
Problem with UACinit.dll + UAC rootkit



About 3-4 weeks ago, a nasty virus got hold of my computer. It wouldn't let me open any .exe's or connect to the internet. After downloading MBAM on another computer, renaming it and running it on the infected computer, it got rid of a lot of different viruses as well as other spyware. I can now open .exe's (but not all; it won't let me open certain antispyware/antivirus programs whose names haven't been changed) and I still cannot connect to the internet through any browser (I usually use Firefox, and I installed Opera to verify the lack of internet connectivity). Any help would be appreciated in resolving my problems.

Current MBAM log

Malwarebytes' Anti-Malware 1.40

Database version: 2551

Windows 5.1.2600 Service Pack 3

8/13/2009 4:04:09 PM

mbam-log-2009-08-13 (16-04-04).txt

Scan type: Quick Scan

Objects scanned: 105440

Time elapsed: 6 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.

_______HJT log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:04:23 PM, on 8/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\arservice.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\lxdkcoms.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\ARPWRMSG.EXE

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Lexmark 5300 Series\lxdkmon.exe

C:\Program Files\Lexmark 5300 Series\lxdkamon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\SOUNDMAN.EXE

c:\windows\system\hpsysdrv.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir....&bm=yh_home

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [lxdkmon.exe] "C:\Program Files\Lexmark 5300 Series\lxdkmon.exe"

O4 - HKLM\..\Run: [lxdkamon] "C:\Program Files\Lexmark 5300 Series\lxdkamon.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\fun.exe" /runcleanupscript

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-18\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'Default user')

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Google Updater.lnk.disabled

O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://*.trymedia.com (HKLM)

O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CAB

O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/games/ricochet-los...bGameLoader.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140892258757

O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -

O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab

O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_...tupv2.0.0.9.cab?

O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file:///E:/CDVIEWER/CdViewer.cab

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - AppInit_DLLs: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\190992921745mxx.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: lxdkCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdkserv.exe

O23 - Service: lxdk_device - - C:\WINDOWS\system32\lxdkcoms.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 14145 bytes

Edited by Maurice Naggar
Edited title for more specifics

Hello and welcome to MalwareBytes forums,

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not thehippestcat and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Right click the Spybot Icon in the system tray (notification area).

  • If you have the new version, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.

=

Right click on the Ad-Watch icon in the system tray.

At the bottom of the screen there will be two checkable items called "Active" and "Automatic".

Active: This will turn Ad-Watch On\Off without closing it.

Automatic: Suspicious activity will be blocked automatically.

Uncheck both of those boxes.

=

Next,

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

=

1. Set Windows to show all files and all folders.

On your Desktop, double click My Computer; from the menu options, select Tools, then Folder Options, then select the View tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under the column Hidden files and folders, choose (select) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

=

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :files
    C:\WINDOWS\system32\uacinit.dll
    C:\WINDOWS\system32\drivers\uac*.*
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler

    :Commands
    [purity]
    [emptytemp]
    [reboot]


  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=

Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present

O20 - AppInit_DLLs: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\190992921745mxx.dll
Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer (and/or any other window) is closed when you click Fix Checked!

=

Download RootRepeal:

http://rootrepeal.googlepages.com/RootRepeal.zip

  • Extract the archive to a folder you create such as C:\RootRepeal
  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.

=

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):

  • the contents of OTL MovedFiles log;
  • the contents of Rootrepeal log ; and
  • the contents of checkup.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.


All processes killed

========== FILES ==========

File\Folder C:\WINDOWS\system32\uacinit.dll not found.

File\Folder C:\WINDOWS\system32\drivers\uac*.* not found.

C:\RECYCLER\S-1-5-21-2386330855-2385140882-2528244212-500 moved successfully.

C:\RECYCLER\S-1-5-21-2386330855-2385140882-2528244212-1008 moved successfully.

C:\RECYCLER moved successfully.

File\Folder D:\recycler not found.

File\Folder e:\recycler not found.

File\Folder f:\recycler not found.

File\Folder g:\recycler not found.

File\Folder h:\recycler not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 118040 bytes

->Temporary Internet Files folder emptied: 428620 bytes

->FireFox cache emptied: 39979339 bytes

User: All Users

User: Compaq_Administrator

->Temp folder emptied: 47875509 bytes

->Temporary Internet Files folder emptied: 10431283 bytes

->Java cache emptied: 34887570 bytes

->FireFox cache emptied: 58503329 bytes

->Google Chrome cache emptied: 100591880 bytes

->Apple Safari cache emptied: 288245 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.

->Temp folder emptied: 65984 bytes

->Temporary Internet Files folder emptied: 24411670 bytes

->FireFox cache emptied: 3769041 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 90340772 bytes

%systemdrive% .tmp files removed: 0 bytes

C:\WINDOWS\msdownld.tmp folder deleted successfully.

%systemroot% .tmp files removed: 19569 bytes

%systemroot%\System32 .tmp files removed: 7039297 bytes

Windows Temp folder emptied: 17048 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 399.40 mb

OTL by OldTimer - Version 3.0.10.7 log created on 08142009_174605

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

RootRepeal

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/14 18:32

Program Version: Version 1.3.5.0

Windows Version: Windows XP Media Center Edition SP3

==================================================

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACajrttnucajqtchc.dat

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACbutrpjbwhjwxvkm.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACdnkvlwtdevmmuxo.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACnohskbujudtsdll.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACrpkequackhwxonr.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uactmp.db

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACwyaurfwjfhimihg.db

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxadvnoltlvbjxcx.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC8529.tmp

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACccxyrpsxkyvhbod.sys

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temp\UACafe3.tmp

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Quarantine\uacnohskbujudtsdll.dll.f376ca4a672e76102b96ef6c3247e0.aawqff

Status: Invisible to the Windows API!

Results of screen317's Security Check version 0.98.7

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Enabled!

avast! Antivirus

Norton 360

Antivirus out of date! (On Access scanning disabled!)

``````````````````````````````

Anti-malware/Other Utilities Check:

Out of date Spybot installed!

Ad-Aware

Spybot - Search & Destroy 1.5.2.20

Spyware Doctor 6.0

Spybot - Search & Destroy

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Java 6 Update 11

Java 6 Update 6

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 8.1.2

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

Norton ccSvcHst.exe

Ad-Aware AAWService.exe

Ad-Aware AAWTray.exe is disabled!

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Very random)

`````````End of Log```````````

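As an added example (not something posted in this thread), a small parser for the Hidden/Locked Files section of a RootRepeal file-scan log like the one above: it separates the normal "Locked" entries (hiberfil.sys) from files that are invisible to the Windows API, and flags those whose names follow the UAC naming seen in this log. The sample log is constructed from paths quoted in the thread, and the name pattern is an assumption derived from those names, not a published signature.

```python
"""Classify the 'Hidden/Locked Files' section of a RootRepeal log.

'Locked to the Windows API!' is expected for in-use files such as hiberfil.sys.
'Invisible to the Windows API!' means user-mode tools cannot see the file, which
is the behaviour of the rootkit discussed in the thread (files named UAC + random
letters under system32 and system32\\drivers, plus uacinit.dll and uactmp.db).
"""
import re
from typing import Dict, List

# Constructed excerpt in RootRepeal's format, built from paths quoted in the thread.
SAMPLE_LOG = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/14 18:32
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\\WINDOWS\\system32\\UACajrttnucajqtchc.dat
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\system32\\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\system32\\drivers\\UACccxyrpsxkyvhbod.sys
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\Temp\\UAC8529.tmp
Status: Invisible to the Windows API!

Path: C:\\Documents and Settings\\All Users\\Application Data\\Lavasoft\\Ad-Aware\\Quarantine\\uacnohskbujudtsdll.dll.f376ca4a672e76102b96ef6c3247e0.aawqff
Status: Invisible to the Windows API!
"""

# Name pattern derived from the file names in this thread's logs (an assumption,
# not a published signature): UAC + a run of lowercase letters with a
# .dll/.dat/.db/.sys extension, the fixed names uacinit.dll and uactmp.db, and
# the UACxxxx.tmp droppings in Temp folders.
UAC_NAME = re.compile(
    r"^uac(?:[a-z]{8,}\.(?:dll|dat|db|sys)|init\.dll|tmp\.db|[0-9a-f]{4}\.tmp)$",
    re.IGNORECASE,
)


def classify(path: str, status: str) -> str:
    """Return a verdict for one RootRepeal file entry."""
    name = path.rsplit("\\", 1)[-1]
    if status.startswith("Locked"):
        return "locked-normal"        # in use / locked, e.g. hiberfil.sys
    if "\\quarantine\\" in path.lower():
        return "hidden-quarantined"   # a security tool's stored copy, not a live file
    if UAC_NAME.match(name):
        return "hidden-uac-pattern"   # hidden AND named like the rootkit's files
    return "hidden-review"            # hidden for an unknown reason: look at it


def parse_hidden_files(log: str) -> List[Dict[str, str]]:
    """Parse the Hidden/Locked Files section into path/status/verdict records."""
    records: List[Dict[str, str]] = []
    in_section = False
    pending_path = None
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Hidden/Locked Files":
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("Path:"):
            pending_path = line[len("Path:"):].strip()
        elif line.startswith("Status:") and pending_path is not None:
            status = line[len("Status:"):].strip()
            records.append({"path": pending_path, "status": status,
                            "verdict": classify(pending_path, status)})
            pending_path = None
        elif line and not set(line) <= {"-"}:
            break   # a different section header: the file list is over
    return records


def summarize(log: str) -> Dict[str, int]:
    """Count entries per verdict, e.g. how many hidden files match the pattern."""
    counts: Dict[str, int] = {}
    for rec in parse_hidden_files(log):
        counts[rec["verdict"]] = counts.get(rec["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in parse_hidden_files(SAMPLE_LOG):
        print(f"{rec['verdict']:20} {rec['path']}")
    print(summarize(SAMPLE_LOG))
```

Run against a real RootRepeal.txt by reading the file into `parse_hidden_files`; a locked entry for hiberfil.sys alone is not a finding, while several invisible files in system32 sharing a prefix are.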

Please download the attached file named CFScript.txt and Save it to your Desktop.

The procedure to SAVE it is: Right-click on the CFScript.txt link at bottom, select Save target as, name it CFScript.txt, and save it to your DESKTOP.

If you are not this member, do NOT follow these directions as they could damage the workings of your system.

Delete any prior copy of ComboFix.exe and download a fresh copy.

Download and SAVE ComboFix to your Desktop. Do NOT run the program straight away from download.

Download this file -- And RENAME it to Combo-fix.exe from one of these sources:

Link 1

Link 2

Link 3

Now, disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.


Next, referring to the picture above, drag CFScript.txt onto ComboFix.exe (on your Desktop).

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

When finished, it will produce a log for you at C:\ComboFix.txt which I will need in your next reply.

RE-Enable your AntiVirus and AntiSpyware applications.

* Note: The above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Edited by Maurice Naggar
removed CFScript

I ran ComboFix, and it said that it needed to perform a task on reboot. It has rebooted and the window now says that it is preparing the log report. But since it restarted, so did TeaTimer, which is now telling me that KernelFaultCheck has been deleted (%systemroot%\system32\dumprep 0-k). ComboFix is hanging on the "Preparing log report" step. Any thoughts?


If it has been, say, more than 30 minutes already, use the CTRL+ALT+DEL keys to restart the system. When logged in, see if there is a file at C:\Combofix.txt

If there, copy all its lines, and paste them in a reply here.

Also, get Spybot's Tea Timer out of the way.

Right click the Spybot Icon in the system tray (notification area).

  • If you have the new version, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.

=

Right-click on RootRepeal.exe and choose "Run as Administrator". Click on the Report tab and then click on Scan. A window will open asking what to include in the scan. Check all of the below and then click Ok.

Drivers

Files

Processes

SSDT

Stealth Objects

Hidden Services

You will then be asked which drive to scan. Check C: (or the drive your operating system is installed on if not C) and click Ok again. The scan will start. It will take a little while so please be patient. When the scan has finished, click on Save Report. Name the log RootRepeal.txt and save it to your Documents folder (it should default there). When you have done this, please copy and paste it in this thread.

Reply with copy of C:\Combofix.txt (if found)

and the latest RootRepeal.txt


Apparently the log finished loading about 5 minutes after I posted that.

Anyway, here's the completed ComboFix log

ComboFix 09-08-10.06 - Compaq_Administrator 08/15/2009 8:41.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.604 [GMT -4:00]

Running from: c:\documents and settings\Compaq_Administrator\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Compaq_Administrator\Desktop\CFScript.txt

AV: avast! antivirus 4.8.1229 [VPS 080830-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

FILE ::

"c:\documents and settings\Compaq_Administrator\Local Settings\Temp\UACafe3.tmp"

"c:\windows\system32\drivers\UACccxyrpsxkyvhbod.sys"

"c:\windows\system32\UACajrttnucajqtchc.dat"

"c:\windows\system32\UACbutrpjbwhjwxvkm.dll"

"c:\windows\system32\UACdnkvlwtdevmmuxo.dll"

"c:\windows\system32\uacinit.dll"

"c:\windows\system32\UACnohskbujudtsdll.dll"

"c:\windows\system32\UACrpkequackhwxonr.dll"

"c:\windows\system32\uactmp.db"

"c:\windows\system32\UACwyaurfwjfhimihg.db"

"c:\windows\system32\UACxadvnoltlvbjxcx.dll"

"c:\windows\Temp\UAC8529.tmp"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Compaq_Administrator\Local Settings\Temp\UACafe3.tmp

c:\windows\Install.txt

c:\windows\kb913800.exe

c:\windows\run.log

c:\windows\system32\drivers\UACccxyrpsxkyvhbod.sys

c:\windows\system32\Install.txt

c:\windows\system32\UACajrttnucajqtchc.dat

c:\windows\system32\UACbutrpjbwhjwxvkm.dll

c:\windows\system32\UACdnkvlwtdevmmuxo.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACnohskbujudtsdll.dll

c:\windows\system32\UACrpkequackhwxonr.dll

c:\windows\system32\uactmp.db

c:\windows\system32\UACwyaurfwjfhimihg.db

c:\windows\system32\UACxadvnoltlvbjxcx.dll

c:\windows\Temp\UAC8529.tmp

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

-------\Legacy_UACd.sys

-------\Legacy_MSNCACHE

-------\Legacy_SOPIDKC

((((((((((((((((((((((((( Files Created from 2009-07-15 to 2009-08-15 )))))))))))))))))))))))))))))))

.

2009-08-14 21:46 . 2009-08-14 21:46 -------- d-----w- C:\_OTL

2009-08-14 21:40 . 2009-08-14 21:40 -------- d-----w- c:\program files\ERUNT

2009-08-12 23:45 . 2009-08-12 23:45 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2009-08-12 02:07 . 2009-08-12 02:07 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes

2009-08-12 02:00 . 2009-08-12 02:00 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-08-12 01:58 . 2008-11-06 06:03 -------- d-----w- C:\SDFix

2009-08-12 00:56 . 2009-08-12 00:56 -------- d-sh--w- c:\documents and settings\Compaq_Administrator\PrivacIE

2009-08-12 00:56 . 2009-08-12 00:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-08-12 00:53 . 2009-08-12 00:53 -------- d-sh--w- c:\documents and settings\Compaq_Administrator\IETldCache

2009-08-12 00:31 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-08-12 00:31 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-08-12 00:31 . 2009-08-12 00:31 -------- d-----w- c:\windows\ie8updates

2009-08-12 00:31 . 2009-07-01 07:08 101376 ------w- c:\windows\system32\dllcache\iecompat.dll

2009-08-12 00:28 . 2009-08-12 00:30 -------- dc-h--w- c:\windows\ie8

2009-08-12 00:20 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-08-11 22:07 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-11 22:07 . 2009-08-13 20:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-11 22:07 . 2009-08-11 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-11 22:07 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-11 21:49 . 2009-08-11 21:49 -------- d-----w- c:\program files\Trend Micro

2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

2009-07-29 04:37 . 2009-07-29 04:37 81920 ------w- c:\windows\system32\dllcache\fontsub.dll

2009-07-29 04:37 . 2009-07-29 04:37 119808 ------w- c:\windows\system32\dllcache\t2embed.dll

2009-07-17 19:01 . 2009-07-17 19:01 58880 ------w- c:\windows\system32\dllcache\atl.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-15 00:03 . 2006-12-09 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-08-14 21:36 . 2009-07-08 20:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-05 09:01 . 2004-08-10 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-29 04:37 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-07-29 04:37 . 2004-08-10 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-07-17 19:01 . 2004-08-10 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2004-08-10 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-10 01:28 . 2009-07-10 01:28 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe

2009-07-10 01:28 . 2009-07-10 01:28 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll

2009-07-10 01:28 . 2009-07-10 01:28 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll

2009-07-10 01:28 . 2009-07-10 01:28 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll

2009-07-10 01:28 . 2009-07-10 01:28 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe

2009-07-10 01:28 . 2009-07-09 10:00 15688 ----a-w- c:\windows\system32\lsdelete.exe

2009-07-10 01:28 . 2009-07-10 01:28 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll

2009-07-10 01:28 . 2009-07-10 01:28 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll

2009-07-09 21:03 . 2009-07-09 21:01 -------- d-----w- c:\program files\Spyware Doctor

2009-07-09 21:01 . 2009-07-09 21:01 -------- d-----w- c:\program files\Common Files\PC Tools

2009-07-09 21:01 . 2009-07-09 21:01 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\PC Tools

2009-07-09 21:01 . 2009-07-09 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-07-09 20:19 . 2006-02-25 23:40 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\LimeWire

2009-07-08 23:45 . 2009-07-08 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-07-08 23:43 . 2009-07-08 02:49 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

2009-07-08 23:43 . 2006-02-25 19:44 -------- d-----w- c:\program files\Lavasoft

2009-07-07 19:54 . 2005-11-11 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-07-05 16:01 . 2007-09-08 17:26 -------- d-----w- c:\program files\Steam

2009-07-03 22:11 . 2008-02-07 00:12 -------- d-----w- c:\program files\AIM6

2009-07-03 22:11 . 2006-02-25 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2009-07-03 22:10 . 2009-07-03 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore

2009-07-03 17:09 . 2004-08-10 12:00 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-26 20:31 . 2005-11-11 21:44 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-06-18 15:36 . 2006-07-26 01:05 1878984 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe

2009-05-19 05:36 . 2009-06-15 21:11 2884832 ----a-w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe

2009-05-19 05:36 . 2009-06-15 21:11 28 ----a-w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat

2009-05-19 05:36 . 2009-06-15 21:11 25 ----a-w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat

2009-05-19 05:36 . 2009-06-15 21:11 1484856 ----a-w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe

2009-05-19 05:36 . 2009-06-15 21:11 97072 ----a-w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe

2009-05-19 05:36 . 2009-06-15 21:11 142040 ----a-w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe

2009-05-19 05:36 . 2009-06-18 01:34 30512 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe

2009-05-19 05:36 . 2009-06-15 21:11 30512 ----a-w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe

2009-05-19 05:36 . 2009-06-18 01:34 111920 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll

2009-05-19 05:36 . 2009-06-15 21:11 111920 ----a-w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll

2006-06-03 19:04 . 2006-06-03 19:04 56 --sh--r- c:\windows\system32\E94347B703.sys

2007-04-16 18:15 . 2006-06-03 19:04 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-01 68856]

"Google Update"="c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-08 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]

"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]

"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-05-06 6656]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]

"lxdkmon.exe"="c:\program files\Lexmark 5300 Series\lxdkmon.exe" [2007-06-22 455344]

"lxdkamon"="c:\program files\Lexmark 5300 Series\lxdkamon.exe" [2007-06-01 20480]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-05 136600]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-10 520024]

"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2008-10-20 136768]

c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Google Updater.lnk.disabled [2007-6-3 928]

HP Digital Imaging Monitor.lnk.disabled [2006-6-28 1816]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\windows\system32\ctfmon.exe

"Aim6"=

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

"Steam"="c:\program files\steam\steam.exe" -silent

"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

"PeerGuardian"=c:\program files\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"<NO NAME>"=

"ehTray"=c:\windows\ehome\ehtray.exe

"PC Pitstop Optimize Scheduler"=c:\program files\PCPitstop\Optimize\PCPOptimize.exe -boot

"PCPitstop Optimize Registration Reminder"=c:\program files\PCPitstop\Optimize\Reminder.exe

"NWEReboot"=

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" /s

"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"DISCover"=c:\program files\DISC\DISCover.exe

"DiscUpdateManager"=c:\program files\DISC\DiscUpdateMgr.exe

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE

"Lexmark 5300 Series Fax Server"="c:\program files\Lexmark 5300 Series\fm3032.exe" /s

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN

"Verizon_McciTrayApp"=c:\program files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\DISC\\myFTP.exe"=

"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Documents and Settings\\Compaq_Administrator\\Desktop\\utorrent.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\eMule\\emule.exe"=

"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\My Downloads\\UT1.6.1.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Steam\\steamapps\\hitmansteve007\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe"=

"c:\\WINDOWS\\system32\\lxdkcoms.exe"=

"c:\\Program Files\\Lexmark 5300 Series\\lxdkamon.exe"=

"c:\\Program Files\\Lexmark 5300 Series\\FRun.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\scan\\scanman6.exe"=

"c:\\Program Files\\Lexmark 5300 Series\\lxdkfax.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkpswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdktime.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkjswx.exe"=

"c:\\Program Files\\Starcraft\\StarCraft.exe"=

"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=

"c:\\Program Files\\Steam\\steamapps\\hitmansteve007\\day of defeat source\\hl2.exe"=

"c:\\Program Files\\Adobe\\Adobe Photoshop CS2\\Photoshop.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=

"c:\\Program Files\\Steam\\steamapps\\boober947\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Steam\\steamapps\\hitmansteve007\\half-life\\hl.exe"=

"c:\\Program Files\\Steam\\steamapps\\hitmansteve007\\counter-strike\\hl.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"80:UDP"= 80:UDP:*:Disabled:http2

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/8/2009 7:44 PM 64160]

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/9/2009 5:01 PM 130424]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/2/2008 10:55 AM 78416]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/2/2008 10:55 AM 20560]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]

R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service --> c:\windows\system32\lxdkcoms.exe -service [?]

R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [12/25/2006 2:20 PM 2368]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 6:43 PM 24652]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/26/2009 1:31 PM 101936]

S2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdkserv.exe [1/13/2008 5:07 PM 99248]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/9/2009 5:01 PM 348752]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:27]

2009-08-14 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-08-15 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 15:27]

2009-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2386330855-2385140882-2528244212-1008Core.job

- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-08 18:45]

2009-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2386330855-2385140882-2528244212-1008UA.job

- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-08 18:45]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)

HKLM-Run-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

HKLM-Run-PCDrProfiler - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=yahoo_v.1_ie&bm=yh_home

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

Trusted Zone: trymedia.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB

DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} - file:///E:/CDVIEWER/CdViewer.cab

FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\9cjsfy2t.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFFab&query=

FF - plugin: c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-15 08:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2684)

c:\windows\system32\WININET.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\arservice.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\lxdkcoms.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\nvsvc32.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\dllhost.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\hp\KBD\kbd.exe

.

**************************************************************************

.

Completion time: 2009-08-15 9:13 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-15 13:13

Pre-Run: 6,409,248,768 bytes free

Post-Run: 6,225,313,792 bytes free

341 --- E O F --- 2009-08-12 02:04

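The rootkit components ComboFix removed above share one naming scheme: random lower-case letters after a UAC prefix in system32 and system32\drivers, the fixed names uacinit.dll and uactmp.db, UAC&lt;hex&gt;.tmp droppers in Temp folders, and the UACd.sys service/driver entries, alongside a D:\Autorun.inf. As an added example that is not part of this thread or of ComboFix, here is a small Python scanner that flags that pattern in ComboFix-style log lines; the sample lines are constructed from the log above and the category names are my own.

```python
import re
from collections import Counter

# Naming pattern of the UAC rootkit components listed in the ComboFix log:
#   UAC<random letters>.{sys,dll,dat,db}  (system32, system32\drivers)
#   uacinit.dll / uactmp.db               (fixed names)
#   UAC<4 hex digits>.tmp                 (droppers in Temp folders)
#   UACd.sys                              (Service_/Legacy_ entries)
UAC_COMPONENT_RE = re.compile(
    r"""(?<![A-Za-z0-9])
        UAC(?:
            (?P<fixed>init\.dll|tmp\.db)
          | (?P<random>[a-z]{12,})\.(?P<ext>sys|dll|dat|db)
          | (?P<temp>[0-9a-f]{4})\.tmp
          | (?P<service>d\.sys)
        )
        (?![A-Za-z0-9])""",
    re.IGNORECASE | re.VERBOSE,
)

# A root-level Autorun.inf on a drive other than the system drive is how this
# family spreads through removable media (ComboFix deleted D:\Autorun.inf).
AUTORUN_RE = re.compile(r"\b([A-Za-z]):\\Autorun\.inf\b", re.IGNORECASE)


def classify_line(line):
    """Return (category, matched_text) if the line carries an indicator,
    otherwise None. Category labels are this example's own."""
    m = UAC_COMPONENT_RE.search(line)
    if m:
        if m.group("fixed"):
            category = "fixed-name component"
        elif m.group("service"):
            category = "service/driver entry"
        elif m.group("temp"):
            category = "temp dropper"
        elif m.group("ext").lower() == "sys":
            category = "kernel driver"
        else:
            category = "random-named component"
        return category, m.group(0)
    m = AUTORUN_RE.search(line)
    if m and m.group(1).upper() != "C":
        return "autorun.inf on non-system drive", m.group(0)
    return None


def scan_log(log_text):
    """Scan a ComboFix-style log; return [(line_no, category, match), ...]."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        result = classify_line(line)
        if result:
            hits.append((no, result[0], result[1]))
    return hits


def summarize(hits):
    """Count indicators per category."""
    return Counter(category for _, category, _ in hits)


# Constructed sample: lines copied from the ComboFix log in this thread plus
# benign lines (kb913800.exe, mbam.sys) that must not be flagged.
SAMPLE_LOG = r"""FILE ::
"c:\documents and settings\Compaq_Administrator\Local Settings\Temp\UACafe3.tmp"
"c:\windows\system32\drivers\UACccxyrpsxkyvhbod.sys"
"c:\windows\system32\UACajrttnucajqtchc.dat"
"c:\windows\system32\uacinit.dll"
"c:\windows\system32\uactmp.db"
c:\windows\system32\UACxadvnoltlvbjxcx.dll
c:\windows\kb913800.exe
D:\Autorun.inf
-------\Service_UACd.sys
-------\Legacy_UACd.sys
2009-08-11 22:07 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

if __name__ == "__main__":
    for no, category, match in scan_log(SAMPLE_LOG):
        print(f"line {no}: {category}: {match}")
    print(summarize(scan_log(SAMPLE_LOG)))
```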

Very good results from Combofix. There's a few more (mostly quick) things to do.

If you did not run RootRepeal, I need you to run it (as per prior reply).

If you did run it, I need a copy of RootRepeal.txt in next reply.

Do these next things also:

Place your USB flash drives in-place so that some of these programs will be able to find them.

I'm going to have you get and run two utilities.

The first stops automatic use of the AutoRun feature of XP. The second will write to any connected devices a Read-only, System protected Autorun.inf file on all of your hard drives, and all connected removable storage devices.

Download and Install Microsoft's TweakUI:

http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx

Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.

Expand the My Computer branch, then the AutoPlay branch, and then select Drives.

Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.

http://download.bleepingcomputer.com/sUBs/...Disinfector.exe

There is no GUI interface or log file produced.

=

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:

  • Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

=

Right click the Spybot Icon in the system tray (notification area).

  • If you have the new version, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.

=

Right click on the Ad-Watch icon in the system tray.

At the bottom of the screen there will be two checkable items called "Active" and "Automatic".

Active: This will turn Ad-Watch On/Off without closing it.

Automatic: Suspicious activity will be blocked automatically.

Uncheck both of those boxes.

=

Start your MBAM (Malwarebytes' Anti-Malware).

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 2635 or later. The latest program version is 1.40

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

See this topic in the AumHa Security forum and get the latest Java run-time

http://aumha.net/viewtopic.php?f=26&t=41698

Start HijackThis. Do a Scan and Save log.

Reply with copy of RootRepeal.txt

copy of DrWeb-CureIt log

MBAM scan log

the new Hijackthis log

and tell me, How is your system now?

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.


If the STOP code was documented by you OR it is still on-screen, then let me know the code + any description.

In any event, force a restart/reboot of your system and log in to normal mode. Then proceed with the next steps I listed that followed the DrWeb-CureIt step. Do not run DrWeb-CureIt another time.

No, sorry, but I cannot tell why there was a hitch.

We can substitute a Kaspersky online scan instead.

Scan the system with the Kaspersky Online Scanner

http://www.kaspersky.com/virusscanner

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Reenable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

1) Click the Kaspersky Online Scanner button. You'll see a popup window.

2) Accept the agreement

3) Accept the installation of the required ActiveX object ( XP SP2-SP3 will show this in the Information Bar )

4) For XP SP2-SP3, click the Install button when prompted

5) The necessary files will be downloaded and installed. Please have plenty of patience.

6) After Kaspersky AntiVirus Database is updated, look at the Scan box.

7) Click the My Computer line

8) Be infinitely patient, the scan is comprehensive and, unlike other online antivirus scanners, will detect all malwares

9) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

( To see an animated tutorial-how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.

Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or ComboFix's Qoobox & quarantine.

Kaspersky is a report only and does not remove files.

Post back with copies of the Kaspersky.txt report.

How is your system now?


stop: 0x0000008e (0xC0000005, 0xBF8BC003, 0xF7812B94, 0x00000000)

*** win32k.sys - Address BF8BC003 base at BF800000 DateStamp 49e87572

= RootRepeal txt log

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/16 12:04

Program Version: Version 1.3.5.0

Windows Version: Windows XP Media Center Edition SP3

==================================================

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

===

Also, I am still unable to connect to the Internet in normal Windows mode. In safe mode with networking I can, but not in normal mode. It's strange though, because under the Network Connections window it shows LAN 6 (the adapter I use) as connected, and it is sending and receiving packets. Here is a log from the IE network connectivity diagnostic:

Last diagnostic run time: 08/16/09 20:55:20 Network Adapter Diagnostic

Network location detection

info Using home Internet connection

Network adapter identification

info Network connection: Name=Local Area Connection 3, Device=Realtek RTL8139/810x Family Fast Ethernet NIC, MediaType=LAN, SubMediaType=LAN

info Network connection: Name=Local Area Connection 6, Device=D-Link DFE-530TX+ PCI Fast Ethernet Adapter (rev.F), MediaType=LAN, SubMediaType=LAN

info Network connection: Name=1394 Connection, Device=1394 Net Adapter, MediaType=LAN, SubMediaType=1394

warn This machine has more than one Ethernet or more than one Wireless adapter

info Redirecting user to support call

HTTP, HTTPS, FTP Diagnostic

HTTP, HTTPS, FTP connectivity

warn FTP (Passive): Error 12029 connecting to ftp.microsoft.com: A connection with the server could not be established

warn FTP (Active): Error 12029 connecting to ftp.microsoft.com: A connection with the server could not be established

warn HTTPS: Error 12029 connecting to www.microsoft.com: A connection with the server could not be established

warn HTTP: Error 12029 connecting to www.microsoft.com: A connection with the server could not be established

warn HTTPS: Error 12029 connecting to www.passport.net: A connection with the server could not be established

warn HTTP: Error 12029 connecting to www.hotmail.com: A connection with the server could not be established

error Could not make an HTTP connection.

error Could not make an HTTPS connection.

error Could not make an FTP connection.

I'll start the Kaspersky scanner in Safe Mode and post the results of that as well as the other logs you needed.

===


Your logs showed some peer-to-peer filesharing apps. I do not recommend their use since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.

"File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

Whilst we are still trying to remove malware, de-install eMule, LimeWire, uTorrent, and any other "torrent" or filesharing app on this system. And confirm that for me.

Continue forward with the Kaspersky scan.

I would ask for a new run of RootRepeal since the last did not produce a complete log:

Double click on RootRepeal.exe

Click on the Report tab and then click on Scan.

A window will open asking what to include in the scan.

Check all of the below and then click Ok.

Drivers

Files

Processes

SSDT

Stealth Objects

Hidden Services

You will then be asked which drive to scan. Check C: (or the drive your operating system is installed on if not C) and click Ok again.

The scan will start. It will take a little while so please be patient. When the scan has finished, click on Save Report. Name the log RootRepeal.txt and save it to your Documents folder (it should default there). When you have done this, please copy and paste it in this thread.

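A full RootRepeal report, as the one posted later in this thread shows, runs to hundreds of near-identical "Stealth Objects" lines, so a reviewer wants a summary rather than the raw dump. The following is an added example, not part of this thread and not RootRepeal's own code: a Python parser for the report layout used here (a section header followed by a dashed rule, then Drivers, SSDT and Stealth Objects entries) that flags driver objects with no name or image path, groups SSDT hooks by the module that installed them, and counts, per driver, how many IRP_MJ dispatch entries point at each target address. The embedded report is a constructed excerpt in that layout, not the user's actual log; the function and variable names are this example's own.

```python
"""Summarise a RootRepeal report: nameless driver objects, SSDT hooks grouped
by hooking module, and IRP dispatch ("Stealth Objects") entries grouped by
driver and target address.  Added example; the report text below is a
constructed excerpt following the layout RootRepeal 1.3.5.0 produces."""
import re
from collections import defaultdict

SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/17 06:30
Program Version: Version 1.3.5.0
==================================================

Drivers
-------------------
Name:
Image Path:
Address: 0xF7517000 Size: 98304 File Visible: No Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xF7CAC000 Size: 1664 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "Vax347b.sys" at address 0xf75c0c58

#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf745c506

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "Vax347b.sys" at address 0xf75b54fe

Stealth Objects
-------------------
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x873895d0 Size: 15
"""

SECTION_HDR = re.compile(r"^(Drivers|SSDT|Stealth Objects|Hidden/Locked Files|Processes|Hidden Services)$")
DRIVER_ADDR = re.compile(r"^Address: (0x[0-9A-Fa-f]+) Size: (\d+) File Visible: (\w+) Signed: (\S+)$")
SSDT_FUNC = re.compile(r"^#: (\d+) Function Name: (\w+)$")
SSDT_HOOK = re.compile(r'^Status: Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)$')
STEALTH_OBJ = re.compile(r"^Object: Hidden Code \[Driver: ([^,]+), (IRP_MJ_\w+)\]$")
STEALTH_ADDR = re.compile(r"^Process: (\S+) Address: (0x[0-9A-Fa-f]+) Size: (\d+)$")


def split_sections(text):
    """Map each section name to its non-blank lines; a section starts at a
    header line that is immediately followed by a dashed rule."""
    sections, current, lines = {}, None, text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if SECTION_HDR.match(line) and i + 1 < len(lines) and lines[i + 1].startswith("---"):
            current, sections[current] = line, []
            continue
        if current is not None and line and not line.startswith("---"):
            sections[current].append(line)
    return sections


def parse_drivers(lines):
    """A driver entry is Name / Image Path / Address... / Status; Status closes it."""
    drivers, cur = [], {}
    for line in lines:
        if line.startswith("Name:"):
            cur = {"name": line[len("Name:"):].strip()}
        elif line.startswith("Image Path:"):
            cur["image_path"] = line[len("Image Path:"):].strip()
        elif (m := DRIVER_ADDR.match(line)):
            cur.update(address=int(m.group(1), 16), size=int(m.group(2)),
                       file_visible=m.group(3) == "Yes", signed=m.group(4))
        elif line.startswith("Status:"):
            cur["status"] = line[len("Status:"):].strip()
            drivers.append(cur)
            cur = {}
    return drivers


def parse_pairs(lines, first_re, second_re, build):
    """SSDT and Stealth Objects entries are two-line records: match the first
    line, then the line that follows it, and hand both matches to build()."""
    records, pending = [], None
    for line in lines:
        if (m := first_re.match(line)):
            pending = m
        elif pending is not None and (m := second_re.match(line)):
            records.append(build(pending, m))
            pending = None
    return records


def summarize(text):
    sections = split_sections(text)
    drivers = parse_drivers(sections.get("Drivers", []))
    hooks = parse_pairs(sections.get("SSDT", []), SSDT_FUNC, SSDT_HOOK,
                        lambda f, h: {"function": f.group(2), "module": h.group(1)})
    objs = parse_pairs(sections.get("Stealth Objects", []), STEALTH_OBJ, STEALTH_ADDR,
                       lambda o, a: {"driver": o.group(1), "irp": o.group(2), "address": int(a.group(2), 16)})
    # Driver objects with no name or image path cannot be tied to a file on disk.
    nameless = [d for d in drivers if not d["name"] or not d.get("image_path")]
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h["module"]].append(h["function"])
    # Per driver: how many IRP_MJ entries resolve to each target address. Many
    # entries sharing one target means the dispatch table was redirected wholesale.
    by_driver = defaultdict(lambda: defaultdict(int))
    for o in objs:
        by_driver[o["driver"]][o["address"]] += 1
    return {"nameless_drivers": nameless,
            "ssdt_by_module": {k: sorted(v) for k, v in by_module.items()},
            "stealth_by_driver": {k: dict(v) for k, v in by_driver.items()}}


if __name__ == "__main__":
    import pprint
    pprint.pprint(summarize(SAMPLE_REPORT))
```

To use it on a saved RootRepeal.txt, read the file and pass its contents to `summarize()` in place of `SAMPLE_REPORT`. The items to look at first are driver objects with no name or image path, and any driver whose dispatch entries all resolve to a single address. Not every hook is hostile: security products and disc-emulation drivers also hook the SSDT, so the module names in the SSDT section should be matched against the software installed on the machine before they are treated as malicious.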

Ok I uninstalled all p2p related applications.

Kaspersky Scan Report

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Monday, August 17, 2009

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Monday, August 17, 2009 03:23:03

Records in database: 2638378

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

G:\

H:\

I:\

J:\

K:\

L:\

Scan statistics:

Objects scanned: 214424

Threats found: 6

Infected objects found: 14

Suspicious objects found: 0

Scan duration: 07:23:29

File name / Threat / Threats count

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACccxyrpsxkyvhbod.sys.vir Infected: Rootkit.Win32.Agent.mih 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACbutrpjbwhjwxvkm.dll.vir Infected: Packed.Win32.Tdss.m 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACdnkvlwtdevmmuxo.dll.vir Infected: Trojan.Win32.Tdss.anrc 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACnohskbujudtsdll.dll.vir Infected: Trojan.Win32.Tdss.anrd 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACrpkequackhwxonr.dll.vir Infected: Packed.Win32.Tdss.m 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACxadvnoltlvbjxcx.dll.vir Infected: Trojan.Win32.Tdss.anre 1

C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1207\A0204282.sys Infected: Rootkit.Win32.Agent.mih 1

C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1207\A0204283.dll Infected: Packed.Win32.Tdss.m 1

C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1207\A0204284.dll Infected: Trojan.Win32.Tdss.anrc 1

C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1207\A0204285.dll Infected: Packed.Win32.Tdss.m 1

C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1207\A0204286.dll Infected: Trojan.Win32.Tdss.anre 1

C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1207\A0204287.dll Infected: Trojan.Win32.Tdss.anrd 1

D:\I386\Apps\APP15894\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1

D:\I386\Apps\APP15894\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1

Selected area has been scanned.

===

Root Repeal log

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/17 06:30

Program Version: Version 1.3.5.0

Windows Version: Windows XP Media Center Edition SP3

==================================================

Drivers

-------------------

Name:

Image Path:

Address: 0xF7517000 Size: 98304 File Visible: No Signed: -

Status: -

Name:

Image Path:

Address: 0x00000000 Size: 0 File Visible: No Signed: -

Status: -

Name: 00000439

Image Path: \Driver\00000439

Address: 0x00000000 Size: 0 File Visible: No Signed: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xF6E90000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7C15000 Size: 8192 File Visible: No Signed: -

Status: -

Name: giveio.sys

Image Path: giveio.sys

Address: 0xF7CAC000 Size: 1664 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xF68EE000 Size: 49152 File Visible: No Signed: -

Status: -

SSDT

-------------------

#: 025 Function Name: NtClose

Status: Hooked by "Vax347b.sys" at address 0xf75c0c58

#: 041 Function Name: NtCreateKey

Status: Hooked by "PCTCore.sys" at address 0xf745c506

#: 045 Function Name: NtCreatePagingFile

Status: Hooked by "Vax347b.sys" at address 0xf75b4c70

#: 047 Function Name: NtCreateProcess

Status: Hooked by "PCTCore.sys" at address 0xf744b240

#: 048 Function Name: NtCreateProcessEx

Status: Hooked by "PCTCore.sys" at address 0xf744b432

#: 063 Function Name: NtDeleteKey

Status: Hooked by "PCTCore.sys" at address 0xf745ccc8

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "PCTCore.sys" at address 0xf745cf88

#: 071 Function Name: NtEnumerateKey

Status: Hooked by "Vax347b.sys" at address 0xf75b54fe

#: 073 Function Name: NtEnumerateValueKey

Status: Hooked by "Vax347b.sys" at address 0xf75c0d50

#: 119 Function Name: NtOpenKey

Status: Hooked by "PCTCore.sys" at address 0xf745b3ec

#: 160 Function Name: NtQueryKey

Status: Hooked by "Vax347b.sys" at address 0xf75b551e

#: 177 Function Name: NtQueryValueKey

Status: Hooked by "Vax347b.sys" at address 0xf75c0ca6

#: 192 Function Name: NtRenameKey

Status: Hooked by "PCTCore.sys" at address 0xf745d3ec

#: 241 Function Name: NtSetSystemPowerState

Status: Hooked by "Vax347b.sys" at address 0xf75c04f0

#: 247 Function Name: NtSetValueKey

Status: Hooked by "PCTCore.sys" at address 0xf745c7b8

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "PCTCore.sys" at address 0xf744aef0

Stealth Objects

-------------------

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]

Process: System Address: 0x873895d0 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]

Process: System Address: 0x86cf10e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]

Process: System Address: 0x86cf10e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]

Process: System Address: 0x86d4b710 Size: 11

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]

Process: System Address: 0x86cf10e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x86cf10e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x86cf10e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]

Process: System Address: 0x86cf10e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]

Process: System Address: 0x86cf10e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x86cf10e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x86cf10e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x86cf10e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x86cf10e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x86cf10e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x86cf10e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]

Process: System Address: 0x86cf10e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x86cf10e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]

Process: System Address: 0x86cf10e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]

Process: System Address: 0x86cf10e8 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_CREATE]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_CLOSE]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_READ]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_WRITE]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_QUERY_EA]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_SET_EA]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_SHUTDOWN]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_CLEANUP]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_SET_SECURITY]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_POWER]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_SET_QUOTA]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: dtscsi, IRP_MJ_PNP]

Process: System Address: 0x86e1dd50 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]

Process: System Address: 0x86eb7438 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]

Process: System Address: 0x86ed8330 Size: 99

Object: Hidden Code [Driver: Disk, IRP_MJ_CREATE]

Process: System Address: 0x87389808 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_CLOSE]

Process: System Address: 0x87389808 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_READ]

Process: System Address: 0x87389808 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_WRITE]

Process: System Address: 0x87389808 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x87389808 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x87389808 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x87389808 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_SHUTDOWN]

Process: System Address: 0x87389808 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_POWER]

Process: System Address: 0x87389808 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x87389808 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_PNP]

Process: System Address: 0x87389808 Size: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]

Process: System Address: 0x86d0fc88 Size: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]

Process: System Address: 0x86d0fc88 Size: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]

Process: System Address: 0x86d0fc88 Size: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]

Process: System Address: 0x86d0fc88 Size: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x86d0fc88 Size: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x86d0fc88 Size: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]

Process: System Address: 0x86d0fc88 Size: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x86d0fc88 Size: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]

Process: System Address: 0x86d0fc88 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]

Process: System Address: 0x873d4590 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]

Process: System Address: 0x873d4590 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]

Process: System Address: 0x873d4590 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]

Process: System Address: 0x873d4590 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x873d4590 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x873d4590 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x873d4590 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]

Process: System Address: 0x873d4590 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]

Process: System Address: 0x873d4590 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x873d4590 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]

Process: System Address: 0x873d4590 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]

Process: System Address: 0x873d47c8 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]

Process: System Address: 0x873d47c8 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]

Process: System Address: 0x873d47c8 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x873d47c8 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x873d47c8 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x873d47c8 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]

Process: System Address: 0x873d47c8 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]

Process: System Address: 0x873d47c8 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]

Process: System Address: 0x873d47c8 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x873d47c8 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]

Process: System Address: 0x873d47c8 Size: 15

Object: Hidden Code [Driver: Vax347s, IRP_MJ_CREATE]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_CLOSE]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_READ]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_WRITE]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_QUERY_EA]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_SET_EA]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_SHUTDOWN]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_CLEANUP]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_SET_SECURITY]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_POWER]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_SET_QUOTA]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: Vax347s, IRP_MJ_PNP]

Process: System Address: 0x86edf5d8 Size: 99

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]

Process: System Address: 0x86d74c88 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]

Process: System Address: 0x86d74c88 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x86d74c88 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x86d74c88 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]

Process: System Address: 0x86d74c88 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]

Process: System Address: 0x86d74c88 Size: 15

Object: Hidden Code [Driver: fasttx2k, IRP_MJ_CREATE]

Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: fasttx2k, IRP_MJ_CLOSE]

Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: fasttx2k, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: fasttx2k, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: fasttx2k, IRP_MJ_POWER]

Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: fasttx2k, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: fasttx2k, IRP_MJ_PNP]

Process: System Address: 0x87389eb0 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLOSE]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]

Process: System Address: 0x86cf3bf0 Size: 11

Object: Hidden Code [Driver: Rdbss, IRP_MJ_WRITE]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_EA]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_EA]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SHUTDOWN]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLEANUP]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_SECURITY]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_POWER]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_QUOTA]

Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]

Process: System Address: 0x86b5bb18 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]

Process: System Address: 0x86d4c838 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x86d4c838 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]

Process: System Address: 0x86d4c838 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]

Process: System Address: 0x86d53b28 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]

Process: System Address: 0x86d4c838 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x86d4c838 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x86d4c838 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]

Process: System Address: 0x86d4c838 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]

Process: System Address: 0x86d4c838 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x86d4c838 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x86d4c838 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x86d4c838 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x86d4c838 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x86d4c838 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x86d4c838 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x86d4c838 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]

Process: System Address: 0x86d4c838 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x86d4c838 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]

Process: System Address: 0x86d4c838 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x86d4c838 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x86d4c838 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]

Process: System Addres==EOF==

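To help triage a RootRepeal "Hidden Code" listing like the one pasted above, here is an added Python example (not part of the thread and not RootRepeal's own code) that parses the `Object:`/`Process:` line pairs and groups them per driver. The sample input is constructed in RootRepeal's format using the driver names and addresses that appear in the log above; the grouping shows which drivers have all their dispatch entries pointing at one address and which have more than one hook site, which is where a reviewer would look first.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample in RootRepeal's "Hidden Code" format, built from entries
# that appear in the posted log (same drivers, same addresses and sizes).
SAMPLE_LOG = """\
Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLEANUP]
Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86d4f7c8 Size: 15

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System Address: 0x86b5bb18 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x86d4c838 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x86d53b28 Size: 11
"""

OBJECT_RE = re.compile(
    r"^Object: Hidden Code \[Driver: (?P<driver>[^,\]]+), (?P<irp>IRP_MJ_[A-Z_]+)\]$"
)
PROCESS_RE = re.compile(
    r"^Process: (?P<process>\S+) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)$"
)


def parse_hidden_code(text: str) -> List[Dict]:
    """Pair each 'Object: Hidden Code' line with the 'Process:' line that follows it."""
    entries = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        obj = OBJECT_RE.match(line)
        if obj:
            pending = obj.groupdict()
            continue
        proc = PROCESS_RE.match(line)
        if proc and pending is not None:
            entry = dict(pending)
            entry["process"] = proc.group("process")
            entry["address"] = proc.group("addr").lower()
            entry["size"] = int(proc.group("size"))
            entries.append(entry)
            pending = None
    return entries


def summarize_by_driver(entries: List[Dict]) -> Dict[str, Dict]:
    """Per driver: how many dispatch entries are hooked and from how many distinct sites."""
    summary: Dict[str, Dict] = defaultdict(
        lambda: {"count": 0, "addresses": set(), "sizes": set(), "irps": []}
    )
    for e in entries:
        s = summary[e["driver"]]
        s["count"] += 1
        s["addresses"].add(e["address"])
        s["sizes"].add(e["size"])
        s["irps"].append(e["irp"])
    # Sorted lists make the result stable and easy to compare between scans.
    return {
        drv: {
            "count": s["count"],
            "addresses": sorted(s["addresses"]),
            "sizes": sorted(s["sizes"]),
            "irps": s["irps"],
        }
        for drv, s in summary.items()
    }


def drivers_with_multiple_hook_sites(summary: Dict[str, Dict]) -> List[str]:
    """Drivers whose hooked entries do not all resolve to one address.

    One address shared by every hooked IRP_MJ_* entry means a single routine was
    installed at all entry points; several addresses mean several distinct hooks,
    which deserve a closer look. This is a triage aid, not a malware verdict.
    """
    return sorted(drv for drv, s in summary.items() if len(s["addresses"]) > 1)


if __name__ == "__main__":
    by_driver = summarize_by_driver(parse_hidden_code(SAMPLE_LOG))
    for drv, s in sorted(by_driver.items()):
        print(f"{drv}: {s['count']} hooked entries, sites={s['addresses']}, sizes={s['sizes']}")
    print("multiple hook sites:", drivers_with_multiple_hook_sites(by_driver))
```

Run it against a full RootRepeal report by reading the file into `parse_hidden_code`; drivers that RootRepeal lists with one shared address and size are the usual picture for a single filter routine, and the per-driver summary is what you compare against the same scan after cleanup.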

We are at the end of the hunt for malware. The RootRepeal result is fine. And the Kaspersky online tagged mostly items already out of the way.

A small bit of updating for security:

De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader.

Get the latest version from http://www.adobe.com/products/acrobat/readstep2.html

=

Next, Close all applications and windows.

If you have an older copy of SDFix, delete it now.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual user account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back in a Reply here.

and tell me, how is your system now?

On the following pass, I'll have you do some cleanups for the tools we have used.


SDFix: Version 1.240

Run by Compaq_Administrator on Mon 08/17/2009 at 11:12 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Checking Services :

Restoring Default Security Values

Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-18 00:06:38

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

"s0"=dword:28f6901a

"s1"=dword:53d1e458

"s2"=dword:daa70ea3

"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools\"

"h0"=dword:00000000

"khjeh"=hex:43,d7,a0,f0,36,cd,ba,aa,74,d1,3d,4a,34,f0,1e,fe,fa,1d,32,71,fd,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,51,6d,e5,ca,0e,de,49,7d,61,b3,18,e6,cf,f1,cc,31,f7,..

"khjeh"=hex:68,5f,84,ee,ca,91,50,8d,ed,0e,af,79,3e,10,5e,b4,3b,1c,a5,73,55,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:4a,f4,94,82,29,8b,3d,01,11,64,b3,e5,3c,ab,8d,08,f4,96,c4,89,44,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools\"

"h0"=dword:00000000

"khjeh"=hex:43,d7,a0,f0,36,cd,ba,aa,74,d1,3d,4a,34,f0,1e,fe,fa,1d,32,71,fd,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,51,6d,e5,ca,0e,de,49,7d,61,b3,18,e6,cf,f1,cc,31,f7,..

"khjeh"=hex:68,5f,84,ee,ca,91,50,8d,ed,0e,af,79,3e,10,5e,b4,3b,1c,a5,73,55,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:4a,f4,94,82,29,8b,3d,01,11,64,b3,e5,3c,ab,8d,08,f4,96,c4,89,44,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools\"

"h0"=dword:00000000

"khjeh"=hex:d0,f8,3b,73,2c,0c,49,1e,ce,68,10,99,b3,a6,da,f5,3f,fd,dc,92,63,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,51,6d,e5,ca,0e,de,49,7d,61,b3,18,e6,cf,f1,cc,31,f7,..

"khjeh"=hex:68,5f,84,ee,ca,91,50,8d,ed,0e,af,79,3e,10,5e,b4,3b,1c,a5,73,55,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:4a,f4,94,82,29,8b,3d,01,11,64,b3,e5,3c,ab,8d,08,f4,96,c4,89,44,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\DISC\\DISCover.exe"="C:\\Program Files\\DISC\\DISCover.exe:*:Enabled:DISCover Drop & Play System"

"C:\\Program Files\\DISC\\DiscStreamHub.exe"="C:\\Program Files\\DISC\\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub"

"C:\\Program Files\\DISC\\myFTP.exe"="C:\\Program Files\\DISC\\myFTP.exe:*:Enabled:DISCover FTP"

"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"="C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe:*:Enabled:Compaq Connections"

"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"

"C:\\Documents and Settings\\Compaq_Administrator\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Compaq_Administrator\\Desktop\\utorrent.exe:*:Enabled:

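The "Authorized Application Key Export" at the end of the SDFix report above lists every program the XP firewall lets through. As an added example (not the thread's or SDFix's own code), here is a Python parser for that export format that pulls out the path, remote scope, enabled state and display name of each entry and flags enabled entries that run from user-writable locations such as the Desktop. The sample export is constructed in the same format as the log; the `example.exe` entry and its name are placeholders, not values from the thread.

```python
import re
from typing import Dict, List

# Constructed sample in the format of SDFix's "Authorized Application Key Export"
# section (XP firewall policy; REG_SZ values as exported, backslashes doubled).
# The example.exe entry is a placeholder, not an entry from the posted log.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\User\\Desktop\\example.exe"="C:\\Documents and Settings\\User\\Desktop\\example.exe:*:Enabled:Example (constructed)"
"C:\\Program Files\\Old App\\old.exe"="C:\\Program Files\\Old App\\old.exe:*:Disabled:Old App"
'''

# One exported value per line: "<path>"="<path>:<scope>:<Enabled|Disabled>:<name>"
LINE_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>.*)"$')

# Locations an ordinary user can write to; a firewall exception for a binary
# living there is worth a second look, though it is not proof of anything.
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\desktop\\",
    "\\local settings\\",
    "\\temp\\",
)


def parse_authorized_apps(text: str) -> List[Dict]:
    """Parse the exported authorized-applications list into structured entries."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # key header, blank line, or a truncated line
        key, value = m.group("key"), m.group("value")
        # The value repeats the path, so strip it rather than splitting on ':'
        # (the drive letter contains one too). Skip malformed entries.
        if not value.startswith(key):
            continue
        parts = value[len(key):].split(":", 3)
        if len(parts) != 4 or parts[0] != "":
            continue
        _, scope, status, name = parts
        entries.append({
            "path": key.replace("\\\\", "\\"),   # undo reg-export escaping
            "scope": scope,                      # '*' means any remote address
            "enabled": status.lower() == "enabled",
            "name": name,
        })
    return entries


def flag_user_writable(entries: List[Dict]) -> List[Dict]:
    """Enabled exceptions whose executable sits in a user-writable directory."""
    return [
        e for e in entries
        if e["enabled"] and any(mark in e["path"].lower() for mark in USER_WRITABLE_MARKERS)
    ]


if __name__ == "__main__":
    apps = parse_authorized_apps(SAMPLE_EXPORT)
    for app in apps:
        state = "enabled" if app["enabled"] else "disabled"
        print(f"{state:8} scope={app['scope']:3} {app['path']}  ({app['name']})")
    for app in flag_user_writable(apps):
        print("review:", app["path"])
```

Feed it the corresponding section of a real SDFix report (or a `reg export` of the same key) and review the flagged paths alongside the rest of the log; entries for software the user knowingly installed, like the torrent client on the Desktop in the thread's log, can simply be confirmed as expected.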

I see that you are clear of your rootkit infection issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combo-fix), put that name in the RUN box stated just below.

The "/u" in the Run line below is to start Combofix for its cleanup & removal function.

Note the space after x and before the slash mark.

The utility must be removed to prevent any unintentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Click Start, then click Run.
    In the command box that opens, type or copy/paste combo-fix /u and then click OK.

  • Please double-click OTL.exe to run it.
  • Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

  • Run ATF Cleaner, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.
  • You may reset your Windows Explorer {My Computer} Folder Options > VIEW settings back to where they had been before. {under hidden files & folders to not show hidden or system files -and- to "hide protected operating system files" }
  • Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
  • Check in at Windows Update and install any Critical Updates offered.
  • Download and Install Windows Defender by Microsoft (free) if you do not already have it:
    http://www.microsoft.com/downloads/details...A4-F7F14E605A0D
  • Make certain that Automatic Updates is enabled.
    How to configure and use Automatic Updates in WinXP:
    http://support.microsoft.com/kb/306525
  • Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times)
  • I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
    See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm
    That would help to keep your browser away from known spyware/malware sites.
  • Make regular backups of your system to removable media: DVD, USB external hard drive, etc.


OK, I am currently doing the things you left for me to do. I also fixed the lack of internet connectivity by uninstalling the copy of Norton antivirus that I had. It works fine now, but can you suggest a good Antivirus/Firewall that I should get? Thanks for all the help in restoring my PC to a non-infected state.


The security check log (done way earlier) showed this to have:

avast! Antivirus and Norton 360.

I should have mentioned something, but had overlooked it. My bad. If you are de-installing Norton360, then make sure that avast (a good AV) is functional and updating.

Avast is good. Though I personally tend towards Avira AntiVir or Eset NOD32.

If the system has no third-party firewall, consider getting TallEmu's Online Armor.

HTH

Since the issues are resolved, I'm closing this thread. The advice and procedures used here are only for this pc.

Do not use the procedures on another system.
