Computer just went haywire! Need Help :P


This topic is locked
18 replies to this topic

#1 Kazavana (New Member, 10 posts)

Posted 22 September 2009 - 05:10 PM

Hi guys,

First off, thank you for any help you can provide. Now for the problem. I had the computer on for about a week and did various things on it. Today I shut down and started it up again later in the day, but this start-up resulted in my NOD32 antivirus going crazy with prompts and the background changing to say "YOUR SYSTEM HAS BEEN INFECTED!". I tried running Ad-Aware but it just freezes. I also tried running NOD32 and it caught a couple of things and deleted them, but things are still going haywire.

Things I've noticed are that when I Google something and click on the link, regardless of what I've Googled, I get directed to some random search engine, i.e. I click on an article on Wikipedia but still end up going to a search engine. Firefox seems to crash after several minutes, which is why I'm trying to do this ASAP. Other things are that I can't seem to do Ctrl+Alt+Delete nor change the background on the desktop.

I have no idea what else could be wrong and by chance found this forum. I attempted to follow the instructions by first running ERUNT and backing up the registry (I think that's what I did; I just followed the instructions). The next thing I did was attempt to get the dds.scr thing running; I've waited about 25 minutes and still no report, just a command prompt screen that shows up for a split second. I then attempted to run RootRepeal but got an error message stating "could not read the boot sector. Try adjusting the Disk access level in the options dialog", though it eventually opened and I did manage to run a scan. Here are the results of that. I would post the DDS.txt log if it ever appeared, but it didn't, nor the Attach.txt. Hopefully someone can help me figure this thing out. Thanks again in advance!
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/22 18:00
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 000006C2
Image Path: 000006C2
Address: 0x893F6000   Size: 41216   File Visible: No   Signed: -
Status: -

Name: 000006C2
Image Path: 000006C2
Address: 0xA1FD9000   Size: 81536   File Visible: No   Signed: -
Status: Hidden from the Windows API!

Name: PCI_PNP2358
Image Path: \Driver\PCI_PNP2358
Address: 0x00000000   Size: 0   File Visible: No   Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xB860E000   Size: 7872   File Visible: No   Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA1588000   Size: 49152   File Visible: No   Signed: -
Status: -

Name: spjj.sys
Image Path: spjj.sys
Address: 0xB7EA7000   Size: 1048576   File Visible: No   Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000   Size: 0   File Visible: No   Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xB5604000   Size: 20480   File Visible: No   Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xB6F46000   Size: 61440   File Visible: No   Signed: -
Status: -

SSDT
-------------------
ServiceTable Hooked [0x894406a8]!

Hidden Services
-------------------
Service Name: gasfkypvbkisxy
Image Path: C:\WINDOWS\system32\drivers\gasfkytkotxehn.sys

Service Name: izzngcrqhdbh
Image Path: C:\WINDOWS\system32\drivers\miiqcxvyb.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACulnowxnspy.sys

==EOF==
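The RootRepeal report above carries three signals a responder would pull out first: a driver whose status is "Hidden from the Windows API!", a hooked SSDT, and services that the normal service APIs cannot see. The following triage script is an added example, not part of the original thread and not RootRepeal's own code. The field layout it parses (Name / Image Path / Address / Size / File Visible / Signed / Status per driver, the "ServiceTable Hooked" line, and "Service Name" / "Image Path" pairs under Hidden Services) is read off the report in post #1; the sample input is constructed from that report, the "machine-generated name" rule and the severity levels are the author's own heuristics, and the allow-list of tool drivers is an assumption.

```python
"""Triage a RootRepeal report: flag drivers hidden from the Windows API, an
SSDT hook and hidden services.  Added example, not part of the original thread
and not RootRepeal's own code.  The regexes are whitespace-agnostic, so the
flattened one-line form the report was pasted in parses as well."""
import re
from dataclasses import dataclass

# Constructed sample, abbreviated from the report in post #1 (paths have no spaces).
SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2009
Scan Start Time: 2009/09/22 18:00
Windows Version: Windows XP SP2

Drivers
-------------------
Name: 000006C2
Image Path: 000006C2
Address: 0xA1FD9000   Size: 81536   File Visible: No   Signed: -
Status: Hidden from the Windows API!

Name: PROCEXP113.SYS
Image Path: C:\\WINDOWS\\system32\\Drivers\\PROCEXP113.SYS
Address: 0xB860E000   Size: 7872   File Visible: No   Signed: -
Status: -

Name: spjj.sys
Image Path: spjj.sys
Address: 0xB7EA7000   Size: 1048576   File Visible: No   Signed: -
Status: -

SSDT
-------------------
ServiceTable Hooked [0x894406a8]!

Hidden Services
-------------------
Service Name: gasfkypvbkisxy
Image Path: C:\\WINDOWS\\system32\\drivers\\gasfkytkotxehn.sys

Service Name: UACd.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\UACulnowxnspy.sys
==EOF==
"""

DRIVER_RE = re.compile(
    r"Name:\s*(?P<name>\S+)\s+Image Path:\s*(?P<path>.+?)\s+"
    r"Address:\s*(?P<addr>0x[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+)\s+"
    r"File Visible:\s*(?P<visible>\S+)\s+Signed:\s*(?P<signed>\S+)\s+"
    r"Status:\s*(?P<status>.*?)(?=\s+Name:|\s+SSDT|\s+=+|\Z)", re.S)
SSDT_RE = re.compile(r"ServiceTable Hooked \[(0x[0-9A-Fa-f]+)\]")
HIDDEN_SVC_RE = re.compile(r"Service Name:\s*(?P<name>\S+)\s+Image Path:\s*(?P<path>\S+)")

# Assumption: RootRepeal's own driver and Process Explorer's (Sysinternals)
# driver, both expected on a box where those tools were just run.
KNOWN_TOOL_DRIVERS = {"rootrepeal.sys", "procexp113.sys"}


@dataclass
class Finding:
    severity: str
    subject: str
    reason: str


def looks_random(name: str) -> bool:
    """Heuristic (an assumption, not a RootRepeal feature): nine or more letters
    containing a run of five or more consonants, e.g. 'gasfkypvbkisxy'."""
    letters = re.sub(r"[^A-Za-z]", "", re.sub(r"\.[A-Za-z0-9]+$", "", name))
    if len(letters) < 9:
        return False
    runs = re.findall(r"[^aeiouAEIOU]+", letters)
    return max((len(r) for r in runs), default=0) >= 5


def triage_rootrepeal(text: str) -> list:
    findings = []
    for m in DRIVER_RE.finditer(text):
        name, path, status = m["name"], m["path"].strip(), m["status"].strip()
        if name.lower() in KNOWN_TOOL_DRIVERS:
            continue
        if "hidden" in status.lower():
            findings.append(Finding("high", name, f"driver status: {status}"))
        elif m["visible"].lower() == "no" and "\\" not in path:
            # Loaded driver whose image could not be resolved to a file on disk.
            # Caveat: a randomly named sp??.sys next to an 'sptd' entry is
            # normally the SPTD layer used by disc-emulation software, so
            # confirm before treating it as malicious.
            findings.append(Finding("medium", name, "loaded driver with no resolvable image path"))
        if looks_random(name):
            findings.append(Finding("medium", name, "driver name looks machine-generated"))
    hook = SSDT_RE.search(text)
    if hook:
        findings.append(Finding("high", "SSDT", f"service table hooked at {hook[1]}"))
    for m in HIDDEN_SVC_RE.finditer(text):
        why = "service not visible through the Windows service APIs"
        if looks_random(m["name"]) or looks_random(m["path"].rsplit("\\", 1)[-1]):
            why += "; name looks machine-generated"
        findings.append(Finding("high", m["name"], f"{why} ({m['path']})"))
    return findings


if __name__ == "__main__":
    for f in triage_rootrepeal(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.subject}: {f.reason}")
```

The findings are leads to verify, not verdicts: the script only restates what RootRepeal observed (hidden status, a hooked service table, services invisible to the API) and adds a naming heuristic; anything it flags still has to be confirmed against the machine before a file is touched.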


#2 jmw3 (MRU Emeritus, 280 posts)

Posted 23 September 2009 - 02:13 AM

Hello & Welcome to What the Tech

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Options, then click Track this topic. Make sure it is set to Immediate Email Notification, then click Proceed.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes them much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Thanks

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Win32kDiag
Download Win32kDiag.exe by a_d_13 from Here & save the file to your desktop.
  • Click Start->Run Then copy/paste the following command (the bolded text) into the Run box & click OK:
    "%userprofile%\desktop\win32kdiag.exe" -f -r
  • When it's finished, there will be a log called Win32kDiag.txt on your desktop. Copy/ paste the contents of the log & post in your next reply.
ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1
Link 2

**IMPORTANT !!! Rename ComboFix.exe to commy.exe BEFORE you save it to your Desktop**
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Click Start>Run then copy paste the following command (the bolded text) into the Run box & click OK:
    "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


I would also like to see a list of installed programs, so please do this:
Click Start > Run then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Post the contents of that file in your next reply.

To post in next reply:
Win32kDiag log
ComboFix log
Add-Remove Programs.txt log
Update on how the computer is running

Edited by jmw3, 23 September 2009 - 02:16 AM.

Member - UNITE, Alliance of Security Analysis Professionals

#3 Kazavana (New Member, 10 posts)

Posted 23 September 2009 - 11:59 AM

Hey jmw3, I followed the instructions up to the point where I should have the ComboFix.txt, except my computer restarted and now it's on a restart loop. Every time it starts, the software runs and says it found activity at the rootkit (sp) something and it lists a bunch of files, and states that it must restart, and continues doing the same thing over and over again. I tried booting in Safe Mode but it just restarts automatically (this time without a prompt). :( Any ideas on how I should proceed? Thank you.

#4 jmw3 (MRU Emeritus, 280 posts)

Posted 23 September 2009 - 07:34 PM

Hi

Every time it starts, the software runs and says it found activity at the rootkit (sp) something and it lists a bunch of files

If possible & you have time could you write down the file names & post here, then try this:

Restart the computer & tap the f8 key repeatedly until you get the Advanced Options menu screen. Using the arrow keys scroll down to Last Known Good Configuration (your most recent settings that worked) then press Enter.

Let me know what happens.
Member - UNITE, Alliance of Security Analysis Professionals

#5 Kazavana (New Member, 10 posts)

Posted 24 September 2009 - 02:35 PM

I attempted to restart with the Last Known Good Configuration but to no avail. The same message popped up and prompted that the computer be restarted. It listed the following files:

C:\WINDOWS\system32\Drivers\gasfkytkotxehn.sys
C:\WINDOWS\system32\gasfkywecfvdrv.dll
C:\WINDOWS\system32\gasfkydcxgradn.dat
C:\WINDOWS\system32\gasfkymqytprfm.dll
C:\WINDOWS\system32\gasfkytunmmhew.dat
C:\WINDOWS\system32\gasfkynqvorodm.dll
C:\WINDOWS\system32\Drivers\UACulnowxnspy.sys
C:\WINDOWS\system32\UACpdibivkbfp.dll

I can't log on to my desktop at the moment because it keeps on restarting; I'm using a local library computer to post on the forums. Thank you! Hope this can be fixed, someone!

#6 jmw3 (MRU Emeritus, 280 posts)

Posted 24 September 2009 - 04:55 PM

Hi

Did you allow ComboFix to install the Recovery Console when you were prompted?
Member - UNITE, Alliance of Security Analysis Professionals

#7 Kazavana (New Member, 10 posts)

Posted 24 September 2009 - 06:01 PM

Yes I did

#8 jmw3 (MRU Emeritus, 280 posts)

Posted 24 September 2009 - 09:01 PM

Hi

Try this:
Restart the computer & when the blue ComboFix DOS screen appears close it BEFORE it gets to the 'Rootkit Activity found' message.

Let me know what happens.

Edited by jmw3, 25 September 2009 - 05:56 AM.

Member - UNITE, Alliance of Security Analysis Professionals

#9 Kazavana (New Member, 10 posts)

Posted 25 September 2009 - 02:39 PM

Hi jmw3, I closed the ComboFix DOS window and was able to access the desktop. Immediately I noticed that the firewall had been disabled, as well as other programs that usually start up. I also noticed my internet connection is not working even though it is connected (the browser does not load any web pages). I do not have a ComboFix.txt but do have a Win32kDiag.txt file on the desktop. I can load it onto a pen drive and post it here if you would like; I'm just afraid that whatever affected my computer will affect the pen drive as well. Thanks a lot for your help again, I can't thank you enough! I will not do anything until I receive further instructions. Thanks!

#10 jmw3 (MRU Emeritus, 280 posts)

Posted 25 September 2009 - 04:55 PM

Hi

Before we start transferring things from other computers (due to no internet connection), we'll try ComboFix again. This time just double-click on it to run. If you have the same problem of it trying to restart all the time then do as you did before (close the blue DOS window) & we'll try something else.
Member - UNITE, Alliance of Security Analysis Professionals


#11 Kazavana (New Member, 10 posts)

Posted 25 September 2009 - 05:33 PM

Hey jmw3, I'm on my desktop now and ComboFix ran and it did everything it was supposed to do, and I now have a log.txt. What should I continue with next? Thanks a lot for the help!

#12 jmw3 (MRU Emeritus, 280 posts)

Posted 25 September 2009 - 05:48 PM

Hello Kazavana

Good stuff. If you could post the contents of the ComboFix log for me to have a look, please. And what's the status of the machine now? What problems are you experiencing?
Member - UNITE, Alliance of Security Analysis Professionals

#13 Kazavana (New Member, 10 posts)

Posted 25 September 2009 - 05:52 PM

Hey jmw3,

The contents of the log are below. The machine seems fine. It seems to run well and the internet is functioning as well. The wallpaper that I had completely disappeared, but that does not worry me at all. Other than that, superficially it seems fine. Thanks again

ComboFix 09-09-22.03 - Kazavana 09/25/2009 18:21.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3327.2704 [GMT -5:00]
Running from: c:\documents and settings\Kazavana\Desktop\commy.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\Installer\fd42aa3.msi
c:\windows\system32\41.exe
c:\windows\system32\6to4v32.dll
c:\windows\system32\AVR09.exe
c:\windows\system32\certstore.dat
c:\windows\system32\drivers\gasfkytkotxehn.sys
c:\windows\system32\drivers\miiqcxvyb.sys
c:\windows\system32\drivers\str.sys
c:\windows\system32\drivers\UACulnowxnspy.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\gasfkydcxgradn.dat
c:\windows\system32\gasfkymqytprfm.dll
c:\windows\system32\gasfkynqvorodm.dll
c:\windows\system32\gasfkytuwmmhew.dat
c:\windows\system32\gasfkywecfvdrv.dll
c:\windows\system32\Install.txt
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\UACpdibivkbfp.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wiwow64.exe
c:\windows\TEMP\mta100799.dll

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_gasfkypvbkisxy
-------\Legacy_IZZNGCRQHDBH
-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_gasfkypvbkisxy
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-08-25 to 2009-09-25 )))))))))))))))))))))))))))))))
.

2009-09-23 12:20 . 2009-09-23 12:20 8432 ----a-w- c:\windows\system32\sebdpx.sys
2009-09-23 12:20 . 2009-09-23 12:20 23155 ----a-w- c:\windows\system32\sebdpp.dll
2009-09-22 22:49 . 2009-09-22 22:49 -------- d-----w- c:\program files\ERUNT
2009-09-22 21:37 . 2009-09-22 21:37 158208 ----a-w- C:\iusfdc.exe
2009-09-22 21:37 . 2009-09-22 21:37 148480 ----a-w- C:\butwwo.exe
2009-09-22 21:37 . 2009-09-22 21:37 55296 ----a-w- C:\wuun.exe
2009-09-22 21:37 . 2009-09-22 21:37 79360 ----a-w- C:\cibwemri.exe
2009-09-22 21:37 . 2009-09-22 21:37 10752 ----a-w- C:\jqijnws.exe
2009-09-22 21:37 . 2009-09-22 21:37 51200 ----a-w- C:\hempabtn.exe
2009-09-22 21:37 . 2009-09-22 21:37 37888 ----a-w- C:\ddmishqi.exe
2009-09-22 21:12 . 2009-09-23 12:10 0 ----a-r- c:\windows\win32k.sys
2009-09-22 21:01 . 2009-09-22 20:56 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-22 20:57 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-22 20:55 . 2009-09-22 20:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-22 20:55 . 2009-09-22 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-22 20:55 . 2009-09-22 20:55 -------- d-----w- c:\program files\Lavasoft
2009-09-22 05:41 . 2009-09-22 05:41 -------- d-----w- c:\windows\system32\Registry Patrol
2009-09-22 05:41 . 2009-09-22 05:52 -------- d-----w- c:\program files\Registry Patrol
2009-09-22 05:13 . 2009-09-22 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-22 05:13 . 2009-09-22 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\RocketReader
2009-09-22 05:08 . 2009-09-22 05:08 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-22 04:57 . 2009-09-22 05:53 -------- d-----w- c:\program files\RocketReaderV810
2009-09-06 18:47 . 2009-09-06 18:47 -------- d-----w- c:\program files\Maxis
2009-09-06 16:51 . 2009-09-06 16:51 -------- d-----w- c:\program files\NVIDIA Corporation
2009-09-06 16:51 . 2009-09-06 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-09-04 19:06 . 2009-09-06 18:47 533 ----a-w- c:\windows\eReg.dat
2009-08-31 19:00 . 1998-09-11 14:14 21504 ----a-w- c:\windows\system32\WBCustomizer.dll
2009-08-31 19:00 . 2001-03-13 02:51 185344 ----a-w- c:\windows\system32\MemWarp.dll
2009-08-31 19:00 . 2003-05-07 22:09 147456 ----a-w- c:\windows\system32\AbsoluteHttp.dll
2009-08-28 01:35 . 2009-08-28 01:35 -------- d-----w- c:\program files\AskBarDis

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-25 23:27 . 2009-07-15 20:33 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-09-25 23:27 . 2009-07-15 20:33 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-09-23 12:42 . 2009-09-23 12:42 16 ----a-w- c:\windows\pxysdb.dat
2009-09-22 21:08 . 2008-12-30 01:44 -------- d-----w- c:\documents and settings\Kazavana\Application Data\LimeWire
2009-09-22 05:11 . 2008-05-28 01:31 -------- d-----w- c:\documents and settings\Kazavana\Application Data\Azureus
2009-09-21 23:57 . 2009-03-09 03:28 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-21 13:23 . 2008-06-07 18:35 139072 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-09-21 13:21 . 2008-06-07 18:35 189672 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-09-12 03:10 . 2008-07-31 04:26 -------- d-----w- c:\documents and settings\Kazavana\Application Data\ZoomBrowser EX
2009-09-06 16:51 . 2008-06-10 00:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-06 16:51 . 2008-12-21 23:14 -------- d-----w- c:\program files\AGEIA Technologies
2009-09-04 19:07 . 2009-07-14 03:40 -------- d-----w- c:\documents and settings\Kazavana\Application Data\Canon
2009-08-30 23:00 . 2008-08-12 18:35 -------- d-----w- c:\program files\Ubisoft
2009-08-30 23:00 . 2008-05-28 01:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-30 16:08 . 2008-06-09 05:10 -------- d-----w- c:\program files\YNAB Pro
2009-08-28 01:36 . 2008-05-28 01:31 -------- d-----w- c:\program files\Azureus
2009-08-24 03:30 . 2009-07-15 22:42 -------- d-----w- c:\documents and settings\Kazavana\Application Data\Skype
2009-08-24 03:24 . 2009-08-24 03:24 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-24 03:24 . 2009-08-24 03:24 -------- d-----w- c:\documents and settings\Kazavana\Application Data\skypePM
2009-08-17 08:04 . 2009-08-17 08:04 2173472 ----a-w- c:\windows\system32\nvcplui.exe
2009-08-17 08:04 . 2009-08-17 08:04 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-08-17 08:03 . 2009-08-17 08:03 3170304 ----a-w- c:\windows\system32\nvwss.dll
2009-08-17 08:03 . 2009-08-17 08:03 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-08-17 08:03 . 2009-08-17 08:03 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-08-17 08:03 . 2009-08-17 08:03 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-08-17 08:03 . 2009-08-17 08:03 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-08-17 08:03 . 2009-08-17 08:03 4923392 ----a-w- c:\windows\system32\nvdisps.dll
2009-08-17 08:03 . 2009-08-17 08:03 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-08-17 08:03 . 2009-08-17 08:03 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-08-17 08:03 . 2009-08-17 08:03 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-08-17 08:03 . 2009-08-17 08:03 13877248 ----a-w- c:\windows\system32\nvcpl.dll
2009-08-17 08:02 . 2009-08-17 08:02 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-08-17 05:57 . 2009-08-17 05:57 2189856 ----a-w- c:\windows\system32\nvcuvid.dll
2009-08-17 05:57 . 2009-08-17 05:57 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-08-17 05:57 . 2009-08-17 05:57 1597690 ----a-w- c:\windows\system32\nvdata.bin
2009-08-17 05:57 . 2008-05-28 01:26 485920 -c--a-w- c:\windows\system32\nvudisp.exe
2009-08-17 05:57 . 2007-12-26 22:35 10457088 ----a-w- c:\windows\system32\nvoglnt.dll
2009-08-17 05:57 . 2007-12-26 22:35 2002944 ----a-w- c:\windows\system32\nvcuda.dll
2009-08-17 05:57 . 2007-12-26 22:35 868352 ----a-w- c:\windows\system32\nvapi.dll
2009-08-17 05:57 . 2007-12-26 22:35 7729568 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-08-17 05:57 . 2007-12-26 22:35 5845760 ----a-w- c:\windows\system32\nv4_disp.dll
2009-08-17 05:57 . 2007-12-26 22:35 155648 ----a-w- c:\windows\system32\nvcodins.dll
2009-08-17 05:57 . 2007-12-26 22:35 155648 ----a-w- c:\windows\system32\nvcod.dll
2009-08-14 18:36 . 2009-08-14 18:36 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
2009-08-11 17:35 . 2008-05-28 01:26 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 04:44 . 2008-12-30 01:44 -------- d-----w- c:\program files\LimeWire
2009-08-03 05:21 . 2009-08-03 05:21 23320 ----a-w- c:\windows\system32\PhysXDevice.dll
2009-08-01 20:17 . 2009-08-01 20:04 -------- d-----w- c:\documents and settings\Kazavana\Application Data\Mumble(PR Edition)
2009-08-01 20:04 . 2009-08-01 20:04 -------- d-----w- c:\program files\Mumble(PR Edition)
2009-07-29 21:58 . 2009-07-29 21:58 -------- d-----w- c:\program files\iTunes
2009-07-29 21:58 . 2009-07-29 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-29 21:58 . 2009-07-29 21:58 -------- d-----w- c:\program files\iPod
2009-07-29 21:58 . 2009-01-02 19:03 -------- d-----w- c:\program files\Common Files\Apple
2009-07-29 21:57 . 2008-09-17 00:19 -------- d-----w- c:\program files\Bonjour
2009-07-29 21:57 . 2009-07-29 21:57 -------- d-----w- c:\program files\QuickTime
2009-07-23 04:13 . 2008-06-24 02:16 256 -c--a-w- c:\windows\system32\pool.bin
2009-07-17 18:55 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 23:41 . 2008-05-28 01:31 81560 ----a-w- c:\documents and settings\Kazavana\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-14 04:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 22:30 . 2009-07-11 22:30 61632 ---ha-w- c:\windows\system32\mlfcache.dat
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2008-05-29 01:12 . 2008-05-29 01:11 283347733 -c--a-w- c:\program files\UTCAN-AK-Setup.exe
2008-08-06 20:27 . 2008-08-06 20:27 90 --sh--w- c:\windows\cnerolf.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sebdpp]
2009-09-23 12:20 23155 ----a-w- c:\windows\system32\sebdpp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Calendar Sync.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk
backup=c:\windows\pss\Google Calendar Sync.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kazavana^Start Menu^Programs^Startup^Windows Updater.lnk]
path=c:\documents and settings\Kazavana\Start Menu\Programs\Startup\Windows Updater.lnk
backup=c:\windows\pss\Windows Updater.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"CCALib8"=2 (0x2)
"NVSvc"=2 (0x2)
"MDM"=2 (0x2)
"IntuitUpdateService"=2 (0x2)
"Bonjour Service"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LVCOMSer"=2 (0x2)
"ASKUpgrade"=2 (0x2)
"ASKService"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XIb\\RpcSandraSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XIb\\Win32\\RpcDataSrv.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=
"c:\\Program Files\\America's Army\\System\\ArmyOps.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\forophele\\counter-strike source\\hl2.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Holdem Indicator\\HoldemIndicator.exe"=
"c:\\Program Files\\America's Army Deploy Client\\AADeployClient.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\X-System 670\\X-Plane 670.exe"=
"c:\\X-Plane 9\\X-Plane.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\IHMC CmapTools\\jre\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Kazavana\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Kazavana\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\LearnLift\\MemoryLifter2\\MLifter.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49520:TCP"= 49520:TCP:Vuze
"49520:UDP"= 49520:UDP:Vuze1.2

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/22/2009 3:57 PM 64160]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/20/2008 10:11 AM 33800]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2/20/2008 10:08 AM 472320]
R2 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [8/4/2004 7:00 AM 94208]
R3 chdrvr01;CH Control Manager Driver 1;c:\windows\system32\drivers\chdrvr01.sys [8/4/2008 3:49 PM 215104]
R3 chdrvr02;CH Control Manager Driver 2;c:\windows\system32\drivers\chdrvr02.sys [8/4/2008 3:49 PM 3744]
R3 chdrvr03;CH Control Manager Driver 3;c:\windows\system32\drivers\chdrvr03.sys [8/4/2008 3:49 PM 9024]
S2 izzngcrqhdbh;izzngcrqhdbh;\??\c:\windows\system32\drivers\miiqcxvyb.sys --> c:\windows\system32\drivers\miiqcxvyb.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1028432]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [8/4/2004 7:00 AM 3584]
S3 mfsdisk;mfsdisk;c:\windows\system32\mfsdisk.sys [8/4/2004 7:00 AM 2304]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [8/27/2009 8:35 PM 464264]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [8/27/2009 8:36 PM 234888]
S4 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [1/14/2009 6:12 PM 13088]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BTWSRV

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 20:56]

2009-09-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-573735546-839522115-1003Core.job
- c:\documents and settings\Kazavana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-20 01:31]

2009-09-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-573735546-839522115-1003UA.job
- c:\documents and settings\Kazavana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-20 01:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kazavana\Application Data\Mozilla\Firefox\Profiles\m4ofvm72.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\progra~1\MOZILL~1\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Kazavana\Application Data\Mozilla\Firefox\Profiles\m4ofvm72.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\Kazavana\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Kazavana\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-deoko - c:\documents and settings\Kazavana\deoko.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-25 18:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1960408961-573735546-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:57,21,bd,b7,1e,da,c5,50,10,7d,1f,fe,fe,3a,05,21,d0,73,a0,b6,aa,0b,2c,
6c,3e,3c,2a,f0,75,12,e6,e8,70,fe,9e,6c,ab,e7,30,1b,0d,39,8c,60,bb,06,a1,70,\
"??"=hex:08,72,03,54,06,ef,66,d7,b5,7b,3d,28,7f,25,65,80
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\sebdpp.dll
c:\windows\system32\wininet.dll

- - - - - - - > 'explorer.exe'(3772)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\Web Components\10\OWC10.DLL
c:\windows\system32\Msi.dll
c:\progra~1\COMMON~1\MICROS~1\Web Components\11\OWC11.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\qoobox\Quarantine\C\WINDOWS\system32\wiwow64.exe.vir
c:\windows\system32\lsm32.sys
.
**************************************************************************
.
Completion time: 2009-09-25 18:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-25 23:30

Pre-Run: 12,729,864,192 bytes free
Post-Run: 15,217,807,360 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
328 --- E O F --- 2009-09-21 13:41

#14 jmw3

jmw3

    MRU Emeritus

  • Authentic Member
  • PipPipPip
  • 280 posts

Posted 25 September 2009 - 06:01 PM

Hi

Thanks for the log. A couple more things for you to do while I'm going through this.

I would also like to see a list of installed programs, so please do this:
Click Start > Run then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Post the contents of that file in your next reply.

Gmer
Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


To post in next reply:
Add-Remove Programs log
Gmer log
Member - UNITE, Alliance of Security Analysis Professionals

#15 Kazavana

Kazavana

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 25 September 2009 - 06:19 PM

Hey jmw3,

Here are the logs you asked for

Add-remove log

3DMark06
AC3Filter (remove only)
Acrobat.com
Active Camera 2004 patch for FS 9.1
Active Camera 2004 update to version 2.1 (FS 9.1)
Active Camera 2004 version 2.0
ActiveSky Version 6 and ActiveSky Graphics
Ad-Aware
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 9.1.3
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AI Suite
America's Army
America's Army Deploy Client
America's Army Server Manager
Antilles 2004 v1.3
Apple Mobile Device Support
Apple Software Update
ATITool Overclocking Utility
AutoUpdate
Battlefield 2™
Battlefield 2™ Demo
BattlEye Uninstall
Beechcraft Bonanza F33A
BioShock
BlackBerry Desktop Software 4.5
Bonjour
Call of Duty Game of the Year Edition
Call of Duty® - World at War™
Call of Duty® 4 - Modern Warfare™
Canon Camera Access Library
Canon Camera Support Core Library
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities Digital Photo Professional 3.3
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities RemoteCapture DC
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CH Control Manager
Critical Update for Windows Media Player 11 (KB959772)
Crysis®
Diskeeper 2008 Pro Premier
DivX Codec
DivX Converter
DivX Player
DivX Web Player
ERUNT 1.1j
ESET NOD32 Antivirus
FeelThere PIC ERJ-145LR 1.0
FS9 Configurator
FSAutoStart
FSNavigator
Genova Sestri V.2
Google Calendar Sync
Google Earth
Google Talk Plugin
Ground Environment Professional
Half-Life® 2
Hawaii Oahu
High Definition Audio Driver Package - KB888111
Holdem Indicator 1.6.0
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
IHMC CmapTools v5.03
Intel® Matrix Storage Manager
ISD Project - LIPZ and LIPV 2003
ISD PROJECT LIML2004
iTunes
Java™ 6 Update 7
Level-D Simulations 767-300
Level-D Simulations 767-300 Update
LimeWire 5.2.13
Logitech QuickCam
Logitech QuickCam Driver Package
Logitech Updater
Marvell Miniport Driver
MemoryLifter
Men of War Demo (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Flight Simulator 2004 A Century of Flight
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.3)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Mumble(PR edition) and Murmur(PR edition)
Nero 6 Ultra Edition
Network Addon Mod Version June 2009
NOD32 v3.0.642 FiX1.2 by TemDono (31 days remaining forever up
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
NVIDIA Windows 95/98/ME/2000/XP Stereo Drivers
Octoshape add-in for Adobe Flash Player
OpenAL
PDF Settings
Phoenix
Picasa 3
PlayFLV
PokerStars
PR_SP 0.7 - MAPPACK 2
PR_SP 0.7 - mappack v3
Project Reality 0856 Core
Project Reality 0856 Levels
Project Reality 0874 Patch
Project Reality SP 0.85 Core
Project Reality SP 0.85 Mappack 1
PunkBuster Services
QuickTime
RivaTuner v2.23
Roxio Media Manager
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SimCity 4 Deluxe
SiSoftware Sandra Lite XIb (Win64/32/CE)
Skyhawk 172R by Flight One Software
Skype web features
Skype™ 4.1
SoundMAX
Spelling Dictionaries Support For Adobe Reader 9
Steam™
Thermal Analysis Tool
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wnyiper
TurboTax 2008 wrapper
Ultimate Terrain - Canada & Alaska
Ultimate Terrain - USA
Update Bonanza F33A
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VideoLAN VLC media player 0.8.6d
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Vuze
Vuze Toolbar
WebFldrs XP
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
World in Conflict
XML Paper Specification Shared Components Pack 1.0
YNAB Pro version 2.9.4.0


gmer.txt log


GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-25 19:18:16
Windows 5.1.2600 Service Pack 2
Running: bnmlrqp8.exe; Driver: C:\DOCUME~1\Kazavana\LOCALS~1\Temp\uwrdapoc.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xB811887E]
SSDT spsu.sys ZwEnumerateKey [0xB7EC6CA2]
SSDT spsu.sys ZwEnumerateValueKey [0xB7EC7030]
SSDT spsu.sys ZwOpenKey [0xB7EA80C0]
SSDT spsu.sys ZwQueryKey [0xB7EC7108]
SSDT spsu.sys ZwQueryValueKey [0xB7EC6F88]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xB8118BFE]

INT 0x63 ? 8A826BF8
INT 0x63 ? 8A826BF8
INT 0x63 ? 8A826BF8
INT 0x63 ? 8A826BF8
INT 0x83 ? 8B30DBF8
INT 0x83 ? 8B30DBF8
INT 0x83 ? 8A826BF8
INT 0x83 ? 8B30DBF8
INT 0x84 ? 8A826BF8
INT 0x94 ? 8A826BF8
INT 0xA4 ? 8B380BF8

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8B37F1F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \FileSystem\Fastfat \FatCdrom 8A07B1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{2831B365-C51B-4EA1-B2F5-EE89B6D18BCE} 8A1361F8

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 DumaNT.SYS (DumaNT Auxillary Driver for Stereo/Windows ® 2000 DDK provider)

Device \Driver\usbuhci \Device\USBPDO-0 8A77F1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8B3811F8
Device \Driver\dmio \Device\DmControl\DmConfig 8B3811F8
Device \Driver\dmio \Device\DmControl\DmPnP 8B3811F8
Device \Driver\dmio \Device\DmControl\DmInfo 8B3811F8
Device \Driver\usbuhci \Device\USBPDO-1 8A77F1F8
Device \Driver\usbuhci \Device\USBPDO-2 8A77F1F8
Device \Driver\usbehci \Device\USBPDO-3 8A7D61F8
Device \Driver\usbuhci \Device\USBPDO-4 8A77F1F8

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

Device \Driver\usbuhci \Device\USBPDO-5 8A77F1F8
Device \Driver\usbuhci \Device\USBPDO-6 8A77F1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8B30E1F8
Device \Driver\usbehci \Device\USBPDO-7 8A7D61F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8B30E1F8
Device \Driver\Cdrom \Device\CdRom0 8A72D1F8
Device \Driver\atapi \Device\Ide\IdePort0 8B30D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8B30D1F8
Device \Driver\atapi \Device\Ide\IdePort1 8B30D1F8
Device \Driver\Cdrom \Device\CdRom1 8A72D1F8
Device \Driver\sptd \Device\2834739910 spsu.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A1361F8
Device \Driver\NetBT \Device\NetbiosSmb 8A1361F8
Device \Driver\PCI_PNP6160 \Device\0000004c spsu.sys
Device \Driver\USBSTOR \Device\00000087 8A578500
Device \Driver\usbuhci \Device\USBFDO-0 8A77F1F8
Device \Driver\usbuhci \Device\USBFDO-1 8A77F1F8
Device \Driver\usbuhci \Device\USBFDO-2 8A77F1F8
Device \Driver\usbehci \Device\USBFDO-3 8A7D61F8
Device \Driver\usbuhci \Device\USBFDO-4 8A77F1F8
Device \Driver\Ftdisk \Device\FtControl 8B30E1F8
Device \Driver\USBSTOR \Device\0000008a 8A578500
Device \Driver\usbuhci \Device\USBFDO-5 8A77F1F8
Device \Driver\usbuhci \Device\USBFDO-6 8A77F1F8
Device \Driver\usbehci \Device\USBFDO-7 8A7D61F8
Device \Driver\a3saikbm \Device\Scsi\a3saikbm1Port3Path0Target0Lun0 8A717500
Device \Driver\a3saikbm \Device\Scsi\a3saikbm1 8A717500
Device \FileSystem\Fastfat \Fat 8A07B1F8

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \FileSystem\Cdfs \Cdfs 8A0B91F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0C 0x1B 0x91 0xE2 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE3 0x37 0x37 0xB5 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x20 0xA3 0xD5 0x5E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0C 0x1B 0x91 0xE2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE3 0x37 0x37 0xB5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x20 0xA3 0xD5 0x5E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0C 0x1B 0x91 0xE2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE3 0x37 0x37 0xB5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x20 0xA3 0xD5 0x5E ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0C 0x1B 0x91 0xE2 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE3 0x37 0x37 0xB5 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x20 0xA3 0xD5 0x5E ...

---- EOF - GMER 1.0.15 ----
