
[Resolved] Using 85.255.113.146 For DNS Resolution


This topic is locked
13 replies to this topic

#1 JeffreyB
    New Member (Authentic Member, 16 posts)

Posted 06 January 2009 - 07:43 PM

Caught this problem today (it just showed up). I seem to keep using 85.255.113.146 for DNS resolution.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:19 PM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sportsline.com/mlb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\dropbox.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1122857477765
O17 - HKLM\System\CCS\Services\Tcpip\..\{775968D3-1770-4F5D-8D1A-93BDB01F0A9E}: NameServer = 4.2.2.1,4.2.2.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LeapFrog Connect Device Service - Unknown owner - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7808 bytes



#2 RatHat
    Retired Staff-Malware Expert (Authentic Member, 816 posts)

Posted 07 January 2009 - 02:40 AM

Hi there,

Welcome to WTT.

This sounds like a case of a Zlob/DNSChanger that changes the router's DNS settings. Make sure you read the remainder of this post completely, then carry on with the instructions below.

Please download Malwarebytes' Anti-Malware from Here or Here

Next, disconnect your system from the internet, and your router, then:

  • Double-click mbam-setup.exe to install the application.
  • Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don't know the router's default password, you can look it up HERE.

However, if there are other Zlob-infected machines using the same router, they will need to be cleared with the above steps before resetting the router. Otherwise, the malware will simply go back and change the router's DNS settings. Make sure you run MBAM on every computer connected to your router by hardwire (LAN) or Wireless! You also need to reconfigure any security settings you had in place prior to the reset. Check out this site here for video tutorials on how to properly configure your router's encryption and security settings. You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

Once you have run Malwarebytes' Anti-Malware on the infected system, and reset the router to its default configuration you can reconnect to the internet, and router. Then return to this site to post your logs.

Regards,
RatHat

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to join the fight against Malware? Click here to find out how.

Please do not PM me asking for support. Post on the forums instead :)
Please post the final results, good or bad. We like to know!


If you feel I have helped you and would like to make a small donation, please click here
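The check this thread turns on, as an added example that is not part of the original posts and not HijackThis code: a small Python parser for the O17 NameServer lines of a HijackThis log. It compares each resolver configured on an interface against the resolvers the ISP actually assigned (here 4.2.2.1 and 4.2.2.2, taken from the log above) and against 85.255.112.0/20, the resolver range the FBI published for the DNSChanger (Operation Ghost Click) takedown, which contains the 85.255.113.146 address JeffreyB reported. The sample log lines, the {CONSTRUCTED-GUID-...} interface keys and the expected-resolver set are constructed for the example. A private-range resolver is reported as "local" rather than flagged, because it normally means the router is forwarding DNS, which is exactly why RatHat asks for the router itself to be checked.

```python
import ipaddress
import re

# HijackThis "O17" lines record the per-interface NameServer value read from
# HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}.
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+?)\s*$")

# Resolver range of the DNSChanger operation (85.255.112.0 - 85.255.127.255),
# as published in the FBI's Operation Ghost Click material.
KNOWN_ROGUE_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

# Constructed sample: lines modelled on the log in post #1, plus two constructed
# interface GUIDs, one carrying the rogue resolver and one pointing at the LAN router.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{775968D3-1770-4F5D-8D1A-93BDB01F0A9E}: NameServer = 4.2.2.1,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-GUID-1}: NameServer = 85.255.113.146,4.2.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-GUID-2}: NameServer = 192.168.1.1
"""


def parse_o17(log_text):
    """Return a list of (interface_key, [server, ...]) for every O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            # HijackThis separates multiple resolvers with commas or spaces.
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            entries.append((m.group("key"), servers))
    return entries


def classify_server(server, expected):
    """Label one resolver: expected, local, known-rogue, unexpected or unparseable."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "unparseable"
    if any(ip in net for net in KNOWN_ROGUE_RANGES):
        return "known-rogue"
    if server in expected:
        return "expected"
    if ip.is_private:
        return "local"  # usually the router forwarding DNS; verify the router's own settings
    return "unexpected"


def audit_dns(log_text, expected):
    """Return (interface_key, server, verdict) for every resolver that needs a look."""
    findings = []
    for key, servers in parse_o17(log_text):
        for server in servers:
            verdict = classify_server(server, expected)
            if verdict not in ("expected", "local"):
                findings.append((key, server, verdict))
    return findings


if __name__ == "__main__":
    # Expected resolvers: the ones the ISP assigned, here taken from the O17 line in post #1.
    for key, server, verdict in audit_dns(SAMPLE_LOG, {"4.2.2.1", "4.2.2.2"}):
        print(f"{verdict:12} {server:16} {key}")
```

Feed the real HijackThis log in place of SAMPLE_LOG and the resolver list your ISP actually assigned in place of the set above. An address inside 85.255.112.0/20 is reported as known-rogue regardless of the allowlist; anything else that is neither expected nor private is reported as unexpected for a person to judge.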


#3 JeffreyB
    New Member (Authentic Member, 16 posts)

Posted 07 January 2009 - 05:13 PM

My router was not compromised; my DNS servers are as they should be. The problem is now gone. I have also changed all my passwords via another computer (a Mac).

Malwarebytes' Anti-Malware 1.32
Database version: 1625
Windows 5.1.2600 Service Pack 3

1/7/2009 2:42:03 AM
mbam-log-2009-01-07 (02-42-03).txt

Scan type: Full Scan (C:\|)
Objects scanned: 177340
Time elapsed: 1 hour(s), 48 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 6

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Spyware.Passwords) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\jbisbee\Local Settings\Temp\tmp38.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msqpdxrumqwwyl.dll (Trojan.TDSS) -> Delete on reboot.
C:\autorun.inf (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxpkhasxwp.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Spyware.Passwords) -> Delete on reboot.

Edited by JeffreyB, 07 January 2009 - 05:14 PM.


#4 RatHat
    Retired Staff-Malware Expert (Authentic Member, 816 posts)

Posted 07 January 2009 - 05:34 PM

Your log shows signs of a rootkit infection.

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked. Leave everything checked and ensure the Show all box is unchecked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.



#5 JeffreyB
    New Member (Authentic Member, 16 posts)

Posted 07 January 2009 - 06:10 PM

Looks like it found system32/drivers/msqpdxpkhasxwp.sys...

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-07 19:07:27
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT  spmg.sys  ZwCreateKey [0xB9EAB0E0]
SSDT  spmg.sys  ZwEnumerateKey [0xB9EC8CA2]
SSDT  spmg.sys  ZwEnumerateValueKey [0xB9EC9030]
SSDT  spmg.sys  ZwOpenKey [0xB9EAB0C0]
SSDT  spmg.sys  ZwQueryKey [0xB9EC9108]
SSDT  spmg.sys  ZwQueryValueKey [0xB9EC8F88]
SSDT  spmg.sys  ZwSetValueKey [0xB9EC919A]

INT 0x62  ?  8AF89BF8
INT 0x63  ?  8AF17BF8
INT 0x84  ?  8A4E8BF8
INT 0x94  ?  8A4E8BF8
INT 0xA4  ?  8A4E8BF8
INT 0xB4  ?  8A4E8BF8

---- Kernel code sections - GMER 1.0.14 ----

?      spmg.sys  The system cannot find the file specified. !
.text  USBPORT.SYS!DllUnload  B88B58AC 5 Bytes JMP 8A4E81D8

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT  atapi.sys[HAL.dll!READ_PORT_UCHAR]  [B9EAC040] spmg.sys
IAT  atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]  [B9EAC13C] spmg.sys
IAT  atapi.sys[HAL.dll!READ_PORT_USHORT]  [B9EAC0BE] spmg.sys
IAT  atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]  [B9EAC7FC] spmg.sys
IAT  atapi.sys[HAL.dll!WRITE_PORT_UCHAR]  [B9EAC6D2] spmg.sys

---- User IAT/EAT - GMER 1.0.14 ----

IAT  C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[1604] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]  [003D2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[1604] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]  [003D2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[1604] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]  [003D2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[1604] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]  [003D2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\WINDOWS\Explorer.EXE[3296] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]  [00C52F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\WINDOWS\Explorer.EXE[3296] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]  [00C52CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\WINDOWS\Explorer.EXE[3296] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]  [00C52D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\WINDOWS\Explorer.EXE[3296] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]  [00C52CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Documents and Settings\jbisbee\Desktop\gmer.exe[3404] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]  [00392F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Documents and Settings\jbisbee\Desktop\gmer.exe[3404] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]  [00392CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Documents and Settings\jbisbee\Desktop\gmer.exe[3404] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]  [00392D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Documents and Settings\jbisbee\Desktop\gmer.exe[3404] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]  [00392CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[3620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]  [003E2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[3620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]  [003E2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[3620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]  [003E2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[3620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]  [003E2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Mozilla Firefox\firefox.exe[3676] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]  [00B12F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Mozilla Firefox\firefox.exe[3676] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]  [00B12CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Mozilla Firefox\firefox.exe[3676] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]  [00B12D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Mozilla Firefox\firefox.exe[3676] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]  [00B12CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]  [00392F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]  [00392CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]  [00392D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]  [00392CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Java\jre6\bin\jusched.exe[3840] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]  [00C22F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Java\jre6\bin\jusched.exe[3840] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]  [00C22CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Java\jre6\bin\jusched.exe[3840] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]  [00C22D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Java\jre6\bin\jusched.exe[3840] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]  [00C22CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[3868] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]  [00A92F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[3868] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]  [00A92CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[3868] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]  [00A92D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[3868] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]  [00A92CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\WINDOWS\stsystra.exe[3948] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]  [00A92F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\WINDOWS\stsystra.exe[3948] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]  [00A92CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\WINDOWS\stsystra.exe[3948] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]  [00A92D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\WINDOWS\stsystra.exe[3948] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]  [00A92CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\WINDOWS\system32\ctfmon.exe[4008] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]  [009F2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\WINDOWS\system32\ctfmon.exe[4008] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]  [009F2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\WINDOWS\system32\ctfmon.exe[4008] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]  [009F2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\WINDOWS\system32\ctfmon.exe[4008] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]  [009F2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Windows Media Player\WMPNSCFG.exe[4020] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]  [00A12F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Windows Media Player\WMPNSCFG.exe[4020] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]  [00A12CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Windows Media Player\WMPNSCFG.exe[4020] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]  [00A12D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Windows Media Player\WMPNSCFG.exe[4020] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]  [00A12CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[4032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]  [00AB2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[4032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]  [00AB2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[4032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]  [00AB2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT  C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[4032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]  [00AB2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.14 ----

Device  \FileSystem\Ntfs \Ntfs  8AF161F8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{775968D3-1770-4F5D-8D1A-93BDB01F0A9E}  8A4BC500
Device  \Driver\usbuhci \Device\USBPDO-0  8A4C91F8
Device  \Driver\dmio \Device\DmControl\DmIoDaemon  8AF181F8
Device  \Driver\dmio \Device\DmControl\DmConfig  8AF181F8
Device  \Driver\dmio \Device\DmControl\DmPnP  8AF181F8
Device  \Driver\dmio \Device\DmControl\DmInfo  8AF181F8
Device  \Driver\usbehci \Device\USBPDO-1  8A4FF1F8
Device  \Driver\usbuhci \Device\USBPDO-2  8A4C91F8
Device  \Driver\usbuhci \Device\USBPDO-3  8A4C91F8
Device  \Driver\usbuhci \Device\USBPDO-4  8A4C91F8
Device  \Driver\Ftdisk \Device\HarddiskVolume1  8AF8A1F8
Device  \Driver\Ftdisk \Device\HarddiskVolume2  8AF8A1F8
Device  \Driver\Cdrom \Device\CdRom0  8A5021F8
Device  \Driver\iastor \Device\Ide\iaStor0  8AF171F8
Device  \Driver\iastor \Device\Ide\IAAStorageDevice-0  8AF171F8
Device  \Driver\Cdrom \Device\CdRom1  8A5021F8
Device  \Driver\Ftdisk \Device\HarddiskVolume3  8AF8A1F8
Device  \Driver\NetBT \Device\NetBt_Wins_Export  8A4BC500
Device  \Driver\NetBT \Device\NetbiosSmb  8A4BC500
Device  \Driver\usbuhci \Device\USBFDO-0  8A4C91F8
Device  \Driver\usbuhci \Device\USBFDO-1  8A4C91F8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  8A33D500
Device  \Driver\usbuhci \Device\USBFDO-2  8A4C91F8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  8A33D500
Device  \Driver\usbuhci \Device\USBFDO-3  8A4C91F8
Device		  \Driver\usbehci \Device\USBFDO-4																																																														 8A4FF1F8
Device		  \Driver\Ftdisk \Device\FtControl																																																														 8AF8A1F8
Device		  \FileSystem\Fastfat \Fat																																																																 8A4CA1F8
Device		  \FileSystem\Fastfat \Fat																																																																 A4B75297

AttachedDevice  \FileSystem\Fastfat \Fat																																																																 fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device		  \FileSystem\Cdfs \Cdfs																																																																   89D53500

---- Services - GMER 1.0.14 ----

Service		 system32\drivers\msqpdxpkhasxwp.sys (*** hidden *** )																																																									[SYSTEM] msqpdxserv.sys																						<-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg			 HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@start																																																							  1
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@type																																																							   1
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@imagepath																																																						  \systemroot\system32\drivers\msqpdxpkhasxwp.sys
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@group																																																							  file system
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules																																																							
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxserv																																																				 \\?\globalroot\systemroot\system32\drivers\msqpdxpkhasxwp.sys
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxl																																																					\\?\globalroot\systemroot\system32\msqpdxrumqwwyl.dll
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1																																																									   771343423
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2																																																									   285507792
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0																																																									   1
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04																																																		 
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0																																																	  0
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew																																																   0x24 0x89 0xC8 0x3E ...
Reg			 HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@start																																																								  1
Reg			 HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@type																																																								   1
Reg			 HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@imagepath																																																							  \systemroot\system32\drivers\msqpdxpkhasxwp.sys
Reg			 HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@group																																																								  file system
Reg			 HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules																																																								
Reg			 HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxserv																																																					 \\?\globalroot\systemroot\system32\drivers\msqpdxpkhasxwp.sys
Reg			 HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxl																																																						\\?\globalroot\systemroot\system32\msqpdxrumqwwyl.dll
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04																																																			 
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0																																																		  0
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew																																																	   0x24 0x89 0xC8 0x3E ...
Reg			 HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04																																																			 
Reg			 HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0																																																		  0
Reg			 HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew																																																	   0x24 0x89 0xC8 0x3E ...

---- Files - GMER 1.0.14 ----

File			C:\Documents and Settings\jbisbee\Local Settings\Temp\Temporary Directory 1 for eclipse-SDK-3.2.2-win32.zip\eclipse\plugins\org.eclipse.platform.source_3.2.2.r322_v20070119-RQghndJN8IM0MsK\src\org.eclipse.ui.views.properties.tabbed_3.2.1.M20060830-0800\schema\propertySections.ex  7434 bytes

---- EOF - GMER 1.0.14 ----


#6 RatHat

RatHat

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPip
  • 816 posts

Posted 07 January 2009 - 06:35 PM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. If you are unsure of how to disable these programs, please refer to this page for details.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply along with a fresh GMER log, taken after ComboFix has run.

Note: If you are unsure about anything, a very good ComboFix tutorial can be found here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to join the fight against Malware? Click here to find out how.

Please do not PM me asking for support. Post on the forums instead :)
Please post the final results, good or bad. We like to know!


If you feel I have helped you and would like to make a small donation, please click here


#7 JeffreyB

JeffreyB

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 07 January 2009 - 07:17 PM

ComboFix

ComboFix 09-01-07.01 - jbisbee 2009-01-07 19:43:00.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3070.2392 [GMT -5:00]
Running from: c:\documents and settings\jbisbee\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\jbisbee\Application Data\FunWebProducts
c:\documents and settings\jbisbee\Application Data\FunWebProducts\Data\jbisbee\avatar.dat
c:\documents and settings\jbisbee\Application Data\FunWebProducts\Data\jbisbee\outfit.dat
c:\documents and settings\jbisbee\Application Data\FunWebProducts\Data\jbisbee\register.dat
c:\documents and settings\jbisbee\Application Data\FunWebProducts\Data\jbisbee\zbucks.dat

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


(((((((((((((((((((((((((   Files Created from 2008-12-08 to 2009-01-08  )))))))))))))))))))))))))))))))
.

2009-01-07 18:51 . 2009-01-07 18:52	250	--a------	c:\windows\gmer.ini
2009-01-06 23:25 . 2009-01-06 23:25	<DIR>	d--------	c:\program files\Malwarebytes' Anti-Malware
2009-01-06 23:25 . 2009-01-04 18:38	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 23:25 . 2009-01-04 18:38	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2009-01-06 22:34 . 2009-01-07 06:45	<DIR>	d--h-----	C:\$AVG8.VAULT$
2009-01-06 22:27 . 2009-01-06 22:27	10,520	--a------	c:\windows\system32\avgrsstx.dll
2009-01-06 22:26 . 2009-01-07 18:48	<DIR>	d--------	c:\windows\system32\drivers\Avg
2009-01-06 22:26 . 2009-01-06 22:26	<DIR>	d--------	c:\program files\AVG
2009-01-06 22:26 . 2009-01-06 22:33	<DIR>	d--------	c:\documents and settings\All Users\Application Data\avg8
2009-01-06 22:26 . 2009-01-06 22:26	97,928	--a------	c:\windows\system32\drivers\avgldx86.sys
2009-01-06 20:48 . 2009-01-06 20:48	<DIR>	d--------	c:\program files\ERUNT
2009-01-06 18:57 . 2009-01-06 18:57	<DIR>	d--------	c:\program files\Trend Micro
2009-01-06 00:42 . 2009-01-06 00:42	<DIR>	d--------	c:\documents and settings\All Users\Application Data\PC Drivers Headquarters
2009-01-06 00:18 . 2009-01-06 00:20	2,444	--a------	C:\autorun.PNF
2009-01-05 23:54 . 2009-01-05 23:54	<DIR>	d--------	C:\IBMTOOLS
2009-01-05 23:23 . 2009-01-05 23:23	<DIR>	d--h-----	c:\windows\system32\GroupPolicy
2009-01-05 22:57 . 2009-01-05 22:57	<DIR>	d--------	c:\program files\WinDirStat
2009-01-04 06:38 . 2009-01-04 06:39	<DIR>	d--------	c:\documents and settings\jbisbee\Application Data\Quicken
2009-01-03 23:34 . 2009-01-04 00:10	<DIR>	d--------	c:\documents and settings\jbisbee\Application Data\vlc
2009-01-03 22:22 . 2009-01-03 22:22	<DIR>	d--------	c:\documents and settings\All Users\Application Data\SpinTop Games
2009-01-03 10:41 . 2008-11-11 16:32	3,523,872	--a------	c:\windows\system32\cdintf300.dll
2009-01-03 10:41 . 2008-11-11 16:32	1,848,608	--a------	c:\windows\system32\acXMLParser.dll
2009-01-02 14:52 . 2009-01-02 14:52	98,304	--a------	c:\windows\system32\CmdLineExt.dll
2009-01-02 14:19 . 2009-01-02 14:19	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Hot Lava Games
2009-01-02 06:45 . 2009-01-02 06:46	<DIR>	d--------	c:\documents and settings\jbisbee\Application Data\The Longest Journey Demo
2009-01-01 23:01 . 2009-01-01 23:09	<DIR>	d--------	c:\documents and settings\jbisbee\Application Data\Mount&Blade
2009-01-01 22:26 . 2009-01-06 21:57	79	--a------	c:\windows\popcinfot.dat
2008-12-31 09:16 . 2008-12-31 09:16	<DIR>	d--------	c:\documents and settings\All Users\Application Data\2DBoy
2008-12-31 08:59 . 2009-01-07 19:48	<DIR>	d--------	c:\program files\Steam
2008-12-30 22:17 . 2008-12-30 22:17	<DIR>	d--------	c:\documents and settings\jbisbee\Application Data\ATI
2008-12-30 22:17 . 2008-12-30 22:17	<DIR>	d--------	c:\documents and settings\All Users\Application Data\ATI
2008-12-29 20:32 . 2008-12-29 21:26	<DIR>	d--------	c:\program files\CDisplayEx
2008-12-28 22:21 . 2008-12-28 22:21	<DIR>	d--------	c:\documents and settings\jbisbee\Application Data\Amphetype
2008-12-26 17:31 . 2005-08-18 11:44	49,867	--a------	c:\windows\system32\drivers\mardp2k.sys
2008-12-26 17:31 . 2005-08-18 11:44	49,484	--a------	c:\windows\system32\drivers\MARDPNP.SYS
2008-12-26 17:31 . 2007-02-02 16:57	49,377	--a------	c:\windows\system32\drivers\mamotou.sys
2008-12-26 17:31 . 2007-01-16 11:46	25,302	--a------	c:\windows\system32\drivers\MaVctrl.sys
2008-12-26 17:31 . 2007-01-16 11:44	11,986	--a------	c:\windows\system32\drivers\MaVc2K.sys
2008-12-26 17:30 . 2008-12-26 17:30	<DIR>	d--------	c:\windows\Application Data
2008-12-25 18:36 . 2008-12-25 18:36	<DIR>	d--------	c:\program files\DIFX
2008-12-25 18:36 . 2008-11-25 12:39	18,560	--a------	c:\windows\system32\drivers\FlyUsb.sys
2008-12-25 18:35 . 2008-12-25 18:35	<DIR>	d--------	c:\program files\Common Files\Wise Installation Wizard
2008-12-25 18:35 . 2008-12-25 18:35	110	--a------	c:\windows\{CF055C57-A988-42E6-BDAF-E3D94C6973A8}_WiseFW.ini
2008-12-25 18:34 . 2008-12-25 18:34	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Leapfrog
2008-12-25 18:33 . 2008-12-25 18:35	<DIR>	d--------	c:\program files\LeapFrog
2008-12-22 21:10 . 2008-12-22 21:11	<DIR>	d--------	c:\documents and settings\jbisbee\temp
2008-12-15 08:56 . 2008-12-30 22:54	<DIR>	d--------	c:\program files\AviSynth 2.5
2008-12-12 16:47 . 2008-12-12 16:47	3,751,995	--a------	c:\windows\system32\GPhotos.scr
2008-12-12 14:03 . 2008-12-29 21:16	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-12 07:06 . 2008-12-12 07:06	<DIR>	d--------	c:\program files\Common Files\Adobe AIR
2008-12-12 06:44 . 2008-12-12 06:44	<DIR>	d--------	c:\documents and settings\jbisbee\Application Data\gnupg
2008-12-12 06:44 . 2008-12-12 07:08	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Appupdater
2008-12-12 06:42 . 2008-12-30 22:53	<DIR>	d--------	c:\program files\AppSnap
2008-12-12 06:42 . 2008-12-12 06:42	<DIR>	d--------	c:\documents and settings\All Users\Application Data\AppSnap
2008-12-12 06:40 . 2008-12-12 06:40	<DIR>	d--------	c:\program files\GNU
2008-12-12 06:40 . 2008-12-12 06:40	<DIR>	d--------	c:\documents and settings\LocalService\Application Data\gnupg
2008-12-12 06:40 . 2008-12-30 20:31	<DIR>	d--------	c:\documents and settings\All Users\Appupdater
2008-12-12 06:37 . 2008-12-30 22:54	<DIR>	d--------	c:\program files\Puchisoft
2008-12-12 06:37 . 2008-12-12 06:38	<DIR>	d--------	c:\documents and settings\jbisbee\Application Data\PuchisoftDispatcher

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 00:45	0	----a-w	c:\windows\system32\drivers\lvuvc.hs
2009-01-08 00:45	0	----a-w	c:\windows\system32\drivers\logiflt.iad
2009-01-07 23:51	---------	d-----w	c:\documents and settings\jbisbee\Application Data\uTorrent
2009-01-07 23:40	---------	d-----w	c:\program files\PeerGuardian2
2009-01-07 23:24	---------	d-----w	c:\documents and settings\jbisbee\Application Data\Skype
2009-01-07 22:13	---------	d-----w	c:\documents and settings\jbisbee\Application Data\skypePM
2009-01-07 22:11	---------	d-----w	c:\documents and settings\jbisbee\Application Data\Dropbox
2009-01-07 00:03	---------	d-----w	c:\program files\VMware
2009-01-06 14:10	---------	d-----w	c:\documents and settings\NetworkService\Application Data\VMware
2009-01-06 14:10	---------	d-----w	c:\documents and settings\LocalService\Application Data\VMware
2009-01-06 14:09	---------	d-----w	c:\documents and settings\All Users\Application Data\VMware
2009-01-06 13:46	---------	d-----w	c:\documents and settings\jbisbee\Application Data\.purple
2009-01-06 05:46	---------	d--h--w	c:\program files\InstallShield Installation Information
2009-01-03 15:41	---------	d-----w	c:\program files\Quicken
2008-12-31 04:50	---------	d-----w	c:\program files\SystemRequirementsLab
2008-12-31 04:50	---------	d-----w	c:\documents and settings\jbisbee\Application Data\SystemRequirementsLab
2008-12-31 04:30	---------	d-----w	c:\program files\Intel
2008-12-31 03:55	---------	d-----w	c:\program files\Opera 9.5 beta
2008-12-31 03:55	---------	d-----w	c:\program files\Opera
2008-12-31 03:55	---------	d-----w	c:\documents and settings\jbisbee\Application Data\Move Networks
2008-12-31 03:13	---------	d-----w	c:\program files\ATI Technologies
2008-12-30 14:41	---------	d-----w	c:\program files\Dropbox
2008-12-30 02:16	---------	d-----w	c:\program files\Yahoo!
2008-12-24 15:47	---------	d-----w	c:\program files\Pidgin
2008-12-16 13:58	---------	d-----w	c:\program files\Java
2008-12-15 14:20	---------	d-----w	c:\documents and settings\jbisbee\Application Data\dvdcss
2008-12-12 12:04	---------	d-----w	c:\program files\Common Files\Adobe
2008-12-12 11:56	---------	d-----w	c:\program files\PuTTY
2008-12-12 11:55	---------	d-----w	c:\program files\MSECache
2008-12-07 14:56	---------	d-----w	c:\documents and settings\jbisbee\Application Data\VMware
2008-12-01 22:13	3,452,928	----a-w	c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 19:51	53,248	----a-w	c:\windows\system32\drivers\ati2erec.dll
2008-11-26 13:25	---------	d-----w	c:\documents and settings\jbisbee\Application Data\Malwarebytes
2008-11-26 13:25	---------	d-----w	c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-23 21:31	---------	d-----w	c:\program files\CyberLink
2008-11-23 21:19	---------	d-----w	c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-22 21:24	---------	d-----w	c:\program files\Spybot - Search & Destroy
2008-11-22 21:13	---------	d-----w	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 20:27	---------	d-----w	c:\program files\Apple Software Update
2008-11-22 02:12	---------	d-----w	c:\program files\iTunes
2008-11-22 02:12	---------	d-----w	c:\program files\iPod
2008-11-22 02:12	---------	d-----w	c:\program files\Common Files\Apple
2008-11-22 01:53	---------	d-----w	c:\program files\QuickTime
2008-11-21 02:59	---------	d-----w	c:\program files\Bonjour
2008-11-21 02:22	---------	d-----w	c:\program files\Safari
2008-11-17 00:56	---------	d-----w	c:\program files\PokerStars
2008-11-11 13:21	---------	d-----w	c:\program files\Skype
2008-11-08 12:20	---------	d-----w	c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-08-29 12:16	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082920080830\index.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 02:20	143360	--a------	c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 02:20	143360	--a------	c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 02:20	143360	--a------	c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Steam"="c:\program files\Steam\Steam.exe" [2008-12-31 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-06 1261336]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\jbisbee\Start Menu\Programs\Startup\
Dropbox.lnk - c:\program files\Dropbox\dropbox.exe [2008-09-26 24096981]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\XLink Kai Evolution 7\\kaiEngine.exe"=
"c:\\cygwin\\usr\\X11R6\\bin\\XWin.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\cygwin\\bin\\perl.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\cygwin\\bin\\perl5.10.0.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\cygwin\\bin\\XWin.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-06 97928]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-06 231704]
R4 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe [2008-11-25 991232]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-07-21 24652]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-12-25 18560]
S3 MTK;Media Technology Kernel Driver;c:\windows\system32\Drivers\mtk.sys --> c:\windows\system32\Drivers\mtk.sys [?]
S4 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2008-07-09 68096]
.
Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
MSConfigStartUp-BDRegion - c:\program files\Cyberlink\Shared Files\brs.exe
MSConfigStartUp-PDVD8LanguageShortcut - c:\program files\CyberLink\PowerDVD8\Language\Language.exe
MSConfigStartUp-RemoteControl8 - c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sportsline.com/mlb
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: {775968D3-1770-4F5D-8D1A-93BDB01F0A9E} = 4.2.2.1,4.2.2.2
FF - ProfilePath - c:\documents and settings\jbisbee\Application Data\Mozilla\Firefox\Profiles\8k77utin.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 19:46:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-01-07 19:57:05 - machine was rebooted [jbisbee]
ComboFix-quarantined-files.txt  2009-01-08 00:57:02

Pre-Run: 42,723,471,360 bytes free
Post-Run: 42,930,200,576 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
c:\wubildr.mbr="Ubuntu"

269	--- E O F ---	2008-12-18 08:01:41


#8 JeffreyB

JeffreyB

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 07 January 2009 - 07:18 PM

New GMER log

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-07 20:14:41
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT			spvk.sys																																		ZwCreateKey [0xB9EAB0E0]
SSDT			spvk.sys																																		ZwEnumerateKey [0xB9EC8CA2]
SSDT			spvk.sys																																		ZwEnumerateValueKey [0xB9EC9030]
SSDT			spvk.sys																																		ZwOpenKey [0xB9EAB0C0]
SSDT			spvk.sys																																		ZwQueryKey [0xB9EC9108]
SSDT			spvk.sys																																		ZwQueryValueKey [0xB9EC8F88]
SSDT			spvk.sys																																		ZwSetValueKey [0xB9EC919A]

INT 0x62		?																																			   8AF89BF8
INT 0x63		?																																			   8AF17BF8
INT 0x84		?																																			   8A4E2CE8
INT 0x94		?																																			   8A4E2CE8
INT 0xA4		?																																			   8A4E2CE8
INT 0xB4		?																																			   8A4E2CE8

---- Kernel code sections - GMER 1.0.14 ----

?			   spvk.sys																																		The system cannot find the file specified. !
?			   Combo-Fix.sys																																   The system cannot find the file specified. !
.text		   USBPORT.SYS!DllUnload																														   B84518AC 5 Bytes  JMP 8A4E22C8 
?			   C:\ComboFix\catchme.sys																														 The system cannot find the path specified. !
?			   C:\WINDOWS\system32\Drivers\PROCEXP90.SYS																									   The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT			 atapi.sys[HAL.dll!READ_PORT_UCHAR]																											  [B9EAC040] spvk.sys
IAT			 atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]																									  [B9EAC13C] spvk.sys
IAT			 atapi.sys[HAL.dll!READ_PORT_USHORT]																											 [B9EAC0BE] spvk.sys
IAT			 atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]																									 [B9EAC7FC] spvk.sys
IAT			 atapi.sys[HAL.dll!WRITE_PORT_UCHAR]																											 [B9EAC6D2] spvk.sys

---- User IAT/EAT - GMER 1.0.14 ----

IAT			 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]						[003E2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]			   [003E2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]							 [003E2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]				   [003E2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[552] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtCreateFile]				  [00802F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[552] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtDeviceIoControlFile]		 [00802CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[552] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtClose]					   [00802D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[552] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtDuplicateObject]			 [00802CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Windows Media Player\WMPNSCFG.exe[628] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]							 [008C2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Windows Media Player\WMPNSCFG.exe[628] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]					[008C2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Windows Media Player\WMPNSCFG.exe[628] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]								  [008C2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Windows Media Player\WMPNSCFG.exe[628] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]						[008C2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Dropbox\dropbox.exe[2384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]										  [003D2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Dropbox\dropbox.exe[2384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]								 [003D2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Dropbox\dropbox.exe[2384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]											   [003D2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Dropbox\dropbox.exe[2384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]									 [003D2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]			  [009D2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]	 [009D2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]				   [009D2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]		 [009D2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3000] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]		   [00982F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3000] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]  [00982CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3000] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]				[00982D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3000] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]	  [00982CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Java\jre6\bin\jusched.exe[3624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]									[00C12F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Java\jre6\bin\jusched.exe[3624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]						   [00C12CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Java\jre6\bin\jusched.exe[3624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]										 [00C12D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\Java\jre6\bin\jusched.exe[3624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]							   [00C12CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[3652] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]						[00A82F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[3652] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]			   [00A82CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[3652] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]							 [00A82D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[3652] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]				   [00A82CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\WINDOWS\stsystra.exe[3844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]													   [00A82F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\WINDOWS\stsystra.exe[3844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]											  [00A82CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\WINDOWS\stsystra.exe[3844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]															[00A82D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\WINDOWS\stsystra.exe[3844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]												  [00A82CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\PROGRA~1\AVG\AVG8\avgtray.exe[3896] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]											  [00B62F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\PROGRA~1\AVG\AVG8\avgtray.exe[3896] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]									 [00B62CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\PROGRA~1\AVG\AVG8\avgtray.exe[3896] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]												   [00B62D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\PROGRA~1\AVG\AVG8\avgtray.exe[3896] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]										 [00B62CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\WINDOWS\system32\ctfmon.exe[4076] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]												[00512F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\WINDOWS\system32\ctfmon.exe[4076] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]									   [00512CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\WINDOWS\system32\ctfmon.exe[4076] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]													 [00512D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\WINDOWS\system32\ctfmon.exe[4076] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]										   [00512CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[5248] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtCreateFile]				 [003E2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[5248] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtDeviceIoControlFile]		[003E2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[5248] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtClose]					  [003E2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[5248] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtDuplicateObject]			[003E2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\WINDOWS\explorer.exe[7164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]													   [00C32F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\WINDOWS\explorer.exe[7164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]											  [00C32CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\WINDOWS\explorer.exe[7164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]															[00C32D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\WINDOWS\explorer.exe[7164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]												  [00C32CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Documents and Settings\jbisbee\Desktop\gmer.exe[7360] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]							[003A2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Documents and Settings\jbisbee\Desktop\gmer.exe[7360] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]				   [003A2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Documents and Settings\jbisbee\Desktop\gmer.exe[7360] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]								 [003A2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\Documents and Settings\jbisbee\Desktop\gmer.exe[7360] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]					   [003A2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\WINDOWS\system32\notepad.exe[8040] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]											   [009D2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\WINDOWS\system32\notepad.exe[8040] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]									  [009D2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\WINDOWS\system32\notepad.exe[8040] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]													[009D2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT			 C:\WINDOWS\system32\notepad.exe[8040] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]										  [009D2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.14 ----

Device		  \FileSystem\Ntfs \Ntfs																														  8AF161F8
Device		  \Driver\NetBT \Device\NetBT_Tcpip_{775968D3-1770-4F5D-8D1A-93BDB01F0A9E}																		8A4001F8
Device		  \Driver\usbuhci \Device\USBPDO-0																												8A4E91F8
Device		  \Driver\dmio \Device\DmControl\DmIoDaemon																									   8AF181F8
Device		  \Driver\dmio \Device\DmControl\DmConfig																										 8AF181F8
Device		  \Driver\dmio \Device\DmControl\DmPnP																											8AF181F8
Device		  \Driver\dmio \Device\DmControl\DmInfo																										   8AF181F8
Device		  \Driver\usbehci \Device\USBPDO-1																												8A4E81F8
Device		  \Driver\usbuhci \Device\USBPDO-2																												8A4E91F8
Device		  \Driver\usbuhci \Device\USBPDO-3																												8A4E91F8
Device		  \Driver\usbuhci \Device\USBPDO-4																												8A4E91F8
Device		  \Driver\Ftdisk \Device\HarddiskVolume1																										  8AF8A1F8
Device		  \Driver\Ftdisk \Device\HarddiskVolume2																										  8AF8A1F8
Device		  \Driver\Cdrom \Device\CdRom0																													8A5101F8
Device		  \Driver\iastor \Device\Ide\iaStor0																											  8AF171F8
Device		  \Driver\iastor \Device\Ide\IAAStorageDevice-0																								   8AF171F8
Device		  \Driver\Cdrom \Device\CdRom1																													8A5101F8
Device		  \Driver\Ftdisk \Device\HarddiskVolume3																										  8AF8A1F8
Device		  \Driver\NetBT \Device\NetBt_Wins_Export																										 8A4001F8
Device		  \Driver\NetBT \Device\NetbiosSmb																												8A4001F8
Device		  \Driver\usbuhci \Device\USBFDO-0																												8A4E91F8
Device		  \Driver\usbuhci \Device\USBFDO-1																												8A4E91F8
Device		  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver																							   89E09500
Device		  \Driver\usbuhci \Device\USBFDO-2																												8A4E91F8
Device		  \FileSystem\MRxSmb \Device\LanmanRedirector																									 89E09500
Device		  \Driver\usbuhci \Device\USBFDO-3																												8A4E91F8
Device		  \Driver\usbehci \Device\USBFDO-4																												8A4E81F8
Device		  \Driver\Ftdisk \Device\FtControl																												8AF8A1F8
Device		  \FileSystem\Fastfat \Fat																														8A4E01F8
Device		  \FileSystem\Fastfat \Fat																														A2280297

AttachedDevice  \FileSystem\Fastfat \Fat																														fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device		  \FileSystem\Cdfs \Cdfs																														  8A3D6470

---- Registry - GMER 1.0.14 ----

Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1																							  771343423
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2																							  285507792
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0																							  1
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04																
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0															 0
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew														  0x24 0x89 0xC8 0x3E ...
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04																	
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0																 0
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew															  0x24 0x89 0xC8 0x3E ...
Reg			 HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04																	
Reg			 HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0																 0
Reg			 HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew															  0x24 0x89 0xC8 0x3E ...

---- EOF - GMER 1.0.14 ----
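The IAT/EAT sections of a GMER log like the one above are easier to read when the records are grouped by the module that installed each hook: here every user-mode hook comes from one Logitech DLL hooking the same four ntdll functions in every process, while the kernel hooks redirect five HAL port-I/O imports of atapi.sys to spvk.sys. The Python script below is an added example for triaging such logs; it is not part of this thread or of GMER. It parses the two record shapes GMER 1.0.14 prints (kernel and user IAT lines), groups them by hooking module and lists the ones a helper would look at first. The sample lines embedded in it are copied from the log above; the function names (parse_hooks, summarise, flag_for_review, report) are the example's own.

```python
"""Group the IAT/EAT hook records of a GMER 1.0.14 log by hooking module.

Added example for reading logs like the one in the thread above; it is not
part of the forum thread or of GMER.  The two regexes cover the two record
shapes GMER prints, the sample lines are copied from the thread's log, and
the function names are this example's own.
"""
import re

# Kernel record:  IAT  atapi.sys[HAL.dll!READ_PORT_UCHAR]  [B9EAC040] spvk.sys
KERNEL_RE = re.compile(
    r"^IAT\s+(?P<victim>\S+)\[(?P<dll>[^!\]]+)!(?P<func>[^\]]+)\]\s+"
    r"\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<hooker>\S+)\s*$"
)
# User record:  IAT  <exe>[pid] @ <import module> [ntdll.dll!NtClose]  [003E2D00] <hooking dll> (description)
USER_RE = re.compile(
    r"^IAT\s+(?P<victim>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>\S+)\s+"
    r"\[(?P<dll>[^!\]]+)!(?P<func>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+"
    r"(?P<hooker>.+?)(?:\s+\((?P<desc>[^)]*)\))?\s*$"
)

# Sample lines copied from the GMER output above (two kernel hooks, two processes).
LVPRCINJ = r"C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll"
SAMPLE_LOG = r"""
---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT    atapi.sys[HAL.dll!READ_PORT_UCHAR]     [B9EAC040] spvk.sys
IAT    atapi.sys[HAL.dll!READ_PORT_USHORT]    [B9EAC0BE] spvk.sys

---- User IAT/EAT - GMER 1.0.14 ----

IAT    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]   [003E2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]   [003E2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]   [003E2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]   [003E2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT    C:\WINDOWS\explorer.exe[7164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]   [00C32F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT    C:\WINDOWS\explorer.exe[7164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]   [00C32CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT    C:\WINDOWS\explorer.exe[7164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]   [00C32D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT    C:\WINDOWS\explorer.exe[7164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]   [00C32CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
"""


def parse_hooks(log_text):
    """Return one dict per IAT record; lines matching neither shape are skipped."""
    hooks = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith("IAT"):
            continue
        m = USER_RE.match(line)
        if m:
            hooks.append({"mode": "user", "victim": f"{m['victim']}[{m['pid']}]",
                          "func": f"{m['dll']}!{m['func']}", "addr": m["addr"],
                          "hooker": m["hooker"], "desc": m["desc"] or ""})
            continue
        m = KERNEL_RE.match(line)
        if m:
            hooks.append({"mode": "kernel", "victim": m["victim"],
                          "func": f"{m['dll']}!{m['func']}", "addr": m["addr"],
                          "hooker": m["hooker"], "desc": ""})
    return hooks


def summarise(hooks):
    """Group by hooking module: mode, functions hooked, targets, vendor description."""
    summary = {}
    for h in hooks:
        entry = summary.setdefault(h["hooker"], {"mode": h["mode"], "funcs": set(),
                                                  "victims": set(), "desc": h["desc"]})
        entry["funcs"].add(h["func"])
        entry["victims"].add(h["victim"])
    return summary


def flag_for_review(summary):
    """Modules to look at first: anything hooking in kernel mode, and any
    user-mode hooker for which GMER printed no vendor description."""
    return sorted(name for name, e in summary.items()
                  if e["mode"] == "kernel" or not e["desc"])


def report(summary):
    """Human-readable summary, kernel hookers first."""
    lines = []
    for name, e in sorted(summary.items(), key=lambda kv: kv[1]["mode"]):
        lines.append(f"{e['mode']:6} {name}  ({e['desc'] or 'no description'})")
        lines.append(f"       hooks {len(e['funcs'])} function(s) in "
                     f"{len(e['victims'])} target(s): " + ", ".join(sorted(e["funcs"])))
    return "\n".join(lines)


if __name__ == "__main__":
    s = summarise(parse_hooks(SAMPLE_LOG))
    print(report(s))
    print("review first:", flag_for_review(s))
```

Running it on the full log above collapses the 60 user-mode lines into a single entry for LVPrcInj.dll (4 functions, 15 processes) and one kernel entry for spvk.sys; the same-DLL-everywhere pattern with a vendor description is what a system-wide injection by installed software looks like, whereas a hooker that appears in only one process, or with no description, is the one worth pulling for a VirSCAN upload as the helper does below with mardp2k.sys.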


#9 RatHat

RatHat

    Retired Staff-Malware Expert

  • Authentic Member
  • 816 posts

Posted 07 January 2009 - 07:55 PM

Please uninstall the following programs:

uTorrent
Viewpoint
(anything with Viewpoint in the name)

  • Go to Start then Settings, then Control Panel
  • Choose Add or Remove Programs
  • Remove all of the above
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I would like you to upload a file to be scanned
  • Please go to VirSCAN.org
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • c:\windows\system32\drivers\mardp2k.sys
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Open Notepad and paste the contents into a new Notepad file using Ctrl and V at the same time.
  • Save the notepad file to your desktop as VirScan.txt and copy the contents into your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\popcinfot.dat
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\drivers\logiflt.iad


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Posted Image: animation of dragging CFScript.txt onto ComboFix.exe]

5. After reboot, (in case it asks to reboot), please post the Combofix.txt report into your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner.
Note: You must use Internet Explorer to run this scan, and you must disable your Anti Virus program during the scan.

Click the Accept button.

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the View scan report link:
  • Click the Save report as button
  • Under Save as type, choose Text file (*.txt)
  • Save the file to your desktop as Kaspersky.txt
  • Copy and paste that information in your next post.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#10 JeffreyB

JeffreyB

    New Member

  • Authentic Member
  • 16 posts

Posted 08 January 2009 - 05:40 AM

Removed uTorrent and Viewpoint

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

VirScan of mardp2k.sys

VirSCAN.org Scanned Report :
Scanned time   : 2009/01/07 21:08:17 (EST)
Scanner results: All Scanners reported not find malware!
File Name	  : mardp2k.sys
File Size	  : 49867 byte
File Type	  : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5			: b51e7eab4baf13b492aa3299bcf52a35
SHA1		   : 849f2ae00c3601dc855b10ea9c3f2d5e3e9b24ed
Online report  : http://virscan.org/report/447ee03cc43c78f389829c9b04f29b51.html

Scanner		Engine Ver	  Sig Ver		   Sig Date	Time   Scan result
a-squared	  4.0.0.29		20090107203418	2009-01-07  2.44   -
AhnLab V3	  2009.01.08.00   2009.01.08		2009-01-08  1.86   -
AntiVir		7.9.0.45		7.1.1.80		  2009-01-07  1.73   -
Antiy		  2.0.18		  20090105.1950502  2009-01-05  0.02   -
Authentium	 5.1.1		   200901071754	  2009-01-07  1.07   -
AVAST!		 3.0.1		   090107-0		  2009-01-07  0.01   -
AVG			7.5.52.442	  270.10.5/1881	 2009-01-07  1.81   -
BitDefender	7.81008.2413034 7.23029		   2009-01-08  2.20   -
CA (VET)	   9.0.0.143	   31.6.6296		 2009-01-07  6.84   -
ClamAV		 0.94.2		  8842			  2009-01-07  0.02   -
Comodo		 3.0			 891			   2009-01-07  0.98   -
CP Secure	  1.1.0.715	   2009.01.08		2009-01-08  6.42   -
Dr.Web		 4.44.0.9170	 2009.01.07		2009-01-07  3.80   -
ewido		  4.0.0.2		 2008.12.31		2008-12-31  3.62   -
F-Prot		 4.4.4.56		20090107		  2009-01-07  1.07   -
F-Secure	   5.51.6100	   2009.01.08.01	 2009-01-08  4.13   -
Fortinet	   2.81-3.117	  9.901			 2009-01-07  0.17   -
GData		  19.2319/19.176  20090108		  2009-01-08  2.91   -
ViRobot		20090107		2009.01.07		2009-01-07  0.41   -
Ikarus		 T3.1.01.45	  2009.01.07.72114  2009-01-07  3.60   -
JiangMin	   11.0.706		2009.01.07		2009-01-07  1.53   -
Kaspersky	  5.5.10		  2009.01.07		2009-01-07  0.04   -
KingSoft	   2008.9.8.18	 2009.1.8.10	   2009-01-08  0.62   -
McAfee		 5.3.00		  5488			  2009-01-07  2.84   -
Microsoft	  1.4205		  2009.01.07		2009-01-07  4.12   -
mks_vir		2.01			2009.01.08		2009-01-08  2.69   -
Norman		 5.93.01		 5.93.00		   2009-01-05  6.05   -
Panda		  9.05.01		 2009.01.07		2009-01-07  2.37   -
Trend Micro	8.700-1004	  5.754.05		  2009-01-07  0.03   -
Quick Heal	 10.00		   2009.01.06		2009-01-06  0.87   -
Rising		 20.0			21.11.22.00	   2009-01-07  0.78   -
Sophos		 2.82.1		  4.37			  2009-01-08  2.06   -
Sunbelt		4755			4755			  2008-12-22  0.57   -
Symantec	   1.3.0.24		20090107.002	  2009-01-07  0.22   -
nProtect	   20090107.01	 2850296		   2009-01-07  3.33   -
The Hacker	 6.3.1.2		 v00212			2009-01-07  0.48   -
VBA32		  3.12.8.10	   20090107.1010	 2009-01-07  1.53   -
VirusBuster	4.5.11.10	   10.100.18/762229  2009-01-07  1.00   -

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ran ComboFix

ComboFix 09-01-07.01 - jbisbee 2009-01-07 21:15:23.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3070.2319 [GMT -5:00]
Running from: c:\documents and settings\jbisbee\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jbisbee\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
 * Created a new restore point

FILE ::
c:\windows\popcinfot.dat
c:\windows\system32\drivers\logiflt.iad
c:\windows\system32\drivers\lvuvc.hs
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\popcinfot.dat
c:\windows\system32\drivers\logiflt.iad
c:\windows\system32\drivers\lvuvc.hs

.
(((((((((((((((((((((((((   Files Created from 2008-12-08 to 2009-01-08  )))))))))))))))))))))))))))))))
.

2009-01-07 18:51 . 2009-01-07 19:58	250	--a------	c:\windows\gmer.ini
2009-01-06 23:25 . 2009-01-06 23:25	<DIR>	d--------	c:\program files\Malwarebytes' Anti-Malware
2009-01-06 23:25 . 2009-01-04 18:38	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 23:25 . 2009-01-04 18:38	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2009-01-06 22:34 . 2009-01-07 06:45	<DIR>	d--h-----	C:\$AVG8.VAULT$
2009-01-06 22:27 . 2009-01-06 22:27	10,520	--a------	c:\windows\system32\avgrsstx.dll
2009-01-06 22:26 . 2009-01-07 18:48	<DIR>	d--------	c:\windows\system32\drivers\Avg
2009-01-06 22:26 . 2009-01-06 22:26	<DIR>	d--------	c:\program files\AVG
2009-01-06 22:26 . 2009-01-06 22:33	<DIR>	d--------	c:\documents and settings\All Users\Application Data\avg8
2009-01-06 22:26 . 2009-01-06 22:26	.97,928	--a------	c:\windows\system32\drivers\avgldx86.sys
2009-01-06 20:48 . 2009-01-06 20:48	<DIR>	d--------	c:\program files\ERUNT
2009-01-06 18:57 . 2009-01-06 18:57	<DIR>	d--------	c:\program files\Trend Micro
2009-01-06 00:42 . 2009-01-06 00:42	<DIR>	d--------	c:\documents and settings\All Users\Application Data\PC Drivers Headquarters
2009-01-06 00:18 . 2009-01-06 00:20	2,444	--a------	C:\autorun.PNF
2009-01-05 23:54 . 2009-01-05 23:54	<DIR>	d--------	C:\IBMTOOLS
2009-01-05 23:23 . 2009-01-05 23:23	<DIR>	d--h-----	c:\windows\system32\GroupPolicy
2009-01-05 22:57 . 2009-01-05 22:57	<DIR>	d--------	c:\program files\WinDirStat
2009-01-04 06:38 . 2009-01-04 06:39	<DIR>	d--------	c:\documents and settings\jbisbee\Application Data\Quicken
2009-01-03 23:34 . 2009-01-04 00:10	<DIR>	d--------	c:\documents and settings\jbisbee\Application Data\vlc
2009-01-03 22:22 . 2009-01-03 22:22	<DIR>	d--------	c:\documents and settings\All Users\Application Data\SpinTop Games
2009-01-03 10:41 . 2008-11-11 16:32	3,523,872	--a------	c:\windows\system32\cdintf300.dll
2009-01-03 10:41 . 2008-11-11 16:32	1,848,608	--a------	c:\windows\system32\acXMLParser.dll
2009-01-02 14:52 . 2009-01-02 14:52	98,304	--a------	c:\windows\system32\CmdLineExt.dll
2009-01-02 14:19 . 2009-01-02 14:19	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Hot Lava Games
2009-01-02 06:45 . 2009-01-02 06:46	<DIR>	d--------	c:\documents and settings\jbisbee\Application Data\The Longest Journey Demo
2009-01-01 23:01 . 2009-01-01 23:09	<DIR>	d--------	c:\documents and settings\jbisbee\Application Data\Mount&Blade
2008-12-31 09:16 . 2008-12-31 09:16	<DIR>	d--------	c:\documents and settings\All Users\Application Data\2DBoy
2008-12-31 08:59 . 2009-01-07 19:48	<DIR>	d--------	c:\program files\Steam
2008-12-30 22:17 . 2008-12-30 22:17	<DIR>	d--------	c:\documents and settings\jbisbee\Application Data\ATI
2008-12-30 22:17 . 2008-12-30 22:17	<DIR>	d--------	c:\documents and settings\All Users\Application Data\ATI
2008-12-29 20:32 . 2008-12-29 21:26	<DIR>	d--------	c:\program files\CDisplayEx
2008-12-28 22:21 . 2008-12-28 22:21	<DIR>	d--------	c:\documents and settings\jbisbee\Application Data\Amphetype
2008-12-26 17:31 . 2005-08-18 11:44	49,867	--a------	c:\windows\system32\drivers\mardp2k.sys
2008-12-26 17:31 . 2005-08-18 11:44	49,484	--a------	c:\windows\system32\drivers\MARDPNP.SYS
2008-12-26 17:31 . 2007-02-02 16:57	49,377	--a------	c:\windows\system32\drivers\mamotou.sys
2008-12-26 17:31 . 2007-01-16 11:46	25,302	--a------	c:\windows\system32\drivers\MaVctrl.sys
2008-12-26 17:31 . 2007-01-16 11:44	11,986	--a------	c:\windows\system32\drivers\MaVc2K.sys
2008-12-26 17:30 . 2008-12-26 17:30	<DIR>	d--------	c:\windows\Application Data
2008-12-25 18:36 . 2008-12-25 18:36	<DIR>	d--------	c:\program files\DIFX
2008-12-25 18:36 . 2008-11-25 12:39	18,560	--a------	c:\windows\system32\drivers\FlyUsb.sys
2008-12-25 18:35 . 2008-12-25 18:35	<DIR>	d--------	c:\program files\Common Files\Wise Installation Wizard
2008-12-25 18:35 . 2008-12-25 18:35	110	--a------	c:\windows\{CF055C57-A988-42E6-BDAF-E3D94C6973A8}_WiseFW.ini
2008-12-25 18:34 . 2008-12-25 18:34	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Leapfrog
2008-12-25 18:33 . 2008-12-25 18:35	<DIR>	d--------	c:\program files\LeapFrog
2008-12-22 21:10 . 2008-12-22 21:11	<DIR>	d--------	c:\documents and settings\jbisbee\temp
2008-12-15 08:56 . 2008-12-30 22:54	<DIR>	d--------	c:\program files\AviSynth 2.5
2008-12-12 16:47 . 2008-12-12 16:47	3,751,995	--a------	c:\windows\system32\GPhotos.scr
2008-12-12 14:03 . 2008-12-29 21:16	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-12 07:06 . 2008-12-12 07:06	<DIR>	d--------	c:\program files\Common Files\Adobe AIR
2008-12-12 06:44 . 2008-12-12 06:44	<DIR>	d--------	c:\documents and settings\jbisbee\Application Data\gnupg
2008-12-12 06:44 . 2008-12-12 07:08	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Appupdater
2008-12-12 06:42 . 2008-12-30 22:53	<DIR>	d--------	c:\program files\AppSnap
2008-12-12 06:42 . 2008-12-12 06:42	<DIR>	d--------	c:\documents and settings\All Users\Application Data\AppSnap
2008-12-12 06:40 . 2008-12-12 06:40	<DIR>	d--------	c:\program files\GNU
2008-12-12 06:40 . 2008-12-12 06:40	<DIR>	d--------	c:\documents and settings\LocalService\Application Data\gnupg
2008-12-12 06:40 . 2008-12-30 20:31	<DIR>	d--------	c:\documents and settings\All Users\Appupdater
2008-12-12 06:37 . 2008-12-30 22:54	<DIR>	d--------	c:\program files\Puchisoft
2008-12-12 06:37 . 2008-12-12 06:38	<DIR>	d--------	c:\documents and settings\jbisbee\Application Data\PuchisoftDispatcher

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 02:01	---------	d-----w	c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-08 00:50	---------	d-----w	c:\documents and settings\jbisbee\Application Data\Dropbox
2009-01-07 23:51	---------	d-----w	c:\documents and settings\jbisbee\Application Data\uTorrent
2009-01-07 23:40	---------	d-----w	c:\program files\PeerGuardian2
2009-01-07 23:24	---------	d-----w	c:\documents and settings\jbisbee\Application Data\Skype
2009-01-07 22:13	---------	d-----w	c:\documents and settings\jbisbee\Application Data\skypePM
2009-01-07 00:03	---------	d-----w	c:\program files\VMware
2009-01-06 14:10	---------	d-----w	c:\documents and settings\NetworkService\Application Data\VMware
2009-01-06 14:10	---------	d-----w	c:\documents and settings\LocalService\Application Data\VMware
2009-01-06 14:09	---------	d-----w	c:\documents and settings\All Users\Application Data\VMware
2009-01-06 13:46	---------	d-----w	c:\documents and settings\jbisbee\Application Data\.purple
2009-01-06 05:46	---------	d--h--w	c:\program files\InstallShield Installation Information
2009-01-03 15:41	---------	d-----w	c:\program files\Quicken
2008-12-31 04:50	---------	d-----w	c:\program files\SystemRequirementsLab
2008-12-31 04:50	---------	d-----w	c:\documents and settings\jbisbee\Application Data\SystemRequirementsLab
2008-12-31 04:30	---------	d-----w	c:\program files\Intel
2008-12-31 03:55	---------	d-----w	c:\program files\Opera 9.5 beta
2008-12-31 03:55	---------	d-----w	c:\program files\Opera
2008-12-31 03:55	---------	d-----w	c:\documents and settings\jbisbee\Application Data\Move Networks
2008-12-31 03:13	---------	d-----w	c:\program files\ATI Technologies
2008-12-30 14:41	---------	d-----w	c:\program files\Dropbox
2008-12-30 02:16	---------	d-----w	c:\program files\Yahoo!
2008-12-24 15:47	---------	d-----w	c:\program files\Pidgin
2008-12-16 13:58	---------	d-----w	c:\program files\Java
2008-12-15 14:20	---------	d-----w	c:\documents and settings\jbisbee\Application Data\dvdcss
2008-12-13 06:40	3,593,216	----a-w	c:\windows\system32\dllcache\mshtml.dll
2008-12-12 12:04	---------	d-----w	c:\program files\Common Files\Adobe
2008-12-12 11:56	---------	d-----w	c:\program files\PuTTY
2008-12-12 11:55	---------	d-----w	c:\program files\MSECache
2008-12-07 14:56	---------	d-----w	c:\documents and settings\jbisbee\Application Data\VMware
2008-12-01 22:13	3,452,928	----a-w	c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 22:13	3,452,928	----a-w	c:\windows\system32\dllcache\ati2mtag.sys
2008-12-01 20:52	425,984	----a-w	c:\windows\system32\ATIDEMGX.dll
2008-12-01 20:51	318,464	----a-w	c:\windows\system32\ati2dvag.dll
2008-12-01 20:46	11,304,960	----a-w	c:\windows\system32\atioglxx.dll
2008-12-01 20:41	188,416	----a-w	c:\windows\system32\atipdlxx.dll
2008-12-01 20:40	43,520	----a-w	c:\windows\system32\ati2edxx.dll
2008-12-01 20:40	26,112	----a-w	c:\windows\system32\Ati2mdxx.exe
2008-12-01 20:40	147,456	----a-w	c:\windows\system32\Oemdspif.dll
2008-12-01 20:40	143,360	----a-w	c:\windows\system32\ati2evxx.dll
2008-12-01 20:38	598,016	----a-w	c:\windows\system32\ati2evxx.exe
2008-12-01 20:37	53,248	----a-w	c:\windows\system32\ATIDDC.DLL
2008-12-01 20:27	4,120,384	----a-w	c:\windows\system32\ati3duag.dll
2008-12-01 20:19	307,200	----a-w	c:\windows\system32\atiiiexx.dll
2008-12-01 20:11	2,495,360	----a-w	c:\windows\system32\ativvaxx.dll
2008-12-01 19:57	48,640	----a-w	c:\windows\system32\amdpcom32.dll
2008-12-01 19:53	45,056	----a-w	c:\windows\system32\amdcalrt.dll
2008-12-01 19:53	45,056	----a-w	c:\windows\system32\amdcalcl.dll
2008-12-01 19:53	401,408	----a-w	c:\windows\system32\atikvmag.dll
2008-12-01 19:52	86,016	----a-w	c:\windows\system32\atiadlxx.dll
2008-12-01 19:52	17,408	----a-w	c:\windows\system32\atitvo32.dll
2008-12-01 19:51	53,248	----a-w	c:\windows\system32\drivers\ati2erec.dll
2008-12-01 19:50	3,252,224	----a-w	c:\windows\system32\Amdcaldd.dll
2008-12-01 19:50	286,720	----a-w	c:\windows\system32\atiok3x2.dll
2008-12-01 19:45	577,536	----a-w	c:\windows\system32\ati2cqag.dll
2008-12-01 19:35	593,920	------w	c:\windows\system32\ati2sgag.exe
2008-11-26 13:25	---------	d-----w	c:\documents and settings\jbisbee\Application Data\Malwarebytes
2008-11-26 13:25	---------	d-----w	c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-23 21:31	---------	d-----w	c:\program files\CyberLink
2008-11-23 21:19	---------	d-----w	c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-22 21:24	---------	d-----w	c:\program files\Spybot - Search & Destroy
2008-11-22 21:13	---------	d-----w	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 20:27	---------	d-----w	c:\program files\Apple Software Update
2008-11-22 02:12	---------	d-----w	c:\program files\iTunes
2008-11-22 02:12	---------	d-----w	c:\program files\iPod
2008-11-22 02:12	---------	d-----w	c:\program files\Common Files\Apple
2008-11-22 01:53	---------	d-----w	c:\program files\QuickTime
2008-11-21 02:59	---------	d-----w	c:\program files\Bonjour
2008-11-21 02:22	---------	d-----w	c:\program files\Safari
2008-11-17 00:56	---------	d-----w	c:\program files\PokerStars
2008-11-11 13:21	---------	d-----w	c:\program files\Skype
2008-11-10 10:43	410,984	----a-w	c:\windows\system32\deploytk.dll
2008-11-08 12:20	---------	d-----w	c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-10-24 11:21	455,296	------w	c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36	286,720	----a-w	c:\windows\system32\gdi32.dll
2008-10-23 12:36	286,720	------w	c:\windows\system32\dllcache\gdi32.dll
2008-10-21 18:51	118,784	----a-w	c:\windows\system32\atibrtmon.exe
2008-10-16 19:13	202,776	----a-w	c:\windows\system32\wuweb.dll
2008-10-16 19:13	202,776	----a-w	c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13	1,809,944	----a-w	c:\windows\system32\wuaueng.dll
2008-10-16 19:13	1,809,944	----a-w	c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12	561,688	----a-w	c:\windows\system32\wuapi.dll
2008-10-16 19:12	561,688	----a-w	c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12	323,608	----a-w	c:\windows\system32\wucltui.dll
2008-10-16 19:12	323,608	----a-w	c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09	92,696	----a-w	c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09	92,696	----a-w	c:\windows\system32\cdm.dll
2008-10-16 19:09	51,224	----a-w	c:\windows\system32\wuauclt.exe
2008-10-16 19:09	51,224	----a-w	c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09	43,544	----a-w	c:\windows\system32\wups2.dll
2008-10-16 19:08	34,328	----a-w	c:\windows\system32\wups.dll
2008-10-16 19:08	34,328	----a-w	c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06	268,648	----a-w	c:\windows\system32\mucltui.dll
2008-10-16 19:06	208,744	----a-w	c:\windows\system32\muweb.dll
2008-10-16 13:11	70,656	------w	c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11	13,824	------w	c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34	337,408	------w	c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06	633,632	------w	c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04	161,792	------w	c:\windows\system32\dllcache\ieakui.dll
2008-08-29 12:16	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082920080830\index.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 02:20	143360	--a------	c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 02:20	143360	--a------	c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 02:20	143360	--a------	c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Steam"="c:\program files\Steam\Steam.exe" [2008-12-31 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-06 1261336]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [BU]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\jbisbee\Start Menu\Programs\Startup\
Dropbox.lnk - c:\program files\Dropbox\dropbox.exe [2008-09-26 24096981]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\XLink Kai Evolution 7\\kaiEngine.exe"=
"c:\\cygwin\\usr\\X11R6\\bin\\XWin.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\cygwin\\bin\\perl.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\cygwin\\bin\\perl5.10.0.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\cygwin\\bin\\XWin.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-06 97928]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-06 231704]
R4 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe [2008-11-25 991232]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-12-25 18560]
S3 MTK;Media Technology Kernel Driver;c:\windows\system32\Drivers\mtk.sys --> c:\windows\system32\Drivers\mtk.sys [?]
S4 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2008-07-09 68096]
.
Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sportsline.com/mlb
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: {775968D3-1770-4F5D-8D1A-93BDB01F0A9E} = 4.2.2.1,4.2.2.2
FF - ProfilePath - c:\documents and settings\jbisbee\Application Data\Mozilla\Firefox\Profiles\8k77utin.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 21:17:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-07 21:19:53
ComboFix-quarantined-files.txt  2009-01-08 02:19:00
ComboFix2.txt  2009-01-08 00:57:06

Pre-Run: 42,931,683,328 bytes free
Post-Run: 42,915,532,800 bytes free

287	--- E O F ---	2008-12-18 08:01:41

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ran ATF Cleaner

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ran Kaspersky Online Scanner

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
 Thursday, January 8, 2009
 Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
 Kaspersky Online Scanner 7 version: 7.0.25.0
 Program database last update: Thursday, January 08, 2009 00:32:59
 Records in database: 1583436
--------------------------------------------------------------------------------

Scan settings:
	Scan using the following database: extended
	Scan archives: yes
	Scan mail databases: yes

Scan area - My Computer:
	C:\
	D:\
	E:\

Scan statistics:
	Files scanned: 125705
	Threat name: 0
	Infected objects: 0
	Suspicious objects: 0
	Duration of the scan: 02:14:37

No malware has been detected. The scan area is clean.

The selected area was scanned.
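The `TCP: {...} = 4.2.2.1,4.2.2.2` line in the ComboFix supplementary scan above records the DNS servers configured on the network adapter, which is the setting a DNS hijack changes, so it is the line to re-check on a cleaned machine. The script below is an added example, not part of this thread or of ComboFix: it pulls those lines out of a ComboFix log and flags any resolver that is not on an allowlist; the allowlist, the second interface GUID and the 192.0.2.53 address are constructed for the sample.

```python
"""Flag unexpected DNS resolvers in a ComboFix supplementary scan.

ComboFix writes one line per adapter of the form
    TCP: {<interface GUID>} = <server>[,<server>...]
Every resolver that is not on the allowlist is reported for review.
"""
import ipaddress
import re

# Constructed sample: the first TCP: line is the one from the log above,
# the second is a made-up adapter pointing at a TEST-NET address.
SAMPLE_LOG = """\
uStart Page = hxxp://www.sportsline.com/mlb
TCP: {775968D3-1770-4F5D-8D1A-93BDB01F0A9E} = 4.2.2.1,4.2.2.2
TCP: {00000000-0000-0000-0000-000000000001} = 192.0.2.53,4.2.2.1
FF - plugin: c:\\program files\\Google\\Picasa3\\npPicasa3.dll
"""

# Resolvers the owner expects to see (assumption for this example).
ALLOWED_RESOLVERS = {"4.2.2.1", "4.2.2.2"}

# RFC 1918 ranges: usually a home router relaying DNS, worth a separate look.
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_TCP_LINE = re.compile(
    r"^TCP:\s*\{(?P<guid>[0-9A-Fa-f-]{36})\}\s*=\s*(?P<servers>.+)$")


def parse_tcp_lines(log_text):
    """Return {interface_guid: [server, ...]} for every TCP: line."""
    found = {}
    for line in log_text.splitlines():
        m = _TCP_LINE.match(line.strip())
        if not m:
            continue
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        found[m.group("guid")] = servers
    return found


def classify(server, allowed=ALLOWED_RESOLVERS):
    """Label one resolver as 'allowed', 'private', 'unknown' or 'invalid'."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"          # not an IP literal at all
    if server in allowed:
        return "allowed"
    if any(addr in net for net in _RFC1918):
        return "private"
    return "unknown"              # a public resolver the owner did not set


def find_unexpected(log_text, allowed=ALLOWED_RESOLVERS):
    """Return [(guid, server, label)] for every resolver not on the allowlist."""
    findings = []
    for guid, servers in parse_tcp_lines(log_text).items():
        for s in servers:
            label = classify(s, allowed)
            if label != "allowed":
                findings.append((guid, s, label))
    return findings


if __name__ == "__main__":
    for guid, server, label in find_unexpected(SAMPLE_LOG):
        print(f"{guid}: {server} ({label})")
```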


#11 RatHat

    Retired Staff-Malware Expert


Posted 08 January 2009 - 06:12 AM

Looks like you are clean again! :thumbup: Are there any more problems with this machine? Regards, RatHat

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to join the fight against Malware? Click here to find out how.

Please do not PM me asking for support. Post on the forums instead :)
Please post the final results, good or bad. We like to know!


If you feel I have helped you and would like to make a small donation, please click here


#12 JeffreyB

    New Member


Posted 08 January 2009 - 06:02 PM

The computer seems to run just great. I've always understood that you need to reformat and reinstall the OS just to be safe with a rootkit.

#13 RatHat

    Retired Staff-Malware Expert


Posted 08 January 2009 - 07:06 PM

I've always understood that you need to reformat and reinstall the os just to be safe with a rootkit.


Nowadays, with the tools we have available to clean a computer, we can get rid of almost all rootkits. However, reformatting is the only sure way to guarantee complete removal of a rootkit. You now have the chance to copy all your important files to CD or an external drive before doing so, or, as it looks like we have removed the rootkit, you can continue on with the machine as is.

That choice is yours.

If you choose to continue on with the machine, we need to remove the tools that have been used.

Firstly, let's uninstall GMER:
  • Copy the entire contents of the Code Box below to Notepad.
  • Name the file gmer_uninstall.bat
  • Change the Save as Type to All Files
  • and Save it in the folder where GMER.exe was saved
  • Once saved, double click on the gmer_uninstall.bat file. An MS-DOS window will be displayed. That is normal.

@echo off
rem Stop and unregister the GMER driver service
sc stop gmer
sc delete gmer
rem Delete the driver and the files GMER left in the Windows folder, if present
if exist %SystemRoot%\System32\drivers\gmer.sys del /f /q %SystemRoot%\System32\drivers\gmer.sys
if exist %SystemRoot%\gmer.dll del /f /q %SystemRoot%\gmer.dll
if exist %SystemRoot%\gmer.exe del /f /q %SystemRoot%\gmer.exe
if exist %SystemRoot%\gmer.ini del /f /q %SystemRoot%\gmer.ini
if exist %SystemRoot%\gmer_uninstall.cmd del /f /q %SystemRoot%\gmer_uninstall.cmd
if exist %SystemRoot%\gmer.bat del /f /q %SystemRoot%\gmer.bat
if exist %SystemRoot%\gmer.reg del /f /q %SystemRoot%\gmer.reg
if exist %SystemRoot%\gmer.log del /f /q %SystemRoot%\gmer.log
rem Remove the gmer folder next to this script, then the script itself
rd /s /q gmer
del /f /q gmer_uninstall.bat
exit

Now let's uninstall Combofix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /u; it needs to be there.
  • Click Here to download OTCleanIt
  • Double-click OTCleanIt.exe to run it.
  • Click the Clean up button
  • Click Yes to the reboot.

Now delete any logs that you have left over on your desktop.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For some useful tips on staying clean, along with links to some freeware to help, have a look at this page.

To find out more information about how you got infected in the first place, you can read this article.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!

Best regards,
RatHat



#14 RatHat

    Retired Staff-Malware Expert


Posted 12 January 2009 - 02:22 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
