w- c:\program files\PokerStars.NET

2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll

2009-05-06 02:52 . 2007-12-15 04:52 -------- d-----w- c:\program files\PartyGaming

2009-04-17 12:26 . 2006-02-28 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys

2009-04-16 12:06 . 2009-04-16 12:06 4674 ----a-w- c:\windows\emelexah.dll

2009-04-16 11:14 . 2009-04-16 11:14 4674 ----a-w- c:\windows\dsnhopax.dll

2009-04-16 11:04 . 2009-04-16 11:04 4674 ----a-w- c:\windows\ilubucud.dll

2009-04-15 14:51 . 2006-02-28 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll

2009-04-15 00:43 . 2007-12-14 10:08 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

.

((((((((((((((((((((((((((((( SnapShot@2009-06-30_18.31.42 )))))))))))))))))))))))))))))))))))))))))

.

+ 2006-02-28 12:00 . 2009-04-30 21:22 25600 c:\windows\system32\jsproxy.dll

- 2006-02-28 12:00 . 2009-03-08 09:33 25600 c:\windows\system32\jsproxy.dll

+ 2009-03-08 09:33 . 2009-04-30 21:22 25600 c:\windows\system32\dllcache\jsproxy.dll

- 2009-03-08 09:33 . 2009-03-08 09:33 25600 c:\windows\system32\dllcache\jsproxy.dll

- 2007-12-24 18:15 . 2009-05-14 08:00 35088 c:\windows\Installer\{91120000-0012-0000-0000-0000000FF1CE}\oisicon.exe

+ 2007-12-24 18:15 . 2009-06-30 18:46 35088 c:\windows\Installer\{91120000-0012-0000-0000-0000000FF1CE}\oisicon.exe

- 2007-12-24 18:15 . 2009-05-14 08:00 18704 c:\windows\Installer\{91120000-0012-0000-0000-0000000FF1CE}\mspicons.exe

+ 2007-12-24 18:15 . 2009-06-30 18:46 18704 c:\windows\Installer\{91120000-0012-0000-0000-0000000FF1CE}\mspicons.exe

- 2007-12-24 18:15 . 2009-05-14 08:00 20240 c:\windows\Installer\{91120000-0012-0000-0000-0000000FF1CE}\cagicon.exe

+ 2007-12-24 18:15 . 2009-06-30 18:46 20240 c:\windows\Installer\{91120000-0012-0000-0000-0000000FF1CE}\cagicon.exe

+ 2006-10-27 03:13 . 2006-10-27 03:13 72472 c:\windows\Installer\$PatchCache$\Managed\00002119210000000000000000F01FEC\12.0.4518\XL12CNVP.DLL

+ 2006-10-27 02:55 . 2006-10-27 02:55 55056 c:\windows\Installer\$PatchCache$\Managed\00002119210000000000000000F01FEC\12.0.4518\SCANOST.EXE

+ 2006-10-27 02:55 . 2006-10-27 02:55 76576 c:\windows\Installer\$PatchCache$\Managed\00002119210000000000000000F01FEC\12.0.4518\RM.DLL

+ 2006-10-27 02:55 . 2006-10-27 02:55 39208 c:\windows\Installer\$PatchCache$\Managed\00002119210000000000000000F01FEC\12.0.4518\RECALL.DLL

+ 2006-10-27 02:55 . 2006-10-27 02:55 53048 c:\windows\Installer\$PatchCache$\Managed\00002119210000000000000000F01FEC\12.0.4518\OUTLVBA.DLL

+ 2006-10-27 02:55 . 2006-10-27 02:55 21312 c:\windows\Installer\$PatchCache$\Managed\00002119210000000000000000F01FEC\12.0.4518\MLSHEXT.DLL

+ 2006-10-27 02:55 . 2006-10-27 02:55 35160 c:\windows\Installer\$PatchCache$\Managed\00002119210000000000000000F01FEC\12.0.4518\DUMPSTER.DLL

+ 2009-06-30 18:45 . 2009-03-08 09:33 12288 c:\windows\ie8updates\KB969897-IE8\xpshims.dll

+ 2009-06-30 18:45 . 2009-03-08 09:33 25600 c:\windows\ie8updates\KB969897-IE8\jsproxy.dll

+ 2006-02-28 12:00 . 2009-04-30 21:22 385536 c:\windows\system32\iedkcs32.dll

- 2006-02-28 12:00 . 2009-03-08 09:32 173056 c:\windows\system32\ie4uinit.exe

+ 2006-02-28 12:00 . 2009-04-30 11:21 173056 c:\windows\system32\ie4uinit.exe

+ 2007-12-14 01:57 . 2009-07-01 05:00 138056 c:\windows\system32\FNTCACHE.DAT

- 2007-12-14 01:57 . 2009-04-15 00:48 138056 c:\windows\system32\FNTCACHE.DAT

+ 2008-04-21 06:44 . 2009-05-13 05:15 915456 c:\windows\system32\dllcache\wininet.dll

+ 2009-04-15 14:51 . 2009-04-15 14:51 585216 c:\windows\system32\dllcache\rpcrt4.dll

+ 2009-05-07 15:32 . 2009-05-07 15:32 345600 c:\windows\system32\dllcache\localspl.dll

+ 2009-03-08 19:09 . 2009-04-30 21:22 385536 c:\windows\system32\dllcache\iedkcs32.dll

- 2009-03-08 09:32 . 2009-03-08 09:32 173056 c:\windows\system32\dllcache\ie4uinit.exe

+ 2009-03-08 09:32 . 2009-04-30 11:21 173056 c:\windows\system32\dllcache\ie4uinit.exe

- 2007-12-24 18:15 . 2009-05-14 08:00 888080 c:\windows\Installer\{91120000-0012-0000-0000-0000000FF1CE}\wordicon.exe

+ 2007-12-24 18:15 . 2009-06-30 18:46 888080 c:\windows\Installer\{91120000-0012-0000-0000-0000000FF1CE}\wordicon.exe

- 2007-12-24 18:15 . 2009-05-14 08:00 922384 c:\windows\Installer\{91120000-0012-0000-0000-0000000FF1CE}\pptico.exe

+ 2007-12-24 18:15 . 2009-06-30 18:46 922384 c:\windows\Installer\{91120000-0012-0000-0000-0000000FF1CE}\pptico.exe

+ 2007-12-24 18:15 . 2009-06-30 18:46 845584 c:\windows\Installer\{91120000-0012-0000-0000-0000000FF1CE}\outicon.exe

- 2007-12-24 18:15 . 2009-05-14 08:00 845584 c:\windows\Installer\{91120000-0012-0000-0000-0000000FF1CE}\outicon.exe

+ 2007-12-24 18:15 . 2009-06-30 18:46 217864 c:\windows\Installer\{91120000-0012-0000-0000-0000000FF1CE}\misc.exe

- 2007-12-24 18:15 . 2009-05-14 08:00 217864 c:\windows\Installer\{91120000-0012-0000-0000-0000000FF1CE}\misc.exe

+ 2006-10-27 21:16 . 2006-10-27 21:16 408880 c:\windows\Installer\$PatchCache$\Managed\00002119210000000000000000F01FEC\12.0.4518\RTFHTML.DLL

+ 2006-10-27 21:16 . 2006-10-27 21:16 138512 c:\windows\Installer\$PatchCache$\Managed\00002119210000000000000000F01FEC\12.0.4518\OUTLCTL.DLL

+ 2006-10-27 02:55 . 2006-10-27 02:55 254776 c:\windows\Installer\$PatchCache$\Managed\00002119210000000000000000F01FEC\12.0.4518\OLKFSTUB.DLL

+ 2006-10-27 02:55 . 2006-10-27 02:55 154960 c:\windows\Installer\$PatchCache$\Managed\00002119210000000000000000F01FEC\12.0.4518\ENVELOPE.DLL

+ 2006-10-27 02:55 . 2006-10-27 02:55 116544 c:\windows\Installer\$PatchCache$\Managed\00002119210000000000000000F01FEC\12.0.4518\EMABLT32.DLL

+ 2009-06-30 18:45 . 2009-03-08 09:34 914944 c:\windows\ie8updates\KB969897-IE8\wininet.dll

+ 2009-06-30 18:45 . 2008-07-09 07:38 382840 c:\windows\ie8updates\KB969897-IE8\spuninst\updspapi.dll

+ 2009-06-30 18:45 . 2007-11-30 12:39 231288 c:\windows\ie8updates\KB969897-IE8\spuninst\spuninst.exe

+ 2009-06-30 18:45 . 2009-03-08 09:33 246784 c:\windows\ie8updates\KB969897-IE8\ieproxy.dll

+ 2009-06-30 18:45 . 2009-03-08 19:09 391536 c:\windows\ie8updates\KB969897-IE8\iedkcs32.dll

+ 2009-06-30 18:45 . 2009-03-08 09:32 173056 c:\windows\ie8updates\KB969897-IE8\ie4uinit.exe

+ 2006-02-28 12:00 . 2009-04-30 21:22 1207808 c:\windows\system32\urlmon.dll

+ 2006-02-28 12:00 . 2009-05-13 05:15 5936128 c:\windows\system32\mshtml.dll

+ 2009-03-08 09:32 . 2009-04-30 21:22 1985024 c:\windows\system32\iertutil.dll

- 2009-03-08 09:32 . 2009-03-08 09:32 1985024 c:\windows\system32\iertutil.dll

+ 2008-10-14 21:46 . 2009-04-17 12:26 1847168 c:\windows\system32\dllcache\win32k.sys

+ 2008-06-26 08:15 . 2009-04-30 21:22 1207808 c:\windows\system32\dllcache\urlmon.dll

+ 2008-04-21 06:44 . 2009-05-13 05:15 5936128 c:\windows\system32\dllcache\mshtml.dll

+ 2007-12-24 18:15 . 2009-06-30 18:46 1172240 c:\windows\Installer\{91120000-0012-0000-0000-0000000FF1CE}\xlicons.exe

- 2007-12-24 18:15 . 2009-05-14 08:00 1172240 c:\windows\Installer\{91120000-0012-0000-0000-0000000FF1CE}\xlicons.exe

+ 2009-06-30 18:45 . 2009-03-08 09:34 1206784 c:\windows\ie8updates\KB969897-IE8\urlmon.dll

+ 2009-06-30 18:45 . 2009-03-08 09:41 5937152 c:\windows\ie8updates\KB969897-IE8\mshtml.dll

+ 2009-06-30 18:45 . 2009-03-08 09:32 1985024 c:\windows\ie8updates\KB969897-IE8\iertutil.dll

+ 2007-12-19 02:08 . 2009-06-01 16:51 23635392 c:\windows\system32\MRT.exe

+ 2009-03-08 09:39 . 2009-04-30 21:22 11064832 c:\windows\system32\ieframe.dll

+ 2009-06-30 18:45 . 2009-03-08 09:39 11063808 c:\windows\ie8updates\KB969897-IE8\ieframe.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSnD"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" [2009-01-26 5365592]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-22 1948440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2008-3-20 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-06-22 19:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/22/2009 2:13 PM 327688]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/22/2009 2:13 PM 108552]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/22/2009 2:12 PM 298776]

R2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\qswsrc\AAREMOTE\INSTAL~1.EXE [3/8/2008 10:12 AM 217215]

R2 HPFECP06;HPFECP06;c:\windows\system32\drivers\hpfecp06.sys [3/5/2008 7:33 PM 38176]

S1 64905f35;64905f35;c:\windows\system32\drivers\64905f35.sys [5/30/2009 12:01 AM 0]

S2 Itvsyotiazd;Itvsyotiazd;c:\windows\System32\svchost.exe -k netsvcs [2/28/2006 7:00 AM 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

gwywitjq

Itvsyotiazd

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100

uInternet Settings,ProxyOverride = actsvr.comcastonline.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-01 12:09

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1688)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-07-01 12:11

ComboFix-quarantined-files.txt 2009-07-01 17:11

ComboFix2.txt 2009-06-30 18:35

Pre-Run: 310,222,483,456 bytes free

Post-Run: 310,212,644,864 bytes free

228 --- E O F --- 2009-06-30 18:46


You're welcome,

I will lock this help topic as resolved now but as a parting gesture :D

Here's some handy reading though: the Prevention page, with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

We hope our application has helped you eradicate this malicious Malware.

If your current anti-virus solution let this infection through please consider purchasing the PRO version of Malwarebytes' Anti-Malware for additional protection against these types of malware.

Safe surfing :)
