
Please help, unable to delete rootkit.agent


rengis

Hi,

I was recently infected with a nasty spyware/trojan. I've been able to remove the vast majority of the malware but still have a few lingering issues...

As soon as my TCP/IP connection starts "WINDOWS.0\system32\services.exe" repeatedly tries to connect to the internet. I employed the Comodo firewall which blocks those attempts (approx. 10 attempted connections per minute).

My anti-virus (AVG) and numerous malware/spyware tools show no infection, but Malwarebytes repeatedly shows a rootkit.agent "npguiw.sys" which requires a restart to delete. Upon restart, the file still exists and the date/time modified is always updated to the current time anytime I look for the file.

I've been working on this issue for about a week and am very frustrated as you can imagine. Any help is greatly appreciated.

DDS ran fine after I disabled my anti-virus, but about 2 seconds into the GMER scan the computer crashed then restarted. A little Windows box came up with a "The System has recovered from a serious error" message.

Here are the logs & attachments as requested in the "I'm infected - What do I Do Now?" pinned thread:

Malwarebytes' Anti-Malware 1.44

Database version: 3524

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

1/8/2010 8:50:20 PM

mbam-log-2010-01-08 (20-50-20).txt

Scan type: Quick Scan

Objects scanned: 117271

Time elapsed: 41 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS.0\system32\drivers\npguiw.sys (Rootkit.Agent) -> Delete on reboot.

-----------------------------------------------

DDS (Ver_09-12-01.01) - NTFSx86

Run by john at 22:00:00.74 on Fri 01/08/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.638 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS.0\system32\savedump.exe

C:\WINDOWS.0\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS.0\system32\svchost.exe -k netsvcs

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

svchost.exe

C:\WINDOWS.0\Explorer.EXE

C:\WINDOWS.0\system32\spoolsv.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS.0\system32\CTsvcCDA.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS.0\runservice.exe

C:\WINDOWS.0\system32\lxdicoms.exe

C:\WINDOWS.0\system32\svchost.exe -k imgsvc

C:\WINDOWS.0\system32\wuauclt.exe

C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE

C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe

C:\WINDOWS.0\CTHELPER.EXE

C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

C:\Program Files\Atomic Clock Sync\Atomic.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Documents and Settings\john\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\PROGRA~1\MICROS~1\rapimgr.exe

C:\WINDOWS.0\system32\wscntfy.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\john\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.care2.com/

mWinlogon: SfcDisable=-99 (0xffffff9d)

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

uRun: [Google Update] "c:\documents and settings\john\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [NeroFilterCheck] c:\windows.0\system32\NeroCheck.exe

mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [AtiPTA] Atiptaxx.exe

mRun: [CTXFIREG] CTxfiReg.exe

mRun: [CTDVDDET] "c:\program files\creative\sbaudigy4\dvdaudio\CTDVDDET.EXE"

mRun: [CTSysVol] c:\program files\creative\sbaudigy4\surround mixer\CTSysVol.exe /r

mRun: [RCSystem] "c:\program files\creative\shared files\module loader\DLLML.exe" RCSystem * -Startup

mRun: [CTHelper] CTHELPER.EXE

mRun: [updReg] c:\windows.0\UpdReg.EXE

mRun: [lxdimon.exe] "c:\program files\lexmark 3500-4500 series\lxdimon.exe"

mRun: [lxdiamon] "c:\program files\lexmark 3500-4500 series\lxdiamon.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h

mRun: [Atomic.exe] c:\program files\atomic clock sync\Atomic.exe

dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~1\INetRepl.dll

DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab

TCP: {08E4A312-63B8-49FD-8E05-EE1B9CC011E7} = 205.171.3.65,205.171.2.65

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows.0\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

LSA: Authentication Packages = msv1_0 c:\windows.0\system32\ddcDvsRL

LSA: Notification Packages = scecli wejupaza.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\jvr0eka8.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.care2.com

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\john\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows.0\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows.0\system32\drivers\avgldx86.sys [2009-12-26 333192]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows.0\system32\drivers\avgmfx86.sys [2009-12-26 28424]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows.0\system32\drivers\avgtdix.sys [2009-12-26 360584]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows.0\system32\drivers\cmdguard.sys [2010-1-1 133064]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows.0\system32\drivers\cmdhlp.sys [2010-1-1 25160]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-26 285392]

R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-1-1 723632]

R2 LicCtrlService;LicCtrl Service;c:\windows.0\Runservice.exe [2006-8-19 2560]

R2 lxdi_device;lxdi_device;c:\windows.0\system32\lxdicoms.exe -service --> c:\windows.0\system32\lxdicoms.exe -service [?]

R2 npf;NetGroup Packet Filter Driver;c:\windows.0\system32\drivers\npf.sys [2007-11-15 34064]

R3 ndisrd;WinpkFilter Service;c:\windows.0\system32\drivers\ndisrd.sys [2009-11-19 20480]

R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]

R3 viafilter;VIA USB Filter;c:\windows.0\system32\drivers\viausb1.sys [2008-11-27 9728]

S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows.0\system32\spool\drivers\w32x86\3\lxdiserv.exe [2009-6-28 99248]

S2 srenum;srenum;c:\windows.0\system32\drivers\srenum.sys --> c:\windows.0\system32\drivers\srenum.sys [?]

S3 ati2mpad;ati2mpad;c:\windows.0\system32\drivers\ati2mpad.sys [2002-2-18 303360]

S3 atirage;atirage;c:\windows.0\system32\drivers\atiragem.sys [2006-8-18 70528]

S3 COMMONFX;COMMONFX;c:\windows.0\system32\drivers\commonfx.sys --> c:\windows.0\system32\drivers\COMMONFX.SYS [?]

S3 CTAUDFX;CTAUDFX;c:\windows.0\system32\drivers\ctaudfx.sys --> c:\windows.0\system32\drivers\CTAUDFX.SYS [?]

S3 CTERFXFX;CTERFXFX;c:\windows.0\system32\drivers\cterfxfx.sys --> c:\windows.0\system32\drivers\CTERFXFX.SYS [?]

S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows.0\system32\drivers\ctlsb16.sys [2006-8-18 96256]

S3 CTSBLFX;CTSBLFX;c:\windows.0\system32\drivers\ctsblfx.sys --> c:\windows.0\system32\drivers\CTSBLFX.SYS [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*

scrfile="%1" %*

=============== Created Last 30 ================

2010-01-09 05:31:06 0 ----a-w- c:\documents and settings\john\defogger_reenable

2010-01-07 06:16:48 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan

2010-01-07 06:16:22 0 d-----w- c:\program files\Security Task Manager

2010-01-07 04:12:42 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-01-07 04:12:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-01-07 00:56:00 0 d-----w- C:\VundoFix Backups

2010-01-07 00:24:26 0 d-----w- C:\Lop SD

2010-01-06 23:57:38 0 d-----w- c:\program files\Trend Micro

2010-01-01 19:17:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo

2010-01-01 19:17:27 25160 ----a-w- c:\windows.0\system32\drivers\cmdhlp.sys

2010-01-01 19:17:27 171552 ----a-w- c:\windows.0\system32\guard32.dll

2010-01-01 19:17:26 133064 ----a-w- c:\windows.0\system32\drivers\cmdguard.sys

2010-01-01 19:08:11 0 d-----w- c:\windows.0\system32\wbem\Repository

2010-01-01 19:07:27 0 d-----w- c:\program files\Atomic Clock Sync

2010-01-01 01:38:12 0 d-----w- c:\program files\COMODO

2009-12-29 15:44:13 0 d-----w- c:\docume~1\john\applic~1\ParetoLogic

2009-12-29 15:44:05 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic

2009-12-29 04:45:23 7680 --sha-w- c:\windows.0\Thumbs.db

2009-12-29 04:45:13 5632 --sha-w- C:\Thumbs.db

2009-12-28 05:09:33 0 d-----w- c:\documents and settings\john\.zenmap

2009-12-28 03:25:40 471552 ------w- c:\windows.0\system32\dllcache\aclayers.dll

2009-12-26 22:58:54 0 d--h--w- C:\$AVG

2009-12-26 22:58:40 12464 ----a-w- c:\windows.0\system32\avgrsstx.dll

2009-12-26 22:58:39 360584 ----a-w- c:\windows.0\system32\drivers\avgtdix.sys

2009-12-26 22:58:23 333192 ----a-w- c:\windows.0\system32\drivers\avgldx86.sys

2009-12-26 22:58:19 0 d-----w- c:\windows.0\system32\drivers\Avg

2009-12-26 22:57:54 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

2009-12-24 23:04:55 0 d-----w- c:\program files\Microsoft ActiveSync

2009-12-24 23:04:05 0 d-----w- c:\program files\Windows Mobile Device Handbook

2009-12-24 01:02:18 38224 ----a-w- c:\windows.0\system32\drivers\mbamswissarmy.sys

2009-12-24 01:02:11 19160 ----a-w- c:\windows.0\system32\drivers\mbam.sys

2009-12-23 12:46:08 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2009-12-23 12:44:32 0 d-----w- c:\program files\SUPERAntiSpyware

2009-12-23 12:44:32 0 d-----w- c:\docume~1\john\applic~1\SUPERAntiSpyware.com

2009-12-23 12:41:50 0 d-----w- c:\program files\common files\Wise Installation Wizard

2009-12-22 05:13:23 0 ----a-w- c:\windows.0\Kkutadomipuso.bin

2009-12-22 05:13:16 120 ----a-w- c:\windows.0\Qleqesugunepoza.dat

2009-12-22 05:09:01 142592 ----a-w- c:\windows.0\system32\drivers\OLD106.tmp

2009-12-22 05:08:57 763904 ----a-w- c:\windows.0\system32\drivers\npguiw.sys

2009-12-19 20:32:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-01-09 05:56:43 3513 --sha-w- c:\windows.0\system32\mmf.sys

2010-01-01 20:44:05 110592 ----a-w- c:\windows.0\system32\services.exe

2010-01-01 19:55:43 361600 ----a-w- c:\windows.0\system32\drivers\tcpip.sys

2010-01-01 19:55:43 361600 ----a-w- c:\windows.0\system32\dllcache\tcpip.sys

2009-12-26 00:16:12 2296 ----a-w- c:\windows.0\system32\d3d9caps.dat

2009-12-08 02:16:50 56816 ----a-w- c:\windows.0\system32\drivers\avgntflt.sys

2009-11-19 13:41:20 20480 ----a-w- c:\windows.0\system32\drivers\ndisrd.sys

2009-10-30 08:38:22 3070976 ------w- c:\windows.0\system32\dllcache\mshtml.dll

2009-10-29 05:38:23 667136 ----a-w- c:\windows.0\system32\wininet.dll

2009-10-29 05:38:23 667136 ------w- c:\windows.0\system32\dllcache\wininet.dll

2009-10-29 05:38:22 627712 ------w- c:\windows.0\system32\dllcache\urlmon.dll

2009-10-29 05:38:22 1509888 ------w- c:\windows.0\system32\dllcache\shdocvw.dll

2009-10-24 00:43:44 249856 ------w- c:\windows.0\Setup1.exe

2009-10-24 00:43:40 73216 ----a-w- c:\windows.0\ST6UNST.EXE

2009-10-21 05:38:36 75776 ----a-w- c:\windows.0\system32\strmfilt.dll

2009-10-21 05:38:36 75776 ------w- c:\windows.0\system32\dllcache\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\windows.0\system32\httpapi.dll

2009-10-21 05:38:36 25088 ------w- c:\windows.0\system32\dllcache\httpapi.dll

2009-10-20 16:20:16 265728 ------w- c:\windows.0\system32\dllcache\http.sys

2009-10-13 10:30:16 270336 ----a-w- c:\windows.0\system32\oakley.dll

2009-10-13 10:30:16 270336 ------w- c:\windows.0\system32\dllcache\oakley.dll

2009-10-12 13:38:19 149504 ----a-w- c:\windows.0\system32\rastls.dll

2009-10-12 13:38:19 149504 ------w- c:\windows.0\system32\dllcache\rastls.dll

2009-10-12 13:38:18 79872 ----a-w- c:\windows.0\system32\raschap.dll

2009-10-12 13:38:18 79872 ------w- c:\windows.0\system32\dllcache\raschap.dll

2009-10-11 12:17:27 411368 ----a-w- c:\windows.0\system32\deploytk.dll

2008-03-13 06:27:43 333 --sha-r- c:\windows.0\110x52qx4x.dat

2008-12-03 01:31:27 23 --sha-w- c:\windows.0\system32\ddcffcfdb8_z.dll

2008-03-13 06:27:43 333 --sha-r- c:\windows.0\system32\MS4xx0104q.dll

============= FINISH: 22:00:57.62 ===============

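Several entries in the DDS log above are exactly the lines a malware-removal helper reads first: the Winlogon SfcDisable value, the two LSA package lines, the services whose image DDS could not find (marked [?]), and a driver file created days before the scan that no listed service loads. The script below, added here as an editorial example and not code from this thread, from DDS or from Malwarebytes, parses those line formats and flags them. The sample lines are copied from the log above; the "expected" LSA package sets are an assumed baseline for a standalone Windows XP workstation, not something the page states.

```python
import re
from datetime import date, datetime

# Sample lines copied from the DDS log posted above (only the line types
# the checks below understand). This is an editorial example, not code
# from the thread, from DDS, or from Malwarebytes.
SAMPLE_DDS = r"""
mWinlogon: SfcDisable=-99 (0xffffff9d)
LSA: Authentication Packages = msv1_0 c:\windows.0\system32\ddcDvsRL
LSA: Notification Packages = scecli wejupaza.dll
R1 AvgTdiX;AVG Free Network Redirector;c:\windows.0\system32\drivers\avgtdix.sys [2009-12-26 360584]
R2 lxdi_device;lxdi_device;c:\windows.0\system32\lxdicoms.exe -service --> c:\windows.0\system32\lxdicoms.exe -service [?]
S2 srenum;srenum;c:\windows.0\system32\drivers\srenum.sys --> c:\windows.0\system32\drivers\srenum.sys [?]
2009-12-22 05:08:57 763904 ----a-w- c:\windows.0\system32\drivers\npguiw.sys
2009-12-24 01:02:11 19160 ----a-w- c:\windows.0\system32\drivers\mbam.sys
2009-12-26 22:58:39 360584 ----a-w- c:\windows.0\system32\drivers\avgtdix.sys
"""
SCAN_DATE = date(2010, 1, 8)  # the day the DDS log above was run

# Assumed baseline for a standalone Windows XP workstation: lsass should load
# exactly these packages; any extra DLL named here runs inside lsass at boot.
EXPECTED_AUTH_PACKAGES = {"msv1_0"}
EXPECTED_NOTIFY_PACKAGES = {"scecli"}

SFC_RE = re.compile(r"SfcDisable=(-?\d+)")
LSA_RE = re.compile(r"^LSA: (Authentication|Notification) Packages = (.*)$")
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d\d:\d\d:\d\d (\d+) (\S+) (.+)$")
IMAGE_NAME_RE = re.compile(r"([^\\\s]+\.(?:sys|exe|dll))", re.I)


def triage(log_text, scan_date, window_days=30):
    """Return (severity, reason, evidence) tuples for the red flags in a DDS log."""
    findings = []
    service_images = set()  # lowercase file names of every listed service/driver image
    new_drivers = []        # (created, size, path) for .sys files created inside the window

    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue

        m = SFC_RE.search(line)
        if m:
            if int(m.group(1)) != 0:
                findings.append(("high", "Windows File Protection disabled via SfcDisable", line))
            continue

        m = LSA_RE.match(line)
        if m:
            kind, packages = m.group(1), set(m.group(2).split())
            expected = EXPECTED_AUTH_PACKAGES if kind == "Authentication" else EXPECTED_NOTIFY_PACKAGES
            for extra in sorted(packages - expected):
                findings.append(("high", f"unexpected LSA {kind.lower()} package loaded into lsass", extra))
            continue

        m = SERVICE_RE.match(line)
        if m:
            state, name, _desc, image = m.groups()
            img = IMAGE_NAME_RE.search(image)
            if img:
                service_images.add(img.group(1).lower())
            if image.endswith("[?]"):  # DDS could not stat the image at that path
                findings.append(("medium", f"service {name} ({state}) points at an image DDS could not find", image))
            continue

        m = CREATED_RE.match(line)
        if m:
            created = datetime.strptime(m.group(1), "%Y-%m-%d").date()
            size, path = int(m.group(2)), m.group(4)
            if path.lower().endswith(".sys") and 0 <= (scan_date - created).days <= window_days:
                new_drivers.append((created, size, path))

    # A kernel driver dropped shortly before the scan that no listed service
    # loads is the shape a hidden rootkit service leaves in this kind of log.
    for created, size, path in new_drivers:
        if path.rsplit("\\", 1)[-1].lower() not in service_images:
            findings.append(("high", f"recent driver ({created}, {size} bytes) with no matching service entry", path))

    return findings


def triage_sample():
    """Run the checks over the sample lines from the log above."""
    return triage(SAMPLE_DDS, SCAN_DATE)


if __name__ == "__main__":
    for severity, reason, evidence in triage_sample():
        print(f"[{severity:6}] {reason}: {evidence}")
```

Run it as a script to print the findings. The last heuristic flags npguiw.sys, but it also flags mbam.sys, because DDS does not list every start-on-demand driver; in practice you keep a known-good list of tool and vendor drivers in front of that check, and treat the LSA and SfcDisable hits as the ones that need no such filtering.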

It's been a few days without a response so I thought I'd reply to my own thread in hopes that one of you kind folks would assist me.

After the first post, I realized that my attach zip didn't go through so I will include it with this post.

In the meantime, I uninstalled AVG anti-virus and installed Avira... Avira detected the same file "npguiw.sys" sent it to quarantine and asked me to immediately restart my computer. It still won't go away ;) I now have four copies of "npguiw.sys" in my Avira quarantine list and "services.exe" continues trying to access my internet connection.

I realize you folks are swamped with help requests. I'd greatly appreciate any assistance that could be provided to help solve this problem.

Have a good day.

Attach.zip


  • Root Admin

Hi John,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

  2. During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

  3. It is important you rename Combofix during the download, but not after.

  4. Please do not rename Combofix to other names, but only to the one indicated.

  5. Close any open browsers.

  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.

  • When finished, it will produce a report for you.

  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe or winlogon.exe instead.

This is because it also happens in some cases that malware blocks EVERY process except what is in its own whitelist, and this whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...


Thanks for taking the time to look at my problem.

I ran ComboFix and it seemed to run fine; it deleted a bunch of files including a whole slew of .dat files & 3 .sys files, including the offending one I had mentioned previously.

Unfortunately, my computer is now unable to access the internet and I'm posting from my phone ;)... unable to show my logs, etc. I've attempted numerous restarts and still am unable to connect.

Any ideas?

Thanks again


Apologies for the poor grammar/spelling on my last post as I am unable to edit.

I ran a system restore back to yesterday, which repaired my TCP/IP so that I could post my logs from the scans that were requested; unfortunately, that likely undid any positive changes that ComboFix was able to provide. Before restoring, I attempted to repair my internet connection and I got a message "failed to query TCP/IP"... haven't seen that before?

here are the logs:

ComboFix 10-01-13.09 - john 01/13/2010 22:12:07.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.899 [GMT -8:00]

Running from: c:\documents and settings\john\Desktop\Combo-Fix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Thumbs.db

c:\windows.0\a3kebook.ini

c:\windows.0\akebook.ini

c:\windows.0\ANS2000.INI

c:\windows.0\kb913800.exe

c:\windows.0\system32\Data

c:\windows.0\system32\Data\CT0060W.DAT

c:\windows.0\system32\Data\CTEAPSW.DAT

c:\windows.0\system32\Data\CTEDSP2W.DAT

c:\windows.0\system32\Data\CTEDSPKW.DAT

c:\windows.0\system32\Data\CTEDSPLW.DAT

c:\windows.0\system32\Data\CTEDSPPW.DAT

c:\windows.0\system32\Data\CTEDSPTW.DAT

c:\windows.0\system32\Data\CTEDSPUW.DAT

c:\windows.0\system32\Data\CTEDSPW.DAT

c:\windows.0\system32\Data\CTP0060W.DAT

c:\windows.0\system32\Data\CTP0061W.DAT

c:\windows.0\system32\Data\CTP0070W.DAT

c:\windows.0\system32\Data\CTP0073W.DAT

c:\windows.0\system32\Data\CTP0090W.DAT

c:\windows.0\system32\Data\CTP0091W.DAT

c:\windows.0\system32\Data\CTP0092W.DAT

c:\windows.0\system32\Data\CTP0095W.DAT

c:\windows.0\system32\Data\CTP0100W.DAT

c:\windows.0\system32\Data\CTP0101W.DAT

c:\windows.0\system32\Data\CTP0102W.DAT

c:\windows.0\system32\Data\CTP0103W.DAT

c:\windows.0\system32\Data\CTP0105W.DAT

c:\windows.0\system32\Data\CTP0150W.DAT

c:\windows.0\system32\Data\CTP0161W.DAT

c:\windows.0\system32\Data\CTP0162W.DAT

c:\windows.0\system32\Data\CTP0170W.DAT

c:\windows.0\system32\Data\CTP017AW.DAT

c:\windows.0\system32\Data\CTP017BW.DAT

c:\windows.0\system32\Data\CTP017CW.DAT

c:\windows.0\system32\Data\CTP017DW.DAT

c:\windows.0\system32\Data\CTP017EW.DAT

c:\windows.0\system32\Data\CTP017FW.DAT

c:\windows.0\system32\Data\CTP017GW.DAT

c:\windows.0\system32\Data\CTP017HW.DAT

c:\windows.0\system32\Data\CTP0191W.DAT

c:\windows.0\system32\Data\CTP0192W.DAT

c:\windows.0\system32\Data\CTP0221W.DAT

c:\windows.0\system32\Data\CTP0222W.DAT

c:\windows.0\system32\Data\CTP0230W.DAT

c:\windows.0\system32\Data\CTP0231W.DAT

c:\windows.0\system32\Data\CTP0232W.DAT

c:\windows.0\system32\Data\CTP0238W.DAT

c:\windows.0\system32\Data\CTP0240W.DAT

c:\windows.0\system32\Data\CTP0242W.DAT

c:\windows.0\system32\Data\CTP0243W.DAT

c:\windows.0\system32\Data\CTP0244W.DAT

c:\windows.0\system32\Data\CTP0245W.DAT

c:\windows.0\system32\Data\CTP0249W.DAT

c:\windows.0\system32\Data\CTP0280W.DAT

c:\windows.0\system32\Data\CTP0320W.DAT

c:\windows.0\system32\Data\CTP0350W.DAT

c:\windows.0\system32\Data\CTP0352W.DAT

c:\windows.0\system32\Data\CTP0360W.DAT

c:\windows.0\system32\Data\CTP0380W.DAT

c:\windows.0\system32\Data\CTP0400W.DAT

c:\windows.0\system32\Data\CTP0530L.DAT

c:\windows.0\system32\Data\CTP0530W.DAT

c:\windows.0\system32\Data\CTP0600W.DAT

c:\windows.0\system32\Data\CTP0610W.DAT

c:\windows.0\system32\Data\CTP1140W.DAT

c:\windows.0\system32\Data\CTP4620W.DAT

c:\windows.0\system32\Data\CTP4670W.DAT

c:\windows.0\system32\Data\CTP4760W.DAT

c:\windows.0\system32\Data\CTP4780W.DAT

c:\windows.0\system32\Data\CTP4790W.DAT

c:\windows.0\system32\Data\CTP4820W.DAT

c:\windows.0\system32\Data\CTP4830W.DAT

c:\windows.0\system32\Data\CTP4831W.DAT

c:\windows.0\system32\Data\CTP4832W.DAT

c:\windows.0\system32\Data\CTP4840W.DAT

c:\windows.0\system32\Data\CTP4850W.DAT

c:\windows.0\system32\Data\CTP4870W.DAT

c:\windows.0\system32\Data\CTP4871W.DAT

c:\windows.0\system32\Data\CTP4872W.DAT

c:\windows.0\system32\Data\CTP4875W.DAT

c:\windows.0\system32\Data\CTP4890W.DAT

c:\windows.0\system32\Data\CTP4891W.DAT

c:\windows.0\system32\Data\CTP4893W.DAT

c:\windows.0\system32\Data\CTPDXW.DAT

c:\windows.0\system32\Data\CTPM002W.DAT

c:\windows.0\system32\drivers\ndisrd.sys

c:\windows.0\system32\drivers\npf.sys

c:\windows.0\system32\drivers\npguiw.sys

c:\windows.0\system32\Packet.dll

c:\windows.0\system32\pthreadVC.dll

c:\windows.0\system32\WanPacket.dll

c:\windows.0\system32\wpcap.dll

c:\windows.0\wiaserviv.log

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Service_ndisrd

-------\Service_npf

-------\Legacy_npguiw

-------\Service_npguiw

((((((((((((((((((((((((( Files Created from 2009-12-14 to 2010-01-14 )))))))))))))))))))))))))))))))

.

2010-01-09 08:02 . 2009-03-30 17:33 96104 ----a-w- c:\windows.0\system32\drivers\avipbb.sys

2010-01-09 08:02 . 2009-02-13 19:29 22360 ----a-w- c:\windows.0\system32\drivers\avgntmgr.sys

2010-01-09 08:02 . 2009-02-13 19:17 45416 ----a-w- c:\windows.0\system32\drivers\avgntdd.sys

2010-01-09 08:02 . 2010-01-09 08:02 -------- d-----w- c:\program files\Avira

2010-01-09 08:02 . 2010-01-09 08:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-01-07 06:16 . 2010-01-07 06:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan

2010-01-07 06:16 . 2010-01-07 06:16 -------- d-----w- c:\program files\Security Task Manager

2010-01-07 04:12 . 2010-01-07 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-01-07 04:12 . 2010-01-07 04:13 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-01-07 00:56 . 2010-01-07 00:56 -------- d-----w- C:\VundoFix Backups

2010-01-07 00:24 . 2010-01-07 00:34 -------- d-----w- C:\Lop SD

2010-01-06 23:57 . 2010-01-06 23:57 -------- d-----w- c:\program files\Trend Micro

2010-01-01 19:17 . 2010-01-01 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo

2010-01-01 19:17 . 2010-01-01 19:17 87104 ----a-w- c:\windows.0\system32\drivers\inspect.sys

2010-01-01 19:17 . 2010-01-01 19:17 25160 ----a-w- c:\windows.0\system32\drivers\cmdhlp.sys

2010-01-01 19:17 . 2010-01-01 19:17 171552 ----a-w- c:\windows.0\system32\guard32.dll

2010-01-01 19:17 . 2010-01-01 19:17 133064 ----a-w- c:\windows.0\system32\drivers\cmdguard.sys

2010-01-01 19:08 . 2010-01-01 19:08 -------- d-----w- c:\windows.0\system32\wbem\Repository

2010-01-01 19:07 . 2010-01-01 19:07 -------- d-----w- c:\program files\Atomic Clock Sync

2010-01-01 01:38 . 2010-01-01 01:38 -------- d-----w- c:\program files\COMODO

2009-12-29 15:44 . 2009-12-29 15:44 -------- d-----w- c:\documents and settings\john\Application Data\ParetoLogic

2009-12-29 15:44 . 2010-01-01 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic

2009-12-29 02:22 . 2009-12-29 02:22 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\Temp

2009-12-28 05:09 . 2010-01-01 06:26 -------- d-----w- c:\documents and settings\john\.zenmap

2009-12-28 03:25 . 2009-11-21 15:51 471552 ------w- c:\windows.0\system32\dllcache\aclayers.dll

2009-12-24 23:04 . 2009-12-24 23:05 -------- d-----w- c:\program files\Microsoft ActiveSync

2009-12-24 23:04 . 2009-12-24 23:04 -------- d-----w- c:\program files\Windows Mobile Device Handbook

2009-12-24 01:02 . 2010-01-08 00:07 38224 ----a-w- c:\windows.0\system32\drivers\mbamswissarmy.sys

2009-12-24 01:02 . 2010-01-08 00:07 19160 ----a-w- c:\windows.0\system32\drivers\mbam.sys

2009-12-23 12:46 . 2009-12-23 12:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-12-23 12:44 . 2010-01-06 23:48 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-12-23 12:44 . 2009-12-23 12:44 -------- d-----w- c:\documents and settings\john\Application Data\SUPERAntiSpyware.com

2009-12-23 12:41 . 2009-12-23 12:41 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-12-22 05:13 . 2009-12-23 12:25 0 ----a-w- c:\windows.0\Kkutadomipuso.bin

2009-12-22 05:13 . 2009-12-24 00:46 120 ----a-w- c:\windows.0\Qleqesugunepoza.dat

2009-12-19 20:32 . 2010-01-08 02:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-14 06:27 . 2006-08-19 18:21 3513 --sha-w- c:\windows.0\system32\mmf.sys

2010-01-14 01:20 . 2009-12-23 12:47 52224 ----a-w- c:\documents and settings\john\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-01-14 01:19 . 2009-12-23 12:46 117760 ----a-w- c:\documents and settings\john\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-01-12 13:09 . 2008-11-11 08:03 1 ----a-w- c:\documents and settings\john\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-01-10 08:07 . 2009-10-28 00:52 56816 ----a-w- c:\windows.0\system32\drivers\avgntflt.sys

2010-01-09 23:02 . 2008-10-28 04:48 -------- d-----w- c:\documents and settings\john\Application Data\uTorrent

2010-01-09 22:26 . 2006-12-25 02:39 2296 ----a-w- c:\windows.0\system32\d3d9caps.dat

2010-01-08 02:30 . 2010-01-02 21:38 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-01-07 06:17 . 2010-01-07 06:17 40 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_96F67BA0167EAFC49B0B1A09B6E4E9B4.dll

2010-01-07 06:17 . 2010-01-07 06:17 302 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_E5D9D200AB92D6E3B94CD3D7D6CB37C5.dll

2010-01-07 06:17 . 2010-01-07 06:17 3257 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_DDE7F2BCF1D91C3409CFF425AE1E271A.dll

2010-01-07 06:17 . 2010-01-07 06:17 152 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_DDA39468D428E8B4DB27C8D5DC5CA217.dll

2010-01-07 06:17 . 2010-01-07 06:17 1507 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D33A333FC5212A23D8ECC5D54132E172.dll

2010-01-07 06:17 . 2010-01-07 06:17 1251 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D20352A90C039D93DBF6126ECE614057.dll

2010-01-07 06:17 . 2010-01-07 06:17 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_DC3BF90CC0D3D2F398A9A6D1762F70F3.dll

2010-01-07 06:17 . 2010-01-07 06:16 10185 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9D99FDDE3EF917847ABD1D25C215EEA9.dll

2010-01-05 05:29 . 2006-08-19 19:59 -------- d-----w- c:\program files\Winamp

2010-01-05 03:31 . 2009-08-28 05:38 -------- d-----w- c:\documents and settings\john\Application Data\vlc

2010-01-05 01:25 . 2008-11-06 02:45 -------- d-----w- c:\documents and settings\john\Application Data\FileZilla

2010-01-01 20:44 . 2004-08-04 05:56 110592 ----a-w- c:\windows.0\system32\services.exe

2010-01-01 19:55 . 2008-07-08 23:59 361600 ----a-w- c:\windows.0\system32\drivers\tcpip.sys

2009-12-26 22:58 . 2008-05-18 04:26 -------- d-----w- c:\program files\AVG

2009-12-24 00:48 . 2008-12-14 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-12-19 04:11 . 2006-08-19 10:16 -------- d-----w- c:\program files\Java

2009-12-19 04:09 . 2009-12-19 04:09 152576 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-12-19 04:09 . 2009-12-19 04:09 79488 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-12-14 01:08 . 2008-11-25 06:09 -------- d-----w- c:\documents and settings\john\Application Data\dvdcss

2009-12-13 17:55 . 2009-12-13 17:55 686080 ----a-w- c:\documents and settings\john\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\81F.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll

2009-12-13 17:55 . 2009-12-13 17:55 568832 ----a-w- c:\documents and settings\john\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\81F.tmp_\sun-pdfimport.oxt\msvcp90.dll

2009-12-13 17:55 . 2009-12-13 17:55 655872 ----a-w- c:\documents and settings\john\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\81F.tmp_\sun-pdfimport.oxt\msvcr90.dll

2009-12-13 17:55 . 2009-12-13 17:55 583168 ----a-w- c:\documents and settings\john\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\81F.tmp_\sun-pdfimport.oxt\xpdfimport.exe

2009-12-13 17:55 . 2009-12-13 17:55 224768 ----a-w- c:\documents and settings\john\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\81F.tmp_\sun-pdfimport.oxt\msvcm90.dll

2009-11-21 15:51 . 2004-08-04 05:56 471552 ----a-w- c:\windows.0\AppPatch\aclayers.dll

2009-11-21 06:27 . 2009-10-24 00:44 -------- d-----w- c:\program files\Quest

2009-11-02 00:41 . 2009-11-02 00:41 593920 ----a-w- c:\documents and settings\john\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv305hw-0910190-0-main.dll

2009-11-02 00:40 . 2009-11-02 00:40 319488 ----a-w- c:\documents and settings\john\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe

2009-10-29 05:38 . 2006-06-17 23:43 667136 ----a-w- c:\windows.0\system32\wininet.dll

2009-10-24 00:43 . 2008-04-27 06:24 249856 ------w- c:\windows.0\Setup1.exe

2009-10-24 00:43 . 2008-04-27 06:24 73216 ----a-w- c:\windows.0\ST6UNST.EXE

2009-10-21 05:38 . 2004-08-04 05:56 75776 ----a-w- c:\windows.0\system32\strmfilt.dll

2009-10-21 05:38 . 2004-08-04 05:56 25088 ----a-w- c:\windows.0\system32\httpapi.dll

2009-10-20 16:20 . 2006-06-17 23:43 265728 ----a-w- c:\windows.0\system32\drivers\http.sys

2008-03-13 06:27 . 2008-03-13 06:27 333 --sha-r- c:\windows.0\110x52qx4x.dat

2008-12-03 01:31 . 2008-12-03 01:31 23 --sha-w- c:\windows.0\system32\ddcffcfdb8_z.dll

2008-03-13 06:27 . 2008-03-13 06:27 333 --sha-r- c:\windows.0\system32\MS4xx0104q.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-06 2002160]

"Google Update"="c:\documents and settings\john\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-29 135664]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows.0\system32\NeroCheck.exe" [2001-07-09 155648]

"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]

"AtiPTA"="Atiptaxx.exe" [2001-10-10 270336]

"CTDVDDET"="c:\program files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]

"CTSysVol"="c:\program files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [2005-02-16 57344]

"RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]

"CTHelper"="CTHELPER.EXE" [2005-06-18 16384]

"UpdReg"="c:\windows.0\UpdReg.EXE" [2000-05-11 90112]

"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 434864]

"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-07-16 25264]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-01-01 1800464]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"Atomic.exe"="c:\program files\Atomic Clock Sync\Atomic.exe" [2004-06-17 524288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.sys

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\nes\\NESTCL95.EXE"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Documents and Settings\\john\\Application Data\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\WINDOWS.0\\system32\\lxdicoms.exe"=

"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=

"c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=

"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=

"c:\\WINDOWS.0\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=

"c:\\WINDOWS.0\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Documents and Settings\\john\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

"c:\\WINDOWS.0\\CTHELPER.EXE"=

"c:\\WINDOWS.0\\system32\\wbem\\wmiprvse.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\SopCast\\SopCast.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"52369:TCP"= 52369:TCP:bit torrent

"52370:TCP"= 52370:TCP:bit torrent

"52371:TCP"= 52371:TCP:bit torrent

"5900:TCP"= 5900:TCP:VNC

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows.0\system32\drivers\cmdguard.sys [1/1/2010 11:17 AM 133064]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows.0\system32\drivers\cmdhlp.sys [1/1/2010 11:17 AM 25160]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/9/2010 12:02 AM 108289]

R2 LicCtrlService;LicCtrl Service;c:\windows.0\Runservice.exe [8/19/2006 10:21 AM 2560]

R2 lxdi_device;lxdi_device;c:\windows.0\system32\lxdicoms.exe -service --> c:\windows.0\system32\lxdicoms.exe -service [?]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]

R3 viafilter;VIA USB Filter;c:\windows.0\system32\drivers\viausb1.sys [11/27/2008 10:04 AM 9728]

S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows.0\system32\spool\drivers\w32x86\3\lxdiserv.exe [6/28/2009 8:15 PM 99248]

S2 srenum;srenum;c:\windows.0\system32\DRIVERS\srenum.sys --> c:\windows.0\system32\DRIVERS\srenum.sys [?]

S3 ati2mpad;ati2mpad;c:\windows.0\system32\drivers\ati2mpad.sys [2/18/2002 2:19 PM 303360]

S3 atirage;atirage;c:\windows.0\system32\drivers\atiragem.sys [8/18/2006 6:49 PM 70528]

S3 COMMONFX;COMMONFX;c:\windows.0\system32\drivers\COMMONFX.SYS --> c:\windows.0\system32\drivers\COMMONFX.SYS [?]

S3 CTAUDFX;CTAUDFX;c:\windows.0\system32\drivers\CTAUDFX.SYS --> c:\windows.0\system32\drivers\CTAUDFX.SYS [?]

S3 CTERFXFX;CTERFXFX;c:\windows.0\system32\drivers\CTERFXFX.SYS --> c:\windows.0\system32\drivers\CTERFXFX.SYS [?]

S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows.0\system32\drivers\ctlsb16.sys [8/18/2006 6:49 PM 96256]

S3 CTSBLFX;CTSBLFX;c:\windows.0\system32\drivers\CTSBLFX.SYS --> c:\windows.0\system32\drivers\CTSBLFX.SYS [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - Hmnt

.

Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows.0\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-1202660629-2147060419-1004Core.job

- c:\documents and settings\john\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-29 02:22]

2010-01-14 c:\windows.0\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-1202660629-2147060419-1004UA.job

- c:\documents and settings\john\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-29 02:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.care2.com/

FF - ProfilePath - c:\documents and settings\john\Application Data\Mozilla\Firefox\Profiles\jvr0eka8.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.care2.com

FF - plugin: c:\documents and settings\john\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows.0\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-CTXFIREG - CTxfiReg.exe

Notify-avgrsstarter - (no file)

AddRemove-TVAnts 1.0 - c:\progra~1\TVAnts\UNWISE.EXE

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-13 22:28

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F]

"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8,

d5,44,f7,88,8f,b5,4c,1b,f9,3e,da,c2,d2,eb,69,77,32,91,02,8c,84,09,5e,d2,d3

"2"=hex:f1,df,16,de,80,08,0e,2a,d1,38,b5,6f,94,ca,dc,d2,b3,e8,d2,40,6c,6f,61,

5e,d2,5e,7f,21,14,b5,b2,29

"3"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8,

d5,f2,55,76,c8,bc,53,92,25,3f,d1,b6,bc,00,35,73,43,96,90,79,f6,5b,97,35,47,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\3323E31CCF524E1933A08EFC0405BBBB]

"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,50,94,16,01,b2,17,1a,42

"2"=hex:cf,77,c8,3e,ea,da,16,30

"3"=hex:3c,f5,98,58,d9,0b,97,ad,6e,5c,7b,1c,d1,1e,64,53,f3,e3,3c,d8,7d,a3,42,

bf,38,cb,8c,88,5b,21,0f,1f,6f,f2,c8,15,d9,76,7a,f4,ee,cd,dc,6c,1b,6d,ea,54,\

"4"=hex:2f,ad,a2,e7,8a,bf,05,5e

"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,

1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\

"6"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,62,93,57,0b,21,63,41,55,32,b5,f6,08,b8,5e,2d,e4,ec,af,ae,86,59,ce,53,bb,\

"7"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,e5,98,6b,ad,2b,ca,86,50

"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,6b,8d,dd,0b,84,72,f6,

f2,3d,a6,3c,a0,07,7d,db,f3,88,a8,6c,3f,5c,60,94,94,89,77,0c,65,96,1c,ff,8e,\

"9"=hex:81,20,8f,ab,28,6a,52,9c

"18"=hex:4b,72,8f,bc,6c,3f,e4,15

"10"=hex:3d,7b,8c,93,7f,aa,3a,8c

"11"=hex:7d,ba,74,77,fe,09,92,36

"12"=hex:21,fc,78,ba,63,4f,e5,63,c1,31,2f,d7,1b,b9,d8,fe,f6,42,9a,bb,54,7a,8a,

6d,ae,05,c0,7f,c4,80,c8,c3,7e,b6,e5,45,57,ed,87,4c,a4,e0,de,31,7b,26,ed,a6,\

"13"=hex:d5,53,0f,d7,f4,2a,1e,99,18,16,b5,00,2b,69,d7,87,30,0f,2d,f0,cb,21,f7,

17

"14"=hex:4e,63,05,ff,92,a2,5b,c8

"24"=hex:81,20,8f,ab,28,6a,52,9c

"26"=hex:81,20,8f,ab,28,6a,52,9c

"27"=hex:81,20,8f,ab,28,6a,52,9c

"19"=hex:c3,d4,ad,ce,8a,87,e6,e1,3b,49,66,d3,8d,98,96,a1

"22"=hex:81,20,8f,ab,28,6a,52,9c

"15"=hex:83,bf,e8,54,29,a6,e3,09,3e,4b,4c,0c,19,4a,0a,1d,c6,f1,c8,75,c2,fd,68,

f4,98,48,0a,03,bb,7c,c0,d1,f9,74,81,eb,92,67,e5,15,b8,48,3e,b1,b0,b1,65,33,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\37539B6D352ECF5C006214859EC1AF0C]

"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,c8,c9,f6,99,f8,a7,b9,da

"2"=hex:76,4e,1c,cc,2e,81,b8,f3

"3"=hex:3a,52,38,f3,c8,b8,8c,cb,d6,2e,87,d0,20,c0,52,63,ee,2c,dc,74,20,d4,99,

9b,c8,b8,9a,c8,95,93,97,10,bd,b5,1b,49,9a,4f,c1,76,f3,96,26,cc,d1,10,12,aa,\

"4"=hex:2f,ad,a2,e7,8a,bf,05,5e

"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,

1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\

"6"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,13,d6,a9,04,9e,fe,4b,b3,10,e4,eb,ef,c4,3c,01,7c,da,ad,aa,35,c5,9e,af,7d,\

"7"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,f5,de,1e,04,6d,6b,1c,69

"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,6b,8d,dd,0b,84,72,f6,

f2,3d,a6,3c,a0,07,7d,db,f3,88,a8,6c,3f,5c,60,94,94,89,77,0c,65,96,1c,ff,8e,\

"9"=hex:81,20,8f,ab,28,6a,52,9c

"18"=hex:4b,72,8f,bc,6c,3f,e4,15

"10"=hex:f8,fe,42,b7,de,5f,ba,f0

"11"=hex:81,20,8f,ab,28,6a,52,9c

"12"=hex:67,42,f9,b1,ba,fb,c1,1c,10,98,92,83,29,d4,4d,2c,fb,62,8d,78,90,7f,2c,

7b,bd,ff,a8,0d,7a,58,67,da,41,3a,52,eb,99,ed,47,f2,c2,f2,01,94,43,d0,e3,4d,\

"13"=hex:13,c8,29,63,81,f4,bd,40,e2,d0,0f,cf,23,38,14,08,bb,d2,a8,33,12,c5,d9,

43

"14"=hex:6c,3a,76,3b,92,16,dd,60

"24"=hex:81,20,8f,ab,28,6a,52,9c

"26"=hex:81,20,8f,ab,28,6a,52,9c

"27"=hex:81,20,8f,ab,28,6a,52,9c

"19"=hex:9e,6c,a8,8d,15,c0,31,74,0b,16,22,0b,62,79,79,97

"22"=hex:81,20,8f,ab,28,6a,52,9c

"15"=hex:50,0f,e3,f0,af,48,32,1e,aa,6d,70,be,9c,1b,e2,43,5a,74,ff,34,5b,94,6f,

1e,3e,f0,16,79,e0,9c,11,bd,2a,7f,99,e8,5f,c4,ad,44,c8,a1,af,31,45,57,d2,1a,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\D580A8CFDA60E9362F91B6F863D46379]

"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,50,94,16,01,b2,17,1a,42

"2"=hex:11,b7,bf,c5,fa,e2,5a,47

"3"=hex:eb,74,e3,3e,31,66,17,db,c7,29,d3,d4,2e,d0,09,be,68,65,41,8b,9b,a8,a1,

94,d2,56,85,28,31,45,b9,32,d8,c9,80,42,8a,b7,4d,dc,72,87,53,a7,78,61,49,f8,\

"4"=hex:2f,ad,a2,e7,8a,bf,05,5e

"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,

1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\

"6"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,30,ee,8f,52,62,66,50,ce,77,e9,c4,12,3a,ea,b5,46,6c,fa,23,06,2c,2a,16,61,\

"7"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,04,de,29,1c,d1,59,b3,b5,1c,3a,e8,07,ed,d8,08,6e,a7,52,c4,be,fd,58,1e,61,\

"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,6b,8d,dd,0b,84,72,f6,

f2,3d,a6,3c,a0,07,7d,db,f3,88,a8,6c,3f,5c,60,94,94,89,77,0c,65,96,1c,ff,8e,\

"9"=hex:81,20,8f,ab,28,6a,52,9c

"18"=hex:4b,72,8f,bc,6c,3f,e4,15

"10"=hex:81,20,8f,ab,28,6a,52,9c

"11"=hex:81,20,8f,ab,28,6a,52,9c

"12"=hex:d6,1c,dd,33,13,76,0e,77,90,fa,da,30,37,10,3a,e0,b1,22,0a,ee,53,f0,e7,

be,09,be,2d,7b,3e,7e,e2,9b,16,1f,ad,d4,0e,99,4f,10,c5,ac,2a,79,ac,0d,af,b9,\

"13"=hex:ba,9c,d8,ff,62,23,be,eb,70,9b,1f,92,5b,a6,1c,c3,65,22,d6,b0,11,81,49,

46

"14"=hex:6b,51,bd,2b,8f,5b,c4,81

"24"=hex:81,20,8f,ab,28,6a,52,9c

"26"=hex:81,20,8f,ab,28,6a,52,9c

"27"=hex:81,20,8f,ab,28,6a,52,9c

"19"=hex:a8,b9,df,a6,dc,a3,1f,cb,53,23,cc,d8,eb,28,80,6b

"22"=hex:81,20,8f,ab,28,6a,52,9c

"15"=hex:22,bc,51,e4,ab,49,9a,06,16,89,3e,66,b5,09,aa,fe,74,7e,b6,77,4f,2f,cd,

21,28,77,ea,86,f1,d3,0c,88,5a,0f,b7,26,52,01,6d,1b,dc,63,56,3d,81,3a,a7,e8,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(400)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3584)

c:\windows.0\system32\WPDShServiceObj.dll

c:\windows.0\system32\PortableDeviceTypes.dll

c:\windows.0\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\windows.0\system32\CTsvcCDA.EXE

c:\program files\Java\jre6\bin\jqs.exe

c:\windows.0\system32\lxdicoms.exe

c:\program files\Microsoft ActiveSync\wcescomm.exe

c:\progra~1\MICROS~1\rapimgr.exe

c:\documents and settings\john\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe

c:\windows.0\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-01-13 22:35:57 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-14 06:35

Pre-Run: 2,032,222,208 bytes free

Post-Run: 2,393,956,352 bytes free

Current=1 Default=1 Failed=4 LastKnownGood=3 Sets=1,2,3,4

- - End Of File - - 6BA83CF65D838FD59A2A93C0E87A36BD

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:37:36 PM, on 1/13/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS.0\System32\smss.exe

C:\WINDOWS.0\system32\winlogon.exe

C:\WINDOWS.0\system32\services.exe

C:\WINDOWS.0\system32\lsass.exe

C:\WINDOWS.0\system32\svchost.exe

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS.0\system32\svchost.exe

C:\WINDOWS.0\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS.0\system32\CTsvcCDA.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS.0\runservice.exe

C:\WINDOWS.0\system32\lxdicoms.exe

C:\WINDOWS.0\system32\svchost.exe

C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe

C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\PROGRA~1\MICROS~1\rapimgr.exe

C:\Documents and Settings\john\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe

C:\WINDOWS.0\system32\wscntfy.exe

C:\WINDOWS.0\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.care2.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS.0\UpdReg.EXE

O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"

O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\john\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~1\INetRepl.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS.0\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS.0\system32\shdocvw.dll

O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15106/CTPID.cab

O17 - HKLM\System\CS4\Services\Tcpip\..\{08E4A312-63B8-49FD-8E05-EE1B9CC011E7}: NameServer = 205.171.3.65,205.171.2.65

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS.0\system32\CTsvcCDA.EXE

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS.0\runservice.exe

O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe

O23 - Service: lxdi_device - - C:\WINDOWS.0\system32\lxdicoms.exe

--

End of file - 6711 bytes


I tried again after the 1st system restore, this time downloading the Recovery Console in advance as ComboFix couldn't get an internet connection to download it on the initial attempt. Once again I was unable to access the internet after running ComboFix. I performed another system restore, this time to the time between the two scans so that I could access the internet.

logs of second scan attempt:

ComboFixlog2.zip

hijackthis2.zip


I think I beat it ;)

ran combofix again, couldn't access the internet afterwards

tried the netsh winsock reset -> still couldn't connect

ran winsockxpfix & voila! internet connection is functional again

ran Malwarebytes and no malicious items were detected!!!

thanks so much for pointing me in the direction of combofix

cheers & happy computing
