[Resolved] infected - please help


  • This topic is locked
21 replies to this topic

#1 fmedwards3

    Authentic Member

  • 59 posts

Posted 23 September 2009 - 05:31 PM

My google toolbar search returns an empty page, but a search from the google.com site works normally.
Neither Spybot Search and Destroy nor Ad-aware will run.
Kaspersky anti-virus hangs shortly after beginning to scan.

Startup and HijackThis log files are below.

*************************************************************************************************************
My startup log is:
StartupList report, 9/23/2009, 6:25:21 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hasplms.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Fastream IQ Web FTP Server Engine\IQWebFTPServerEngine.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\vmnetdhcp.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\onyx\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
Synchronization Manager = mobsync.exe /logon
IgfxTray = C:\WINNT\system32\igfxtray.exe
HotKeysCmds = C:\WINNT\system32\hkcmd.exe
PDF Converter Registry Controller = "C:\Program Files\ScanSoft\PDF Converter\RegistryController.exe"
HP Software Update = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
AVP = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = ctfmon.exe
swg = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
{9281A4FC-C581-3449-5FA6-456C6F7B9079} = C:\Documents and Settings\onyx\Application Data:winsock32.exe
antivirus-2008pro.exe = C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = NOTEPAD.EXE %1

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\UltraEdit.txt\shell\open\command

(Default) = notepad.exe %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = "C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigOE

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\mplayer2.inf,PerUserStub.NT

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = c:\WINNT\system32\Rundll32.exe c:\WINNT\system32\mscories.dll,Install

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\system32\updcrl.exe -e -u %SystemRoot%\system32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 2009\mzvkbd.dll,C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 2009\adialhk.dll,C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 2009\kloehk.dll

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1 %*)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll - {089FD14D-132B-48FC-8861-0048AE113215}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
IEVkbdBHO - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}
(no name) - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

1-Click Maintenance.job
Ad-Aware Update (Weekly).job
SDMsgUpdate (TE).job
twinsplay.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab

[Microsoft XML Parser for Java]

[{31564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros.../i386/wmvax.cab

[{32564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...i386/wmv8ax.cab

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...D0C/wmv9dmo.cab

[Facebook Photo Uploader Control]
CODEBASE = http://upload.facebo...otoUploader.cab

[PopupMenu Object]
InProcServer32 = C:\WINNT\Downloaded Program Files\iemenu.ocx
CODEBASE = http://tcapps.selu.e...mmon/iemenu.cab

[Java Plug-in 1.6.0_07]
InProcServer32 = C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupd...8458.7024884259

[Crucial cpcScan]
InProcServer32 = C:\WINNT\Downloaded Program Files\cpcScan.dll
CODEBASE = http://www.crucial.c.../cpcScanner.cab

[SABScanProcesses Class]
CODEBASE = http://www.superadbl...ivex/sabspx.cab

[Java Plug-in 1.6.0_07]
InProcServer32 = C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.6.0_07]
InProcServer32 = C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Infragistics DataTable Control 8.0 (OLEDB)]
InProcServer32 = C:\WINNT\DOWNLO~1\pvdt80.ocx
CODEBASE = http://tcapps.selu.e...mmon/pvdt80.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
Protocol #1: C:\WINNT\system32\msafd.dll
Protocol #2: C:\WINNT\system32\msafd.dll
Protocol #3: C:\WINNT\system32\msafd.dll
Protocol #4: C:\WINNT\system32\rsvpsp.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\Program Files\VMware\VMware Player\vsocklib.dll
Protocol #7: C:\Program Files\VMware\VMware Player\vsocklib.dll
Protocol #8: C:\WINNT\system32\msafd.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll
Protocol #12: C:\WINNT\system32\msafd.dll
Protocol #13: C:\WINNT\system32\msafd.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
aksfridge: \??\C:\WINNT\system32\drivers\aksfridge.sys (autostart)
Alerter: %SystemRoot%\System32\services.exe (disabled)
Application Management: %SystemRoot%\system32\services.exe (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Kaspersky Internet Security: "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" -r (autostart)
Belarc SMBios Access: \SystemRoot\System32\Drivers\BANTExt.sys (system)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (autostart)
Computer Browser: %SystemRoot%\System32\services.exe (disabled)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (disabled)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (disabled)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINNT\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
Symantec AntiVirus Definition Watcher: "C:\Program Files\Symantec AntiVirus\DefWatch.exe" (disabled)
Defragmentation-Service: "C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe" (manual start)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
DigimHID: system32\DRIVERS\DigimHID.sys (manual start)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\services.exe (disabled)
ebouucg: system32\drivers\ojlayp.sys (autostart)
Symantec Eraser Control driver: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (system)
3Com EtherLink XL B/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (autostart)
Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
FSLX: \??\C:\WINNT\system32\drivers\fslx.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Hardlock: \??\C:\WINNT\system32\drivers\hardlock.sys (autostart)
HASP License Manager: C:\WINNT\system32\hasplms.exe -run (autostart)
VMware hcmon: \??\C:\WINNT\system32\drivers\hcmon.sys (autostart)
HID Input Service: %SystemRoot%\system32\hidserv.exe (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (autostart)
IEEE-1284.4 Driver HPZid412: system32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: system32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: system32\DRIVERS\HPZius12.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: system32\DRIVERS\i81xnt5.sys (manual start)
Service for AC'97 Driver (WDM): system32\drivers\ichaud.sys (manual start)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
Intuit Update Service: "C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" (disabled)
iPAHelper.exe: C:\Program Files\iPod Access for Windows\iPAHelper.exe (autostart)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Kl1: system32\drivers\kl1.sys (system)
Kaspersky Lab Boot Guard Driver: system32\drivers\klbg.sys (system)
Kaspersky Lab KLFltDev: system32\DRIVERS\klfltdev.sys (manual start)
Kaspersky Lab Driver: system32\DRIVERS\klif.sys (system)
Kaspersky Anti-Virus NDIS Filter: system32\DRIVERS\klim5.sys (manual start)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
Lavasoft Ad-Aware Service: "C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe" (autostart)
Lbd: system32\DRIVERS\Lbd.sys (system)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (disabled)
McciCMService: "C:\Program Files\Common Files\Motive\McciCMService.exe" (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
Messenger: %SystemRoot%\System32\services.exe (disabled)
NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (disabled)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
BDA MPE Filter: system32\DRIVERS\MPE.sys (manual start)
MREMP50 NDIS Protocol Driver: \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS (manual start)
MREMP50a64 NDIS Protocol Driver: \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS (manual start)
MRESP50 NDIS Protocol Driver: \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS (manual start)
MRESP50a64 NDIS Protocol Driver: \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
Windows Installer: C:\WINNT\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
NAVENG: \??\C:\PROGRA~1\COMMON~1\Symantec Shared\VirusDefs\20070820.048\naveng.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\Symantec Shared\VirusDefs\20070820.048\navex15.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fastream IQ Web/FTP Server: C:\PROGRA~1\Fastream IQ Web FTP Server Engine\IQWebFTPServerEngine.exe (autostart)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (disabled)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OMCI WDM Device Driver: system32\DRIVERS\omci.sys (system)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (system)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINNT\system32\HPZipm12.exe (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (manual start)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Profos: \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys (manual start)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
SABProcEnum: \??\C:\Program Files\Internet Explorer\SABProcEnum.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SASKUTIL: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (system)
SAVRoam: "C:\Program Files\Symantec AntiVirus\SavRoam.exe" (manual start)
SAVRT: \??\C:\Program Files\Symantec AntiVirus\savrt.sys (system)
SAVRTPEL: \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys (system)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
SecDrv: \??\C:\WINNT\system32\drivers\SECDRV.SYS (autostart)
RunAs Service: %SystemRoot%\system32\services.exe (disabled)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiteAdvisor Service: "C:\Program Files\SiteAdvisor\6261\SAService.exe" (autostart)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (disabled)
SPBBCDrv: \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (manual start)
Symantec SPBBCSvc: "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" (disabled)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
stcp2v30 Driver: system32\drivers\stcp2v30.sys (system)
Still Image Service: %systemroot%\system32\stisvc.exe (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
Symantec AntiVirus: "C:\Program Files\Symantec AntiVirus\Rtvscan.exe" (disabled)
SymEvent: \??\C:\WINNT\system32\Drivers\SYMEVENT.SYS (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (disabled)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Telnet: %SystemRoot%\system32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (manual start)
Trufos: \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.sys (manual start)
TSP: \??\C:\WINNT\system32\drivers\klif.sys (manual start)
VMware Agent Service: "C:\Program Files\VMware\VMware Player\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Player\\" -s ufad-p2v.xml (manual start)
Microsoft USB Universal Host Controller Driver: System32\DRIVERS\uhcd.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (disabled)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VMware Authorization Service: "C:\Program Files\VMware\VMware Player\vmware-authd.exe" (autostart)
VMware vmci: \??\C:\WINNT\system32\Drivers\vmci.sys (autostart)
VMware kbd: \??\C:\WINNT\system32\drivers\VMkbd.sys (manual start)
VMware Virtual Ethernet Adapter Driver: system32\DRIVERS\vmnetadapter.sys (manual start)
VMware Bridge Protocol: system32\DRIVERS\vmnetbridge.sys (autostart)
VMware DHCP Service: C:\WINNT\system32\vmnetdhcp.exe (autostart)
VMware Network Application Interface: \??\C:\WINNT\system32\drivers\vmnetuserif.sys (autostart)
VMware Virtual Mount Manager Extended: "C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe" (disabled)
VMware VMparport: \??\C:\WINNT\system32\Drivers\VMparport.sys (autostart)
VMware NAT Service: C:\WINNT\system32\vmnat.exe (disabled)
VMware vmx86: \??\C:\WINNT\system32\Drivers\vmx86.sys (autostart)
Vstor2 WS60 Virtual Storage Driver: \??\C:\Program Files\VMware\VMware Player\vstor2-ws60.sys (autostart)
Windows Time: %SystemRoot%\System32\services.exe (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
Wintb62: System32\Drivers\Wintb62.sys (system)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)
Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINNT\TEMP\UACceb0.tmp|||P

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\netshell.dll
WebCheck: C:\WINNT\system32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Explorer Options2 = w

--------------------------------------------------

End of report, 35,730 bytes
Report generated in 0.421 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


********************************************************************************
*****************************
My hijackthis log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:15:50, on 9/23/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hasplms.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Fastream IQ Web FTP Server Engine\IQWebFTPServerEngine.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\vmnetdhcp.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\PDF Converter\RegistryController.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [{9281A4FC-C581-3449-5FA6-456C6F7B9079}] C:\Documents and Settings\onyx\Application Data:winsock32.exe
O4 - HKCU\..\Run: [antivirus-2008pro.exe] C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe
O4 - HKLM\..\Policies\Explorer\Run: [Explorer Options2] w
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\ScanSoft\PDF Converter\IEShellExt.dll /100
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - http://tcapps.selu.e...mmon/iemenu.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {E9C9692E-F93C-11D1-ABB0-0040054FC6FB} (Infragistics DataTable Control 8.0 (OLEDB)) - http://tcapps.selu.e...mmon/pvdt80.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = home.domain
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = home.domain
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = home.domain
O20 - AppInit_DLLs: C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 2009\mzvkbd.dll,C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 2009\adialhk.dll,C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 2009\kloehk.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINNT\system32\hasplms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Fastream IQ Web/FTP Server (NFService) - Fastream Technologies - C:\PROGRA~1\Fastream IQ Web FTP Server Engine\IQWebFTPServerEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINNT\system32\vmnetdhcp.exe

--
End of file - 8780 bytes



#2 CatByte

    Classroom Administrator
  • 21,060 posts
  • MVP

Posted 23 September 2009 - 07:23 PM

Hi,

Please do the following:



Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


NEXT

Download and run Win32kDiag:

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#3 fmedwards3

    Authentic Member
  • 59 posts

Posted 23 September 2009 - 09:05 PM

Thanks for the reply.

exeHelper output
****************************************************
exeHelper by Raktor - 09 Build 20090919
Run at 21:45:35 on 09/23/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Found file C:\WINNT\system32\wingenocx.dll
Deleting file C:\WINNT\system32\wingenocx.dll
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Win32KDiag output
******************************************
Running from: C:\Documents and Settings\onyx\Desktop\software2\Win32kDiag.exe
Log file at : C:\Documents and Settings\onyx\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINNT'...
Finished!

#4 CatByte

    Classroom Administrator
  • 21,060 posts
  • MVP

Posted 24 September 2009 - 12:58 AM

Please do the following:

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries



#5 fmedwards3

    Authentic Member
  • 59 posts

Posted 24 September 2009 - 08:58 AM

Again - thanks for your help.




DDS.TXT*******************************************************************
DDS (Ver_09-07-30.01) - NTFSx86
Run by onyx at 9:15:22.56 on Thu 09/24/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.510.176 [GMT -6:00]


============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\hasplms.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Fastream IQ Web FTP Server Engine\IQWebFTPServerEngine.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINNT\system32\vmnetdhcp.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\onyx\Desktop\software2\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.selu.edu/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [ctfmon.exe] ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [{9281A4FC-C581-3449-5FA6-456C6F7B9079}] c:\documents and settings\onyx\Application Data:winsock32.exe
uRun: [antivirus-2008pro.exe] c:\program files\antivirus 2008 pro\antivirus-2008pro.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [IgfxTray] c:\winnt\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe
mRun: [PDF Converter Registry Controller] "c:\program files\scansoft\pdf converter\RegistryController.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
mExplorerRun: [Explorer Options2] w
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hp digital imaging monitor.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hp image zone fast start.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symantec fax starter edition port.lnk - c:\program files\microsoft office\office\1033\OLFSNT40.EXE
uPolicies-explorer: NoStartMenuMorePrograms = 0
uPolicies-explorer: StartMenuLogOff = 0
uPolicies-explorer: NoToolbarCustomize = 0
uPolicies-explorer: NoSetFolders = 0
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open PDF in Word - c:\program files\scansoft\pdf converter\IEShellExt.dll /100
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
LSP: c:\program files\vmware\vmware player\vsocklib.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {31564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmvax.cab
DPF: {32564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8ax.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} - hxxp://tcapps.selu.edu/timecentre/Common/iemenu.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38458.7024884259
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {E9C9692E-F93C-11D1-ABB0-0040054FC6FB} - hxxp://tcapps.selu.edu/timecentre/Common/pvdt80.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
Notify: klogon - c:\winnt\system32\klogon.dll
Notify: NavLogon - c:\winnt\system32\NavLogon.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: c:\progra~1\kaspersky lab\kaspersky internet security 2009\mzvkbd.dll,c:\progra~1\kaspersky lab\kaspersky internet security 2009\adialhk.dll,c:\progra~1\kaspersky lab\kaspersky internet security 2009\kloehk.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\onyx\applic~1\mozilla\firefox\profiles\5alwvt2f.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.selu.edu/|http://www.selu.edu/
FF - component: c:\program files\siteadvisor\6261\ff\components\FFHook.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\winnt\system32\drivers\kl1.sys [2008-4-16 112144]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\winnt\system32\drivers\klbg.sys [2008-1-29 33808]
R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2009-5-11 64160]
R0 stcp2v30;stcp2v30 Driver;c:\winnt\system32\drivers\stcp2v30.sys [2008-12-1 64960]
R1 FSLX;FSLX;c:\winnt\system32\drivers\fslx.sys [2008-7-21 192256]
R1 KLIF;Kaspersky Lab Driver;c:\winnt\system32\drivers\klif.sys [2009-5-12 215824]
R2 hasplms;HASP License Manager;c:\winnt\system32\hasplms.exe -run --> c:\winnt\system32\hasplms.exe -run [?]
R2 NFService;Fastream IQ Web/FTP Server;c:\progra~1\fastream iq web ftp server engine\IQWebFTPServerEngine.exe [2008-10-4 3220992]
R2 vmci;VMware vmci;c:\winnt\system32\drivers\vmci.sys [2009-3-26 54960]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2005-4-16 61712]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\winnt\system32\drivers\klfltdev.sys [2008-3-13 23312]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\winnt\system32\drivers\klim5.sys [2008-3-25 24592]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys --> c:\program files\symantec antivirus\savrt.sys [?]
S1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\savrtpel.sys --> c:\program files\symantec antivirus\Savrtpel.sys [?]
S2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-4-25 201992]
S2 ebouucg;ebouucg;c:\winnt\system32\drivers\ojlayp.sys --> c:\winnt\system32\drivers\ojlayp.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 6\DfSdkS.exe [2008-12-27 410976]
S3 DigimHID;DigimHID;c:\winnt\system32\drivers\DigimHID.SYS [2008-8-18 5248]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symantec shared\virusdefs\20070820.048\naveng.sys [2008-8-8 81232]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symantec shared\virusdefs\20070820.048\navex15.sys [2008-8-8 865904]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\savroam.exe" --> c:\program files\symantec antivirus\SavRoam.exe [?]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
S4 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S4 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\rtvscan.exe" --> c:\program files\symantec antivirus\Rtvscan.exe [?]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
regfile=regedit.exe "%1" %*
scrfile="%1" %*
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-09-24 09:15 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4f8.dat
2009-09-23 15:19 2,476 a------- c:\winnt\system32\%LocalXml%
2009-09-23 15:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_438.dat
2009-09-23 09:46 16,384 a------t c:\winnt\system32\Perflib_Perfdata_434.dat
2009-09-23 08:10 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4dc.dat
2009-09-23 07:59 16,384 a------t c:\winnt\system32\Perflib_Perfdata_544.dat
2009-09-23 07:55 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-23 07:40 16,384 a------t c:\winnt\system32\Perflib_Perfdata_518.dat
2009-09-22 22:53 16,384 a------t c:\winnt\system32\Perflib_Perfdata_700.dat
2009-09-22 21:55 16,384 a------t c:\winnt\system32\Perflib_Perfdata_538.dat
2009-09-22 21:30 0 a--sh--- c:\winnt\klif.spi
2009-09-22 21:28 16,384 a------t c:\winnt\system32\Perflib_Perfdata_558.dat
2009-09-18 18:31 <DIR> --d----- C:\usr
2009-09-18 17:52 16,384 a------t c:\winnt\system32\Perflib_Perfdata_588.dat
2009-09-18 16:53 16,384 a------t c:\winnt\system32\Perflib_Perfdata_508.dat
2009-09-18 07:24 16,384 a------t c:\winnt\system32\Perflib_Perfdata_550.dat
2009-09-18 00:04 16,384 a------t c:\winnt\system32\Perflib_Perfdata_59c.dat
2009-09-17 23:53 42,192 ac------ c:\winnt\system32\dllcache\atibt829.sys
2009-09-13 14:14 16,384 a------t c:\winnt\system32\Perflib_Perfdata_484.dat
2009-09-05 23:20 16,384 a------t c:\winnt\system32\Perflib_Perfdata_460.dat
2009-08-25 16:31 16,384 a------t c:\winnt\system32\Perflib_Perfdata_45c.dat
2009-08-25 16:23 16,384 a------t c:\winnt\system32\Perflib_Perfdata_3b8.dat

==================== Find3M ====================

2009-09-22 20:29 33,808 a------- c:\winnt\system32\drivers\klbg.sys
2009-09-22 20:29 107,547 a------- c:\winnt\system32\drivers\klin.dat
2009-09-22 20:29 95,259 a------- c:\winnt\system32\drivers\klick.dat
2009-08-15 11:59 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5c8.dat
2009-08-02 14:15 16,384 a------t c:\winnt\system32\Perflib_Perfdata_468.dat
2009-08-01 07:01 16,384 a------t c:\winnt\system32\Perflib_Perfdata_478.dat
2009-07-19 12:51 16,384 a------t c:\winnt\system32\Perflib_Perfdata_528.dat
2009-07-16 18:55 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5c4.dat
2009-07-06 15:37 16,384 a------t c:\winnt\system32\Perflib_Perfdata_464.dat
2009-07-03 22:20 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5c0.dat
2009-06-30 20:45 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5dc.dat
2009-06-30 19:11 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5b0.dat
2009-06-29 20:45 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4ec.dat
2009-05-29 00:03 208,896 a------- c:\documents and settings\onyx\Norton2008-360-keygen.exe
2009-05-11 22:01 9,673,395 a------- c:\documents and settings\onyx\ATT_SST_Installer.exe
2008-09-24 21:59 53,926 a------- c:\program files\INSTALL.LOG
2007-11-22 12:31 21,952 ----h--- c:\program files\folder.htt
2007-11-22 12:31 271 ----h--- c:\program files\desktop.ini
2006-07-22 23:26 774,144 a------- c:\program files\RngInterstitial.dll
1999-12-07 06:00 32,528 a------- c:\winnt\inf\wbfirdma.sys
1998-12-08 20:53 186,368 a------- c:\program files\common files\IRAREG.DLL
1998-12-08 20:53 99,840 a------- c:\program files\common files\IRAABOUT.DLL
1998-12-08 20:53 70,144 a------- c:\program files\common files\IRAMDMTR.DLL
1998-12-08 20:53 48,640 a------- c:\program files\common files\IRALPTTR.DLL
1998-12-08 20:53 31,744 a------- c:\program files\common files\IRAWEBTR.DLL
1998-12-08 20:53 17,920 a------- c:\program files\common files\IRASRIAL.DLL
2003-06-19 13:05 65,536 ---shr-- c:\winnt\system32\ftdutil.exe
2003-06-19 13:05 65,536 ---shr-- c:\winnt\system32\ntvxdc.exe

============= FINISH: 9:16:36.43 ===============

DDS.Attach.txt ****************************************************************************************
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows 2000 Professional
Boot Device: \Device\Harddisk0\Partition1
Install Date:
System Uptime: 9/24/2009 3:09:19 AM (6 hours ago)

Motherboard: Dell Computer Corporation | | OptiPlex GX150
Processor: Intel Pentium III processor | Microprocessor | 996/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 34.237 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


µTorrent
A-PDF Merger 2.3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.3
AnswerWorks 5.0 English Runtime
Ashampoo WinOptimizer 6.01
ATT-PRT22
Belarc Advisor 7.2
Bullzip PDF Printer 4.0.0.463
CCleaner (remove only)
ConTEXT
CP_AtenaShokunin1Config
CP_CalendarTemplates1
CP_Package_Basic1
CP_Panorama1Config
CueTour
DeviceFunctionQFolder
Diner Dash 2
DocumentViewer
DocumentViewerQFolder
Easy File Sharing Web Server 4.2
EVEREST Home Edition v2.20
ExactFile 1.0.0.15
FloorPlan 3D v11
Free Pascal 2.0.4
FullDPAppQFolder
Google Earth
HijackThis 2.0.2
HP Document Viewer 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP Product Assistant
HP PSC & OfficeJet 5.3.B
InstantShareDevices
iPod Access for Windows v4.2.2
JetBrains Omea
Kaspersky Internet Security 2009
Malwarebytes' Anti-Malware
Malwarebytes' RogueRemover
Micro Logic Info Select 2007
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Visual C++ 2005 Redistributable
Money Manager Ex 0.9.4.2
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.5.3)
Mozilla Thunderbird (2.0.0.17)
NX Client for Windows 3.2.0-13
PanoStandAlone
PhotoGallery
ProductContext
Quicken 2009
RandMap
ResumeMaker Professional
Scan
SkinsHP1
SmartDraw 2009
Software Virtualization Agent
Sonic_PrimoSDK
Spybot - Search & Destroy
TeXnicCenter Version 1 Beta 7.01 (Greengrass)
TI-SmartView™ - Trial
Tina 8 - Industrial
TurboFLOORPLAN Home & Landscape Pro
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wlaiper
TurboTax 2008 wrapper
UltraEdit 14.20
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VMware Player
WinEdt
WinSCP 4.1.7

==== End Of File ===========================


gmer.txt ****************************************************************************************
GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-24 09:50:57
Windows 5.0.2195 Service Pack 4
Running: uu4ef8i2.exe; Driver: C:\DOCUME~1\onyx\LOCALS~1\Temp\uxliiuod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xF45AEB96]
SSDT \??\C:\WINNT\system32\drivers\fslx.sys (FSL System Driver/Altiris, Inc.) ZwClose [0xF42CC9A0]
SSDT 81E58448 ZwConnectPort
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwCreateFile [0xF45B0538]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xF45B24E6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwCreateThread [0xF45AEF3E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xF45B0844]
SSDT \??\C:\WINNT\system32\drivers\fslx.sys (FSL System Driver/Altiris, Inc.) ZwDuplicateObject [0xF42CD8B8]
SSDT \??\C:\WINNT\system32\drivers\fslx.sys (FSL System Driver/Altiris, Inc.) ZwFlushKey [0xF42CCA3A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwFsControlFile [0xF45B06FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwLoadDriver [0xF45B1FAA]
SSDT \??\C:\WINNT\system32\drivers\fslx.sys (FSL System Driver/Altiris, Inc.) ZwLoadKey [0xF42CD74A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwOpenFile [0xF45B0394]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwOpenProcess [0xF45AED64]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwOpenSection [0xF45B2510]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwOpenThread [0xF45AECBA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xF45AE838]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwReplaceKey [0xF45ADF8E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xF45B140C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwRestoreKey [0xF45AE0F0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwSaveKey [0xF45ADD8C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwSecureConnectPort [0xF45B0A24]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwSetSecurityObject [0xF45B20A4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwSetSystemInformation [0xF45B253A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwSystemDebugControl [0xF45B1ED6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwTerminateProcess [0xF45AEE0E]
SSDT \??\C:\WINNT\system32\drivers\fslx.sys (FSL System Driver/Altiris, Inc.) ZwUnloadKey [0xF42CD7CA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xF45AEE80]
SSDT \WINNT\System32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x8040009B]
SSDT \WINNT\System32\ntoskrnl.exe[unknown section] [8040009B] ZwCreateKey [0x8040009B]
SSDT \WINNT\System32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteKey [0x804000A5]
SSDT \WINNT\System32\ntoskrnl.exe[unknown section] [804000A5] ZwDeleteKey [0x804000A5]
SSDT \WINNT\System32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteValueKey [0x80400096]
SSDT \WINNT\System32\ntoskrnl.exe[unknown section] [80400096] ZwDeleteValueKey [0x80400096]
SSDT \WINNT\System32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateKey [0x804000AA]
SSDT \WINNT\System32\ntoskrnl.exe[unknown section] [804000AA] ZwEnumerateKey [0x804000AA]
SSDT \WINNT\System32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateValueKey [0x804000AF]
SSDT \WINNT\System32\ntoskrnl.exe[unknown section] [804000AF] ZwEnumerateValueKey [0x804000AF]
SSDT \WINNT\System32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x804000BE]
SSDT \WINNT\System32\ntoskrnl.exe[unknown section] [804000BE] ZwOpenKey [0x804000BE]
SSDT \WINNT\System32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwQueryKey [0x804000B9]
SSDT \WINNT\System32\ntoskrnl.exe[unknown section] [804000B9] ZwQueryKey [0x804000B9]
SSDT \WINNT\System32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwQueryValueKey [0x804000B4]
SSDT \WINNT\System32\ntoskrnl.exe[unknown section] [804000B4] ZwQueryValueKey [0x804000B4]
SSDT \WINNT\System32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwSetValueKey [0x804000A0]
SSDT \WINNT\System32\ntoskrnl.exe[unknown section] [804000A0] ZwSetValueKey [0x804000A0]

INT 0x03 \WINNT\System32\ntoskrnl.exe[unknown section] 804000C3

Code 81E81A4E ZwFlushInstructionCache

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs stcp2v30.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 stcp2v30.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbhub \Device\00000018 hcmon.sys (VMware USB monitor/VMware, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat stcp2v30.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [8:136] 81E24000
Thread System [8:140] 81E24000
Thread System [8:144] 81DF1620
Thread System [8:148] 81DF1620
Thread System [8:156] 81DF3610
Thread System [8:160] 81DF3610
Thread System [8:164] 81DF1620
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACyajfpiovkq.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [432] 0x009E0000
Library \\?\globalroot\systemroot\system32\UACkjpgaduoro.dll (*** hidden *** ) @ C:\WINNT\system32\svchost.exe [484] 0x00F50000
Library \\?\globalroot\systemroot\system32\UACbcjdoediqu.dll (*** hidden *** ) @ C:\WINNT\system32\svchost.exe [484] 0x01110000
Library \\?\globalroot\systemroot\system32\UACkjpgaduoro.dll (*** hidden *** ) @ C:\WINNT\System32\svchost.exe [576] 0x10000000
Library \\?\globalroot\systemroot\system32\UACkjpgaduoro.dll (*** hidden *** ) @ C:\WINNT\system32\svchost.exe [1292] 0x10000000
Library \\?\globalroot\systemroot\system32\UACkjpgaduoro.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1508] 0x013F0000
Library \\?\globalroot\systemroot\system32\UACyajfpiovkq.dll (*** hidden *** ) @ C:\WINNT\Explorer.EXE [1532] 0x00920000

---- Services - GMER 1.0.15 ----

Service system32\drivers\gxvxcbqlrmltqsiramtksldkrvitudpqcyxwb.sys (*** hidden *** ) [SYSTEM] gxvxcserv.sys <-- ROOTKIT !!!
Service C:\WINNT\system32\drivers\UACcjcfpxxthl.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcbqlrmltqsiramtksldkrvitudpqcyxwb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACcjcfpxxthl.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACcjcfpxxthl.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACiadxlqhrtm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACkjpgaduoro.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACtqxcvpqxpf.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACbcjdoediqu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACyajfpiovkq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcbqlrmltqsiramtksldkrvitudpqcyxwb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACcjcfpxxthl.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACcjcfpxxthl.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACiadxlqhrtm.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACkjpgaduoro.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACtqxcvpqxpf.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACbcjdoediqu.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACyajfpiovkq.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040110900063D11C8EF10054038389C\Usage@HandWritingFiles 993529658

---- EOF - GMER 1.0.15 ----

#6 CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 24 September 2009 - 09:23 AM

Download Combofix from either of the links below. You must rename it to Combome.exe before saving it.
Save it to your desktop.

**Note: In the event you already have Combofix, delete it; this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

Link 1
Link 2

--------------------------------------------------------------------

Double click on the renamed ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#7 fmedwards3

    Authentic Member

  • Authentic Member
  • 59 posts

Posted 24 September 2009 - 10:46 AM

I have been doing what you ask in the order written, so I did not see your notes about disabling antivirus and allowing Recovery Console installation (though it did not ask about this) until after I ran ComboFix. I can do it again if you want me to.


combofix.txt log output *****************************

ComboFix 09-09-23.02 - onyx 09/24/2009 10:50.1.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.510.251 [GMT -6:00]
Running from: c:\documents and settings\onyx\Desktop\software2\Combome.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\program files\Common Files\SERVICES\S-1-5-21-1303342014-1704936951-537590071-0504
c:\program files\Common Files\SERVICES\S-1-5-21-1303342014-1704936951-537590071-0504\desktop.ini
c:\program files\Common Files\SERVICES\S-1-5-21-1303342014-1704936951-537590071-0504\mswinsck.ocx
c:\program files\Common Files\SERVICES\S-1-5-21-1303342014-1704936951-537590071-0504\system.ico
c:\program files\INSTALL.LOG
c:\recycler\S-1-5-21-6058514035-3792471798-744722088-5104
c:\winnt\system32\drivers\gxvxcbqlrmltqsiramtksldkrvitudpqcyxwb.sys
c:\winnt\system32\drivers\UACcjcfpxxthl.sys
c:\winnt\system32\gxvxccounter
c:\winnt\system32\gxvxcopwpybwudpssowqxjjwcpypnuirfnjrw.dll
c:\winnt\system32\msconfig.exe
c:\winnt\system32\tmp.reg
c:\winnt\system32\UACbcjdoediqu.dll
c:\winnt\system32\UACiadxlqhrtm.dll
c:\winnt\system32\uacinit.dll
c:\winnt\system32\UACkjpgaduoro.dll
c:\winnt\system32\UACtqxcvpqxpf.dat
c:\winnt\system32\UACyajfpiovkq.dll
c:\winnt\system32\x13
c:\winnt\system32\Z55
c:\winnt\Web\default.htt

c:\winnt\system32\comres.dll . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gxvxcserv.sys
-------\Legacy_gxvxcserv.sys
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_TNIDRIVER


((((((((((((((((((((((((( Files Created from 2009-08-24 to 2009-09-24 )))))))))))))))))))))))))))))))
.

2009-09-23 13:55 . 2009-09-23 14:32 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-19 00:31 . 2009-09-19 00:36 -------- d-----w- C:\usr
2009-09-18 05:53 . 1999-10-21 21:09 42192 -c--a-w- c:\winnt\system32\dllcache\atibt829.sys
2009-08-25 22:31 . 2009-08-25 22:31 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_45c.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-24 17:24 . 2008-07-27 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-09-24 17:20 . 2008-03-17 04:20 -------- d-----w- c:\documents and settings\Default User\Application Data\VMware
2009-09-24 17:20 . 2008-03-17 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-09-24 16:14 . 2006-09-18 05:31 -------- d-----w- c:\documents and settings\onyx\Application Data\Download Manager
2009-09-23 15:29 . 2009-07-28 03:41 -------- d-----w- c:\program files\ResumeMaker
2009-09-23 14:34 . 2005-05-30 19:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-23 14:34 . 2005-05-30 19:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-23 02:29 . 2008-01-30 00:29 33808 ----a-w- c:\winnt\system32\drivers\klbg.sys
2009-09-23 02:29 . 2009-05-12 16:41 95259 ----a-w- c:\winnt\system32\drivers\klick.dat
2009-09-23 02:29 . 2009-05-12 16:41 107547 ----a-w- c:\winnt\system32\drivers\klin.dat
2009-09-18 05:27 . 2006-09-30 23:32 -------- d-----w- c:\documents and settings\onyx\Application Data\uTorrent
2009-09-07 20:06 . 2006-08-16 02:09 -------- d-----w- c:\documents and settings\onyx\Application Data\U3
2009-08-26 14:31 . 2008-02-28 04:28 -------- d-----w- c:\documents and settings\onyx\Application Data\SiteAdvisor
2009-07-28 04:10 . 2009-07-28 03:43 -------- d-----w- c:\documents and settings\onyx\Application Data\Individual Software
2009-07-28 03:43 . 2006-01-08 21:31 143120 ----a-w- c:\documents and settings\onyx\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-28 03:41 . 2009-07-28 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Individual Software
2007-11-22 18:31 . 2005-04-16 23:40 21952 ---h--w- c:\program files\folder.htt
2006-07-23 05:26 . 2006-07-23 05:26 774144 ----a-w- c:\program files\RngInterstitial.dll
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-13 282624]
"IgfxTray"="c:\winnt\system32\igfxtray.exe" [2002-07-17 143360]
"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2002-07-17 90112]
"PDF Converter Registry Controller"="c:\program files\ScanSoft\PDF Converter\RegistryController.exe" [2003-09-09 102400]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-09-23 201992]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-19 111376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Explorer Options2"="w" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\System Mechanic Professional 6\\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^onyx^Start Menu^Programs^Startup^Bandwidth Meter.lnk]
path=c:\documents and settings\onyx\Start Menu\Programs\Startup\Bandwidth Meter.lnk
backup=c:\winnt\pss\Bandwidth Meter.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LIVESRV"=2 (0x2)
"XCOMM"=2 (0x2)
"VSSERV"=2 (0x2)
"scan"=3 (0x3)
"vmount2"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"IntuitUpdateService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\winnt\system32\drivers\klbg.sys [1/29/2008 6:29 PM 33808]
R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [5/11/2009 11:53 PM 64160]
R0 stcp2v30;stcp2v30 Driver;c:\winnt\system32\drivers\stcp2v30.sys [12/1/2008 11:50 AM 64960]
R1 FSLX;FSLX;c:\winnt\system32\drivers\fslx.sys [7/21/2008 10:31 AM 192256]
R2 hasplms;HASP License Manager;c:\winnt\system32\hasplms.exe -run --> c:\winnt\system32\hasplms.exe -run [?]
R2 NFService;Fastream IQ Web/FTP Server;c:\progra~1\Fastream IQ Web FTP Server Engine\IQWebFTPServerEngine.exe [10/4/2008 2:25 PM 3220992]
R2 vmci;VMware vmci;c:\winnt\system32\drivers\vmci.sys [3/26/2009 10:58 PM 54960]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [4/16/2005 12:26 PM 61712]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\winnt\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 23312]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\winnt\system32\drivers\klim5.sys [3/25/2008 8:07 PM 24592]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 ebouucg;ebouucg;c:\winnt\system32\drivers\ojlayp.sys --> c:\winnt\system32\drivers\ojlayp.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [12/27/2008 5:42 PM 410976]
S3 DigimHID;DigimHID;c:\winnt\system32\drivers\DigimHID.SYS [8/18/2008 10:28 PM 5248]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" --> c:\program files\Symantec AntiVirus\SavRoam.exe [?]
S4 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]

NETSVCS REQUIRES REPAIRS - current entries shown
EventSystem

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\winnt\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SmartDraw 2009\Messages\SDNotify.exe [2008-11-25 13:29]

2009-09-24 c:\winnt\Tasks\twinsplay.job
- c:\program files\twinsplay\twinsplay.exe [2009-06-14 15:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.selu.edu/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open PDF in Word - c:\program files\ScanSoft\PDF Converter\IEShellExt.dll /100
LSP: %SystemRoot%\system32\msafd.dll
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} - hxxp://tcapps.selu.edu/timecentre/Common/iemenu.cab
DPF: {E9C9692E-F93C-11D1-ABB0-0040054FC6FB} - hxxp://tcapps.selu.edu/timecentre/Common/pvdt80.cab
FF - ProfilePath - c:\documents and settings\onyx\Application Data\Mozilla\Firefox\Profiles\5alwvt2f.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.selu.edu/|http://www.selu.edu/
FF - component: c:\program files\SiteAdvisor\6261\FF\components\FFHook.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-{9281A4FC-C581-3449-5FA6-456C6F7B9079} - c:\documents and settings\onyx\Application Data:winsock32.exe
AddRemove-Mozilla Thunderbird (2.0.0.17) - f:\system\Apps\FEFECB84-0E05-42d8-B044-F2D0FCFF8C15\Exec\thunderbird\uninstall\helper.exe
AddRemove-Omea - f:\omea\Uninstall.exe
AddRemove-uTorrent - c:\documents and settings\onyx\Desktop\software\uTorrent.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-24 11:23
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(264)
c:\winnt\system32\klogon.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1492)
c:\winnt\AppPatch\AcLayers.DLL
c:\winnt\system32\SHDOCVW.DLL
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
Completion time: 2009-09-24 11:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-24 17:32

Pre-Run: 38,894,157,824 bytes free
Post-Run: 40,707,850,240 bytes free

228

#8 CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 24 September 2009 - 11:12 AM

Hi,

Please do the following:


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


    Collect::
    c:\winnt\system32\drivers\ojlayp.sys

    Driver::
    ebouucg

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


NEXT

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :reg
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost /s 
    
    :filefind
    *comres*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#9 fmedwards3

    Authentic Member

  • 59 posts

Posted 24 September 2009 - 01:31 PM

ComboFixLog2.txt
*****************************************************
ComboFix 09-09-23.02 - onyx 09/24/2009 13:32.2.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.510.306 [GMT -6:00]
Running from: c:\documents and settings\onyx\Desktop\software2\Combome.exe
Command switches used :: c:\documents and settings\onyx\Desktop\software2\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\comres.dll . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EBOUUCG
-------\Service_ebouucg


((((((((((((((((((((((((( Files Created from 2009-08-24 to 2009-09-24 )))))))))))))))))))))))))))))))
.

2009-09-24 19:53 . 2009-09-24 19:53 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_450.dat
2009-09-23 13:55 . 2009-09-23 14:32 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-19 00:31 . 2009-09-19 00:36 -------- d-----w- C:\usr
2009-09-18 05:53 . 1999-10-21 21:09 42192 -c--a-w- c:\winnt\system32\dllcache\atibt829.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-24 19:57 . 2008-07-27 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-09-24 19:53 . 2008-03-17 04:20 -------- d-----w- c:\documents and settings\Default User\Application Data\VMware
2009-09-24 19:53 . 2008-03-17 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-09-24 19:25 . 2005-05-30 19:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-24 16:14 . 2006-09-18 05:31 -------- d-----w- c:\documents and settings\onyx\Application Data\Download Manager
2009-09-23 15:29 . 2009-07-28 03:41 -------- d-----w- c:\program files\ResumeMaker
2009-09-23 14:34 . 2005-05-30 19:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-23 02:29 . 2008-01-30 00:29 33808 ----a-w- c:\winnt\system32\drivers\klbg.sys
2009-09-23 02:29 . 2009-05-12 16:41 95259 ----a-w- c:\winnt\system32\drivers\klick.dat
2009-09-23 02:29 . 2009-05-12 16:41 107547 ----a-w- c:\winnt\system32\drivers\klin.dat
2009-09-18 05:27 . 2006-09-30 23:32 -------- d-----w- c:\documents and settings\onyx\Application Data\uTorrent
2009-09-07 20:06 . 2006-08-16 02:09 -------- d-----w- c:\documents and settings\onyx\Application Data\U3
2009-08-26 14:31 . 2008-02-28 04:28 -------- d-----w- c:\documents and settings\onyx\Application Data\SiteAdvisor
2009-07-28 04:10 . 2009-07-28 03:43 -------- d-----w- c:\documents and settings\onyx\Application Data\Individual Software
2009-07-28 03:43 . 2006-01-08 21:31 143120 ----a-w- c:\documents and settings\onyx\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-28 03:41 . 2009-07-28 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Individual Software
2007-11-22 18:31 . 2005-04-16 23:40 21952 ---h--w- c:\program files\folder.htt
2006-07-23 05:26 . 2006-07-23 05:26 774144 ----a-w- c:\program files\RngInterstitial.dll
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((( SnapShot@2009-09-24_17.24.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-24 19:53 . 2009-09-24 19:54 32768 c:\winnt\temp\Temporary Internet Files\Content.IE5\index.dat
- 2009-09-23 03:27 . 2009-09-24 17:20 32768 c:\winnt\temp\Temporary Internet Files\Content.IE5\index.dat
- 2009-09-23 03:27 . 2009-09-24 17:20 16384 c:\winnt\temp\History\History.IE5\index.dat
+ 2009-09-24 19:53 . 2009-09-24 19:54 16384 c:\winnt\temp\History\History.IE5\index.dat
+ 2009-09-24 19:53 . 2009-09-24 19:54 16384 c:\winnt\temp\Cookies\index.dat
- 2009-09-23 03:27 . 2009-09-24 17:20 16384 c:\winnt\temp\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-13 282624]
"IgfxTray"="c:\winnt\system32\igfxtray.exe" [2002-07-17 143360]
"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2002-07-17 90112]
"PDF Converter Registry Controller"="c:\program files\ScanSoft\PDF Converter\RegistryController.exe" [2003-09-09 102400]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-09-23 201992]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-19 111376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Explorer Options2"="w" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\System Mechanic Professional 6\\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^onyx^Start Menu^Programs^Startup^Bandwidth Meter.lnk]
path=c:\documents and settings\onyx\Start Menu\Programs\Startup\Bandwidth Meter.lnk
backup=c:\winnt\pss\Bandwidth Meter.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LIVESRV"=2 (0x2)
"XCOMM"=2 (0x2)
"VSSERV"=2 (0x2)
"scan"=3 (0x3)
"vmount2"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"IntuitUpdateService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\winnt\system32\drivers\klbg.sys [1/29/2008 6:29 PM 33808]
R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [5/11/2009 11:53 PM 64160]
R0 stcp2v30;stcp2v30 Driver;c:\winnt\system32\drivers\stcp2v30.sys [12/1/2008 11:50 AM 64960]
R1 FSLX;FSLX;c:\winnt\system32\drivers\fslx.sys [7/21/2008 10:31 AM 192256]
R2 hasplms;HASP License Manager;c:\winnt\system32\hasplms.exe -run --> c:\winnt\system32\hasplms.exe -run [?]
R2 NFService;Fastream IQ Web/FTP Server;c:\progra~1\Fastream IQ Web FTP Server Engine\IQWebFTPServerEngine.exe [10/4/2008 2:25 PM 3220992]
R2 vmci;VMware vmci;c:\winnt\system32\drivers\vmci.sys [3/26/2009 10:58 PM 54960]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [4/16/2005 12:26 PM 61712]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\winnt\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 23312]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\winnt\system32\drivers\klim5.sys [3/25/2008 8:07 PM 24592]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [12/27/2008 5:42 PM 410976]
S3 DigimHID;DigimHID;c:\winnt\system32\drivers\DigimHID.SYS [8/18/2008 10:28 PM 5248]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" --> c:\program files\Symantec AntiVirus\SavRoam.exe [?]
S4 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]

NETSVCS REQUIRES REPAIRS - current entries shown
EventSystem

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\winnt\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SmartDraw 2009\Messages\SDNotify.exe [2008-11-25 13:29]

2009-09-24 c:\winnt\Tasks\twinsplay.job
- c:\program files\twinsplay\twinsplay.exe [2009-06-14 15:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.selu.edu/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open PDF in Word - c:\program files\ScanSoft\PDF Converter\IEShellExt.dll /100
LSP: %SystemRoot%\system32\msafd.dll
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} - hxxp://tcapps.selu.edu/timecentre/Common/iemenu.cab
DPF: {E9C9692E-F93C-11D1-ABB0-0040054FC6FB} - hxxp://tcapps.selu.edu/timecentre/Common/pvdt80.cab
FF - ProfilePath - c:\documents and settings\onyx\Application Data\Mozilla\Firefox\Profiles\5alwvt2f.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.selu.edu/|http://www.selu.edu/
FF - component: c:\program files\SiteAdvisor\6261\FF\components\FFHook.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-24 13:56
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(264)
c:\winnt\system32\klogon.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1192)
c:\winnt\AppPatch\AcLayers.DLL
c:\winnt\system32\SHDOCVW.DLL
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
Completion time: 2009-09-24 14:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-24 20:13
ComboFix2.txt 2009-09-24 17:33

Pre-Run: 40,720,199,680 bytes free
Post-Run: 40,641,298,432 bytes free

202




SystemLook.txt
*******************************************
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 14:19 on 24/09/2009 by onyx (Administrator - Elevation successful)

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"BITSgroup"="BITS"
"netsvcs"="EventSystem"
"rpcss"="RpcSs"
"wugroup"="wuauserv"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\BITSGroup]
"DefaultRpcStackSize"= 0x0000000008 (8)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]
"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\wugroup]
"CoInitializeSecurityParam"= 0x0000000001 (1)


========== filefind ==========

Searching for "*comres*"
C:\Deckard\System Scanner\20080728214648\backup\DOCUME~1\onyx\LOCALS~1\Temp\N360.2.0.0.242\Support\LUpdate\WLUEX\0901\LUCOMRES.loc --a--- 50552 bytes [17:13 27/07/2008] [22:02 21/02/2008] 29F96F3EC0F5F2A6EA4023DF42726E89
C:\Documents and Settings\onyx\Application Data\Symantec\Layouts\Norton 360\2.0\English\0E743DD31FF89B86DBEBF1C48C5BAFF874A5B132\20080103\Support\LUpdate\WLUEX\0901\LUCOMRES.loc --a--- 50552 bytes [17:17 27/07/2008] [22:02 21/02/2008] 29F96F3EC0F5F2A6EA4023DF42726E89

-=End Of File=-

#10 CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 24 September 2009 - 02:22 PM

Hi,

Please do the following:

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:


    c:\winnt\system32\comres.dll

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.



#11 fmedwards3

    Authentic Member

  • 59 posts

Posted 24 September 2009 - 03:16 PM

I got a message that the server was down until 9/25/2009. I'll try again tomorrow morning and post the results. Thanks again for your help.

#12 CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 24 September 2009 - 04:23 PM

Thanks for letting me know.

You can use this scanner instead:



submit a file to virustotal for analysis
  • Use the browse button on that page to navigate to the location of the file to be scanned.
  • In the right hand panel,
  • click on the file c:\winnt\system32\comres.dll
  • then click the open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "send file", wait for the results

Make sure you have copied and saved the results before continuing.



I also have a regfix for your Netsvc that needs repair.

I have uploaded the file...please download to your desktop and extract the file. Double click the icon and ALLOW the file to merge into your registry:


[attachment=5591:W2KSP4_netsvcs.zip]



#13 fmedwards3

    Authentic Member

  • 59 posts

Posted 24 September 2009 - 07:07 PM

I did not locate the file comres.dll in the directory c:\winnt\system32\ , and a windows search of the hard drive did not find it anywhere else, either. I unzipped and merged W2KSP4_netsvcs.zip as specified.

#14 CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 24 September 2009 - 07:09 PM

OK, that's fine. Please show your hidden files and folders, look one more time, and make sure it's not out of view.
  • Double-click My Computer.
  • Click the Tools menu, and then click Folder Options.
  • Click the View tab.
  • Clear "Hide file extensions for known file types."
  • Under the "Hidden files" folder, select "Show hidden files and folders."
  • Clear "Hide protected operating system files."
  • Click Apply, and then click OK.

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

    Posted Image
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


In your next reply please include
  • MBAM Log
  • Kaspersky report



#15 fmedwards3

    Authentic Member

  • 59 posts

Posted 25 September 2009 - 11:03 AM

The MBAM log follows:
************************************************
Malwarebytes' Anti-Malware 1.41
Database version: 2859
Windows 5.0.2195 Service Pack 4

9/25/2009 11:26:18 AM
mbam-log-2009-09-25 (11-26-18).txt

Scan type: Quick Scan
Objects scanned: 142287
Time elapsed: 22 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Kaspersky online scanner
*******************************************
I could not get Kaspersky online scanner to run. I got a message that the online scanner would not run if Kaspersky Internet Security was installed (it is) on my computer. I disabled my Kaspersky, but apparently simply being installed is enough to prevent the online scanner from running. I did run a quick scan using my Kaspersky (current update), and nothing was found. I could not find a log file to send to you.
