Full Version: Can't install any programs; "file is corrupt", please help!
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
chambershex
Hey,

Recently, I suspected I had a virus after strange things were happening when browsing the internet; sometimes pages would only load with text (basic, white backgrounds etc.)... Also I'm connected through a university proxy, so when I first open up either Firefox or IE a pop-up box comes in where I have to key in my username and password etc... but in conjunction with the other browser problems the pop-up box started to come in many times, even when I clicked the cross, as though a program is trying to connect or something??? I can download things fine, however the main problem is when I try to install any anti-virus or other unrelated programs it will always come up with (paraphrasing) "The source file is corrupt" or something similar. Also I can't update AVG or any of programs, in its outdated state AVG doesn't pick up anything regardless. Initially HijackThis wasn't installing either, but for some reason I tried later and I managed to install it and get the log. Thanks SO MUCH for any help!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:00 PM, on 16/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Applications\DAEMON Tools\daemon.exe
C:\Applications\Cyberlink PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Applications\DVD Region Killer\RegKillTray.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Applications\WinZip\WZQKPICK.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.usyd.edu.au/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://www-cache.usyd.edu.au:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\iiNet Web Accelerator\prpl_IePopupBlocker.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [Tvs] "C:\Program Files\Toshiba\Tvs\TvsTray.exe"
O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" /logon
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Applications\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Applications\Cyberlink PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Applications\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "C:\Applications\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Applications\Photoshop Lightroom\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Ubisoft register.lnk = C:\Games\Chess Master 10th\Register\register\schedule.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Applications\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Unknown owner - C:\WINDOWS\system32\AvidSDMService.exe (file missing)
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Applications\Perfect Disk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Applications\Perfect Disk\PDSched.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 10704 bytes
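A first-pass triage of a HijackThis v2 log like the one above, as an added example (not part of the original thread and not HijackThis's own code): it splits entries by section code and flags the ones a helper usually looks at first, namely entries HijackThis marked `(file missing)` or `(no file)`, services listed with `Unknown owner`, and `Run` values that give a bare file name with no path. The sample lines are copied from the log above; the function names and the flag wording are assumptions made for this example.

```python
import re
from collections import Counter

# A subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://www-cache.usyd.edu.au:8080
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\iiNet Web Accelerator\prpl_IePopupBlocker.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O23 - Service: Avid SDM Service (AvidSDMService) - Unknown owner - C:\WINDOWS\system32\AvidSDMService.exe (file missing)
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# An entry line is "<section code> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 registry autoruns look like "HKLM\..\Run: [ValueName] command line".
RUN_RE = re.compile(r"^[^:]+: \[[^\]]*\] (?P<cmd>.+)$")


def parse_entries(text):
    """Return one dict per R*/O* entry; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        guid = GUID_RE.search(body)
        entries.append({
            "code": m.group("code"),
            "body": body,
            "guid": guid.group(0) if guid else None,
        })
    return entries


def _executable(cmd):
    """First token of a command line, honouring a leading quoted path."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def review_notes(entry):
    """Reasons an entry deserves a closer look (assumed wording, not HJT's)."""
    notes = []
    code, body = entry["code"], entry["body"]
    if body.endswith("(file missing)") or body.endswith("(no file)"):
        notes.append("orphaned: target file not on disk")
    if code == "O2" and "(no name)" in body:
        notes.append("BHO has no registered name")
    if code == "O23" and " - Unknown owner - " in body:
        notes.append("no vendor reported for the service binary")
    if code == "O4":
        m = RUN_RE.match(body)
        if m and "\\" not in _executable(m.group("cmd")):
            notes.append("autorun has no path: resolved through the search path")
    return notes


def triage(text):
    """Entries with at least one note, in log order."""
    flagged = []
    for entry in parse_entries(text):
        notes = review_notes(entry)
        if notes:
            flagged.append({**entry, "notes": notes})
    return flagged


def section_counts(text):
    """Number of entries per section code (R0, O2, O4, O23, ...)."""
    return dict(Counter(e["code"] for e in parse_entries(text)))


if __name__ == "__main__":
    print(section_counts(SAMPLE_LOG))
    for item in triage(SAMPLE_LOG):
        print(item["code"], "|", item["body"])
        for note in item["notes"]:
            print("    -", note)
```

A flag here only marks an entry for review; many orphaned or ownerless entries are leftovers from uninstalled software rather than malware.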
chambershex
Just another note (this is NOT an intentional bump, I forgot to include important info)

I ran ComboFix after reading through other posts with similar problems (I know I probably shouldn't have done this without supervision), but the following files were deleted:

c:\program files\Mozilla Firefox\plc4.dll
c:\windows\system32\HQDLAPI.dll
c:\windows\system32\lsp.dll

The first is a legitimate component of Firefox, and as such Firefox no longer works (not a problem though, I can reinstall later). I'm not sure about the middle file, I can't find much info on it, but the last one is a browser hijacker. And not surprisingly I no longer get the pop-up box jumping in all the time... so it seems at least that part of the problem is fixed (or partially at least). However, the corrupt file problem and the other browser issues are still there, so I would really appreciate some help whenever someone is available.

The above HijackThis log was taken after the ComboFix scan (maybe that's how I got HijackThis to work???).
screen317
Hi and welcome to Malwarebytes.

Please post the log from C:\ComboFix.txt


After that, please go to this website, and complete the form as follows:



Link to topic where this file was requested: http://www.malwarebytes.org/forums/index.php?showtopic=24864

Browse to the file you want to submit:

Click Browse, and navigate to the following file:

C:\Qoobox\quarantine\c\program files\Mozilla Firefox\plc4.dll

Leave any comments, further information about this file, or contact information: ComboFix false positive

-screen317
chambershex
Hi, thanks so much for quick reply.

Here is the combofix log I took the other day:



ComboFix 09-09-14.02 - Andris 16/09/2009 21:15.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.204 [GMT 10:00]
Running from: c:\documents and settings\Andris\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\plc4.dll
c:\windows\system32\HQDLAPI.dll
c:\windows\system32\lsp.dll

.
((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))
.

2009-09-16 10:01 . 2009-09-16 10:01 10520 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-16 10:01 . 2009-09-16 10:01 107912 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-16 10:01 . 2009-09-16 10:01 325640 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-16 10:01 . 2009-09-16 10:01 27656 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-16 10:01 . 2009-09-16 10:01 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-16 09:16 . 2009-09-16 09:16 -------- d-----w- c:\program files\Panda Security
2009-09-16 09:16 . 2009-09-16 09:16 -------- d-----w- c:\windows\LastGood.Tmp
2009-09-16 08:51 . 2009-09-16 08:51 -------- d-----w- c:\program files\Trend Micro
2009-09-16 08:47 . 2009-09-10 04:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-11 22:49 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-16 10:01 . 2009-06-02 02:18 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-14 00:16 . 2008-03-18 01:43 -------- d-----w- c:\program files\Lx_cats
2009-08-05 09:11 . 2005-12-21 21:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-30 23:57 . 2009-07-30 23:57 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Juniper Networks
2009-07-17 18:55 . 2005-12-21 21:14 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 13:43 . 2005-12-21 21:15 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 15:59 . 2005-12-21 21:15 668160 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 15:59 . 2005-12-21 21:14 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 18:36 . 2005-12-21 21:14 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2005-12-21 21:14 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2005-12-21 21:14 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2005-12-21 21:14 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2005-12-21 21:14 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2005-12-21 21:14 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2005-12-21 21:14 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2005-12-21 21:14 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2005-12-21 21:14 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2005-12-21 21:14 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2005-12-21 21:14 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2005-12-21 21:14 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-22 11:49 . 2005-12-21 21:14 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2005-12-21 21:14 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2005-12-21 21:14 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2005-12-21 21:14 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-10 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"DAEMON Tools"="c:\applications\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"RemoteControl"="c:\applications\Cyberlink PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-24 132496]
"RegKillElbyCheck"="c:\applications\DVD Region Killer\ElbyCheck.exe" [2002-11-02 45056]
"RegKillTray"="c:\applications\DVD Region Killer\RegKillTray.exe" [2002-11-27 49152]
"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
"Adobe Photo Downloader"="c:\applications\Photoshop Lightroom\apdproxy.exe" [2008-03-06 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2006-12-08 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-16 1932568]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-10-14 88203]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-12-09 15691264]
"NDSTray.exe"="NDSTray.exe" [BU]
"TDispVol"="TDispVol.exe" - c:\windows\system32\TDispVol.exe [2005-03-11 73728]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-05-31 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-7-25 113664]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-12-22 155648]
WinZip Quick Pick.lnk - c:\applications\WinZip\WZQKPICK.EXE [2006-12-11 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-16 10:01 10520 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI1"=diomidi.dll
"wave2"=Digi32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Applications\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Valve\\Condition Zero\\czero.exe"=
"c:\\Applications\\Combustion\\combustion.exe"=
"c:\\Applications\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Real Alternative\\Media Player Classic\\mplayerc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFi~1.sys [10/10/2006 2:35 PM 20992]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [16/09/2009 8:01 PM 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [16/09/2009 8:01 PM 107912]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [16/09/2009 8:01 PM 298264]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [26/05/2008 3:07 PM 11776]
R3 RegKill;RegKill;c:\windows\system32\drivers\RegKill.sys [28/11/2002 7:46 AM 6400]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [8/02/2007 10:38 AM 20352]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys --> c:\windows\system32\drivers\pavboot.sys [?]
S2 PDSched;PDScheduler;c:\applications\Perfect Disk\PDSched.exe [28/06/2005 2:07 PM 241731]
S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\drivers\cmusbnet.sys [8/02/2007 11:11 AM 81152]
S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [8/02/2007 11:11 AM 90368]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [10/10/2006 2:35 PM 73216]
S3 DCM300;ScopeTek DCM300 Driver;c:\windows\system32\drivers\dcm300.sys [25/12/2007 8:19 PM 13312]
S3 RDID1009;EDIROL UM-1;c:\windows\system32\drivers\Rdwm1009.sys [15/11/2008 2:34 PM 79393]
S3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\slnt7554.sys [15/08/2006 6:52 PM 129535]
.
Contents of the 'Scheduled Tasks' folder

2009-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 03:57]

2009-09-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-10 06:19]

2009-09-16 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-03 11:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = hxxp://www-cache.usyd.edu.au:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Andris\Application Data\Mozilla\Firefox\Profiles\p9be4xmc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.news.google.com/
FF - prefs.js: network.proxy.http - http://www-cache.usyd.edu.au
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPInfotl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Propel Accelerator - c:\program files\iiNet Web Accelerator\trayctl.exe
HKLM-Run-BigPondWirelessBroadbandCM - c:\program files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe
HKLM-Run-Antiy Auto Update - c:\program files\Antiy Labs\Alive\ALiveCenter.exe
AddRemove-CANONBJ_Deinstall_CNMCP64.DLL - c:\windows\system32\CNMCP64.exe -PRINTERNAMECanon PIXMA iP4000 -HELPERDLLc:\bjprinter\CNMWINDOWS\Canon PIXMA iP4000 Installer\Inst2\cnmis.dll
AddRemove-Power Saver - c:\windows\IsUninst.exe -fc:\program files\TOSHIBA\Power Saver\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 21:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Antiy Auto Update = c:\program files\Antiy Labs\Alive\ALiveCenter.exe????????? ?????x?=?x?=????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2744)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\lxcgcoms.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-09-16 21:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-16 11:27

Pre-Run: 5,631,053,824 bytes free
Post-Run: 6,238,081,024 bytes free

222 --- E O F --- 2009-09-13 00:58
chambershex
Also the file was submitted successfully.
screen317
Hi,

Thanks for submitting it-- it is currently being examined.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Please download this file and save it as it's originally named, next to ComboFix.exe.





Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, it will ask you whether or not to continue with the malware scan. Select Yes, and post the resultant log.


-screen317
chambershex
Hi,

I tried to download the new combofix, but I can't install it? I keep getting the "file is corrupt" thing. I don't know why it worked last time, but changing the name of it doesn't seem to help either.

chambershex
More specifically I tried to download it name unchanged (didn't work), then changed it to chambershex.exe (didn't work), and also tried chambershex.bat (still didn't work)... I hate malware!
screen317
Hmm.

Download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post the one that is not minimized.


Next, please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

-screen317
chambershex
Hey, DDS can't be installed ("some installation files might be corrupt"). Kaspersky also doesn't work (as do none of the online scanners, probably because they have to be downloaded and this virus is corrupting the download). However the error msg was slightly different (attached picture).
screen317
I fear that you have a file infector installed.

Does that error come up when you double-click any .exe file? What happens if you change the extension from .exe to .com?
chambershex
Well the weird thing is, is that certain downloaded programs can't install. For instance win32kdiag works and so does rootrepeal, which are both .exe files (should I post these logs?). Also for some reason one copy of ComboFix worked last time (hence the log), but now the new version doesn't. I tried changing a downloaded file to .com but the same "corrupt" msg comes up. It's corrupting the file in the download process, because when I watch streamed videos online, they have glitches (corruptions) as well.
screen317
Re-run Win32kDiag and RootRepeal; post their logs.
chambershex
Success! I changed the dds name to .com at the 'save as' screen and the program works (coincidence maybe?). Here's the log (btw thanks heaps for your time and effort thus far):


DDS (Ver_09-07-30.01) - NTFSx86
Run by Andris at 13:32:00.90 on Sun 20/09/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.135 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Applications\DAEMON Tools\daemon.exe
C:\Applications\Cyberlink PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Applications\DVD Region Killer\RegKillTray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Applications\Photoshop Lightroom\apdproxy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Applications\WinZip\WZQKPICK.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Andris\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = hxxp://www-cache.usyd.edu.au:8080
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {656ec4b7-072b-4698-b504-2a414c1f0037} - IE_PopupBlocker Class
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [TOSCDSPD] "c:\program files\toshiba\toscdspd\toscdspd.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NDSTray.exe] NDSTray.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [SmoothView] "c:\program files\toshiba\toshiba zooming utility\SmoothView.exe"
mRun: [Tvs] "c:\program files\toshiba\tvs\TvsTray.exe"
mRun: [THotkey] "c:\program files\toshiba\toshiba applet\thotkey.exe"
mRun: [TDispVol] TDispVol.exe
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [TPSMain] TPSMain.exe
mRun: [Easy-PrintToolBox] "c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE" /logon
mRun: [DAEMON Tools] "c:\applications\daemon tools\daemon.exe" -lang 1033
mRun: [RemoteControl] "c:\applications\cyberlink powerdvd\PDVDServ.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [RegKillElbyCheck] "c:\applications\dvd region killer\ElbyCheck.exe" /L RegKill
mRun: [RegKillTray] "c:\applications\dvd region killer\RegKillTray.exe"
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16
mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe"
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [Adobe Photo Downloader] "c:\applications\photoshop lightroom\apdproxy.exe"
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\applications\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andris\applic~1\mozilla\firefox\profiles\p9be4xmc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.news.google.com/
FF - prefs.js: network.proxy.http - http://www-cache.usyd.edu.au
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPInfotl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFi~1.sys [2006-10-10 20992]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-16 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-16 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-16 107912]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-16 298264]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2008-5-26 11776]
R3 RegKill;RegKill;c:\windows\system32\drivers\RegKill.sys [2002-11-28 6400]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [2007-2-8 20352]
S2 PDSched;PDScheduler;c:\applications\perfect disk\PDSched.exe [2005-6-28 241731]
S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\drivers\cmusbnet.sys [2007-2-8 81152]
S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [2007-2-8 90368]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2006-10-10 73216]
S3 DCM300;ScopeTek DCM300 Driver;c:\windows\system32\drivers\dcm300.sys [2007-12-25 13312]
S3 RDID1009;EDIROL UM-1;c:\windows\system32\drivers\Rdwm1009.sys [2008-11-15 79393]
S3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\slnt7554.sys [2006-8-15 129535]

=============== Created Last 30 ================

2009-09-18 18:36 <DIR> --d----- C:\32788R22FWJFV
2009-09-18 16:56 <DIR> --d----- c:\program files\Yahoo!
2009-09-18 16:56 <DIR> --d----- c:\program files\CCleaner
2009-09-18 15:25 <DIR> --d----- c:\program files\Eusing Free Registry Cleaner
2009-09-18 14:05 <DIR> a-dshr-- C:\cmdcons
2009-09-17 14:10 29,576 a------- C:\MGlogs.zip
2009-09-17 14:10 <DIR> --d----- C:\MGtools
2009-09-16 21:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-16 21:13 229,888 a------- c:\windows\PEV.exe
2009-09-16 21:13 161,792 a------- c:\windows\SWREG.exe
2009-09-16 21:13 98,816 a------- c:\windows\sed.exe
2009-09-16 20:01 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-09-16 20:01 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-09-16 20:01 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-09-16 20:01 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-09-16 19:16 <DIR> --d----- c:\program files\Panda Security
2009-09-16 18:51 <DIR> --d----- c:\program files\Trend Micro
2009-09-16 18:47 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-13 12:50 54,156 a---h--- c:\windows\QTFont.qfn
2009-09-13 12:50 1,409 a------- c:\windows\QTFont.for
2009-09-12 08:49 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-08-05 19:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-18 04:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-06-27 01:59 668,160 -------- c:\windows\system32\wininet.dll
2009-06-27 01:59 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-26 04:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-26 04:36 517,120 a------- c:\windows\system32\mqsnap.dll
2009-06-26 04:36 471,552 a------- c:\windows\system32\mqutil.dll
2009-06-26 04:36 225,280 a------- c:\windows\system32\mqoa.dll
2009-06-26 04:36 186,880 a------- c:\windows\system32\mqtrig.dll
2009-06-26 04:36 177,152 a------- c:\windows\system32\mqrt.dll
2009-06-26 04:36 138,240 a------- c:\windows\system32\mqad.dll
2009-06-26 04:36 123,392 a------- c:\windows\system32\mqrtdep.dll
2009-06-26 04:36 95,744 a------- c:\windows\system32\mqsec.dll
2009-06-26 04:36 48,640 a------- c:\windows\system32\mqupgrd.dll
2009-06-26 04:36 47,104 a------- c:\windows\system32\mqdscli.dll
2009-06-26 04:36 16,896 a------- c:\windows\system32\mqise.dll
2009-06-22 21:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 21:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 21:49 4,608 a------- c:\windows\system32\mqsvc.exe

============= FINISH: 13:32:38.85 ===============
chambershex
Here's the rootrepeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/20 13:11
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 00000052
Image Path: \Driver\00000052
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA755000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF9465000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9160000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "sptd.sys" at address 0xf8e57b3a

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf8e57c7e

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf8e57ff6

#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xf8e57a18

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf8e580c0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xf8e57f58

#: 247 Function Name: NtSetValueKey
Status: Hooked by "sptd.sys" at address 0xf8e58148

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8378eeb0 Size: 15

Object: Hidden Code [Driver: Udfsȅ䵃慄ȁః瑎て, IRP_MJ_CREATE]
Process: System Address: 0x834b50e8 Size: 15

Object: Hidden Code [Driver: Udfsȅ䵃慄ȁః瑎て, IRP_MJ_CLOSE]
Process: System Address: 0x834b50e8 Size: 15

Object: Hidden Code [Driver: Udfsȅ䵃慄ȁః瑎て, IRP_MJ_READ]
Process: System Address: 0x834b50e8 Size: 15

Object: Hidden Code [Driver: Udfsȅ䵃慄ȁః瑎て, IRP_MJ_WRITE]
Process: System Address: 0x834b50e8 Size: 15

Object: Hidden Code [Driver: Udfsȅ䵃慄ȁః瑎て, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x834b50e8 Size: 15

Object: Hidden Code [Driver: Udfsȅ䵃慄ȁః瑎て, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x834b50e8 Size: 15

Object: Hidden Code [Driver: Udfsȅ䵃慄ȁః瑎て, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x834b50e8 Size: 15

Object: Hidden Code [Driver: Udfsȅ䵃慄ȁః瑎て, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x834b50e8 Size: 15

Object: Hidden Code [Driver: Udfsȅ䵃慄ȁః瑎て, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x834b50e8 Size: 15

Object: Hidden Code [Driver: Udfsȅ䵃慄ȁః瑎て, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x834b50e8 Size: 15

Object: Hidden Code [Driver: Udfsȅ䵃慄ȁః瑎て, IRP_MJ_CLEANUP]
Process: System Address: 0x834b50e8 Size: 15

Object: Hidden Code [Driver: Udfsȅ䵃慄ȁః瑎て, IRP_MJ_PNP]
Process: System Address: 0x834b50e8 Size: 15

Object: Hidden Code [Driver: meiudf, IRP_MJ_CREATE]
Process: System Address: 0x8335f0e8 Size: 15

Object: Hidden Code [Driver: meiudf, IRP_MJ_CLOSE]
Process: System Address: 0x8335f0e8 Size: 15

Object: Hidden Code [Driver: meiudf, IRP_MJ_READ]
Process: System Address: 0x8335f0e8 Size: 15

Object: Hidden Code [Driver: meiudf, IRP_MJ_WRITE]
Process: System Address: 0x8335f0e8 Size: 15

Object: Hidden Code [Driver: meiudf, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8335f0e8 Size: 15

Object: Hidden Code [Driver: meiudf, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8335f0e8 Size: 15

Object: Hidden Code [Driver: meiudf, IRP_MJ_QUERY_EA]
Process: System Address: 0x8335f0e8 Size: 15

Object: Hidden Code [Driver: meiudf, IRP_MJ_SET_EA]
Process: System Address: 0x8335f0e8 Size: 15

Object: Hidden Code [Driver: meiudf, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8335f0e8 Size: 15

Object: Hidden Code [Driver: meiudf, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8335f0e8 Size: 15

Object: Hidden Code [Driver: meiudf, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8335f0e8 Size: 15

Object: Hidden Code [Driver: meiudf, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8335f0e8 Size: 15

Object: Hidden Code [Driver: meiudf, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8335f0e8 Size: 15

Object: Hidden Code [Driver: meiudf, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8335f0e8 Size: 15

Object: Hidden Code [Driver: meiudf, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8335f0e8 Size: 15

Object: Hidden Code [Driver: meiudf, IRP_MJ_CLEANUP]
Process: System Address: 0x8335f0e8 Size: 15

Object: Hidden Code [Driver: meiudf, IRP_MJ_PNP]
Process: System Address: 0x8335f0e8 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x835080e8 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x835080e8 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x835080e8 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x835080e8 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x835080e8 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x835080e8 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x835080e8 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x835080e8 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x835080e8 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x835080e8 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x835080e8 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_CREATE]
Process: System Address: 0x8355b0e8 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_CLOSE]
Process: System Address: 0x8355b0e8 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8355b0e8 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8355b0e8 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_POWER]
Process: System Address: 0x8355b0e8 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8355b0e8 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_PNP]
Process: System Address: 0x8355b0e8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_CREATE]
Process: System Address: 0x8378e0e8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_CLOSE]
Process: System Address: 0x8378e0e8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_READ]
Process: System Address: 0x8378e0e8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_WRITE]
Process: System Address: 0x8378e0e8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8378e0e8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8378e0e8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8378e0e8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8378e0e8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_POWER]
Process: System Address: 0x8378e0e8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8378e0e8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_PNP]
Process: System Address: 0x8378e0e8 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8378f660 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8378f660 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8378f660 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8378f660 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8378f660 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8378f660 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8378f660 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8378f660 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8378f660 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8378f660 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8378f660 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8378f918 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8378f918 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8378f918 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8378f918 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8378f918 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8378f918 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8378f918 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8378f918 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8378f918 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8378f918 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8378f918 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x832b24b0 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x832b24b0 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x832b24b0 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x832b24b0 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x832b24b0 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x832b24b0 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLOSE]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_WRITE]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_EA]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_EA]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SHUTDOWN]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLEANUP]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_SECURITY]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_POWER]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_QUOTA]
Process: System Address: 0x832ae788 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x833b84e8 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x833b84e8 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x833b84e8 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x833b84e8 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x833b84e8 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x833b84e8 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x833b84e8 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x833b84e8 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x833b84e8 Size: 15

==EOF==
chambershex
And sorry the windiag program seems to be malfunctioning. It says it does it successfully but then says:

"Log file is located at: C:\Documents and Settings\Andris\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!"

However, that's all that's in the log file???

screen317
Grab a fresh copy of ComboFix.

Before you download it, rename it to chambershex.bat

Save it to your Desktop.

Reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Navigate to Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\chambershex.bat" /killall

See if it runs now.

-screen317
chambershex
Na sorry it didn't work.

I'm thinking that if it is corrupting the file during the download (not during the installation), then that explains why the above won't work - because the damage has already been done to the file.

Is there some way to block it from interfering with the download? I've tried downloading in safe mode with networking but that doesn't work either...
screen317
Download it from another computer, then bring it over with a flash drive.
chambershex
I was hoping you wouldn't say that... a while ago when I tried to download some antivirus stuff to transfer to this computer (in order to try and get rid of the problem), in the process the other computer got infected as well (despite thorough scanning). So I can't download most files on either computer now. Any other ideas?
screen317
Yikes.

What browser are you using?

Try using Firefox if you're using IE, vice-versa.


If no joy, try this online scanner.

Please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.
  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.


-screen317
chambershex
Well I can't use firefox now, because combofix deleted that file that was integral to it working (I can't reinstall it either because of the corrupt bullshit). But I can tell you prior to using combofix both IE and firefox were suffering the same problems, so this is independent of a browser.

Also tried the scanner, didn't work. Didn't even begin downloading the required files. I have serious browser issues, almost every pg I visit is marked with the little "done but with errors on the page" triangle.
chambershex
I just had a ridiculous idea...after reading up a bit on data corruption I noticed a fair few sites were talking about causes due to connection issues... You don't think it's possible that the corruption is caused by a damaged ethernet cable? If you think about it something like that could explain everything: BOTH IE and firefox are affected equally, almost every file I download is corrupted (even if they are irrelevant to malware removal) regardless of file type, streaming videos, webpages and pictures all have glitches, and my other laptop suddenly got "infected", in retrospect, very soon after I plugged it in to the same ethernet cable...

It all seems to fit, and if it is the case, I'm extremely sorry for all your time that I will have wasted...
screen317
That very well may be the case.

Do you have another ethernet cable you could plug in and test that theory with?
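
One way to test the theory raised in the posts above without swapping hardware, shown as an added example that is not part of the original thread: download the same file more than once and compare the copies with each other and with the SHA-256 digest the vendor publishes. The function names, the block size and the sample bytes are assumptions constructed for this illustration.

```python
import hashlib

BLOCK = 4096  # comparison granularity in bytes (assumed; any size works)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_blocks(a: bytes, b: bytes, block: int = BLOCK) -> list:
    """Indexes of the blocks in which two copies differ; extra length counts."""
    longest = max(len(a), len(b))
    return [off // block for off in range(0, longest, block)
            if a[off:off + block] != b[off:off + block]]


def classify(copies: list, expected_sha256: str) -> str:
    """Compare repeated downloads of one file against its published digest."""
    digests = [sha256_hex(c) for c in copies]
    if all(d == expected_sha256.lower() for d in digests):
        return "intact"
    if len(set(digests)) == 1:
        # Same wrong bytes every time: wrong file, stale mirror, or something
        # rewriting the content in a repeatable way.
        return "consistent-mismatch"
    # Each fetch is damaged differently: points at the transport or hardware.
    return "inconsistent"


def make_samples():
    """Constructed data standing in for a published file and two bad fetches."""
    reference = bytes(range(256)) * 64          # 16 KiB stand-in "installer"
    first, second = bytearray(reference), bytearray(reference)
    first[5000] ^= 0x01                         # single bit flipped in block 1
    second[13000] ^= 0x80                       # different bit, block 3
    return reference, bytes(first), bytes(second)


if __name__ == "__main__":
    ref, one, two = make_samples()
    print(classify([one, two], sha256_hex(ref)))
    print(differing_blocks(one, two))
```

With real downloads, read each saved copy in binary mode and pass the bytes to `classify`; an "inconsistent" result across several fetches is a hint toward the link rather than proof, so confirm it over a different connection.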
chambershex
Unfortunately not at the moment... but by Saturday I will be able to use this computer with wireless internet (thereby getting the cable out of the picture), so I can report back to you then.

So unless there's anything else you think I should be doing in the meantime, do you think you could keep this thread open until sat/sun?

Cheers
screen317
Sure I'll keep the thread open. Keep me updated.
chambershex
QUOTE (screen317 @ Sep 23 2009, 12:54 AM) *
Sure I'll keep the thread open. Keep me updated.


Hey, yep I checked it with wireless and it works fine. Must be the cable. Thanks heaps for your time, sorry for the anti-climax haha... Btw I noticed you go to University of California, don't know Ramachandran by any chance do you? That guy's awesome!

Cheers
screen317
Hi,

Good to hear wireless works. I would much rather have an anti-climactic ending than an unsolvable problem..


Ramachandran teaches at UC San Diego if I'm not mistaken; I'm up at UCLA.


Please take the following steps to help prevent infection in the future:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

3) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.

6) Be sure to update your Antivirus and Antispyware programs often!


Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?



Take care,

-screen317
chambershex
Alright I will check out all of those things...Once again thanks so much for your help...



screen317
Glad we could help.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.