
Which RootRepeal drivers do I disable? (attached)



YoKenny sent me here from the Avast forum

This explains what I have done so far: 4.8 home won't scan

I also have the HijackThis log if you need it.

Thanks

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/10/03 19:24

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: 1394BUS.SYS

Image Path: E:\WINDOWS\system32\DRIVERS\1394BUS.SYS

Address: 0xF7617000 Size: 57344 File Visible: - Signed: -

Status: -

Name: ACPI.sys

Image Path: ACPI.sys

Address: 0xF75A8000 Size: 187776 File Visible: - Signed: -

Status: -

Name: ACPI_HAL

Image Path: \Driver\ACPI_HAL

Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -

Status: -

Name: afd.sys

Image Path: E:\WINDOWS\System32\drivers\afd.sys

Address: 0xBAA49000 Size: 138496 File Visible: - Signed: -

Status: -

Name: AnyDVD.sys

Image Path: E:\WINDOWS\System32\Drivers\AnyDVD.sys

Address: 0xBAF74000 Size: 97408 File Visible: - Signed: -

Status: -

Name: aswTdi.SYS

Image Path: E:\WINDOWS\System32\Drivers\aswTdi.SYS

Address: 0xF74F7000 Size: 42592 File Visible: - Signed: -

Status: -

Name: atapi.sys

Image Path: atapi.sys

Address: 0xF749A000 Size: 96512 File Visible: - Signed: -

Status: -

Name: ATMFD.DLL

Image Path: E:\WINDOWS\System32\ATMFD.DLL

Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -

Status: -

Name: Beep.SYS

Image Path: E:\WINDOWS\System32\Drivers\Beep.SYS

Address: 0xF79A9000 Size: 4224 File Visible: - Signed: -

Status: -

Name: BOOTVID.dll

Image Path: E:\WINDOWS\system32\BOOTVID.dll

Address: 0xF7897000 Size: 12288 File Visible: - Signed: -

Status: -

Name: Cdfs.SYS

Image Path: E:\WINDOWS\System32\Drivers\Cdfs.SYS

Address: 0xBAEC9000 Size: 63744 File Visible: - Signed: -

Status: -

Name: cdrom.sys

Image Path: E:\WINDOWS\system32\DRIVERS\cdrom.sys

Address: 0xF76A7000 Size: 62976 File Visible: - Signed: -

Status: -

Name: CLASSPNP.SYS

Image Path: E:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Address: 0xF7657000 Size: 53248 File Visible: - Signed: -

Status: -

Name: disk.sys

Image Path: disk.sys

Address: 0xF7647000 Size: 36352 File Visible: - Signed: -

Status: -

Name: dmio.sys

Image Path: dmio.sys

Address: 0xF74B2000 Size: 153344 File Visible: - Signed: -

Status: -

Name: dmload.sys

Image Path: dmload.sys

Address: 0xF798B000 Size: 5888 File Visible: - Signed: -

Status: -

Name: dump_nvata.sys

Image Path: E:\WINDOWS\System32\Drivers\dump_nvata.sys

Address: 0xBA96D000 Size: 102400 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: E:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF79DB000 Size: 8192 File Visible: No Signed: -

Status: -

Name: Dxapi.sys

Image Path: E:\WINDOWS\System32\drivers\Dxapi.sys

Address: 0xBAC2C000 Size: 12288 File Visible: - Signed: -

Status: -

Name: dxg.sys

Image Path: E:\WINDOWS\System32\drivers\dxg.sys

Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -

Status: -

Name: dxgthk.sys

Image Path: E:\WINDOWS\System32\drivers\dxgthk.sys

Address: 0xF7A62000 Size: 4096 File Visible: - Signed: -

Status: -

Name: eacfilt.sys

Image Path: E:\WINDOWS\system32\DRIVERS\eacfilt.sys

Address: 0xF7817000 Size: 23200 File Visible: - Signed: -

Status: -

Name: Fastfat.SYS

Image Path: E:\WINDOWS\System32\Drivers\Fastfat.SYS

Address: 0xBA111000 Size: 143744 File Visible: - Signed: -

Status: -

Name: fdc.sys

Image Path: E:\WINDOWS\system32\DRIVERS\fdc.sys

Address: 0xF77E7000 Size: 27392 File Visible: - Signed: -

Status: -

Name: flpydisk.sys

Image Path: E:\WINDOWS\system32\DRIVERS\flpydisk.sys

Address: 0xBACF2000 Size: 20480 File Visible: - Signed: -

Status: -

Name: fltmgr.sys

Image Path: fltmgr.sys

Address: 0xF7461000 Size: 129792 File Visible: - Signed: -

Status: -

Name: framebuf.dll

Image Path: E:\WINDOWS\System32\framebuf.dll

Address: 0xBFF50000 Size: 12288 File Visible: - Signed: -

Status: -

Name: Fs_Rec.SYS

Image Path: E:\WINDOWS\System32\Drivers\Fs_Rec.SYS

Address: 0xF79A5000 Size: 7936 File Visible: - Signed: -

Status: -

Name: ftdisk.sys

Image Path: ftdisk.sys

Address: 0xF74D8000 Size: 125056 File Visible: - Signed: -

Status: -

Name: hal.dll

Image Path: E:\WINDOWS\system32\hal.dll

Address: 0x806EE000 Size: 131840 File Visible: - Signed: -

Status: -

Name: HDAudBus.sys

Image Path: E:\WINDOWS\system32\DRIVERS\HDAudBus.sys

Address: 0xBAF29000 Size: 163840 File Visible: - Signed: -

Status: -

Name: HIDCLASS.SYS

Image Path: E:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS

Address: 0xF743F000 Size: 36864 File Visible: - Signed: -

Status: -

Name: HIDPARSE.SYS

Image Path: E:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS

Address: 0xF7787000 Size: 28672 File Visible: - Signed: -

Status: -

Name: hidusb.sys

Image Path: E:\WINDOWS\system32\DRIVERS\hidusb.sys

Address: 0xBAD0E000 Size: 10368 File Visible: - Signed: -

Status: -

Name: imapi.sys

Image Path: E:\WINDOWS\system32\DRIVERS\imapi.sys

Address: 0xF7697000 Size: 42112 File Visible: - Signed: -

Status: -

Name: InCDPass.sys

Image Path: E:\WINDOWS\System32\DRIVERS\InCDPass.sys

Address: 0xF77B7000 Size: 29696 File Visible: - Signed: -

Status: -

Name: incdrm.SYS

Image Path: E:\WINDOWS\System32\Drivers\incdrm.SYS

Address: 0xF77C7000 Size: 28160 File Visible: - Signed: -

Status: -

Name: ipnat.sys

Image Path: E:\WINDOWS\system32\DRIVERS\ipnat.sys

Address: 0xBAA93000 Size: 152832 File Visible: - Signed: -

Status: -

Name: ipsec.sys

Image Path: E:\WINDOWS\system32\DRIVERS\ipsec.sys

Address: 0xBAB12000 Size: 75264 File Visible: - Signed: -

Status: -

Name: ipsecw2k.sys

Image Path: E:\WINDOWS\system32\DRIVERS\ipsecw2k.sys

Address: 0xBAD52000 Size: 149184 File Visible: - Signed: -

Status: -

Name: isapnp.sys

Image Path: isapnp.sys

Address: 0xF75F7000 Size: 37248 File Visible: - Signed: -

Status: -

Name: kbdclass.sys

Image Path: E:\WINDOWS\system32\DRIVERS\kbdclass.sys

Address: 0xF77D7000 Size: 24576 File Visible: - Signed: -

Status: -

Name: kbdhid.sys

Image Path: E:\WINDOWS\system32\DRIVERS\kbdhid.sys

Address: 0xBAD06000 Size: 14592 File Visible: - Signed: -

Status: -

Name: KDCOM.DLL

Image Path: E:\WINDOWS\system32\KDCOM.DLL

Address: 0xF7987000 Size: 8192 File Visible: - Signed: -

Status: -

Name: ks.sys

Image Path: E:\WINDOWS\system32\DRIVERS\ks.sys

Address: 0xBAF51000 Size: 143360 File Visible: - Signed: -

Status: -

Name: KSecDD.sys

Image Path: KSecDD.sys

Address: 0xF7860000 Size: 92928 File Visible: - Signed: -

Status: -

Name: mouclass.sys

Image Path: E:\WINDOWS\system32\DRIVERS\mouclass.sys

Address: 0xF77FF000 Size: 23040 File Visible: - Signed: -

Status: -

Name: mouhid.sys

Image Path: E:\WINDOWS\system32\DRIVERS\mouhid.sys

Address: 0xBAC30000 Size: 12160 File Visible: - Signed: -

Status: -

Name: MountMgr.sys

Image Path: MountMgr.sys

Address: 0xF7627000 Size: 42368 File Visible: - Signed: -

Status: -

Name: mrxsmb.sys

Image Path: E:\WINDOWS\system32\DRIVERS\mrxsmb.sys

Address: 0xBA9AE000 Size: 455296 File Visible: - Signed: -

Status: -

Name: Msfs.SYS

Image Path: E:\WINDOWS\System32\Drivers\Msfs.SYS

Address: 0xF781F000 Size: 19072 File Visible: - Signed: -

Status: -

Name: msgpc.sys

Image Path: E:\WINDOWS\system32\DRIVERS\msgpc.sys

Address: 0xF7577000 Size: 35072 File Visible: - Signed: -

Status: -

Name: mssmbios.sys

Image Path: E:\WINDOWS\system32\DRIVERS\mssmbios.sys

Address: 0xBAFE8000 Size: 15488 File Visible: - Signed: -

Status: -

Name: Mup.sys

Image Path: Mup.sys

Address: 0xF796D000 Size: 105344 File Visible: - Signed: -

Status: -

Name: NDIS.sys

Image Path: NDIS.sys

Address: 0xF7833000 Size: 182656 File Visible: - Signed: -

Status: -

Name: ndistapi.sys

Image Path: E:\WINDOWS\system32\DRIVERS\ndistapi.sys

Address: 0xF793F000 Size: 10112 File Visible: - Signed: -

Status: -

Name: ndisuio.sys

Image Path: E:\WINDOWS\system32\DRIVERS\ndisuio.sys

Address: 0xBA3C1000 Size: 14592 File Visible: - Signed: -

Status: -

Name: ndiswan.sys

Image Path: E:\WINDOWS\system32\DRIVERS\ndiswan.sys

Address: 0xBAD88000 Size: 91520 File Visible: - Signed: -

Status: -

Name: NDProxy.SYS

Image Path: E:\WINDOWS\System32\Drivers\NDProxy.SYS

Address: 0xF7547000 Size: 40576 File Visible: - Signed: -

Status: -

Name: netbios.sys

Image Path: E:\WINDOWS\system32\DRIVERS\netbios.sys

Address: 0xF742F000 Size: 34688 File Visible: - Signed: -

Status: -

Name: netbt.sys

Image Path: E:\WINDOWS\system32\DRIVERS\netbt.sys

Address: 0xBAA6B000 Size: 162816 File Visible: - Signed: -

Status: -

Name: Npfs.SYS

Image Path: E:\WINDOWS\System32\Drivers\Npfs.SYS

Address: 0xF773F000 Size: 30848 File Visible: - Signed: -

Status: -

Name: Ntfs.sys

Image Path: Ntfs.sys

Address: 0xF7B52000 Size: 574976 File Visible: - Signed: -

Status: -

Name: ntoskrnl.exe

Image Path: E:\WINDOWS\system32\ntoskrnl.exe

Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -

Status: -

Name: Null.SYS

Image Path: E:\WINDOWS\System32\Drivers\Null.SYS

Address: 0xF7AAD000 Size: 2944 File Visible: - Signed: -

Status: -

Name: nvata.sys

Image Path: nvata.sys

Address: 0xF7481000 Size: 98432 File Visible: - Signed: -

Status: -

Name: NVENETFD.sys

Image Path: E:\WINDOWS\system32\DRIVERS\NVENETFD.sys

Address: 0xF7537000 Size: 54784 File Visible: - Signed: -

Status: -

Name: nvnetbus.sys

Image Path: E:\WINDOWS\system32\DRIVERS\nvnetbus.sys

Address: 0xF76C7000 Size: 40960 File Visible: - Signed: -

Status: -

Name: NVNRM.SYS

Image Path: E:\WINDOWS\system32\DRIVERS\NVNRM.SYS

Address: 0xBAD9F000 Size: 958464 File Visible: - Signed: -

Status: -

Name: ohci1394.sys

Image Path: ohci1394.sys

Address: 0xF7607000 Size: 61696 File Visible: - Signed: -

Status: -

Name: PartMgr.sys

Image Path: PartMgr.sys

Address: 0xF770F000 Size: 19712 File Visible: - Signed: -

Status: -

Name: pci.sys

Image Path: pci.sys

Address: 0xF7597000 Size: 68224 File Visible: - Signed: -

Status: -

Name: pciide.sys

Image Path: pciide.sys

Address: 0xF7A4F000 Size: 3328 File Visible: - Signed: -

Status: -

Name: PCIIDEX.SYS

Image Path: E:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Address: 0xF7707000 Size: 28672 File Visible: - Signed: -

Status: -

Name: PnpManager

Image Path: \Driver\PnpManager

Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -

Status: -

Name: point32.sys

Image Path: E:\WINDOWS\system32\DRIVERS\point32.sys

Address: 0xBACBA000 Size: 21760 File Visible: - Signed: -

Status: -

Name: psched.sys

Image Path: E:\WINDOWS\system32\DRIVERS\psched.sys

Address: 0xBAD77000 Size: 69120 File Visible: - Signed: -

Status: -

Name: ptilink.sys

Image Path: E:\WINDOWS\system32\DRIVERS\ptilink.sys

Address: 0xF77EF000 Size: 17792 File Visible: - Signed: -

Status: -

Name: PxHelp20.sys

Image Path: PxHelp20.sys

Address: 0xF7667000 Size: 35712 File Visible: - Signed: -

Status: -

Name: rasacd.sys

Image Path: E:\WINDOWS\system32\DRIVERS\rasacd.sys

Address: 0xBAD1A000 Size: 8832 File Visible: - Signed: -

Status: -

Name: rasirda.sys

Image Path: E:\WINDOWS\system32\DRIVERS\rasirda.sys

Address: 0xF7767000 Size: 19584 File Visible: - Signed: -

Status: -

Name: rasl2tp.sys

Image Path: E:\WINDOWS\system32\DRIVERS\rasl2tp.sys

Address: 0xF76E7000 Size: 51328 File Visible: - Signed: -

Status: -

Name: raspppoe.sys

Image Path: E:\WINDOWS\system32\DRIVERS\raspppoe.sys

Address: 0xF76F7000 Size: 41472 File Visible: - Signed: -

Status: -

Name: raspptp.sys

Image Path: E:\WINDOWS\system32\DRIVERS\raspptp.sys

Address: 0xF7587000 Size: 48384 File Visible: - Signed: -

Status: -

Name: raspti.sys

Image Path: E:\WINDOWS\system32\DRIVERS\raspti.sys

Address: 0xF7807000 Size: 16512 File Visible: - Signed: -

Status: -

Name: RAW

Image Path: \FileSystem\RAW

Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -

Status: -

Name: rdbss.sys

Image Path: E:\WINDOWS\system32\DRIVERS\rdbss.sys

Address: 0xBAA1E000 Size: 175744 File Visible: - Signed: -

Status: -

Name: RDPCDD.sys

Image Path: E:\WINDOWS\System32\DRIVERS\RDPCDD.sys

Address: 0xF79AD000 Size: 4224 File Visible: - Signed: -

Status: -

Name: rdpdr.sys

Image Path: E:\WINDOWS\system32\DRIVERS\rdpdr.sys

Address: 0xBAD22000 Size: 196224 File Visible: - Signed: -

Status: -

Name: redbook.sys

Image Path: E:\WINDOWS\system32\DRIVERS\redbook.sys

Address: 0xF76B7000 Size: 57600 File Visible: - Signed: -

Status: -

Name: rootrepeal.sys

Image Path: E:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xBA2C5000 Size: 49152 File Visible: No Signed: -

Status: -

Name: sr.sys

Image Path: sr.sys

Address: 0xF744F000 Size: 73472 File Visible: - Signed: -

Status: -

Name: srv.sys

Image Path: E:\WINDOWS\system32\DRIVERS\srv.sys

Address: 0xBA06F000 Size: 333952 File Visible: - Signed: -

Status: -

Name: swenum.sys

Image Path: E:\WINDOWS\system32\DRIVERS\swenum.sys

Address: 0xF7997000 Size: 4352 File Visible: - Signed: -

Status: -

Name: tcpip.sys

Image Path: E:\WINDOWS\system32\DRIVERS\tcpip.sys

Address: 0xBAAB9000 Size: 361600 File Visible: - Signed: -

Status: -

Name: TDI.SYS

Image Path: E:\WINDOWS\system32\DRIVERS\TDI.SYS

Address: 0xF7777000 Size: 20480 File Visible: - Signed: -

Status: -

Name: termdd.sys

Image Path: E:\WINDOWS\system32\DRIVERS\termdd.sys

Address: 0xF7567000 Size: 40704 File Visible: - Signed: -

Status: -

Name: update.sys

Image Path: E:\WINDOWS\system32\DRIVERS\update.sys

Address: 0xBAC4C000 Size: 384768 File Visible: - Signed: -

Status: -

Name: usbccgp.sys

Image Path: E:\WINDOWS\system32\DRIVERS\usbccgp.sys

Address: 0xF774F000 Size: 32128 File Visible: - Signed: -

Status: -

Name: USBD.SYS

Image Path: E:\WINDOWS\system32\DRIVERS\USBD.SYS

Address: 0xF799B000 Size: 8192 File Visible: - Signed: -

Status: -

Name: usbehci.sys

Image Path: E:\WINDOWS\system32\DRIVERS\usbehci.sys

Address: 0xF772F000 Size: 30208 File Visible: - Signed: -

Status: -

Name: usbhub.sys

Image Path: E:\WINDOWS\system32\DRIVERS\usbhub.sys

Address: 0xF7557000 Size: 59520 File Visible: - Signed: -

Status: -

Name: usbohci.sys

Image Path: E:\WINDOWS\system32\DRIVERS\usbohci.sys

Address: 0xF77F7000 Size: 17152 File Visible: - Signed: -

Status: -

Name: USBPORT.SYS

Image Path: E:\WINDOWS\system32\DRIVERS\USBPORT.SYS

Address: 0xBAF8C000 Size: 147456 File Visible: - Signed: -

Status: -

Name: vga.sys

Image Path: E:\WINDOWS\System32\drivers\vga.sys

Address: 0xBACD2000 Size: 20992 File Visible: - Signed: -

Status: -

Name: VIDEOPRT.SYS

Image Path: E:\WINDOWS\System32\drivers\VIDEOPRT.SYS

Address: 0xBAB66000 Size: 81920 File Visible: - Signed: -

Status: -

Name: VMNetSrv.sys

Image Path: E:\WINDOWS\system32\DRIVERS\VMNetSrv.sys

Address: 0xF76D7000 Size: 61440 File Visible: - Signed: -

Status: -

Name: VolSnap.sys

Image Path: VolSnap.sys

Address: 0xF7637000 Size: 52352 File Visible: - Signed: -

Status: -

Name: watchdog.sys

Image Path: E:\WINDOWS\System32\watchdog.sys

Address: 0xF776F000 Size: 20480 File Visible: - Signed: -

Status: -

Name: Win32k

Image Path: \Driver\Win32k

Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -

Status: -

Name: win32k.sys

Image Path: E:\WINDOWS\System32\win32k.sys

Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -

Status: -

Name: win32k.sys:1

Image Path: E:\WINDOWS\win32k.sys:1

Address: 0xBA51D000 Size: 20480 File Visible: No Signed: -

Status: -

Name: win32k.sys:2

Image Path: E:\WINDOWS\win32k.sys:2

Address: 0xF7887000 Size: 61440 File Visible: No Signed: -

Status: -

Name: WMILIB.SYS

Image Path: E:\WINDOWS\system32\DRIVERS\WMILIB.SYS

Address: 0xF7989000 Size: 8192 File Visible: - Signed: -

Status: -

Name: WMIxWDM

Image Path: \Driver\WMIxWDM

Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -

Status: -

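The log above is what the question is about, so here is how a helper would triage it mechanically. This is an added example, not part of the original post and not RootRepeal's own code: a small Python parser for RootRepeal's Drivers section that flags (1) entries RootRepeal could not find on disk ("File Visible: No"), leaving out the crash-dump copies (dump_*) and RootRepeal's own driver, which are expected to exist only in memory, (2) entries whose image path points into an NTFS alternate data stream (a colon after the drive letter, as in E:\WINDOWS\win32k.sys:1 above), and (3) modules loaded from a full path outside the usual driver directories. The regexes and the "expected hidden" list are assumptions made here, and the sample input is a constructed seven-entry excerpt of the log above.

```python
"""Triage RootRepeal's "Drivers" listing for rootkit indicators.

Added example; not part of the original post and not RootRepeal's own code.
The parser and the list of expected hidden images are assumptions made here.
"""
import re
from dataclasses import dataclass
from typing import List

# Images RootRepeal reports as "File Visible: No" on a clean XP box: the
# crash-dump copies of the storage stack (dump_*) exist only in memory, and
# RootRepeal hides its own driver while it runs. (Assumed allow-list.)
EXPECTED_HIDDEN = re.compile(r"^(dump_.*|rootrepeal\.sys)$", re.IGNORECASE)

# Where a kernel module with a full path is normally loaded from on XP.
NORMAL_DIRS = re.compile(
    r"^[a-z]:\\windows\\system32(\\drivers)?\\[^\\]+$", re.IGNORECASE)

# One entry = Name / Image Path / Address+Size+File Visible lines; the \s*
# between them also swallows the blank lines a forum paste inserts.
ENTRY_RE = re.compile(
    r"Name:[ \t]*(?P<name>[^\n]+?)[ \t]*\n\s*"
    r"Image Path:[ \t]*(?P<path>[^\n]+?)[ \t]*\n\s*"
    r"Address:[ \t]*(?P<addr>0x[0-9A-Fa-f]+)[ \t]+Size:[ \t]*(?P<size>\d+)"
    r"[ \t]+File Visible:[ \t]*(?P<vis>\S+)")


@dataclass
class Driver:
    name: str
    image_path: str
    address: int
    size: int
    file_visible: str  # "-" (visible / not checked) or "No" (hidden)


@dataclass
class Finding:
    name: str
    reason: str


def parse_drivers(log_text: str) -> List[Driver]:
    """Parse every Name/Image Path/Address block in a RootRepeal drivers log."""
    return [Driver(m["name"], m["path"], int(m["addr"], 16), int(m["size"]), m["vis"])
            for m in ENTRY_RE.finditer(log_text)]


def is_ads_path(path: str) -> bool:
    """True if a drive-letter path names an NTFS alternate data stream (file:stream)."""
    return bool(re.match(r"^[A-Za-z]:", path)) and ":" in path[2:]


def triage(drivers: List[Driver]) -> List[Finding]:
    """Return the entries worth a closer look, most suspicious check first."""
    findings = []
    for d in drivers:
        if is_ads_path(d.image_path):
            findings.append(Finding(d.name, f"loaded from alternate data stream {d.image_path}"))
        elif d.file_visible.lower() == "no" and not EXPECTED_HIDDEN.match(d.name):
            findings.append(Finding(d.name, "backing file hidden from the file system"))
        elif ("\\" in d.image_path and not d.image_path.startswith("\\")
              and not NORMAL_DIRS.match(d.image_path)):
            # Object-manager names (\Driver\...) and bare boot-loaded names
            # (atapi.sys) are normal; only full paths elsewhere are odd.
            findings.append(Finding(d.name, f"unusual image location {d.image_path}"))
    return findings


# Constructed input: seven entries excerpted from the log in the post above.
SAMPLE_LOG = r"""
Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF749A000 Size: 96512 File Visible: - Signed: -
Status: -

Name: dump_nvata.sys
Image Path: E:\WINDOWS\System32\Drivers\dump_nvata.sys
Address: 0xBA96D000 Size: 102400 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: E:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA2C5000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys
Image Path: E:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys:1
Image Path: E:\WINDOWS\win32k.sys:1
Address: 0xBA51D000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: E:\WINDOWS\win32k.sys:2
Address: 0xF7887000 Size: 61440 File Visible: No Signed: -
Status: -
"""

if __name__ == "__main__":
    for f in triage(parse_drivers(SAMPLE_LOG)):
        print(f"{f.name}: {f.reason}")
```

Run over the full log above, the only two entries it reports are win32k.sys:1 and win32k.sys:2, modules loaded from streams attached to E:\WINDOWS\win32k.sys; the legitimate kernel module is the one listed at E:\WINDOWS\System32\win32k.sys. The later output on this page is consistent with that reading: MBAM flags E:\WINDOWS\win32k.sys itself, and ComboFix reports a stream deleted from the WINDOWS directory and lists that file at 0 bytes.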

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

After that, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


Hi, maybe I should have started from the beginning. Malwarebytes and most of the other repair programs like Avast, Spybot S&D and Windows Update will not run (in Windows or safe mode).

However, I did get RootRepeal to run, but I don't know which .sys file to disable. I understand that after I disable the correct file I can then run Malwarebytes.

That being said, I will now follow your direction, run ComboFix and report back the findings.


I am replying from another PC because ComboFix is on its 10th reboot and counting.

It keeps finding the same rootkit activity files and reboots.

E:\windows\system32\drivers\gasfkytxyumndx.sys

E:\windows\system32\gasfkyxoflnwsn.dll

E:\windows\system32\gasfkytjuprwic.dat

E:\windows\system32\gasfkyaqysqegh.dll

E:\windows\system32\gasfkyvkdubcrx.dat

E:\windows\system32\gasfkyydapwoon.dll

I had to install Microsoft Recovery initially, and on the 10th reboot I tried to boot to it; it reported:

Windows could not start because the following file is missing or corrupt.

<windows root>\system32\hal.dll

Please re-install a copy of the above file.

Should I just let ComboFix run?

Thanks


BTW, I haven't seen an Auto Scan window that shows "Completed Stage_x" or a "Log Report" window. All my machine does is run ComboFix, list the same 6 files and reboot (in Windows and safe mode).

I never could run Malwarebytes (renamed, in Windows or safe mode), like I said in my title.

I sincerely hope my O.S. isn't toast.


I managed to stop ComboFix from constantly rebooting and got Malwarebytes to run in safe mode. :D I also re-ran HijackThis and ISeeYouXP. Let me know if you want them. I'm deathly afraid to run ComboFix again unless you want me to.

-----------------

Malwarebytes' Anti-Malware 1.41

Database version: 2907

Windows 5.1.2600 Service Pack 3 (Safe Mode)

10/4/2009 10:12:09 PM

mbam-log-2009-10-04 (22-12-03).txt

Scan type: Quick Scan

Objects scanned: 112573

Time elapsed: 6 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 10

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{9d3cf193-58e5-40d5-ba60-233f4c216e37} (Rogue.MalwareRemovalBot) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1f26a7a704abd8f4f8801f37167d691f (Rogue.MalwareBot) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\93de74a43267cfb4ca586db6f1f79964 (Rogue.MalwareBot) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\aa02c0f5889834c42886c1a98ea53266 (Rogue.MalwareBot) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\b575e3c1288dd9e4a83e9e064562cdc1 (Rogue.MalwareBot) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\d37f1f5d110c2ea4c85ec64e702394b9 (Rogue.MalwareBot) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> No action taken.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gasfkyeulxjnup (Rootkit.TDSS) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\e:\program files\malwareremovalbot\(default) (Rogue.MalwareRemovalBot) -> No action taken.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tftp.nfo beforegllav) Good: (Explorer.exe) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

E:\WINDOWS\system32\eventlog.dll (Trojan.Sirefef) -> No action taken.

E:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> No action taken.

E:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> No action taken.

E:\WINDOWS\Tasks\MalwareRemovalBot Scheduled Scan.job (Rogue.MalwareRemovalBot) -> No action taken.

E:\WINDOWS\win32k.sys (Trojan.Dropper) -> No action taken.


I decided to give you the HijackThis log. The ISeeYouXP log is quite large (776 KB).

-------------------------------

Logfile of HijackThis v1.97.7

Scan saved at 10:31:53 PM, on 10/4/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:

E:\WINDOWS\System32\smss.exe

E:\WINDOWS\system32\winlogon.exe

E:\WINDOWS\system32\services.exe

E:\WINDOWS\system32\lsass.exe

E:\WINDOWS\system32\svchost.exe

E:\WINDOWS\system32\svchost.exe

E:\WINDOWS\Explorer.exe

E:\WINDOWS\system32\ctfmon.exe

E:\Documents and Settings\Ed\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.bls.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

F0 - system.ini: Shell=Explorer.exe rundll32.exe tftp.nfo beforegllav

F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tftp.nfo beforegllav

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - E:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - E:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - E:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [itype] "E:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [nmctxth] "E:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O11 - Options group: [iNTERNATIONAL] International

O15 - Trusted Zone: http://www.unitedmedia.com

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc3.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152884808703

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1153692684828

O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab

O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.6.0_12) -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

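The MBAM log and the HijackThis log above both carry the same Winlogon Shell value (MBAM's Hijack.Shell entry and HijackThis's F0/F2 lines). As an added example, not part of either post and not code from Malwarebytes or HijackThis, here is a Python check that pulls that value out of both log formats and reports everything in it beyond the stock Explorer.exe, including any module handed to rundll32.exe. The regexes and the tokenizing rule are assumptions made here; the sample lines are copied from the two logs above.

```python
"""Audit a Winlogon Shell value for persistence hijacks.

Added example; not part of the original posts and not HijackThis's or
Malwarebytes' code. The HijackThis F0/F2 lines and the MBAM Hijack.Shell
line on this page both carry the value. On a stock XP install it is exactly
"Explorer.exe"; every extra program in it is started by winlogon at each
logon with the user's rights.
"""
import re
from typing import Dict, List

STOCK_SHELL = "explorer.exe"

# Assumed line shapes, taken from the two logs on this page.
HJT_SHELL_RE = re.compile(r"^F[02] - (?:REG:)?system\.ini: Shell=(?P<shell>.+)$")
MBAM_SHELL_RE = re.compile(
    r"\(Hijack\.Shell\) -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


def extract_shell_values(log_lines: List[str]) -> List[str]:
    """Pull the (bad) Shell value out of HijackThis and MBAM log lines."""
    values = []
    for line in log_lines:
        m = HJT_SHELL_RE.match(line.strip())
        if m:
            values.append(m["shell"].strip())
            continue
        m = MBAM_SHELL_RE.search(line)
        if m:
            values.append(m["bad"].strip())
    return values


def tokenize(value: str) -> List[str]:
    # Winlogon separates shell programs with commas; the hijack on this page
    # uses spaces. Either way, a quoted path with spaces stays one token.
    return re.findall(r'"[^"]*"|[^,\s]+', value)


def audit_shell_value(value: str) -> Dict[str, object]:
    """Report what is in a Shell value besides the stock Explorer.exe."""
    tokens = tokenize(value)
    report: Dict[str, object] = {
        "value": value, "stock": False, "extras": [],
        "rundll32_modules": [], "odd_modules": []}
    if not tokens:
        return report
    first = tokens[0].strip('"').lower()
    is_explorer = first == STOCK_SHELL or first.endswith("\\" + STOCK_SHELL)
    report["stock"] = is_explorer and len(tokens) == 1
    report["extras"] = tokens[1:] if is_explorer else tokens
    for i, tok in enumerate(tokens):
        if tok.strip('"').lower() in ("rundll32.exe", "rundll32") and i + 1 < len(tokens):
            module = tokens[i + 1].strip('"')
            report["rundll32_modules"].append(module)
            # rundll32 loads whatever it is given as a DLL; a non-.dll
            # extension is a classic way to keep the payload out of sight.
            if not module.lower().endswith(".dll"):
                report["odd_modules"].append(module)
    return report


# Constructed input: the Shell-related lines from the logs above, plus an
# unrelated O4 line to show that it is ignored.
SAMPLE_LINES = [
    r"F0 - system.ini: Shell=Explorer.exe rundll32.exe tftp.nfo beforegllav",
    r"F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tftp.nfo beforegllav",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
    r" (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tftp.nfo beforegllav)"
    r" Good: (Explorer.exe) -> No action taken.",
    r"O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe",
]

if __name__ == "__main__":
    for value in extract_shell_values(SAMPLE_LINES):
        print(audit_shell_value(value))
```

On the value from this page it reports rundll32.exe, tftp.nfo and beforegllav as extras and tftp.nfo as a rundll32 module without a .dll extension; the Good value MBAM proposes, Explorer.exe alone, passes as stock.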

Well, I grabbed some guts and managed to get a Malwarebytes log in safe mode. Even though I disabled avast in Windows, apparently it was running in safe mode. I hope nothing got messed up. :blink:

---------------------------

ComboFix 09-10-04.01 - Ed 10/04/2009 23:19.1.1 - NTFSx86 NETWORK

Running from: e:\documents and settings\Ed\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1356 [VPS 091004-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

* Created a new restore point

.

ADS - WINDOWS: deleted 48 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

e:\program files\Common

e:\windows\system32\drivers\gasfkytxyumndx.sys

e:\windows\system32\gasfkyaqysqegh.dll

e:\windows\system32\gasfkytjuprwic.dat

e:\windows\system32\gasfkyvkdubcrx.dat

e:\windows\system32\gasfkyxoflnwsn.dll

e:\windows\system32\gasfkyydapwoon.dll

e:\windows\system32\wl.exe

e:\windows\wpd99.drv

Infected copy of e:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - e:\windows\system32\dllcache\eventlog.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_gasfkyeulxjnup

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Service_gasfkyeulxjnup

((((((((((((((((((((((((( Files Created from 2009-09-05 to 2009-10-05 )))))))))))))))))))))))))))))))

.

2009-10-05 02:04 . 2009-09-10 18:54 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys

2009-10-05 02:04 . 2009-09-10 18:53 19160 ----a-w- e:\windows\system32\drivers\mbam.sys

2009-10-03 12:55 . 2009-09-15 10:54 52368 ----a-w- e:\windows\system32\drivers\aswTdi.sys

2009-10-03 12:55 . 2009-09-15 10:54 23152 ----a-w- e:\windows\system32\drivers\aswRdr.sys

2009-10-03 12:55 . 2009-09-15 10:53 27408 ----a-w- e:\windows\system32\drivers\aavmker4.sys

2009-10-03 12:55 . 2009-09-15 10:53 97480 ----a-w- e:\windows\system32\AvastSS.scr

2009-10-03 12:55 . 2009-09-15 10:56 93424 ----a-w- e:\windows\system32\drivers\aswmon.sys

2009-10-03 12:55 . 2009-09-15 10:56 94160 ----a-w- e:\windows\system32\drivers\aswmon2.sys

2009-10-03 12:55 . 2009-09-15 10:55 114768 ----a-w- e:\windows\system32\drivers\aswSP.sys

2009-10-03 12:55 . 2009-09-15 10:55 20560 ----a-w- e:\windows\system32\drivers\aswFsBlk.sys

2009-10-03 12:55 . 2009-09-15 10:59 1279968 ----a-w- e:\windows\system32\aswBoot.exe

2009-10-03 12:55 . 2009-10-03 12:55 -------- d-----w- e:\program files\Alwil Software

2009-10-01 15:58 . 2009-10-01 15:58 -------- d-----w- e:\documents and settings\Ed\Application Data\Malwarebytes

2009-10-01 15:58 . 2009-10-05 02:12 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware

2009-10-01 15:58 . 2009-10-01 15:58 -------- d-----w- e:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-30 17:51 . 2008-04-14 00:12 116224 -c--a-w- e:\windows\system32\dllcache\xrxwiadr.dll

2009-09-30 17:51 . 2001-08-18 02:36 23040 -c--a-w- e:\windows\system32\dllcache\xrxwbtmp.dll

2009-09-30 17:51 . 2008-04-14 00:12 18944 -c--a-w- e:\windows\system32\dllcache\xrxscnui.dll

2009-09-30 17:51 . 2001-08-18 02:37 27648 -c--a-w- e:\windows\system32\dllcache\xrxftplt.exe

2009-09-30 17:51 . 2001-08-18 02:37 4608 -c--a-w- e:\windows\system32\dllcache\xrxflnch.exe

2009-09-30 17:51 . 2001-08-18 02:37 99865 -c--a-w- e:\windows\system32\dllcache\xlog.exe

2009-09-30 17:49 . 2001-08-17 16:13 19528 -c--a-w- e:\windows\system32\dllcache\w840nd.sys

2009-09-30 17:48 . 2004-08-04 02:31 32384 -c--a-w- e:\windows\system32\dllcache\usb101et.sys

2009-09-30 17:47 . 2001-08-17 18:56 440576 -c--a-w- e:\windows\system32\dllcache\tridkb.dll

2009-09-30 17:46 . 2001-08-17 17:49 30464 -c--a-w- e:\windows\system32\dllcache\tbatm155.sys

2009-09-30 17:45 . 2001-08-17 16:11 48736 -c--a-w- e:\windows\system32\dllcache\srwlnd5.sys

2009-09-30 17:44 . 2001-08-17 16:10 35913 -c--a-w- e:\windows\system32\dllcache\smcirda.sys

2009-09-30 17:43 . 2001-07-21 18:29 161568 -c--a-w- e:\windows\system32\dllcache\sgsmusb.sys

2009-09-30 17:43 . 2001-07-21 18:29 18400 -c--a-w- e:\windows\system32\dllcache\sgsmld.sys

2009-09-30 17:43 . 2001-08-17 16:51 98080 -c--a-w- e:\windows\system32\dllcache\sgiulnt5.sys

2009-09-30 17:43 . 2001-08-18 02:36 386560 -c--a-w- e:\windows\system32\dllcache\sgiul50.dll

2009-09-30 17:43 . 2001-08-17 16:19 36480 -c--a-w- e:\windows\system32\dllcache\sfmanm.sys

2009-09-30 17:43 . 2001-08-17 17:53 6784 -c--a-w- e:\windows\system32\dllcache\serscan.sys

2009-09-30 17:43 . 2001-08-17 17:48 17664 -c--a-w- e:\windows\system32\dllcache\sermouse.sys

2009-09-30 17:43 . 2001-08-17 17:53 6912 -c--a-w- e:\windows\system32\dllcache\seaddsmc.sys

2009-09-30 17:43 . 2008-04-13 18:45 11520 -c--a-w- e:\windows\system32\dllcache\scsiscan.sys

2009-09-30 17:41 . 2001-08-18 02:36 79872 -c--a-w- e:\windows\system32\dllcache\rwia430.dll

2009-09-30 17:40 . 2001-08-17 17:52 40320 -c--a-w- e:\windows\system32\dllcache\ql1080.sys

2009-09-30 17:39 . 2008-04-13 18:44 27904 -c--a-w- e:\windows\system32\dllcache\perm2.sys

2009-09-30 17:38 . 2001-08-17 18:05 25088 -c--a-w- e:\windows\system32\dllcache\ovca.sys

2009-09-30 17:37 . 2001-08-17 18:56 91488 -c--a-w- e:\windows\system32\dllcache\n9i3disp.dll

2009-09-30 17:36 . 2001-08-17 17:48 6016 -c--a-w- e:\windows\system32\dllcache\msfsio.sys

2009-09-30 17:35 . 2001-08-17 17:53 4992 -c--a-w- e:\windows\system32\dllcache\loop.sys

2009-09-30 17:34 . 2001-08-17 16:12 45632 -c--a-w- e:\windows\system32\dllcache\ip5515.sys

2009-09-30 17:33 . 2008-04-14 00:11 702845 -c--a-w- e:\windows\system32\dllcache\i81xdnt5.dll

2009-09-30 17:32 . 2001-08-18 02:36 32768 -c--a-w- e:\windows\system32\dllcache\hpgtmcro.dll

2009-09-30 17:31 . 2001-08-17 16:15 455680 -c--a-w- e:\windows\system32\dllcache\fus2base.sys

2009-09-30 17:30 . 2001-08-18 02:36 51200 -c--a-w- e:\windows\system32\dllcache\eqnlogr.exe

2009-09-30 17:29 . 2001-08-18 02:36 236060 -c--a-w- e:\windows\system32\dllcache\ditrace.exe

2009-09-30 17:28 . 2001-08-17 16:19 42112 -c--a-w- e:\windows\system32\dllcache\crtaud.sys

2009-09-30 17:27 . 2001-08-17 17:51 13824 -c--a-w- e:\windows\system32\dllcache\bulltlp3.sys

2009-09-30 17:26 . 2001-08-17 16:19 553984 -c--a-w- e:\windows\system32\dllcache\adm8820.sys

2009-09-30 05:13 . 2009-08-20 21:51 195440 ------w- e:\windows\system32\MpSigStub.exe

2009-09-30 04:00 . 2009-10-02 00:14 -------- d-----w- e:\program files\Microsoft Security Essentials

2009-09-29 21:50 . 2005-01-14 06:41 11254 ----a-w- e:\windows\system32\locate.com

2009-09-29 18:46 . 2009-09-29 18:46 -------- d-----w- E:\ISeeYouXP

2009-09-29 18:45 . 2009-09-29 18:45 -------- d-----w- e:\program files\ExplorerXP

2009-09-27 02:32 . 2009-09-27 02:32 -------- d-sh--w- e:\windows\system32\config\systemprofile\IETldCache

2009-09-26 18:03 . 2009-09-30 10:41 -------- d-----w- e:\program files\a-squared Free

2009-09-24 14:14 . 2009-10-03 23:28 0 ----a-r- e:\windows\win32k.sys

2009-09-05 05:16 . 2009-09-05 05:16 -------- d-----w- e:\documents and settings\All Users\Application Data\Office Genuine Advantage

2009-09-05 05:16 . 2009-09-05 05:16 -------- d-----w- e:\documents and settings\Ed\Application Data\Office Genuine Advantage

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-05 03:15 . 2008-08-29 01:56 1324 ----a-w- e:\windows\system32\d3d9caps.dat

2009-10-04 00:19 . 2008-03-02 03:52 -------- d---a-w- e:\documents and settings\All Users\Application Data\TEMP

2009-10-03 02:07 . 2008-04-12 18:57 -------- d-----w- e:\program files\RegCure

2009-09-30 17:07 . 2006-07-14 13:18 -------- d-----w- e:\program files\Spybot - Search & Destroy

2009-09-30 17:07 . 2006-07-14 13:18 -------- d-----w- e:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-30 03:55 . 2006-07-15 04:06 -------- d-----w- e:\program files\Lavasoft

2009-09-25 12:35 . 2008-01-26 01:36 -------- d-----w- e:\documents and settings\All Users\Application Data\Lavasoft

2009-09-08 17:54 . 2008-03-17 02:09 -------- d-----w- e:\program files\Microsoft Silverlight

2009-09-02 12:49 . 2007-02-15 21:16 -------- d-----w- e:\program files\Bethesda Softworks

2009-08-23 14:19 . 2006-12-09 17:11 -------- d-----w- e:\program files\QuickTime

2009-08-18 03:21 . 2007-12-01 03:05 -------- d-----w- e:\program files\Canon

2009-08-18 03:20 . 2009-08-18 03:20 -------- d-----w- e:\documents and settings\All Users\Application Data\ZoomBrowser

2009-08-18 03:18 . 2009-08-18 03:18 -------- d-----w- e:\program files\Common Files\Canon

2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- e:\windows\system32\mswebdvd.dll

2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- e:\windows\system32\OGACheckControl.dll

2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- e:\windows\system32\OGAAddin.dll

2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- e:\windows\system32\OGAEXEC.exe

2009-07-25 09:23 . 2008-12-12 19:40 411368 ----a-w- e:\windows\system32\deploytk.dll

2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- e:\windows\system32\atl.dll

2009-07-15 21:40 . 2009-07-15 21:40 229208 ----a-w- e:\windows\system32\drivers\VMM.sys

2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- e:\windows\system32\wmpdxm.dll

2008-03-13 22:09 . 2008-03-13 22:09 0 -c--a-w- e:\program files\temp01

2001-10-05 15:53 . 2006-06-30 10:32 21866 -c--a-w- e:\program files\Common Files\tppupd2k.dll

2007-09-30 18:32 . 2007-09-30 18:32 0 -csh--w- e:\windows\S9259FD30.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="e:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]

"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"itype"="e:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]

"nmctxth"="e:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]

"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2008-09-18 13574144]

"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2009-08-23 413696]

"avast!"="e:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]

"nwiz"="nwiz.exe" - e:\windows\system32\nwiz.exe [2008-09-18 1657376]

e:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - e:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-6-24 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "e:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

path=

backup=

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^DigiCell.lnk]

backup=e:\windows\pss\DigiCell.lnkCommon Startup

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=e:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=e:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\E:^Documents and Settings^Ed^Start Menu^Programs^Startup^St. Johns County Library System Tray App.lnk]

backup=e:\windows\pss\St. Johns County Library System Tray App.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopRock

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"e:\\Games\\CAVEDOG\\TOTALA\\prefrontend.exe"=

"e:\\Program Files\\Smartparts\\Smartparts Desktop\\OptiPix.exe"=

"e:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"e:\\WINDOWS\\system32\\dpvsetup.exe"=

"e:\\WINDOWS\\system32\\dxdiag.exe"=

"e:\\WINDOWS\\system32\\dpnsvr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"67:UDP"= 67:UDP:DHCP Discovery Service

R3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [2006-05-09 835584]

R3 IPSECEXT;Nortel Extranet Access Protocol;e:\windows\system32\DRIVERS\ipsecw2k.sys [2006-05-09 155216]

R3 WFIOCTL;WFIOCTL;e:\program files\WinFast\WFTVFM\WFIOCTL.SYS [x]

S1 aswSP;avast! Self Protection; [x]

S2 aswFsBlk;aswFsBlk;e:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]

S2 LinksysUpdater;Linksys Updater;e:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-01-15 204800]

S2 wlidsvc;Windows Live ID Sign-in Assistant;e:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-03-30 1533808]

S3 Eacfilt;Eacfilt Miniport;e:\windows\system32\DRIVERS\eacfilt.sys [2006-05-09 24521]

S3 WFsys;WinFox Control I/O Driver;e:\windows\system32\DRIVERS\wfsys.sys [2002-04-22 13692]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"e:\windows\system32\rundll32.exe" "e:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-10-05 e:\windows\Tasks\RegCure Program Check.job

- e:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

2009-10-05 e:\windows\Tasks\RegCure Startup.job

- e:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

2009-10-04 e:\windows\Tasks\RegCure.job

- e:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

2009-10-05 e:\windows\Tasks\User_Feed_Synchronization-{A2AD8B70-17B9-4A06-A27C-C7816CEC16C6}.job

- e:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.bls.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Trusted Zone: turbotax.com

Trusted Zone: unitedmedia.com\www

.

- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)

AddRemove-DIVXCodec - e:\windows\rundll.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-04 23:26

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-926492609-725345543-1003\Software\SecuROM\License information*]

"datasecu"=hex:6c,56,8a,88,ad,44,2d,e7,a3,65,1c,8c,9e,6b,6d,d8,0c,2f,67,46,9b,

2d,bd,71,b5,89,34,6e,f1,2c,3b,a4,00,09,26,b7,20,1c,7a,82,fd,10,dc,a0,66,63,\

"rkeysecu"=hex:ab,69,d1,dd,5a,b5,21,90,9d,1a,a8,19,e7,cd,16,7c

[HKEY_USERS\S-1-5-21-343818398-926492609-725345543-1003\Software\Zepter Software\RegLib*30bfa56e\AnyDVD/1]

"1"=dword:44ae3382

"2"=dword:450cbc16

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@e:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="e:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1768)

e:\windows\system32\ginamsi.dll

- - - - - - - > 'explorer.exe'(1204)

e:\windows\system32\WININET.dll

e:\windows\system32\ieframe.dll

e:\windows\system32\webcheck.dll

e:\windows\system32\WPDShServiceObj.dll

e:\program files\Microsoft Virtual PC\VPCShExH.DLL

e:\windows\system32\PortableDeviceTypes.dll

e:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

e:\program files\Ahead\InCD\InCDsrv.exe

e:\program files\Alwil Software\Avast4\aswUpdSv.exe

e:\program files\Alwil Software\Avast4\ashServ.exe

e:\program files\Java\jre6\bin\jqs.exe

e:\windows\system32\nvsvc32.exe

e:\windows\system32\java.exe

e:\windows\system32\searchindexer.exe

e:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

e:\program files\Canon\CAL\CALMAIN.exe

e:\windows\system32\wscntfy.exe

e:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE

e:\program files\Alwil Software\Avast4\ashMaiSv.exe

e:\windows\system32\searchprotocolhost.exe

e:\windows\system32\searchfilterhost.exe

.

**************************************************************************

.

Completion time: 2009-10-05 23:31 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-05 03:31

Pre-Run: 29,662,674,944 bytes free

Post-Run: 31,093,444,608 bytes free

273 --- E O F --- 2009-10-04 07:00


  • Staff
Well I grabbed some guts
Looks like it helped. :)

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double-click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Here is the F-Secure Online Scanner results.

------------------------------

Scanning Report

Tuesday, October 6, 2009 09:56:28 - 10:34:13

Computer name: EPG-AD8A10EF408

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ E:\ G:\ H:\ I:\

--------------------------------------------------------------------------------

7 malware found

TrackingCookie.Adinterax (spyware)

System (Disinfected)

TrackingCookie.Atdmt (spyware)

System (Disinfected)

TrackingCookie.Revsci (spyware)

System (Disinfected)

TrackingCookie.Webtrends (spyware)

System (Disinfected)

TrackingCookie.Atwola (spyware)

System (Disinfected)

Trojan.Generic.1910083 (virus)

C:\WINFAST WORKAREA\GAMES\DIABLO II\DRUG+MASTER5.1.EXE (Renamed & Submitted)

Trojan.Generic.58451 (virus)

C:\WINFAST WORKAREA\COMPUTER\DVD STUFF - JIM\DVD\DVD2ONE2V2.0.0\DVD2ONE2V2.EXE (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 31085

System: 6401

Not scanned: 1

Actions:

Disinfected: 5

Renamed: 2

Deleted: 0

Not cleaned: 0

Submitted: 2

Files not scanned:

C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics


Here is the Security Check results.

----------------------------

Results of screen317's Security Check version 0.99.0

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

avast! Antivirus

Antivirus up to date! (On Access scanning disabled!)

``````````````````````````````

Anti-malware/Other Utilities Check:

Windows Defender Signatures

Java 6 Update 15

Java SE Runtime Environment 6 Update 1

Java 6 Update 2

Java 6 Update 3

Java 6 Update 5

Java 6 Update 7

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 7.0.9

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

Alwil Software Avast4 aswUpdSv.exe

Alwil Software Avast4 ashServ.exe

Alwil Software Avast4 ashDisp.exe

system32 fsonlinescanner.exe -?-

``````````````````````````````

DNS Vulnerability Check:

nslookup.exe missing!

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


Problems identified so far:

- Microsoft update can't install "Security Update for Windows XP (KB956572)"

- Avast can't scan because of an unknown error "Skin is not complete. Look at the following description: Skin is not loaded properly." Then the program shuts down.

Actually I'm thinking of going with MS Defender or the new MS System Check.


screen317

Once we get everything in order, can you make any recommendations on the spyware & virus programs (Avast and Spybot S&D) that I am using?

Is MS Defender or the new MS System Check better or worse than what I am now using?

Should I be running the various programs (Malwarebytes, ComboFix, HijackThis, F-Secure and Security Check) on a routine basis? Or are they after-the-fact troubleshooters?


  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java


Latest Update:

I replaced my Avast virus checker with Avira AntiVir. I also removed SpyBot S&D but have not added any new spyware program yet. Any suggestions?

I removed everything except malwarebytes. I plan on purchasing the pro version.

Got the latest version of Java and Adobe Reader.

I took a case out with Microsoft Support. We verified the relevant Windows Update services and registered the Windows Update engine files. I can now access Windows Update as usual. I also sent them the WindowsUpdate.log.

I can access and install most updates except for KB890830 & KB956572 (malicious software removal & security updates). The Windows PowerShell KB926141 had no problem installing. The 2 programs downloaded & loaded but would not install. I also have the yellow installation shield with the same 2 programs on my task bar. They won


  • Staff

Hi,

Latest Update:

I replaced my Avast virus checker with Avira AntiVir. I also removed SpyBot S&D but have not added any new spyware program yet. Any suggestions?

I removed everything except malwarebytes. I plan on purchasing the pro version.

Good choice. See the bottom of this post for my recommendations.

Got the latest version of Java and Adobe Reader.

Good.

I can access and install most updates except for KB890830 & KB956572 (malicious software removal & security updates). The Windows PowerShell KB926141 had no problem installing. The 2 programs downloaded & loaded but would not install. I also have the yellow installation shield with the same 2 programs on my task bar. They won

  • Staff

They protect you differently and work well side-by-side. SpywareBlaster is passive protection; it runs in the background and doesn't alert you of anything; MBAM, however, is active protection, waiting for an infection to begin to attempt to run (or waiting for you to visit a suspicious site) before acting.

-screen317


screen317

I have everything on my system that you suggested (Malwarebytes, Avira, COMODO, SpywareBlaster, IE-SPYAD, Secunia Online Software Inspector, WOT & Windows Update) and it's like I built a new machine.

BTW, The Microsoft Windows Technical Support people liked your suggestions as well.

I want to thank you again for all your help in solving my problem and offering suggestions.

