Malware problem, posting as per instructions


I have two important notes that you may want to know about before I post my logs:

  1. I'm not sure if this is important, but DDS took more than 30 minutes to run.
  2. GMER did NOT run at all. The randomly named file saved to my desktop but would not load, and therefore I do not have an ARK log to post here.

Latest Malwarebytes Log

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6187

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/28/2011 1:21:12 PM

mbam-log-2011-03-28 (13-21-12).txt

Scan type: Quick scan

Objects scanned: 149316

Time elapsed: 6 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS Log

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Chad at 2:06:44.18 on Mon 03/28/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.947 [GMT -4:00]

.

AV: AntiVir Desktop *Disabled/Updated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Avira\AntiVir Desktop\avmailc.exe

C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Chad\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = file:///D:/Website-macrossmechamanual/m3.html

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: c:\program files\avira\antivir desktop\avsda.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280529014546

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1280529708671

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Notify: AtiExtEvent - Ati2evxx.dll

AppInit_DLLs: c:\windows\system32\avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\chad\applic~1\mozilla\firefox\profiles\2gb3rafp.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.ca

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

.

============= SERVICES / DRIVERS ===============

.

.

=============== Created Last 30 ================

.

.

==================== Find3M ====================

.

2005-05-13 23:12:00 217073 --sha-r- c:\windows\meta4.exe

2005-10-24 17:13:58 66560 --sha-r- c:\windows\MOTA113.exe

2005-10-14 03:27:00 422400 --sha-r- c:\windows\x2.64.exe

2005-07-14 18:31:20 27648 --sha-r- c:\windows\system32\AVSredirect.dll

2005-06-26 21:32:28 616448 --sha-r- c:\windows\system32\cygwin1.dll

2005-06-22 04:37:42 45568 --sha-r- c:\windows\system32\cygz.dll

2004-01-25 06:00:00 70656 --sha-r- c:\windows\system32\i420vfw.dll

2005-12-23 02:23:08 816640 --sha-r- c:\windows\system32\smab.dll

2005-02-28 19:16:22 240128 --sha-r- c:\windows\system32\x.264.exe

2004-01-25 06:00:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll

.

============= FINISH: 2:30:47.56 ===============

Attach.zip


  • Staff

Hi and welcome to Malwarebytes.

What symptoms of infection are you currently experiencing?

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


The initial problem is all too familiar: I'm browsing the internet and suddenly my browser (Firefox) freezes for a significant amount of time, the browser changes ever so slightly from full screen to a windowed view, and then a program installs itself in my system tray, professing to be spyware/malware removal software. At that point, I know I'm screwed. Symptoms include:

  • My system runs notably slower, getting worse as time goes on
  • When performing ANY Google search, there is a 5-6 second delay where there was none before
  • Anti-virus software or Microsoft Security Essentials continually detects threats even when my computer is turned on but I'm not actually doing anything or surfing the net (Avira is detecting TR/Crypt.XPACK.GEN.)
  • At random times the hard drive makes brief access noises and there is also a notable bleep emitted from the system case speaker, behaviour that is not typical of regular operation prior to infection

I'll run ComboFix and reply with the results.


ComboFix 11-03-28.01 - Chad 03/28/2011 17:10:16.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.967 [GMT -4:00]

Running from: c:\documents and settings\Chad\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\INSTALL.LOG

.

.

((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-28 )))))))))))))))))))))))))))))))

.

.

2011-03-28 21:02 . 2011-03-28 21:02 41680 ----a-w- c:\windows\system32\drivers\lkzhamtc.sys

2011-03-28 20:58 . 2011-03-28 20:58 41680 ----a-w- c:\windows\system32\drivers\tgffzhdd.sys

2011-03-28 20:50 . 2011-03-28 20:50 41680 ----a-w- c:\windows\system32\drivers\sshptgzy.sys

2011-03-28 20:38 . 2011-03-28 20:38 41680 ----a-w- c:\windows\system32\drivers\ievzkoob.sys

2011-03-28 20:33 . 2011-03-28 20:33 41680 ----a-w- c:\windows\system32\drivers\hiqygwsr.sys

2011-03-28 16:58 . 2011-03-28 16:58 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2DB6968F-B8D1-48A2-8513-E30D8BCD3DEC}\MpKsl9f849f91.sys

2011-03-28 16:58 . 2011-03-15 04:05 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2DB6968F-B8D1-48A2-8513-E30D8BCD3DEC}\mpengine.dll

2011-03-28 05:44 . 2011-03-28 05:44 -------- d-----w- c:\documents and settings\Chad\Application Data\Avira

2011-03-28 04:06 . 2011-03-28 20:33 -------- d-----w- c:\windows\system32\NtmsData

2011-03-28 04:01 . 2011-03-28 16:49 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-03-28 04:01 . 2011-03-28 16:49 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-03-28 04:01 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-03-28 04:01 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-03-28 04:01 . 2011-03-28 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-03-28 04:01 . 2011-03-28 04:01 -------- d-----w- c:\program files\Avira

2011-03-27 20:13 . 2011-03-27 20:13 60416 ---ha-w- c:\windows\system32\doskltmc.dll

2011-03-27 20:12 . 2011-03-27 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\eKeKfJfIcIj28601

2011-03-02 23:48 . 2011-03-02 23:49 -------- d-----w- c:\program files\iTunes

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-27 06:40 . 2010-08-21 22:11 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2011-03-15 04:05 . 2010-07-31 16:35 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-02-09 13:53 . 2004-08-04 07:56 270848 ------w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2004-08-04 07:56 186880 ------w- c:\windows\system32\encdec.dll

2011-02-02 07:58 . 2005-11-09 22:40 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2005-11-09 22:40 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2001-08-23 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-13 09:41 . 2011-01-26 13:37 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll

2011-01-07 14:09 . 2001-08-23 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2001-08-23 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys

2005-05-13 23:12 217073 --sha-r- c:\windows\meta4.exe

2005-10-24 17:13 66560 --sha-r- c:\windows\MOTA113.exe

2005-10-14 03:27 422400 --sha-r- c:\windows\x2.64.exe

2005-07-14 18:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll

2005-06-26 21:32 616448 --sha-r- c:\windows\system32\cygwin1.dll

2005-06-22 04:37 45568 --sha-r- c:\windows\system32\cygz.dll

2004-01-25 06:00 70656 --sha-r- c:\windows\system32\i420vfw.dll

2005-12-23 02:23 816640 --sha-r- c:\windows\system32\smab.dll

2005-02-28 19:16 240128 --sha-r- c:\windows\system32\x.264.exe

2004-01-25 06:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-09-30 718688]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-23 335872]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-02 421160]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-29 113664]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Chad^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]

path=c:\documents and settings\Chad\Start Menu\Programs\Startup\Microsoft Find Fast.lnk

backup=c:\windows\pss\Microsoft Find Fast.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Chad^Start Menu^Programs^Startup^Office Startup.lnk]

path=c:\documents and settings\Chad\Start Menu\Programs\Startup\Office Startup.lnk

backup=c:\windows\pss\Office Startup.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"d:\\VALVE\\STEAM\\STEAMAPPS\\AGENTFREEMAN\\COUNTER-STRIKE SOURCE\\HL2.EXE"=

"d:\\STARCRAFT\\STARCRAFT.EXE"=

"d:\\Valve\\SteamApps\\agentfreeman\\counter-strike\\hl.exe"=

"d:\\Valve\\SteamApps\\agentfreeman\\condition zero\\hl.exe"=

"d:\\Valve\\SteamApps\\agentfreeman\\half-life 2 deathmatch\\hl2.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"d:\\Valve\\SteamApps\\agentfreeman\\counter-strike source\\hl2.exe"=

"d:\\Quake II Downloaded\\Quake2\\Quake2\\quake2.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [7/30/2010 7:46 PM 116264]

R1 MpKsl9f849f91;MpKsl9f849f91;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2DB6968F-B8D1-48A2-8513-E30D8BCD3DEC}\MpKsl9f849f91.sys [3/28/2011 12:58 PM 28752]

R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [3/28/2011 12:01 AM 339624]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/28/2011 12:01 AM 135336]

R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [3/28/2011 12:01 AM 421032]

R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [7/15/2010 8:45 PM 35088]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S1 hiqygwsr;hiqygwsr;c:\windows\system32\drivers\hiqygwsr.sys [3/28/2011 4:33 PM 41680]

S1 ievzkoob;ievzkoob;c:\windows\system32\drivers\ievzkoob.sys [3/28/2011 4:38 PM 41680]

S1 lkzhamtc;lkzhamtc;c:\windows\system32\drivers\lkzhamtc.sys [3/28/2011 5:02 PM 41680]

S1 sshptgzy;sshptgzy;c:\windows\system32\drivers\sshptgzy.sys [3/28/2011 4:50 PM 41680]

S1 tgffzhdd;tgffzhdd;c:\windows\system32\drivers\tgffzhdd.sys [3/28/2011 4:58 PM 41680]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [9/28/2010 10:56 AM 23608]

S3 Filsserv;Filsserv;c:\windows\system32\drivers\mspclock.sys [11/9/2005 11:36 AM 5376]

S3 gtermddo;gtermddo;\??\c:\docume~1\Chad\LOCALS~1\Temp\gtermddo.sys --> c:\docume~1\Chad\LOCALS~1\Temp\gtermddo.sys [?]

S3 Mrangnrdc-ms;Mrangnrdc-ms; [x]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/23/2001 8:00 AM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/30/2010 11:38 PM 643072]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MPKSL9F849F91

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

.

2011-03-28 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]

.

.

------- Supplementary Scan -------

.

uStart Page = file:///D:/Website-macrossmechamanual/m3.html

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll

FF - ProfilePath - c:\documents and settings\Chad\Application Data\Mozilla\Firefox\Profiles\2gb3rafp.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.ca

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-28 17:15

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(484)

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'lsass.exe'(548)

c:\program files\Avira\AntiVir Desktop\avsda.dll

.

Completion time: 2011-03-28 17:18:03

ComboFix-quarantined-files.txt 2011-03-28 21:18

.

Pre-Run: 877,264,896 bytes free

Post-Run: 1,899,376,640 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

.

- - End Of File - - 63F4D8BE8CBD404C0D63FB1933CD0046

NEW DDS log

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Chad at 17:24:08.40 on Mon 03/28/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.884 [GMT -4:00]

.

AV: AntiVir Desktop *Disabled/Updated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE

C:\Program Files\Avira\AntiVir Desktop\avmailc.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\System32\dllhost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Chad\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = file:///D:/Website-macrossmechamanual/m3.html

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: c:\program files\avira\antivir desktop\avsda.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280529014546

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1280529708671

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\chad\applic~1\mozilla\firefox\profiles\2gb3rafp.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.ca

FF - component: c:\documents and settings\chad\application data\mozilla\firefox\profiles\2gb3rafp.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\documents and settings\chad\application data\mozilla\firefox\profiles\2gb3rafp.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

.

============= SERVICES / DRIVERS ===============

.

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2010-7-30 116264]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]

R1 MpKsl9f849f91;MpKsl9f849f91;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2db6968f-b8d1-48a2-8513-e30d8bcd3dec}\MpKsl9f849f91.sys [2011-3-28 28752]

R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2011-3-28 339624]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-3-28 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-3-28 269480]

R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2011-3-28 421032]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-3-28 61960]

R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-7-15 35088]

S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-3-28 11608]

S1 hiqygwsr;hiqygwsr;c:\windows\system32\drivers\hiqygwsr.sys [2011-3-28 41680]

S1 ievzkoob;ievzkoob;c:\windows\system32\drivers\ievzkoob.sys [2011-3-28 41680]

S1 lkzhamtc;lkzhamtc;c:\windows\system32\drivers\lkzhamtc.sys [2011-3-28 41680]

S1 sshptgzy;sshptgzy;c:\windows\system32\drivers\sshptgzy.sys [2011-3-28 41680]

S1 tgffzhdd;tgffzhdd;c:\windows\system32\drivers\tgffzhdd.sys [2011-3-28 41680]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [2010-9-28 23608]

S3 Filsserv;Filsserv;c:\windows\system32\drivers\mspclock.sys [2005-11-9 5376]

S3 gtermddo;gtermddo;\??\c:\docume~1\chad\locals~1\temp\gtermddo.sys --> c:\docume~1\chad\locals~1\temp\gtermddo.sys [?]

S3 Mrangnrdc-ms;Mrangnrdc-ms; [x]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2001-8-23 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-03-28 21:09:12 -------- d-sha-r- C:\cmdcons

2011-03-28 21:06:56 98816 ----a-w- c:\windows\sed.exe

2011-03-28 21:06:56 89088 ----a-w- c:\windows\MBR.exe

2011-03-28 21:06:56 256512 ----a-w- c:\windows\PEV.exe

2011-03-28 21:06:56 161792 ----a-w- c:\windows\SWREG.exe

2011-03-28 21:02:31 41680 ----a-w- c:\windows\system32\drivers\lkzhamtc.sys

2011-03-28 20:58:16 41680 ----a-w- c:\windows\system32\drivers\tgffzhdd.sys

2011-03-28 20:50:34 41680 ----a-w- c:\windows\system32\drivers\sshptgzy.sys

2011-03-28 20:38:06 41680 ----a-w- c:\windows\system32\drivers\ievzkoob.sys

2011-03-28 20:33:46 41680 ----a-w- c:\windows\system32\drivers\hiqygwsr.sys

2011-03-28 16:58:36 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{2db6968f-b8d1-48a2-8513-e30d8bcd3dec}\MpKsl9f849f91.sys

2011-03-28 16:58:14 6792528 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{2db6968f-b8d1-48a2-8513-e30d8bcd3dec}\mpengine.dll

2011-03-28 05:44:12 -------- d-----w- c:\docume~1\chad\applic~1\Avira

2011-03-28 04:06:57 -------- d-----w- c:\windows\system32\NtmsData

2011-03-28 04:01:38 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-03-28 04:01:36 -------- d-----w- c:\program files\Avira

2011-03-28 04:01:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira

2011-03-27 20:13:11 60416 ---ha-w- c:\windows\system32\doskltmc.dll

2011-03-27 20:12:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\eKeKfJfIcIj28601

2011-03-02 23:48:07 -------- d-----w- c:\program files\iTunes

.

==================== Find3M ====================

.

2011-03-27 06:40:08 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

2005-05-13 23:12:00 217073 --sha-r- c:\windows\meta4.exe

2005-10-24 17:13:58 66560 --sha-r- c:\windows\MOTA113.exe

2005-10-14 03:27:00 422400 --sha-r- c:\windows\x2.64.exe

2005-07-14 18:31:20 27648 --sha-r- c:\windows\system32\AVSredirect.dll

2005-06-26 21:32:28 616448 --sha-r- c:\windows\system32\cygwin1.dll

2005-06-22 04:37:42 45568 --sha-r- c:\windows\system32\cygz.dll

2004-01-25 06:00:00 70656 --sha-r- c:\windows\system32\i420vfw.dll

2005-12-23 02:23:08 816640 --sha-r- c:\windows\system32\smab.dll

2005-02-28 19:16:22 240128 --sha-r- c:\windows\system32\x.264.exe

2004-01-25 06:00:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll

.

============= FINISH: 17:24:36.53 ===============

NEW Attach file added to this post

Attach.zip


One thing to note: despite disabling the Avira Anti-Virus software as instructed in the ComboFix guide, the software continued to detect ComboFix while it was running. At several times I had to select various ComboFix files as "trusted" files in the Avira pop-up windows.


  • Staff

Hi,

I notice that you are using more than one antivirus program (Avira and Microsoft Security Essentials). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

Please go to VirusTotal, and upload the following files for analysis:

c:\windows\system32\drivers\lkzhamtc.sys

c:\windows\system32\drivers\tgffzhdd.sys

Post the results in your reply.

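The two drivers singled out above belong to a cluster that is visible in the DDS SERVICES / DRIVERS section: eight-letter random names used as both service name and description, identical size, same creation date, plus one entry loading from a temp directory and two whose file is missing from disk. As an added example (not from this thread or from any of the tools it mentions), the Python script below parses those DDS lines and applies the triage heuristics a helper applies by eye; the sample lines are copied from the log above, and the heuristics are only a prioritisation aid, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: SERVICES / DRIVERS lines copied from the DDS log in this thread.
SAMPLE_DDS = r"""
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-7-15 35088]
S1 hiqygwsr;hiqygwsr;c:\windows\system32\drivers\hiqygwsr.sys [2011-3-28 41680]
S1 ievzkoob;ievzkoob;c:\windows\system32\drivers\ievzkoob.sys [2011-3-28 41680]
S1 lkzhamtc;lkzhamtc;c:\windows\system32\drivers\lkzhamtc.sys [2011-3-28 41680]
S3 gtermddo;gtermddo;\??\c:\docume~1\chad\locals~1\temp\gtermddo.sys --> c:\docume~1\chad\locals~1\temp\gtermddo.sys [?]
S3 Mrangnrdc-ms;Mrangnrdc-ms; [x]
"""

# DDS service line: <state> <name>;<description>;<path> [<date> <size>]  (or [?] / [x] when the file is absent)
LINE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$")
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")  # pattern of the dropped driver names seen in this log

def parse_services(text):
    """Return one dict per SERVICES / DRIVERS line; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        state, name, desc, path, meta = m.groups()
        parts = meta.split()  # "2011-3-28 41680" when the file exists, "?" or "x" otherwise
        date, size = (parts[0], int(parts[1])) if len(parts) == 2 else (None, None)
        entries.append({"state": state, "name": name, "desc": desc, "path": path,
                        "date": date, "size": size, "present": date is not None})
    return entries

def triage(entries):
    """Map driver name -> list of reasons it deserves a second look (heuristics, not verdicts)."""
    reasons = defaultdict(list)
    by_size_date = defaultdict(list)
    for e in entries:
        if RANDOM_NAME_RE.match(e["name"]) and e["name"] == e["desc"]:
            reasons[e["name"]].append("random-looking name with no real description")
        if "\\temp\\" in e["path"].lower():
            reasons[e["name"]].append("loads from a temp directory")
        if e["present"]:
            by_size_date[(e["size"], e["date"])].append(e["name"])
        else:
            reasons[e["name"]].append("registered but file missing on disk")
    for (size, date), names in by_size_date.items():  # same size + same day across random names = one dropper
        if len(names) > 1 and all(RANDOM_NAME_RE.match(n) for n in names):
            for n in names:
                reasons[n].append(f"one of {len(names)} drivers with identical size {size} created {date}")
    return dict(reasons)
```

`triage(parse_services(SAMPLE_DDS))` returns nothing for npf and two or more reasons for each of the other five entries, which is the same shortlist the reply above asks to have checked on VirusTotal.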

  • Staff

Hi,

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    lkzhamtc.sys
    tgffzhdd.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


System Look Log

SystemLook 04.09.10 by jpshortstuff

Log created at 17:19 on 31/03/2011 by Chad

Administrator - Elevation successful

========== filefind ==========

Searching for "lkzhamtc.sys"

No files found.

Searching for "tgffzhdd.sys"

No files found.

-= EOF =-

ESET Log

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6425

# api_version=3.0.2

# EOSSerial=ebd510eb32063e4e9213a0701a25a1c3

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-03-31 09:56:09

# local_time=2011-03-31 05:56:09 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777215 100 0 32974644 32974644 0 0

# compatibility_mode=5891 16776869 42 87 0 12711572 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=115045

# found=1

# cleaned=1

# scan_time=1859

C:\WINDOWS\system32\doskltmc.dll a variant of Win32/Kryptik.LYY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Security Check Log

Results of screen317's Security Check version 0.99.10

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

Microsoft Security Essentials

Antivirus up to date! (On Access scanning disabled!)

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

CCleaner

Java 6 Update 20

Out of date Java installed!

Adobe Flash Player 10.2.153.1

Adobe Reader 9.3.3

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSMpEng.exe

Microsoft Security Essentials msseces.exe

Microsoft Security Client Antimalware MsMpEng.exe

``````````End of Log````````````

I will reboot, run some programs, surf the internet a bit and report.
