Computer Juice > Computer Software > Virus, Spyware & Security
  #1  
Old 17th May 2009, 17:20
New Member Group
 
Hi,

I started getting a whole bunch of warnings from WinPatrol about new startup programs. I looked them up and they all seemed to be malware; it was the same group of five .dll files again and again. I had WinPatrol try to delete them, but they seemed to just keep popping up over and over. Next I tried using Avast to clean them up; it detected a couple of things and said it got rid of them.

Those files have since stopped popping up, but I am now having random Blue Screens of Death pop up and then crash and reboot the computer. The other thing that worried me was that Userinit.exe got flagged. I don't know if it got fixed or not. I ran through all the steps in the malware removal thread, but I'm still having crashes.

I would really appreciate any help.

Here are the three logs asked for in the guide:
(I ran malwarebytes a few times earlier before going through the guide, do you need those logs too?)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/17/2009 at 07:30 PM

Application Version : 4.26.1002

Core Rules Database Version : 3897
Trace Rules Database Version: 1844

Scan type : Complete Scan
Total Scan Time : 01:52:22

Memory items scanned : 409
Memory threats detected : 0
Registry items scanned : 5634
Registry threats detected : 7
File items scanned : 250444
File threats detected : 5

Rogue.Component/Trace
HKLM\Software\Microsoft\90867B35
HKLM\Software\Microsoft\90867B35#90867b35
HKLM\Software\Microsoft\90867B35#Version
HKLM\Software\Microsoft\90867B35#9086d6b5
HKLM\Software\Microsoft\90867B35#9086bf50
HKU\S-1-5-21-299502267-1284227242-682003330-1004\Software\Microsoft\FIAS4018
HKU\S-1-5-21-299502267-1284227242-682003330-1004\Software\Microsoft\FIAS4057

Rogue.FakeAlert/Wallpaper
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\UR21IHYP\WARNING[1].GIF

Trojan.Dropper/UserInit-Fake
C:\WINDOWS\SYSTEM32\USERINIT.EXE
C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf

Trace.Known Threat Sources
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTCV\winlogon[1].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ETQHO3K1\loads[1].htm



-----------------------------------

Malwarebytes' Anti-Malware 1.36
Database version: 2146
Windows 5.1.2600 Service Pack 2

5/17/2009 7:43:40 PM
mbam-log-2009-05-17 (19-43-40).txt

Scan type: Quick Scan
Objects scanned: 81583
Time elapsed: 1 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.


-------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:43 PM, on 5/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\juice.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\docume~1\admini~1\locals~1\temp\ntdll64.dll' missing
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8478 bytes
  #2  
Old 17th May 2009, 21:26
Moderator Group
 
Welcome to CJ.

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
  • Please download LSPFix
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of ntdll64.dll
  • Select every instance of ntdll64.dll and move each one to the Remove box by clicking the >> button.
  • If the ntdll64.dll file only appears on the right side then just click fix checked and close the program.
  • When you are done click Finish>>

Reboot, and post a new HijackThis log.
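The O10 line in the first log is the symptom evilfantasy is pointing at: a Winsock Layered Service Provider is registered in the catalog but its DLL is gone, so every process that opens a socket fails to load the chain. As an added example (not part of this thread, nor of HijackThis or LSPFix), here is a small Python triage script that parses HijackThis-style entry lines and flags exactly that kind of O10 entry, along with autostart entries that load code from a temp directory and services with no vendor string. The sample log is constructed to mirror the format above; the rule names, severities and the svchost-in-temp line are my own assumptions.

```python
"""Triage a HijackThis-style log for Winsock LSP breakage and other
suspicious autostart entries. Added example, not from this thread,
HijackThis or LSPFix; rules and severities are the author's assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, modelled on the format of the logs in this thread.
# The ntdll64.dll O10 line mirrors the entry discussed above; the svchost-in-temp
# O4 line is an invented illustration of a second common pattern.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [svchost] c:\docume~1\admini~1\locals~1\temp\svchost.exe
O10 - Broken Internet access because of LSP provider 'c:\docume~1\admini~1\locals~1\temp\ntdll64.dll' missing
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# "O10 - ...": a section code followed by the entry body.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
# First drive-letter path that ends in a loadable or config extension.
PATH_RE = re.compile(r"""[A-Za-z]:\\[^'"\n]*?\.(?:exe|dll|sys|cnf)\b""", re.IGNORECASE)
# Temp locations in long-name or 8.3 short-name form.
TEMP_RE = re.compile(r"\\(?:temp|locals~1)\\", re.IGNORECASE)


@dataclass
class Entry:
    kind: str   # HijackThis section code, e.g. "O10"
    body: str   # rest of the line


@dataclass
class Finding:
    severity: str          # "high", "medium" or "info" (assumed scale)
    kind: str
    path: Optional[str]
    reason: str


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the 'Xn - ...' entry lines; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def extract_path(body: str) -> Optional[str]:
    """Return the first file path in an entry body, or None if there is none."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def triage(entries: List[Entry]) -> List[Finding]:
    findings = []
    for e in entries:
        path = extract_path(e.body)
        if e.kind == "O10":
            # Winsock LSP chain: each provider DLL is loaded into every process
            # that uses sockets, so one absent provider breaks networking.
            if "missing" in e.body.lower():
                findings.append(Finding("high", e.kind, path,
                    "LSP provider DLL is absent; the Winsock chain is broken"))
            else:
                findings.append(Finding("medium", e.kind, path,
                    "non-default Winsock LSP provider; verify the DLL"))
        elif e.kind in ("O4", "O20", "O23") and path and TEMP_RE.search(path):
            findings.append(Finding("high", e.kind, path,
                "autostart entry loads code from a temp directory"))
        elif e.kind == "O23" and "Unknown owner" in e.body:
            findings.append(Finding("info", e.kind, path,
                "service binary carries no vendor string; check the file"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.kind}: {f.reason} -> {f.path}")
```

Run it on a saved HijackThis log by passing the file contents to `parse_hjt`; the "info" findings are deliberately weak, since an unknown-owner service (PnkBstrA above) is often legitimate and only merits a look at the file itself.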

  #3  
Old 17th May 2009, 22:33
New Member Group
 
Hi evilfantasy,

Thank you for helping. When I ran LSPFix one instance of ntdll64.dll came up in the remove box.

Here is the new Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:36 AM, on 5/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\juice.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8423 bytes
  #4  
Old 18th May 2009, 09:58
Moderator Group
 
You have Viewpoint installed.

Viewpoint Media Player/Manager/Toolbar is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

More information:

It is suggested to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar
  • Viewpoint Experience Technology


----------

Download ComboFix© by sUBs from one of the links below. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt; please allow it).
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

  #5  
Old 18th May 2009, 13:12
New Member Group
 
Here is the ComboFix log:

ComboFix 09-05-17.08 - user 05/18/2009 16:01.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1609 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1290 [VPS 090518-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\mimic.log
c:\windows\system32\drivers\ovfsthxqxqicaowqgjryoukdnwjkulknrnejat.sys
c:\windows\system32\ovfsthnjyqlhrjhwoluclffhjbmeroseicbccx.dll
c:\windows\system32\ovfstholybhhyqafxrmmmxvpiatvrsuoxkwxek.dat
c:\windows\system32\ovfsthqpgwyaxmhheyxuyltkyykcguxgtrwixe.dat
c:\windows\system32\ovfsthutwjonkuatcmtxknsxekkijflumckexm.dll
c:\windows\system32\ovfsthvgunlaptgcufebnqxkpwyutvnetondyl.dll
c:\windows\system32\uniq.tll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthpkakawfomndwmqvfrhvowerpjltaccqs


((((((((((((((((((((((((( Files Created from 2009-04-18 to 2009-05-18 )))))))))))))))))))))))))))))))
.

2009-05-18 06:20 . 2009-05-18 06:20 -------- d-----w c:\documents and settings\user\Local Settings\Application Data\Activision
2009-05-18 00:51 . 2009-05-18 00:51 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-17 22:33 . 2009-05-17 22:33 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-17 22:33 . 2009-05-17 22:33 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-17 22:33 . 2009-05-17 22:33 -------- d-----w c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-05-14 06:33 . 2009-05-14 06:33 -------- d-----w c:\documents and settings\user\Local Settings\Application Data\Blizzard Entertainment
2009-05-11 22:27 . 2009-05-11 22:28 -------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2009-05-02 00:44 . 2009-05-02 00:44 -------- d-----w c:\program files\MSXML 4.0
2009-05-02 00:18 . 2009-05-02 00:18 -------- d-----w c:\program files\Microsoft Games
2009-05-01 22:40 . 2009-05-01 22:40 -------- d-----w c:\program files\Common Files\Logitech
2009-05-01 22:40 . 2009-05-01 22:40 -------- d-----w c:\program files\Logitech
2009-04-22 05:20 . 2009-04-22 05:20 14311680 ----a-w c:\windows\system32\xlive.dll
2009-04-22 05:20 . 2009-04-22 05:20 13642496 ----a-w c:\windows\system32\xlivefnt.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-18 20:39 . 2007-09-18 22:40 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-18 07:20 . 2008-03-13 14:22 -------- d-----w c:\program files\DNA
2009-05-18 06:22 . 2009-05-17 15:57 98304 ----a-w c:\windows\DUMP5d14.tmp
2009-05-18 06:20 . 2007-11-20 20:14 22328 ----a-w c:\documents and settings\user\Application Data\PnkBstrK.sys
2009-05-18 06:20 . 2007-10-05 21:46 22328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-05-18 06:20 . 2007-10-05 21:45 107832 ----a-w c:\windows\system32\PnkBstrB.exe
2009-05-18 06:20 . 2007-12-26 03:03 682280 ----a-w c:\windows\system32\pbsvc.exe
2009-05-18 06:19 . 2007-12-26 22:53 -------- d-----w c:\program files\Steam
2009-05-18 00:52 . 2007-09-24 05:04 -------- d-----w c:\program files\Java
2009-05-17 22:32 . 2007-12-09 00:35 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-17 22:20 . 2008-11-26 15:28 -------- d-----w c:\program files\CCleaner
2009-05-17 22:09 . 2009-05-17 15:57 98304 ----a-w c:\windows\DUMP5f27.tmp
2009-05-17 22:05 . 2009-05-17 15:57 98304 ----a-w c:\windows\DUMP5cf4.tmp
2009-05-17 15:56 . 2009-05-16 20:43 98304 ----a-w c:\windows\DUMP5851.tmp
2009-05-17 01:32 . 2009-05-16 20:43 98304 ----a-w c:\windows\DUMP58fd.tmp
2009-05-16 20:40 . 2007-09-18 15:06 98304 ----a-w c:\windows\DUMP595b.tmp
2009-05-16 20:36 . 2008-12-26 03:33 223184 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-16 20:31 . 2008-11-24 23:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-16 20:22 . 2008-11-26 21:36 -------- d-----w c:\program files\SpywareBlaster
2009-05-14 06:33 . 2007-11-13 21:26 -------- d-----w c:\program files\World of Warcraft
2009-05-09 23:34 . 2007-09-23 05:00 -------- d-----w c:\program files\2K Games
2009-05-09 23:33 . 2009-03-27 21:13 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2009-05-09 23:32 . 2009-03-27 21:12 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-05-03 04:26 . 2007-09-25 23:05 22904 ----a-w c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-02 00:16 . 2008-10-01 00:35 -------- d-----w c:\program files\Starcraft
2009-04-06 20:32 . 2008-11-24 23:39 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2008-11-24 23:39 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-30 06:52 . 2007-10-05 21:45 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-03-27 21:17 . 2009-03-27 21:12 -------- d-----w c:\program files\Common Files\Nikon
2009-03-27 21:13 . 2009-03-27 21:12 -------- d-----w c:\program files\Nikon
2009-03-27 21:12 . 2009-03-27 21:12 -------- d-----w c:\program files\Common Files\muvee Technologies
2009-03-27 21:12 . 2003-03-19 00:05 106496 ----a-w c:\windows\system32\ATL71.DLL
2009-03-22 21:35 . 2008-12-23 20:48 -------- d-----w c:\program files\McAfee
2009-03-06 00:20 . 2009-03-05 00:17 36104 ----a-w c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-03-06 00:20 . 2009-03-05 00:17 131072 ----a-w c:\windows\system32\SpoonUninstall.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-25 2356088]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-10-08 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-10-05 868352]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-18 148888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2004-09-21 73728]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-06-01 196608]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-27 734264]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]

c:\documents and settings\user\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\SteamApps\\druiddude17\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\druiddude17\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis Wars\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Autodesk\\Maya8.5\\bin\\maya.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe"=
"c:\\WINDOWS\\system32\\cscript.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\world of goo\\WorldOfGoo.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty world at war\\CoDWaW.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty world at war\\CoDWaWmp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Diablo Battle.net
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/24/2008 1:07 AM 110160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/24/2008 1:07 AM 20560]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/23/2008 3:48 PM 210216]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [10/8/2007 9:41 PM 1373480]
S0 kgdsIjmz;kgdsIjmz;c:\windows\system32\drivers\bmvo.sys --> c:\windows\system32\drivers\bmvo.sys [?]
S0 kwvfkc;kwvfkc;c:\windows\system32\drivers\enaab.sys --> c:\windows\system32\drivers\enaab.sys [?]
S0 trfbhl;trfbhl;c:\windows\system32\drivers\drkloi.sys --> c:\windows\system32\drivers\drkloi.sys [?]
S1 msfss;msfss;c:\windows\system32\drivers\msfss.sys --> c:\windows\system32\drivers\msfss.sys [?]
S3 gkmixern;gkmixern;\??\c:\docume~1\user\LOCALS~1\Temp\gkmixern.sys --> c:\docume~1\user\LOCALS~1\Temp\gkmixern.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKCU-Run-Start WingMan Profiler - (no file)
Notify-!SASWinLogon - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\9mnttaxk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-18 16:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-1284227242-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3b,cf,4d,c8,08,9f,71,6d,35,08,77,1a,71,74,fc,0a,fa,89,f1,05,03,1c,56,
b0,2b,65,66,f6,c2,ae,00,50,b9,c4,2f,94,a2,e1,e0,8a,0d,0b,f5,66,fc,79,01,e0,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-299502267-1284227242-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:f4,ea,43,cc,45,44,6a,60,99,53,63,bb,44,71,33,64,11,ef,80,8f,7c,
58,a1,b4,3b,39,2e,77,e8,59,99,70,31,bf,4f,30,07,6c,f7,51,fe,4a,08,38,5f,36,\
"rkeysecu"=hex:cf,fd,36,ed,8f,83,8f,67,d5,d5,68,a4,04,da,e7,c7
.
Completion time: 2009-05-18 16:06
ComboFix-quarantined-files.txt 2009-05-18 21:06

Pre-Run: 5,674,881,024 bytes free
Post-Run: 5,690,249,216 bytes free

  #6  
Old 18th May 2009, 14:07
Moderator Group
 
**Delete your copy of ComboFix and download the new version.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

DO NOT run it yet!

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions, as they could damage the workings of your system.

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Driver::
kgdsIjmz
kwvfkc
trfbhl
msfss
gkmixern

File::
c:\windows\system32\drivers\bmvo.sys
c:\windows\system32\drivers\enaab.sys
c:\windows\system32\drivers\drkloi.sys
c:\windows\system32\drivers\msfss.sys
c:\docume~1\user\LOCALS~1\Temp\gkmixern.sys
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

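The five Driver::/File:: entries in the script above were picked out of the Drivers/Services section of the ComboFix log: each is a stopped service whose driver file ComboFix could not examine (the `[?]` where the other entries show a timestamp and size), and one of them loads from the user's Temp directory. As an added example, not part of this thread or of ComboFix, the following Python script parses lines in that log format, applies those two checks plus a note on boot/system start type, and renders the flagged entries in the CFScript layout for a helper to review before anything is run. The sample lines are copied from the log above (with the forum's word-wrap spaces removed); the reading of the line prefix (R/S for running/stopped, digit for the Windows start type) is this example's assumption about ComboFix's format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the Drivers/Services lines from the ComboFix log in this thread,
# with the forum's word-wrap spaces removed so each line is intact.
SAMPLE_LOG = r"""
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/24/2008 1:07 AM 110160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [10/8/2007 9:41 PM 1373480]
S0 kgdsIjmz;kgdsIjmz;c:\windows\system32\drivers\bmvo.sys --> c:\windows\system32\drivers\bmvo.sys [?]
S0 kwvfkc;kwvfkc;c:\windows\system32\drivers\enaab.sys --> c:\windows\system32\drivers\enaab.sys [?]
S0 trfbhl;trfbhl;c:\windows\system32\drivers\drkloi.sys --> c:\windows\system32\drivers\drkloi.sys [?]
S1 msfss;msfss;c:\windows\system32\drivers\msfss.sys --> c:\windows\system32\drivers\msfss.sys [?]
S3 gkmixern;gkmixern;\??\c:\docume~1\user\LOCALS~1\Temp\gkmixern.sys --> c:\docume~1\user\LOCALS~1\Temp\gkmixern.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]
"""

# Assumed layout of one line: "<R|S><start type> name;display;path [--> resolved path] [date time size | ?]"
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"      # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]+);(?P<display>[^;]*);"   # service name; display name
    r"(?P<path>.+?)"                          # image path as registered
    r"(?:\s+-->\s+(?P<resolved>.+?))?"        # path ComboFix resolved it to, when shown
    r"\s+\[(?P<meta>[^\]]*)\]\s*$"            # "[date time size]" or "[?]"
)


@dataclass
class DriverEntry:
    state: str
    start_type: int
    name: str
    display: str
    path: str
    resolved: Optional[str]
    meta: str
    flags: List[str] = field(default_factory=list)

    @property
    def file_path(self) -> str:
        # Prefer the resolved path: it drops the \??\ prefix seen on the Temp entry.
        return self.resolved or self.path


def parse_services(log_text: str) -> List[DriverEntry]:
    """Return one DriverEntry per line that matches the Drivers/Services layout."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(DriverEntry(
            state=m["state"], start_type=int(m["start"]),
            name=m["name"], display=m["display"], path=m["path"],
            resolved=m["resolved"], meta=m["meta"],
        ))
    return entries


def assess(entries: List[DriverEntry]) -> List[DriverEntry]:
    """Attach review flags and return only the entries that got one."""
    for e in entries:
        e.flags = []
        if e.meta.strip() == "?":
            e.flags.append("no timestamp/size: driver file missing or unreadable on disk")
        if "\\temp\\" in e.file_path.lower():
            e.flags.append("driver image lives in a Temp directory")
        # Start types 0 (boot) and 1 (system) load before most security software,
        # so a questionable entry there deserves a closer look.
        if e.flags and e.start_type <= 1:
            e.flags.append("boot/system start type: loads before most security software")
    return [e for e in entries if e.flags]


def build_cfscript(flagged: List[DriverEntry]) -> str:
    """Render flagged entries in the KillAll:: / Driver:: / File:: layout used in
    this thread. Output is for a helper to review, not to run unreviewed."""
    lines = ["KillAll::", "", "Driver::"]
    lines += [e.name for e in flagged]
    lines += ["", "File::"]
    lines += [e.file_path for e in flagged]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = assess(parse_services(SAMPLE_LOG))
    for e in flagged:
        print(f"{e.state}{e.start_type} {e.name:<12} {e.file_path}")
        for f in e.flags:
            print(f"    - {f}")
    print()
    print(build_cfscript(flagged))
```

On the sample input the two checks flag exactly the five services the reply above targets and leave the avast!, SUPERAntiSpyware and Wacom entries alone; the rendered script matches the Driver:: and File:: sections posted, which is why the resolved path (not the `\??\`-prefixed one) is used for the Temp entry.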
  #7  
Old 18th May 2009, 14:54
New Member Group
 
ComboFix 09-05-18.02 - user 05/18/2009 17:40.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1561 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1290 [VPS 090518-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
c:\docume~1\user\LOCALS~1\Temp\gkmixern.sys
c:\windows\system32\drivers\bmvo.sys
c:\windows\system32\drivers\drkloi.sys
c:\windows\system32\drivers\enaab.sys
c:\windows\system32\drivers\msfss.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GKMIXERN
-------\Legacy_MSFSS
-------\Service_gkmixern
-------\Service_kgdsIjmz
-------\Service_kwvfkc
-------\Service_msfss
-------\Service_trfbhl


((((((((((((((((((((((((( Files Created from 2009-04-18 to 2009-05-18 )))))))))))))))))))))))))))))))
.

2009-05-18 06:20 . 2009-05-18 06:20 -------- d-----w c:\documents and settings\user\Local Settings\Application Data\Activision
2009-05-18 00:51 . 2009-05-18 00:51 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-17 22:33 . 2009-05-17 22:33 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-17 22:33 . 2009-05-17 22:33 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-17 22:33 . 2009-05-17 22:33 -------- d-----w c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-05-14 06:33 . 2009-05-14 06:33 -------- d-----w c:\documents and settings\user\Local Settings\Application Data\Blizzard Entertainment
2009-05-11 22:27 . 2009-05-11 22:28 -------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2009-05-02 00:44 . 2009-05-02 00:44 -------- d-----w c:\program files\MSXML 4.0
2009-05-02 00:18 . 2009-05-02 00:18 -------- d-----w c:\program files\Microsoft Games
2009-05-01 22:40 . 2009-05-01 22:40 -------- d-----w c:\program files\Common Files\Logitech
2009-05-01 22:40 . 2009-05-01 22:40 -------- d-----w c:\program files\Logitech
2009-04-22 05:20 . 2009-04-22 05:20 14311680 ----a-w c:\windows\system32\xlive.dll
2009-04-22 05:20 . 2009-04-22 05:20 13642496 ----a-w c:\windows\system32\xlivefnt.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-18 22:46 . 2008-03-13 14:22 -------- d-----w c:\program files\DNA
2009-05-18 21:44 . 2007-12-26 22:53 -------- d-----w c:\program files\Steam
2009-05-18 21:42 . 2007-11-20 20:14 22328 ----a-w c:\documents and settings\user\Application Data\PnkBstrK.sys
2009-05-18 21:42 . 2007-10-05 21:46 22328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-05-18 21:42 . 2007-10-05 21:45 107832 ----a-w c:\windows\system32\PnkBstrB.exe
2009-05-18 21:42 . 2007-12-26 03:03 682280 ----a-w c:\windows\system32\pbsvc.exe
2009-05-18 21:42 . 2007-10-05 21:45 66872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-05-18 20:39 . 2007-09-18 22:40 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-18 06:22 . 2009-05-17 15:57 98304 ----a-w c:\windows\DUMP5d14.tmp
2009-05-18 00:52 . 2007-09-24 05:04 -------- d-----w c:\program files\Java
2009-05-17 22:32 . 2007-12-09 00:35 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-17 22:20 . 2008-11-26 15:28 -------- d-----w c:\program files\CCleaner
2009-05-17 22:09 . 2009-05-17 15:57 98304 ----a-w c:\windows\DUMP5f27.tmp
2009-05-17 22:05 . 2009-05-17 15:57 98304 ----a-w c:\windows\DUMP5cf4.tmp
2009-05-17 15:56 . 2009-05-16 20:43 98304 ----a-w c:\windows\DUMP5851.tmp
2009-05-17 01:32 . 2009-05-16 20:43 98304 ----a-w c:\windows\DUMP58fd.tmp
2009-05-16 20:40 . 2007-09-18 15:06 98304 ----a-w c:\windows\DUMP595b.tmp
2009-05-16 20:36 . 2008-12-26 03:33 223184 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-16 20:31 . 2008-11-24 23:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-16 20:22 . 2008-11-26 21:36 -------- d-----w c:\program files\SpywareBlaster
2009-05-14 06:33 . 2007-11-13 21:26 -------- d-----w c:\program files\World of Warcraft
2009-05-09 23:34 . 2007-09-23 05:00 -------- d-----w c:\program files\2K Games
2009-05-09 23:33 . 2009-03-27 21:13 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2009-05-09 23:32 . 2009-03-27 21:12 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-05-03 04:26 . 2007-09-25 23:05 22904 ----a-w c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-02 00:16 . 2008-10-01 00:35 -------- d-----w c:\program files\Starcraft
2009-04-06 20:32 . 2008-11-24 23:39 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2008-11-24 23:39 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-27 21:17 . 2009-03-27 21:12 -------- d-----w c:\program files\Common Files\Nikon
2009-03-27 21:13 . 2009-03-27 21:12 -------- d-----w c:\program files\Nikon
2009-03-27 21:12 . 2009-03-27 21:12 -------- d-----w c:\program files\Common Files\muvee Technologies
2009-03-27 21:12 . 2003-03-19 00:05 106496 ----a-w c:\windows\system32\ATL71.DLL
2009-03-22 21:35 . 2008-12-23 20:48 -------- d-----w c:\program files\McAfee
2009-03-06 00:20 . 2009-03-05 00:17 36104 ----a-w c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-03-06 00:20 . 2009-03-05 00:17 131072 ----a-w c:\windows\system32\SpoonUninstall.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-05-18_21.05.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-18 22:45 . 2009-05-18 22:45 16384 c:\windows\Temp\Perflib_Perfdata_6d4.dat
+ 2009-05-18 22:45 . 2009-05-18 22:45 16384 c:\windows\Temp\Perflib_Perfdata_69c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-10-08 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-10-05 868352]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-18 148888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2004-09-21 73728]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-06-01 196608]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-27 734264]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]

c:\documents and settings\user\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\SteamApps\\druiddude17\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\druiddude17\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis Wars\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Autodesk\\Maya8.5\\bin\\maya.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe"=
"c:\\WINDOWS\\system32\\cscript.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\world of goo\\WorldOfGoo.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty world at war\\CoDWaW.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty world at war\\CoDWaWmp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Diablo Battle.net
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/24/2008 1:07 AM 110160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/24/2008 1:07 AM 20560]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/23/2008 3:48 PM 210216]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [10/8/2007 9:41 PM 1373480]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\9mnttaxk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-18 17:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-1284227242-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3b,cf,4d,c8,08,9f,71,6d,35,08,77,1a,71,74,fc,0a,fa,89,f1,05,03,1c,56,
b0,2b,65,66,f6,c2,ae,00,50,b9,c4,2f,94,a2,e1,e0,8a,0d,0b,f5,66,fc,79,01,e0,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-299502267-1284227242-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:f4,ea,43,cc,45,44,6a,60,99,53,63,bb,44,71,33,64,11,ef,80,8f,7c,
58,a1,b4,3b,39,2e,77,e8,59,99,70,31,bf,4f,30,07,6c,f7,51,fe,4a,08,38,5f,36,\
"rkeysecu"=hex:cf,fd,36,ed,8f,83,8f,67,d5,d5,68,a4,04,da,e7,c7
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2704)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-05-18 17:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-18 22:51
ComboFix2.txt 2009-05-18 21:06

Pre-Run: 5,695,102,976 bytes free
Post-Run: 5,631,594,496 bytes free

  #8  
Old 18th May 2009, 15:19
Moderator Group
 
Looks good so far. I want to check for rootkits and run a full virus scan. We need to be thorough. Those drivers make me think there could be other nasties hiding.

Please remove ComboFix so it does not interfere with the next scans.

  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.


  The above procedure will:
  • Delete ComboFix and its associated files and folders.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.


----------

Download GMER and save it to your desktop.

* Extract it to your desktop and double-click GMER.exe
* Click the rootkit tab and then scan.
* Don't check the Show All box while scanning in progress!
* When scanning is finished click Copy.
* This copies the log to clipboard
* Save the log so you can post it in your reply.

----------

Scan with Panda ActiveScan

This scanner requires Internet Explorer

  • Once you are on the Panda site click the Scan your PC now button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Select the appropriate Yes or No to receiving marketing information
  • Click the Free Online Scan button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


Post the contents of the ActiveScan report in your next reply.

  #9  
Old 18th May 2009, 22:12
New Member Group
 
Here is the first log. Hit the max characters with both logs so I will post the Panda Active Scan log in the next post.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-18 21:41:23
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB6DE4604]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB6DE44C0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB6DE499E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB6DE4098]
SSDT spve.sys ZwEnumerateKey [0xBA6C6CA2]
SSDT spve.sys ZwEnumerateValueKey [0xBA6C7030]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB6DE459A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB6DE3FD8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB6DE403C]
SSDT spve.sys ZwQueryKey [0xBA6C7108]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB6DE46BA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB6DE467A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB6DE47FA]

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B65A816D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B65A7FC2
INT 0x62 ? 89DCCBF8
INT 0x63 ? 89D57BF8
INT 0x73 ? 89D57BF8
INT 0x73 ? 89B4BBF8
INT 0x73 ? 89D57BF8
INT 0xB1 ? 89D5ABF8
INT 0xB1 ? 89D5ABF8
INT 0xB4 ? 89D57BF8

Code \??\C:\DOCUME~1\user\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? spve.sys The system cannot find the file specified. !
? Combo-Fix.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B96BC62C 5 Bytes JMP 89B4B1D8
.text a86x14es.SYS B9496384 1 Byte [20]
.text a86x14es.SYS B9496384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text a86x14es.SYS B94963AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text a86x14es.SYS B94963C4 3 Bytes [00, 00, 00]
.text a86x14es.SYS B94963C9 1 Byte [00]
.text ...
.text a226ibyt.SYS B945F386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text a226ibyt.SYS B945F3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a226ibyt.SYS B945F3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text a226ibyt.SYS B945F3C9 1 Byte [2E]
.text a226ibyt.SYS B945F3C9 11 Bytes [2E, 00, 00, 00, 5A, 02, 00, ...]
.text ...
? C:\DOCUME~1\user\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spve.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spve.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spve.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spve.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spve.sys
IAT \SystemRoot\System32\Drivers\a86x14es.SYS[HAL.dll!KfAcquireSpinLock] 0A64D90F
IAT \SystemRoot\System32\Drivers\a86x14es.SYS[HAL.dll!READ_PORT_UCHAR] 046FD406
IAT \SystemRoot\System32\Drivers\a86x14es.SYS[HAL.dll!KeGetCurrentIrql] 1672C31D
IAT \SystemRoot\System32\Drivers\a86x14es.SYS[HAL.dll!KfRaiseIrql] 1879CE14
IAT \SystemRoot\System32\Drivers\a86x14es.SYS[HAL.dll!KfLowerIrql] 3248ED2B
IAT \SystemRoot\System32\Drivers\a86x14es.SYS[HAL.dll!HalGetInterruptVector] 3C43E022
IAT \SystemRoot\System32\Drivers\a86x14es.SYS[HAL.dll!HalTranslateBusAddress] 2E5EF739
IAT \SystemRoot\System32\Drivers\a86x14es.SYS[HAL.dll!KeStallExecutionProcessor] 2055FA30
IAT \SystemRoot\System32\Drivers\a86x14es.SYS[HAL.dll!KfReleaseSpinLock] EC01B79A
IAT \SystemRoot\System32\Drivers\a86x14es.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] E20ABA93
IAT \SystemRoot\System32\Drivers\a86x14es.SYS[HAL.dll!READ_PORT_USHORT] F017AD88
IAT \SystemRoot\System32\Drivers\a86x14es.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] FE1CA081
IAT \SystemRoot\System32\Drivers\a86x14es.SYS[HAL.dll!WRITE_PORT_UCHAR] D42D83BE
IAT \SystemRoot\System32\Drivers\a86x14es.SYS[WMILIB.SYS!WmiSystemControl] C83B99AC
IAT \SystemRoot\System32\Drivers\a86x14es.SYS[WMILIB.SYS!WmiCompleteRequest] C63094A5
IAT \SystemRoot\System32\Drivers\a226ibyt.SYS[HAL.dll!KfAcquireSpinLock] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\a226ibyt.SYS[HAL.dll!READ_PORT_UCHAR] 8D3F0304
IAT \SystemRoot\System32\Drivers\a226ibyt.SYS[HAL.dll!KeGetCurrentIrql] CB033043
IAT \SystemRoot\System32\Drivers\a226ibyt.SYS[HAL.dll!KfRaiseIrql] 0673C13B
IAT \SystemRoot\System32\Drivers\a226ibyt.SYS[HAL.dll!KfLowerIrql] C13B0003
IAT \SystemRoot\System32\Drivers\a226ibyt.SYS[HAL.dll!HalGetInterruptVector] 8366FA72
IAT \SystemRoot\System32\Drivers\a226ibyt.SYS[HAL.dll!HalTranslateBusAddress] 75000E7B
IAT \SystemRoot\System32\Drivers\a226ibyt.SYS[HAL.dll!KeStallExecutionProcessor] 0B7D80E3
IAT \SystemRoot\System32\Drivers\a226ibyt.SYS[HAL.dll!KfReleaseSpinLock] 307B8D00
IAT \SystemRoot\System32\Drivers\a226ibyt.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00AA840F
IAT \SystemRoot\System32\Drivers\a226ibyt.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\a226ibyt.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 6A000E7A
IAT \SystemRoot\System32\Drivers\a226ibyt.SYS[HAL.dll!WRITE_PORT_UCHAR] C6647400
IAT \SystemRoot\System32\Drivers\a226ibyt.SYS[WMILIB.SYS!WmiSystemControl] 4F8B0200
IAT \SystemRoot\System32\Drivers\a226ibyt.SYS[WMILIB.SYS!WmiCompleteRequest] 968D5140

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[924] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002
IAT C:\WINDOWS\system32\services.exe[924] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89DCA1F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom 8981D500

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\USBSTOR \Device\0000009f 89924408
Device \Driver\usbohci \Device\USBPDO-0 89B6B1F8
Device \Driver\usbehci \Device\USBPDO-1 89B201F8

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Ftdisk \Device\HarddiskVolume1 89D581F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{183A6D1B-85EC-4F91-AB38-E968D9447647} 886A31F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 89D581F8
Device \Driver\Cdrom \Device\CdRom0 89B141F8
Device \Driver\Cdrom \Device\CdRom1 89B141F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 89DCC1F8
Device \Driver\atapi \Device\Ide\IdePort0 89DCC1F8
Device \Driver\atapi \Device\Ide\IdePort1 89DCC1F8
Device \Driver\Cdrom \Device\CdRom2 89B141F8
Device \Driver\Cdrom \Device\CdRom3 89B141F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 886A31F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{256911B5-7C39-49F4-86BB-5087157BB308} 886A31F8
Device \Driver\NetBT \Device\NetbiosSmb 886A31F8
Device \Driver\nvata \Device\00000088 89D571F8

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\PCI_PNP3882 \Device\0000005e spve.sys
Device \Driver\PCI_PNP3882 \Device\0000005f spve.sys
Device \Driver\sptd \Device\1394145132 spve.sys
Device \Driver\usbohci \Device\USBFDO-0 89B6B1F8
Device \Driver\USBSTOR \Device\00000099 89924408
Device \Driver\usbehci \Device\USBFDO-1 89B201F8
Device \Driver\sptd \Device\1394301382 spve.sys
Device \Driver\nvata \Device\NvAta0 89D571F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89933500
Device \Driver\nvata \Device\NvAta1 89D571F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89933500
Device \Driver\nvata \Device\NvAta2 89D571F8
Device \Driver\Ftdisk \Device\FtControl 89D581F8
Device \Driver\a226ibyt \Device\Scsi\a226ibyt1Port6Path0Target0Lun0 89A88470
Device \Driver\a86x14es \Device\Scsi\a86x14es1Port7Path0Target0Lun0 89AE21F8
Device \Driver\a86x14es \Device\Scsi\a86x14es1 89AE21F8
Device \Driver\a226ibyt \Device\Scsi\a226ibyt1 89A88470
Device \FileSystem\Fastfat \Fat 8981D500

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Cdfs \Cdfs 898C5500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x43 0x16 0x83 0xFC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x4F 0xBC 0xDD 0x3A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x28 0xA6 0x3B 0x95 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB8 0xFC 0xBC 0x42 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC0 0xE9 0x93 0x23 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x72 0x2D 0x68 0x81 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x43 0x16 0x83 0xFC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x4F 0xBC 0xDD 0x3A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x28 0xA6 0x3B 0x95 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB8 0xFC 0xBC 0x42 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC0 0xE9 0x93 0x23 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x72 0x2D 0x68 0x81 ...

---- EOF - GMER 1.0.15 ----
  #10  
Old 18th May 2009, 22:13
New Member Group
 
Here is the Active Scan log:
I hit the max characters with both logs so the other is in a separate post.

Active Scan

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-05-19 01:05:53
PROTECTIONS: 1
MALWARE: 0
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
avast! antivirus 4.8.1290 [VPS 090518-0] 4.8.1290 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
SUSPECTS
Sent Location X
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description X
;===================================================================================================================================================================================
184380 MEDIUM MS08-002 X
184379 MEDIUM MS08-001 X
182048 HIGH MS07-069 X
182046 HIGH MS07-067 X
182043 HIGH MS07-064 X
179553 HIGH MS07-061 X
176382 HIGH MS07-057 X
176383 HIGH MS07-058 X
170911 HIGH MS07-050 X
170907 HIGH MS07-046 X
170906 HIGH MS07-045 X
170904 HIGH MS07-043 X
164915 HIGH MS07-035 X
164913 HIGH MS07-033 X
164911 HIGH MS07-031 X
160623 HIGH MS07-027 X
157262 HIGH MS07-022 X
157261 HIGH MS07-021 X
157260 HIGH MS07-020 X
157259 HIGH MS07-019 X
156477 HIGH MS07-017 X
150253 HIGH MS07-016 X
150249 HIGH MS07-013 X
150248 HIGH MS07-012 X
150247 HIGH MS07-011 X
150243 HIGH MS07-008 X
150242 HIGH MS07-007 X
150241 MEDIUM MS07-006 X
145501 HIGH MS07-004 X
141034 HIGH MS06-076 X
141033 MEDIUM MS06-075 X
137571 HIGH MS06-070 X
133387 MEDIUM MS06-065 X
133386 MEDIUM MS06-064 X
133385 MEDIUM MS06-063 X
133379 HIGH MS06-057 X
129977 MEDIUM MS06-053 X
129976 MEDIUM MS06-052 X
126093 HIGH MS06-051 X
126092 MEDIUM MS06-050 X
126087 HIGH MS06-046 X
126086 MEDIUM MS06-045 X
126082 HIGH MS06-041 X
126081 HIGH MS06-040 X
123421 HIGH MS06-036 X
123420 HIGH MS06-035 X
120825 MEDIUM MS06-032 X
120823 MEDIUM MS06-030 X
120818 HIGH MS06-025 X
120815 HIGH MS06-022 X
117384 MEDIUM MS06-018 X
114666 HIGH MS06-015 X
108744 MEDIUM MS06-008 X
108743 MEDIUM MS06-007 X
108742 MEDIUM MS06-006 X
104567 HIGH MS06-002 X
104237 HIGH MS06-001 X
96574 HIGH MS05-053 X
93395 HIGH MS05-051 X
93394 HIGH MS05-050 X
93454 MEDIUM MS05-049 X
;===================================================================================================================================================================================
Copyright ©2006 - 2009 Computer Juice.
