[Resolved] Using 85.255.113.146 for DNS Resolution
#1
Posted 06 January 2009 - 07:43 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:19 PM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sportsline.com/mlb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\dropbox.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1122857477765
O17 - HKLM\System\CCS\Services\Tcpip\..\{775968D3-1770-4F5D-8D1A-93BDB01F0A9E}: NameServer = 4.2.2.1,4.2.2.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LeapFrog Connect Device Service - Unknown owner - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7808 bytes
#2
Posted 07 January 2009 - 02:40 AM
Welcome to WTT.
This sounds like a case of a Zlob/DNSchanger that changes the router's DNS settings. Make sure you read the remainder of this post completely, then carry on with the instructions below.
Please download Malwarebytes' Anti-Malware from Here or Here
Next, disconnect your system from the internet, and your router, then:
- Double-click mbam-setup.exe to install the application.
- Launch Malwarebytes' Anti-Malware, then click Finish.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don’t know the router's default password, you can look it up HERE
However, if there are other Zlob-infected machines using the same router, they will need to be cleared with the above steps before resetting the router. Otherwise, the malware will simply go back and change the router's DNS settings. Make sure you run MBAM on every computer connected to your router by hardwire (LAN) or Wireless! You also need to reconfigure any security settings you had in place prior to the reset. Check out this site here for video tutorials on how to properly configure your router's encryption and security settings. You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.
Once you have run Malwarebytes' Anti-Malware on the infected system, and reset the router to its default configuration you can reconnect to the internet, and router. Then return to this site to post your logs.
Regards,
RatHat
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to join the fight against Malware? Click here to find out how.
Please do not PM me asking for support. Post on the forums instead
Please post the final results, good or bad. We like to know!
If you feel I have helped you and would like to make a small donation, please click here
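The reply above says the fix is only complete once the resolvers on every host and on the router are back to known-good addresses. The HijackThis log in post #1 shows the host pointing at 4.2.2.1 and 4.2.2.2 while the thread title names 85.255.113.146 as the address actually answering queries, so the check worth automating is "does every configured resolver fall where I expect?". The script below is an added example, not part of the thread or any of the tools it mentions: it reads the O17 NameServer/DhcpNameServer entries from a HijackThis log and buckets each address. The rogue ranges are the blocks the FBI published for the DNSChanger (Rove Digital) resolvers in Operation Ghost Click; the public-resolver allowlist and the sample log lines are constructed assumptions, and the second O17 line in the sample is hypothetical, built from the address in the thread title.

```python
"""Classify the DNS resolvers listed in a HijackThis log (O17 entries).

Added example, not part of the original thread. Every NameServer and
DhcpNameServer value is bucketed as rogue (known DNSChanger block),
public (allowlisted resolver), lan (RFC 1918 / loopback) or unknown.
"""
import ipaddress
import re

# Rogue resolver blocks from the FBI's Operation Ghost Click notice on
# DNSChanger. 85.255.113.146 from the thread title sits in the first one.
DNSCHANGER_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]

# Assumption: resolvers this household would legitimately use. Replace with
# whatever the ISP actually hands out.
KNOWN_PUBLIC = {"4.2.2.1", "4.2.2.2", "4.2.2.3", "8.8.8.8", "8.8.4.4"}

# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h
# The server list stops at the first token that is not digits and dots, so
# the pattern also works on a log that has been run together onto one line.
O17_RE = re.compile(
    r"O17 - (?P<key>HKLM\\System\\\S+?): (?P<value>NameServer|DhcpNameServer) = "
    r"(?P<servers>[0-9.]+(?:[,\s]+[0-9.]+)*)")

# Constructed sample: the real O17 line from this thread, a hypothetical
# second control set pointing at the address from the thread title, and a
# DHCP-assigned router address.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{775968D3-1770-4F5D-8D1A-93BDB01F0A9E}: NameServer = 4.2.2.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{775968D3-1770-4F5D-8D1A-93BDB01F0A9E}: NameServer = 85.255.113.146
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
"""


def classify(ip_str):
    """Bucket one resolver address: rogue, public, lan or unknown."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in DNSCHANGER_RANGES):
        return "rogue"
    if str(ip) in KNOWN_PUBLIC:
        return "public"
    if ip.is_private or ip.is_loopback:
        return "lan"
    return "unknown"  # not expected anywhere: look it up by hand


def parse_o17(log_text):
    """Yield (registry key, value name, [servers]) for every O17 entry."""
    for m in O17_RE.finditer(log_text):
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        yield m.group("key"), m.group("value"), servers


def audit(log_text):
    """Return ({server: verdict}, sorted list of rogue servers)."""
    verdicts = {}
    for _key, _value, servers in parse_o17(log_text):
        for server in servers:
            verdicts[server] = classify(server)
    rogue = sorted(s for s, v in verdicts.items() if v == "rogue")
    return verdicts, rogue


if __name__ == "__main__":
    verdicts, rogue = audit(SAMPLE_LOG)
    for server, verdict in verdicts.items():
        print(f"{server:<16} {verdict}")
    if rogue:
        print("rogue resolvers configured:", ", ".join(rogue))
```

A clean O17 line on the host does not clear the network: when the malware rewrote the router, every client sees only the router's LAN address as its DHCP resolver, which this check reports as "lan". The same classification should be run against the upstream DNS addresses shown in the router's own status page after the reset the reply describes.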
#3
Posted 07 January 2009 - 05:13 PM
Malwarebytes' Anti-Malware 1.32
Database version: 1625
Windows 5.1.2600 Service Pack 3

1/7/2009 2:42:03 AM
mbam-log-2009-01-07 (02-42-03).txt

Scan type: Full Scan (C:\|)
Objects scanned: 177340
Time elapsed: 1 hour(s), 48 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 6

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Spyware.Passwords) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\jbisbee\Local Settings\Temp\tmp38.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msqpdxrumqwwyl.dll (Trojan.TDSS) -> Delete on reboot.
C:\autorun.inf (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxpkhasxwp.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Spyware.Passwords) -> Delete on reboot.
Edited by JeffreyB, 07 January 2009 - 05:14 PM.
#4
Posted 07 January 2009 - 05:34 PM
Download the GMER Rootkit Scanner. Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
- Click NO
- In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
- Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
- Click OK.
- GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
- Save it where you can easily find it, such as your desktop.
#5
Posted 07 January 2009 - 06:10 PM
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-07 19:07:27
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT spmg.sys ZwCreateKey [0xB9EAB0E0]
SSDT spmg.sys ZwEnumerateKey [0xB9EC8CA2]
SSDT spmg.sys ZwEnumerateValueKey [0xB9EC9030]
SSDT spmg.sys ZwOpenKey [0xB9EAB0C0]
SSDT spmg.sys ZwQueryKey [0xB9EC9108]
SSDT spmg.sys ZwQueryValueKey [0xB9EC8F88]
SSDT spmg.sys ZwSetValueKey [0xB9EC919A]

INT 0x62 ? 8AF89BF8
INT 0x63 ? 8AF17BF8
INT 0x84 ? 8A4E8BF8
INT 0x94 ? 8A4E8BF8
INT 0xA4 ? 8A4E8BF8
INT 0xB4 ? 8A4E8BF8

---- Kernel code sections - GMER 1.0.14 ----

? spmg.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B88B58AC 5 Bytes JMP 8A4E81D8

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EAC040] spmg.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EAC13C] spmg.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EAC0BE] spmg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EAC7FC] spmg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EAC6D2] spmg.sys

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[1604] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003D2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[1604] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003D2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[1604] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003D2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[1604] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003D2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[3296] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C52F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[3296] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C52CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[3296] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C52D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[3296] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C52CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\jbisbee\Desktop\gmer.exe[3404] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00392F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\jbisbee\Desktop\gmer.exe[3404] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00392CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\jbisbee\Desktop\gmer.exe[3404] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00392D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\jbisbee\Desktop\gmer.exe[3404] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00392CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[3620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003E2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[3620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003E2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[3620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003E2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[3620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003E2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3676] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00B12F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3676] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00B12CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3676] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00B12D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3676] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00B12CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00392F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00392CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00392D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00392CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Java\jre6\bin\jusched.exe[3840] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C22F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Java\jre6\bin\jusched.exe[3840] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C22CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Java\jre6\bin\jusched.exe[3840] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C22D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Java\jre6\bin\jusched.exe[3840] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C22CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[3868] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A92F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[3868] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A92CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[3868] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A92D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[3868] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A92CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\stsystra.exe[3948] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A92F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\stsystra.exe[3948] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A92CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\stsystra.exe[3948] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A92D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\stsystra.exe[3948] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A92CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[4008] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009F2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[4008] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009F2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[4008] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009F2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[4008] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009F2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Windows Media Player\WMPNSCFG.exe[4020] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A12F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Windows Media Player\WMPNSCFG.exe[4020] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A12CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Windows Media Player\WMPNSCFG.exe[4020] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A12D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Windows Media Player\WMPNSCFG.exe[4020] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A12CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[4032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00AB2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[4032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00AB2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[4032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00AB2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[4032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00AB2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8AF161F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{775968D3-1770-4F5D-8D1A-93BDB01F0A9E} 8A4BC500
Device \Driver\usbuhci \Device\USBPDO-0 8A4C91F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AF181F8
Device \Driver\dmio \Device\DmControl\DmConfig 8AF181F8
Device \Driver\dmio \Device\DmControl\DmPnP 8AF181F8
Device \Driver\dmio \Device\DmControl\DmInfo 8AF181F8
Device \Driver\usbehci \Device\USBPDO-1 8A4FF1F8
Device \Driver\usbuhci \Device\USBPDO-2 8A4C91F8
Device \Driver\usbuhci \Device\USBPDO-3 8A4C91F8
Device \Driver\usbuhci \Device\USBPDO-4 8A4C91F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AF8A1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8AF8A1F8
Device \Driver\Cdrom \Device\CdRom0 8A5021F8
Device \Driver\iastor \Device\Ide\iaStor0 8AF171F8
Device \Driver\iastor \Device\Ide\IAAStorageDevice-0 8AF171F8
Device \Driver\Cdrom \Device\CdRom1 8A5021F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8AF8A1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A4BC500
Device \Driver\NetBT \Device\NetbiosSmb 8A4BC500
Device \Driver\usbuhci \Device\USBFDO-0 8A4C91F8
Device \Driver\usbuhci \Device\USBFDO-1 8A4C91F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A33D500
Device \Driver\usbuhci \Device\USBFDO-2 8A4C91F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A33D500
Device \Driver\usbuhci \Device\USBFDO-3 8A4C91F8
Device \Driver\usbehci \Device\USBFDO-4 8A4FF1F8
Device \Driver\Ftdisk \Device\FtControl 8AF8A1F8
Device \FileSystem\Fastfat \Fat 8A4CA1F8
Device \FileSystem\Fastfat \Fat A4B75297
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs 89D53500

---- Services - GMER 1.0.14 ----

Service system32\drivers\msqpdxpkhasxwp.sys (*** hidden *** ) [SYSTEM] msqpdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxpkhasxwp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxserv \\?\globalroot\systemroot\system32\drivers\msqpdxpkhasxwp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxl \\?\globalroot\systemroot\system32\msqpdxrumqwwyl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x24 0x89 0xC8 0x3E ...
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxpkhasxwp.sys
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxserv \\?\globalroot\systemroot\system32\drivers\msqpdxpkhasxwp.sys
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxl \\?\globalroot\systemroot\system32\msqpdxrumqwwyl.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x24 0x89 0xC8 0x3E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x24 0x89 0xC8 0x3E ...

---- Files - GMER 1.0.14 ----

File C:\Documents and Settings\jbisbee\Local Settings\Temp\Temporary Directory 1 for eclipse-SDK-3.2.2-win32.zip\eclipse\plugins\org.eclipse.platform.source_3.2.2.r322_v20070119-RQghndJN8IM0MsK\src\org.eclipse.ui.views.properties.tabbed_3.2.1.M20060830-0800\schema\propertySections.ex 7434 bytes

---- EOF - GMER 1.0.14 ----
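The two logs in this thread tell a story worth reading side by side. The Malwarebytes scan at 2:42 AM reported msqpdxpkhasxwp.sys "Quarantined and deleted successfully" and msqpdxrumqwwyl.dll "Delete on reboot"; the GMER scan that evening still lists a hidden service, msqpdxserv.sys, whose imagepath and modules values point at exactly those two files, in both CurrentControlSet and ControlSet002. That is why the helper moved from MBAM to GMER and then to ComboFix rather than declaring the machine clean. The script below is an added example, not code from the thread or from GMER, Malwarebytes or ComboFix: it splits a GMER log into its sections, pulls every file the registry ties to a hidden service, groups SSDT hooks by the driver that owns them (listed for a human to judge; the post #4 warning about false positives applies and nothing here decides what is malicious), and then checks which of the rootkit's files an earlier MBAM log claimed to have handled. The two sample logs are trimmed copies of the ones posted above.

```python
"""Cross-check a GMER rootkit scan against an earlier Malwarebytes log.

Added example, not part of the original thread. Extracts hidden services
and their files from GMER output, groups SSDT hooks per driver, and
reports which rootkit files MBAM said it had already dealt with.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
SSDT_RE = re.compile(r"^SSDT (?P<driver>\S+) (?P<func>Zw\w+)")
HIDDEN_SVC_RE = re.compile(
    r"^Service (?P<image>\S+) \(\*\*\* hidden \*\*\* \) \[(?P<start>[A-Z]+)\] (?P<name>\S+)")
# Reg HKLM\SYSTEM\<control set>\Services\<service>[\subkey...]@<value> <data>
REG_RE = re.compile(
    r"^Reg HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<svc>[^\\@]+)"
    r"(?P<sub>(?:\\[^\\@]+)*)@(?P<val>\S+) ?(?P<data>.*)$")
# C:\path\file.ext (Family.Name) -> Action taken.
MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[\w.]+)\) -> (?P<action>.+?)\.?$")

# Trimmed copy of the GMER log posted in this thread (constructed sample).
SAMPLE_GMER = r"""GMER 1.0.14.14536 - http://www.gmer.net

---- System - GMER 1.0.14 ----

SSDT spmg.sys ZwCreateKey [0xB9EAB0E0]
SSDT spmg.sys ZwOpenKey [0xB9EAB0C0]

---- Services - GMER 1.0.14 ----

Service system32\drivers\msqpdxpkhasxwp.sys (*** hidden *** ) [SYSTEM] msqpdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxpkhasxwp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxserv \\?\globalroot\systemroot\system32\drivers\msqpdxpkhasxwp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxl \\?\globalroot\systemroot\system32\msqpdxrumqwwyl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxpkhasxwp.sys

---- EOF - GMER 1.0.14 ----
"""

# Trimmed copy of the Malwarebytes log posted in this thread (constructed sample).
SAMPLE_MBAM = r"""Files Infected:
C:\WINDOWS\system32\msqpdxrumqwwyl.dll (Trojan.TDSS) -> Delete on reboot.
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxpkhasxwp.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""


def split_sections(text):
    """Map each '---- Name - GMER ----' header to the non-empty lines under it."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
        elif current and line.strip():
            sections[current].append(line.rstrip())
    return sections


def normalize(path):
    """Drop the \\?\globalroot prefix GMER prints so the same file compares equal."""
    p = path.lower()
    prefix = r"\\?\globalroot"
    return p[len(prefix):] if p.startswith(prefix) else p


def ssdt_hooks_by_driver(sections):
    """{driver: [hooked Zw* functions]} for the System section."""
    hooks = defaultdict(list)
    for line in sections.get("System", []):
        m = SSDT_RE.match(line)
        if m:
            hooks[m.group("driver")].append(m.group("func"))
    return dict(hooks)


def hidden_services(sections):
    """Services GMER flags as hidden, with every file the registry ties to them."""
    found = {}
    for line in sections.get("Services", []):
        m = HIDDEN_SVC_RE.match(line)
        if m:
            found[m.group("name")] = {"image": normalize(m.group("image")), "start": m.group("start"),
                                     "files": set(), "control_sets": set()}
    for line in sections.get("Registry", []):
        m = REG_RE.match(line)
        if not m or m.group("svc") not in found:
            continue
        entry = found[m.group("svc")]
        entry["control_sets"].add(m.group("cs"))
        if m.group("val") == "imagepath" or m.group("sub").lower() == r"\modules":
            entry["files"].add(normalize(m.group("data")))
    return found


def mbam_detections(text):
    """{lower-cased path: (family, action)} for each detection line in an MBAM log."""
    hits = {}
    for line in text.splitlines():
        m = MBAM_RE.match(line.strip())
        if m:
            hits[m.group("path").lower()] = (m.group("family"), m.group("action"))
    return hits


def still_present(gmer_text, mbam_text):
    """{file name: (service, family, MBAM action)} for rootkit files MBAM already reported."""
    hidden = hidden_services(split_sections(gmer_text))
    mbam = mbam_detections(mbam_text)
    overlap = {}
    for svc, entry in hidden.items():
        for f in entry["files"]:
            name = f.rsplit("\\", 1)[-1]
            for path, (family, action) in mbam.items():
                if path.endswith("\\" + name):
                    overlap[name] = (svc, family, action)
    return overlap


if __name__ == "__main__":
    sections = split_sections(SAMPLE_GMER)
    for driver, funcs in ssdt_hooks_by_driver(sections).items():
        print(f"SSDT hooks owned by {driver}: {', '.join(funcs)}")
    for name, info in hidden_services(sections).items():
        print(f"hidden service {name} (start={info['start']}) in {sorted(info['control_sets'])}")
        for f in sorted(info["files"]):
            print("   ", f)
    for fname, (svc, family, action) in still_present(SAMPLE_GMER, SAMPLE_MBAM).items():
        print(f"{fname}: MBAM said '{action}' ({family}), GMER still ties it to {svc}")
```

The point of the overlap check is the one the thread demonstrates: a user-mode scanner reporting a driver file as removed is not evidence that the kernel-mode component is gone, and a service that is hidden from the service API but present in the registry, in more than one control set, needs a tool that can see past the hooks before the machine is called clean.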
#6
Posted 07 January 2009 - 06:35 PM
Link 1
Link 2
Link 3
* IMPORTANT !!! Save ComboFix.exe to your Desktop
* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. If you are unsure of how to disable these programs, please refer to this page for details.
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply along with a fresh GMER log, taken after Combofix has run.
Note: If you are unsure about anything, a very good Combofix tutorial can be found here.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to join the fight against Malware? Click here to find out how.
Please do not PM me asking for support. Post on the forums instead
Please post the final results, good or bad. We like to know!
If you feel I have helped you and would like to make a small donation, please click here
#7
Posted 07 January 2009 - 07:17 PM
ComboFix 09-01-07.01 - jbisbee 2009-01-07 19:43:00.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2392 [GMT -5:00] Running from: c:\documents and settings\jbisbee\Desktop\ComboFix.exe AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\jbisbee\Application Data\FunWebProducts c:\documents and settings\jbisbee\Application Data\FunWebProducts\Data\jbisbee\avatar.dat c:\documents and settings\jbisbee\Application Data\FunWebProducts\Data\jbisbee\outfit.dat c:\documents and settings\jbisbee\Application Data\FunWebProducts\Data\jbisbee\register.dat c:\documents and settings\jbisbee\Application Data\FunWebProducts\Data\jbisbee\zbucks.dat . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_NPF ((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 ))))))))))))))))))))))))))))))) . 2009-01-07 18:51 . 2009-01-07 18:52 250 --a------ c:\windows\gmer.ini 2009-01-06 23:25 . 2009-01-06 23:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-01-06 23:25 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-06 23:25 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-01-06 22:34 . 2009-01-07 06:45 <DIR> d--h----- C:\$AVG8.VAULT$ 2009-01-06 22:27 . 2009-01-06 22:27 10,520 --a------ c:\windows\system32\avgrsstx.dll 2009-01-06 22:26 . 2009-01-07 18:48 <DIR> d-------- c:\windows\system32\drivers\Avg 2009-01-06 22:26 . 2009-01-06 22:26 <DIR> d-------- c:\program files\AVG 2009-01-06 22:26 . 2009-01-06 22:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8 2009-01-06 22:26 . 2009-01-06 22:26 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys 2009-01-06 20:48 . 
2009-01-06 20:48 <DIR> d-------- c:\program files\ERUNT 2009-01-06 18:57 . 2009-01-06 18:57 <DIR> d-------- c:\program files\Trend Micro 2009-01-06 00:42 . 2009-01-06 00:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Drivers Headquarters 2009-01-06 00:18 . 2009-01-06 00:20 2,444 --a------ C:\autorun.PNF 2009-01-05 23:54 . 2009-01-05 23:54 <DIR> d-------- C:\IBMTOOLS 2009-01-05 23:23 . 2009-01-05 23:23 <DIR> d--h----- c:\windows\system32\GroupPolicy 2009-01-05 22:57 . 2009-01-05 22:57 <DIR> d-------- c:\program files\WinDirStat 2009-01-04 06:38 . 2009-01-04 06:39 <DIR> d-------- c:\documents and settings\jbisbee\Application Data\Quicken 2009-01-03 23:34 . 2009-01-04 00:10 <DIR> d-------- c:\documents and settings\jbisbee\Application Data\vlc 2009-01-03 22:22 . 2009-01-03 22:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\SpinTop Games 2009-01-03 10:41 . 2008-11-11 16:32 3,523,872 --a------ c:\windows\system32\cdintf300.dll 2009-01-03 10:41 . 2008-11-11 16:32 1,848,608 --a------ c:\windows\system32\acXMLParser.dll 2009-01-02 14:52 . 2009-01-02 14:52 98,304 --a------ c:\windows\system32\CmdLineExt.dll 2009-01-02 14:19 . 2009-01-02 14:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hot Lava Games 2009-01-02 06:45 . 2009-01-02 06:46 <DIR> d-------- c:\documents and settings\jbisbee\Application Data\The Longest Journey Demo 2009-01-01 23:01 . 2009-01-01 23:09 <DIR> d-------- c:\documents and settings\jbisbee\Application Data\Mount&Blade 2009-01-01 22:26 . 2009-01-06 21:57 79 --a------ c:\windows\popcinfot.dat 2008-12-31 09:16 . 2008-12-31 09:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\2DBoy 2008-12-31 08:59 . 2009-01-07 19:48 <DIR> d-------- c:\program files\Steam 2008-12-30 22:17 . 2008-12-30 22:17 <DIR> d-------- c:\documents and settings\jbisbee\Application Data\ATI 2008-12-30 22:17 . 
2008-12-30 22:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI 2008-12-29 20:32 . 2008-12-29 21:26 <DIR> d-------- c:\program files\CDisplayEx 2008-12-28 22:21 . 2008-12-28 22:21 <DIR> d-------- c:\documents and settings\jbisbee\Application Data\Amphetype 2008-12-26 17:31 . 2005-08-18 11:44 49,867 --a------ c:\windows\system32\drivers\mardp2k.sys 2008-12-26 17:31 . 2005-08-18 11:44 49,484 --a------ c:\windows\system32\drivers\MARDPNP.SYS 2008-12-26 17:31 . 2007-02-02 16:57 49,377 --a------ c:\windows\system32\drivers\mamotou.sys 2008-12-26 17:31 . 2007-01-16 11:46 25,302 --a------ c:\windows\system32\drivers\MaVctrl.sys 2008-12-26 17:31 . 2007-01-16 11:44 11,986 --a------ c:\windows\system32\drivers\MaVc2K.sys 2008-12-26 17:30 . 2008-12-26 17:30 <DIR> d-------- c:\windows\Application Data 2008-12-25 18:36 . 2008-12-25 18:36 <DIR> d-------- c:\program files\DIFX 2008-12-25 18:36 . 2008-11-25 12:39 18,560 --a------ c:\windows\system32\drivers\FlyUsb.sys 2008-12-25 18:35 . 2008-12-25 18:35 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2008-12-25 18:35 . 2008-12-25 18:35 110 --a------ c:\windows\{CF055C57-A988-42E6-BDAF-E3D94C6973A8}_WiseFW.ini 2008-12-25 18:34 . 2008-12-25 18:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Leapfrog 2008-12-25 18:33 . 2008-12-25 18:35 <DIR> d-------- c:\program files\LeapFrog 2008-12-22 21:10 . 2008-12-22 21:11 <DIR> d-------- c:\documents and settings\jbisbee\temp 2008-12-15 08:56 . 2008-12-30 22:54 <DIR> d-------- c:\program files\AviSynth 2.5 2008-12-12 16:47 . 2008-12-12 16:47 3,751,995 --a------ c:\windows\system32\GPhotos.scr 2008-12-12 14:03 . 2008-12-29 21:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! 2008-12-12 07:06 . 2008-12-12 07:06 <DIR> d-------- c:\program files\Common Files\Adobe AIR 2008-12-12 06:44 . 2008-12-12 06:44 <DIR> d-------- c:\documents and settings\jbisbee\Application Data\gnupg 2008-12-12 06:44 . 
2008-12-12 07:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Appupdater 2008-12-12 06:42 . 2008-12-30 22:53 <DIR> d-------- c:\program files\AppSnap 2008-12-12 06:42 . 2008-12-12 06:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\AppSnap 2008-12-12 06:40 . 2008-12-12 06:40 <DIR> d-------- c:\program files\GNU 2008-12-12 06:40 . 2008-12-12 06:40 <DIR> d-------- c:\documents and settings\LocalService\Application Data\gnupg 2008-12-12 06:40 . 2008-12-30 20:31 <DIR> d-------- c:\documents and settings\All Users\Appupdater 2008-12-12 06:37 . 2008-12-30 22:54 <DIR> d-------- c:\program files\Puchisoft 2008-12-12 06:37 . 2008-12-12 06:38 <DIR> d-------- c:\documents and settings\jbisbee\Application Data\PuchisoftDispatcher . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-08 00:45 0 ----a-w c:\windows\system32\drivers\lvuvc.hs 2009-01-08 00:45 0 ----a-w c:\windows\system32\drivers\logiflt.iad 2009-01-07 23:51 --------- d-----w c:\documents and settings\jbisbee\Application Data\uTorrent 2009-01-07 23:40 --------- d-----w c:\program files\PeerGuardian2 2009-01-07 23:24 --------- d-----w c:\documents and settings\jbisbee\Application Data\Skype 2009-01-07 22:13 --------- d-----w c:\documents and settings\jbisbee\Application Data\skypePM 2009-01-07 22:11 --------- d-----w c:\documents and settings\jbisbee\Application Data\Dropbox 2009-01-07 00:03 --------- d-----w c:\program files\VMware 2009-01-06 14:10 --------- d-----w c:\documents and settings\NetworkService\Application Data\VMware 2009-01-06 14:10 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware 2009-01-06 14:09 --------- d-----w c:\documents and settings\All Users\Application Data\VMware 2009-01-06 13:46 --------- d-----w c:\documents and settings\jbisbee\Application Data\.purple 2009-01-06 05:46 --------- d--h--w c:\program files\InstallShield Installation Information 
2009-01-03 15:41 --------- d-----w c:\program files\Quicken 2008-12-31 04:50 --------- d-----w c:\program files\SystemRequirementsLab 2008-12-31 04:50 --------- d-----w c:\documents and settings\jbisbee\Application Data\SystemRequirementsLab 2008-12-31 04:30 --------- d-----w c:\program files\Intel 2008-12-31 03:55 --------- d-----w c:\program files\Opera 9.5 beta 2008-12-31 03:55 --------- d-----w c:\program files\Opera 2008-12-31 03:55 --------- d-----w c:\documents and settings\jbisbee\Application Data\Move Networks 2008-12-31 03:13 --------- d-----w c:\program files\ATI Technologies 2008-12-30 14:41 --------- d-----w c:\program files\Dropbox 2008-12-30 02:16 --------- d-----w c:\program files\Yahoo! 2008-12-24 15:47 --------- d-----w c:\program files\Pidgin 2008-12-16 13:58 --------- d-----w c:\program files\Java 2008-12-15 14:20 --------- d-----w c:\documents and settings\jbisbee\Application Data\dvdcss 2008-12-12 12:04 --------- d-----w c:\program files\Common Files\Adobe 2008-12-12 11:56 --------- d-----w c:\program files\PuTTY 2008-12-12 11:55 --------- d-----w c:\program files\MSECache 2008-12-07 14:56 --------- d-----w c:\documents and settings\jbisbee\Application Data\VMware 2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\drivers\ati2mtag.sys 2008-12-01 19:51 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll 2008-11-26 13:25 --------- d-----w c:\documents and settings\jbisbee\Application Data\Malwarebytes 2008-11-26 13:25 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes 2008-11-23 21:31 --------- d-----w c:\program files\CyberLink 2008-11-23 21:19 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft 2008-11-22 21:24 --------- d-----w c:\program files\Spybot - Search & Destroy 2008-11-22 21:13 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-11-22 20:27 --------- d-----w c:\program files\Apple Software Update 2008-11-22 02:12 
--------- d-----w c:\program files\iTunes 2008-11-22 02:12 --------- d-----w c:\program files\iPod 2008-11-22 02:12 --------- d-----w c:\program files\Common Files\Apple 2008-11-22 01:53 --------- d-----w c:\program files\QuickTime 2008-11-21 02:59 --------- d-----w c:\program files\Bonjour 2008-11-21 02:22 --------- d-----w c:\program files\Safari 2008-11-17 00:56 --------- d-----w c:\program files\PokerStars 2008-11-11 13:21 --------- d-----w c:\program files\Skype 2008-11-08 12:20 --------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant 2008-08-29 12:16 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082920080830\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2008-09-07 02:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2008-09-07 02:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2008-09-07 02:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 
204288] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296] "Steam"="c:\program files\Steam\Steam.exe" [2008-12-31 1410296] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600] "Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-06 1261336] "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe] c:\documents and settings\jbisbee\Start Menu\Programs\Startup\ Dropbox.lnk - c:\program files\Dropbox\dropbox.exe [2008-09-26 24096981] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=avgrsstx.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\XLink Kai Evolution 7\\kaiEngine.exe"= 
"c:\\cygwin\\usr\\X11R6\\bin\\XWin.exe"= "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"= "c:\\cygwin\\bin\\perl.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\WINDOWS\\system32\\java.exe"= "c:\\cygwin\\bin\\perl5.10.0.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\cygwin\\bin\\XWin.exe"= "c:\\Program Files\\Java\\jre6\\bin\\java.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-06 97928] R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-06 231704] R4 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe [2008-11-25 991232] R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-07-21 24652] S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-12-25 18560] S3 MTK;Media Technology Kernel Driver;c:\windows\system32\Drivers\mtk.sys --> c:\windows\system32\Drivers\mtk.sys [?] S4 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2008-07-09 68096] . Contents of the 'Scheduled Tasks' folder 2009-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] . - - - - ORPHANS REMOVED - - - - HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe MSConfigStartUp-BDRegion - c:\program files\Cyberlink\Shared Files\brs.exe MSConfigStartUp-PDVD8LanguageShortcut - c:\program files\CyberLink\PowerDVD8\Language\Language.exe MSConfigStartUp-RemoteControl8 - c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe . 
------- Supplementary Scan ------- . uStart Page = hxxp://www.sportsline.com/mlb uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 TCP: {775968D3-1770-4F5D-8D1A-93BDB01F0A9E} = 4.2.2.1,4.2.2.2 FF - ProfilePath - c:\documents and settings\jbisbee\Application Data\Mozilla\Firefox\Profiles\8k77utin.default\ FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-07 19:46:50 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(816) c:\windows\system32\Ati2evxx.dll . ------------------------ Other Running Processes ------------------------ . 
c:\windows\system32\ati2evxx.exe c:\windows\system32\ati2evxx.exe c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe c:\windows\system32\HPZipm12.exe c:\program files\Windows Media Player\wmpnetwk.exe c:\program files\AVG\AVG8\avgrsx.exe c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe . ************************************************************************** . Completion time: 2009-01-07 19:57:05 - machine was rebooted [jbisbee] ComboFix-quarantined-files.txt 2009-01-08 00:57:02 Pre-Run: 42,723,471,360 bytes free Post-Run: 42,930,200,576 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect c:\wubildr.mbr="Ubuntu" 269 --- E O F --- 2008-12-18 08:01:41
#8
Posted 07 January 2009 - 07:18 PM
GMER 1.0.14.14536 - http://www.gmer.net Rootkit scan 2009-01-07 20:14:41 Windows 5.1.2600 Service Pack 3 ---- System - GMER 1.0.14 ---- SSDT spvk.sys ZwCreateKey [0xB9EAB0E0] SSDT spvk.sys ZwEnumerateKey [0xB9EC8CA2] SSDT spvk.sys ZwEnumerateValueKey [0xB9EC9030] SSDT spvk.sys ZwOpenKey [0xB9EAB0C0] SSDT spvk.sys ZwQueryKey [0xB9EC9108] SSDT spvk.sys ZwQueryValueKey [0xB9EC8F88] SSDT spvk.sys ZwSetValueKey [0xB9EC919A] INT 0x62 ? 8AF89BF8 INT 0x63 ? 8AF17BF8 INT 0x84 ? 8A4E2CE8 INT 0x94 ? 8A4E2CE8 INT 0xA4 ? 8A4E2CE8 INT 0xB4 ? 8A4E2CE8 ---- Kernel code sections - GMER 1.0.14 ---- ? spvk.sys The system cannot find the file specified. ! ? Combo-Fix.sys The system cannot find the file specified. ! .text USBPORT.SYS!DllUnload B84518AC 5 Bytes JMP 8A4E22C8 ? C:\ComboFix\catchme.sys The system cannot find the path specified. ! ? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. ! ---- Kernel IAT/EAT - GMER 1.0.14 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EAC040] spvk.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EAC13C] spvk.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EAC0BE] spvk.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EAC7FC] spvk.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EAC6D2] spvk.sys ---- User IAT/EAT - GMER 1.0.14 ---- IAT C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003E2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003E2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) 
IAT C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003E2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003E2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[552] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtCreateFile] [00802F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[552] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtDeviceIoControlFile] [00802CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[552] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtClose] [00802D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[552] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtDuplicateObject] [00802CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\Windows Media Player\WMPNSCFG.exe[628] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [008C2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\Windows Media Player\WMPNSCFG.exe[628] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [008C2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) 
IAT C:\Program Files\Windows Media Player\WMPNSCFG.exe[628] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [008C2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\Windows Media Player\WMPNSCFG.exe[628] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [008C2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\Dropbox\dropbox.exe[2384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003D2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\Dropbox\dropbox.exe[2384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003D2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\Dropbox\dropbox.exe[2384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003D2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\Dropbox\dropbox.exe[2384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003D2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009D2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009D2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) 
IAT C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009D2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009D2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3000] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00982F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3000] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00982CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3000] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00982D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3000] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00982CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\Java\jre6\bin\jusched.exe[3624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C12F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\Java\jre6\bin\jusched.exe[3624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C12CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) 
IAT C:\Program Files\Java\jre6\bin\jusched.exe[3624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C12D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\Java\jre6\bin\jusched.exe[3624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C12CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[3652] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A82F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[3652] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A82CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[3652] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A82D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[3652] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A82CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\WINDOWS\stsystra.exe[3844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A82F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) IAT C:\WINDOWS\stsystra.exe[3844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A82CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) 
IAT C:\WINDOWS\stsystra.exe[3844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A82D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\stsystra.exe[3844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A82CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\PROGRA~1\AVG\AVG8\avgtray.exe[3896] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00B62F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\PROGRA~1\AVG\AVG8\avgtray.exe[3896] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00B62CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\PROGRA~1\AVG\AVG8\avgtray.exe[3896] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00B62D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\PROGRA~1\AVG\AVG8\avgtray.exe[3896] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00B62CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[4076] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00512F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[4076] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00512CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[4076] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00512D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[4076] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00512CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[5248] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtCreateFile] [003E2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[5248] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtDeviceIoControlFile] [003E2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[5248] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtClose] [003E2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[5248] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtDuplicateObject] [003E2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\explorer.exe[7164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C32F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\explorer.exe[7164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C32CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\explorer.exe[7164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C32D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\explorer.exe[7164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C32CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\jbisbee\Desktop\gmer.exe[7360] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003A2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\jbisbee\Desktop\gmer.exe[7360] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003A2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\jbisbee\Desktop\gmer.exe[7360] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003A2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\jbisbee\Desktop\gmer.exe[7360] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003A2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\notepad.exe[8040] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009D2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\notepad.exe[8040] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009D2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\notepad.exe[8040] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009D2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\notepad.exe[8040] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009D2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8AF161F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{775968D3-1770-4F5D-8D1A-93BDB01F0A9E} 8A4001F8
Device \Driver\usbuhci \Device\USBPDO-0 8A4E91F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AF181F8
Device \Driver\dmio \Device\DmControl\DmConfig 8AF181F8
Device \Driver\dmio \Device\DmControl\DmPnP 8AF181F8
Device \Driver\dmio \Device\DmControl\DmInfo 8AF181F8
Device \Driver\usbehci \Device\USBPDO-1 8A4E81F8
Device \Driver\usbuhci \Device\USBPDO-2 8A4E91F8
Device \Driver\usbuhci \Device\USBPDO-3 8A4E91F8
Device \Driver\usbuhci \Device\USBPDO-4 8A4E91F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AF8A1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8AF8A1F8
Device \Driver\Cdrom \Device\CdRom0 8A5101F8
Device \Driver\iastor \Device\Ide\iaStor0 8AF171F8
Device \Driver\iastor \Device\Ide\IAAStorageDevice-0 8AF171F8
Device \Driver\Cdrom \Device\CdRom1 8A5101F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8AF8A1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A4001F8
Device \Driver\NetBT \Device\NetbiosSmb 8A4001F8
Device \Driver\usbuhci \Device\USBFDO-0 8A4E91F8
Device \Driver\usbuhci \Device\USBFDO-1 8A4E91F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89E09500
Device \Driver\usbuhci \Device\USBFDO-2 8A4E91F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89E09500
Device \Driver\usbuhci \Device\USBFDO-3 8A4E91F8
Device \Driver\usbehci \Device\USBFDO-4 8A4E81F8
Device \Driver\Ftdisk \Device\FtControl 8AF8A1F8
Device \FileSystem\Fastfat \Fat 8A4E01F8
Device \FileSystem\Fastfat \Fat A2280297
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs 8A3D6470

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x24 0x89 0xC8 0x3E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x24 0x89 0xC8 0x3E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x24 0x89 0xC8 0x3E ...

---- EOF - GMER 1.0.14 ----
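As an added triage aid (example code, not part of the thread or of GMER): a small Python script that parses GMER "IAT" hook lines like the ones in the log above, even when a forum post has run several entries together on one line, groups the hooks by the module that installed them, and lists any hooking module for which GMER printed no description/company string. It assumes GMER's line shape "IAT process[pid] @ module [dll!function] [address] hooker (description)" and that the trailing parenthesised description is absent when GMER has none to show; the sample input is constructed from two entries above plus one invented placeholder module.

```python
"""Triage helper for GMER 'IAT' hook entries (added example, not GMER's own code)."""
import re
from collections import defaultdict

# One GMER IAT entry (shape inferred from the log above):
#   IAT <process>[<pid>] @ <imported module> [<dll!function>] [<address>] <hooking module> (<description>)
# The "(description)" tail is assumed to be absent when GMER has no version info to show.
IAT_RE = re.compile(
    r"^IAT (?P<process>.+?)\[(?P<pid>\d+)\] @ (?P<module>.+?) "
    r"\[(?P<function>[^\]]+)\] \[(?P<address>[0-9A-Fa-f]+)\] "
    r"(?P<hooker>.+?)(?: \((?P<description>.*)\))?$"
)

# Constructed sample: two entries copied from the log above plus one invented entry whose
# hooking module (PLACEHOLDER_unknown.dll) carries no description, all run together on one
# line the way the forum rendered the real log.
SAMPLE = (
    r"IAT C:\WINDOWS\stsystra.exe[3844] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A82D00] "
    r"C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) "
    r"IAT C:\WINDOWS\system32\ctfmon.exe[4076] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00512F30] "
    r"C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.) "
    r"IAT C:\WINDOWS\system32\notepad.exe[8040] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009D2D00] "
    r"C:\WINDOWS\system32\PLACEHOLDER_unknown.dll"
)


def split_entries(text):
    """Split a GMER log fragment into entries, one per 'IAT ...' record, even when a
    forum post has concatenated several records onto a single line."""
    parts = re.split(r"\s+(?=IAT )", text.strip())
    return [p.strip() for p in parts if p.strip().startswith("IAT ")]


def parse_iat_line(entry):
    """Return the fields of one IAT entry as a dict, or None for any other kind of line."""
    m = IAT_RE.match(entry.strip())
    return m.groupdict() if m else None


def summarize_hooks(entries):
    """Group entries by hooking module: which imports it patches, in which processes,
    and the description GMER attached to it (None when there was none)."""
    summary = defaultdict(lambda: {"functions": set(), "processes": set(), "description": None})
    for entry in entries:
        fields = parse_iat_line(entry)
        if fields is None:
            continue  # section header or non-IAT line; skip it
        rec = summary[fields["hooker"]]
        rec["functions"].add(fields["function"])
        rec["processes"].add(f'{fields["process"]}[{fields["pid"]}]')
        rec["description"] = fields["description"]
    return dict(summary)


def undescribed_hookers(summary):
    """Hooking modules with no description/company string: the ones to check first
    (file origin, signature, reputation) before deciding whether a hook is benign."""
    return sorted(h for h, rec in summary.items() if not rec["description"])


def triage(text):
    """Parse a GMER fragment and return (per-hooker summary, undescribed hooker paths)."""
    summary = summarize_hooks(split_entries(text))
    return summary, undescribed_hookers(summary)


if __name__ == "__main__":
    summary, suspects = triage(SAMPLE)
    for hooker, rec in summary.items():
        print(hooker)
        print("  hooks:", sorted(rec["functions"]))
        print("  in", len(rec["processes"]), "process(es); description:", repr(rec["description"]))
    print("hooking modules without a description:", suspects)
```

Run it against a complete GMER log instead of SAMPLE to see every hooking module and the set of imports it patches across all processes.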
#9
Posted 07 January 2009 - 07:55 PM
uTorrent
Viewpoint (anything with Viewpoint in the name)
- Go to Start then Settings, then Control Panel
- Choose Add or Remove Programs
- Remove all of the above
I would like you to upload a file to be scanned
- Please go to VirSCAN.org
- Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:
- c:\windows\system32\drivers\mardp2k.sys
- Click on the Upload button
- Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
- Open Notepad and paste the contents into a new Notepad file using Ctrl and V at the same time.
- Save the notepad file to your desktop as VirScan.txt and copy the contents into your next reply.
1. Please open Notepad
- Click Start , then Run
- Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::
c:\windows\popcinfot.dat
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\drivers\logiflt.iad
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the Combofix.txt report into your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Please run an online scan with Kaspersky WebScanner.
Note: You must use Internet Explorer to run this scan, and you must disable your Anti Virus program during the scan.
Click the Accept button.
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings, make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Scan Options:
Scan Mail Bases - Click OK
- Now under select a target to scan: Select My Computer
- The program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display the results if your system has been infected.
- Now click on the View scan report link:
- Click the Save report as button
- Under Save as type, choose Text file (*.txt)
- Save the file to your desktop as Kaspersky.txt
- Copy and paste that information in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to join the fight against Malware? Click here to find out how.
Please do not PM me asking for support. Post on the forums instead
Please post the final results, good or bad. We like to know!
If you feel I have helped you and would like to make a small donation, please click here
#10
Posted 08 January 2009 - 05:40 AM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
VirScan of mardp2k.sys
VirSCAN.org Scanned Report :
Scanned time : 2009/01/07 21:08:17 (EST)
Scanner results: All Scanners reported not find malware!
File Name : mardp2k.sys
File Size : 49867 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : b51e7eab4baf13b492aa3299bcf52a35
SHA1 : 849f2ae00c3601dc855b10ea9c3f2d5e3e9b24ed
Online report : http://virscan.org/report/447ee03cc43c78f389829c9b04f29b51.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.29 20090107203418 2009-01-07 2.44 -
AhnLab V3 2009.01.08.00 2009.01.08 2009-01-08 1.86 -
AntiVir 7.9.0.45 7.1.1.80 2009-01-07 1.73 -
Antiy 2.0.18 20090105.1950502 2009-01-05 0.02 -
Authentium 5.1.1 200901071754 2009-01-07 1.07 -
AVAST! 3.0.1 090107-0 2009-01-07 0.01 -
AVG 7.5.52.442 270.10.5/1881 2009-01-07 1.81 -
BitDefender 7.81008.2413034 7.23029 2009-01-08 2.20 -
CA (VET) 9.0.0.143 31.6.6296 2009-01-07 6.84 -
ClamAV 0.94.2 8842 2009-01-07 0.02 -
Comodo 3.0 891 2009-01-07 0.98 -
CP Secure 1.1.0.715 2009.01.08 2009-01-08 6.42 -
Dr.Web 4.44.0.9170 2009.01.07 2009-01-07 3.80 -
ewido 4.0.0.2 2008.12.31 2008-12-31 3.62 -
F-Prot 4.4.4.56 20090107 2009-01-07 1.07 -
F-Secure 5.51.6100 2009.01.08.01 2009-01-08 4.13 -
Fortinet 2.81-3.117 9.901 2009-01-07 0.17 -
GData 19.2319/19.176 20090108 2009-01-08 2.91 -
ViRobot 20090107 2009.01.07 2009-01-07 0.41 -
Ikarus T3.1.01.45 2009.01.07.72114 2009-01-07 3.60 -
JiangMin 11.0.706 2009.01.07 2009-01-07 1.53 -
Kaspersky 5.5.10 2009.01.07 2009-01-07 0.04 -
KingSoft 2008.9.8.18 2009.1.8.10 2009-01-08 0.62 -
McAfee 5.3.00 5488 2009-01-07 2.84 -
Microsoft 1.4205 2009.01.07 2009-01-07 4.12 -
mks_vir 2.01 2009.01.08 2009-01-08 2.69 -
Norman 5.93.01 5.93.00 2009-01-05 6.05 -
Panda 9.05.01 2009.01.07 2009-01-07 2.37 -
Trend Micro 8.700-1004 5.754.05 2009-01-07 0.03 -
Quick Heal 10.00 2009.01.06 2009-01-06 0.87 -
Rising 20.0 21.11.22.00 2009-01-07 0.78 -
Sophos 2.82.1 4.37 2009-01-08 2.06 -
Sunbelt 4755 4755 2008-12-22 0.57 -
Symantec 1.3.0.24 20090107.002 2009-01-07 0.22 -
nProtect 20090107.01 2850296 2009-01-07 3.33 -
The Hacker 6.3.1.2 v00212 2009-01-07 0.48 -
VBA32 3.12.8.10 20090107.1010 2009-01-07 1.53 -
VirusBuster 4.5.11.10 10.100.18/762229 2009-01-07 1.00 -
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ran ComboFix
ComboFix 09-01-07.01 - jbisbee 2009-01-07 21:15:23.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2319 [GMT -5:00] Running from: c:\documents and settings\jbisbee\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\jbisbee\Desktop\CFScript.txt AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) * Created a new restore point FILE :: c:\windows\popcinfot.dat c:\windows\system32\drivers\logiflt.iad c:\windows\system32\drivers\lvuvc.hs . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\popcinfot.dat c:\windows\system32\drivers\logiflt.iad c:\windows\system32\drivers\lvuvc.hs . ((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 ))))))))))))))))))))))))))))))) . 2009-01-07 18:51 . 2009-01-07 19:58 250 --a------ c:\windows\gmer.ini 2009-01-06 23:25 . 2009-01-06 23:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-01-06 23:25 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-06 23:25 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-01-06 22:34 . 2009-01-07 06:45 <DIR> d--h----- C:\$AVG8.VAULT$ 2009-01-06 22:27 . 2009-01-06 22:27 10,520 --a------ c:\windows\system32\avgrsstx.dll 2009-01-06 22:26 . 2009-01-07 18:48 <DIR> d-------- c:\windows\system32\drivers\Avg 2009-01-06 22:26 . 2009-01-06 22:26 <DIR> d-------- c:\program files\AVG 2009-01-06 22:26 . 2009-01-06 22:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8 2009-01-06 22:26 . 2009-01-06 22:26 .97,928 --a------ c:\windows\system32\drivers\avgldx86.sys 2009-01-06 20:48 . 2009-01-06 20:48 <DIR> d-------- c:\program files\ERUNT 2009-01-06 18:57 . 2009-01-06 18:57 <DIR> d-------- c:\program files\Trend Micro 2009-01-06 00:42 . 2009-01-06 00:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Drivers Headquarters 2009-01-06 00:18 . 
2009-01-06 00:20 2,444 --a------ C:\autorun.PNF 2009-01-05 23:54 . 2009-01-05 23:54 <DIR> d-------- C:\IBMTOOLS 2009-01-05 23:23 . 2009-01-05 23:23 <DIR> d--h----- c:\windows\system32\GroupPolicy 2009-01-05 22:57 . 2009-01-05 22:57 <DIR> d-------- c:\program files\WinDirStat 2009-01-04 06:38 . 2009-01-04 06:39 <DIR> d-------- c:\documents and settings\jbisbee\Application Data\Quicken 2009-01-03 23:34 . 2009-01-04 00:10 <DIR> d-------- c:\documents and settings\jbisbee\Application Data\vlc 2009-01-03 22:22 . 2009-01-03 22:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\SpinTop Games 2009-01-03 10:41 . 2008-11-11 16:32 3,523,872 --a------ c:\windows\system32\cdintf300.dll 2009-01-03 10:41 . 2008-11-11 16:32 1,848,608 --a------ c:\windows\system32\acXMLParser.dll 2009-01-02 14:52 . 2009-01-02 14:52 98,304 --a------ c:\windows\system32\CmdLineExt.dll 2009-01-02 14:19 . 2009-01-02 14:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hot Lava Games 2009-01-02 06:45 . 2009-01-02 06:46 <DIR> d-------- c:\documents and settings\jbisbee\Application Data\The Longest Journey Demo 2009-01-01 23:01 . 2009-01-01 23:09 <DIR> d-------- c:\documents and settings\jbisbee\Application Data\Mount&Blade 2008-12-31 09:16 . 2008-12-31 09:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\2DBoy 2008-12-31 08:59 . 2009-01-07 19:48 <DIR> d-------- c:\program files\Steam 2008-12-30 22:17 . 2008-12-30 22:17 <DIR> d-------- c:\documents and settings\jbisbee\Application Data\ATI 2008-12-30 22:17 . 2008-12-30 22:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI 2008-12-29 20:32 . 2008-12-29 21:26 <DIR> d-------- c:\program files\CDisplayEx 2008-12-28 22:21 . 2008-12-28 22:21 <DIR> d-------- c:\documents and settings\jbisbee\Application Data\Amphetype 2008-12-26 17:31 . 2005-08-18 11:44 49,867 --a------ c:\windows\system32\drivers\mardp2k.sys 2008-12-26 17:31 . 
2005-08-18 11:44 49,484 --a------ c:\windows\system32\drivers\MARDPNP.SYS 2008-12-26 17:31 . 2007-02-02 16:57 49,377 --a------ c:\windows\system32\drivers\mamotou.sys 2008-12-26 17:31 . 2007-01-16 11:46 25,302 --a------ c:\windows\system32\drivers\MaVctrl.sys 2008-12-26 17:31 . 2007-01-16 11:44 11,986 --a------ c:\windows\system32\drivers\MaVc2K.sys 2008-12-26 17:30 . 2008-12-26 17:30 <DIR> d-------- c:\windows\Application Data 2008-12-25 18:36 . 2008-12-25 18:36 <DIR> d-------- c:\program files\DIFX 2008-12-25 18:36 . 2008-11-25 12:39 18,560 --a------ c:\windows\system32\drivers\FlyUsb.sys 2008-12-25 18:35 . 2008-12-25 18:35 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2008-12-25 18:35 . 2008-12-25 18:35 110 --a------ c:\windows\{CF055C57-A988-42E6-BDAF-E3D94C6973A8}_WiseFW.ini 2008-12-25 18:34 . 2008-12-25 18:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Leapfrog 2008-12-25 18:33 . 2008-12-25 18:35 <DIR> d-------- c:\program files\LeapFrog 2008-12-22 21:10 . 2008-12-22 21:11 <DIR> d-------- c:\documents and settings\jbisbee\temp 2008-12-15 08:56 . 2008-12-30 22:54 <DIR> d-------- c:\program files\AviSynth 2.5 2008-12-12 16:47 . 2008-12-12 16:47 3,751,995 --a------ c:\windows\system32\GPhotos.scr 2008-12-12 14:03 . 2008-12-29 21:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! 2008-12-12 07:06 . 2008-12-12 07:06 <DIR> d-------- c:\program files\Common Files\Adobe AIR 2008-12-12 06:44 . 2008-12-12 06:44 <DIR> d-------- c:\documents and settings\jbisbee\Application Data\gnupg 2008-12-12 06:44 . 2008-12-12 07:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Appupdater 2008-12-12 06:42 . 2008-12-30 22:53 <DIR> d-------- c:\program files\AppSnap 2008-12-12 06:42 . 2008-12-12 06:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\AppSnap 2008-12-12 06:40 . 2008-12-12 06:40 <DIR> d-------- c:\program files\GNU 2008-12-12 06:40 . 
2008-12-12 06:40 <DIR> d-------- c:\documents and settings\LocalService\Application Data\gnupg 2008-12-12 06:40 . 2008-12-30 20:31 <DIR> d-------- c:\documents and settings\All Users\Appupdater 2008-12-12 06:37 . 2008-12-30 22:54 <DIR> d-------- c:\program files\Puchisoft 2008-12-12 06:37 . 2008-12-12 06:38 <DIR> d-------- c:\documents and settings\jbisbee\Application Data\PuchisoftDispatcher . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-08 02:01 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint 2009-01-08 00:50 --------- d-----w c:\documents and settings\jbisbee\Application Data\Dropbox 2009-01-07 23:51 --------- d-----w c:\documents and settings\jbisbee\Application Data\uTorrent 2009-01-07 23:40 --------- d-----w c:\program files\PeerGuardian2 2009-01-07 23:24 --------- d-----w c:\documents and settings\jbisbee\Application Data\Skype 2009-01-07 22:13 --------- d-----w c:\documents and settings\jbisbee\Application Data\skypePM 2009-01-07 00:03 --------- d-----w c:\program files\VMware 2009-01-06 14:10 --------- d-----w c:\documents and settings\NetworkService\Application Data\VMware 2009-01-06 14:10 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware 2009-01-06 14:09 --------- d-----w c:\documents and settings\All Users\Application Data\VMware 2009-01-06 13:46 --------- d-----w c:\documents and settings\jbisbee\Application Data\.purple 2009-01-06 05:46 --------- d--h--w c:\program files\InstallShield Installation Information 2009-01-03 15:41 --------- d-----w c:\program files\Quicken 2008-12-31 04:50 --------- d-----w c:\program files\SystemRequirementsLab 2008-12-31 04:50 --------- d-----w c:\documents and settings\jbisbee\Application Data\SystemRequirementsLab 2008-12-31 04:30 --------- d-----w c:\program files\Intel 2008-12-31 03:55 --------- d-----w c:\program files\Opera 9.5 beta 2008-12-31 03:55 --------- d-----w c:\program 
files\Opera 2008-12-31 03:55 --------- d-----w c:\documents and settings\jbisbee\Application Data\Move Networks 2008-12-31 03:13 --------- d-----w c:\program files\ATI Technologies 2008-12-30 14:41 --------- d-----w c:\program files\Dropbox 2008-12-30 02:16 --------- d-----w c:\program files\Yahoo! 2008-12-24 15:47 --------- d-----w c:\program files\Pidgin 2008-12-16 13:58 --------- d-----w c:\program files\Java 2008-12-15 14:20 --------- d-----w c:\documents and settings\jbisbee\Application Data\dvdcss 2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll 2008-12-12 12:04 --------- d-----w c:\program files\Common Files\Adobe 2008-12-12 11:56 --------- d-----w c:\program files\PuTTY 2008-12-12 11:55 --------- d-----w c:\program files\MSECache 2008-12-07 14:56 --------- d-----w c:\documents and settings\jbisbee\Application Data\VMware 2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\drivers\ati2mtag.sys 2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\dllcache\ati2mtag.sys 2008-12-01 20:52 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll 2008-12-01 20:51 318,464 ----a-w c:\windows\system32\ati2dvag.dll 2008-12-01 20:46 11,304,960 ----a-w c:\windows\system32\atioglxx.dll 2008-12-01 20:41 188,416 ----a-w c:\windows\system32\atipdlxx.dll 2008-12-01 20:40 43,520 ----a-w c:\windows\system32\ati2edxx.dll 2008-12-01 20:40 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe 2008-12-01 20:40 147,456 ----a-w c:\windows\system32\Oemdspif.dll 2008-12-01 20:40 143,360 ----a-w c:\windows\system32\ati2evxx.dll 2008-12-01 20:38 598,016 ----a-w c:\windows\system32\ati2evxx.exe 2008-12-01 20:37 53,248 ----a-w c:\windows\system32\ATIDDC.DLL 2008-12-01 20:27 4,120,384 ----a-w c:\windows\system32\ati3duag.dll 2008-12-01 20:19 307,200 ----a-w c:\windows\system32\atiiiexx.dll 2008-12-01 20:11 2,495,360 ----a-w c:\windows\system32\ativvaxx.dll 2008-12-01 19:57 48,640 ----a-w c:\windows\system32\amdpcom32.dll 2008-12-01 19:53 45,056 ----a-w 
c:\windows\system32\amdcalrt.dll 2008-12-01 19:53 45,056 ----a-w c:\windows\system32\amdcalcl.dll 2008-12-01 19:53 401,408 ----a-w c:\windows\system32\atikvmag.dll 2008-12-01 19:52 86,016 ----a-w c:\windows\system32\atiadlxx.dll 2008-12-01 19:52 17,408 ----a-w c:\windows\system32\atitvo32.dll 2008-12-01 19:51 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll 2008-12-01 19:50 3,252,224 ----a-w c:\windows\system32\Amdcaldd.dll 2008-12-01 19:50 286,720 ----a-w c:\windows\system32\atiok3x2.dll 2008-12-01 19:45 577,536 ----a-w c:\windows\system32\ati2cqag.dll 2008-12-01 19:35 593,920 ------w c:\windows\system32\ati2sgag.exe 2008-11-26 13:25 --------- d-----w c:\documents and settings\jbisbee\Application Data\Malwarebytes 2008-11-26 13:25 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes 2008-11-23 21:31 --------- d-----w c:\program files\CyberLink 2008-11-23 21:19 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft 2008-11-22 21:24 --------- d-----w c:\program files\Spybot - Search & Destroy 2008-11-22 21:13 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-11-22 20:27 --------- d-----w c:\program files\Apple Software Update 2008-11-22 02:12 --------- d-----w c:\program files\iTunes 2008-11-22 02:12 --------- d-----w c:\program files\iPod 2008-11-22 02:12 --------- d-----w c:\program files\Common Files\Apple 2008-11-22 01:53 --------- d-----w c:\program files\QuickTime 2008-11-21 02:59 --------- d-----w c:\program files\Bonjour 2008-11-21 02:22 --------- d-----w c:\program files\Safari 2008-11-17 00:56 --------- d-----w c:\program files\PokerStars 2008-11-11 13:21 --------- d-----w c:\program files\Skype 2008-11-10 10:43 410,984 ----a-w c:\windows\system32\deploytk.dll 2008-11-08 12:20 --------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant 2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys 
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll 2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll 2008-10-21 18:51 118,784 ----a-w c:\windows\system32\atibrtmon.exe 2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll 2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll 2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll 2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll 2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll 2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll 2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll 2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll 2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll 2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll 2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe 2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe 2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll 2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll 2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll 2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll 2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll 2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe 2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe 2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll 2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe 2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll 2008-08-29 12:16 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082920080830\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2008-09-07 02:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2008-09-07 02:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2008-09-07 02:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296] "Steam"="c:\program files\Steam\Steam.exe" [2008-12-31 1410296] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600] "Monitor"="c:\program 
files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-06 1261336] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [BU] "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe] c:\documents and settings\jbisbee\Start Menu\Programs\Startup\ Dropbox.lnk - c:\program files\Dropbox\dropbox.exe [2008-09-26 24096981] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=avgrsstx.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\XLink Kai Evolution 7\\kaiEngine.exe"= "c:\\cygwin\\usr\\X11R6\\bin\\XWin.exe"= "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"= "c:\\cygwin\\bin\\perl.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\WINDOWS\\system32\\java.exe"= "c:\\cygwin\\bin\\perl5.10.0.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\cygwin\\bin\\XWin.exe"= "c:\\Program Files\\Java\\jre6\\bin\\java.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-06 97928] R4 avg8wd;AVG Free8 
WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-06 231704] R4 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe [2008-11-25 991232] S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-12-25 18560] S3 MTK;Media Technology Kernel Driver;c:\windows\system32\Drivers\mtk.sys --> c:\windows\system32\Drivers\mtk.sys [?] S4 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2008-07-09 68096] . Contents of the 'Scheduled Tasks' folder 2009-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.sportsline.com/mlb uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 TCP: {775968D3-1770-4F5D-8D1A-93BDB01F0A9E} = 4.2.2.1,4.2.2.2 FF - ProfilePath - c:\documents and settings\jbisbee\Application Data\Mozilla\Firefox\Profiles\8k77utin.default\ FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-07 21:17:16 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
--------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(816) c:\windows\system32\Ati2evxx.dll . Completion time: 2009-01-07 21:19:53 ComboFix-quarantined-files.txt 2009-01-08 02:19:00 ComboFix2.txt 2009-01-08 00:57:06 Pre-Run: 42,931,683,328 bytes free Post-Run: 42,915,532,800 bytes free 287 --- E O F --- 2008-12-18 08:01:41
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ran ATF Cleaner
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ran Kaspersky Online Scanner
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, January 8, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, January 08, 2009 00:32:59
Records in database: 1583436
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 125705
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:14:37

No malware has been detected. The scan area is clean.
The selected area was scanned.
#11
Posted 08 January 2009 - 06:12 AM
#12
Posted 08 January 2009 - 06:02 PM
#13
Posted 08 January 2009 - 07:06 PM
I've always understood that you need to reformat and reinstall the OS just to be safe with a rootkit.
Nowadays, with the tools we have available to clean a computer, we can get rid of almost all rootkits. However, reformatting is the only sure way that can guarantee complete removal of a rootkit. You now have the chance to copy all your important files to CD or an external drive before doing so, or, as it looks like we have removed the rootkit, you can continue on with the machine as is.
That choice is yours.
If you choose to continue on with the machine, we need to remove the tools that have been used.
Firstly, let's uninstall GMER:
- Copy the entire contents of the Code Box below to Notepad.
- Name the file as gmer_uninstall.bat
- Change the Save as Type to All Files
- and Save it in the folder where GMER.exe was saved
- Once saved, double-click on the gmer_uninstall.bat file. An MS-DOS window will be displayed. That is normal.
@echo off
sc stop gmer
sc delete gmer
if exist %SystemRoot%\System32\drivers\gmer.sys del /f /q %SystemRoot%\System32\drivers\gmer.sys
if exist %SystemRoot%\gmer.dll del /f /q %SystemRoot%\gmer.dll
if exist %SystemRoot%\gmer.exe del /f /q %SystemRoot%\gmer.exe
if exist %SystemRoot%\gmer.ini del /f /q %SystemRoot%\gmer.ini
if exist %SystemRoot%\gmer_uninstall.cmd del /f /q %SystemRoot%\gmer_uninstall.cmd
if exist %SystemRoot%\gmer.bat del /f /q %SystemRoot%\gmer.bat
if exist %SystemRoot%\gmer.reg del /f /q %SystemRoot%\gmer.reg
if exist %SystemRoot%\gmer.log del /f /q %SystemRoot%\gmer.log
rd /s /q gmer
del /f /q gmer_uninstall.bat
exit
Now let's uninstall Combofix:
- Click START then RUN
- Now type Combofix /u in the run box and click OK. Note the space between the X and the /u; it needs to be there.
Double-click OTCleanIt.exe to run it.
Click the Clean up button
Click Yes to the reboot.
Now delete any logs that you have left over on your desktop.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For some useful tips on staying clean, along with links to some freeware to help, have a look at this page.
To find out more information about how you got infected in the first place, you can read this article.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I will keep this log open for the next couple of days, so if you have any further problems post another reply here.
OK, all the best, and stay safe!
Best regards,
RatHat
#14
Posted 12 January 2009 - 02:22 AM