kp4cel Posted December 18, 2009 ID:172347 Share Posted December 18, 2009 Hello all first posting here, I downloaded and run Malwrebytes after it found three infections it lockup the computer, Avast Pro find Win32:Rootkit-gen[RTK] but it doesn't removed. Using Windows XP SP3: See attachment and DDS information:DS (Ver_09-12-01.01) - NTFSx86 Run by Administrator at 6:04:21.14 on Fri 12/18/2009Internet Explorer: 7.0.5730.13Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2206 [GMT -5:00]AV: avast! antivirus 4.8.1368 [VPS 091217-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}============== Running Processes ===============C:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcsC:\WINDOWS\system32\svchost.exe -k WudfServiceGroupsvchost.exesvchost.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\system32\spoolsv.exesvchost.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\system32\FortiSslvpnDaemon.exeC:\Program Files\Amateur Radio\Ham Radio Deluxe\HRDRemoteSvr.exeC:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\LogMeIn\x86\RaMaint.exeC:\Program Files\LogMeIn\x86\LogMeIn.exeC:\Program Files\LogMeIn\x86\LMIGuardian.exeC:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\MozyHome\mozybackup.exeC:\Program Files\Super_DVD_Creator_9.8\NMSAccessU.exeC:\Program Files\TrustedID\Identity Theft Protection\agent\Bin\SanaSafeConnectWatcher.exeC:\WINDOWS\system32\svchost.exe -k imgsvcC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\System32\vssvc.exeC:\WINDOWS\system32\SearchIndexer.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\rundll32.exeC:\WINDOWS\system32\igfxtray.exeC:\Program Files\TrustedID\Identity Theft Protection\agent\Bin\SanaAgent.exeC:\WINDOWS\system32\igfxsrvc.exeC:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\SMINST\Scheduler.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exeC:\WINDOWS\System32\DLA\DLACTRLW.EXEC:\Program Files\LogMeIn\x86\LogMeInSystray.exeC:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exeC:\Program Files\Logitech\Logitech WebCam Software\LWS.exeC:\Program Files\TrustedID\Identity Theft Protection\agent\bin\SanaSafeConnect.exeC:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exeC:\Program Files\LogMeIn\x86\LMIGuardian.exeC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\WINDOWS\system32\ctfmon.exeC:\ProWin09\32bit\TaskSch.exeC:\Program Files\TrueCrypt\TrueCrypt.exeC:\Program Files\Logitech\Logitech Vid\vid.exeC:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exeC:\Program Files\PFU\ScanSnap\CardMinder V3.1\CardLauncher.exeC:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exeC:\Program Files\MozyHome\mozystat.exeC:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exeC:\Program Files\Windows Desktop Search\WindowsSearch.exeC:\Program Files\Logitech\Z Cinema\Z Cinema.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeC:\WINDOWS\System32\svchost.exe -k HTTPFilterC:\Program Files\TrustedID\Identity Theft Protection\agent\bin\SanaMonitor.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\WINDOWS\system32\SearchProtocolHost.exeC:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr============== Pseudo HJT Report ===============uStart Page = hxxp://www.google.com/uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktopuInternet Connection Wizard,ShellNext = iexploreBHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dllBHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLLBHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dllBHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No FileBHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dllBHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dllTB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dllEB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dlluRun: [ctfmon.exe] c:\windows\system32\ctfmon.exeuRun: [TaskScheduler] c:\prowin09\32bit\TaskSch.exeuRun: [TrueCrypt] "c:\program files\truecrypt\TrueCrypt.exe" /q preferencesuRun: [Logitech Vid] "c:\program files\logitech\logitech vid\vid.exe" -bootmodeuRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -schedulermRun: [igfxTray] "c:\windows\system32\igfxtray.exe"mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"mRun: [Persistence] "c:\windows\system32\igfxpers.exe"mRun: [setRefresh] "c:\program files\compaq\setrefresh\SetRefresh.exe"mRun: [Recguard] "c:\windows\sminst\Recguard.exe"mRun: [scheduler] "c:\windows\sminst\Scheduler.exe"mRun: [hpbdfawep] "c:\program files\hp\dfawep\bin\hpbdfawep.exe" 1mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"mRun: [DLA] "c:\windows\system32\dla\DLACTRLW.EXE"mRun: [iSUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startupmRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -startmRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:onmRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hidemRun: [WinampAgent] "c:\program files\winamp\winampa.exe"mRun: [sanaSafeConnect] "c:\program files\trustedid\identity theft protection\agent\bin\SanaSafeConnect.exe"mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /backgroundmRun: [PfuSsSct.exe] c:\program files\pfu\scansnap\PfuSsSct.exe /StationmRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"mRun: [<NO NAME>] mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"mRun: [Wwamu] rundll32.exe "c:\windows\epixewofesed.dll",StartupmRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exeStartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exeStartupFolder: c:\documents and settings\administrator\start menu\programs\startup\SISZYD32.EXEStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cardmi~1.lnk - c:\program files\pfu\scansnap\cardminder v3.1\CardLauncher.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\conver~1.lnk - c:\program files\pfu\scansnap\organizer\PfuSsOrgOcrChk.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zcinem~1.lnk - c:\windows\installer\{ee885042-228a-446f-a30d-64ecbdc93859}\StartupShortcut_EE885042228A446FA30D64ECBDC93859.exeIE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dllIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLLDPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.7.1/GarminAxControl.CABDPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cabDPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CABDPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cabDPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cabDPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229688934562DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259192416484DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1224112386268&h=3f9ddb50c5ec02c03b68e5db69c997ed/&filename=jinstall-6u7-windows-i586-jc.cabDPF: {B0882EB7-81A5-4A11-8D45-71888F973933} - hxxps://24.173.141.242:10443/sslvpn.cabDPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cabDPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cabDPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cabDPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100Notify: igfxcui - igfxdev.dllNotify: LMIinit - LMIinit.dllAppInit_DLLs: ?????SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dllSEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dllLSA: Notification Packages = scecli svfhcdbj.dllmASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"================= FIREFOX ===================FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\gfc11asd.default\FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\gfc11asd.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dllFF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dllFF - plugin: c:\program files\fortinet\sslvpnclient\npccplugin.dllFF - plugin: c:\program files\fortinet\sslvpnclient\nptcplugin.dllFF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dllFF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\FF - HiddenExtension: XULRunner: {18971506-0728-4656-9122-98FBA44A8C38} - c:\documents and settings\administrator\local settings\application data\{18971506-0728-4656-9122-98FBA44A8C38}---- FIREFOX POLICIES ----c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);============= SERVICES / DRIVERS ===============R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-16 114768]R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-16 20560]R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-16 138680]R2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSSLVPNdaemon.exe [2009-3-9 510496]R2 HRD RemoteSvr;Ham Radio Deluxe Remote Server;c:\program files\amateur radio\ham radio deluxe\HRDRemoteSvr.exe [2009-5-22 196608]R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-29 47640]R2 SanaSafeConnectAgent;SanaSafeConnectAgent;c:\program files\trustedid\identity theft protection\agent\bin\SanaAgent.exe [2008-3-21 4937240]R2 SanaSafeConnectWatcher;SanaSafeConnectWatcher;c:\program files\trustedid\identity theft protection\agent\bin\SanaSafeConnectWatcher.exe [2008-3-21 539160]R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-16 254040]R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-16 352920]R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [2007-12-11 36384]R3 SanaSafeConnectDriver;SanaSafeConnectDriver;c:\program files\trustedid\identity theft protection\agent\driver\platform_xp\SafeConnectDriver.sys [2008-3-21 161304]R3 SanaSafeConnectFilter;SanaSafeConnectFilter;c:\program files\trustedid\identity theft protection\agent\driver\platform_xp\SafeConnectFilter.sys [2008-3-21 29720]R3 SanaSafeConnectShim;SanaSafeConnectShim;c:\program files\trustedid\identity theft protection\agent\driver\platform_xp\SafeConnectShim.sys [2008-3-21 27376]R3 ZCinema_TSHD;ZCinema TruSurround HD driver;c:\windows\system32\drivers\ZCinema_SRS_i386.sys [2009-5-6 21392]S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\common files\intuit\fuse\service\Intuit Fuse Service.exe [2008-11-15 72704]S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-16 38224]S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-12-23 50704]S4 LMIRfsClientNP;LMIRfsClientNP; [x]=============== Created Last 30 ================2009-12-17 00:42:07 697856 ----a-w- c:\windows\system32\drivers\xpaiupak.sys2009-12-17 00:41:08 148 ----a-w- c:\windows\system32\fjhdyfhsn.bat2009-12-16 22:58:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2009-12-16 22:58:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2009-12-16 22:58:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware2009-12-16 12:43:37 0 ----a-w- c:\windows\Xdihuliwoluwaru.bin2009-12-16 12:43:36 120 ----a-w- c:\windows\Htiqi.dat2009-12-16 12:34:53 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys2009-12-16 12:34:53 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys2009-12-16 12:34:39 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys2009-12-16 12:34:39 8576 ----a-w- c:\windows\system32\dllcache\i2omgmt.sys2009-12-16 12:34:35 8192 ----a-w- c:\windows\system32\drivers\changer.sys2009-12-16 12:34:35 8192 ----a-w- c:\windows\system32\dllcache\changer.sys2009-12-16 12:34:07 8 ----a-w- c:\docume~1\admini~1\applic~1\avdrn.dat2009-12-07 00:37:44 4194304 ----a-w- c:\windows\system32\cdintf400.dll2009-12-07 00:34:01 0 d-----w- C:\ProWin092009-11-30 05:08:52 244 ---ha-w- C:\sqmnoopt10.sqm2009-11-30 05:08:52 232 ---ha-w- C:\sqmdata10.sqm2009-11-28 18:29:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Research In Motion2009-11-25 23:10:47 15064 ----a-w- c:\windows\system32\wuapi.dll.mui==================== Find3M ====================2009-12-18 10:43:46 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs2009-12-18 10:43:41 0 ----a-w- c:\windows\system32\drivers\logiflt.iad2009-11-27 17:18:15 223440 ----a-w- c:\windows\system32\drivers\truecrypt.sys2009-11-07 15:11:35 163738 ----a-w- c:\windows\fonts\AdobeFnt08.lst2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll2009-10-01 22:03:09 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll2009-10-01 22:03:08 87352 ----a-w- c:\windows\system32\LMIinit.dll2009-10-01 22:03:08 28984 ----a-w- c:\windows\system32\LMIport.dll2009-09-19 20:12:17 256 ----a-w- c:\documents and settings\administrator\pool.bin============= FINISH: 6:04:46.42 ===============Thanks for all your helpJose A.Attach.zip Link to post Share on other sites More sharing options...
sjpritch25 Posted December 18, 2009 ID:172370 Share Posted December 18, 2009 Welcome to Malwarebytes!!!! Please update to the latest def's in Malwarebytes, run a quick scan and post the results. ThanksDownload GMER Antirootkit Here, click on Download EXE and save to your DesktopDisconnect from the internet and disable all active protection so your security program drivers will not conflict with gmer's driver Double-click Gmer.exe to run the program. When the program opens, click the "Rootkit" Tab On the right-side, check all the items to be scanned, but leave "Show All" unchecked Select all drives that are connected to your system to be scanned Click the Scan button When the scan is finished, click Copy to save the scan log to the Windows clipboard Open Notepad or a similar text editor Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V Save the gmer scan log and post it in your next reply. Close Gmer Open a command prompt (Start | run |type cmd and hit Enter) Type or paste the following to unload the gmer driver: net stop gmer Hit Enter Exit the command prompt. [*]Re-enable all active protection. Link to post Share on other sites More sharing options...
kp4cel Posted December 18, 2009 Author ID:172380 Share Posted December 18, 2009 Thanks for the fast reply, the log is included in my attachment on the original post. It is in a zip file at the end of the post since it is a big file. Please let me know if you want me to post it on the message.ThanksJose Welcome to Malwarebytes!!!! Please update to the latest def's in Malwarebytes, run a quick scan and post the results. ThanksDownload GMER Antirootkit Here, click on Download EXE and save to your DesktopDisconnect from the internet and disable all active protection so your security program drivers will not conflict with gmer's driver Double-click Gmer.exe to run the program. When the program opens, click the "Rootkit" Tab On the right-side, check all the items to be scanned, but leave "Show All" unchecked Select all drives that are connected to your system to be scanned Click the Scan button When the scan is finished, click Copy to save the scan log to the Windows clipboard Open Notepad or a similar text editor Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V Save the gmer scan log and post it in your next reply. Close Gmer Open a command prompt (Start | run |type cmd and hit Enter) Type or paste the following to unload the gmer driver: net stop gmer Hit Enter Exit the command prompt. [*]Re-enable all active protection. Link to post Share on other sites More sharing options...
sjpritch25 Posted December 18, 2009 ID:172499 Share Posted December 18, 2009 run it again and please disconnect from the internet and disable all protection programs. That will make the log much easier for me to analyze. Thanks Link to post Share on other sites More sharing options...
kp4cel Posted December 18, 2009 Author ID:172558 Share Posted December 18, 2009 Here it is:GMER 1.0.15.15281 - http://www.gmer.netRootkit scan 2009-12-18 17:36:14Windows 5.1.2600 Service Pack 3Running: ets22ef4.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwlyypog.sys---- System - GMER 1.0.15 ----SSDT \??\C:\Program Files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwClose [0xBA4798B0] <-- ROOTKIT !!!SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0x9CDE3574] <-- ROOTKIT !!!SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0x9CDE3A52] <-- ROOTKIT !!!SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0x9CDE314C] <-- ROOTKIT !!!SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0x9CDE364E] <-- ROOTKIT !!!SSDT \??\C:\Program Files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwOpenProcess [0xBA4798E0] <-- ROOTKIT !!!SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0x9CDE30F0] <-- ROOTKIT !!!SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0x9CDE376E] <-- ROOTKIT !!!SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0x9CDE372E] <-- ROOTKIT !!!SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0x9CDE38AE] <-- ROOTKIT !!!SSDT \??\C:\Program Files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwTerminateProcess [0xBA479990] <-- ROOTKIT !!!SSDT \??\C:\Program Files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwTerminateThread [0xBA479A30] <-- ROOTKIT !!!SSDT \??\C:\Program Files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwWriteVirtualMemory [0xBA479AD0] <-- ROOTKIT !!!---- Kernel code sections - GMER 1.0.15 ----? C:\WINDOWS\system32\drivers\xpaiupak.sys A device attached to the system is not functioning. !PAGE Ntfs.sys B9CE6E55 4 Bytes CALL 8AD318D9 ---- User code sections - GMER 1.0.15 ----.text C:\WINDOWS\SMINST\Scheduler.exe[2460] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 004170D0 C:\WINDOWS\SMINST\Scheduler.exe.text C:\WINDOWS\SMINST\Scheduler.exe[2460] USER32.dll!GetSysColorBrush 7E418EAB 5 Bytes JMP 00417140 C:\WINDOWS\SMINST\Scheduler.exe.text C:\WINDOWS\SMINST\Scheduler.exe[2460] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 00416FC0 C:\WINDOWS\SMINST\Scheduler.exe.text C:\WINDOWS\SMINST\Scheduler.exe[2460] USER32.dll!GetScrollInfo 7E42DFE2 7 Bytes JMP 00416F10 C:\WINDOWS\SMINST\Scheduler.exe.text C:\WINDOWS\SMINST\Scheduler.exe[2460] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 00417090 C:\WINDOWS\SMINST\Scheduler.exe.text C:\WINDOWS\SMINST\Scheduler.exe[2460] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 00416F50 C:\WINDOWS\SMINST\Scheduler.exe.text C:\WINDOWS\SMINST\Scheduler.exe[2460] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 00417000 C:\WINDOWS\SMINST\Scheduler.exe.text C:\WINDOWS\SMINST\Scheduler.exe[2460] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 00416F80 C:\WINDOWS\SMINST\Scheduler.exe.text C:\WINDOWS\SMINST\Scheduler.exe[2460] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 00417040 C:\WINDOWS\SMINST\Scheduler.exe.text C:\WINDOWS\SMINST\Scheduler.exe[2460] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 00416ED0 C:\WINDOWS\SMINST\Scheduler.exe.text C:\WINDOWS\system32\SearchIndexer.exe[3344] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)---- User IAT/EAT - GMER 1.0.15 ----IAT C:\WINDOWS\system32\services.exe[900] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002IAT C:\WINDOWS\system32\services.exe[900] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000IAT C:\WINDOWS\Explorer.EXE[2228] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00BA2F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)IAT C:\WINDOWS\Explorer.EXE[2228] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00BA2C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)IAT C:\WINDOWS\Explorer.EXE[2228] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00BA2CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)IAT C:\WINDOWS\Explorer.EXE[2228] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00BA2CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)---- Devices - GMER 1.0.15 ----Device \FileSystem\Ntfs \Ntfs 8AA55C88AttachedDevice \FileSystem\Ntfs \Ntfs mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)AttachedDevice \FileSystem\Ntfs \Ntfs SafeConnectFilter.sys (SafeConnect Application Activity Monitor Filter Driver./Sana Security, Inc. )AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)AttachedDevice \FileSystem\Fastfat \Fat mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)AttachedDevice \FileSystem\Fastfat \Fat SafeConnectFilter.sys (SafeConnect Application Activity Monitor Filter Driver./Sana Security, Inc. )Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)---- Services - GMER 1.0.15 ----Service (*** hidden *** ) [bOOT] xpaiupak <-- ROOTKIT !!!---- Registry - GMER 1.0.15 ----Reg HKLM\SYSTEM\CurrentControlSet\Services\xpaiupak@Type 1Reg HKLM\SYSTEM\CurrentControlSet\Services\xpaiupak@Start 0Reg HKLM\SYSTEM\CurrentControlSet\Services\xpaiupak@ErrorControl 0Reg HKLM\SYSTEM\CurrentControlSet\Services\xpaiupak@Group Boot Bus ExtenderReg HKLM\SYSTEM\ControlSet002\Services\xpaiupak@Type 1Reg HKLM\SYSTEM\ControlSet002\Services\xpaiupak@Start 0Reg HKLM\SYSTEM\ControlSet002\Services\xpaiupak@ErrorControl 0Reg HKLM\SYSTEM\ControlSet002\Services\xpaiupak@Group Boot Bus Extender---- Disk sectors - GMER 1.0.15 ----Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; ---- EOF - GMER 1.0.15 ----Thanks for the fast reply, the log is included in my attachment on the original post. It is in a zip file at the end of the post since it is a big file. Please let me know if you want me to post it on the message.ThanksJose Link to post Share on other sites More sharing options...
sjpritch25 Posted December 19, 2009 ID:172625 Share Posted December 19, 2009 Again, make sure Avast and any other security software is disabled before performing the fix below. Thanks1. Please download The Avenger2 by Swandog46 to your Desktop.Right click on the Avenger.zip folder and select "Extract All..." Follow the prompts and extract the avenger folder to your desktop2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):Files to delete:c:\windows\system32\drivers\xpaiupak.sysc:\windows\system32\fjhdyfhsn.batDrivers to delete:xpaiupakNote: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.3. Now, open the avenger folder and start The Avenger program by clicking on its icon. Right click on the window under Input script here:, and select Paste. You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard. Click on Execute Answer "Yes" twice when prompted.4. The Avenger will automatically do the following:[*]It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)[*]On reboot, it will briefly open a black command window on your desktop, this is normal.[*]After the restart, it creates a log file that should open with the results of Avenger Link to post Share on other sites More sharing options...
kp4cel Posted December 19, 2009 Author ID:172637 Share Posted December 19, 2009 Here is the avenger.txt looks like it took care of it:Logfile of The Avenger Version 2.0, © by Swandog46http://swandog46.geekstogo.comPlatform: Windows XP*******************Script file opened successfully.Script file read successfully.Backups directory opened successfully at C:\Avenger*******************Beginning to process script file:Rootkit scan active.No rootkits found!File "c:\windows\system32\drivers\xpaiupak.sys" deleted successfully.File "c:\windows\system32\fjhdyfhsn.bat" deleted successfully.Driver "xpaiupak" deleted successfully.Completed script processing.*******************Finished! Terminate.BTW I am also in West FlaAgain, make sure Avast and any other security software is disabled before performing the fix below. Thanks1. Please download The Avenger2 by Swandog46 to your Desktop.Right click on the Avenger.zip folder and select "Extract All..." Follow the prompts and extract the avenger folder to your desktop2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):Files to delete:c:\windows\system32\drivers\xpaiupak.sysc:\windows\system32\fjhdyfhsn.batDrivers to delete:xpaiupakNote: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.3. Now, open the avenger folder and start The Avenger program by clicking on its icon. Right click on the window under Input script here:, and select Paste. You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard. Click on Execute Answer "Yes" twice when prompted.4. The Avenger will automatically do the following:It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)On reboot, it will briefly open a black command window on your desktop, this is normal.After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.5. Please copy/paste the content of c:\avenger.txt into your reply Link to post Share on other sites More sharing options...
kp4cel Posted December 29, 2009 Author ID:176555 Share Posted December 29, 2009 Well still can not get MWB to run it just freeze my computer. Any Ideas?ThanksHere is the avenger.txt looks like it took care of it:Logfile of The Avenger Version 2.0, Link to post Share on other sites More sharing options...
sjpritch25 Posted December 29, 2009 ID:176562 Share Posted December 29, 2009 Please post a fresh Gmer log. Thanks Link to post Share on other sites More sharing options...
kp4cel Posted December 29, 2009 Author ID:176765 Share Posted December 29, 2009 Here is the log, also two days ago I noticed that Mozila was hijacked and looks like spybot took care of that but I am not sure since I could not run malwarebytes.:GMER 1.0.15.15281 - http://www.gmer.netRootkit scan 2009-12-29 07:09:01Windows 5.1.2600 Service Pack 3Running: 4xex3tsf.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwlyypog.sys---- System - GMER 1.0.15 ----SSDT \??\C:\Program Files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwClose [0xB12858B0]SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0x9D1CE574]SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0x9D1CEA52]SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0x9D1CE14C]SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0x9D1CE64E]SSDT \??\C:\Program Files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwOpenProcess [0xB12858E0]SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0x9D1CE0F0]SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0x9D1CE76E]SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0x9D1CE72E]SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0x9D1CE8AE]SSDT \??\C:\Program Files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwTerminateProcess [0xB1285990]SSDT \??\C:\Program Files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwTerminateThread [0xB1285A30]SSDT \??\C:\Program Files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwWriteVirtualMemory [0xB1285AD0]---- Kernel code sections - GMER 1.0.15 ----.text ntkrnlpa.exe!ZwCallbackReturn + 2CC8 80504564 4 Bytes JMP 924A9D1C .text ntkrnlpa.exe!ZwCallbackReturn + 2FA0 8050483C 4 Bytes CALL 4144E55D ---- User code sections - GMER 1.0.15 ----.text C:\WINDOWS\SMINST\Scheduler.exe[1224] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 004170D0 C:\WINDOWS\SMINST\Scheduler.exe.text C:\WINDOWS\SMINST\Scheduler.exe[1224] USER32.dll!GetSysColorBrush 7E418EAB 5 Bytes JMP 00417140 C:\WINDOWS\SMINST\Scheduler.exe.text C:\WINDOWS\SMINST\Scheduler.exe[1224] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 00416FC0 C:\WINDOWS\SMINST\Scheduler.exe.text C:\WINDOWS\SMINST\Scheduler.exe[1224] USER32.dll!GetScrollInfo 7E42DFE2 7 Bytes JMP 00416F10 C:\WINDOWS\SMINST\Scheduler.exe.text C:\WINDOWS\SMINST\Scheduler.exe[1224] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 00417090 C:\WINDOWS\SMINST\Scheduler.exe.text C:\WINDOWS\SMINST\Scheduler.exe[1224] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 00416F50 C:\WINDOWS\SMINST\Scheduler.exe.text C:\WINDOWS\SMINST\Scheduler.exe[1224] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 00417000 C:\WINDOWS\SMINST\Scheduler.exe.text C:\WINDOWS\SMINST\Scheduler.exe[1224] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 00416F80 C:\WINDOWS\SMINST\Scheduler.exe.text C:\WINDOWS\SMINST\Scheduler.exe[1224] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 00417040 C:\WINDOWS\SMINST\Scheduler.exe.text C:\WINDOWS\SMINST\Scheduler.exe[1224] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 00416ED0 C:\WINDOWS\SMINST\Scheduler.exe.text C:\WINDOWS\system32\SearchIndexer.exe[2636] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)---- User IAT/EAT - GMER 1.0.15 ----IAT C:\WINDOWS\system32\services.exe[916] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002IAT C:\WINDOWS\system32\services.exe[916] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000IAT C:\WINDOWS\Explorer.EXE[2312] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C32F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)IAT C:\WINDOWS\Explorer.EXE[2312] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C32C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)IAT C:\WINDOWS\Explorer.EXE[2312] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C32CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)IAT C:\WINDOWS\Explorer.EXE[2312] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C32CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[3164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00F12F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[3164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00F12C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[3164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00F12CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[3164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00F12CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)IAT C:\Program Files\Logitech\Logitech Vid\vid.exe[3696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01B92F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)IAT C:\Program Files\Logitech\Logitech Vid\vid.exe[3696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01B92C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)IAT C:\Program Files\Logitech\Logitech Vid\vid.exe[3696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01B92CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)IAT C:\Program Files\Logitech\Logitech Vid\vid.exe[3696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01B92CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)---- Devices - GMER 1.0.15 ----AttachedDevice \FileSystem\Ntfs \Ntfs mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)AttachedDevice \FileSystem\Ntfs \Ntfs SafeConnectFilter.sys (SafeConnect Application Activity Monitor Filter Driver./Sana Security, Inc. )AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)---- Disk sectors - GMER 1.0.15 ----Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; ---- EOF - GMER 1.0.15 ----Please advice.THanks Link to post Share on other sites More sharing options...
kp4cel Posted December 29, 2009 Author ID:176766 Share Posted December 29, 2009 Mozilla still hijacked, when performing searches and click on any of the result of the search it takes me to http://seiniorage.com/index.php Link to post Share on other sites More sharing options...
sjpritch25 Posted December 29, 2009 ID:176965 Share Posted December 29, 2009 Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix**Note: It is important that it is saved directly to your desktop**--------------------------------------------------------------------1. Close any open browsers.2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.--------------------------------------------------------------------Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.Note:Do not mouseclick combofix's window while it's running. That may cause it to stall Link to post Share on other sites More sharing options...
kp4cel Posted December 29, 2009 Author ID:177006 Share Posted December 29, 2009 Here is the combofix.log:ComboFix 09-12-29.03 - Administrator 12/29/2009 16:34:24.1.2 - x86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2163 [GMT -5:00]Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exeAV: avast! antivirus 4.8.1368 [VPS 091229-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\documents and settings\Administrator\Application Data\avdrn.datc:\documents and settings\Administrator\Application Data\inst.exec:\documents and settings\Administrator\Local Settings\Application Data\{18971506-0728-4656-9122-98FBA44A8C38}c:\documents and settings\Administrator\Local Settings\Application Data\{18971506-0728-4656-9122-98FBA44A8C38}\chrome.manifestc:\documents and settings\Administrator\Local Settings\Application Data\{18971506-0728-4656-9122-98FBA44A8C38}\chrome\content\_cfg.jsc:\documents and settings\Administrator\Local Settings\Application Data\{18971506-0728-4656-9122-98FBA44A8C38}\chrome\content\overlay.xulc:\documents and settings\Administrator\Local Settings\Application Data\{18971506-0728-4656-9122-98FBA44A8C38}\install.rdfc:\documents and settings\Administrator\Local Settings\Temporary Internet Files\HPPDEVX.DLL.logc:\recycler\S-1-5-21-1062567417-215967349-1460275934-500c:\windows\TEMP\logishrd\LVPrcInj01.dllD:\Autorun.inf.((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 ))))))))))))))))))))))))))))))).2009-12-29 12:39 . 2009-12-29 12:39 411368 ----a-w- c:\windows\system32\deploytk.dll2009-12-29 12:38 . 2009-12-29 12:38 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee2009-12-29 12:38 . 2009-12-29 12:40 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll2009-12-29 12:33 . 2009-12-29 12:33 -------- d-----w- c:\windows\LastGood.Tmp2009-12-29 12:33 . 2009-12-29 12:33 -------- d-----w- c:\program files\Secunia2009-12-27 16:04 . 2009-10-29 16:59 378368 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gfc11asd.default\extensions\{cb84136f-9c44-433a-9048-c5cd9df1dc16}\platform\WINNT_x86-msvc\components\libheuristic.dll2009-12-26 14:18 . 2009-12-26 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy2009-12-26 14:18 . 2009-12-26 14:21 -------- d-----w- c:\program files\Spybot - Search & Destroy2009-12-25 16:20 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2009-12-25 16:20 . 2009-12-25 16:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2009-12-25 16:20 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2009-12-20 02:35 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll2009-12-18 21:50 . 2009-12-18 21:50 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys2009-12-18 21:50 . 2009-12-18 21:50 -------- d-----w- c:\documents and settings\Administrator\log2009-12-16 23:52 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys2009-12-16 23:52 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys2009-12-16 23:52 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys2009-12-16 23:52 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr2009-12-16 23:52 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys2009-12-16 23:52 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys2009-12-16 23:52 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys2009-12-16 23:52 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys2009-12-16 23:51 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe2009-12-16 23:51 . 2009-12-16 23:51 -------- d-----w- c:\program files\Alwil Software2009-12-16 12:43 . 2009-12-26 14:10 0 ----a-w- c:\windows\Xdihuliwoluwaru.bin2009-12-16 12:43 . 2009-12-26 14:10 120 ----a-w- c:\windows\Htiqi.dat2009-12-16 12:34 . 2008-04-13 19:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys2009-12-16 12:34 . 2008-04-13 19:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys2009-12-16 12:34 . 2008-04-13 19:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys2009-12-16 12:34 . 2008-04-13 19:41 8576 ----a-w- c:\windows\system32\dllcache\i2omgmt.sys2009-12-16 12:34 . 2008-04-13 19:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys2009-12-16 12:34 . 2008-04-13 19:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys2009-12-07 00:37 . 2009-09-03 20:29 4194304 ----a-w- c:\windows\system32\cdintf400.dll2009-12-07 00:34 . 2009-12-29 05:10 -------- d-----w- C:\ProWin09.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-12-29 21:39 . 2009-08-16 14:40 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs2009-12-29 21:39 . 2009-08-16 14:40 0 ----a-w- c:\windows\system32\drivers\logiflt.iad2009-12-29 12:38 . 2008-09-23 01:59 -------- d-----w- c:\program files\Java2009-12-29 12:03 . 2008-10-29 11:21 -------- d-----w- c:\program files\LogMeIn2009-12-20 15:34 . 2009-01-04 14:41 -------- d-----w- c:\program files\Adams Business Forms2009-12-20 02:40 . 2008-10-17 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help2009-12-17 00:41 . 2009-12-17 00:40 24 ----a-w- c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat2009-12-16 12:34 . 2009-12-16 12:34 24 ----a-w- c:\documents and settings\NetworkService\Application Data\fvgqad.dat2009-12-08 02:19 . 2008-11-19 22:38 -------- d-----w- c:\program files\Ten-Tec2009-12-07 00:35 . 2008-09-23 02:00 -------- d--h--w- c:\program files\InstallShield Installation Information2009-12-06 16:12 . 2009-09-04 20:38 -------- d-----w- c:\program files\Seabyrd Technologies2009-12-06 16:09 . 2009-09-05 22:59 -------- d-----w- c:\program files\Coupons2009-11-28 18:29 . 2009-11-28 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion2009-11-27 17:23 . 2008-12-07 13:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\TrueCrypt2009-11-27 17:18 . 2008-12-07 13:56 223440 ----a-w- c:\windows\system32\drivers\truecrypt.sys2009-11-21 15:51 . 2006-02-28 02:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll2009-11-05 23:42 . 2009-11-05 23:42 593920 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv305hw-0910190-0-main.dll2009-11-01 13:19 . 2008-10-15 20:41 109192 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT2009-10-31 13:16 . 2009-09-02 23:20 256 ----a-w- c:\windows\system32\pool.bin2009-10-30 23:51 . 2009-10-30 23:51 664 ----a-w- c:\windows\system32\d3d9caps.dat2009-10-30 23:51 . 2009-09-02 23:17 -------- d-----w- c:\program files\Common Files\Roxio Shared2009-10-30 23:47 . 2008-10-22 01:47 -------- d-----w- c:\program files\Roxio2009-10-30 23:46 . 2009-09-03 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio2009-10-30 23:46 . 2008-10-22 01:46 -------- d-----w- c:\program files\Common Files\Sonic Shared2009-10-29 07:46 . 2006-02-28 02:00 832512 ----a-w- c:\windows\system32\wininet.dll2009-10-29 07:46 . 2006-02-28 02:00 78336 ----a-w- c:\windows\system32\ieencode.dll2009-10-29 07:46 . 2006-02-28 02:00 17408 ----a-w- c:\windows\system32\corpol.dll2009-10-21 05:38 . 2006-02-28 02:00 75776 ----a-w- c:\windows\system32\strmfilt.dll2009-10-21 05:38 . 2006-02-28 02:00 25088 ----a-w- c:\windows\system32\httpapi.dll2009-10-20 16:20 . 2006-02-28 02:00 265728 ----a-w- c:\windows\system32\drivers\http.sys2009-10-13 10:30 . 2006-02-28 02:00 270336 ----a-w- c:\windows\system32\oakley.dll2009-10-12 13:38 . 2006-02-28 02:00 149504 ----a-w- c:\windows\system32\rastls.dll2009-10-12 13:38 . 2006-02-28 02:00 79872 ----a-w- c:\windows\system32\raschap.dll2009-10-08 00:50 . 2009-10-08 00:50 8520 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gfc11asd.default\extensions\LogMeInClient@logmein.com\plugins\ractrlkeyhook.dll2009-10-08 00:50 . 2009-10-08 00:50 83256 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gfc11asd.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardian.exe2009-10-08 00:50 . 2009-10-08 00:50 70984 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gfc11asd.default\extensions\LogMeInClient@logmein.com\plugins\LMIProxyHelper.exe2009-10-08 00:50 . 2009-10-08 00:50 574768 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gfc11asd.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardianDll.dll2009-10-08 00:50 . 2009-10-08 00:50 3858432 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gfc11asd.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll2009-10-08 00:50 . 2009-10-08 00:50 15664 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gfc11asd.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardianEvt.dll2009-10-01 22:03 . 2008-10-29 11:22 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll2009-10-01 22:03 . 2008-10-29 11:22 28984 ----a-w- c:\windows\system32\LMIport.dll2009-10-01 22:03 . 2008-10-29 11:22 87352 ----a-w- c:\windows\system32\LMIinit.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]2009-10-20 16:51 2846008 ----a-w- c:\program files\MozyHome\mozyshell.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]2009-10-20 16:51 2846008 ----a-w- c:\program files\MozyHome\mozyshell.dll[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"TaskScheduler"="c:\prowin09\32bit\TaskSch.exe" [2009-12-11 456024]"TrueCrypt"="c:\program files\TrueCrypt\TrueCrypt.exe" [2009-11-27 1415632]"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-06-02 5451536]"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-26 141848]"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-26 166424]"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-26 137752]"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-12-24 618496]"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-10-08 127036]"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-10-24 206112]"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-06-15 49152]"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]"SanaSafeConnect"="c:\program files\TrustedID\Identity Theft Protection\agent\bin\SanaSafeConnect.exe" [2008-03-21 1378840]"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-12-03 429392]c:\documents and settings\Administrator\Start Menu\Programs\Startup\ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2008-12-29 1769472]Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-8-21 900816]c:\documents and settings\All Users\Start Menu\Programs\Startup\CardMinder Viewer.lnk - c:\program files\PFU\ScanSnap\CardMinder V3.1\CardLauncher.exe [2008-12-29 36864]Conversion to PDF with ScanSnap Organizer.lnk - c:\program files\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe [2008-12-29 24576]MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2009-10-20 2890552]ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2008-12-29 1769472]Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]Z Cinema.lnk - c:\windows\Installer\{EE885042-228A-446F-A30D-64ECBDC93859}\StartupShortcut_EE885042228A446FA30D64ECBDC93859.exe [2009-5-6 172032][hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]2009-10-01 22:03 87352 ----a-w- c:\windows\system32\LMIinit.dll[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^SISZYD32.EXE]path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\SISZYD32.EXEbackup=c:\windows\pss\SISZYD32.EXEStartup[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\WINDOWS\\SMINST\\Scheduler.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="c:\\Program Files\\microsoft frontpage\\bin\\fpexplor.exe"="c:\\FrontPage Webs\\Server\\vhttpd32.exe"="c:\\Program Files\\Ten-Tec\\OMNI VII One Plug\\UDP588.exe"="c:\\WINDOWS\\system32\\java.exe"="c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/16/2009 6:52 PM 114768]R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/16/2009 6:52 PM 20560]R2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSSLVPNdaemon.exe [3/9/2009 2:02 PM 510496]R2 HRD RemoteSvr;Ham Radio Deluxe Remote Server;c:\program files\Amateur Radio\Ham Radio Deluxe\HRDRemoteSvr.exe [5/22/2009 10:06 PM 196608]R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 5:46 PM 12856]R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [10/29/2008 6:22 AM 47640]R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/25/2009 11:20 AM 276816]R2 SanaSafeConnectAgent;SanaSafeConnectAgent;c:\program files\TrustedID\Identity Theft Protection\agent\Bin\SanaAgent.exe [3/21/2008 1:42 PM 4937240]R2 SanaSafeConnectWatcher;SanaSafeConnectWatcher;c:\program files\TrustedID\Identity Theft Protection\agent\Bin\SanaSafeConnectWatcher.exe [3/21/2008 1:42 PM 539160]R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/25/2009 11:20 AM 19160]R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [12/11/2007 1:57 PM 36384]R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 7:20 AM 12648]R3 SanaSafeConnectDriver;SanaSafeConnectDriver;c:\program files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectDriver.sys [3/21/2008 1:43 PM 161304]R3 SanaSafeConnectFilter;SanaSafeConnectFilter;c:\program files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectFilter.sys [3/21/2008 1:43 PM 29720]R3 SanaSafeConnectShim;SanaSafeConnectShim;c:\program files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys [3/21/2008 1:43 PM 27376]R3 ZCinema_TSHD;ZCinema TruSurround HD driver;c:\windows\system32\drivers\ZCinema_SRS_i386.sys [5/6/2009 4:24 PM 21392]S3 aswArKrn;aswArKrn;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\aswArKrn.sys [?]S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe [11/15/2008 7:51 AM 72704]S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [12/23/2008 10:35 AM 50704]S4 LMIRfsClientNP;LMIRfsClientNP; [x][HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]2008-01-24 16:30 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe.Contents of the 'Scheduled Tasks' folder2009-12-28 c:\windows\Tasks\defrag.job- c:\windows\system32\defrag.exe [2006-02-28 00:12]..------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/uInternet Connection Wizard,ShellNext = iexploreIE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.7.1/GarminAxControl.CABDPF: {B0882EB7-81A5-4A11-8D45-71888F973933} - hxxps://24.173.141.242:10443/sslvpn.cabFF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gfc11asd.default\FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/FF - prefs.js: keyword.URL - hxxp://www.google.com/FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gfc11asd.default\extensions\{cb84136f-9c44-433a-9048-c5cd9df1dc16}\platform\WINNT_x86-msvc\components\libheuristic.dllFF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gfc11asd.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dllFF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dllFF - plugin: c:\program files\Fortinet\SslvpnClient\npccplugin.dllFF - plugin: c:\program files\Fortinet\SslvpnClient\nptcplugin.dllFF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\.- - - - ORPHANS REMOVED - - - -HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exeHKLM-Run-PfuSsSct.exe - c:\program files\PFU\ScanSnap\PfuSsSct.exe**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-12-29 16:43Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(860)c:\windows\system32\LMIinit.dllc:\windows\system32\LMIRfsClientNP.dll- - - - - - - > 'explorer.exe'(5396)c:\windows\system32\WININET.dllc:\program files\MozyHome\mozyshell.dllc:\windows\system32\LMIRfsClientNP.dllc:\windows\system32\ieframe.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dll.------------------------ Other Running Processes ------------------------.c:\program files\Alwil Software\Avast4\aswUpdSv.exec:\program files\Alwil Software\Avast4\ashServ.exec:\windows\system32\msdtc.exec:\windows\system32\dllhost.exec:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exec:\program files\Java\jre6\bin\jqs.exec:\program files\Common Files\LightScribe\LSSrvc.exec:\program files\LogMeIn\x86\RaMaint.exec:\program files\LogMeIn\x86\LogMeIn.exec:\program files\LogMeIn\x86\LMIGuardian.exec:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exec:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEc:\program files\MozyHome\mozybackup.exec:\program files\Super_DVD_Creator_9.8\NMSAccessU.exec:\windows\system32\igfxsrvc.exec:\program files\LogMeIn\x86\LMIGuardian.exec:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exec:\windows\system32\dllhost.exec:\windows\System32\vssvc.exec:\windows\system32\SearchIndexer.exec:\program files\TrustedID\Identity Theft Protection\agent\bin\SanaMonitor.exec:\program files\Alwil Software\Avast4\ashMaiSv.exec:\program files\Alwil Software\Avast4\ashWebSv.exec:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe.**************************************************************************.Completion time: 2009-12-29 16:47:36 - machine was rebootedComboFix-quarantined-files.txt 2009-12-29 21:47Pre-Run: 443,301,662,720 bytes freePost-Run: 443,375,726,592 bytes freeWindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect- - End Of File - - EC3256E375AA629E2A7E54EA25F8C3ED Link to post Share on other sites More sharing options...
kp4cel Posted December 29, 2009 Author ID:177007 Share Posted December 29, 2009 Here is the Hijack This log:DDS (Ver_09-12-01.01) - NTFSx86 Run by Administrator at 17:01:58.82 on Tue 12/29/2009Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2400 [GMT -5:00]AV: avast! antivirus 4.8.1368 [VPS 091229-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}============== Running Processes ===============C:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcsC:\WINDOWS\system32\svchost.exe -k WudfServiceGroupsvchost.exesvchost.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\system32\spoolsv.exesvchost.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\system32\FortiSslvpnDaemon.exeC:\Program Files\Amateur Radio\Ham Radio Deluxe\HRDRemoteSvr.exeC:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\MozyHome\mozybackup.exeC:\Program Files\Super_DVD_Creator_9.8\NMSAccessU.exeC:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\system32\igfxsrvc.exeC:\WINDOWS\SMINST\Scheduler.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exeC:\WINDOWS\System32\DLA\DLACTRLW.EXEC:\Program Files\Logitech\Logitech WebCam Software\LWS.exeC:\Program Files\TrustedID\Identity Theft Protection\agent\bin\SanaSafeConnect.exeC:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exeC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\ProWin09\32bit\TaskSch.exeC:\Program Files\TrueCrypt\TrueCrypt.exeC:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exeC:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exeC:\Program Files\PFU\ScanSnap\CardMinder V3.1\CardLauncher.exeC:\Program Files\MozyHome\mozystat.exeC:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exeC:\Program Files\TrustedID\Identity Theft Protection\agent\Bin\SanaSafeConnectWatcher.exeC:\WINDOWS\system32\svchost.exe -k imgsvcC:\WINDOWS\system32\dllhost.exeC:\Program Files\Secunia\PSI\psi.exeC:\WINDOWS\System32\vssvc.exeC:\WINDOWS\system32\SearchIndexer.exeC:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeC:\WINDOWS\explorer.exeC:\WINDOWS\system32\wscntfy.exeC:\Documents and Settings\Administrator\Desktop\dds.com============== Pseudo HJT Report ===============uStart Page = hxxp://www.google.com/uInternet Connection Wizard,ShellNext = iexploreBHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dllBHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dllBHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLLBHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No FileBHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dllBHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllTB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dlluRun: [TaskScheduler] c:\prowin09\32bit\TaskSch.exeuRun: [TrueCrypt] "c:\program files\truecrypt\TrueCrypt.exe" /q preferencesuRun: [Logitech Vid] "c:\program files\logitech\logitech vid\vid.exe" -bootmodeuRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduleruRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exemRun: [igfxTray] "c:\windows\system32\igfxtray.exe"mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"mRun: [Persistence] "c:\windows\system32\igfxpers.exe"mRun: [setRefresh] "c:\program files\compaq\setrefresh\SetRefresh.exe"mRun: [Recguard] "c:\windows\sminst\Recguard.exe"mRun: [scheduler] "c:\windows\sminst\Scheduler.exe"mRun: [hpbdfawep] "c:\program files\hp\dfawep\bin\hpbdfawep.exe" 1mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"mRun: [DLA] "c:\windows\system32\dla\DLACTRLW.EXE"mRun: [iSUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startupmRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -startmRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:onmRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hidemRun: [sanaSafeConnect] "c:\program files\trustedid\identity theft protection\agent\bin\SanaSafeConnect.exe"mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /backgroundmRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exemRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttrayStartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exeStartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cardmi~1.lnk - c:\program files\pfu\scansnap\cardminder v3.1\CardLauncher.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\conver~1.lnk - c:\program files\pfu\scansnap\organizer\PfuSsOrgOcrChk.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zcinem~1.lnk - c:\windows\installer\{ee885042-228a-446f-a30d-64ecbdc93859}\StartupShortcut_EE885042228A446FA30D64ECBDC93859.exeIE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLLIE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dllDPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.7.1/GarminAxControl.CABDPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cabDPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CABDPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cabDPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cabDPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261274835859DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259192416484DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cabDPF: {B0882EB7-81A5-4A11-8D45-71888F973933} - hxxps://24.173.141.242:10443/sslvpn.cabDPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cabDPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cabDPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cabDPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100Notify: igfxcui - igfxdev.dllNotify: LMIinit - LMIinit.dllSSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dllSEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dllmASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"================= FIREFOX ===================FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\gfc11asd.default\FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/FF - prefs.js: keyword.URL - hxxp://www.google.com/FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\gfc11asd.default\extensions\{cb84136f-9c44-433a-9048-c5cd9df1dc16}\platform\winnt_x86-msvc\components\libheuristic.dllFF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\gfc11asd.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dllFF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dllFF - plugin: c:\program files\fortinet\sslvpnclient\npccplugin.dllFF - plugin: c:\program files\fortinet\sslvpnclient\nptcplugin.dllFF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}---- FIREFOX POLICIES ----c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);============= SERVICES / DRIVERS ===============R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-16 114768]R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-16 20560]R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-29 47640]R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-12-25 19160]R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [2007-12-11 36384]R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]R3 SanaSafeConnectDriver;SanaSafeConnectDriver;c:\program files\trustedid\identity theft protection\agent\driver\platform_xp\SafeConnectDriver.sys [2008-3-21 161304]R3 SanaSafeConnectFilter;SanaSafeConnectFilter;c:\program files\trustedid\identity theft protection\agent\driver\platform_xp\SafeConnectFilter.sys [2008-3-21 29720]R3 SanaSafeConnectShim;SanaSafeConnectShim;c:\program files\trustedid\identity theft protection\agent\driver\platform_xp\SafeConnectShim.sys [2008-3-21 27376]R3 ZCinema_TSHD;ZCinema TruSurround HD driver;c:\windows\system32\drivers\ZCinema_SRS_i386.sys [2009-5-6 21392]S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]S3 aswArKrn;aswArKrn;\??\c:\docume~1\admini~1\locals~1\temp\aswarkrn.sys --> c:\docume~1\admini~1\locals~1\temp\aswArKrn.sys [?]S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-12-23 50704]S4 LMIRfsClientNP;LMIRfsClientNP; [x]=============== Created Last 30 ================2009-12-29 22:00:43 0 ----a-w- c:\documents and settings\administrator\defogger_reenable2009-12-29 21:32:41 0 d-sha-r- C:\cmdcons2009-12-29 21:31:50 98816 ----a-w- c:\windows\sed.exe2009-12-29 21:31:50 77312 ----a-w- c:\windows\MBR.exe2009-12-29 21:31:50 261632 ----a-w- c:\windows\PEV.exe2009-12-29 21:31:50 161792 ----a-w- c:\windows\SWREG.exe2009-12-29 12:39:23 411368 ----a-w- c:\windows\system32\deploytk.dll2009-12-29 12:33:32 0 d-----w- c:\program files\Secunia2009-12-26 14:18:59 0 d-----w- c:\program files\Spybot - Search & Destroy2009-12-26 14:18:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy2009-12-25 16:20:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2009-12-25 16:20:06 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2009-12-25 16:20:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware2009-12-20 02:35:21 471552 ------w- c:\windows\system32\dllcache\aclayers.dll2009-12-18 21:50:37 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys2009-12-18 21:50:37 0 d-----w- c:\documents and settings\administrator\log2009-12-16 12:43:37 0 ----a-w- c:\windows\Xdihuliwoluwaru.bin2009-12-16 12:43:36 120 ----a-w- c:\windows\Htiqi.dat2009-12-16 12:34:53 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys2009-12-16 12:34:53 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys2009-12-16 12:34:39 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys2009-12-16 12:34:39 8576 ----a-w- c:\windows\system32\dllcache\i2omgmt.sys2009-12-16 12:34:35 8192 ----a-w- c:\windows\system32\drivers\changer.sys2009-12-16 12:34:35 8192 ----a-w- c:\windows\system32\dllcache\changer.sys2009-12-07 00:37:44 4194304 ----a-w- c:\windows\system32\cdintf400.dll2009-12-07 00:34:01 0 d-----w- C:\ProWin092009-11-30 05:08:52 244 ---ha-w- C:\sqmnoopt10.sqm2009-11-30 05:08:52 232 ---ha-w- C:\sqmdata10.sqm==================== Find3M ====================2009-12-29 21:39:52 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs2009-12-29 21:39:47 0 ----a-w- c:\windows\system32\drivers\logiflt.iad2009-11-27 17:18:15 223440 ----a-w- c:\windows\system32\drivers\truecrypt.sys2009-11-07 15:11:35 163738 ----a-w- c:\windows\fonts\AdobeFnt08.lst2009-10-28 14:36:11 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe2009-10-28 06:54:16 634632 ------w- c:\windows\system32\dllcache\iexplore.exe2009-10-28 06:52:46 161792 ------w- c:\windows\system32\dllcache\ieakui.dll2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll2009-10-01 22:03:09 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll2009-10-01 22:03:08 87352 ----a-w- c:\windows\system32\LMIinit.dll2009-10-01 22:03:08 28984 ----a-w- c:\windows\system32\LMIport.dll============= FINISH: 17:12:56.09 =============== Link to post Share on other sites More sharing options...
kp4cel Posted December 29, 2009 Author ID:177008 Share Posted December 29, 2009 Let me know when I can run Malwarebytes to see if it works.Thanks Link to post Share on other sites More sharing options...
kp4cel Posted December 30, 2009 Author ID:177255 Share Posted December 30, 2009 I was able to run Malwarebytes in safe mode I will try it again but not in safe mode here is the log:Malwarebytes' Anti-Malware 1.42Database version: 3454Windows 5.1.2600 Service Pack 3 (Safe Mode)Internet Explorer 7.0.5730.1312/30/2009 7:01:13 AMmbam-log-2009-12-30 (07-01-13).txtScan type: Quick ScanObjects scanned: 106771Time elapsed: 11 minute(s), 27 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\Documents and Settings\NetworkService\Application Data\fvgqad.dat (Malware.Trace) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
sjpritch25 Posted December 30, 2009 ID:177521 Share Posted December 30, 2009 Please run Malwarebytes in Normal mode. Let me know if you have anymore problems. Thanks Link to post Share on other sites More sharing options...
kp4cel Posted December 31, 2009 Author ID:177589 Share Posted December 31, 2009 Well I did and it took one hour and seventeen minutes here is the log: Malwarebytes' Anti-Malware 1.42Database version: 3455Windows 5.1.2600 Service Pack 3Internet Explorer 7.0.5730.1312/30/2009 12:43:02 PMmbam-log-2009-12-30 (12-43-02).txtScan type: Quick ScanObjects scanned: 110487Time elapsed: 1 hour(s), 17 minute(s), 26 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Should I delete the quarantine?Thanks? Link to post Share on other sites More sharing options...
sjpritch25 Posted December 31, 2009 ID:177620 Share Posted December 31, 2009 Go to Start ---> Run ---> Type ComboFix /uninstall and press Enter.How is everything running? Link to post Share on other sites More sharing options...
kp4cel Posted January 6, 2010 Author ID:180624 Share Posted January 6, 2010 Well still can not get Malwarebytes to run it just freezes and freezes the computer. Even in the scheduler since I have the purchase version. I scanned my pc with Spybot and it is clean, Windows Defender and my AV which is Avast not the free version and the boot scan came out clean. What is next??Thanks and Happy New Year... Link to post Share on other sites More sharing options...
sjpritch25 Posted January 6, 2010 ID:180819 Share Posted January 6, 2010 Are you able to update to version 1.43? I know they fixed a lot of issues with version 1.43 Link to post Share on other sites More sharing options...
kp4cel Posted January 7, 2010 Author ID:180932 Share Posted January 7, 2010 Yes, I did with same results. Link to post Share on other sites More sharing options...
kp4cel Posted January 8, 2010 Author ID:181300 Share Posted January 8, 2010 any other sugestions? Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 8, 2010 Root Admin ID:181334 Share Posted January 8, 2010 Please review the FAQ here and setup file exclusions for your Anti-Virus: http://www.malwarebytes.org/forums/index.php?showtopic=10138We don't have a writeup for Avast but see if you can follow the general idea from one of the other AV products.When does this lockup happen? During Windows startup or during a Quick Scan or a Full Scan?You may want also want to try the following if need be. Please try this on the computer that is having an issue.1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.2. Restart your computer (very important).3. Download and run this utility. mbam-clean.exe4. It will ask to restart your computer (please allow it to).5. After the computer restarts, install the latest version from here. mbam-setup.exeNote: You will need to reactivate the program using the license you were sent Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.Restart the computer again and verify that MBAM is in the task tray and that you can run a quick scan and all is working as expected.You may have corrupted files on your disk. Please try running the following.First close ALL Applications as this routine will automatically restart your computer.Click on START - RUN and copy / paste the following entry into the box and click OKCMD /C ECHO Y|CHKDSK C: /R | SHUTDOWN /R /T 30 Link to post Share on other sites More sharing options...
kp4cel Posted January 9, 2010 Author ID:181797 Share Posted January 9, 2010 Hello Ron, well did as suggested and again the system freeze. What I noticed the it freeze while performing extra & heuristics scan so I removed the check mark to always perform extra & heuristics scan and it performed as supposed here is the log:Malwarebytes' Anti-Malware 1.44Database version: 3523Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187021/8/2010 9:46:26 PMmbam-log-2010-01-08 (21-46-26).txtScan type: Quick ScanObjects scanned: 38490Time elapsed: 6 minute(s), 8 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)However the number of files scanned where less. Please advice.Jose Link to post Share on other sites More sharing options...
Recommended Posts