
Malwarebytes Lock Up


25 replies to this topic

#1 kp4cel

    New Member

  • Members
  • 19 posts

Posted 18 December 2009 - 09:23 AM

Hello all, first posting here. I downloaded and ran Malwarebytes; after it found three infections it locked up the computer. Avast Pro finds Win32:Rootkit-gen[RTK] but doesn't remove it. Using Windows XP SP3:

See attachment and DDS information:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 6:04:21.14 on Fri 12/18/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2206 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 091217-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\FortiSslvpnDaemon.exe
C:\Program Files\Amateur Radio\Ham Radio Deluxe\HRDRemoteSvr.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Super_DVD_Creator_9.8\NMSAccessU.exe
C:\Program Files\TrustedID\Identity Theft Protection\agent\Bin\SanaSafeConnectWatcher.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\TrustedID\Identity Theft Protection\agent\Bin\SanaAgent.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\TrustedID\Identity Theft Protection\agent\bin\SanaSafeConnect.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ProWin09\32bit\TaskSch.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\Logitech\Logitech Vid\vid.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\PFU\ScanSnap\CardMinder V3.1\CardLauncher.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Logitech\Z Cinema\Z Cinema.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\TrustedID\Identity Theft Protection\agent\bin\SanaMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TaskScheduler] c:\prowin09\32bit\TaskSch.exe
uRun: [TrueCrypt] "c:\program files\truecrypt\TrueCrypt.exe" /q preferences
uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\vid.exe" -bootmode
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [SetRefresh] "c:\program files\compaq\setrefresh\SetRefresh.exe"
mRun: [Recguard] "c:\windows\sminst\Recguard.exe"
mRun: [Scheduler] "c:\windows\sminst\Scheduler.exe"
mRun: [hpbdfawep] "c:\program files\hp\dfawep\bin\hpbdfawep.exe" 1
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [DLA] "c:\windows\system32\dla\DLACTRLW.EXE"
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SanaSafeConnect] "c:\program files\trustedid\identity theft protection\agent\bin\SanaSafeConnect.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [PfuSsSct.exe] c:\program files\pfu\scansnap\PfuSsSct.exe /Station
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Wwamu] rundll32.exe "c:\windows\epixewofesed.dll",Startup
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exe
StartupFolder: c:\documents and settings\administrator\start menu\programs\startup\SISZYD32.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cardmi~1.lnk - c:\program files\pfu\scansnap\cardminder v3.1\CardLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\conver~1.lnk - c:\program files\pfu\scansnap\organizer\PfuSsOrgOcrChk.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zcinem~1.lnk - c:\windows\installer\{ee885042-228a-446f-a30d-64ecbdc93859}\StartupShortcut_EE885042228A446FA30D64ECBDC93859.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.7.1/GarminAxControl.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229688934562
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259192416484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1224112386268&h=3f9ddb50c5ec02c03b68e5db69c997ed/&filename=jinstall-6u7-windows-i586-jc.cab
DPF: {B0882EB7-81A5-4A11-8D45-71888F973933} - hxxps://24.173.141.242:10443/sslvpn.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: ?????
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli svfhcdbj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\gfc11asd.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\gfc11asd.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\fortinet\sslvpnclient\npccplugin.dll
FF - plugin: c:\program files\fortinet\sslvpnclient\nptcplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {18971506-0728-4656-9122-98FBA44A8C38} - c:\documents and settings\administrator\local settings\application data\{18971506-0728-4656-9122-98FBA44A8C38}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-16 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-16 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-16 138680]
R2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSSLVPNdaemon.exe [2009-3-9 510496]
R2 HRD RemoteSvr;Ham Radio Deluxe Remote Server;c:\program files\amateur radio\ham radio deluxe\HRDRemoteSvr.exe [2009-5-22 196608]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-29 47640]
R2 SanaSafeConnectAgent;SanaSafeConnectAgent;c:\program files\trustedid\identity theft protection\agent\bin\SanaAgent.exe [2008-3-21 4937240]
R2 SanaSafeConnectWatcher;SanaSafeConnectWatcher;c:\program files\trustedid\identity theft protection\agent\bin\SanaSafeConnectWatcher.exe [2008-3-21 539160]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-16 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-16 352920]
R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [2007-12-11 36384]
R3 SanaSafeConnectDriver;SanaSafeConnectDriver;c:\program files\trustedid\identity theft protection\agent\driver\platform_xp\SafeConnectDriver.sys [2008-3-21 161304]
R3 SanaSafeConnectFilter;SanaSafeConnectFilter;c:\program files\trustedid\identity theft protection\agent\driver\platform_xp\SafeConnectFilter.sys [2008-3-21 29720]
R3 SanaSafeConnectShim;SanaSafeConnectShim;c:\program files\trustedid\identity theft protection\agent\driver\platform_xp\SafeConnectShim.sys [2008-3-21 27376]
R3 ZCinema_TSHD;ZCinema TruSurround HD driver;c:\windows\system32\drivers\ZCinema_SRS_i386.sys [2009-5-6 21392]
S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\common files\intuit\fuse\service\Intuit Fuse Service.exe [2008-11-15 72704]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-16 38224]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-12-23 50704]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-12-17 00:42:07 697856 ----a-w- c:\windows\system32\drivers\xpaiupak.sys
2009-12-17 00:41:08 148 ----a-w- c:\windows\system32\fjhdyfhsn.bat
2009-12-16 22:58:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-16 22:58:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-16 22:58:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-16 12:43:37 0 ----a-w- c:\windows\Xdihuliwoluwaru.bin
2009-12-16 12:43:36 120 ----a-w- c:\windows\Htiqi.dat
2009-12-16 12:34:53 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2009-12-16 12:34:53 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2009-12-16 12:34:39 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2009-12-16 12:34:39 8576 ----a-w- c:\windows\system32\dllcache\i2omgmt.sys
2009-12-16 12:34:35 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2009-12-16 12:34:35 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2009-12-16 12:34:07 8 ----a-w- c:\docume~1\admini~1\applic~1\avdrn.dat
2009-12-07 00:37:44 4194304 ----a-w- c:\windows\system32\cdintf400.dll
2009-12-07 00:34:01 0 d-----w- C:\ProWin09
2009-11-30 05:08:52 244 ---ha-w- C:\sqmnoopt10.sqm
2009-11-30 05:08:52 232 ---ha-w- C:\sqmdata10.sqm
2009-11-28 18:29:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Research In Motion
2009-11-25 23:10:47 15064 ----a-w- c:\windows\system32\wuapi.dll.mui

==================== Find3M ====================

2009-12-18 10:43:46 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-12-18 10:43:41 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-11-27 17:18:15 223440 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-11-07 15:11:35 163738 ----a-w- c:\windows\fonts\AdobeFnt08.lst
2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-10-01 22:03:09 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-10-01 22:03:08 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-10-01 22:03:08 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-09-19 20:12:17 256 ----a-w- c:\documents and settings\administrator\pool.bin

============= FINISH: 6:04:46.42 ===============

Thanks for all your help

Jose A.


#2 sjpritch25

    Forum Deity

  • Experts
  • 1,611 posts
  • Gender:Male
  • Location:West Coast of Florida

Posted 18 December 2009 - 11:19 AM

Welcome to Malwarebytes!!!! :)

Please update to the latest definitions in Malwarebytes, run a quick scan and post the results. Thanks


Download GMER Antirootkit Here, click on Download EXE and save to your Desktop

  • Disconnect from the internet and disable all active protection so your security program drivers will not conflict with gmer's driver
  • Double-click Gmer.exe to run the program.
  • When the program opens, click the "Rootkit" Tab
  • On the right-side, check all the items to be scanned, but leave "Show All" unchecked
  • Select all drives that are connected to your system to be scanned
  • Click the Scan button
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Save the gmer scan log and post it in your next reply.
  • Close Gmer
  • Open a command prompt (Start | Run | type cmd and hit Enter)
    • Type or paste the following to unload the gmer driver:
    • net stop gmer
    • Hit Enter
    • Exit the command prompt.
  • Re-enable all active protection.

Microsoft Valuable Professional---MVP Consumer Security 2007-2010
Windows 7 Ultimate 64bit
Gigabyte P55A-UD4P Motherboard Intel i5 750 G.SKILL Ripjaws Series 4GB DDR3 1333 1TB WD 32mb cache
60gb OCZ Vertex Turbo SSD (BOOT drive)Noctua NH-U12P SE2 HeatsinkAntec P183 Case

#3 kp4cel

    New Member

  • Members
  • 19 posts

Posted 18 December 2009 - 11:42 AM

Thanks for the fast reply, the log is included in my attachment on the original post. It is in a zip file at the end of the post since it is a big file. Please let me know if you want me to post it on the message.

Thanks

Jose




#4 sjpritch25

    Forum Deity

  • Experts
  • 1,611 posts
  • Gender:Male
  • Location:West Coast of Florida

Posted 18 December 2009 - 02:55 PM

Run it again, and please disconnect from the internet and disable all protection programs. That will make the log much easier for me to analyze. Thanks

#5 kp4cel

    New Member

  • Members
  • 19 posts

Posted 18 December 2009 - 05:42 PM

Here it is:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-18 17:36:14
Windows 5.1.2600 Service Pack 3
Running: ets22ef4.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwlyypog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwClose [0xBA4798B0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0x9CDE3574] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0x9CDE3A52] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0x9CDE314C] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0x9CDE364E] <-- ROOTKIT !!!
SSDT \??\C:\Program Files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwOpenProcess [0xBA4798E0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0x9CDE30F0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0x9CDE376E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0x9CDE372E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0x9CDE38AE] <-- ROOTKIT !!!
SSDT \??\C:\Program Files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwTerminateProcess [0xBA479990] <-- ROOTKIT !!!
SSDT \??\C:\Program Files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwTerminateThread [0xBA479A30] <-- ROOTKIT !!!
SSDT \??\C:\Program Files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwWriteVirtualMemory [0xBA479AD0] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\xpaiupak.sys A device attached to the system is not functioning. !
PAGE Ntfs.sys B9CE6E55 4 Bytes CALL 8AD318D9

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\SMINST\Scheduler.exe[2460] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 004170D0 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[2460] USER32.dll!GetSysColorBrush 7E418EAB 5 Bytes JMP 00417140 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[2460] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 00416FC0 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[2460] USER32.dll!GetScrollInfo 7E42DFE2 7 Bytes JMP 00416F10 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[2460] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 00417090 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[2460] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 00416F50 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[2460] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 00417000 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[2460] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 00416F80 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[2460] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 00417040 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[2460] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 00416ED0 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\system32\SearchIndexer.exe[3344] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[900] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[900] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000
IAT C:\WINDOWS\Explorer.EXE[2228] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00BA2F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[2228] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00BA2C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[2228] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00BA2CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[2228] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00BA2CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AA55C88

AttachedDevice \FileSystem\Ntfs \Ntfs mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Ntfs \Ntfs SafeConnectFilter.sys (SafeConnect Application Activity Monitor Filter Driver./Sana Security, Inc. )
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat SafeConnectFilter.sys (SafeConnect Application Activity Monitor Filter Driver./Sana Security, Inc. )

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] xpaiupak <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\xpaiupak@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\xpaiupak@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\xpaiupak@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\xpaiupak@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\xpaiupak@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\xpaiupak@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\xpaiupak@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\xpaiupak@Group Boot Bus Extender

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----




#6 sjpritch25

    Forum Deity

  • Experts
  • 1,611 posts
  • Gender:Male
  • Location:West Coast of Florida

Posted 18 December 2009 - 09:01 PM

Again, make sure Avast and any other security software are disabled before performing the fix below. Thanks


1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
c:\windows\system32\drivers\xpaiupak.sys
c:\windows\system32\fjhdyfhsn.bat
Drivers to delete:
xpaiupak

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right-click on the window under "Input script here:" and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply
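The fix in this post targets exactly what the two logs point at: the hidden boot-start service GMER reported (post #5) and the two files the DDS "Created Last 30" section (post #1) shows appearing within a minute of each other. As an added example that is not code from this thread or from the DDS, GMER or Avenger tools, the Python triage helper below mechanises that cross-referencing on constructed excerpts of the two logs and emits the candidate list in the Avenger script format the post uses. The function names and the five-minute "same burst" window are my assumptions.

```python
"""Triage helper: cross-reference a GMER log with the DDS "Created Last 30" list.

Added example, not code from the thread or from the DDS/GMER/Avenger tools.
Function names and the 5-minute "same burst" window are assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed excerpts modelled on the logs posted in this thread (not the full logs).
GMER_LOG = r"""
---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] xpaiupak <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\xpaiupak@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\xpaiupak@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\xpaiupak@Group Boot Bus Extender

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
"""

DDS_CREATED = r"""
2009-12-17 00:42:07 697856 ----a-w- c:\windows\system32\drivers\xpaiupak.sys
2009-12-17 00:41:08 148 ----a-w- c:\windows\system32\fjhdyfhsn.bat
2009-12-16 22:58:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-16 22:58:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-16 12:34:53 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
"""

# GMER marks services it can see in the registry but not via the SCM as "hidden".
HIDDEN_SERVICE_RE = re.compile(
    r"^Service \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)", re.M)
# "...\Services\<name>@Start <n>" lines from GMER's Registry section.
REG_START_RE = re.compile(r"\\Services\\(?P<name>[^@\\\s]+)@Start (?P<value>\d+)")
# DDS "Created Last 30" rows: timestamp, size, attribute flags, path (may contain spaces).
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<size>\d+) (?P<attrs>\S+) (?P<path>.+)$", re.M)


def hidden_services(gmer_text):
    """Names of services GMER flagged as hidden from the service control manager."""
    return [m.group("name") for m in HIDDEN_SERVICE_RE.finditer(gmer_text)]


def service_start_types(gmer_text):
    """Map service name -> Start value (0 = boot start) from the Registry section."""
    return {m.group("name"): int(m.group("value")) for m in REG_START_RE.finditer(gmer_text)}


def mbr_flagged(gmer_text):
    """True when GMER reported rootkit-like behaviour in the disk sector section."""
    return "rootkit-like behavior" in gmer_text.lower()


def parse_created(dds_text):
    """Turn the DDS 'Created Last 30' rows into dicts with a real datetime."""
    return [{"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
             "size": int(m.group("size")),
             "path": m.group("path").strip()}
            for m in CREATED_RE.finditer(dds_text)]


def driver_file_for(service, created):
    """The newly created .sys whose basename matches the hidden service name."""
    for row in created:
        if row["path"].lower().endswith("\\" + service.lower() + ".sys"):
            return row
    return None


def companions(anchor, created, window=timedelta(minutes=5)):
    """Files created within `window` of the anchor: droppers write their pieces in
    one burst, so near-simultaneous creation is a strong link (assumed window)."""
    return [r for r in created if r is not anchor and abs(r["ts"] - anchor["ts"]) <= window]


def triage(gmer_text, dds_text):
    """Build the removal candidates: hidden services, their driver files, companions."""
    created = parse_created(dds_text)
    drivers = hidden_services(gmer_text)
    files = []
    for svc in drivers:
        drv = driver_file_for(svc, created)
        if drv is None:
            continue  # hidden service without a fresh driver file: needs manual review
        files.append(drv["path"])
        files.extend(r["path"] for r in companions(drv, created))
    starts = service_start_types(gmer_text)
    return {"files": files, "drivers": drivers,
            "boot_start": {s: v for s, v in starts.items() if s in drivers},
            "mbr_suspicious": mbr_flagged(gmer_text)}


def avenger_script(files, drivers):
    """Render the candidates in the 'Files to delete / Drivers to delete' format."""
    return "\n".join(["Files to delete:"] + files + ["Drivers to delete:"] + drivers) + "\n"


if __name__ == "__main__":
    result = triage(GMER_LOG, DDS_CREATED)
    print(avenger_script(result["files"], result["drivers"]))
    if result["mbr_suspicious"]:
        print("MBR flagged by GMER: verify the boot sector after the file cleanup.")
```

Run on the constructed excerpts, the script reproduces the two files and one driver the analyst listed; the MBR flag is reported separately because deleting files does nothing about a modified sector 63, which is why an analyst would keep that finding on the list after the file cleanup.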

#7 kp4cel

    New Member

  • Members
  • 19 posts

Posted 18 December 2009 - 10:10 PM

Here is the avenger.txt; it looks like it took care of it:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\system32\drivers\xpaiupak.sys" deleted successfully.
File "c:\windows\system32\fjhdyfhsn.bat" deleted successfully.
Driver "xpaiupak" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

BTW I am also in West Fla





#8 kp4cel


Posted 28 December 2009 - 08:22 PM

Well, I still cannot get MWB to run; it just freezes my computer. Any ideas?

Thanks





#9 sjpritch25

  • Location:West Coast of Florida

Posted 28 December 2009 - 08:28 PM

Please post a fresh Gmer log. Thanks

#10 kp4cel


Posted 29 December 2009 - 07:23 AM

Here is the log. Also, two days ago I noticed that Mozilla was hijacked, and it looks like Spybot took care of that, but I am not sure since I could not run Malwarebytes:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-29 07:09:01
Windows 5.1.2600 Service Pack 3
Running: 4xex3tsf.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwlyypog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwClose [0xB12858B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0x9D1CE574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0x9D1CEA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0x9D1CE14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0x9D1CE64E]
SSDT \??\C:\Program Files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwOpenProcess [0xB12858E0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0x9D1CE0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0x9D1CE76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0x9D1CE72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0x9D1CE8AE]
SSDT \??\C:\Program Files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwTerminateProcess [0xB1285990]
SSDT \??\C:\Program Files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwTerminateThread [0xB1285A30]
SSDT \??\C:\Program Files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwWriteVirtualMemory [0xB1285AD0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CC8 80504564 4 Bytes JMP 924A9D1C
.text ntkrnlpa.exe!ZwCallbackReturn + 2FA0 8050483C 4 Bytes CALL 4144E55D

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\SMINST\Scheduler.exe[1224] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 004170D0 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[1224] USER32.dll!GetSysColorBrush 7E418EAB 5 Bytes JMP 00417140 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[1224] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 00416FC0 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[1224] USER32.dll!GetScrollInfo 7E42DFE2 7 Bytes JMP 00416F10 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[1224] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 00417090 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[1224] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 00416F50 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[1224] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 00417000 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[1224] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 00416F80 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[1224] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 00417040 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[1224] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 00416ED0 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\system32\SearchIndexer.exe[2636] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[916] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[916] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000
IAT C:\WINDOWS\Explorer.EXE[2312] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C32F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[2312] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C32C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[2312] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C32CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[2312] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C32CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[3164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00F12F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[3164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00F12C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[3164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00F12CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[3164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00F12CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech Vid\vid.exe[3696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01B92F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech Vid\vid.exe[3696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01B92C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech Vid\vid.exe[3696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01B92CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech Vid\vid.exe[3696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01B92CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Ntfs \Ntfs SafeConnectFilter.sys (SafeConnect Application Activity Monitor Filter Driver./Sana Security, Inc. )
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----


Please advise.

Thanks
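Reading a GMER log like the one above by hand is error-prone, so here is an added triage script (an example written for this thread, not part of the post and not GMER's own code) that separates SSDT hooks GMER attributes to the installed security software from findings that need review, such as inline kernel patches and the "rootkit-like behavior" disk-sector warning. The vendor allow-list, the sample log subset and the `example_unknown.sys` hook are constructed assumptions.

```python
"""Triage helper for GMER rootkit-scan logs (added example).

Handles the three kinds of finding visible in the posted log: SSDT hooks
(attributed by GMER to a driver and vendor), inline patches in kernel code,
and disk-sector warnings. Only hooks attributable to known, installed
security software are marked expected; everything else is flagged.
"""
import re
from dataclasses import dataclass

# Vendors GMER attributes the SSDT hooks to in the posted log (constructed
# allow-list; on a real case derive it from the software actually installed).
KNOWN_VENDORS = {"ALWIL Software", "Sana Security, Inc."}

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
# SSDT <module> [(<description>/<vendor>)] <ZwFunction> [0x<addr>]
# The parenthesised part is absent when GMER cannot identify the file.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S.*?)\s+"
    r"(?:\((?P<desc>[^/)]*)/(?P<vendor>[^)]*)\)\s+)?"
    r"(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]"
)
# .text <image>!<symbol> + <off> <addr> <n> Bytes <JMP|CALL> <target>
PATCH_RE = re.compile(
    r"^\.text\s+(?P<image>[^\s!]+)!(?P<symbol>\w+)\s*\+\s*(?P<off>[0-9A-Fa-f]+)"
    r"\s+[0-9A-Fa-f]+\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]+)"
)
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+sector\s+(?P<sector>\d+):\s*(?P<msg>[^;]*)")


@dataclass
class Finding:
    section: str
    kind: str       # "ssdt", "kernel-patch" or "disk"
    module: str     # driver/image file name or disk device
    vendor: str     # as printed by GMER, "" when unknown
    detail: str
    expected: bool  # True only for hooks attributable to known security software


def parse_gmer(text):
    """Parse a GMER log into Findings; section headers decide how lines are read."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            section = m.group("name")
        elif (m := SSDT_RE.match(line)):
            vendor = (m.group("vendor") or "").strip()
            findings.append(Finding(
                section, "ssdt", m.group("module").rsplit("\\", 1)[-1], vendor,
                f"{m.group('func')} hooked at 0x{m.group('addr')}",
                vendor in KNOWN_VENDORS))
        elif section.startswith("Kernel") and (m := PATCH_RE.match(line)):
            # GMER cannot attribute an inline kernel patch to a file, so it is
            # never auto-accepted; compare the target against loaded drivers.
            findings.append(Finding(
                section, "kernel-patch", m.group("image"), "",
                f"{m.group('symbol')}+{m.group('off')}: {m.group('nbytes')}-byte "
                f"{m.group('kind')} to {m.group('target')}", False))
        elif (m := DISK_RE.match(line)):
            # A modified boot sector points at an MBR rootkit; deleting files
            # and drivers alone will not remove it.
            findings.append(Finding(
                section, "disk", m.group("device"), "",
                f"sector {m.group('sector')}: {m.group('msg').strip()}", False))
    return findings


def suspicious(findings):
    return [f for f in findings if not f.expected]


def summarize(findings):
    """Human-readable report lines, findings needing review first."""
    out = []
    for f in sorted(findings, key=lambda f: f.expected):
        who = f"{f.module} ({f.vendor})" if f.vendor else f.module
        out.append(f"[{'ok' if f.expected else 'CHECK'}] {f.kind}: {who}: {f.detail}")
    return out


# Constructed sample: lines copied from the posted log plus one made-up hook by
# an unidentified driver (example_unknown.sys) to show how unknowns are flagged.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwClose [0xB12858B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0x9D1CE574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0x9D1CE64E]
SSDT \SystemRoot\System32\Drivers\example_unknown.sys ZwEnumerateKey [0xF7A3C120]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2CC8 80504564 4 Bytes JMP 924A9D1C
.text ntkrnlpa.exe!ZwCallbackReturn + 2FA0 8050483C 4 Bytes CALL 4144E55D
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\SMINST\Scheduler.exe[1224] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 004170D0 C:\WINDOWS\SMINST\Scheduler.exe
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    print("\n".join(summarize(parse_gmer(SAMPLE_LOG))))
```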

#11 kp4cel


Posted 29 December 2009 - 07:30 AM

Mozilla is still hijacked: when performing searches and clicking on any of the search results, it takes me to http://seiniorage.com/index.php

#12 sjpritch25

  • Location:West Coast of Florida

Posted 29 December 2009 - 04:03 PM

Download Combofix from this webpage: http://www.bleepingc...to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.


#13 kp4cel


Posted 29 December 2009 - 05:26 PM

Here is the combofix.log:

ComboFix 09-12-29.03 - Administrator 12/29/2009 16:34:24.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2163 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 091229-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\avdrn.dat
c:\documents and settings\Administrator\Application Data\inst.exe
c:\documents and settings\Administrator\Local Settings\Application Data\{18971506-0728-4656-9122-98FBA44A8C38}
c:\documents and settings\Administrator\Local Settings\Application Data\{18971506-0728-4656-9122-98FBA44A8C38}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{18971506-0728-4656-9122-98FBA44A8C38}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{18971506-0728-4656-9122-98FBA44A8C38}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{18971506-0728-4656-9122-98FBA44A8C38}\install.rdf
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\HPPDEVX.DLL.log
c:\recycler\S-1-5-21-1062567417-215967349-1460275934-500
c:\windows\TEMP\logishrd\LVPrcInj01.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.

2009-12-29 12:39 . 2009-12-29 12:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-29 12:38 . 2009-12-29 12:38 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-29 12:38 . 2009-12-29 12:40 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-29 12:33 . 2009-12-29 12:33 -------- d-----w- c:\windows\LastGood.Tmp
2009-12-29 12:33 . 2009-12-29 12:33 -------- d-----w- c:\program files\Secunia
2009-12-27 16:04 . 2009-10-29 16:59 378368 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gfc11asd.default\extensions\{cb84136f-9c44-433a-9048-c5cd9df1dc16}\platform\WINNT_x86-msvc\components\libheuristic.dll
2009-12-26 14:18 . 2009-12-26 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-26 14:18 . 2009-12-26 14:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-25 16:20 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-25 16:20 . 2009-12-25 16:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-25 16:20 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-20 02:35 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2009-12-18 21:50 . 2009-12-18 21:50 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-18 21:50 . 2009-12-18 21:50 -------- d-----w- c:\documents and settings\Administrator\log
2009-12-16 23:52 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-12-16 23:52 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-12-16 23:52 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-12-16 23:52 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-12-16 23:52 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-12-16 23:52 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-12-16 23:52 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-12-16 23:52 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-12-16 23:51 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-12-16 23:51 . 2009-12-16 23:51 -------- d-----w- c:\program files\Alwil Software
2009-12-16 12:43 . 2009-12-26 14:10 0 ----a-w- c:\windows\Xdihuliwoluwaru.bin
2009-12-16 12:43 . 2009-12-26 14:10 120 ----a-w- c:\windows\Htiqi.dat
2009-12-16 12:34 . 2008-04-13 19:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2009-12-16 12:34 . 2008-04-13 19:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2009-12-16 12:34 . 2008-04-13 19:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2009-12-16 12:34 . 2008-04-13 19:41 8576 ----a-w- c:\windows\system32\dllcache\i2omgmt.sys
2009-12-16 12:34 . 2008-04-13 19:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2009-12-16 12:34 . 2008-04-13 19:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2009-12-07 00:37 . 2009-09-03 20:29 4194304 ----a-w- c:\windows\system32\cdintf400.dll
2009-12-07 00:34 . 2009-12-29 05:10 -------- d-----w- C:\ProWin09

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 21:39 . 2009-08-16 14:40 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-12-29 21:39 . 2009-08-16 14:40 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-12-29 12:38 . 2008-09-23 01:59 -------- d-----w- c:\program files\Java
2009-12-29 12:03 . 2008-10-29 11:21 -------- d-----w- c:\program files\LogMeIn
2009-12-20 15:34 . 2009-01-04 14:41 -------- d-----w- c:\program files\Adams Business Forms
2009-12-20 02:40 . 2008-10-17 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-17 00:41 . 2009-12-17 00:40 24 ----a-w- c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat
2009-12-16 12:34 . 2009-12-16 12:34 24 ----a-w- c:\documents and settings\NetworkService\Application Data\fvgqad.dat
2009-12-08 02:19 . 2008-11-19 22:38 -------- d-----w- c:\program files\Ten-Tec
2009-12-07 00:35 . 2008-09-23 02:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-06 16:12 . 2009-09-04 20:38 -------- d-----w- c:\program files\Seabyrd Technologies
2009-12-06 16:09 . 2009-09-05 22:59 -------- d-----w- c:\program files\Coupons
2009-11-28 18:29 . 2009-11-28 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2009-11-27 17:23 . 2008-12-07 13:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\TrueCrypt
2009-11-27 17:18 . 2008-12-07 13:56 223440 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-11-21 15:51 . 2006-02-28 02:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-05 23:42 . 2009-11-05 23:42 593920 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv305hw-0910190-0-main.dll
2009-11-01 13:19 . 2008-10-15 20:41 109192 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-31 13:16 . 2009-09-02 23:20 256 ----a-w- c:\windows\system32\pool.bin
2009-10-30 23:51 . 2009-10-30 23:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-30 23:51 . 2009-09-02 23:17 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-10-30 23:47 . 2008-10-22 01:47 -------- d-----w- c:\program files\Roxio
2009-10-30 23:46 . 2009-09-03 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-10-30 23:46 . 2008-10-22 01:46 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-10-29 07:46 . 2006-02-28 02:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2006-02-28 02:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2006-02-28 02:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2006-02-28 02:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2006-02-28 02:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2006-02-28 02:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2006-02-28 02:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2006-02-28 02:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2006-02-28 02:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-08 00:50 . 2009-10-08 00:50 8520 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gfc11asd.default\extensions\LogMeInClient@logmein.com\plugins\ractrlkeyhook.dll
2009-10-08 00:50 . 2009-10-08 00:50 83256 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gfc11asd.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardian.exe
2009-10-08 00:50 . 2009-10-08 00:50 70984 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gfc11asd.default\extensions\LogMeInClient@logmein.com\plugins\LMIProxyHelper.exe
2009-10-08 00:50 . 2009-10-08 00:50 574768 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gfc11asd.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardianDll.dll
2009-10-08 00:50 . 2009-10-08 00:50 3858432 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gfc11asd.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
2009-10-08 00:50 . 2009-10-08 00:50 15664 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gfc11asd.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardianEvt.dll
2009-10-01 22:03 . 2008-10-29 11:22 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-10-01 22:03 . 2008-10-29 11:22 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-10-01 22:03 . 2008-10-29 11:22 87352 ----a-w- c:\windows\system32\LMIinit.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-10-20 16:51 2846008 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-10-20 16:51 2846008 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskScheduler"="c:\prowin09\32bit\TaskSch.exe" [2009-12-11 456024]
"TrueCrypt"="c:\program files\TrueCrypt\TrueCrypt.exe" [2009-11-27 1415632]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-06-02 5451536]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-26 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-26 137752]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-12-24 618496]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-10-08 127036]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-10-24 206112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-06-15 49152]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"SanaSafeConnect"="c:\program files\TrustedID\Identity Theft Protection\agent\bin\SanaSafeConnect.exe" [2008-03-21 1378840]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-12-03 429392]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2008-12-29 1769472]
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-8-21 900816]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
CardMinder Viewer.lnk - c:\program files\PFU\ScanSnap\CardMinder V3.1\CardLauncher.exe [2008-12-29 36864]
Conversion to PDF with ScanSnap Organizer.lnk - c:\program files\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe [2008-12-29 24576]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2009-10-20 2890552]
ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2008-12-29 1769472]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
Z Cinema.lnk - c:\windows\Installer\{EE885042-228A-446F-A30D-64ECBDC93859}\StartupShortcut_EE885042228A446FA30D64ECBDC93859.exe [2009-5-6 172032]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-01 22:03 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^SISZYD32.EXE]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\SISZYD32.EXE
backup=c:\windows\pss\SISZYD32.EXEStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\microsoft frontpage\\bin\\fpexplor.exe"=
"c:\\FrontPage Webs\\Server\\vhttpd32.exe"=
"c:\\Program Files\\Ten-Tec\\OMNI VII One Plug\\UDP588.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/16/2009 6:52 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/16/2009 6:52 PM 20560]
R2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSSLVPNdaemon.exe [3/9/2009 2:02 PM 510496]
R2 HRD RemoteSvr;Ham Radio Deluxe Remote Server;c:\program files\Amateur Radio\Ham Radio Deluxe\HRDRemoteSvr.exe [5/22/2009 10:06 PM 196608]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 5:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [10/29/2008 6:22 AM 47640]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/25/2009 11:20 AM 276816]
R2 SanaSafeConnectAgent;SanaSafeConnectAgent;c:\program files\TrustedID\Identity Theft Protection\agent\Bin\SanaAgent.exe [3/21/2008 1:42 PM 4937240]
R2 SanaSafeConnectWatcher;SanaSafeConnectWatcher;c:\program files\TrustedID\Identity Theft Protection\agent\Bin\SanaSafeConnectWatcher.exe [3/21/2008 1:42 PM 539160]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/25/2009 11:20 AM 19160]
R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [12/11/2007 1:57 PM 36384]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 7:20 AM 12648]
R3 SanaSafeConnectDriver;SanaSafeConnectDriver;c:\program files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectDriver.sys [3/21/2008 1:43 PM 161304]
R3 SanaSafeConnectFilter;SanaSafeConnectFilter;c:\program files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectFilter.sys [3/21/2008 1:43 PM 29720]
R3 SanaSafeConnectShim;SanaSafeConnectShim;c:\program files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys [3/21/2008 1:43 PM 27376]
R3 ZCinema_TSHD;ZCinema TruSurround HD driver;c:\windows\system32\drivers\ZCinema_SRS_i386.sys [5/6/2009 4:24 PM 21392]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\aswArKrn.sys [?]
S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe [11/15/2008 7:51 AM 72704]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [12/23/2008 10:35 AM 50704]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-01-24 16:30 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2009-12-28 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2006-02-28 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.7.1/GarminAxControl.CAB
DPF: {B0882EB7-81A5-4A11-8D45-71888F973933} - hxxps://24.173.141.242:10443/sslvpn.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gfc11asd.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gfc11asd.default\extensions\{cb84136f-9c44-433a-9048-c5cd9df1dc16}\platform\WINNT_x86-msvc\components\libheuristic.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gfc11asd.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Fortinet\SslvpnClient\npccplugin.dll
FF - plugin: c:\program files\Fortinet\SslvpnClient\nptcplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
HKLM-Run-PfuSsSct.exe - c:\program files\PFU\ScanSnap\PfuSsSct.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-29 16:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(5396)
c:\windows\system32\WININET.dll
c:\program files\MozyHome\mozyshell.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\MozyHome\mozybackup.exe
c:\program files\Super_DVD_Creator_9.8\NMSAccessU.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\windows\system32\dllhost.exe
c:\windows\System32\vssvc.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\TrustedID\Identity Theft Protection\agent\bin\SanaMonitor.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-12-29 16:47:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-29 21:47

Pre-Run: 443,301,662,720 bytes free
Post-Run: 443,375,726,592 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - EC3256E375AA629E2A7E54EA25F8C3ED

#14 kp4cel

    New Member

  • Members
  • 19 posts

Posted 29 December 2009 - 05:28 PM

Here is the HijackThis log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 17:01:58.82 on Tue 12/29/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2400 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 091229-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\FortiSslvpnDaemon.exe
C:\Program Files\Amateur Radio\Ham Radio Deluxe\HRDRemoteSvr.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Super_DVD_Creator_9.8\NMSAccessU.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\TrustedID\Identity Theft Protection\agent\bin\SanaSafeConnect.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\ProWin09\32bit\TaskSch.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\PFU\ScanSnap\CardMinder V3.1\CardLauncher.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe
C:\Program Files\TrustedID\Identity Theft Protection\agent\Bin\SanaSafeConnectWatcher.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [TaskScheduler] c:\prowin09\32bit\TaskSch.exe
uRun: [TrueCrypt] "c:\program files\truecrypt\TrueCrypt.exe" /q preferences
uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\vid.exe" -bootmode
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [SetRefresh] "c:\program files\compaq\setrefresh\SetRefresh.exe"
mRun: [Recguard] "c:\windows\sminst\Recguard.exe"
mRun: [Scheduler] "c:\windows\sminst\Scheduler.exe"
mRun: [hpbdfawep] "c:\program files\hp\dfawep\bin\hpbdfawep.exe" 1
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [DLA] "c:\windows\system32\dla\DLACTRLW.EXE"
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [SanaSafeConnect] "c:\program files\trustedid\identity theft protection\agent\bin\SanaSafeConnect.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cardmi~1.lnk - c:\program files\pfu\scansnap\cardminder v3.1\CardLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\conver~1.lnk - c:\program files\pfu\scansnap\organizer\PfuSsOrgOcrChk.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zcinem~1.lnk - c:\windows\installer\{ee885042-228a-446f-a30d-64ecbdc93859}\StartupShortcut_EE885042228A446FA30D64ECBDC93859.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.7.1/GarminAxControl.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261274835859
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259192416484
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {B0882EB7-81A5-4A11-8D45-71888F973933} - hxxps://24.173.141.242:10443/sslvpn.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\gfc11asd.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\gfc11asd.default\extensions\{cb84136f-9c44-433a-9048-c5cd9df1dc16}\platform\winnt_x86-msvc\components\libheuristic.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\gfc11asd.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\fortinet\sslvpnclient\npccplugin.dll
FF - plugin: c:\program files\fortinet\sslvpnclient\nptcplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-16 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-16 20560]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-29 47640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-12-25 19160]
R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [2007-12-11 36384]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
R3 SanaSafeConnectDriver;SanaSafeConnectDriver;c:\program files\trustedid\identity theft protection\agent\driver\platform_xp\SafeConnectDriver.sys [2008-3-21 161304]
R3 SanaSafeConnectFilter;SanaSafeConnectFilter;c:\program files\trustedid\identity theft protection\agent\driver\platform_xp\SafeConnectFilter.sys [2008-3-21 29720]
R3 SanaSafeConnectShim;SanaSafeConnectShim;c:\program files\trustedid\identity theft protection\agent\driver\platform_xp\SafeConnectShim.sys [2008-3-21 27376]
R3 ZCinema_TSHD;ZCinema TruSurround HD driver;c:\windows\system32\drivers\ZCinema_SRS_i386.sys [2009-5-6 21392]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\admini~1\locals~1\temp\aswarkrn.sys --> c:\docume~1\admini~1\locals~1\temp\aswArKrn.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-12-23 50704]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-12-29 22:00:43 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2009-12-29 21:32:41 0 d-sha-r- C:\cmdcons
2009-12-29 21:31:50 98816 ----a-w- c:\windows\sed.exe
2009-12-29 21:31:50 77312 ----a-w- c:\windows\MBR.exe
2009-12-29 21:31:50 261632 ----a-w- c:\windows\PEV.exe
2009-12-29 21:31:50 161792 ----a-w- c:\windows\SWREG.exe
2009-12-29 12:39:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-29 12:33:32 0 d-----w- c:\program files\Secunia
2009-12-26 14:18:59 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-26 14:18:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-12-25 16:20:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-25 16:20:06 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-25 16:20:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-20 02:35:21 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2009-12-18 21:50:37 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-18 21:50:37 0 d-----w- c:\documents and settings\administrator\log
2009-12-16 12:43:37 0 ----a-w- c:\windows\Xdihuliwoluwaru.bin
2009-12-16 12:43:36 120 ----a-w- c:\windows\Htiqi.dat
2009-12-16 12:34:53 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2009-12-16 12:34:53 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2009-12-16 12:34:39 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2009-12-16 12:34:39 8576 ----a-w- c:\windows\system32\dllcache\i2omgmt.sys
2009-12-16 12:34:35 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2009-12-16 12:34:35 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2009-12-07 00:37:44 4194304 ----a-w- c:\windows\system32\cdintf400.dll
2009-12-07 00:34:01 0 d-----w- C:\ProWin09
2009-11-30 05:08:52 244 ---ha-w- C:\sqmnoopt10.sqm
2009-11-30 05:08:52 232 ---ha-w- C:\sqmdata10.sqm

==================== Find3M ====================

2009-12-29 21:39:52 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-12-29 21:39:47 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-11-27 17:18:15 223440 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-11-07 15:11:35 163738 ----a-w- c:\windows\fonts\AdobeFnt08.lst
2009-10-28 14:36:11 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54:16 634632 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-10-28 06:52:46 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-01 22:03:09 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-10-01 22:03:08 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-10-01 22:03:08 28984 ----a-w- c:\windows\system32\LMIport.dll

============= FINISH: 17:12:56.09 ===============

#15 kp4cel

    New Member

  • Members
  • 19 posts

Posted 29 December 2009 - 05:29 PM

Let me know when I can run Malwarebytes to see if it works.

Thanks

#16 kp4cel

    New Member

  • Members
  • 19 posts

Posted 30 December 2009 - 07:11 AM

I was able to run Malwarebytes in safe mode. I will try it again, but not in safe mode. Here is the log:

Malwarebytes' Anti-Malware 1.42
Database version: 3454
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

12/30/2009 7:01:13 AM
mbam-log-2009-12-30 (07-01-13).txt

Scan type: Quick Scan
Objects scanned: 106771
Time elapsed: 11 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Application Data\fvgqad.dat (Malware.Trace) -> Quarantined and deleted successfully.

#17 sjpritch25

    Forum Deity

  • Experts
  • 1,611 posts
  • Gender:Male
  • Location:West Coast of Florida

Posted 30 December 2009 - 06:52 PM

Please run Malwarebytes in Normal mode. Let me know if you have any more problems. Thanks
Microsoft Valuable Professional---MVP Consumer Security 2007-2010
Windows 7 Ultimate 64bit
Gigabyte P55A-UD4P Motherboard Intel i5 750 G.SKILL Ripjaws Series 4GB DDR3 1333 1TB WD 32mb cache
60gb OCZ Vertex Turbo SSD (BOOT drive)Noctua NH-U12P SE2 HeatsinkAntec P183 Case

#18 kp4cel

    New Member

  • Members
  • 19 posts

Posted 30 December 2009 - 08:29 PM

Well, I did, and it took one hour and seventeen minutes. Here is the log:


Malwarebytes' Anti-Malware 1.42
Database version: 3455
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/30/2009 12:43:02 PM
mbam-log-2009-12-30 (12-43-02).txt

Scan type: Quick Scan
Objects scanned: 110487
Time elapsed: 1 hour(s), 17 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Should I delete the quarantine?

Thanks?

#19 sjpritch25

    Forum Deity

  • Experts
  • 1,611 posts
  • Gender:Male
  • Location:West Coast of Florida

Posted 30 December 2009 - 09:31 PM

Go to Start ---> Run ---> Type ComboFix /uninstall and press Enter.

How is everything running?

#20 kp4cel

    New Member

  • Members
  • 19 posts

Posted 06 January 2010 - 09:21 AM

Well, I still cannot get Malwarebytes to run; it just freezes and freezes the computer, even in the scheduler, since I have the purchased version. I scanned my PC with Spybot and it is clean; Windows Defender and my AV, which is Avast (not the free version), and the boot scan came out clean. What is next??

Thanks and Happy New Year...
