I'm infected

[elero]

Malwarebytes' Anti-Malware 1.33

Database version: 1665

Windows 5.1.2600 Service Pack 3

18.01.2009 14:02:31

mbam-log-2009-01-18 (14-02-27).txt

Scan type: Quick Scan

Objects scanned: 54417

Time elapsed: 2 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\gaopdxxwhowipl.dll (Trojan.DNSChanger) -> No action taken.

________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:18:25, on 18.01.2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Programme\Lexmark 1200 Series\lxczbmgr.exe

C:\Programme\FreePDF_XP\fpassist.exe

C:\Programme\iTunes\iTunesHelper.exe

C:\Programme\Lexmark 1200 Series\lxczbmon.exe

C:\Programme\Winamp\winampa.exe

C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Programme\Java\jre6\bin\jusched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Programme\Bonjour\mDNSResponder.exe

C:\Programme\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Programme\AVG\AVG8\avgui.exe

C:\Programme\iPod\bin\iPodService.exe

C:\Programme\AVG\AVG8\avgscanx.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Dokumente und Einstellungen\Bia\Desktop\trendmicro.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orf.at/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programme\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Programme\Lexmark 1200 Series\lxczbmgr.exe"

O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre6\bin\jp2iexp.dll

O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre6\bin\jp2iexp.dll

O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe

O9 - Extra button: @C:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Programme\Gemeinsame Dateien\ArcSoft\Connection Service\Bin\ACService.exe (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe

O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 6470 bytes

[elero]

I can't find the file in Windows Explorer, why this? Hidden files are visible

AVG update doesn't work and I can't connect to this forum on the infected machine

[Fatdcuk]

Hi spt,

It is quite possibly CLB driver related infection from information you have supplied but just to check for sure

Can you download Rootrepeal>>>

http://rootrepeal.googlepages.com/

Run a scan and post back the output log generated.

[elero]

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/01/19 11:07

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: 1394BUS.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS

Address: 0xF7607000 Size: 57344 File Visible: -

Status: -

Name: Aavmker4.SYS

Image Path: C:\WINDOWS\System32\Drivers\Aavmker4.SYS

Address: 0xF77AF000 Size: 19072 File Visible: -

Status: -

Name: ACPI.sys

Image Path: ACPI.sys

Address: 0xF748F000 Size: 188800 File Visible: -

Status: -

Name: ACPI_HAL

Image Path: \Driver\ACPI_HAL

Address: 0x804D7000 Size: 2265088 File Visible: -

Status: -

Name: afd.sys

Image Path: C:\WINDOWS\System32\drivers\afd.sys

Address: 0xB6E1A000 Size: 138496 File Visible: -

Status: -

Name: arp1394.sys

Image Path: C:\WINDOWS\system32\DRIVERS\arp1394.sys

Address: 0xF7877000 Size: 60800 File Visible: -

Status: -

Name: aswFsBlk.sys

Image Path: C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys

Address: 0xF77EF000 Size: 32768 File Visible: -

Status: -

Name: aswMon2.SYS

Image Path: C:\WINDOWS\System32\Drivers\aswMon2.SYS

Address: 0xB67B7000 Size: 87296 File Visible: -

Status: -

Name: aswRdr.SYS

Image Path: C:\WINDOWS\System32\Drivers\aswRdr.SYS

Address: 0xB5386000 Size: 15136 File Visible: -

Status: -

Name: aswSP.SYS

Image Path: C:\WINDOWS\System32\Drivers\aswSP.SYS

Address: 0xB6D37000 Size: 131072 File Visible: -

Status: -

Name: aswTdi.SYS

Image Path: C:\WINDOWS\System32\Drivers\aswTdi.SYS

Address: 0xF740E000 Size: 41152 File Visible: -

Status: -

Name: atapi.sys

Image Path: atapi.sys

Address: 0xF796F000 Size: 98304 File Visible: -

Status: -

Name: atapi.sys

Image Path: atapi.sys

Address: 0x00000000 Size: 0 File Visible: -

Status: -

Name: atksgt.sys

Image Path: C:\WINDOWS\system32\DRIVERS\atksgt.sys

Address: 0xB56D8000 Size: 271360 File Visible: -

Status: -

Name: atl01_xp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\atl01_xp.sys

Address: 0xBA6DD000 Size: 35840 File Visible: -

Status: -

Name: ATMFD.DLL

Image Path: C:\WINDOWS\System32\ATMFD.DLL

Address: 0xBFFA9000 Size: 286720 File Visible: -

Status: -

Name: audstub.sys

Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys

Address: 0xF7AC0000 Size: 3072 File Visible: -

Status: -

Name: Beep.SYS

Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS

Address: 0xF79D3000 Size: 4224 File Visible: -

Status: -

Name: BOOTVID.dll

Image Path: C:\WINDOWS\system32\BOOTVID.dll

Address: 0xF7897000 Size: 12288 File Visible: -

Status: -

Name: Cdfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS

Address: 0xBAF4E000 Size: 63744 File Visible: -

Status: -

Name: cdrom.sys

Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys

Address: 0xBA69D000 Size: 62976 File Visible: -

Status: -

Name: CLASSPNP.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Address: 0xF7657000 Size: 53248 File Visible: -

Status: -

Name: disk.sys

Image Path: disk.sys

Address: 0xF7647000 Size: 36352 File Visible: -

Status: -

Name: dmio.sys

Image Path: dmio.sys

Address: 0xF7832000 Size: 154112 File Visible: -

Status: -

Name: dmload.sys

Image Path: dmload.sys

Address: 0xF798B000 Size: 5888 File Visible: -

Status: -

Name: drmk.sys

Image Path: C:\WINDOWS\system32\drivers\drmk.sys

Address: 0xF744E000 Size: 61440 File Visible: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xB6C9D000 Size: 98304 File Visible: No

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF79E3000 Size: 8192 File Visible: No

Status: -

Name: Dxapi.sys

Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys

Address: 0xB6E92000 Size: 12288 File Visible: -

Status: -

Name: dxg.sys

Image Path: C:\WINDOWS\System32\drivers\dxg.sys

Address: 0xBF9C3000 Size: 73728 File Visible: -

Status: -

Name: dxgthk.sys

Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys

Address: 0xF7A9B000 Size: 4096 File Visible: -

Status: -

Name: Fips.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS

Address: 0xBAFAE000 Size: 44672 File Visible: -

Status: -

Name: fltmgr.sys

Image Path: fltmgr.sys

Address: 0xBAFE0000 Size: 129792 File Visible: -

Status: -

Name: Fs_Rec.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS

Address: 0xF79D1000 Size: 7936 File Visible: -

Status: -

Name: ftdisk.sys

Image Path: ftdisk.sys

Address: 0xF7858000 Size: 126336 File Visible: -

Status: -

Name: gaopdxcfqxblak.sys

Image Path: C:\WINDOWS\system32\drivers\gaopdxcfqxblak.sys

Address: 0xB6F50000 Size: 163840 File Visible: -

Status: Hidden from Windows API!

Name: GEARAspiWDM.sys

Image Path: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

Address: 0xBAB72000 Size: 9984 File Visible: -

Status: -

Name: hal.dll

Image Path: C:\WINDOWS\system32\hal.dll

Address: 0x80700000 Size: 134400 File Visible: -

Status: -

Name: HDAudBus.sys

Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

Address: 0xB999E000 Size: 163840 File Visible: -

Status: -

Name: HIDCLASS.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS

Address: 0xBAF6E000 Size: 36864 File Visible: -

Status: -

Name: HIDPARSE.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS

Address: 0xF776F000 Size: 28672 File Visible: -

Status: -

Name: hidusb.sys

Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys

Address: 0xB6F40000 Size: 10368 File Visible: -

Status: -

Name: HTTP.sys

Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys

Address: 0xB5155000 Size: 264832 File Visible: -

Status: -

Name: imapi.sys

Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys

Address: 0xBA6AD000 Size: 42112 File Visible: -

Status: -

Name: intelppm.sys

Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys

Address: 0xBA6ED000 Size: 40448 File Visible: -

Status: -

Name: ipnat.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys

Address: 0xB6E64000 Size: 152832 File Visible: -

Status: -

Name: ipsec.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys

Address: 0xB6F15000 Size: 75264 File Visible: -

Status: -

Name: isapnp.sys

Image Path: isapnp.sys

Address: 0xF7617000 Size: 37632 File Visible: -

Status: -

Name: kbdclass.sys

Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys

Address: 0xBA629000 Size: 25216 File Visible: -

Status: -

Name: kbdhid.sys

Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys

Address: 0xB6F2C000 Size: 14720 File Visible: -

Status: -

Name: KDCOM.DLL

Image Path: C:\WINDOWS\system32\KDCOM.DLL

Address: 0xF7987000 Size: 8192 File Visible: -

Status: -

Name: kmixer.sys

Image Path: C:\WINDOWS\system32\drivers\kmixer.sys

Address: 0xB4CC3000 Size: 172416 File Visible: -

Status: -

Name: ks.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys

Address: 0xB9943000 Size: 143360 File Visible: -

Status: -

Name: KSecDD.sys

Image Path: KSecDD.sys

Address: 0xBAF17000 Size: 92288 File Visible: -

Status: -

Name: lirsgt.sys

Image Path: C:\WINDOWS\system32\DRIVERS\lirsgt.sys

Address: 0xF7817000 Size: 18048 File Visible: -

Status: -

Name: mnmdd.SYS

Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS

Address: 0xF79D5000 Size: 4224 File Visible: -

Status: -

Name: mouclass.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys

Address: 0xBA621000 Size: 23552 File Visible: -

Status: -

Name: mouhid.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys

Address: 0xB6F34000 Size: 12288 File Visible: -

Status: -

Name: MountMgr.sys

Image Path: MountMgr.sys

Address: 0xF7627000 Size: 42368 File Visible: -

Status: -

Name: mrxdav.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys

Address: 0xB5743000 Size: 180608 File Visible: -

Status: -

Name: mrxsmb.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

Address: 0xB6D7F000 Size: 455296 File Visible: -

Status: -

Name: Msfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS

Address: 0xF778F000 Size: 19072 File Visible: -

Status: -

Name: msgpc.sys

Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys

Address: 0xF76D7000 Size: 35072 File Visible: -

Status: -

Name: mssmbios.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys

Address: 0xF7923000 Size: 15488 File Visible: -

Status: -

Name: Mup.sys

Image Path: Mup.sys

Address: 0xBAE43000 Size: 105344 File Visible: -

Status: -

Name: NDIS.sys

Image Path: NDIS.sys

Address: 0xBAE5D000 Size: 182656 File Visible: -

Status: -

Name: ndistapi.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys

Address: 0xBAB6A000 Size: 10112 File Visible: -

Status: -

Name: ndisuio.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys

Address: 0xB6D5B000 Size: 14592 File Visible: -

Status: -

Name: ndiswan.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys

Address: 0xB992C000 Size: 91520 File Visible: -

Status: -

Name: NDProxy.SYS

Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS

Address: 0xF745E000 Size: 40576 File Visible: -

Status: -

Name: netbios.sys

Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys

Address: 0xBAFBE000 Size: 34688 File Visible: -

Status: -

Name: netbt.sys

Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys

Address: 0xB6E3C000 Size: 162816 File Visible: -

Status: -

Name: nic1394.sys

Image Path: C:\WINDOWS\system32\DRIVERS\nic1394.sys

Address: 0xBA6CD000 Size: 61824 File Visible: -

Status: -

Name: Npfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS

Address: 0xF7797000 Size: 30848 File Visible: -

Status: -

Name: Ntfs.sys

Image Path: Ntfs.sys

Address: 0xBAE8A000 Size: 574976 File Visible: -

Status: -

Name: ntoskrnl.exe

Image Path: C:\WINDOWS\system32\ntoskrnl.exe

Address: 0x804D7000 Size: 2265088 File Visible: -

Status: -

Name: Null.SYS

Image Path: C:\WINDOWS\System32\Drivers\Null.SYS

Address: 0xB70B7000 Size: 2944 File Visible: -

Status: -

Name: nv4_disp.dll

Image Path: C:\WINDOWS\System32\nv4_disp.dll

Address: 0xBF9D5000 Size: 6111232 File Visible: -

Status: -

Name: nv4_mini.sys

Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

Address: 0xB99DA000 Size: 6557408 File Visible: -

Status: -

Name: ohci1394.sys

Image Path: ohci1394.sys

Address: 0xF75F7000 Size: 61696 File Visible: -

Status: -

Name: parport.sys

Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys

Address: 0xB9966000 Size: 80384 File Visible: -

Status: -

Name: PartMgr.sys

Image Path: PartMgr.sys

Address: 0xF770F000 Size: 19712 File Visible: -

Status: -

Name: ParVdm.SYS

Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS

Address: 0xB6691000 Size: 7040 File Visible: -

Status: -

Name: pci.sys

Image Path: pci.sys

Address: 0xF747E000 Size: 68224 File Visible: -

Status: -

Name: PCI_PNP2096

Image Path: \Driver\PCI_PNP2096

Address: 0x00000000 Size: 0 File Visible: No

Status: -

Name: pciide.sys

Image Path: pciide.sys

Address: 0xF7A4F000 Size: 3328 File Visible: -

Status: -

Name: PCIIDEX.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Address: 0xF7707000 Size: 28672 File Visible: -

Status: -

Name: PnpManager

Image Path: \Driver\PnpManager

Address: 0x804D7000 Size: 2265088 File Visible: -

Status: -

Name: portcls.sys

Image Path: C:\WINDOWS\system32\drivers\portcls.sys

Address: 0xB70FA000 Size: 147456 File Visible: -

Status: -

Name: psched.sys

Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys

Address: 0xB991B000 Size: 69120 File Visible: -

Status: -

Name: ptilink.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys

Address: 0xBA639000 Size: 17792 File Visible: -

Status: -

Name: PxHelp20.sys

Image Path: PxHelp20.sys

Address: 0xF7667000 Size: 35712 File Visible: -

Status: -

Name: rasacd.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys

Address: 0xB8708000 Size: 8832 File Visible: -

Status: -

Name: rasl2tp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

Address: 0xF76A7000 Size: 51328 File Visible: -

Status: -

Name: raspppoe.sys

Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys

Address: 0xF76B7000 Size: 41472 File Visible: -

Status: -

Name: raspptp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys

Address: 0xF76C7000 Size: 48384 File Visible: -

Status: -

Name: raspti.sys

Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys

Address: 0xBA631000 Size: 16512 File Visible: -

Status: -

Name: RAW

Image Path: \FileSystem\RAW

Address: 0x804D7000 Size: 2265088 File Visible: -

Status: -

Name: rdbss.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys

Address: 0xB6DEF000 Size: 175744 File Visible: -

Status: -

Name: RDPCDD.sys

Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys

Address: 0xF79D7000 Size: 4224 File Visible: -

Status: -

Name: rdpdr.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys

Address: 0xB98DA000 Size: 196224 File Visible: -

Status: -

Name: redbook.sys

Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys

Address: 0xF7697000 Size: 57728 File Visible: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xF76E7000 Size: 45056 File Visible: No

Status: -

Name: RtkHDAud.sys

Image Path: C:\WINDOWS\system32\drivers\RtkHDAud.sys

Address: 0xB711E000 Size: 4927488 File Visible: -

Status: -

Name: SCSIPORT.SYS

Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS

Address: 0xF74BE000 Size: 98304 File Visible: -

Status: -

Name: serenum.sys

Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys

Address: 0xBAB76000 Size: 15744 File Visible: -

Status: -

Name: serial.sys

Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys

Address: 0xBA6BD000 Size: 65536 File Visible: -

Status: -

Name: spcu.sys

Image Path: spcu.sys

Address: 0xF74D6000 Size: 1048576 File Visible: No

Status: -

Name: sptd

Image Path: \Driver\sptd

Address: 0x00000000 Size: 0 File Visible: No

Status: -

Name: sr.sys

Image Path: sr.sys

Address: 0xBAFCE000 Size: 73472 File Visible: -

Status: -

Name: srv.sys

Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys

Address: 0xB557E000 Size: 333952 File Visible: -

Status: -

Name: swenum.sys

Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys

Address: 0xF79C5000 Size: 4352 File Visible: -

Status: -

Name: sysaudio.sys

Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys

Address: 0xB664B000 Size: 60800 File Visible: -

Status: -

Name: tcpip.sys

Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys

Address: 0xB6EBC000 Size: 361600 File Visible: -

Status: -

Name: TDI.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS

Address: 0xBA641000 Size: 20480 File Visible: -

Status: -

Name: termdd.sys

Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys

Address: 0xF76F7000 Size: 40704 File Visible: -

Status: -

Name: tmcomm.sys

Image Path: C:\WINDOWS\system32\drivers\tmcomm.sys

Address: 0xB55D0000 Size: 97280 File Visible: -

Status: -

Name: update.sys

Image Path: C:\WINDOWS\system32\DRIVERS\update.sys

Address: 0xB9828000 Size: 384768 File Visible: -

Status: -

Name: usbccgp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys

Address: 0xF77B7000 Size: 32128 File Visible: -

Status: -

Name: USBD.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS

Address: 0xF79CF000 Size: 8192 File Visible: -

Status: -

Name: usbehci.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys

Address: 0xBA649000 Size: 30208 File Visible: -

Status: -

Name: usbhub.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys

Address: 0xF742E000 Size: 59520 File Visible: -

Status: -

Name: USBPORT.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS

Address: 0xB997A000 Size: 147456 File Visible: -

Status: -

Name: usbprint.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbprint.sys

Address: 0xF7787000 Size: 25856 File Visible: -

Status: -

Name: usbuhci.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys

Address: 0xBA651000 Size: 20608 File Visible: -

Status: -

Name: vga.sys

Image Path: C:\WINDOWS\System32\drivers\vga.sys

Address: 0xF7777000 Size: 20992 File Visible: -

Status: -

Name: VIDEOPRT.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS

Address: 0xB99C6000 Size: 81920 File Visible: -

Status: -

Name: VolSnap.sys

Image Path: VolSnap.sys

Address: 0xF7637000 Size: 53760 File Visible: -

Status: -

Name: wanarp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys

Address: 0xF7887000 Size: 34560 File Visible: -

Status: -

Name: watchdog.sys

Image Path: C:\WINDOWS\System32\watchdog.sys

Address: 0xF77BF000 Size: 20480 File Visible: -

Status: -

Name: wdmaud.sys

Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys

Address: 0xB59A0000 Size: 83072 File Visible: -

Status: -

Name: Win32k

Image Path: \Driver\Win32k

Address: 0xBF800000 Size: 1847296 File Visible: -

Status: -

Name: win32k.sys

Image Path: C:\WINDOWS\System32\win32k.sys

Address: 0xBF800000 Size: 1847296 File Visible: -

Status: -

Name: WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\WMILIB.SYS

Address: 0xF7989000 Size: 8192 File Visible: -

Status: -

Name: WMIxWDM

Image Path: \Driver\WMIxWDM

Address: 0x804D7000 Size: 2265088 File Visible: -

Status: -

[Fatdcuk]

As suspected you have new variant of CLB driver.

• Name: gaopdxcfqxblak.sys
  Image Path: C:\WINDOWS\system32\drivers\gaopdxcfqxblak.sys
  Address: 0xB6F50000 Size: 163840 File Visible: -
  Status: Hidden from Windows API!
  

If possible i would like to see the infection files for further analysis.

So please can you you use the file scan of RootRepeal this time.We are looking for all files with the same, simmillar name to the above driver.

If you highlight each line and then right click(Copy file) and save to holding folder.Zip the folder and upload to a new topic here>>>

http://www.malwarebytes.org/forums/index.php?showforum=55

Please also can i see the output logs from RootRepeal for Files,Process's/Stealth Objects and Hidden Services.

Thanks:)

[elero]

If possible i would like to see the infection files for further analysis.

Sorry, it seems that AVG Anti-Rootkit has deleted the file? MBAM log file is clean now:

Malwarebytes' Anti-Malware 1.33

Database version: 1666

Windows 5.1.2600 Service Pack 3

19.01.2009 13:46:32

mbam-log-2009-01-19 (13-46-32).txt

Scan type: Quick Scan

Objects scanned: 54274

Time elapsed: 3 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

___________________________________________________________

RootRepeal:

Drivers: Found 134 drivers (0 hidden)!

Processes: Found 38 processes (0 hidden, 0 locked)

Stealth Objects: Found 116 stealth objects!

Hidden Services: Found 1 hidden services!

When I want to copy the file I get this: (see screenshot)

So the machine isn't clean?

[Fatdcuk]

Ok use Rootrepeal to delete the Hidden service file by right clicking on its line and selecting delete.

Reboot the system and see if AVG updates & PC can get onto this forum.

Also can you run a fresh scan with Rootrepeal and post the output(Report) log generated.

[elero]

Hello!

The machine can get onto this forum and AVG updates!

But it seems that there are some registry keys that can't be deleted:

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys\modules

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\gaopdxserv.sys\modules

I tried to delete it with regedit, but I got the message that the keys couldn't be deleted

Is there any way to get rid of these keys?

[Fatdcuk]

Download IceSword>>>

http://majorgeeks.com/Icesword_d5199.html

When you have extracted and run IceSword.exe,you will see a Registry button/option in the lower left of the software main GUI.

Use this option to navigate to the offending keys and when your there,right click and select delete.

[elero]

IceSword did it, the keys are gone Thank you for your help!

[AdvancedSetup]

Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
  • Select the Update tab
    
  • Click Update
    

  [*]When the update is complete, select the Scanner tab

  [*]Select Perform quick scan, then click Scan.

  [*]When the scan is complete, click OK, then Show Results to view the results.

  [*]Be sure that everything is checked, and click Remove Selected.

  [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile

The post back NEW MBAM and HJT logs in that order please.

[AdvancedSetup]

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.