Jump to content

Malwarebytes

trojan agent reg key removal pls advise

- - - - -
Started by godsendxd, Jan 25 2009 11:14 PM

14 replies to this topic

#1
godsendxd
Posted 25 January 2009 - 11:14 PM

    New Member

  • Members
  • Pip
  • 6 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:21 PM, on 1/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\program files\steam\steam.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\SPACE INTERNATIONAL\CDSpace 5\LCDPlyer.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G PCI Adapter with SRX\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Adapter with SRX\WMP54GX.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: LCDPlayer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: nlycoo.dll
O20 - Winlogon Notify: mlJBTlMD - mlJBTlMD.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
O23 - Service: Fast Track Installer (FastTrackInstallerService) - Unknown owner - C:\Program Files\M-Audio Fast Track\GBInst.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: WMP54GXSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Adapter with SRX\WLService.exe

--
End of file - 6783 bytes




Malwarebytes' Anti-Malware 1.33
Database version: 1684
Windows 5.1.2600 Service Pack 2

1/25/2009 6:13:22 PM
mbam-log-2009-01-25 (18-13-20).txt

Scan type: Quick Scan
Objects scanned: 50206
Time elapsed: 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#2
godsendxd
Posted 25 January 2009 - 11:21 PM

    New Member

  • Members
  • Pip
  • 6 posts
i have also ran this scan
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-25 17:53:51
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

INT 0x62 ? 8A8D3BF8
INT 0x63 ? 8A688BF8
INT 0x73 ? 8A688BF8
INT 0x73 ? 8A688BF8
INT 0x82 ? 8A8D3BF8
INT 0x83 ? 8A8D3BF8
INT 0x84 ? 8A688BF8
INT 0xA4 ? 8A688BF8

Code 89DADA90 ZwEnumerateKey
Code 89DADB48 ZwFlushInstructionCache
Code B4DE8323 pIofCallDriver

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B528A 5 Bytes JMP 89DADB4C
PAGE ntkrnlpa.exe!ZwEnumerateKey 80622950 5 Bytes JMP 89DADA94
? bpeercj.sys The system cannot find the file specified. !
? spiy.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B79A162C 5 Bytes JMP 8A6881D8

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[740] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe (Messenger/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spiy.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spiy.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spiy.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spiy.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spiy.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B9048] spiy.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A8D21F8
Device \FileSystem\Fastfat \FatCdrom 88186320
Device \Driver\usbohci \Device\USBPDO-0 8A6861F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A8631F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A8631F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A8631F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A8631F8
Device \Driver\usbohci \Device\USBPDO-1 8A6861F8
Device \Driver\PCI_PNP3368 \Device\00000052 spiy.sys
Device \Driver\usbohci \Device\USBPDO-2 8A6861F8
Device \Driver\usbohci \Device\USBPDO-3 8A6861F8
Device \Driver\usbohci \Device\USBPDO-4 8A6861F8
Device \Driver\usbehci \Device\USBPDO-5 8A63C1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A8D41F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{72702F06-F450-47C2-A1C4-7D228F1326A7} 898FC1F8
Device \Driver\Cdrom \Device\CdRom0 8A6231F8
Device \Driver\Cdrom \Device\CdRom1 8A6231F8
Device \Driver\atapi \Device\Ide\IdePort0 8A8D31F8
Device \Driver\atapi \Device\Ide\IdePort1 8A8D31F8
Device \Driver\atapi \Device\Ide\IdePort2 8A8D31F8
Device \Driver\atapi \Device\Ide\IdePort3 8A8D31F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-12 8A8D31F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-a 8A8D31F8
Device \Driver\Cdrom \Device\CdRom2 8A6231F8
Device \Driver\sptd \Device\2767887118 spiy.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 898FC1F8
Device \Driver\NetBT \Device\NetbiosSmb 898FC1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{A902EF5F-D631-4E5B-ACE8-4A99B0A65BC1} 898FC1F8
Device \Driver\usbohci \Device\USBFDO-0 8A6861F8
Device \Driver\usbohci \Device\USBFDO-1 8A6861F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 898BF1F8
Device \Driver\usbohci \Device\USBFDO-2 8A6861F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 898BF1F8
Device \Driver\TwoRabts \Device\0000007c 8A4C31F8
Device \Driver\usbohci \Device\USBFDO-3 8A6861F8
Device \Driver\usbohci \Device\USBFDO-4 8A6861F8
Device \Driver\Ftdisk \Device\FtControl 8A8D41F8
Device \Driver\usbehci \Device\USBFDO-5 8A63C1F8
Device \Driver\cdspacex \Device\Scsi\cdspacex1Port5Path0Target0Lun0 898C6500
Device \Driver\cdspacex \Device\Scsi\cdspacex1 898C6500
Device \Driver\aoi651yh \Device\Scsi\aoi651yh1Port4Path0Target0Lun0 8A5711F8
Device \Driver\aoi651yh \Device\Scsi\aoi651yh1 8A5711F8
Device \FileSystem\Fastfat \Fat 88186320
Device \FileSystem\Cdfs \Cdfs 8A4452C0

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\senekamimgqldm.sys (*** hidden *** ) B4DE6000-B4E05000 (126976 bytes)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\senekamimgqldm.sys (*** hidden *** ) [SYSTEM] seneka <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x36 0x48 0xDC 0x66 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x9A 0x96 0x1F 0xAC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x45 0x95 0x76 0x3C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@imagepath \systemroot\system32\drivers\senekamimgqldm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.dll \systemroot\system32\senekagsiaelje.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.sys \systemroot\system32\drivers\senekamimgqldm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@senekalog.dat \systemroot\system32\senekawfpshfep.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@senekawi.dll \systemroot\system32\senekajnwtdwok.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.dat \systemroot\system32\senekaptvviguy.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x36 0x48 0xDC 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x84 0x6A 0x61 0xAF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x31 0x63 0x71 0x04 ...
Reg HKLM\SYSTEM\ControlSet004\Services\seneka
Reg HKLM\SYSTEM\ControlSet004\Services\seneka@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\seneka@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\seneka@imagepath \systemroot\system32\drivers\senekamimgqldm.sys
Reg HKLM\SYSTEM\ControlSet004\Services\seneka@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@seneka.dll \systemroot\system32\senekagsiaelje.dll
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@seneka.sys \systemroot\system32\drivers\senekamimgqldm.sys
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@senekalog.dat \systemroot\system32\senekawfpshfep.dat
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@senekawi.dll \systemroot\system32\senekajnwtdwok.dll
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@seneka.dat \systemroot\system32\senekaptvviguy.dat
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x36 0x48 0xDC 0x66 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x84 0x6A 0x61 0xAF ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x31 0x63 0x71 0x04 ...

---- EOF - GMER 1.0.14 ----

#3
sjpritch25
Posted 26 January 2009 - 11:25 PM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
Welcome to Malwarebytes!!!! :)

Please update MBAM and run another quick scan. In your next reply, please post the MBAM log followed by a fresh GMER log. Thanks

Malwarebytes Anti-Malware detects that rooter, but usually the service needs cleaning up. Just need to make sure. Thanks
Microsoft Valuable Professional---MVP Consumer Security 2007-2010
Windows 7 Ultimate 64bit
Gigabyte P55A-UD4P Motherboard Intel i5 750 G.SKILL Ripjaws Series 4GB DDR3 1333 1TB WD 32mb cache
60gb OCZ Vertex Turbo SSD (BOOT drive)Noctua NH-U12P SE2 HeatsinkAntec P183 Case

#4
godsendxd
Posted 27 January 2009 - 08:31 AM

    New Member

  • Members
  • Pip
  • 6 posts
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-27 03:04:09
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

INT 0x62 ? 8A8D3BF8
INT 0x63 ? 8A688BF8
INT 0x73 ? 8A688BF8
INT 0x73 ? 8A688BF8
INT 0x82 ? 8A8D3BF8
INT 0x83 ? 8A8D3BF8
INT 0x84 ? 8A688BF8
INT 0xA4 ? 8A688BF8

Code 89DADA90 ZwEnumerateKey
Code 89DADB48 ZwFlushInstructionCache
Code B4DE8323 pIofCallDriver

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B528A 5 Bytes JMP 89DADB4C
PAGE ntkrnlpa.exe!ZwEnumerateKey 80622950 5 Bytes JMP 89DADA94
? bpeercj.sys The system cannot find the file specified. !
? spiy.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B79A162C 5 Bytes JMP 8A6881D8

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[740] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe (Messenger/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spiy.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spiy.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spiy.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spiy.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spiy.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B9048] spiy.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A8D21F8
Device \FileSystem\Fastfat \FatCdrom 88186320
Device \Driver\usbohci \Device\USBPDO-0 8A6861F8
Device \Driver\usbohci \Device\USBPDO-1 8A6861F8
Device \Driver\PCI_PNP3368 \Device\00000052 spiy.sys
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A8631F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A8631F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A8631F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A8631F8
Device \Driver\usbohci \Device\USBPDO-2 8A6861F8
Device \Driver\usbohci \Device\USBPDO-3 8A6861F8
Device \Driver\usbohci \Device\USBPDO-4 8A6861F8
Device \Driver\usbehci \Device\USBPDO-5 8A63C1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A8D41F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{72702F06-F450-47C2-A1C4-7D228F1326A7} 898FC1F8
Device \Driver\Cdrom \Device\CdRom0 8A6231F8
Device \Driver\Cdrom \Device\CdRom1 8A6231F8
Device \Driver\atapi \Device\Ide\IdePort0 8A8D31F8
Device \Driver\atapi \Device\Ide\IdePort1 8A8D31F8
Device \Driver\atapi \Device\Ide\IdePort2 8A8D31F8
Device \Driver\atapi \Device\Ide\IdePort3 8A8D31F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-12 8A8D31F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-a 8A8D31F8
Device \Driver\Cdrom \Device\CdRom2 8A6231F8
Device \Driver\sptd \Device\2767887118 spiy.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 898FC1F8
Device \Driver\NetBT \Device\NetbiosSmb 898FC1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{A902EF5F-D631-4E5B-ACE8-4A99B0A65BC1} 898FC1F8
Device \Driver\usbohci \Device\USBFDO-0 8A6861F8
Device \Driver\usbohci \Device\USBFDO-1 8A6861F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 898BF1F8
Device \Driver\usbohci \Device\USBFDO-2 8A6861F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 898BF1F8
Device \Driver\usbohci \Device\USBFDO-3 8A6861F8
Device \Driver\TwoRabts \Device\0000007c 8A4C31F8
Device \Driver\Ftdisk \Device\FtControl 8A8D41F8
Device \Driver\usbohci \Device\USBFDO-4 8A6861F8
Device \Driver\usbehci \Device\USBFDO-5 8A63C1F8
Device \Driver\USBSTOR \Device\0000008b 882A8500
Device \Driver\USBSTOR \Device\0000008c 882A8500
Device \Driver\cdspacex \Device\Scsi\cdspacex1Port5Path0Target0Lun0 898C6500
Device \Driver\cdspacex \Device\Scsi\cdspacex1 898C6500
Device \Driver\aoi651yh \Device\Scsi\aoi651yh1Port4Path0Target0Lun0 8A5711F8
Device \Driver\aoi651yh \Device\Scsi\aoi651yh1 8A5711F8
Device \FileSystem\Fastfat \Fat 88186320
Device \FileSystem\Cdfs \Cdfs 8A4452C0

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\senekamimgqldm.sys (*** hidden *** ) B4DE6000-B4E05000 (126976 bytes)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\senekamimgqldm.sys (*** hidden *** ) [SYSTEM] seneka <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x36 0x48 0xDC 0x66 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x9A 0x96 0x1F 0xAC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x45 0x95 0x76 0x3C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@imagepath \systemroot\system32\drivers\senekamimgqldm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.dll \systemroot\system32\senekagsiaelje.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.sys \systemroot\system32\drivers\senekamimgqldm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@senekalog.dat \systemroot\system32\senekawfpshfep.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@senekawi.dll \systemroot\system32\senekajnwtdwok.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.dat \systemroot\system32\senekaptvviguy.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x36 0x48 0xDC 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x84 0x6A 0x61 0xAF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x31 0x63 0x71 0x04 ...
Reg HKLM\SYSTEM\ControlSet004\Services\seneka
Reg HKLM\SYSTEM\ControlSet004\Services\seneka@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\seneka@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\seneka@imagepath \systemroot\system32\drivers\senekamimgqldm.sys
Reg HKLM\SYSTEM\ControlSet004\Services\seneka@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@seneka.dll \systemroot\system32\senekagsiaelje.dll
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@seneka.sys \systemroot\system32\drivers\senekamimgqldm.sys
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@senekalog.dat \systemroot\system32\senekawfpshfep.dat
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@senekawi.dll \systemroot\system32\senekajnwtdwok.dll
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@seneka.dat \systemroot\system32\senekaptvviguy.dat
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x36 0x48 0xDC 0x66 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x84 0x6A 0x61 0xAF ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x31 0x63 0x71 0x04 ...

---- EOF - GMER 1.0.14 ----






Malwarebytes' Anti-Malware 1.33
Database version: 1698
Windows 5.1.2600 Service Pack 2

1/27/2009 3:30:55 AM
mbam-log-2009-01-27 (03-30-55).txt

Scan type: Quick Scan
Objects scanned: 50997
Time elapsed: 3 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\chert5-998.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\winsinstall.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\9DL2NE6F\winsinstall[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D6FKCDMN\apstpldr.dll[1].htm (Adware.BHO) -> Quarantined and deleted successfully.

#5
sjpritch25
Posted 27 January 2009 - 10:29 PM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
I will be replying in a short while. I'm checking on something with a researcher be back later on. Thanks for your paitence.
Microsoft Valuable Professional---MVP Consumer Security 2007-2010
Windows 7 Ultimate 64bit
Gigabyte P55A-UD4P Motherboard Intel i5 750 G.SKILL Ripjaws Series 4GB DDR3 1333 1TB WD 32mb cache
60gb OCZ Vertex Turbo SSD (BOOT drive)Noctua NH-U12P SE2 HeatsinkAntec P183 Case

#6
sjpritch25
Posted 28 January 2009 - 02:16 AM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
Okay, i need you to update MBAM again, run a quick scan, post that log, and run gmer and post that log too. Thanks.
Microsoft Valuable Professional---MVP Consumer Security 2007-2010
Windows 7 Ultimate 64bit
Gigabyte P55A-UD4P Motherboard Intel i5 750 G.SKILL Ripjaws Series 4GB DDR3 1333 1TB WD 32mb cache
60gb OCZ Vertex Turbo SSD (BOOT drive)Noctua NH-U12P SE2 HeatsinkAntec P183 Case

#7
godsendxd
Posted 28 January 2009 - 08:00 PM

    New Member

  • Members
  • Pip
  • 6 posts
Malwarebytes' Anti-Malware 1.33
Database version: 1702
Windows 5.1.2600 Service Pack 2

1/28/2009 2:48:46 PM
mbam-log-2009-01-28 (14-48-46).txt

Scan type: Quick Scan
Objects scanned: 50837
Time elapsed: 8 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.

it came up again after i restarted/





GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-28 15:00:21
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT spgg.sys ZwCreateKey [0xBA6A80E0]
SSDT B34C2E64 ZwCreateThread
SSDT spgg.sys ZwEnumerateKey [0xBA6C6CA2]
SSDT spgg.sys ZwEnumerateValueKey [0xBA6C7030]
SSDT spgg.sys ZwOpenKey [0xBA6A80C0]
SSDT B34C2E50 ZwOpenProcess
SSDT B34C2E55 ZwOpenThread
SSDT spgg.sys ZwQueryKey [0xBA6C7108]
SSDT spgg.sys ZwQueryValueKey [0xBA6C6F88]
SSDT spgg.sys ZwSetValueKey [0xBA6C719A]
SSDT B34C2E5F ZwTerminateProcess
SSDT B34C2E5A ZwWriteVirtualMemory

INT 0x62 ? 8A863BF8
INT 0x63 ? 8A662BF8
INT 0x73 ? 8A662BF8
INT 0x73 ? 8A662BF8
INT 0x82 ? 8A863BF8
INT 0x83 ? 8A863BF8
INT 0x84 ? 8A662BF8
INT 0xA4 ? 8A662BF8

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FE2 80503DB6 2 Bytes [ 4C, B3 ]
? nmkh.sys The system cannot find the file specified. !
? spgg.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B771662C 5 Bytes JMP 8A6621D8
.text adfgoq7j.SYS B7499386 35 Bytes [ 00, 00, 00, 00, 00, 00, 20, ... ]
.text adfgoq7j.SYS B74993AA 24 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text adfgoq7j.SYS B74993C4 3 Bytes [ 00, 70, 02 ]
.text adfgoq7j.SYS B74993C9 1 Byte [ 2E ]
.text adfgoq7j.SYS B74993CB 9 Bytes [ 00, 00, 5C, 02, 00, 00, 00, ... ]
.text ...

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[604] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe (Messenger/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spgg.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spgg.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spgg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spgg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spgg.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B9048] spgg.sys
IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!KfAcquireSpinLock] 8A000002
IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!READ_PORT_UCHAR] 83880846
IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!KeGetCurrentIrql] 000001C0
IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!KfRaiseIrql] 2C4EB70F
IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!KfLowerIrql] 8303C183
IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!HalGetInterruptVector] D103FCE1
IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!HalTranslateBusAddress] 2E7E8366
IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!KeStallExecutionProcessor] 8D1C7400
IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!KfReleaseSpinLock] 83893204
IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00000218
IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!READ_PORT_USHORT] 2E4EB70F
IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 021C8B89
IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!WRITE_PORT_UCHAR] B70F0000
IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[WMILIB.SYS!WmiSystemControl] 03D00304
IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[WMILIB.SYS!WmiCompleteRequest] 0CB389F2

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A8621F8
Device \FileSystem\Fastfat \FatCdrom 897F9500
Device \Driver\sptd \Device\322869262 spgg.sys
Device \Driver\usbohci \Device\USBPDO-0 8A65A1F8
Device \Driver\PCI_PNP5512 \Device\00000051 spgg.sys
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A8D31F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A8D31F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A8D31F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A8D31F8
Device \Driver\usbohci \Device\USBPDO-1 8A65A1F8
Device \Driver\usbohci \Device\USBPDO-2 8A65A1F8
Device \Driver\usbohci \Device\USBPDO-3 8A65A1F8
Device \Driver\usbohci \Device\USBPDO-4 8A65A1F8
Device \Driver\usbehci \Device\USBPDO-5 8A6111F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A8641F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{72702F06-F450-47C2-A1C4-7D228F1326A7} 8A2BF500
Device \Driver\Cdrom \Device\CdRom0 8A6051F8
Device \Driver\Cdrom \Device\CdRom1 8A6051F8
Device \Driver\atapi \Device\Ide\IdePort0 8A8631F8
Device \Driver\atapi \Device\Ide\IdePort1 8A8631F8
Device \Driver\atapi \Device\Ide\IdePort2 8A8631F8
Device \Driver\atapi \Device\Ide\IdePort3 8A8631F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-12 8A8631F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-a 8A8631F8
Device \Driver\Cdrom \Device\CdRom2 8A6051F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A2BF500
Device \Driver\USBSTOR \Device\00000083 897AF1F8
Device \Driver\USBSTOR \Device\00000084 897AF1F8
Device \Driver\NetBT \Device\NetbiosSmb 8A2BF500
Device \Driver\NetBT \Device\NetBT_Tcpip_{A902EF5F-D631-4E5B-ACE8-4A99B0A65BC1} 8A2BF500
Device \Driver\usbohci \Device\USBFDO-0 8A65A1F8
Device \Driver\usbohci \Device\USBFDO-1 8A65A1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 899071F8
Device \Driver\TwoRabts \Device\0000007b 8A4BF500
Device \Driver\usbohci \Device\USBFDO-2 8A65A1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 899071F8
Device \Driver\usbohci \Device\USBFDO-3 8A65A1F8
Device \Driver\usbohci \Device\USBFDO-4 8A65A1F8
Device \Driver\Ftdisk \Device\FtControl 8A8641F8
Device \Driver\usbehci \Device\USBFDO-5 8A6111F8
Device \Driver\cdspacex \Device\Scsi\cdspacex1Port5Path0Target0Lun0 899051F8
Device \Driver\adfgoq7j \Device\Scsi\adfgoq7j1 8A57C500
Device \Driver\adfgoq7j \Device\Scsi\adfgoq7j1Port4Path0Target0Lun0 8A57C500
Device \Driver\cdspacex \Device\Scsi\cdspacex1 899051F8
Device \FileSystem\Fastfat \Fat 897F9500
Device \FileSystem\Cdfs \Cdfs 8A417500

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x36 0x48 0xDC 0x66 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x9A 0x96 0x1F 0xAC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x45 0x95 0x76 0x3C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x36 0x48 0xDC 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x84 0x6A 0x61 0xAF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x31 0x63 0x71 0x04 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x36 0x48 0xDC 0x66 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x84 0x6A 0x61 0xAF ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x31 0x63 0x71 0x04 ...

---- EOF - GMER 1.0.14 ----

#8
sjpritch25
Posted 28 January 2009 - 11:04 PM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
Okay good that got the rooter. How is everything running
Microsoft Valuable Professional---MVP Consumer Security 2007-2010
Windows 7 Ultimate 64bit
Gigabyte P55A-UD4P Motherboard Intel i5 750 G.SKILL Ripjaws Series 4GB DDR3 1333 1TB WD 32mb cache
60gb OCZ Vertex Turbo SSD (BOOT drive)Noctua NH-U12P SE2 HeatsinkAntec P183 Case

#9
sjpritch25
Posted 28 January 2009 - 11:16 PM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
Okay it looks like you may have an infected userinit.exe file.

Download the attached file godsendxd.zip, Unzip/Extract look.bat to your Desktop. Double-Click on lookbat, the command prompt will appear and disappear. In your next reply, please include the look.txt contents. Thanks

Attached Files


Microsoft Valuable Professional---MVP Consumer Security 2007-2010
Windows 7 Ultimate 64bit
Gigabyte P55A-UD4P Motherboard Intel i5 750 G.SKILL Ripjaws Series 4GB DDR3 1333 1TB WD 32mb cache
60gb OCZ Vertex Turbo SSD (BOOT drive)Noctua NH-U12P SE2 HeatsinkAntec P183 Case

#10
godsendxd
Posted 29 January 2009 - 12:57 AM

    New Member

  • Members
  • Pip
  • 6 posts
Volume in drive C has no label.
Volume Serial Number is 5CA4-B134

Directory of C:\WINDOWS\system32

01/25/2009 06:19 AM 125,440 userinit.exe
1 File(s) 125,440 bytes

Directory of C:\WINDOWS\system32\dllcache

01/25/2009 06:19 AM 125,440 userinit.exe
1 File(s) 125,440 bytes

Total Files Listed:
2 File(s) 250,880 bytes
0 Dir(s) 192,150,372,352 bytes free

#11
sjpritch25
Posted 29 January 2009 - 11:28 PM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
Download Combofix from this webpage: http://www.bleepingc...to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Microsoft Valuable Professional---MVP Consumer Security 2007-2010
Windows 7 Ultimate 64bit
Gigabyte P55A-UD4P Motherboard Intel i5 750 G.SKILL Ripjaws Series 4GB DDR3 1333 1TB WD 32mb cache
60gb OCZ Vertex Turbo SSD (BOOT drive)Noctua NH-U12P SE2 HeatsinkAntec P183 Case

#12
godsendxd
Posted 30 January 2009 - 08:43 PM

    New Member

  • Members
  • Pip
  • 6 posts
ComboFix 09-01-21.04 - Administrator 2009-01-30 7:21:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1461 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\998.exe
c:\windows\system32\pdaqbalk.ini
c:\windows\system32\senekaptvviguy.dat
c:\windows\system32\senekawfpshfep.dat
c:\windows\system32\test.ttt
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\Tasks\iwzidfxa.job

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\init32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))
.

2009-01-28 16:31 . 2009-01-28 16:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Musicnotes
2009-01-23 15:08 . 2009-01-23 15:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-01-23 14:55 . 2009-01-23 14:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-26 13:23 . 2008-12-26 13:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2008-12-25 08:29 . 2008-12-25 08:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 08:28 . 2008-12-25 08:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2508-01-09 20:32 --------- d-----w c:\program files\DIFX
2508-01-09 20:20 17,801 ----a-w c:\windows\system32\drivers\AegisP.sys
2508-01-09 20:20 --------- d-----w c:\program files\Linksys Wireless-G PCI Adapter with SRX
2508-01-09 20:12 --------- d-----w c:\program files\microsoft frontpage
2009-01-30 12:26 --------- d-----w c:\program files\Steam
2009-01-30 12:25 --------- d-----w c:\documents and settings\Administrator\Application Data\Vidalia
2009-01-30 12:25 --------- d-----w c:\documents and settings\Administrator\Application Data\tor
2009-01-30 12:25 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2009-01-28 21:31 --------- d-----w c:\program files\Musicnotes
2009-01-28 18:59 --------- d-----w c:\program files\World of Warcraft
2009-01-28 09:51 --------- d-----w c:\program files\Warcraft III
2009-01-25 23:04 --------- d-----w c:\program files\Trend Micro
2009-01-23 21:22 --------- d-----w c:\program files\reFX
2009-01-23 20:42 --------- d-----w c:\program files\DAEMON Tools Lite
2009-01-23 20:36 --------- d-----w c:\program files\DAEMON Tools Toolbar
2009-01-23 20:33 --------- d-----w c:\documents and settings\Administrator\Application Data\DAEMON Tools Pro
2009-01-23 20:33 --------- d-----w c:\documents and settings\Administrator\Application Data\DAEMON Tools Lite
2009-01-23 20:33 --------- d-----w c:\documents and settings\Administrator\Application Data\DAEMON Tools
2009-01-23 19:55 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-23 19:55 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-23 19:37 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-01-14 21:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 21:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-31 00:50 --------- d-----w c:\program files\Diablo II
2008-12-28 06:49 --------- d-----w c:\program files\Native Instruments
2008-12-28 06:49 --------- d-----w c:\program files\Common Files\Native Instruments
2008-12-26 21:53 137,688 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-25 15:49 --------- d-----w c:\program files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2008-12-25 13:29 --------- d-----w c:\program files\iTunes
2008-12-25 13:29 --------- d-----w c:\program files\iPod
2008-12-25 13:29 --------- d-----w c:\program files\Common Files\Apple
2008-12-25 13:29 --------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
2008-12-25 13:28 --------- d-----w c:\program files\QuickTime
2008-12-25 13:26 --------- d-----w c:\program files\Apple Software Update
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-05-04 10:07 22,328 ----a-w c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"AIM"="c:\program files\AIM\aim.exe" [2004-06-07 61440]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2007-11-22 12889088]
"Steam"="c:\program files\steam\steam.exe" [2008-10-09 1410296]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-12-27 2356088]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-07-09 36352]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"BigDog303"="c:\windows\VM303_STI.EXE" [2005-06-23 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-30 185872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-06-18 147456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
LCDPlayer.lnk - c:\program files\SPACE INTERNATIONAL\CDSpace 5\LCDPlyer.exe [2008-03-13 323584]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=nlycoo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Steam\\steamapps\\godsendxd\\counter-strike\\hl.exe"=

R1 XSPACEWG;XSPACEWG;c:\windows\system32\drivers\XSpaceWg.sys [2008-03-13 3543]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008-02-24 37376]
R3 cdspacex;cdspacex;c:\windows\system32\drivers\CDSPACEX.sys [2008-03-13 22571]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2008-07-09 31616]
R3 TwoRabts;Two Rabbits Live Bus;c:\windows\system32\drivers\TwoRabts.sys [2008-03-13 11120]
R4 WMP54GXSVC;WMP54GXSVC;c:\program files\Linksys Wireless-G PCI Adapter with SRX\WLService.exe [2508-01-09 41025]
S3 MA763010;M-Audio Fast Track;c:\windows\system32\drivers\MA763010.sys [2008-07-29 30848]
S3 XDva037;XDva037;\??\c:\windows\system32\XDva037.sys --> c:\windows\system32\XDva037.sys [?]
S3 XDva039;XDva039;\??\c:\windows\system32\XDva039.sys --> c:\windows\system32\XDva039.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DriverUpdaterPro - c:\program files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe
Notify-mlJBTlMD - mlJBTlMD.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
Trusted Zone: aol.com\free
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\qlmsgevy.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\qlmsgevy.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-30 07:26:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@?9????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\windows\system32\CLBCATQ.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Vidalia Bundle\Tor\tor.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Linksys Wireless-G PCI Adapter with SRX\WMP54GX.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\iTunes\iTunes.exe
.
**************************************************************************
.
Completion time: 2009-01-30 7:30:15 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2009-01-30 12:30:13

Pre-Run: 192,004,530,176 bytes free
Post-Run: 194,787,844,096 bytes free

191 --- E O F --- 2009-01-15 08:00:56



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:21 PM, on 1/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\SPACE INTERNATIONAL\CDSpace 5\LCDPlyer.exe
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G PCI Adapter with SRX\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Adapter with SRX\WMP54GX.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: LCDPlayer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: nlycoo.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
O23 - Service: Fast Track Installer (FastTrackInstallerService) - Unknown owner - C:\Program Files\M-Audio Fast Track\GBInst.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: WMP54GXSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Adapter with SRX\WLService.exe

--
End of file - 6522 bytes

#13
sjpritch25
Posted 30 January 2009 - 11:57 PM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
i attached a file named godsendxd1.zip, unzip/extract appinifix.reg to your desktop. Double-Click on apinifix.reg and allow it to be merged into Windows registry. Reboot your computer

Please update MBAM, run a quick scan, and post the results along with a fresh HIjackthis log. Thanks

Attached Files


Microsoft Valuable Professional---MVP Consumer Security 2007-2010
Windows 7 Ultimate 64bit
Gigabyte P55A-UD4P Motherboard Intel i5 750 G.SKILL Ripjaws Series 4GB DDR3 1333 1TB WD 32mb cache
60gb OCZ Vertex Turbo SSD (BOOT drive)Noctua NH-U12P SE2 HeatsinkAntec P183 Case

#14
AdvancedSetup
Posted 03 February 2009 - 09:13 AM

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,574 posts
  • Gender:Male
  • Location:US
Please post a status update on this.
Ron Lewis
Manager, Online Support

Posted Image

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#15
AdvancedSetup
Posted 04 February 2009 - 08:10 AM

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,574 posts
  • Gender:Male
  • Location:US
Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
Ron Lewis
Manager, Online Support

Posted Image

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.
Back to Resolved HijackThis Logs · Next Unread Topic →


1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Malwarebytes Forum
  2. Computer Help
  3. Malware Removal - HijackThis Logs
  4. Resolved HijackThis Logs

Products

About

Partners

Follow Us