
Inactive win32 and now rootkit problem...

Discussion in 'Malware and Virus Removal Archive' started by lhang18, 2010/10/19.

  1. 2010/10/19
    lhang18

    lhang18 Inactive Thread Starter

    Joined:
    2010/10/19
    Messages:
    4
    Likes Received:
    0
    [Inactive] win32 and now rootkit problem...

    I am using Avira free antivirus, and before, it kept popping up on the screen that it had detected and removed win32... until yesterday, when a Sony digicam was plugged into my computer. The antivirus detected that the digicam was infected with a trojan... and now not only does win32 keep popping up, but it also says something about a rootkit... here's the DDS diagnostic on my computer...

    dds.txt

    DDS (Ver_10-10-10.03) - NTFSx86
    Run by lani at 10:16:36.60 on Wed 10/20/2010
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.504 [GMT 8:00]

    AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Avira FireWall *enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\VM303_STI.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\lani\My Documents\Downloads\dds.pif

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    uSearch Bar = hxxp://search.imesh.com/sidebar.html?src=ssb
    mDefault_Page_URL = hxxp://www.yahoo.com/
    mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    mSearchAssistant = hxxp://search.imesh.com/sidebar.html?src=ssb
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
    BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
    uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
    uRun: [EPSON Stylus Photo R230 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaip.exe /fu "c:\windows\temp\E_S8.tmp" /EF "HKCU "
    uRun: [Auto EPSON Stylus Photo R230 Series (Copy 2) on GEORGE] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaip.exe /fu "c:\windows\temp\E_SE2.tmp" /EF "HKCU "
    uRun: [Auto EPSON Stylus Photo R230 Series (Copy 1) on GEORGE] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaip.exe /fu "c:\windows\temp\E_SE4.tmp" /EF "HKCU "
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [\\GEORGE\EPSON Stylus Photo R230 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaip.exe /fu "c:\docume~1\lani\locals~1\temp\E_S51.tmp" /EF "HKCU "
    uRun: [\\GEORGE\EPSON Stylus Photo R230 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaip.exe /fu "c:\docume~1\lani\locals~1\temp\E_S54.tmp" /EF "HKCU "
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [api32] c:\docume~1\lani\locals~1\temp\apiqq.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe "
    mRun: [BigDog303] c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    StartupFolder: c:\docume~1\lani\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
    IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs:
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\lani\applic~1\mozilla\firefox\profiles\40e12jcw.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2077543&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - ToggleEN Customized Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2077543&SearchSource=13
    FF - prefs.js: keyword.URL - hxxp://ph.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=966134&p=
    FF - component: c:\documents and settings\lani\application data\mozilla\firefox\profiles\40e12jcw.default\extensions\{038cb5c7-48ea-4af9-94e0-a1646542e62b}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\lani\application data\mozilla\firefox\profiles\40e12jcw.default\extensions\{038cb5c7-48ea-4af9-94e0-a1646542e62b}\components\RadioWMPCore.dll
    FF - component: c:\documents and settings\lani\application data\mozilla\firefox\profiles\40e12jcw.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
    FF - component: c:\documents and settings\lani\application data\mozilla\firefox\profiles\40e12jcw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\documents and settings\lani\application data\mozilla\plugins\np-mswmp.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbaam7a8h ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgberp4a5d4ar ", true);

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-26 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-26 17744]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-26 40384]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-26 40384]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-26 40384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-18 135664]
    S2 ooisjm;Task System;c:\windows\system32\svchost.exe -k netsvcs [2004-8-12 14336]
    S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-23 207616]

    =============== Created Last 30 ================

    2010-10-20 02:15:24 -------- d--h--w- c:\windows\PIF
    2010-10-19 03:32:05 -------- d-----w- c:\docume~1\lani\applic~1\TeamViewer
    2010-10-19 03:32:01 -------- d-----w- c:\program files\TeamViewer
    2010-09-23 02:42:49 -------- d-----w- c:\docume~1\lani\applic~1\KodakCredentialStore
    2010-09-22 01:27:33 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2010-09-22 01:27:33 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2010-09-22 01:26:45 -------- d-----w- c:\program files\iPod
    2010-09-22 01:26:40 -------- d-----w- c:\program files\iTunes
    2010-09-22 01:26:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-09-22 01:25:31 -------- d-----w- c:\docume~1\lani\locals~1\applic~1\Apple
    2010-09-22 01:25:21 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2010-09-22 01:25:21 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
    2010-09-22 01:23:24 -------- d-----w- c:\program files\Conduit
    2010-09-22 01:23:24 -------- d-----w- c:\docume~1\lani\locals~1\applic~1\Conduit
    2010-09-22 01:23:23 -------- d-----w- c:\program files\ToggleEN

    ==================== Find3M ====================

    2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr
    2010-08-10 02:28:13 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-07-27 10:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-07-27 10:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe

    ============= FINISH: 10:16:55.54 ===============


    attach.txt

    DDS (Ver_10-10-10.03)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/23/2009 3:01:30 PM
    System Uptime: 10/20/2010 8:27:47 AM (2 hours ago)

    Motherboard: ASRock | | 945GCM-S
    Processor: Intel(R) Pentium(R) Dual CPU E2200 @ 2.20GHz | CPUSocket | 2193/200mhz
    Processor: Intel(R) Pentium(R) Dual CPU E2200 @ 2.20GHz | CPUSocket | 2193/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 59 GiB total, 40.057 GiB free.
    D: is FIXED (NTFS) - 90 GiB total, 72.705 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP77: 8/24/2010 12:25:54 PM - System Checkpoint
    RP78: 8/25/2010 10:54:46 AM - Removed QuickTime
    RP79: 8/26/2010 11:59:44 AM - Configured Print Creations
    RP80: 8/26/2010 12:00:06 PM - Configured Print Creations
    RP81: 8/26/2010 12:00:33 PM - Removed Print Creations
    RP82: 8/26/2010 12:01:42 PM - avast! Pro Antivirus Setup
    RP83: 8/26/2010 1:45:34 PM - avast! Free Antivirus Setup
    RP84: 8/27/2010 3:25:45 PM - System Checkpoint
    RP85: 8/28/2010 4:35:00 PM - System Checkpoint
    RP86: 8/31/2010 8:35:04 AM - System Checkpoint
    RP87: 9/1/2010 12:33:00 PM - System Checkpoint
    RP88: 9/2/2010 12:43:50 PM - System Checkpoint
    RP89: 9/3/2010 3:00:06 PM - System Checkpoint
    RP90: 9/4/2010 3:43:56 PM - System Checkpoint
    RP91: 9/6/2010 12:45:59 PM - System Checkpoint
    RP92: 9/7/2010 4:23:14 PM - System Checkpoint
    RP93: 9/13/2010 9:25:27 AM - System Checkpoint
    RP94: 9/14/2010 12:20:19 PM - System Checkpoint
    RP95: 9/15/2010 12:22:23 PM - System Checkpoint
    RP96: 9/16/2010 3:57:11 PM - System Checkpoint
    RP97: 9/18/2010 12:23:59 PM - System Checkpoint
    RP98: 9/20/2010 9:38:08 AM - System Checkpoint
    RP99: 9/21/2010 12:28:59 PM - System Checkpoint
    RP100: 9/22/2010 9:26:36 AM - Installed iTunes
    RP101: 9/23/2010 12:23:50 PM - System Checkpoint
    RP102: 9/24/2010 3:31:57 PM - System Checkpoint
    RP103: 9/25/2010 3:52:08 PM - System Checkpoint
    RP104: 9/27/2010 12:36:00 PM - System Checkpoint
    RP105: 9/28/2010 12:36:22 PM - System Checkpoint
    RP106: 9/29/2010 1:29:45 PM - System Checkpoint
    RP107: 9/30/2010 1:48:57 PM - System Checkpoint
    RP108: 10/1/2010 3:54:36 PM - System Checkpoint
    RP109: 10/4/2010 12:27:16 PM - System Checkpoint
    RP110: 10/6/2010 12:18:49 PM - System Checkpoint
    RP111: 10/7/2010 3:45:59 PM - System Checkpoint
    RP112: 10/9/2010 10:40:36 AM - System Checkpoint
    RP113: 10/11/2010 12:21:04 PM - System Checkpoint
    RP114: 10/12/2010 12:22:42 PM - System Checkpoint
    RP115: 10/13/2010 12:27:23 PM - System Checkpoint
    RP116: 10/14/2010 3:58:07 PM - System Checkpoint
    RP117: 10/15/2010 4:38:54 PM - System Checkpoint
    RP118: 10/18/2010 12:22:24 PM - System Checkpoint
    RP119: 10/19/2010 11:55:36 AM - Removed Bonjour
    RP120: 10/19/2010 11:56:08 AM - Removed Microsoft Silverlight
    RP121: 10/19/2010 1:17:08 PM - Removed QuickTime

    ==== Installed Programs ======================

    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge 1.0
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Common File Installer
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Help Center 1.0
    Adobe Help Viewer CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS2
    Adobe Photoshop CS3
    Adobe Reader 8.1.2
    Adobe Setup
    Adobe Stock Photos 1.0
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    avast! Free Antivirus
    BufferChm
    CCScore
    CustomerResearchQFolder
    DeviceDiscovery
    DeviceManagementQFolder
    dj_sf_software
    EPSON Easy Photo Print
    EPSON Print CD
    EPSON Printer Software
    EPSON Web-To-Page
    ESPR230 User's Guide
    ESSBrwr
    ESSCDBK
    ESScore
    ESSgui
    ESSini
    ESSPCD
    ESSPDock
    ESSTOOLS
    essvatgt
    eSupportQFolder
    fflink
    Google Chrome
    Google Update Helper
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB932716-v2)
    Hotfix for Windows XP (KB945060-v3)
    HP Customer Participation Program 9.0
    HP Imaging Device Functions 9.0
    HP Photosmart Essential 2.01
    HP Photosmart Essential2.01
    HP Smart Web Printing
    HP Solution Center 9.0
    HP Update
    HPProductAssistant
    HPSSupply
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Java(TM) 6 Update 17
    Kodak EasyShare software
    MarketResearch
    Microsoft .NET Framework 2.0
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office Professional Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.5.11)
    netbrdg
    OfotoXMI
    PanoStandAlone
    PDF Settings
    PSSWCORE
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    Realtek High Definition Audio Driver
    SFR
    SHASTA
    skin0001
    SKINXSDK
    Skype Toolbars
    Skype™ 4.2
    SolutionCenter
    SSC Service Utility v4.30
    staticcr
    Status
    TeamViewer 5
    TrayApp
    UnloadSupport
    Update for Windows XP (KB898461)
    VideoToolkit01
    VLC media player 0.9.9
    VPRINTOL
    WebFldrs XP
    Winamp
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player Firefox Plugin
    WinZip 14.0
    WIRELESS
    Yahoo! Messenger

    ==== Event Viewer Messages From Past Week ========

    10/19/2010 11:55:13 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments " " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    10/16/2010 8:19:09 AM, error: Service Control Manager [7023] - The Task System service terminated with the following error: The specified module could not be found.
    10/16/2010 8:19:07 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments " " in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
    10/15/2010 9:00:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402

    ==== End Of File ===========================
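    An analyst reading a DDS log like the one above looks first at two things: autorun entries whose executable lives in a temp directory, and services that DDS shows only as svchost.exe -k netsvcs, because for those the real code is a ServiceDll named in the registry, not in the log. The following Python is an added example written for this thread, not a tool from the forum or part of DDS; it applies those two checks to a constructed sample of lines copied from the log. The list of known netsvcs members and the temp-path markers are hand-maintained assumptions for Windows XP and are deliberately partial, so anything it flags is a candidate for manual review, not a verdict.

```python
import re

# Constructed sample input: autorun and service lines copied from the DDS log
# posted above (assumption: the format is stable across DDS versions).
SAMPLE_DDS = r"""uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [api32] c:\docume~1\lani\locals~1\temp\apiqq.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-18 135664]
S2 ooisjm;Task System;c:\windows\system32\svchost.exe -k netsvcs [2004-8-12 14336]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-26 165584]
"""

# "uRun"/"mRun" = per-user / per-machine Run keys: "uRun: [name] command"
RUN_RE = re.compile(r"^([um]Run):\s+\[([^\]]*)\]\s+(.*)$")
# Service lines: "<state> <short name>;<display name>;<image path> [date size]"
SVC_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)(?:\s+\[[^\]]*\])?$")
# First executable in a command string, quoted or not, even when the
# unquoted path contains spaces (we cut at the first executable extension).
IMAGE_RE = re.compile(r'^"?(.*?\.(?:exe|pif|scr|com|bat|cmd|dll))"?(?=\s|$)', re.IGNORECASE)

# Assumption: markers that identify a user or system temp directory in a
# DDS path (DDS prints short 8.3 names such as locals~1\temp).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

# Assumption: a partial allowlist of services that legitimately run inside
# the netsvcs svchost group on Windows XP. Unknown members get flagged.
KNOWN_NETSVCS = {
    name.lower() for name in (
        "wuauserv", "BITS", "Schedule", "Browser", "CryptSvc", "lanmanserver",
        "lanmanworkstation", "Themes", "ShellHWDetection", "SENS", "EventSystem",
        "AudioSrv", "dmserver", "ERSvc", "helpsvc", "Nla", "RasAuto", "RasMan",
        "SharedAccess", "TrkWks", "W32Time", "winmgmt", "wscsvc", "WZCSVC",
        "xmlprov", "Netman", "seclogon", "srservice", "TapiSrv", "AppMgmt",
        "FastUserSwitchingCompatibility", "HidServ", "Ntmssvc", "Remoteaccess",
    )
}


def extract_image(command):
    """Return the lower-cased executable path from a Run command string."""
    m = IMAGE_RE.match(command.strip())
    return (m.group(1) if m else command.strip()).lower()


def triage(dds_text):
    """Apply the two review heuristics to DDS autorun and service lines."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            _hive, name, command = m.groups()
            image = extract_image(command)
            if any(marker in image for marker in TEMP_MARKERS):
                findings.append({"severity": "high", "entry": name, "image": image,
                                 "reason": "autorun launches an executable from a temp directory"})
            elif "\\" not in image:
                # No directory at all: the loader resolves it via the search path,
                # so the on-disk location has to be confirmed by hand.
                findings.append({"severity": "info", "entry": name, "image": image,
                                 "reason": "bare file name resolved via the search path; verify its location"})
            continue
        m = SVC_RE.match(line)
        if m:
            _state, short, display, image = m.groups()
            image = image.lower()
            if "svchost.exe" in image and "-k netsvcs" in image and short.lower() not in KNOWN_NETSVCS:
                findings.append({"severity": "high", "entry": short, "image": image,
                                 "reason": f"unrecognised service '{display}' hosted in netsvcs; "
                                           "DDS shows only svchost.exe, inspect its ServiceDll value"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f['severity']}] {f['entry']}: {f['reason']} ({f['image']})")
```

Run against the sample, it reports the `api32` autorun in the user's temp folder and the `ooisjm` service as high-severity candidates and `RTHDCPL` as informational; the Skype, avast!, HP and Google entries pass both checks. The allowlist approach is intentionally conservative: a missing legitimate service produces a false positive that a reviewer dismisses in seconds, whereas a guessed "looks random" test would miss a service with a plausible name.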
     
  2. 2010/10/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    STEP 1. Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When the scan is completed, click the Save button, and save the results as gmer.log.
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.


    STEP 3. Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop.
    Open this report and post its content in your next reply.



    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     


  4. 2010/10/20
    lhang18

    lhang18 Inactive Thread Starter

    Joined:
    2010/10/19
    Messages:
    4
    Likes Received:
    0
    I have followed the instructions and here are the logs of GMER and MBRCheck; I wasn't able to save the log of MBAM....



    GMER 1.0.15.15477 - http://www.gmer.net
    Rootkit scan 2010-10-20 15:47:21
    Windows 5.1.2600 Service Pack 2
    Running: 2o7egees.exe; Driver: C:\DOCUME~1\lani\LOCALS~1\Temp\uxtdapod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xAA095CF0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xAA095BAC]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xAA096160]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xAA09608A]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xAA095782]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xAA095C86]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xAA0956C2]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xAA095726]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xAA095DA6]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xAA09622E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xAA095D66]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xAA095EE6]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xAA0A2BAE]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xAA0A29D2]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xAA0A2B0C]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    PAGE ntoskrnl.exe!ObInsertObject 8056EBBF 5 Bytes JMP AA09FFFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntoskrnl.exe!NtCreateSection 8056EE25 7 Bytes JMP AA0A29D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntoskrnl.exe!ZwCreateProcessEx 8058B5EC 7 Bytes JMP AA0A2BB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntoskrnl.exe!ObMakeTemporaryObject 805A9184 5 Bytes JMP AA09E5D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntoskrnl.exe!ZwLoadDriver 805AD35E 7 Bytes JMP AA0A2B10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    ? thtgbne.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1456] kernel32.dll!SetUnhandledExceptionFilter 7C810386 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtCreateFile + 6 7C90D688 4 Bytes [28, 00, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtCreateFile + B 7C90D68D 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 1 Byte [28]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 4 Bytes [28, 03, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtMapViewOfSection + B 7C90DC60 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenFile + 6 7C90DD03 4 Bytes [68, 00, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenFile + B 7C90DD08 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenProcess + 6 7C90DD81 4 Bytes [A8, 01, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenProcess + B 7C90DD86 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenProcessToken + 6 7C90DD96 4 Bytes CALL 7B90F39C
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenProcessToken + B 7C90DD9B 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenProcessTokenEx + 6 7C90DDAB 4 Bytes [A8, 02, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenProcessTokenEx + B 7C90DDB0 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenThread + 6 7C90DDFF 4 Bytes [68, 01, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenThread + B 7C90DE04 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenThreadToken + 6 7C90DE14 4 Bytes [68, 02, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenThreadToken + B 7C90DE19 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenThreadTokenEx + 6 7C90DE29 4 Bytes CALL 7B90F430
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenThreadTokenEx + B 7C90DE2E 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtQueryAttributesFile + 6 7C90DEE6 4 Bytes [A8, 00, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtQueryAttributesFile + B 7C90DEEB 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtQueryFullAttributesFile + 6 7C90DFB8 4 Bytes CALL 7B90F5BD
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtQueryFullAttributesFile + B 7C90DFBD 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtSetInformationFile + 6 7C90E5DF 4 Bytes [28, 01, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtSetInformationFile + B 7C90E5E4 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtSetInformationThread + 6 7C90E648 4 Bytes [28, 02, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtSetInformationThread + B 7C90E64D 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 1 Byte [68]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 4 Bytes [68, 03, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtUnmapViewOfSection + B 7C90E96B 1 Byte [E2]

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[748] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002
    IAT C:\WINDOWS\system32\services.exe[748] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6113A3BF] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61138FE2] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61138F66] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61138FA4] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [611390DD] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61138FA4] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61138FE2] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [611390A5] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61138F66] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1584] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6113A3BF] C:\Program Files\Yahoo!\Messenger\yui.dll

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- Services - GMER 1.0.15 ----

    Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] ooisjm <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\ooisjm@DisplayName Task System
    Reg HKLM\SYSTEM\CurrentControlSet\Services\ooisjm@Type 32
    Reg HKLM\SYSTEM\CurrentControlSet\Services\ooisjm@Start 2
    Reg HKLM\SYSTEM\CurrentControlSet\Services\ooisjm@ErrorControl 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\ooisjm@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg HKLM\SYSTEM\CurrentControlSet\Services\ooisjm@ObjectName LocalSystem
    Reg HKLM\SYSTEM\CurrentControlSet\Services\ooisjm@Description Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
    Reg HKLM\SYSTEM\CurrentControlSet\Services\ooisjm\Parameters
    Reg HKLM\SYSTEM\CurrentControlSet\Services\ooisjm\Parameters@ServiceDll C:\WINDOWS\system32\cbkzr.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\ooisjm@DisplayName Task System
    Reg HKLM\SYSTEM\ControlSet002\Services\ooisjm@Type 32
    Reg HKLM\SYSTEM\ControlSet002\Services\ooisjm@Start 2
    Reg HKLM\SYSTEM\ControlSet002\Services\ooisjm@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet002\Services\ooisjm@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg HKLM\SYSTEM\ControlSet002\Services\ooisjm@ObjectName LocalSystem
    Reg HKLM\SYSTEM\ControlSet002\Services\ooisjm@Description Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
    Reg HKLM\SYSTEM\ControlSet002\Services\ooisjm\Parameters (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\ooisjm\Parameters@ServiceDll C:\WINDOWS\system32\cbkzr.dll

    ---- EOF - GMER 1.0.15 ----



    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 2 (build 2600)
    Logical Drives Mask: 0x0000001d

    Kernel Drivers (total 118):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x80701000 \WINDOWS\system32\hal.dll
    0xF7AD7000 \WINDOWS\system32\KDCOM.DLL
    0xF79E7000 \WINDOWS\system32\BOOTVID.dll
    0xF75D7000 thtgbne.sys
    0xF7588000 ACPI.sys
    0xF7AD9000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7577000 pci.sys
    0xF75E7000 isapnp.sys
    0xF7B9F000 pciide.sys
    0xF7857000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF75F7000 MountMgr.sys
    0xF7558000 ftdisk.sys
    0xF7ADB000 dmload.sys
    0xF7532000 dmio.sys
    0xF785F000 PartMgr.sys
    0xF7607000 VolSnap.sys
    0xF751A000 atapi.sys
    0xF7617000 disk.sys
    0xF7627000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF74FB000 fltMgr.sys
    0xF74E9000 sr.sys
    0xF7637000 PxHelp20.sys
    0xF74D2000 KSecDD.sys
    0xF74BF000 WudfPf.sys
    0xF7432000 Ntfs.sys
    0xF7405000 NDIS.sys
    0xF73EA000 Mup.sys
    0xF77D7000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF5F3F000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
    0xF5F2B000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF5F06000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF5EEB000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
    0xF7937000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF5EC8000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF793F000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF7947000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xF5EB4000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF77E7000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF794F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF7957000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF77F7000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF7ABB000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xF7807000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF7817000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF5E91000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF7967000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0xF7C58000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF7827000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7ABF000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF5E7A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF7837000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF7847000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7977000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF5E69000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF7667000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF797F000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7987000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF5E38000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF6BD1000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7AFD000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF5E04000 \SystemRoot\system32\DRIVERS\update.sys
    0xF73C2000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF6BC1000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xAA2DF000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xAA2BD000 \SystemRoot\system32\drivers\portcls.sys
    0xF6BA1000 \SystemRoot\system32\drivers\drmk.sys
    0xF6B91000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7B11000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF799F000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0xF7B13000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7CBF000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7B15000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF79AF000 \SystemRoot\System32\drivers\vga.sys
    0xF7B17000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7B19000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF79B7000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF79BF000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7A8F000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xAA23A000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xAA1E2000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xAA1C1000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF6B71000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xF6B61000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xAA199000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xAA177000 \SystemRoot\System32\drivers\afd.sys
    0xF6B51000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xAA14B000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xAA0B4000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF7677000 \SystemRoot\System32\Drivers\Fips.SYS
    0xAA08D000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xF79DF000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xF7697000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xAA075000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7B1F000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF7897000 \SystemRoot\System32\watchdog.sys
    0xAA2A1000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7BD3000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF024000 \SystemRoot\System32\igxpgd32.dll
    0xBF012000 \SystemRoot\System32\igxprd32.dll
    0xBF04E000 \SystemRoot\System32\igxpdv32.DLL
    0xBF1CC000 \SystemRoot\System32\igxpdx32.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xAA29D000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xA9F51000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA9DB6000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xA97D9000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA9C46000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA957D000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xF7AFB000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xA9322000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA9101000 \SystemRoot\System32\Drivers\HTTP.sys
    0xF78C7000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0xA8CDE000 \??\C:\DOCUME~1\lani\LOCALS~1\Temp\uxtdapod.sys
    0xA8CB4000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 49):
    0 System Idle Process
    4 System
    632 C:\WINDOWS\system32\smss.exe
    680 csrss.exe
    704 C:\WINDOWS\system32\winlogon.exe
    748 C:\WINDOWS\system32\services.exe
    764 C:\WINDOWS\system32\lsass.exe
    928 C:\WINDOWS\system32\svchost.exe
    1000 svchost.exe
    1096 C:\WINDOWS\system32\svchost.exe
    1136 C:\WINDOWS\system32\svchost.exe
    1208 svchost.exe
    1268 svchost.exe
    1456 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    1668 C:\WINDOWS\explorer.exe
    1760 C:\WINDOWS\system32\igfxtray.exe
    1768 C:\WINDOWS\system32\hkcmd.exe
    1788 C:\WINDOWS\system32\igfxpers.exe
    1824 C:\WINDOWS\RTHDCPL.EXE
    1892 C:\Program Files\Winamp\winampa.exe
    1900 C:\WINDOWS\VM303_STI.EXE
    1948 C:\Program Files\Java\jre6\bin\jusched.exe
    1956 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    1964 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    1972 C:\Program Files\iTunes\iTunesHelper.exe
    2032 C:\Program Files\Messenger\msmsgs.exe
    128 C:\Program Files\Skype\Phone\Skype.exe
    204 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    212 C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    228 C:\Program Files\WinZip\WZQKPICK.EXE
    1216 C:\WINDOWS\system32\spoolsv.exe
    2088 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    2100 C:\Program Files\Bonjour\mDNSResponder.exe
    2140 C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
    2316 C:\WINDOWS\system32\svchost.exe
    2352 C:\Program Files\Java\jre6\bin\jqs.exe
    2440 C:\WINDOWS\system32\svchost.exe
    2984 C:\Program Files\iPod\bin\iPodService.exe
    3444 C:\WINDOWS\system32\wscntfy.exe
    3452 alg.exe
    1584 C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
    2228 C:\WINDOWS\system32\svchost.exe
    2388 C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
    3600 C:\Program Files\Java\jre6\bin\jucheck.exe
    3720 C:\Program Files\Google\Chrome\Application\chrome.exe
    3932 C:\Program Files\Google\Chrome\Application\chrome.exe
    3956 C:\Program Files\Google\Chrome\Application\chrome.exe
    2028 C:\WINDOWS\system32\notepad.exe
    940 C:\Documents and Settings\lani\My Documents\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000e`a609c000 (NTFS)

    PhysicalDrive0 Model Number: SAMSUNGHD161GJ, Rev: 1AC01118

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
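For readers working through this thread later, the GMER report above is the decisive evidence: a service (ooisjm) that only appears when the registry is read directly, hosted by svchost.exe in the netsvcs group, whose ServiceDll points at a randomly named DLL in system32, and whose Description is copied from a built-in Windows service. The following Python script is an added example of mine, not code from the thread, from GMER or from any of the tools mentioned; it parses GMER's Services and Registry lines into per-service records and applies those three checks. The sample text is constructed from the lines quoted in the post plus a made-up benign ExampleSvc entry, the known-good DLL list is a placeholder you would build from a clean reference machine, and the mapping of that Description string to the PolicyAgent service is my own knowledge of Windows XP, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed input in the shape of GMER's "Services" and "Registry" sections.
# The ooisjm lines are copied from the thread; ExampleSvc is a made-up benign
# control entry so the filter has something it must leave alone.
SAMPLE_GMER = r"""
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] ooisjm <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\ooisjm@DisplayName Task System
Reg HKLM\SYSTEM\CurrentControlSet\Services\ooisjm@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\ooisjm@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\ooisjm@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\ooisjm@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\ooisjm@Description Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
Reg HKLM\SYSTEM\CurrentControlSet\Services\ooisjm\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\ooisjm\Parameters@ServiceDll C:\WINDOWS\system32\cbkzr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\ooisjm\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc@DisplayName Example Service (constructed)
Reg HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters@ServiceDll C:\WINDOWS\system32\examplesvc.dll
"""

# Placeholder allowlist of ServiceDll paths; on a real case build it from a
# clean reference install of the same Windows version (assumption, not from the thread).
KNOWN_GOOD_SERVICE_DLLS = {r"C:\WINDOWS\system32\examplesvc.dll"}

# Description strings of built-in Windows XP services, keyed to the service that
# legitimately owns them. The IPSEC Services text belongs to PolicyAgent; a copy of
# it on a service with another name is a masquerading hint. My own XP knowledge.
BUILTIN_DESCRIPTIONS = {
    "Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.":
        "PolicyAgent",
}

# Reg HKLM\SYSTEM\<control set>\Services\<svc>[\Sub...][@<value name> <value>]
REG_LINE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>\w+)\\Services\\(?P<svc>[^\\@\s]+)"
    r"(?P<sub>(?:\\[^\\@\s]+)*)"
    r"(?:@(?P<name>\w+)\s+(?P<value>.*))?"
)
# Service <image> (*** hidden *** ) [<start>] <svc> ...
HIDDEN_LINE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+\(\*\*\* hidden \*\*\* ?\)\s+\[(?P<start>\w+)\]\s+(?P<svc>\S+)"
)


def parse_gmer(text):
    """Return ({(control_set, service): {value_name: value}}, {hidden service names})."""
    services = defaultdict(dict)
    hidden = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = HIDDEN_LINE.match(line)
        if m:
            hidden.add(m.group("svc"))
            continue
        m = REG_LINE.match(line)
        if m and m.group("name"):  # key-only lines carry no value to record
            services[(m.group("cs"), m.group("svc"))][m.group("name")] = m.group("value").strip()
    return dict(services), hidden


def assess(services, hidden, known_good_dlls):
    """Return {service: [reasons]} for active-control-set entries that look wrong."""
    allow = {d.lower() for d in known_good_dlls}
    findings = {}
    for (cs, name), vals in services.items():
        if cs != "CurrentControlSet":
            continue  # only the active control set is what runs at boot
        reasons = []
        if name in hidden:
            reasons.append("hidden from the service API, visible only by raw registry read")
        image = vals.get("ImagePath", "").lower()
        dll = vals.get("ServiceDll")
        if "svchost.exe" in image and dll and dll.lower() not in allow:
            reasons.append(f"svchost-hosted with ServiceDll outside the known-good list: {dll}")
        owner = BUILTIN_DESCRIPTIONS.get(vals.get("Description", ""))
        if owner and owner.lower() != name.lower():
            reasons.append(f"Description copied from built-in service {owner}")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    svcs, hid = parse_gmer(SAMPLE_GMER)
    for svc, why in assess(svcs, hid, KNOWN_GOOD_SERVICE_DLLS).items():
        print(svc)
        for reason in why:
            print("  -", reason)
```

Run on the sample, it reports ooisjm with all three reasons and says nothing about ExampleSvc. The hidden-service check needs GMER's own cross-view output; the other two checks work on any registry dump of the Services key, so they are the ones worth keeping in a triage kit.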
     
  5. 2010/10/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Explain, please.
     
  6. 2010/10/20
    lhang18

    lhang18 Inactive Thread Starter

    Joined:
    2010/10/19
    Messages:
    4
    Likes Received:
    0
    Thanks... here's the MBAM log



    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4888

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    10/20/2010 2:31:34 PM
    mbam-log-2010-10-20 (14-31-34).txt

    Scan type: Quick scan
    Objects scanned: 135643
    Time elapsed: 4 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 1
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\api32 (Spyware.OnlineGames) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\GQNY6NMN\ldfn[1].bmp (Worm.Conficker) -> Quarantined and deleted successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\V8WQ310D\ljnrtlar[1].gif (Worm.Conficker) -> Quarantined and deleted successfully.
     
  7. 2010/10/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  8. 2010/10/20
    lhang18

    lhang18 Inactive Thread Starter

    Joined:
    2010/10/19
    Messages:
    4
    Likes Received:
    0
    I have downloaded the file and scanned my computer using TDSSKiller and it says that no infected file was found... is my PC really virus and malware free now? Thanks by the way... here's the TDSSKiller log:


    2010/10/21 09:46:40.0078 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
    2010/10/21 09:46:40.0125 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/10/21 09:46:40.0156 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2010/10/21 09:46:40.0203 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/10/21 09:46:40.0218 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/10/21 09:46:40.0312 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/10/21 09:46:40.0375 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/10/21 09:46:40.0406 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/10/21 09:46:40.0421 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/10/21 09:46:40.0453 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/10/21 09:46:40.0500 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/10/21 09:46:40.0546 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
    2010/10/21 09:46:40.0593 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
    2010/10/21 09:46:40.0625 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2010/10/21 09:46:40.0671 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2010/10/21 09:46:40.0687 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/10/21 09:46:40.0703 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2010/10/21 09:46:40.0750 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2010/10/21 09:46:40.0765 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2010/10/21 09:46:40.0796 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2010/10/21 09:46:40.0828 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
    2010/10/21 09:46:40.0875 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/10/21 09:46:40.0890 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/10/21 09:46:40.0937 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/10/21 09:46:41.0015 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
    2010/10/21 09:46:41.0062 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    2010/10/21 09:46:41.0093 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2010/10/21 09:46:41.0109 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2010/10/21 09:46:41.0125 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2010/10/21 09:46:41.0171 ZSMC303 (07f90a3574769a28ad3f45ccc61394ec) C:\WINDOWS\system32\Drivers\usbVM303.sys
    2010/10/21 09:46:41.0328 ================================================================================
    2010/10/21 09:46:41.0328 Scan finished
    2010/10/21 09:46:41.0328 ================================================================================
     
  9. 2010/10/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good :)
    However, make sure you post complete logs in the future (TDSSKiller log is not complete).

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     