Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:04 AM, on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
Any Trojan Services and Registry Entries that it finds will be removed, then you will be prompted to reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished. Press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open and a copy of the report will be saved in the SDFix folder as Report.txt (Report.txt will also be copied automatically to your Clipboard and will be ready for posting back in the forum).
Finally, paste the contents of the Report.txt back here along with a fresh HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:01 PM, on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
* Unzip it to your desktop and start gmer.exe
* Click the Rootkit tab.
* Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
* Click Scan.
* Once done, click the Copy button.
* This will copy the results to the clipboard. Paste the results in your next reply.
If you're having problems with running gmer.exe, try it in Safe Mode.
This tool works in Safe Mode; other rootkit revealers don't.
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service
I have no idea if you are going to be able to read this. This is what it gave me when I clicked advanced report. It sent it to an Excel page that I am not familiar with. I might have made a mistake but I'm pretty sure I followed your instructions clearly. Let me know if you want me to do this another way. Thanks.
PATH;"ROOTKIT_NAME";"HIDDEN";"INT2E_MODIFIER";"MSR_MODIFIER";"REGISTRY_KEY";"REGISTRY_VALUE";"REGISTRY_HIDDEN";"PROCESS_COMMANDLINE";"PROCESS_HIDDEN";"SDT_FUN_NAME";"EAT_OBJECTIVE";"EAT_FUN_NAME";"IRP_DRIVER";"IRP_FUNCTION";"IDT_ID";"IDT_TYPE"
C:\WINDOWS\system32\frmabbycm.exe;;"TRUE";"FALSE";"FALSE";"SOFTWARE\Microsoft\Windows\CurrentVersion\Run";"frmabbycm";"TRUE";" ";" ";" ";" ";" ";" ";" ";" ";
C:\WINDOWS\system32\frmabbycm.exe;;"TRUE";"FALSE";"FALSE";" ";" ";" ";""C:\windows\system32\frmabbycm.exe" frmabbycm";"TRUE";" ";" ";" ";" ";" ";" ";
C:\WINDOWS\system32\frmabbycm_navps.dat;;"TRUE";"FALSE";"FALSE";" ";" ";" ";" ";" ";" ";" ";" ";" ";" ";" ";
C:\WINDOWS\system32\frmabbycm.dat;;"TRUE";"FALSE";"FALSE";" ";" ";" ";" ";" ";" ";" ";" ";" ";" ";" ";
C:\WINDOWS\system32\Drivers\Wpe29.sys;;"TRUE";"FALSE";"FALSE";"SYSTEM\CurrentControlSet\Services\Wpe29";;"TRUE";" ";" ";" ";" ";" ";" ";" ";" ";
C:\WINDOWS\system32\Drivers\Wpe29.sys;;"TRUE";"FALSE";"FALSE";" ";" ";" ";" ";" ";" ";" ";" ";"Ntfs";"IRP_MJ_DIRECTORY_CONTROL";" ";
C:\WINDOWS\system32\Drivers\Wpe29.sys;;"TRUE";"FALSE";"FALSE";" ";" ";" ";" ";" ";" ";" ";" ";"Ntfs";"IRP_MJ_CREATE";" ";
C:\WINDOWS\system32\frmabbycm_nav.dat;;"TRUE";"FALSE";"FALSE";" ";" ";" ";" ";" ";" ";" ";" ";" ";" ";" ";
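To make a pasted Panda Anti-Rootkit "advanced report" export readable, here is a small parser (an added example, not code from this thread or from Panda) that splits the semicolon-separated report and groups, per path, the hidden registry entries, hidden processes and driver IRP hooks the scanner reported; the column names are taken from the header row above, and the "autorun"/"service" labelling is this example's own heuristic.

```python
# Constructed sample: the Panda Anti-Rootkit export pasted in this thread,
# one record per line (the forum had flattened it onto a single line).
PANDA_REPORT = r'''PATH;"ROOTKIT_NAME";"HIDDEN";"INT2E_MODIFIER";"MSR_MODIFIER";"REGISTRY_KEY";"REGISTRY_VALUE";"REGISTRY_HIDDEN";"PROCESS_COMMANDLINE";"PROCESS_HIDDEN";"SDT_FUN_NAME";"EAT_OBJECTIVE";"EAT_FUN_NAME";"IRP_DRIVER";"IRP_FUNCTION";"IDT_ID";"IDT_TYPE"
C:\WINDOWS\system32\frmabbycm.exe;;"TRUE";"FALSE";"FALSE";"SOFTWARE\Microsoft\Windows\CurrentVersion\Run";"frmabbycm";"TRUE";" ";" ";" ";" ";" ";" ";" ";" ";
C:\WINDOWS\system32\frmabbycm.exe;;"TRUE";"FALSE";"FALSE";" ";" ";" ";""C:\windows\system32\frmabbycm.exe" frmabbycm";"TRUE";" ";" ";" ";" ";" ";" ";
C:\WINDOWS\system32\frmabbycm_navps.dat;;"TRUE";"FALSE";"FALSE";" ";" ";" ";" ";" ";" ";" ";" ";" ";" ";" ";
C:\WINDOWS\system32\frmabbycm.dat;;"TRUE";"FALSE";"FALSE";" ";" ";" ";" ";" ";" ";" ";" ";" ";" ";" ";
C:\WINDOWS\system32\Drivers\Wpe29.sys;;"TRUE";"FALSE";"FALSE";"SYSTEM\CurrentControlSet\Services\Wpe29";;"TRUE";" ";" ";" ";" ";" ";" ";" ";" ";
C:\WINDOWS\system32\Drivers\Wpe29.sys;;"TRUE";"FALSE";"FALSE";" ";" ";" ";" ";" ";" ";" ";" ";"Ntfs";"IRP_MJ_DIRECTORY_CONTROL";" ";
C:\WINDOWS\system32\Drivers\Wpe29.sys;;"TRUE";"FALSE";"FALSE";" ";" ";" ";" ";" ";" ";" ";" ";"Ntfs";"IRP_MJ_CREATE";" ";
C:\WINDOWS\system32\frmabbycm_nav.dat;;"TRUE";"FALSE";"FALSE";" ";" ";" ";" ";" ";" ";" ";" ";" ";" ";" ";
'''


def unquote(cell: str) -> str:
    """Strip one pair of surrounding double quotes, then blank padding.
    Panda writes empty columns as a quoted blank and wraps a command line
    that already contains quotes in one more outer pair; removing only the
    outer pair keeps the inner quotes of the command line intact."""
    cell = cell.strip()
    if len(cell) >= 2 and cell.startswith('"') and cell.endswith('"'):
        cell = cell[1:-1]
    return cell.strip()


def parse_report(text: str) -> list:
    """One dict per record, keyed by the column names in the header row.
    No cell ever contains ';', so splitting on it is more robust than
    csv.reader, which trips over the doubled quotes in PROCESS_COMMANDLINE."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [unquote(h) for h in lines[0].split(";")]
    records = []
    for ln in lines[1:]:
        cells = [unquote(c) for c in ln.split(";")]
        rec = {name: "" for name in header}  # every column present, even on short rows
        rec.update(zip(header, cells))
        records.append(rec)
    return records


def triage(text: str) -> dict:
    """Group records by PATH and collect, per object, what the scanner reported
    as hidden: the file itself, registry key/value, process, and driver
    dispatch (IRP) or system-call-table (SDT) hooks.  Several rows usually
    describe the same object, one per technique."""
    objects = {}
    for rec in parse_report(text):
        obj = objects.setdefault(rec["PATH"], {
            "hidden_file": False, "registry": [], "process": [],
            "irp_hooks": [], "sdt_hooks": []})
        if rec["HIDDEN"] == "TRUE":
            obj["hidden_file"] = True
        if rec["REGISTRY_KEY"]:
            obj["registry"].append((rec["REGISTRY_KEY"], rec["REGISTRY_VALUE"]))
        if rec["PROCESS_COMMANDLINE"]:
            obj["process"].append(rec["PROCESS_COMMANDLINE"])
        if rec["IRP_DRIVER"]:
            obj["irp_hooks"].append((rec["IRP_DRIVER"], rec["IRP_FUNCTION"]))
        if rec["SDT_FUN_NAME"]:
            obj["sdt_hooks"].append(rec["SDT_FUN_NAME"])
    return objects


def describe(text: str) -> list:
    """One human-readable line per object, suitable for pasting into a reply.
    The autorun/service wording is a heuristic on the key path (assumption)."""
    lines = []
    for path, obj in triage(text).items():
        parts = []
        if obj["hidden_file"]:
            parts.append("hidden file")
        for key, value in obj["registry"]:
            kind = ("autorun" if key.endswith("\\Run")
                    else "service" if "\\Services\\" in key else "registry")
            parts.append(f"hidden {kind} entry {key}" + (f"\\{value}" if value else ""))
        for cmd in obj["process"]:
            parts.append(f"hidden process {cmd}")
        for driver, func in obj["irp_hooks"]:
            parts.append(f"hooks {driver} {func}")
        for func in obj["sdt_hooks"]:
            parts.append(f"SDT hook {func}")
        lines.append(f"{path}: " + "; ".join(parts))
    return lines


if __name__ == "__main__":
    for line in describe(PANDA_REPORT):
        print(line)
```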
OK... all of those need to go. Run Panda Anti-Rootkit again as before. When the scan completes this time, check the box next to each of those entries and click Remove rootkits.
When that completes, reboot and run the sdfix.exe again.
Please post back THAT log. Thanks!
alconguy
14 Posts
0
September 9th, 2007 00:00
Message Edited by alconguy on 09-08-2007 09:07 PM
jefraz2003
29 Posts
0
September 9th, 2007 01:00
1972vet
3.3K Posts
0
September 9th, 2007 10:00
jefraz2003
29 Posts
0
September 10th, 2007 13:00
Scan saved at 10:35:04 AM, on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\txumdvuw.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCuw.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton 360\ScanStub.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://winsafesurf.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [lsass] svchost32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TP CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCuw.exe" -G:{2D617065-1C52-4240-B5BC-C0AE12157777} -T:Config
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [lsass] svchost32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee\McAfee Shared Components\Shredder 5\SHRED32.EXE" /q C:\DOCUME~1\JOEFRA~1\LOCALS~1\TEMPOR~1\Content.IE5\UJ0NLYVM\AIM_UA~1.SH! C:\DOCUME~1\JOEFRA~1\LOCALS~1\TEMPOR~1\Content.IE5\YFU3Y5M3\CAOLYTPM.SH! C:\DOCUME~1\JOEFRA~1\LOCALS~1\TEMPOR~1\Content.IE5\QHRC1CFQ\CA9O8N9P.SH!
O4 - HKUS\S-1-5-18\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = ?
O4 - Global Startup: PowerReg Scheduler.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk762LXUS
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: Security InfoCenter - {CEF2D273-7F43-4445-B9DF-FD095524C49F} - http://winsafesurf.com/ (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_98.dll' missing
O12 - Plugin for .xml: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://207.207.60.50/SiteRoots/main/Install/CentraDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: cFTVVCykuvN - {A487CC3A-0E2D-6690-3AF9-FB949BD9E8EF} - C:\WINDOWS\system32\xvrtd.dll (file missing)
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\system32\tfuo.dll (file missing)
O22 - SharedTaskScheduler: bedstead - {b23dc537-3e13-44c7-bf67-d8405eb377f7} - (no file)
O22 - SharedTaskScheduler: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\system32\tfuo.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\txumdvuw.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
End of file - 10780 bytes
1972vet
3.3K Posts
0
September 10th, 2007 23:00
Double click SDFix.exe and the files will be extracted to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Reboot the computer into Safe mode.
jefraz2003
29 Posts
0
September 11th, 2007 02:00
Scan saved at 11:02:01 PM, on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCuw.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\rundll32.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton 360\ScanStub.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://winsafesurf.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TP CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCuw.exe" -G:{2D617065-1C52-4240-B5BC-C0AE12157777} -T:Config
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [lsass] svchost32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee\McAfee Shared Components\Shredder 5\SHRED32.EXE" /q C:\DOCUME~1\JOEFRA~1\LOCALS~1\TEMPOR~1\Content.IE5\UJ0NLYVM\AIM_UA~1.SH! C:\DOCUME~1\JOEFRA~1\LOCALS~1\TEMPOR~1\Content.IE5\YFU3Y5M3\CAOLYTPM.SH! C:\DOCUME~1\JOEFRA~1\LOCALS~1\TEMPOR~1\Content.IE5\QHRC1CFQ\CA9O8N9P.SH!
O4 - HKUS\S-1-5-18\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = ?
O4 - Global Startup: PowerReg Scheduler.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk762LXUS
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: Security InfoCenter - {CEF2D273-7F43-4445-B9DF-FD095524C49F} - http://winsafesurf.com/ (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_98.dll' missing
O12 - Plugin for .xml: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://207.207.60.50/SiteRoots/main/Install/CentraDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: cFTVVCykuvN - {A487CC3A-0E2D-6690-3AF9-FB949BD9E8EF} - C:\WINDOWS\system32\xvrtd.dll (file missing)
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\system32\tfuo.dll (file missing)
O22 - SharedTaskScheduler: bedstead - {b23dc537-3e13-44c7-bf67-d8405eb377f7} - (no file)
O22 - SharedTaskScheduler: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\system32\tfuo.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
End of file - 10559 bytes
1972vet
3.3K Posts
0
September 11th, 2007 02:00
* Unzip it to your desktop and start gmer.exe
* Click the Rootkit tab.
* Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
* Click Scan.
* Once done, click the Copy button.
* This will copy the results to the clipboard. Paste the results in your next reply.
If you're having problems with running gmer.exe, try it in Safe Mode.
This tool works in Safe Mode; other rootkit revealers don't.
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
End of file - 10559 bytes
jefraz2003
29 Posts
0
September 11th, 2007 02:00
Checking Services:
core
DomainService
ICF
system32\drivers\core.sys
C:\WINDOWS\system32\txumdvuw.exe /service
C:\WINDOWS\system32\svchost.exe:exe.exe
DomainService - Deleted
ICF - Deleted
C:\WINDOWS\ServicePackFiles\i386\mswsock.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\dllcache\mswsock.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\dllcache\mswsock.dll
"C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys" 360448 01/13/2006 01:07 PM
"C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys" 360576 04/20/2006 08:18 AM
"C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys" 332928 09/03/2002 01:06 PM
"C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys" 359040 08/04/2004 02:14 AM
"C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys" 359808 05/25/2005 03:04 PM
"C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys" 359808 01/12/2006 10:28 PM
"C:\WINDOWS\ServicePackFiles\i386\tcpip.sys" 359040 08/04/2004 02:14 AM
"C:\WINDOWS\system32\dllcache\tcpip.sys" 375296 08/11/2007 04:14 PM
"C:\WINDOWS\system32\drivers\tcpip.sys" 375296 08/11/2007 04:14 PM
C:\WINDOWS\system32\drivers\tcpip.sys
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service
Normal Mode:
Checking Files:
C:\WINDOWS\SYSTEM32\184329~1.DLL - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun1.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun10.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun11.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun12.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun2.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun3.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun4.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun6.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun7.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun8.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun1.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun11.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun12.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun14.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun15.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun16.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun19.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun2.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun20.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun21.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun22.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun23.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun24.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun25.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun3.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun4.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun5.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun6.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun7.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun8.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\v3xd1.g22me - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\v4xd3.ga2me - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\v4xd6.gam5e - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\v5xd4.ga2me - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\v6xdt4.game - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\v3xd1.g22me - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\v4xd3.ga2me - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\v4xd6.gam5e - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\v5xd4.ga2me - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\v6xdt4.game - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\vx1dt3.game - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\vx3dt2.game - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\vx1dt3.game - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\vx3dt2.game - Deleted
C:\WINDOWS\system32\gmc.exe.exe - Deleted
C:\WINDOWS\ServicePackFiles\www.google.com\favicon.ico - Deleted
C:\WINDOWS\ServicePackFiles\www.google.com\index.html - Deleted
C:\WINDOWS\ServicePackFiles\www.google.com\thank.html - Deleted
C:\WINDOWS\ServicePackFiles\www.google.com\Google_files\hp0.gif - Deleted
C:\WINDOWS\ServicePackFiles\www.google.com\Google_files\hp1.gif - Deleted
C:\WINDOWS\ServicePackFiles\www.google.com\Google_files\hp2.gif - Deleted
C:\WINDOWS\ServicePackFiles\www.google.com\Google_files\hp3.gif - Deleted
C:\WINDOWS\ServicePackFiles\www.google.com\images\logo_sm.gif - Deleted
C:\Program Files\InetGet2\popinstall.exe - Deleted
C:\Program Files\WinPop\UnInstall.exe - Deleted
C:\Documents and Settings\All Users\Documents\Settings\partnership.dll - Deleted
C:\i - Deleted
C:\WINDOWS\csrss.exe - Deleted
C:\WINDOWS\ServicePackFiles\winlogon.exe - Deleted
C:\WINDOWS\spooldr.exe - Deleted
C:\WINDOWS\system32\cmd.com - Deleted
C:\WINDOWS\system32\dllh8jkd1q1.exe - Deleted
C:\WINDOWS\system32\dllh8jkd1q2.exe - Deleted
C:\WINDOWS\system32\dllh8jkd1q5.exe - Deleted
C:\WINDOWS\system32\dllh8jkd1q6.exe - Deleted
C:\WINDOWS\system32\dllh8jkd1q7.exe - Deleted
C:\WINDOWS\system32\dllh8jkd1q8.exe - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\drivers\fee - Deleted
C:\WINDOWS\system32\drivers\symavc32.sys - Deleted
C:\WINDOWS\system32\f06WtR\f06WtR1083.exe - Deleted
C:\WINDOWS\system32\install.exe - Deleted
C:\WINDOWS\system32\kernelwind32.exe - Deleted
C:\WINDOWS\system32\kr_done1 - Deleted
C:\WINDOWS\system32\ldinfo.ldr - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\mstdmc.exe - Deleted
C:\WINDOWS\system32\n.ini - Deleted
C:\WINDOWS\system32\netstat.com - Deleted
C:\WINDOWS\system32\ping.com - Deleted
C:\WINDOWS\system32\regedit.com - Deleted
C:\WINDOWS\system32\skna455101.exe - Deleted
C:\WINDOWS\system32\spoolsvv.exe - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\svrhost.exe - Deleted
C:\WINDOWS\system32\taskkill.com - Deleted
C:\WINDOWS\system32\tasklist.com - Deleted
C:\WINDOWS\system32\TISKY008.exe - Deleted
C:\WINDOWS\system32\tmpmpt1.tmp - Deleted
C:\WINDOWS\system32\tracert.com - Deleted
C:\WINDOWS\system32\vedxg3am1et3.exe - Deleted
C:\WINDOWS\system32\vedxg4am1et2.exe - Deleted
C:\WINDOWS\system32\vedxg6ame4.exe - Deleted
C:\WINDOWS\system32\vedxga3me2.exe - Deleted
C:\WINDOWS\system32\vedxga4m1et4.exe - Deleted
C:\WINDOWS\system32\vedxga5me3.exe - Deleted
C:\WINDOWS\system32\vx.tll - Deleted
C:\WINDOWS\system32\waverevenue.exe - Deleted
C:\WINDOWS\system32\WinCore32.exe - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted
C:\WINDOWS\Uninst2.htm - Deleted
C:\WINDOWS\Unist1.htm - Deleted
C:\WINDOWS\winvip.exe - Deleted
C:\WINDOWS\wr.txt - Deleted
Folder C:\Documents and Settings\All Users\Documents\Settings - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\WinPop - Removed
Folder C:\Temp\fse - Removed
Folder C:\WINDOWS\ServicePackFiles\www.google.com - Removed
Folder C:\WINDOWS\system32\f06WtR - Removed
Folder "C:\Documents and Settings\Joe Frazier\www.google.com" - Removed
No streams found.
No streams found.
: ADS Found!
svchost.exe: deleted 58880 bytes in 1 streams.
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
------------------
Rootkit Srizbi/Agent.EA Registry Value Detected, Use a Rootkit scanner !
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
---------------
C:\WINDOWS\system32\dlinsth.dll
C:\WINDOWS\system32\gebya.dll
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\sstqp.dll
C:\Documents and Settings\Joe Frazier\Application Data\U3\temp\Launchpad Removal.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\system32\msgnmsger.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
C:\Documents and Settings\LocalService\Local Settings\Temp\par60BF.tmp
C:\Documents and Settings\NetworkService\Local Settings\Temp\BIT21.tmp
C:\Documents and Settings\NetworkService\Local Settings\Temp\par60AB.tmp
C:\Documents and Settings\NetworkService\Local Settings\Temp\par6BAF.tmp
C:\Program Files\InterActual\InterActual Player\itiA.tmp
C:\WINDOWS\SoftwareDistribution\Download\02bf78654a17f7da57a4be756b6657c6\BIT156.tmp
C:\WINDOWS\SoftwareDistribution\Download\0bf48c56e2f3f29bfbf4f4fd00ad98dd\BIT159.tmp
C:\WINDOWS\SoftwareDistribution\Download\1ba295bef2d06eaaa6232f30382de26b\BIT153.tmp
C:\WINDOWS\SoftwareDistribution\Download\2a2715f6180c3bfa2a58178525f24c67\BIT158.tmp
C:\WINDOWS\SoftwareDistribution\Download\30e59c18bd4207d3aa8ebf77e5b45caa\BIT150.tmp
C:\WINDOWS\SoftwareDistribution\Download\4982a61e2216973813f44f56425bf3d9\BIT151.tmp
C:\WINDOWS\SoftwareDistribution\Download\723d12ccbc22f288fb53cd47a25782f9\BIT15B.tmp
C:\WINDOWS\SoftwareDistribution\Download\a0fe7704776ce2219611aa89e7b4dfca\BIT15A.tmp
C:\WINDOWS\SoftwareDistribution\Download\ae9bc65d0f581db8e80ca74b7951e935\BIT154.tmp
C:\WINDOWS\SoftwareDistribution\Download\dc6733dab87a46fa9320681df7d8d3c5\BIT152.tmp
C:\WINDOWS\SoftwareDistribution\Download\e7e98304794d11e8128641bb5cbd922c\BIT157.tmp
C:\WINDOWS\SoftwareDistribution\Download\f54d9f16cafb3a043d81262b001f62f8\BIT155.tmp
C:\WINDOWS\ServicePackFiles\8\livetri.zip
C:\WINDOWS\ServicePackFiles\8\norton$20antivirus_14.2_english_livetri.zip
jefraz2003
29 Posts
0
September 12th, 2007 01:00
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F8520AE0] Wpe29.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Control\GroupOrderList@System Reserved?Boot Bus Extender?System Bus Extender?SCSI miniport?Port?Primary Disk?SCSI Class?SCSI CDROM Class?FSFilter Infrastructure?FSFilter System?FSFilter Bottom?FSFilter Copy Protection?FSFilter Security Enhancer?FSFilter Open File?FSFilter Physical Quota Management?FSFilter Encryption?FSFilter Compression?FSFilter HSM?FSFilter Cluster File System?FSFilter System Recovery?FSFilter Quota Management?FSFilter Content Screener?FSFilter Continuous Backup?FSFilter Replication?FSFilter Anti-Virus?FSFilter Undelete?FSFilter Activity Monitor?FSFilter Top?Filter?Boot File System?Base?Pointer Port?Keyboard Port?Pointer Class?Keyboard Class?Video Init?Video?Video Save?File System?Event Log?Streams Drivers?NDIS Wrapper?COM Infrastructure?UIGroup?LocalValidation?PlugPlay?PNP_TDI?NDIS?TDI?NetBIOSGroup?ShellSvcGroup?SchedulerGroup?SpoolerGroup?AudioGroup?SmartCardGroup?NetworkProvider?RemoteValidation?NetDDEGroup?Parallel arbitrator?Extended Base?PCI Con 0x02 0x00 0x00 0x00 ...
jefraz2003
29 Posts
0
September 12th, 2007 01:00
ADS C:\System Volume Information\_restore{1F0DC798-E797-4DEA-801A-E0B5F9D68924}\RP1187\A0162908.exe:exe.exe
File C:\WINDOWS\system32\drivers\Wpe29.sys
jefraz2003
29 Posts
0
September 12th, 2007 01:00
Rootkit scan 2007-09-11 21:55:24
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.13 ----
Code Wpe29.sys ZwOpenKey
PAGE ntoskrnl.exe!ZwEnumerateKey
1972vet
3.3K Posts
0
September 12th, 2007 14:00
Download Panda Anti-Rootkit (AntiRootkit.Zip) v1.0.7:
- Create a folder called C:\PAVARK and extract Anti-Rootkit.zip to that folder.
- Close any other programs you have running, as this will require a reboot.
- Open Panda Anti-Rootkit by double-clicking its executable file (PAVARK.EXE).
- Accept the license agreement, and if Panda asks to update, allow it to do so.
- After updating, you should be running Panda ARK v. 1.08.
- Elect to do an in-depth scan by checking that option.
- Next, reboot so Panda can detect rootkit activity during system startup.
- When the scan completes, click the "Advanced Report" button.
- The "Advanced Report" display will show the location and file name of the rootkit(s) it found.
- When the scan completes, post back your results.
Thanks!
jefraz2003
29 Posts
0
September 13th, 2007 21:00
1972vet
3.3K Posts
0
September 14th, 2007 03:00
This time, check the box next to each of those entries and click Remove rootkits.
When that completes, reboot and run the sdfix.exe again.
Please post back THAT log. Thanks!