
ROOTKIT Infection


shep711


OK, I know I have a rootkit. I've run several scans with MBAM and Avira and quarantined the files that were infected, but the bug keeps returning. I also ran 2 GMER scans but could not get the log to save, as in the save window there was no active destination or computer to save it to. I then ran a short scan with GMER and was able to save that. I've copied the latest logs and attached what was required. Please help in removing this bug. Thanks

DDS (Ver_10-12-12.02) - NTFSx86

Run by Owner at 23:41:40.20 on Mon 02/21/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.105 [GMT -8:00]

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Softex\OmniPass\Omniserv.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\WINDOWS\System32\hphmon05.exe

C:\HP\KBD\KBD.EXE

"C:\WINDOWS\System32\svchost.exe"

"C:\WINDOWS\System32\svchost.exe"

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\HP\HP Software Update\HPWuSchd.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\System32\dllhost.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Softex\OmniPass\OPXPApp.exe

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\System32\dllhost.exe

C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P.001\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.calbanktrust.com/

uWindow Title = Internet Explorer, optimized for Bing and MSN

uDefault_Page_URL = hxxp://www.msn.com

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll

BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll

BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\drop down deals\YontooIEClient.dll

TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hewlett-packard\digital imaging\bin\hpdtlk02.dll

TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [CamMonitor] c:\program files\hewlett-packard\digital imaging\\unload\hpqcmon.exe

mRun: [HPHUPD05] c:\program files\hewlett-packard\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe

mRun: [HPHmon05] c:\windows\system32\hphmon05.exe

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [storageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [AutoTKit] c:\hp\bin\AUTOTKIT.EXE

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

mRun: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat

mRun: [icoSet] c:\hp\bin\cloaker.exe c:\hp\bin\icoset\adjust.bat seticon

mRun: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd

mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"

mRun: [PS2] c:\windows\system32\ps2.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [Wsaxifi] rundll32.exe "c:\windows\oxojevoh.dll",Startup

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Microsoft Office.lnk.disabled

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

LSP: SpSubLSP.dll

Trusted Zone: microsoft.com\*.update

Trusted Zone: microsoft.com\update

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1289381534141

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1289381690875

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll

Notify: igfxcui - igfxsrvc.dll

Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-8-8 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-8-8 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-8-8 267944]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-11-10 61960]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-4 136176]

S2 mrtRate;mrtRate; [x]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-20 38224]

=============== Created Last 30 ================

2011-02-21 23:01:45 -------- d-----w- c:\program files\Drop Down Deals

2011-02-21 23:00:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer

2011-02-21 00:04:45 0 ----a-w- c:\windows\Hgoyu.bin

2011-02-21 00:04:43 -------- d-----w- c:\docume~1\ownery~1.001\locals~1\applic~1\{F4809D4F-E098-48E2-B273-25D45A255A4E}

2011-02-21 00:01:29 762368 ----a-w- c:\windows\system32\drivers\xcnshbg.sys

2011-02-20 23:59:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\dJnHmOd15400

2011-02-20 14:53:56 -------- d-----w- c:\program files\Yontoo Layers Client

2011-02-19 22:40:40 -------- d-----w- c:\docume~1\ownery~1.001\applic~1\Malwarebytes

2011-02-19 22:05:38 709456 ----a-w- c:\windows\isRS-000.tmp

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-12-20 23:59:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec

2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll

2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll

2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 23:43:36.92 ===============

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5823

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

2/21/2011 4:22:47 PM

mbam-log-2011-02-21 (16-22-47).txt

Scan type: Quick scan

Objects scanned: 321619

Time elapsed: 25 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 7

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{52794457-af6c-4c50-9def-f2e24f4c8889} (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52794457-AF6C-4C50-9DEF-F2E24F4C8889} (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{52794457-AF6C-4C50-9DEF-F2E24F4C8889} (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{52794457-AF6C-4C50-9DEF-F2E24F4C8889} (PUP.WhiteSmoke) -> Value: {52794457-AF6C-4C50-9DEF-F2E24F4C8889} -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{52794457-af6c-4c50-9def-f2e24f4c8889} (PUP.WhiteSmoke) -> Value: {52794457-af6c-4c50-9def-f2e24f4c8889} -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

c:\documents and settings\networkservice\application data\whitesmoketoolbar (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

Files Infected:

c:\WINDOWS\temp\1728600 (PUP.BHO) -> Quarantined and deleted successfully.

c:\WINDOWS\temp\2375820 (PUP.BHO) -> Quarantined and deleted successfully.

c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\WWRP5B21\whitesmoketoolbar[1].exe (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

c:\documents and settings\networkservice\application data\whitesmoketoolbar\dtx.ini (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

c:\documents and settings\networkservice\application data\whitesmoketoolbar\exeArgs.xml (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

c:\documents and settings\networkservice\application data\whitesmoketoolbar\guid.dat (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

c:\documents and settings\networkservice\application data\whitesmoketoolbar\setupCfg.xml (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

Avira AntiVir Personal

Report file date: Monday, February 21, 2011 19:31

Scanning for 2419316 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : YOUR-XHTR8HVC4P

Version information:

BUILD.DAT : 10.0.0.611 31824 Bytes 1/14/2011 13:42:00

AVSCAN.EXE : 10.0.3.5 435368 Bytes 12/9/2010 04:12:31

AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 21:57:04

LUKE.DLL : 10.0.3.2 104296 Bytes 12/9/2010 04:12:32

LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 08:40:49

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 18:05:36

VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 17:29:28

VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 15:37:41

VBASE003.VDF : 7.11.3.1 2048 Bytes 2/9/2011 15:37:41

VBASE004.VDF : 7.11.3.2 2048 Bytes 2/9/2011 15:37:41

VBASE005.VDF : 7.11.3.3 2048 Bytes 2/9/2011 15:37:42

VBASE006.VDF : 7.11.3.4 2048 Bytes 2/9/2011 15:37:42

VBASE007.VDF : 7.11.3.5 2048 Bytes 2/9/2011 15:37:42

VBASE008.VDF : 7.11.3.6 2048 Bytes 2/9/2011 15:37:42

VBASE009.VDF : 7.11.3.7 2048 Bytes 2/9/2011 15:37:43

VBASE010.VDF : 7.11.3.8 2048 Bytes 2/9/2011 15:37:43

VBASE011.VDF : 7.11.3.9 2048 Bytes 2/9/2011 15:37:43

VBASE012.VDF : 7.11.3.10 2048 Bytes 2/9/2011 15:37:43

VBASE013.VDF : 7.11.3.59 157184 Bytes 2/14/2011 15:34:17

VBASE014.VDF : 7.11.3.97 120320 Bytes 2/16/2011 15:33:54

VBASE015.VDF : 7.11.3.148 128000 Bytes 2/19/2011 15:35:50

VBASE016.VDF : 7.11.3.149 2048 Bytes 2/19/2011 15:35:51

VBASE017.VDF : 7.11.3.150 2048 Bytes 2/19/2011 15:35:51

VBASE018.VDF : 7.11.3.151 2048 Bytes 2/19/2011 15:35:51

VBASE019.VDF : 7.11.3.152 2048 Bytes 2/19/2011 15:35:51

VBASE020.VDF : 7.11.3.153 2048 Bytes 2/19/2011 15:35:51

VBASE021.VDF : 7.11.3.154 2048 Bytes 2/19/2011 15:35:52

VBASE022.VDF : 7.11.3.155 2048 Bytes 2/19/2011 15:35:52

VBASE023.VDF : 7.11.3.156 2048 Bytes 2/19/2011 15:35:52

VBASE024.VDF : 7.11.3.157 2048 Bytes 2/19/2011 15:35:52

VBASE025.VDF : 7.11.3.158 2048 Bytes 2/19/2011 15:35:52

VBASE026.VDF : 7.11.3.159 2048 Bytes 2/19/2011 15:35:53

VBASE027.VDF : 7.11.3.160 2048 Bytes 2/19/2011 15:35:53

VBASE028.VDF : 7.11.3.161 2048 Bytes 2/19/2011 15:35:53

VBASE029.VDF : 7.11.3.162 2048 Bytes 2/19/2011 15:35:53

VBASE030.VDF : 7.11.3.163 2048 Bytes 2/19/2011 15:37:14

VBASE031.VDF : 7.11.3.172 58368 Bytes 2/21/2011 21:13:01

Engineversion : 8.2.4.170

AEVDF.DLL : 8.1.2.1 106868 Bytes 8/3/2010 00:09:54

AESCRIPT.DLL : 8.1.3.53 1282427 Bytes 1/31/2011 05:44:57

AESCN.DLL : 8.1.7.2 127349 Bytes 11/22/2010 18:53:26

AESBX.DLL : 8.1.3.2 254324 Bytes 11/22/2010 18:53:58

AERDL.DLL : 8.1.9.2 635252 Bytes 11/10/2010 10:28:36

AEPACK.DLL : 8.2.4.9 512374 Bytes 1/31/2011 05:44:51

AEOFFICE.DLL : 8.1.1.16 205179 Bytes 1/31/2011 05:44:47

AEHEUR.DLL : 8.1.2.78 3277175 Bytes 2/18/2011 15:34:35

AEHELP.DLL : 8.1.16.1 246134 Bytes 2/4/2011 05:45:42

AEGEN.DLL : 8.1.5.2 397683 Bytes 1/21/2011 18:40:52

AEEMU.DLL : 8.1.3.0 393589 Bytes 11/22/2010 18:51:12

AECORE.DLL : 8.1.19.2 196983 Bytes 1/21/2011 18:40:49

AEBB.DLL : 8.1.1.0 53618 Bytes 8/3/2010 00:09:48

AVWINLL.DLL : 10.0.0.0 19304 Bytes 8/3/2010 00:09:56

AVPREF.DLL : 10.0.0.0 44904 Bytes 8/3/2010 00:09:55

AVREP.DLL : 10.0.0.8 62209 Bytes 6/17/2010 23:27:13

AVREG.DLL : 10.0.3.2 53096 Bytes 8/3/2010 00:09:55

AVSCPLR.DLL : 10.0.3.2 84328 Bytes 12/9/2010 04:12:32

AVARKT.DLL : 10.0.22.6 231784 Bytes 12/9/2010 04:12:27

AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 8/3/2010 00:09:55

SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 23:27:22

AVSMTP.DLL : 10.0.0.17 63848 Bytes 8/3/2010 00:09:56

NETNT.DLL : 10.0.0.0 11624 Bytes 6/17/2010 23:27:21

RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 22:10:20

RCTEXT.DLL : 10.0.58.0 97128 Bytes 8/3/2010 00:10:08

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:,

Process scan........................: on

Extended process scan...............: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Monday, February 21, 2011 19:31

Starting search for hidden objects.

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xcnshbg\ogztenwax

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xcnshbg\type

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xcnshbg\start

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xcnshbg\errorcontrol

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xcnshbg\group

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xcnshbg\group

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xcnshbg\lf8rs5la1tn

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xcnshbg\qhqh2hs2

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xcnshbg\ptuyicu

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NtmsSvc\Config\Standalone\drivelist

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xcnshbg\ogztenwax

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xcnshbg\type

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xcnshbg\start

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xcnshbg\errorcontrol

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xcnshbg\lf8rs5la1tn

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xcnshbg\qhqh2hs2

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xcnshbg\ptuyicu

[NOTE] The registry entry is invisible.

The scan of running processes will be started

Scan process 'logon.scr' - '12' Module(s) have been scanned

Scan process 'avscan.exe' - '70' Module(s) have been scanned

Scan process 'avcenter.exe' - '65' Module(s) have been scanned

Scan process 'wscntfy.exe' - '21' Module(s) have been scanned

Scan process 'taskmgr.exe' - '37' Module(s) have been scanned

Scan process 'msdtc.exe' - '40' Module(s) have been scanned

Scan process 'dllhost.exe' - '59' Module(s) have been scanned

Scan process 'dllhost.exe' - '45' Module(s) have been scanned

Scan process 'vssvc.exe' - '48' Module(s) have been scanned

Scan process 'hpqtra08.exe' - '36' Module(s) have been scanned

Scan process 'ctfmon.exe' - '28' Module(s) have been scanned

Scan process 'msmsgs.exe' - '45' Module(s) have been scanned

Scan process 'GrooveMonitor.exe' - '45' Module(s) have been scanned

Scan process 'HPWuSchd.exe' - '21' Module(s) have been scanned

Scan process 'hpztsb09.exe' - '22' Module(s) have been scanned

Scan process 'igfxtray.exe' - '32' Module(s) have been scanned

Scan process 'avgnt.exe' - '56' Module(s) have been scanned

Scan process 'svchost.exe' - '45' Module(s) have been scanned

Scan process 'svchost.exe' - '38' Module(s) have been scanned

Scan process 'KBD.EXE' - '59' Module(s) have been scanned

Scan process 'hphmon05.exe' - '24' Module(s) have been scanned

Scan process 'hpqcmon.exe' - '32' Module(s) have been scanned

Scan process 'hkcmd.exe' - '32' Module(s) have been scanned

Scan process 'hpsysdrv.exe' - '21' Module(s) have been scanned

Scan process 'Explorer.EXE' - '130' Module(s) have been scanned

Scan process 'alg.exe' - '35' Module(s) have been scanned

Scan process 'OPXPApp.exe' - '13' Module(s) have been scanned

Scan process 'svchost.exe' - '42' Module(s) have been scanned

Scan process 'Omniserv.exe' - '12' Module(s) have been scanned

Scan process 'avshadow.exe' - '25' Module(s) have been scanned

Scan process 'avguard.exe' - '54' Module(s) have been scanned

Scan process 'svchost.exe' - '34' Module(s) have been scanned

Scan process 'sched.exe' - '45' Module(s) have been scanned

Scan process 'spoolsv.exe' - '58' Module(s) have been scanned

Scan process 'svchost.exe' - '39' Module(s) have been scanned

Scan process 'svchost.exe' - '34' Module(s) have been scanned

Scan process 'svchost.exe' - '168' Module(s) have been scanned

Scan process 'svchost.exe' - '41' Module(s) have been scanned

Scan process 'svchost.exe' - '51' Module(s) have been scanned

Scan process 'lsass.exe' - '60' Module(s) have been scanned

Scan process 'services.exe' - '49' Module(s) have been scanned

Scan process 'winlogon.exe' - '67' Module(s) have been scanned

Scan process 'csrss.exe' - '14' Module(s) have been scanned

Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'D:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '397' files ).

Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>

C:\WINDOWS\system32\drivers\xcnshbg.sys

[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan

Begin scan in 'D:\' <HP_RECOVERY>

Beginning disinfection:

C:\WINDOWS\system32\drivers\xcnshbg.sys

[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan

[NOTE] The file was moved to the quarantine directory under the name '4741c764.qua'.

End of the scan: Monday, February 21, 2011 23:38

Used time: 3:01:51 Hour(s)

The scan has been done completely.

19456 Scanned directories

715146 Files were scanned

1 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

1 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

715145 Files not concerned

21743 Archives were scanned

0 Warnings

0 Notes

706206 Objects were scanned with rootkit scan

17 Hidden objects were found


Hello shep711! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step. If there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on this.
  • Keep me informed about any changes.
  • Post all of your log files, don't attach them.

Use regular mode for the following step:

  • Launch Malwarebytes' Anti-Malware
  • Go to Update" tab and select Check for Updates.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
    [*d-When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

In your next reply, please post the following logs:

  • Malwarebytes' Anti-Malware log
  • a new fresh DDS log only


I did as directed in normal mode, and when the DL tried to install into MBAM, my computer rebooted before it finished. So I repeated it, same result. I then reviewed this article

http://forums.malwarebytes.org/index.php?showtopic=12709

and tried to run RootRepeal, and as it was trying to open, my computer locked up. I did a hard shutdown, and now several of the system32 drivers are not present and my OS will not load. At this point my computer will not open up. I do not know if it was the virus or user error that caused this to happen; in any case, I will attempt to reload the OS and go from there. It may be a while before I repost, so take whatever action is necessary on this post. THX


Hi Maniac, I got my computer back up and running; however, every time I try to update MBAM it reboots my computer before the install finishes. Suggestions? I work away from my home computer, so any tasks you provide will take a few days before I am able to carry them out. Thanks for your help.


OK, thanks for waiting. I was able to update and run in regular mode.

Time elapsed: 34 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\whitesmoketoolbar (PUP.Whitesmoke) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\whitesmoketoolbar (PUP.Whitesmoke) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS (Ver_10-12-12.02) - NTFSx86

Run by Owner at 0:55:34.31 on Sat 03/05/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.67 [GMT -8:00]

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Softex\OmniPass\Omniserv.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

"C:\WINDOWS\System32\svchost.exe"

"C:\WINDOWS\System32\svchost.exe"

C:\Program Files\Softex\OmniPass\OPXPApp.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\taskmgr.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\WINDOWS\System32\hphmon05.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\HP\HP Software Update\HPWuSchd.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner.YOUR-XHTR8HVC4P.001\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.calbanktrust.com/

uWindow Title = Internet Explorer, optimized for Bing and MSN

uDefault_Page_URL = hxxp://www.msn.com

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll

BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll

BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\drop down deals\YontooIEClient.dll

TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hewlett-packard\digital imaging\bin\hpdtlk02.dll

TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [CamMonitor] c:\program files\hewlett-packard\digital imaging\\unload\hpqcmon.exe

mRun: [HPHUPD05] c:\program files\hewlett-packard\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe

mRun: [HPHmon05] c:\windows\system32\hphmon05.exe

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [storageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [AutoTKit] c:\hp\bin\AUTOTKIT.EXE

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

mRun: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat

mRun: [icoSet] c:\hp\bin\cloaker.exe c:\hp\bin\icoset\adjust.bat seticon

mRun: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd

mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"

mRun: [PS2] c:\windows\system32\ps2.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Microsoft Office.lnk.disabled

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

LSP: SpSubLSP.dll

Trusted Zone: microsoft.com\*.update

Trusted Zone: microsoft.com\update

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1289381534141

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1289381690875

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll

Notify: igfxcui - igfxsrvc.dll

Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-8-8 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-8-8 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-8-8 267944]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-11-10 61960]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-4 136176]

S2 mrtRate;mrtRate; [x]

S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2011-02-21 23:01:45 -------- d-----w- c:\program files\Drop Down Deals

2011-02-21 23:00:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer

2011-02-21 00:04:45 0 ----a-w- c:\windows\Hgoyu.bin

2011-02-21 00:04:43 -------- d-----w- c:\docume~1\ownery~1.001\locals~1\applic~1\{F4809D4F-E098-48E2-B273-25D45A255A4E}

2011-02-21 00:01:29 762368 ----a-w- c:\windows\system32\drivers\xcnshbg.sys

2011-02-20 23:59:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\dJnHmOd15400

2011-02-20 14:53:56 -------- d-----w- c:\program files\Yontoo Layers Client

2011-02-19 22:40:40 -------- d-----w- c:\docume~1\ownery~1.001\applic~1\Malwarebytes

2011-02-19 22:05:38 709456 ----a-w- c:\windows\isRS-000.tmp

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-12-20 23:59:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec

2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll

2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll

2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 0:58:08.64 ===============


The MBAM log file is cut; please post the entire log file.

OK, I know that MBAM ran fully and quarantined the 2 registry items, but looking in the quarantine tab those items are not listed. I also looked at the 2-21-2011 log posted in this topic, and the one shown in my computer's log is not complete like the one posted here (it's cut on my computer). I ran another Avira scan yesterday and am posting that one. Shall I rescan with MBAM to see if I can get a complete report for you?

Avira AntiVir Personal

Report file date: Saturday, March 05, 2011 14:08

Scanning for 2460711 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : YOUR-XHTR8HVC4P

Version information:

BUILD.DAT : 10.0.0.611 31824 Bytes 1/14/2011 13:42:00

AVSCAN.EXE : 10.0.3.5 435368 Bytes 12/9/2010 04:12:31

AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 21:57:04

LUKE.DLL : 10.0.3.2 104296 Bytes 12/9/2010 04:12:32

LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 08:40:49

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 18:05:36

VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 17:29:28

VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 15:37:41

VBASE003.VDF : 7.11.3.1 2048 Bytes 2/9/2011 15:37:41

VBASE004.VDF : 7.11.3.2 2048 Bytes 2/9/2011 15:37:41

VBASE005.VDF : 7.11.3.3 2048 Bytes 2/9/2011 15:37:42

VBASE006.VDF : 7.11.3.4 2048 Bytes 2/9/2011 15:37:42

VBASE007.VDF : 7.11.3.5 2048 Bytes 2/9/2011 15:37:42

VBASE008.VDF : 7.11.3.6 2048 Bytes 2/9/2011 15:37:42

VBASE009.VDF : 7.11.3.7 2048 Bytes 2/9/2011 15:37:43

VBASE010.VDF : 7.11.3.8 2048 Bytes 2/9/2011 15:37:43

VBASE011.VDF : 7.11.3.9 2048 Bytes 2/9/2011 15:37:43

VBASE012.VDF : 7.11.3.10 2048 Bytes 2/9/2011 15:37:43

VBASE013.VDF : 7.11.3.59 157184 Bytes 2/14/2011 15:34:17

VBASE014.VDF : 7.11.3.97 120320 Bytes 2/16/2011 15:33:54

VBASE015.VDF : 7.11.3.148 128000 Bytes 2/19/2011 15:35:50

VBASE016.VDF : 7.11.3.183 140288 Bytes 2/22/2011 01:28:44

VBASE017.VDF : 7.11.3.216 124416 Bytes 2/24/2011 01:28:46

VBASE018.VDF : 7.11.3.251 159232 Bytes 2/28/2011 08:03:26

VBASE019.VDF : 7.11.4.33 148992 Bytes 3/2/2011 08:03:31

VBASE020.VDF : 7.11.4.34 2048 Bytes 3/2/2011 08:03:31

VBASE021.VDF : 7.11.4.35 2048 Bytes 3/2/2011 08:03:31

VBASE022.VDF : 7.11.4.36 2048 Bytes 3/2/2011 08:03:32

VBASE023.VDF : 7.11.4.37 2048 Bytes 3/2/2011 08:03:32

VBASE024.VDF : 7.11.4.38 2048 Bytes 3/2/2011 08:03:32

VBASE025.VDF : 7.11.4.39 2048 Bytes 3/2/2011 08:03:32

VBASE026.VDF : 7.11.4.40 2048 Bytes 3/2/2011 08:03:32

VBASE027.VDF : 7.11.4.41 2048 Bytes 3/2/2011 08:03:33

VBASE028.VDF : 7.11.4.42 2048 Bytes 3/2/2011 08:03:33

VBASE029.VDF : 7.11.4.43 2048 Bytes 3/2/2011 08:03:35

VBASE030.VDF : 7.11.4.44 2048 Bytes 3/2/2011 08:03:35

VBASE031.VDF : 7.11.4.71 118784 Bytes 3/4/2011 08:03:39

Engineversion : 8.2.4.178

AEVDF.DLL : 8.1.2.1 106868 Bytes 8/3/2010 00:09:54

AESCRIPT.DLL : 8.1.3.55 1282426 Bytes 2/28/2011 01:29:18

AESCN.DLL : 8.1.7.2 127349 Bytes 11/22/2010 18:53:26

AESBX.DLL : 8.1.3.2 254324 Bytes 11/22/2010 18:53:58

AERDL.DLL : 8.1.9.2 635252 Bytes 11/10/2010 10:28:36

AEPACK.DLL : 8.2.4.11 520566 Bytes 3/5/2011 08:03:45

AEOFFICE.DLL : 8.1.1.16 205179 Bytes 1/31/2011 05:44:47

AEHEUR.DLL : 8.1.2.81 3314038 Bytes 2/28/2011 01:29:10

AEHELP.DLL : 8.1.16.1 246134 Bytes 2/4/2011 05:45:42

AEGEN.DLL : 8.1.5.2 397683 Bytes 1/21/2011 18:40:52

AEEMU.DLL : 8.1.3.0 393589 Bytes 11/22/2010 18:51:12

AECORE.DLL : 8.1.19.2 196983 Bytes 1/21/2011 18:40:49

AEBB.DLL : 8.1.1.0 53618 Bytes 8/3/2010 00:09:48

AVWINLL.DLL : 10.0.0.0 19304 Bytes 8/3/2010 00:09:56

AVPREF.DLL : 10.0.0.0 44904 Bytes 8/3/2010 00:09:55

AVREP.DLL : 10.0.0.8 62209 Bytes 6/17/2010 23:27:13

AVREG.DLL : 10.0.3.2 53096 Bytes 8/3/2010 00:09:55

AVSCPLR.DLL : 10.0.3.2 84328 Bytes 12/9/2010 04:12:32

AVARKT.DLL : 10.0.22.6 231784 Bytes 12/9/2010 04:12:27

AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 8/3/2010 00:09:55

SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 23:27:22

AVSMTP.DLL : 10.0.0.17 63848 Bytes 8/3/2010 00:09:56

NETNT.DLL : 10.0.0.0 11624 Bytes 6/17/2010 23:27:21

RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 22:10:20

RCTEXT.DLL : 10.0.58.0 97128 Bytes 8/3/2010 00:10:08

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:,

Process scan........................: on

Extended process scan...............: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Saturday, March 05, 2011 14:08

Starting search for hidden objects.

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xcnshbg\ogztenwax

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xcnshbg\type

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xcnshbg\start

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xcnshbg\errorcontrol

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xcnshbg\group

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xcnshbg\group

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xcnshbg\lf8rs5la1tn

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xcnshbg\qhqh2hs2

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xcnshbg\ptuyicu

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NtmsSvc\Config\Standalone\drivelist

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xcnshbg\ogztenwax

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xcnshbg\type

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xcnshbg\start

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xcnshbg\errorcontrol

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xcnshbg\lf8rs5la1tn

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xcnshbg\qhqh2hs2

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xcnshbg\ptuyicu

[NOTE] The registry entry is invisible.

The scan of running processes will be started

Scan process 'msdtc.exe' - '40' Module(s) have been scanned

Scan process 'dllhost.exe' - '59' Module(s) have been scanned

Scan process 'dllhost.exe' - '45' Module(s) have been scanned

Scan process 'vssvc.exe' - '48' Module(s) have been scanned

Scan process 'avscan.exe' - '70' Module(s) have been scanned

Scan process 'avcenter.exe' - '94' Module(s) have been scanned

Scan process 'ctfmon.exe' - '25' Module(s) have been scanned

Scan process 'msmsgs.exe' - '41' Module(s) have been scanned

Scan process 'GrooveMonitor.exe' - '43' Module(s) have been scanned

Scan process 'HPWuSchd.exe' - '17' Module(s) have been scanned

Scan process 'hpztsb09.exe' - '19' Module(s) have been scanned

Scan process 'igfxtray.exe' - '26' Module(s) have been scanned

Scan process 'avgnt.exe' - '54' Module(s) have been scanned

Scan process 'KBD.EXE' - '57' Module(s) have been scanned

Scan process 'hphmon05.exe' - '22' Module(s) have been scanned

Scan process 'hpqcmon.exe' - '29' Module(s) have been scanned

Scan process 'hkcmd.exe' - '29' Module(s) have been scanned

Scan process 'hpsysdrv.exe' - '13' Module(s) have been scanned

Scan process 'Explorer.EXE' - '101' Module(s) have been scanned

Scan process 'svchost.exe' - '45' Module(s) have been scanned

Scan process 'svchost.exe' - '38' Module(s) have been scanned

Scan process 'alg.exe' - '35' Module(s) have been scanned

Scan process 'OPXPApp.exe' - '13' Module(s) have been scanned

Scan process 'svchost.exe' - '39' Module(s) have been scanned

Scan process 'Omniserv.exe' - '12' Module(s) have been scanned

Scan process 'avshadow.exe' - '25' Module(s) have been scanned

Scan process 'avguard.exe' - '54' Module(s) have been scanned

Scan process 'svchost.exe' - '34' Module(s) have been scanned

Scan process 'sched.exe' - '45' Module(s) have been scanned

Scan process 'spoolsv.exe' - '58' Module(s) have been scanned

Scan process 'svchost.exe' - '39' Module(s) have been scanned

Scan process 'svchost.exe' - '34' Module(s) have been scanned

Scan process 'svchost.exe' - '170' Module(s) have been scanned

Scan process 'svchost.exe' - '41' Module(s) have been scanned

Scan process 'svchost.exe' - '51' Module(s) have been scanned

Scan process 'lsass.exe' - '60' Module(s) have been scanned

Scan process 'services.exe' - '49' Module(s) have been scanned

Scan process 'winlogon.exe' - '71' Module(s) have been scanned

Scan process 'csrss.exe' - '12' Module(s) have been scanned

Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'D:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '395' files ).

Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP159\A0051709.dll

[DETECTION] Is the TR/Kazy.3810.108 Trojan

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP159\A0051710.exe

[DETECTION] Is the TR/Kazy.13211.psa Trojan

C:\WINDOWS\SoftwareDistribution\Download\6189e468edd5590d58e8ee89d5ba249f\BIT4.tmp

[0] Archive type: CAB (Microsoft)

--> _sfx_0007._p

[WARNING] The file could not be written!

C:\WINDOWS\system32\drivers\xcnshbg.sys

[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan

Begin scan in 'D:\' <HP_RECOVERY>

Beginning disinfection:

C:\WINDOWS\system32\drivers\xcnshbg.sys

[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan

[NOTE] The file was moved to the quarantine directory under the name '46ca52e5.qua'.

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP159\A0051710.exe

[DETECTION] Is the TR/Kazy.13211.psa Trojan

[NOTE] The file was moved to the quarantine directory under the name '5e1f7684.qua'.

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP159\A0051709.dll

[DETECTION] Is the TR/Kazy.3810.108 Trojan

[NOTE] The file was moved to the quarantine directory under the name '0c402c6c.qua'.

End of the scan: Saturday, March 05, 2011 19:20

Used time: 3:10:25 Hour(s)

The scan has been done completely.

19429 Scanned directories

714352 Files were scanned

3 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

3 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

714349 Files not concerned

21745 Archives were scanned

1 Warnings

2 Notes

710582 Objects were scanned with rootkit scan

17 Hidden objects were found

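The two reports above tell one story when read together: DDS shows xcnshbg.sys dropped into system32\drivers on 2011-02-21 with no xcnshbg entry in its visible services list, and the Avira rootkit scan shows the values directly under Services\xcnshbg (type, start, errorcontrol, ...) as invisible to the registry API and then detects the driver file itself. The script below is an added example, not part of this thread and not DDS or Avira code: it re-reads short excerpts of both reports offline (copied from the logs above, plus one constructed DDS line for avgntflt.sys so a recent but legitimately registered driver shows up as not suspect) and merges them per driver name. Two caveats are built in: DDS lists only non-Microsoft services, so "no visible service" on its own is a weak signal and is only combined with "created in the last 30 days"; and only hidden values directly under Services\<name> count as a hidden service registration, while deeper hidden entries such as the NtmsSvc\Config\Standalone\drivelist one are returned separately for manual review rather than flagged.

```python
"""Cross-check DDS and Avira excerpts for the kernel-rootkit pattern.

Added example (not part of the thread, DDS or Avira). Sample text is copied
from the reports in this thread, plus one constructed DDS line for contrast.
"""
import re
from collections import defaultdict

DDS_SAMPLE = r"""
============= SERVICES / DRIVERS ===============
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-8-8 11608]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-11-10 61960]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
=============== Created Last 30 ================
2011-02-21 00:04:45 0 ----a-w- c:\windows\Hgoyu.bin
2011-02-21 00:01:29 762368 ----a-w- c:\windows\system32\drivers\xcnshbg.sys
2011-02-20 23:59:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\dJnHmOd15400
2011-02-19 22:05:38 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
==================== Find3M ====================
"""
# The avgntflt.sys "Created Last 30" line above is constructed: a recent driver
# that does have a visible service entry, so it must not be flagged.

AVIRA_SAMPLE = r"""
HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xcnshbg\start
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NtmsSvc\Config\Standalone\drivelist
[NOTE] The registry entry is invisible.
C:\WINDOWS\system32\drivers\xcnshbg.sys
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
"""

SECTION = re.compile(r"^=+\s*(.+?)\s*=+$")
SERVICE = re.compile(r"^[RS]\d\s+([^;]+);")  # "R1 avgio;avgio;<path> [...]"
CREATED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+(.+)$")
SVC_VALUE = re.compile(r"\\Services\\([^\\]+)\\[^\\]+$", re.I)  # value directly under a service key
DRIVER = re.compile(r"\\drivers\\([^\\]+)\.sys$", re.I)


def parse_dds(text):
    """Return (visible service names, paths listed under 'Created Last 30')."""
    services, created, section = set(), [], None
    for line in text.splitlines():
        m = SECTION.match(line.strip())
        if m:
            section = m.group(1).lower()
            continue
        if section == "services / drivers" and (m := SERVICE.match(line)):
            services.add(m.group(1).strip().lower())
        elif section == "created last 30" and (m := CREATED.match(line)):
            created.append(m.group(1).strip().lower())
    return services, created


def parse_avira(text):
    """Return (hidden service values, other hidden keys, detected path -> signature)."""
    hidden, other, detections = defaultdict(list), [], {}
    lines = [ln.strip() for ln in text.splitlines()]
    for cur, nxt in zip(lines, lines[1:]):
        if cur.upper().startswith("HKEY_") and "invisible" in nxt.lower():
            m = SVC_VALUE.search(cur)
            # Only values directly under Services\<name> (type, start, ...) count as a
            # hidden service registration; deeper entries are kept for manual review.
            if m:
                hidden[m.group(1).lower()].append(cur)
            else:
                other.append(cur)
        elif nxt.startswith("[DETECTION]") and re.match(r"[a-z]:\\", cur, re.I):
            detections[cur.lower()] = nxt.split("Is the", 1)[-1].strip()
    return hidden, other, detections


def triage(dds_text, avira_text):
    """Merge both views per driver name and flag the rootkit pattern."""
    services, created = parse_dds(dds_text)
    hidden, _other, detections = parse_avira(avira_text)
    drivers = {}

    def entry(name):
        return drivers.setdefault(name, {
            "recent": False, "visible_service": name in services,
            "hidden_service": name in hidden, "detection": None})

    for path in created:
        if m := DRIVER.search(path):
            entry(m.group(1).lower())["recent"] = True
    for path, sig in detections.items():
        if m := DRIVER.search(path):
            entry(m.group(1).lower())["detection"] = sig
    for name in hidden:
        entry(name)
    for d in drivers.values():
        # A freshly dropped driver whose service key is hidden from the registry API
        # (or absent from the visible, non-Microsoft service list) is the classic
        # kernel-rootkit signature; an AV detection on the file only confirms it.
        d["suspect"] = d["hidden_service"] or (d["recent"] and not d["visible_service"])
    return drivers


if __name__ == "__main__":
    for name, d in sorted(triage(DDS_SAMPLE, AVIRA_SAMPLE).items()):
        print(name, d)
```

Running it prints one row per driver: xcnshbg comes out recent, with no visible service, a hidden service key and the TR/Crypt.ZPACK.Gen detection, so suspect; the contrast line for avgntflt is recent but registered visibly, so not suspect. The NtmsSvc drivelist entry is returned in the "other hidden" list and never becomes a driver row. To apply this to a real case, paste the full DDS and Avira reports into the two sample strings; the parsers only depend on the section headers and the line shapes shown above.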

Sorry, I thought I was helping. Here is the latest MBAM log. I copied it just as displayed.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5974

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/6/2011 6:11:59 PM

mbam-log-2011-03-06 (18-11-59).txt

Scan type: Quick scan

Objects scanned: 329198

Time elapsed: 32 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


How are things now?

I'll get back to you late on Wednesday, as I am away from my computer. I did run another Avira scan before I ran MBAM again for you, but did not post that log as you said not to. It found a couple more trojans but cleaned them up.


  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
