
Virus on my computer


wompodite


Hey, I recently got some sort of virus on my computer and it has blocked all of my virus scanners including Malwarebytes, HijackThis, Spybot, and SuperAntiSpyware. I was able to run AVG at one point and it found a bunch of viruses but they were sent to the virus vault, which I currently cannot access. Any help would be much appreciated. :)


Please save this file to your desktop.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. It will take a while to generate.

Please open it with notepad and post the contents here. If the log generated OK then ignore the rest of the directions.

_______________

Only if win32kdiag.exe doesn't run, then download the program to a clean PC and transfer it to removable media (USB drive, CDROM) as follows:

  • I want you to rename win32kdiag.exe as you download it to womp.pif
  • Then copy it to removable media and copy that file (womp.pif) to the desktop of the infected PC.

Notes:

  • It is very important that you save the newly renamed PIF file to your desktop.
  • You must rename win32kdiag.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename it as you download it. To do that:
  • For Firefox
    • Open Firefox and click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

  • For Internet Explorer:

    • When downloading, choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Now launch the program womp.pif on the infected PC:

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\womp.pif" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. It will take a while to generate - be sure to let it finish.

Please open it with notepad and post the contents here.

If this is not clear tell me and I will expand upon it.


Running from: D:\Documents and Settings\Paul\Desktop\womp.pif

Log file at : D:\Documents and Settings\Paul\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'D:\WINDOWS'...

Found mount point : D:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : D:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : D:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\addins\addins

Found mount point : D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16A.tmp\ZAP16A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16A.tmp\ZAP16A.tmp

Found mount point : D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP19.tmp\ZAP19.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP19.tmp\ZAP19.tmp

Found mount point : D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E3.tmp\ZAP1E3.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E3.tmp\ZAP1E3.tmp

Found mount point : D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP356.tmp\ZAP356.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP356.tmp\ZAP356.tmp

Found mount point : D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP413.tmp\ZAP413.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP413.tmp\ZAP413.tmp

Found mount point : D:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\assembly\temp\temp

Found mount point : D:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\assembly\tmp\tmp

Found mount point : D:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\Config\Config

Found mount point : D:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : D:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\Debug\UserMode\UserMode

Found mount point : D:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\ftpcache\ftpcache

Found mount point : D:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\ime\chsime\applets\applets

Found mount point : D:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : D:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\ime\imejp\applets\applets

Found mount point : D:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\ime\imejp98\imejp98

Found mount point : D:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : D:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : D:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : D:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\ime\shared\res\res

Found mount point : D:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : D:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : D:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : D:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\java\trustlib\trustlib

Found mount point : D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : D:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\msapps\msinfo\msinfo

Found mount point : D:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\msdownld.tmp\msdownld.tmp

Found mount point : D:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\mui\mui

Found mount point : D:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : D:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : D:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Found mount point : D:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\pchealth\helpctr\batch\batch

Found mount point : D:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : D:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : D:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : D:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : D:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : D:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\PIF\PIF

Found mount point : D:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : D:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\security\logs\logs

Found mount point : D:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : D:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : D:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : D:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : D:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Cannot access: D:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : D:\WINDOWS\system32\eventlog.dll


There should be more to the log than that. I don't think you let it finish because the most critical part is missing.

Open win32diag.txt

Search on eventlog.dll within the file

There should be more to the log after these last entries you posted at the bottom.

Cannot access: D:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : D:\WINDOWS\system32\eventlog.dll

If there is, then post the remainder of the log that was clipped.

If that is truly the end of the log then:

Delete the copy of win32diag.txt on your desktop.

Please run womp.pif again and post win32diag.txt in your next reply.


Running from: F:\womp.pif.exe

Log file at : D:\Documents and Settings\Paul\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'D:\WINDOWS'...

Found mount point : D:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16A.tmp\ZAP16A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP19.tmp\ZAP19.tmp

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E3.tmp\ZAP1E3.tmp

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP356.tmp\ZAP356.tmp

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP413.tmp\ZAP413.tmp

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: D:\WINDOWS\system32\eventlog.dll

[1] 2004-08-12 06:57:17 55808 D:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 56320 D:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 61952 D:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 17:11:53 56320 D:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : D:\WINDOWS\Temp\avgdiagex\avgdiagex23739\avgdiagex23739

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Temp\avgdiagex\cfg\cfg

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Temp\avgdiagex\log\log

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Temp\avgdiagex\scanlogs\scanlogs

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Temp\SDDLLS\SDDLLS

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Temp\_avast4_\_avast4_

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_6e57c34e\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_6e57c34e

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790

Mount point destination : \Device\__max++>\^

Finished!

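To make explicit what the helper is reading off this log, here is an added Python example. It is not part of Win32kDiag, of this thread, or of any tool named in it; it parses Win32kDiag-style output and flags the two traits visible above: junctions ("mount points") whose destination is not a normal \??\Volume{GUID} path and whose name simply repeats the parent directory (addins\addins, Config\Config, ...), and a system32 DLL whose size or company string disagrees with the backup copy under ServicePackFiles\i386. The text in SAMPLE_LOG is constructed from the format above with the mount point list abridged, and the MountedData junction with a made-up volume GUID is added only as a benign entry for contrast.

```python
"""Triage helper for Win32kDiag-style logs (added example, not part of Win32kDiag).

Checks two traits of the infection discussed in the thread:
  1. Junctions under the Windows folder whose destination is not a
     \\??\\Volume{GUID} path and whose name repeats the parent directory.
  2. A system32 DLL whose size or company string differs from the backup
     copy under ServicePackFiles\\i386, i.e. a patched system file.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the Win32kDiag output format shown in the thread.
# The mount point list is abridged; the MountedData junction and its
# volume GUID are made up so the checks have a benign case to pass.
SAMPLE_LOG = r"""
Running from: F:\womp.pif.exe
Log file at : D:\Documents and Settings\Paul\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'D:\WINDOWS'...
Found mount point : D:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : D:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : D:\WINDOWS\Volumes\MountedData
Mount point destination : \??\Volume{12345678-0000-0000-0000-000000000000}
Cannot access: D:\WINDOWS\system32\eventlog.dll
[1] 2004-08-12 06:57:17 55808 D:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 56320 D:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 61952 D:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 17:11:53 56320 D:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
# "[set] date time size path (company)" lines that follow a "Cannot access:" entry
FILE_RE = re.compile(
    r"^\[(\d+)\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.+?) \((.*)\)$")
# The only destination a legitimate volume mount point should have
VOLUME_GUID_RE = re.compile(r"^\\\?\?\\Volume\{[0-9a-fA-F-]{36}\}\\?$")


def parse_log(text):
    """Return (mount_points, file_records) parsed from Win32kDiag-style text."""
    mounts, files, pending = [], [], None
    for line in text.splitlines():
        line = line.strip()
        m = MOUNT_RE.match(line)
        if m:
            pending = m.group(1)  # the destination is on the following line
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            mounts.append((pending, m.group(1)))
            pending = None
            continue
        m = FILE_RE.match(line)
        if m:
            files.append({"set": int(m.group(1)), "timestamp": m.group(2),
                          "size": int(m.group(3)), "path": m.group(4),
                          "company": m.group(5)})
    return mounts, files


def suspicious_mounts(mounts):
    """Flag junctions that do not point at a volume GUID or that repeat their parent's name."""
    findings = []
    for path, dest in mounts:
        reasons = []
        if not VOLUME_GUID_RE.match(dest):
            reasons.append("destination %r is not a \\??\\Volume{GUID} path" % dest)
        parts = path.rstrip("\\").split("\\")
        if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
            reasons.append("junction is a child directory named after its parent")
        if reasons:
            findings.append((path, dest, reasons))
    return findings


def compare_system_copies(files):
    """Flag a system32 file whose size or company string differs from its ServicePackFiles copy."""
    by_name = defaultdict(list)
    for rec in files:
        by_name[rec["path"].rsplit("\\", 1)[-1].lower()].append(rec)
    findings = []
    for copies in by_name.values():
        live = [c for c in copies if "\\system32\\" in c["path"].lower()]
        refs = [c for c in copies if "\\servicepackfiles\\" in c["path"].lower()]
        for c in live:
            reasons = []
            if not c["company"]:
                reasons.append("empty company string (version resource missing)")
            for r in refs:
                if r["size"] != c["size"]:
                    reasons.append("size %d differs from reference %d at %s"
                                   % (c["size"], r["size"], r["path"]))
            if reasons:
                findings.append((c["path"], reasons))
    return findings


def triage(text):
    """Run both checks and count how many junctions share each destination."""
    mounts, files = parse_log(text)
    return {"destinations": Counter(dest for _, dest in mounts),
            "mounts": suspicious_mounts(mounts),
            "files": compare_system_copies(files)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for dest, n in report["destinations"].items():
        print("%d junction(s) -> %s" % (n, dest))
    for path, dest, reasons in report["mounts"]:
        print("SUSPICIOUS JUNCTION", path, "->", dest, ";", "; ".join(reasons))
    for path, reasons in report["files"]:
        print("SUSPICIOUS FILE", path, ";", "; ".join(reasons))
```

Run against the real Win32kDiag.txt (read the file and pass its contents to triage) the destination counter alone tells the story: dozens of junctions all pointing at the same non-volume device path, and the one system32 copy of eventlog.dll that is larger than its Service Pack backup and has no company string, which is why the helper's Avenger script puts the intact logevent.dll copy back over it.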

Download The Avenger by Swandog46:

http://swandog46.geekstogo.com/avenger2/download.php

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to launch Avenger.
  • Click OK.
  • Make sure that the box next to "Scan for rootkits" is checked and that the box next to Automatically "Disable any rootkits found" is not checked.

Copy and Paste the text in the Code Box into the Avenger's "Input Script here" Box:

Files to move:
D:\WINDOWS\system32\logevent.dll | D:\WINDOWS\system32\eventlog.dll

  • Click the Execute button.
  • You will be prompted with "Are you sure you want to execute the current script?"
  • Click "Yes"
  • You will now be asked "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?"
  • Click "Yes".
  • Your PC will reboot.
  • After your PC has completed the necessary reboot, a log should automatically open.
  • If the log does not automatically open, then it can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt)
  • Please post the Avenger log in your next reply.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan (quick scan) of common rootkit hiding places.
  • When the "quick" scan is finished (a few seconds), if the program alerts you of rootkit activity
    then select Copy, to copy the quick scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program (do not perform a complete scan)
  • Save the Scan log as ARKQuick.txt and post it in your next reply.

Please download Combofix from HERE.

I want you to rename Combofix.exe as you download it to explorer.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

  • For Internet Explorer:

    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already (if your OS is Vista - then you don't need to install the recovery console):

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!

You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

Please post C:\Avenger.txt, Ark.txt, and C:\ComboFix.txt in your next reply.


Here is the Avenger Log, I'm still working on the others.

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)

Thu Sep 24 17:10:51 2009

17:10:51: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at D:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file move operations must be within volumes.

File move operation "D:\WINDOWS\system32\logevent.dll|C:\WINDOWS\system32\eventlog.dll" failed!

Status: 0xc000003e (STATUS_DATA_ERROR)

Completed script processing.

*******************

Finished! Terminate.


Here is the Antirootkit program scan

GMER 1.0.15.15087 - http://www.gmer.net

Rootkit quick scan 2009-09-24 17:22:12

Windows 5.1.2600 Service Pack 3

Running: zqob7qdt.exe; Driver: D:\DOCUME~1\Paul\LOCALS~1\Temp\uxloapoc.sys

---- System - GMER 1.0.15 ----

SSDT spsb.sys ZwEnumerateKey [0xF74A3CA2]

SSDT spsb.sys ZwEnumerateValueKey [0xF74A4030]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 877631F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----


Here is the Combofix

ComboFix 09-09-23.02 - Paul 09/24/2009 17:38.1.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.279 [GMT -7:00]

Running from: d:\documents and settings\Paul\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: avast! antivirus 4.8.1351 [VPS 090924-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\AUTORUN.INF

c:\windows\Installer\12ead5c.msi

c:\windows\Installer\150d802.msi

c:\windows\Installer\1599F.MSP

c:\windows\Installer\15ed501.msi

c:\windows\Installer\1ba4c31.msi

c:\windows\Installer\229d255.msi

c:\windows\Installer\22b11f.msi

c:\windows\Installer\2a8936a.msi

c:\windows\Installer\2b24cb4.msi

c:\windows\Installer\2c0ca4a.msi

c:\windows\Installer\343280.msi

c:\windows\Installer\4032a4.msi

c:\windows\Installer\4afae8.msi

c:\windows\Installer\50C4.MSI

c:\windows\Installer\53046.msi

c:\windows\Installer\597ac.msi

c:\windows\Installer\597b2.msi

c:\windows\Installer\5cf060.msi

c:\windows\Installer\5f190.msi

c:\windows\Installer\69656b.msi

c:\windows\Installer\696570.msi

c:\windows\Installer\696575.msi

c:\windows\Installer\69657a.msi

c:\windows\Installer\69657f.msi

c:\windows\Installer\696584.msi

c:\windows\Installer\696589.msi

c:\windows\Installer\69658e.msi

c:\windows\Installer\696593.msi

c:\windows\Installer\696598.msi

c:\windows\Installer\69659d.msi

c:\windows\Installer\6cbea.msi

c:\windows\Installer\738f.msi

c:\windows\Installer\7393.msi

c:\windows\Installer\739a.msi

c:\windows\Installer\73a0.msi

c:\windows\Installer\73a4.msi

c:\windows\Installer\73a8.msi

c:\windows\Installer\73ac.msi

c:\windows\Installer\73b0.msi

c:\windows\Installer\73b4.msi

c:\windows\Installer\73ca.msi

c:\windows\Installer\73ce.msi

c:\windows\Installer\73d2.msi

c:\windows\Installer\73d6.msi

c:\windows\Installer\73da.msi

c:\windows\Installer\73e1.msi

c:\windows\Installer\73e8.msi

c:\windows\Installer\73ef.msi

c:\windows\Installer\73fa.msi

c:\windows\Installer\73fe.msi

c:\windows\Installer\7402.msi

c:\windows\Installer\740a.msi

c:\windows\Installer\740e.msi

c:\windows\Installer\7415.msi

c:\windows\Installer\7506.MSI

c:\windows\Installer\75259.msi

c:\windows\Installer\89d174.msi

c:\windows\Installer\89d17c.msp

c:\windows\Installer\89d182.msp

c:\windows\Installer\9711c7.msi

c:\windows\Installer\b2cba.msi

c:\windows\Installer\b37cb1.msp

c:\windows\Installer\b46b92.msi

c:\windows\Installer\d7d558.msi

c:\windows\Installer\d864a5.msi

c:\windows\Installer\d864af.msi

c:\windows\Installer\d864b4.msi

c:\windows\Installer\d9710d.msi

c:\windows\Installer\e01261.msi

c:\windows\Installer\eb7d69.msi

c:\windows\Installer\ff95d3.msi

c:\windows\Installer\ff95d6.msi

d:\documents and settings\Paul\Application Data\Google\T-Scan

d:\recycler\S-1-5-21-864700238-547723815-2042116285-1006

d:\windows\run.log

d:\windows\system32\sX3i19

d:\windows\system32\xa.tmp

Infected copy of d:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - d:\windows\ServicePackFiles\i386\eventlog.dll

Infected copy of d:\windows\system32\winlogon.exe was found and disinfected

Restored copy from - d:\windows\ServicePackFiles\i386\winlogon.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_BOONTY_GAMES

-------\Legacy_TDSSSERV.SYS

-------\Legacy_UACd.sys

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Service_Boonty Games

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-08-25 to 2009-09-25 )))))))))))))))))))))))))))))))

.

2009-09-25 00:51 . 2009-09-25 00:51 -------- d-----w- d:\documents and settings\Paul\Local Settings\Application Data\The Weather Channel

2009-09-22 22:13 . 2009-09-22 22:13 -------- d-----w- d:\program files\Trend Micro

2009-09-21 04:49 . 2009-08-17 16:04 51376 ----a-w- d:\windows\system32\drivers\aswTdi.sys

2009-09-21 04:49 . 2009-08-17 16:04 23152 ----a-w- d:\windows\system32\drivers\aswRdr.sys

2009-09-21 04:49 . 2009-08-17 16:03 26944 ----a-w- d:\windows\system32\drivers\aavmker4.sys

2009-09-21 04:49 . 2009-08-17 16:02 97480 ----a-w- d:\windows\system32\AvastSS.scr

2009-09-21 04:49 . 2009-08-17 16:06 93392 ----a-w- d:\windows\system32\drivers\aswmon.sys

2009-09-21 04:49 . 2009-08-17 16:06 94160 ----a-w- d:\windows\system32\drivers\aswmon2.sys

2009-09-21 04:49 . 2009-08-17 16:05 114768 ----a-w- d:\windows\system32\drivers\aswSP.sys

2009-09-21 04:49 . 2009-08-17 16:05 20560 ----a-w- d:\windows\system32\drivers\aswFsBlk.sys

2009-09-21 04:49 . 2009-08-17 16:10 1279456 ----a-w- d:\windows\system32\aswBoot.exe

2009-09-21 00:48 . 2009-07-28 23:33 55656 ----a-w- d:\windows\system32\drivers\avgntflt.sys

2009-09-21 00:48 . 2009-03-30 17:33 96104 ----a-w- d:\windows\system32\drivers\avipbb.sys

2009-09-21 00:48 . 2009-02-13 19:29 22360 ----a-w- d:\windows\system32\drivers\avgntmgr.sys

2009-09-21 00:48 . 2009-02-13 19:17 45416 ----a-w- d:\windows\system32\drivers\avgntdd.sys

2009-09-21 00:48 . 2009-09-21 00:48 -------- d-----w- d:\program files\Avira

2009-09-21 00:48 . 2009-09-21 00:48 -------- d-----w- d:\documents and settings\All Users\Application Data\Avira

2009-09-21 00:19 . 2009-09-10 21:54 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys

2009-09-21 00:19 . 2009-09-10 21:53 19160 ----a-w- d:\windows\system32\drivers\mbam.sys

2009-09-21 00:17 . 2009-09-21 00:17 -------- d-----w- d:\documents and settings\Administrator.AWESOMETRON\Local Settings\Application Data\Mozilla

2009-09-21 00:16 . 2009-09-21 00:16 -------- d-----w- d:\program files\Common Files\Wise Installation Wizard

2009-09-20 23:45 . 2009-09-20 23:45 -------- d-sh--w- d:\documents and settings\Administrator.AWESOMETRON\IETldCache

2009-09-20 20:04 . 2009-09-20 22:09 -------- d-----w- d:\program files\AV Care

2009-09-20 20:04 . 2009-09-20 20:04 68608 ----a-w- d:\windows\system32\drivers\xvxtqdecbvoqhpmp.sys

2009-09-20 20:02 . 2009-09-25 00:12 0 ----a-r- d:\windows\win32k.sys

2009-09-20 19:51 . 2009-09-20 19:51 68608 ----a-w- d:\windows\system32\drivers\pqxxtirxtfmkbpfq.sys

2009-09-19 19:10 . 2009-09-19 19:10 -------- d-----w- d:\program files\iPod

2009-09-19 19:10 . 2009-09-19 19:11 -------- d-----w- d:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-09-17 00:36 . 2009-09-18 03:08 -------- d-----w- d:\documents and settings\Paul\Application Data\Juce VST Host

2009-09-17 00:33 . 2006-06-20 08:56 225280 ----a-w- d:\windows\system32\rewire.dll

2009-09-17 00:32 . 2009-09-17 00:32 -------- d-----w- d:\program files\Outsim

2009-09-17 00:30 . 2009-09-17 00:33 -------- d-----w- d:\program files\Image-Line

2009-09-16 03:09 . 2009-09-16 03:09 -------- d-----w- d:\program files\Guru.dll.rsrc

2009-09-16 03:09 . 2009-09-16 03:09 3739648 ----a-w- d:\program files\Guru.dll

2009-09-16 02:46 . 2009-09-16 02:46 -------- d-----w- d:\program files\ASIO4ALL v2

2009-09-16 02:44 . 2009-09-16 02:44 -------- d-----w- d:\program files\Common Files\Digidesign

2009-09-16 02:44 . 2009-09-16 03:09 69632 ----a-w- d:\windows\system32\FxShared.dll

2009-09-16 02:44 . 2009-09-16 03:09 69632 ----a-w- d:\windows\system32\com.fxpansion.fxshared.dll

2009-09-16 02:44 . 2009-09-16 03:09 233472 ----a-w- d:\windows\system32\REX Shared Library.dll

2009-09-16 02:44 . 2009-09-17 00:33 -------- d-----w- d:\program files\VSTPlugins

2009-09-16 02:44 . 2009-09-16 02:45 -------- d-----w- d:\documents and settings\Paul\Application Data\FXpansion

2009-09-09 22:17 . 2009-06-21 21:44 153088 -c----w- d:\windows\system32\dllcache\triedit.dll

2009-09-06 17:09 . 2009-09-06 17:09 -------- d-sh--w- d:\documents and settings\Nina\IETldCache

2009-09-02 01:06 . 2009-09-21 01:11 -------- d-----w- d:\documents and settings\Paul\Local Settings\Application Data\Temp

2009-09-02 01:05 . 2009-09-02 01:06 -------- d-----w- d:\documents and settings\Paul\Local Settings\Application Data\Deployment

2009-08-29 02:34 . 2009-08-29 02:34 -------- d-----w- d:\program files\directx

2009-08-29 02:31 . 2009-08-29 02:33 -------- d-----w- D:\DeusEx

2009-08-26 22:36 . 2009-08-26 22:36 -------- d-sh--w- d:\documents and settings\Paul\IECompatCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-25 00:51 . 2007-06-16 07:02 -------- d-----w- d:\program files\Steam

2009-09-25 00:44 . 2008-12-01 06:20 -------- d-----w- d:\program files\SUPERAntiSpyware

2009-09-25 00:27 . 2008-12-07 23:32 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP

2009-09-22 22:14 . 2008-12-07 18:17 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-22 22:10 . 2008-12-07 18:17 -------- d-----w- d:\program files\Spybot - Search & Destroy

2009-09-21 00:19 . 2008-11-30 22:34 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware

2009-09-19 19:13 . 2007-06-17 18:18 -------- d-----w- d:\documents and settings\Paul\Application Data\Apple Computer

2009-09-19 19:11 . 2007-09-09 07:01 -------- d-----w- d:\program files\iTunes

2009-09-19 19:10 . 2007-08-12 07:14 -------- d-----w- d:\program files\Common Files\Apple

2009-09-19 19:06 . 2008-09-19 23:28 -------- d-----w- d:\program files\QuickTime

2009-09-10 22:09 . 2008-04-19 01:25 -------- d-----w- d:\program files\Microsoft Silverlight

2009-09-02 22:21 . 2008-05-14 20:52 11952 ----a-w- d:\windows\system32\avgrsstx.dll

2009-09-02 22:21 . 2008-05-14 20:52 335240 ----a-w- d:\windows\system32\drivers\avgldx86.sys

2009-09-02 22:21 . 2007-06-16 06:41 27784 ----a-w- d:\windows\system32\drivers\avgmfx86.sys

2009-09-02 22:21 . 2008-05-14 20:52 108552 ----a-w- d:\windows\system32\drivers\avgtdix.sys

2009-09-02 22:21 . 2008-05-14 20:52 12552 ----a-w- d:\windows\system32\drivers\avgrkx86.sys

2009-09-02 22:13 . 2008-12-22 01:26 -------- d-----w- d:\program files\COMODO

2009-09-02 02:30 . 2008-05-14 20:52 -------- d-----w- d:\documents and settings\All Users\Application Data\avg8

2009-09-02 01:14 . 2008-12-22 01:26 -------- d-----w- d:\documents and settings\All Users\Application Data\comodo

2009-08-29 02:42 . 2009-03-21 20:56 2065696 ----a-w- d:\windows\system32\usbaaplrc.dll

2009-08-29 02:42 . 2007-11-10 03:28 40448 ----a-w- d:\windows\system32\drivers\usbaapl.sys

2009-08-18 08:57 . 2009-08-18 08:57 0 ---ha-w- d:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf

2009-08-18 08:57 . 2009-08-18 08:57 0 ---ha-w- d:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-08-08 18:37 . 2007-07-29 04:07 -------- d-----w- d:\program files\Azureus

2009-08-08 18:37 . 2007-07-29 04:08 -------- d-----w- d:\documents and settings\Paul\Application Data\Azureus

2009-08-05 09:01 . 2004-08-12 14:01 204800 ----a-w- d:\windows\system32\mswebdvd.dll

2009-08-03 15:08 . 2008-03-31 01:03 -------- d-----w- d:\program files\Common Files\Symantec Shared

2009-08-03 01:34 . 2008-03-29 05:53 -------- d-----w- d:\program files\Norton Security Scan

2009-08-03 01:30 . 2009-08-03 01:10 -------- d-----w- d:\documents and settings\All Users\Application Data\NortonInstaller

2009-08-03 01:16 . 2008-12-06 23:58 -------- d-----w- d:\documents and settings\All Users\Application Data\Symantec

2009-08-03 01:10 . 2009-08-03 01:10 -------- d-----w- d:\program files\NortonInstaller

2009-08-01 17:08 . 2009-04-06 20:37 -------- d-----w- d:\program files\Free Offers from Freeze.com

2009-07-31 18:28 . 2009-07-31 18:28 -------- d-----w- d:\documents and settings\Administrator.AWESOMETRON\Application Data\SUPERAntiSpyware.com

2009-07-31 18:18 . 2009-07-31 18:18 -------- d-----w- d:\documents and settings\Administrator.AWESOMETRON\Application Data\Malwarebytes

2009-07-29 04:37 . 2004-08-12 14:07 119808 ----a-w- d:\windows\system32\t2embed.dll

2009-07-29 04:37 . 2004-08-12 13:57 81920 ----a-w- d:\windows\system32\fontsub.dll

2009-07-17 19:01 . 2004-08-12 13:55 58880 ----a-w- d:\windows\system32\atl.dll

2009-07-14 06:43 . 2004-08-12 14:10 286208 ----a-w- d:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2004-08-12 14:09 915456 ----a-w- d:\windows\system32\wininet.dll

2008-01-02 03:53 . 2008-01-02 03:50 952 --sha-w- d:\windows\system32\KGyGaAvL.sys

.

------- Sigcheck -------

[-] 2008-11-30 . 63999D0ABD8DABFD76A9C07F6E104868 . 295424 . . [5.1.2600.5512] . . d:\windows\system32\termsrv.dll

[7] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . d:\windows\ServicePackFiles\i386\termsrv.dll

[7] 2004-08-12 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . d:\windows\$NtServicePackUninstall$\termsrv.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

2008-08-06 23:20 279944 ----a-w- d:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "d:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "d:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="d:\program files\steam\steam.exe" [2007-10-05 1271032]

"DAEMON Tools Lite"="d:\program files\DAEMON Tools Lite\daemon.exe" [2008-03-21 486856]

"WMPNSCFG"="d:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-10 1994480]

"DW6"="d:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-02-11 801904]

"Google Update"="d:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-02 133104]

"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-11-28 136600]

"Adobe Photo Downloader"="d:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"IntelliPoint"="d:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]

"SSBkgdUpdate"="d:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]

"OpwareSE4"="d:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]

"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-17 2022680]

"AppleSyncNotifier"="d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"Windows Defender"="d:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"COMODO SafeSurf"="d:\program files\COMODO\SafeSurf\cssurf.exe" [2008-12-22 278264]

"StartCCC"="d:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]

"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]

"avgnt"="d:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MySpaceIM"="d:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-07 8720384]

"DWQueuedReporting"="d:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

d:\documents and settings\All Users\Start Menu\Programs\Startup\

Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - d:\program files\WiFiConnector\NintendoWFCReg.exe [2008-3-14 1073152]

Smart Wizard Wireless Settings.lnk - d:\program files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe [2008-1-8 1044577]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-09-02 22:21 11952 ----a-w- d:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"d:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

"d:\\Program Files\\GameSpy Arcade\\Aphex.exe"=

"d:\\Program Files\\Steam\\steamapps\\wompodite\\half-life 2 deathmatch\\hl2.exe"=

"d:\\Program Files\\Steam\\steamapps\\wompodite\\garrysmod\\hl2.exe"=

"d:\\Program Files\\Steam\\steamapps\\wompodite\\counter-strike source\\hl2.exe"=

"d:\\Program Files\\Azureus\\Azureus.exe"=

"d:\\Program Files\\FlashGet\\flashget.exe"=

"d:\\Program Files\\Steam\\steamapps\\wompodite\\day of defeat source\\hl2.exe"=

"d:\\Program Files\\Steam\\steamapps\\wompodite\\source sdk base\\hl2.exe"=

"d:\\Program Files\\LimeWire\\LimeWire.exe"=

"d:\\Program Files\\Steam\\Steam.exe"=

"d:\\Program Files\\Messenger\\msmsgs.exe"=

"d:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

"d:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=

"c:\\Program Files\\Groove Games\\Land Of The Dead\\System\\LOTD.exe"=

"d:\\Program Files\\Soulseek\\slsk.exe"=

"d:\\Program Files\\uTorrent\\uTorrent.exe"=

"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"d:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"d:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"d:\\Python30\\pythonw.exe"=

"d:\\Documents and Settings\\Paul\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=

"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"d:\\Program Files\\SoulseekNS\\slsk.exe"=

"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"d:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=

"d:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=

"d:\\Program Files\\AVG\\AVG8\\avgam.exe"=

"d:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3074:TCP"= 3074:TCP:XboxLive3601

"88:UDP"= 88:UDP:XboxLive3602

"3074:UDP"= 3074:UDP:XboxLive3603

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 AvgRkx86;avgrkx86.sys;d:\windows\system32\drivers\avgrkx86.sys [5/14/2008 13:52 12552]

R1 aswSP;avast! Self Protection;d:\windows\system32\drivers\aswSP.sys [9/20/2009 21:49 114768]

R1 AvgLdx86;AVG AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [5/14/2008 13:52 335240]

R1 AvgTdiX;AVG8 Network Redirector;d:\windows\system32\drivers\avgtdix.sys [5/14/2008 13:52 108552]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\Avira\AntiVir Desktop\sched.exe [9/20/2009 17:48 108289]

R2 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [9/20/2009 21:49 20560]

R2 avg8wd;AVG8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [9/2/2009 15:21 297752]

S1 SASKUTIL;SASKUTIL;\??\d:\program files\SUPERAntiSpyware\SASKUTIL.sys --> d:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

S2 EFAW;EFAW;d:\windows\system32\drivers\efasw.sys [6/27/2008 19:49 16680]

S2 INIT4;INIT4;d:\windows\system32\drivers\efasinit.sys [6/27/2008 19:49 11815]

S2 WinDefend;Windows Defender;d:\program files\Windows Defender\MsMpEng.exe [11/3/2006 20:19 13592]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;d:\windows\system32\DNINDIS5.sys [6/15/2007 21:57 17149]

S3 dopewars-server;dopewars server;d:\program files\dopewars-1.5.12\dopewars.exe -N --> d:\program files\dopewars-1.5.12\dopewars.exe -N [?]

S3 kvpndev;Kerio VPN adapter;d:\windows\system32\drivers\kvpndrv.sys [6/24/2008 10:36 65024]

S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;d:\windows\system32\DRIVERS\kwflower.sys --> d:\windows\system32\DRIVERS\kwflower.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"d:\windows\system32\rundll32.exe" "d:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-03 d:\windows\Tasks\AppleSoftwareUpdate.job

- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-09-24 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-73586283-682003330-1004Core.job

- d:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-02 01:06]

2009-09-25 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-73586283-682003330-1004UA.job

- d:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-02 01:06]

2009-09-20 d:\windows\Tasks\MP Scheduled Scan.job

- d:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: &Download All with FlashGet - d:\program files\FlashGet\jc_all.htm

IE: &Download Directly to iTunes - d:\program files\Tunestor\Tunestor.dll/GoRSDN.dll.htm

IE: &Download with FlashGet - d:\program files\FlashGet\jc_link.htm

IE: &Tunestory.com Hit List - d:\program files\Tunestor\Tunestor.dll/Tunestory.dll.htm

IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: {{D104757D-9536-4a1b-9FA8-4DD5B44AC981} - http://www.tunestor.com/redirect.php

DPF: Microsoft XML Parser for Java - file://d:\windows\Java\classes\xmldso.cab

DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB

FF - ProfilePath - d:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\pbwm1gu0.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-w3i&p=

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-w3i&p=

FF - component: d:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: d:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\pbwm1gu0.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll

FF - plugin: d:\documents and settings\Paul\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: d:\program files\GameTap\bin\Release\npgametaptool.dll

FF - plugin: d:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: d:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - plugin: d:\program files\Mozilla Firefox\plugins\npambulant.dll

FF - plugin: d:\program files\Mozilla Firefox\plugins\NPStreamPlug.dll

FF - plugin: d:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: network.proxy.type - 0

FF - user.js: network.proxy.http -

user_pref(network.proxy.http_port,);

FF - user.js: network.proxy.no_proxies_on -

FF - user.js: yahoo.homepage.dontask - true.

- - - - ORPHANS REMOVED - - - -

BHO-{2422fed3-e9e8-403a-ba69-6b2af7617b92} - (no file)

AddRemove-Steam App 240 - d:\documents and settings\Paul\My Documents\Steam backup\steam.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-24 17:50

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

d:\docume~1\Paul\LOCALS~1\Temp\GUR5.tmp 0 bytes

scan completed successfully

hidden files: 1

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-73586283-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1078081533-73586283-682003330-1004\Software\SecuROM\License information*]

"datasecu"=hex:af,32,70,4e,e7,dc,f7,81,19,3c,cc,f4,44,2a,55,ea,bb,29,42,79,3a,

cc,4c,42,f6,5a,9b,3d,e2,5a,e8,a3,66,69,53,c6,46,0b,d2,85,fe,45,61,65,f4,fc,\

"rkeysecu"=hex:68,f9,8c,2d,b1,a2,46,22,a3,95,52,91,e2,76,14,59

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)

d:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1172)

d:\windows\system32\WININET.dll

d:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll

d:\windows\system32\ieframe.dll

d:\windows\system32\webcheck.dll

d:\windows\system32\WPDShServiceObj.dll

d:\windows\system32\PortableDeviceTypes.dll

d:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

d:\windows\system32\ati2evxx.exe

d:\program files\Alwil Software\Avast4\aswUpdSv.exe

d:\windows\system32\ati2evxx.exe

d:\program files\Alwil Software\Avast4\ashServ.exe

d:\program files\Avira\AntiVir Desktop\avguard.exe

d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

d:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

d:\program files\Bonjour\mDNSResponder.exe

d:\program files\Java\jre6\bin\jqs.exe

d:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

d:\progra~1\AVG\AVG8\avgam.exe

d:\windows\system32\PnkBstrA.exe

d:\progra~1\AVG\AVG8\avgrsx.exe

d:\progra~1\AVG\AVG8\avgnsx.exe

d:\program files\Windows Media Player\wmpnetwk.exe

d:\program files\Alwil Software\Avast4\ashMaiSv.exe

d:\program files\Alwil Software\Avast4\ashWebSv.exe

d:\windows\system32\wscntfy.exe

d:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

d:\documents and settings\Paul\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe

d:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

d:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-09-25 18:00 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-25 01:00

Pre-Run: 139,505,000,448 bytes free

Post-Run: 139,437,268,992 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

430 --- E O F --- 2009-09-24 22:08


Open the antirootkit program again by double-clicking the randomly named EXE file within the D:\ARK folder

1) UNCheck all the checkboxes in the right pane and leave only the "Services" checkbox checked

2) Place a checkmark next to "Show all"

3) Click "Scan"

4) When the scan is done, select Copy and paste the contents of the scan into a Notepad file called servicelog.txt.

5) Please post back the contents of that file.


GMER 1.0.15.15087 - http://www.gmer.net

Rootkit scan 2009-09-24 18:47:00

Windows 5.1.2600 Service Pack 3

Running: zqob7qdt.exe; Driver: D:\DOCUME~1\Paul\LOCALS~1\Temp\uxloapoc.sys

---- Services - GMER 1.0.15 ----

Service .NET CLR Data

Service .NET CLR Networking

Service .NET Data Provider for Oracle

Service .NET Data Provider for SqlServer

Service .NETFramework

Service (avast! Base Kernel-Mode Device Driver for Windows NT/2000/XP/ALWIL Software) [SYSTEM] Aavmker4

Service [DISABLED] Abiosdsk

Service [DISABLED] abp480n5

Service D:\WINDOWS\system32\DRIVERS\ACPI.sys (ACPI Driver for NT/Microsoft Corporation) [BOOT] ACPI

Service (ACPI Embedded Controller Driver/Microsoft Corporation) [DISABLED] ACPIEC

Service [DISABLED] adpu160m

Service D:\WINDOWS\system32\drivers\aec.sys (Microsoft Acoustic Echo Canceller/Microsoft Corporation) [MANUAL] aec

Service D:\WINDOWS\system32\DRIVERS\AegisP.sys (IEEE 802.1X Protocol Driver/Meetinghouse Data Communications) [AUTO] AegisP

Service D:\WINDOWS\System32\drivers\afd.sys (Ancillary Function Driver for WinSock/Microsoft Corporation) [SYSTEM] AFD

Service [DISABLED] Aha154x

Service [DISABLED] aic78u2

Service [DISABLED] aic78xx

Service system32\drivers\ALCXWDM.SYS [MANUAL] ALCXWDM

Service D:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [DISABLED] Alerter

Service D:\WINDOWS\System32\alg.exe (Application Layer Gateway Service/Microsoft Corporation) [MANUAL] ALG

Service [DISABLED] AliIde

Service [DISABLED] amsint

Service D:\Program Files\Avira\AntiVir Desktop\sched.exe (Antivirus Scheduler/Avira GmbH) [AUTO] AntiVirSchedulerService

Service D:\Program Files\Avira\AntiVir Desktop\avguard.exe (Antivirus On-Access Service/Avira GmbH) [AUTO] AntiVirService

Service D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Mobile Device Service/Apple Inc.) [AUTO] Apple Mobile Device

Service D:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] AppMgmt

Service [DISABLED] asc

Service [DISABLED] asc3350p

Service [DISABLED] asc3550

Service ASP.NET

Service ASP.NET_2.0.50727

Service D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft ASP.NET State Server/Microsoft Corporation) [MANUAL] aspnet_state

Service D:\WINDOWS\system32\DRIVERS\aswFsBlk.sys (avast! File System Access Blocking Driver/ALWIL Software) [AUTO] aswFsBlk

Service (avast! File System Filter Driver for Windows XP/ALWIL Software) [AUTO] aswMon2

Service (avast! TDI RDR Driver/ALWIL Software) [MANUAL] aswRdr

Service (avast! self protection module/ALWIL Software) [SYSTEM] aswSP

Service (avast! TDI Filter Driver/ALWIL Software) [SYSTEM] aswTdi

Service D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (avast! Antivirus updating service/ALWIL Software) [AUTO] aswUpdSv

Service D:\WINDOWS\system32\DRIVERS\asyncmac.sys (MS Remote Access serial network driver/Microsoft Corporation) [MANUAL] AsyncMac

Service D:\WINDOWS\system32\DRIVERS\atapi.sys (IDE/ATAPI Port Driver/Microsoft Corporation) [BOOT] atapi

Service [DISABLED] Atdisk

Service D:\WINDOWS\system32\Ati2evxx.exe (ATI External Event Utility EXE Module/ATI Technologies Inc.) [AUTO] Ati HotKey Poller

Service D:\WINDOWS\system32\ati2sgag.exe [AUTO] ATI Smart

Service D:\WINDOWS\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) [MANUAL] ati2mtag

Service Atierecord

Service D:\WINDOWS\system32\DRIVERS\atmarpc.sys (IP/ATM Arp Client/Microsoft Corporation) [MANUAL] Atmarpc

Service D:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] AudioSrv

Service D:\WINDOWS\system32\DRIVERS\audstub.sys (AudStub Driver/Microsoft Corporation) [MANUAL] audstub

Service D:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (Automatic LiveUpdate Scheduler Service/Symantec Corporation) [AUTO] Automatic LiveUpdate Scheduler

Service D:\Program Files\Alwil Software\Avast4\ashServ.exe (avast! antivirus service/ALWIL Software) [AUTO] avast! Antivirus

Service D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (avast! e-Mail Scanner Service/ALWIL Software) [MANUAL] avast! Mail Scanner

Service D:\Program Files\Alwil Software\Avast4\ashWebSv.exe (avast! Web Scanner/ALWIL Software) [MANUAL] avast! Web Scanner

Service AVG

Service D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (AVG Watchdog Service/AVG Technologies CZ, s.r.o.) [AUTO] avg8wd

Service D:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira AntiVir Support for Minifilter/Avira GmbH) [SYSTEM] avgio

Service D:\WINDOWS\System32\Drivers\avgldx86.sys (AVG AVI Loader Driver/AVG Technologies CZ, s.r.o.) [SYSTEM] AvgLdx86

Service D:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Resident Shield Minifilter Driver/AVG Technologies CZ, s.r.o.) [SYSTEM] AvgMfx86

Service D:\WINDOWS\system32\DRIVERS\avgntflt.sys (Avira Minifilter Driver/Avira GmbH) [AUTO] avgntflt

Service D:\WINDOWS\System32\Drivers\avgrkx86.sys (AVG Anti-Rootkit Driver/AVG Technologies CZ, s.r.o.) [BOOT] AvgRkx86

Service D:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) [SYSTEM] AvgTdiX

Service D:\WINDOWS\system32\DRIVERS\avipbb.sys (Avira Driver for RootKit Detection/Avira GmbH) [SYSTEM] avipbb

Service D:\WINDOWS\System32\Drivers\BANTExt.sys [SYSTEM] BANTExt

Service BattC

Service (BEEP Driver/Microsoft Corporation) [SYSTEM] Beep

Service D:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] BITS

Service D:\Program Files\Bonjour\mDNSResponder.exe (Bonjour Service/Apple Inc.) [AUTO] Bonjour Service

Service D:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] Browser

Service D:\ComboFix\catchme.sys [MANUAL] catchme

Service (CardBus/PCMCIA IDE Miniport Driver/Microsoft Corporation) [DISABLED] cbidf2k

Service [DISABLED] cd20xrnt

Service (CD-ROM Audio Filter Driver/Microsoft Corporation) [SYSTEM] Cdaudio

Service (CD-ROM File System Driver/Microsoft Corporation) [DISABLED] Cdfs

Service D:\WINDOWS\system32\DRIVERS\cdrom.sys (SCSI CD-ROM Driver/Microsoft Corporation) [sYSTEM] Cdrom

Service [SYSTEM] Changer

Service D:\WINDOWS\system32\cisvc.exe (Content Index service/Microsoft Corporation) [MANUAL] CiSvc

Service D:\WINDOWS\system32\clipsrv.exe (Windows NT DDE Server/Microsoft Corporation) [MANUAL] ClipSrv

Service D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (.NET Runtime Optimization Service/Microsoft Corporation) [MANUAL] clr_optimization_v2.0.50727_32

Service [DISABLED] CmdIde

Service D:\WINDOWS\system32\dllhost.exe (COM Surrogate/Microsoft Corporation) [MANUAL] COMSysApp

Service ContentFilter

Service ContentIndex

Service [DISABLED] Cpqarray

Service D:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] CryptSvc

Service [DISABLED] dac2w2k

Service [DISABLED] dac960nt

Service D:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] DcomLaunch

Service D:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] Dhcp

Service D:\WINDOWS\system32\DRIVERS\disk.sys (PnP Disk Driver/Microsoft Corporation) [BOOT] Disk

Service D:\WINDOWS\System32\dmadmin.exe (Logical Disk Manager service process/Microsoft Corp., Veritas Software) [MANUAL] dmadmin

Service D:\WINDOWS\System32\drivers\dmboot.sys (NT Disk Manager Startup Driver/Microsoft Corp., Veritas Software) [DISABLED] dmboot

Service D:\WINDOWS\System32\drivers\dmio.sys (NT Disk Manager I/O Driver/Microsoft Corp., Veritas Software) [DISABLED] dmio

Service D:\WINDOWS\System32\drivers\dmload.sys (NT Disk Manager Startup Driver/Microsoft Corp., Veritas Software.) [DISABLED] dmload

Service D:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] dmserver

Service D:\WINDOWS\system32\drivers\DMusic.sys (Microsoft Kernel DLS Synthesizer/Microsoft Corporation) [MANUAL] DMusic

Service D:\WINDOWS\system32\DNINDIS5.SYS (PCAUSA NDIS 5.0 Protocol Driver/Printing Communications Assoc., Inc. (PCAUSA)) [MANUAL] DNINDIS5

Service D:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] Dnscache

Service D:\Program [MANUAL] dopewars-server

Service D:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] Dot3svc

Service [DISABLED] dpti2o

Service D:\WINDOWS\system32\drivers\drmkaud.sys (Microsoft Kernel DRM Audio Descrambler Filter/Microsoft Corporation) [MANUAL] drmkaud

Service D:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] EapHost

Service D:\WINDOWS\System32\Drivers\efasw.sys [AUTO] EFAW

Service D:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] ERSvc

Service D:\WINDOWS\system32\services.exe (Services and Controller app/Microsoft Corporation) [AUTO] Eventlog

Service D:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] EventSystem

Service (Fast FAT File System Driver/Microsoft Corporation) [DISABLED] Fastfat

Service D:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] FastUserSwitchingCompatibility

Service (Floppy Disk Controller Driver/Microsoft Corporation) [SYSTEM] Fdc

Service (FIPS Crypto Driver/Microsoft Corporation) [SYSTEM] Fips

Service D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Activation Licensing Service/Macrovision Europe Ltd.) [MANUAL] FLEXnet Licensing Service

Service (Floppy Driver/Microsoft Corporation) [SYSTEM] Flpydisk

Service D:\WINDOWS\system32\drivers\fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) [BOOT] FltMgr

Service D:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (PresentationFontCache.exe/Microsoft Corporation) [MANUAL] FontCache3.0.0.0

Service (File System Recognizer Driver/Microsoft Corporation) [SYSTEM] Fs_Rec

Service D:\WINDOWS\system32\DRIVERS\ftdisk.sys (FT Disk Driver/Microsoft Corporation) [BOOT] Ftdisk

Service D:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (CD DVD Filter/GEAR Software Inc.) [MANUAL] GEARAspiWDM

Service D:\WINDOWS\system32\DRIVERS\msgpc.sys (MS General Packet Classifier/Microsoft Corporation) [MANUAL] Gpc

Service D:\WINDOWS\system32\DRIVERS\hamachi.sys (Hamachi Virtual Network Interface Driver/LogMeIn, Inc.) [MANUAL] hamachi

Service D:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] helpsvc

Service D:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] HidServ

Service D:\WINDOWS\system32\DRIVERS\hidusb.sys (USB Miniport Driver for Input Devices/Microsoft Corporation) [MANUAL] HidUsb

Service D:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] hkmsvc

Service [DISABLED] hpn

Service D:\WINDOWS\System32\Drivers\HTTP.sys (HTTP Protocol Stack/Microsoft Corporation) [MANUAL] HTTP

Service D:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] HTTPFilter

Service [SYSTEM] i2omgmt

Service [DISABLED] i2omp

Service D:\WINDOWS\system32\DRIVERS\i8042prt.sys (i8042 Port Driver/Microsoft Corporation) [SYSTEM] i8042prt

Service ICSharing

Service D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (IDriverT Module/Macrovision Corporation) [MANUAL] IDriverT

Service D:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Windows CardSpace/Microsoft Corporation) [MANUAL] idsvc

Service D:\WINDOWS\system32\DRIVERS\imapi.sys (IMAPI Kernel Driver/Microsoft Corporation) [SYSTEM] Imapi

Service D:\WINDOWS\system32\imapi.exe (Image Mastering API/Microsoft Corporation) [MANUAL] ImapiService

Service inetaccs

Service [DISABLED] ini910u

Service D:\WINDOWS\System32\Drivers\efasinit.sys (efaloader/USTC) [AUTO] INIT4

Service Inport

Service D:\WINDOWS\system32\DRIVERS\intelide.sys (Intel PCI IDE Driver/Microsoft Corporation) [BOOT] IntelIde

Service D:\WINDOWS\system32\DRIVERS\intelppm.sys (Processor Device Driver/Microsoft Corporation) [SYSTEM] intelppm

Service D:\WINDOWS\system32\drivers\ip6fw.sys (IPv6 Windows Firewall Driver/Microsoft Corporation) [MANUAL] Ip6Fw

Service D:\WINDOWS\system32\DRIVERS\ipfltdrv.sys (IP FILTER DRIVER/Microsoft Corporation) [MANUAL] IpFilterDriver

Service D:\WINDOWS\system32\DRIVERS\ipinip.sys (IP in IP Encapsulation Driver/Microsoft Corporation) [MANUAL] IpInIp

Service D:\WINDOWS\system32\DRIVERS\ipnat.sys (IP Network Address Translator/Microsoft Corporation) [MANUAL] IpNat

Service D:\Program Files\iPod\bin\iPodService.exe (iPodService Module (32-bit)/Apple Inc.) [MANUAL] iPod Service

Service D:\WINDOWS\system32\DRIVERS\ipsec.sys (IPSec Driver/Microsoft Corporation) [SYSTEM] IPSec

Service D:\WINDOWS\system32\DRIVERS\irenum.sys (Infra-Red Bus Enumerator/Microsoft Corporation) [MANUAL] IRENUM

Service ISAPISearch

Service D:\WINDOWS\system32\DRIVERS\isapnp.sys (PNP ISA Bus Driver/Microsoft Corporation) [BOOT] isapnp

Service D:\Program Files\Java\jre6\bin\jqs.exe (Java Quick Starter Service/Sun Microsystems, Inc.) [AUTO] JavaQuickStarterService

Service D:\WINDOWS\system32\DRIVERS\kbdclass.sys (Keyboard Class Driver/Microsoft Corporation) [SYSTEM] Kbdclass

Service D:\WINDOWS\system32\drivers\kmixer.sys (Kernel Mode Audio Mixer/Microsoft Corporation) [MANUAL] kmixer

Service (Kernel Security Support Provider Interface/Microsoft Corporation) [BOOT] KSecDD

Service D:\WINDOWS\system32\DRIVERS\kvpndrv.sys (Kerio VPN driver (x86)/Kerio Technologies Inc.) [MANUAL] kvpndev

Service system32\DRIVERS\kwflower.sys [MANUAL] kwflower

Service D:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] lanmanserver

Service D:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] lanmanworkstation

Service [SYSTEM] lbrtfdc

Service ldap

Service LicenseService

Service D:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE (LiveUpdate Engine COM Module/Symantec Corporation) [MANUAL] LiveUpdate

Service D:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] LmHosts

Service D:\WINDOWS\system32\DRIVERS\mdc8021x.sys (IEEE 802.1X Protocol Driver/Meetinghouse Data Communications) [AUTO] MDC8021X

Service D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Machine Debug Manager/Microsoft Corporation) [AUTO] MDM

Service D:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [DISABLED] Messenger

Service (Frame buffer simulator/Microsoft Corporation) [SYSTEM] mnmdd

Service D:\WINDOWS\system32\mnmsrvc.exe (NetMeeting Remote Desktop Sharing/Microsoft Corporation) [MANUAL] mnmsrvc

Service (Modem Device Driver/Microsoft Corporation) [MANUAL] Modem

Service D:\WINDOWS\system32\DRIVERS\mouclass.sys (Mouse Class Driver/Microsoft Corporation) [SYSTEM] Mouclass

Service D:\WINDOWS\system32\DRIVERS\mouhid.sys (HID Mouse Filter Driver/Microsoft Corporation) [MANUAL] mouhid

Service (Mount Manager/Microsoft Corporation) [BOOT] MountMgr

Service [DISABLED] mraid35x

Service D:\WINDOWS\system32\DRIVERS\mrxdav.sys (Windows NT WebDav Minirdr/Microsoft Corporation) [MANUAL] MRxDAV

Service D:\WINDOWS\system32\DRIVERS\mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation) [SYSTEM] MRxSmb

Service D:\WINDOWS\system32\msdtc.exe (MS DTC console program/Microsoft Corporation) [MANUAL] MSDTC

Service MSDTC Bridge 3.0.0.0

Service (Mailslot driver/Microsoft Corporation) [SYSTEM] Msfs

Service D:\WINDOWS\system32\msiexec.exe (Windows


Make sure you can view hidden files and folders

Are you able to see these two files using Windows Explorer?

d:\windows\system32\drivers\xvxtqdecbvoqhpmp.sys

d:\windows\system32\drivers\pqxxtirxtfmkbpfq.sys

You are running three antiviruses simultaneously:

ComboFix 09-09-23.02 - Paul 09/24/2009 17:38.1.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.279 [GMT -7:00]

Running from: d:\documents and settings\Paul\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: avast! antivirus 4.8.1351 [VPS 090924-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

Your running processes show all three running, and the Symantec AV live updater.

------------------------ Other Running Processes ------------------------

d:\program files\Alwil Software\Avast4\aswUpdSv.exe

d:\program files\Alwil Software\Avast4\ashServ.exe

d:\program files\Avira\AntiVir Desktop\avguard.exe

d:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe <= Symantec Updater

d:\progra~1\AVG\AVG8\avgrsx.exe

d:\progra~1\AVG\AVG8\avgnsx.exe

d:\program files\Alwil Software\Avast4\ashMaiSv.exe

d:\program files\Alwil Software\Avast4\ashWebSv.exe

I suggest removing AVG8, Avast, and LiveUpdate from Add/Remove Programs and retaining Avira AntiVir.

Launch MBAM, update it, and perform a quick scan.

Remove all threats found and post the log back here in your next reply.

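Added example, not part of this thread and not code from Win32kDiag or Malwarebytes: a small triage script for Service lines in the format of the log posted above. It parses each line into path, version description, start type and service name, then flags what a responder would look up first: images with random-looking names such as the two drivers the reply asks about, and .sys files with no version information, especially ones that start at BOOT or SYSTEM, before any on-access scanner is loaded. The sample lines are constructed; most are copied from the posted log, but the two lines for xvxtqdecbvoqhpmp.sys and pqxxtirxtfmkbpfq.sys are assumptions about how such entries would be listed, since the thread does not show their Service entries. The parser uppercases the start type so forum-mangled tokens like "[bOOT]" are read as BOOT.

```python
"""Triage Win32kDiag 'Service' lines for entries worth a second look (added example)."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample in the line format of the Win32kDiag log posted above.
# The last two lines are assumptions about how the two randomly named drivers
# asked about in the reply would appear; the thread does not show those entries.
SAMPLE_LOG = r"""
Service D:\WINDOWS\system32\DRIVERS\disk.sys (PnP Disk Driver/Microsoft Corporation) [BOOT] Disk
Service D:\Program Files\iPod\bin\iPodService.exe (iPodService Module (32-bit)/Apple Inc.) [MANUAL] iPod Service
Service D:\WINDOWS\System32\Drivers\efasw.sys [AUTO] EFAW
Service system32\DRIVERS\kwflower.sys [MANUAL] kwflower
Service (Fast FAT File System Driver/Microsoft Corporation) [DISABLED] Fastfat
Service [DISABLED] dpti2o
Service ICSharing
Service D:\WINDOWS\system32\drivers\xvxtqdecbvoqhpmp.sys [SYSTEM] xvxtqdecbvoqhpmp
Service D:\WINDOWS\system32\drivers\pqxxtirxtfmkbpfq.sys [SYSTEM] pqxxtirxtfmkbpfq
"""


@dataclass
class ServiceEntry:
    name: str
    path: str = ""   # image path as printed; may be empty or relative
    desc: str = ""   # "FileDescription/CompanyName" from the version resource, if any
    start: str = ""  # BOOT, SYSTEM, AUTO, MANUAL, DISABLED, or "" when not printed


# "[start]" followed by the service name, with no further brackets after it.
_START_RE = re.compile(r"\[([A-Za-z]+)\]\s*([^\[\]]*)$")

VOWELS = set("aeiouy")


def parse_service_line(line: str):
    """Parse 'Service <path> (<desc>) [<start>] <name>'; every part but the name may be absent."""
    line = line.strip()
    if not line.startswith("Service "):
        return None
    body = line[len("Service "):].strip()
    if not body:
        return None
    m = _START_RE.search(body)
    if m:
        # .upper() normalises forum-mangled tokens such as "[bOOT]" and "[sYSTEM]".
        start, name, rest = m.group(1).upper(), m.group(2).strip(), body[:m.start()].rstrip()
    elif ")" in body:
        cut = body.rfind(")") + 1
        start, name, rest = "", body[cut:].strip(), body[:cut]
    else:
        start, name, rest = "", body, ""
    desc = ""
    if rest.endswith(")"):
        # Walk back to the matching "(" so nested parens like "(32-bit)" stay inside desc.
        depth = 0
        for i in range(len(rest) - 1, -1, -1):
            if rest[i] == ")":
                depth += 1
            elif rest[i] == "(":
                depth -= 1
                if depth == 0:
                    desc, rest = rest[i + 1:-1], rest[:i].rstrip()
                    break
    return ServiceEntry(name=name, path=rest, desc=desc, start=start)


def parse_log(text: str):
    """Return the ServiceEntry for every 'Service' line in a Win32kDiag-style log."""
    entries = []
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def looks_random(token: str) -> bool:
    """Heuristic: a long, all-letter token with almost no vowels is unlikely to be a real name."""
    t = token.lower()
    if len(t) < 12 or not t.isalpha():
        return False
    return sum(c in VOWELS for c in t) / len(t) < 0.2


def triage(entries):
    """Return (name, reasons) for entries that deserve a manual look; reasons are leads, not verdicts."""
    findings = []
    for e in entries:
        stem, ext = ntpath.splitext(ntpath.basename(e.path))
        is_driver = ext.lower() == ".sys"
        reasons = []
        if looks_random(e.name) or looks_random(stem):
            reasons.append("random-looking name")
        if is_driver and not e.desc:
            reasons.append("driver with no description/publisher")
        if e.path and not e.desc and e.start in ("BOOT", "SYSTEM"):
            reasons.append("loads at BOOT/SYSTEM before any on-access scanner")
        if reasons:
            findings.append((e.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_log(SAMPLE_LOG)):
        print(f"{name:20} {'; '.join(reasons)}")
```

A flag means "look this one up", not "this is malware": plenty of legitimate third-party drivers ship without version information, and two such entries from the posted log (efasw.sys and kwflower.sys) are flagged here for exactly that reason. The combination that should jump the queue is a driver with a random name, no publisher, and a BOOT or SYSTEM start, which is what the two files the reply asks about would look like. Paste the whole Win32kDiag output in place of SAMPLE_LOG to run it over a real log.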
