Inactive [InActive] Mirar ??!!

Discussion in 'Malware and Virus Removal Archive' started by phloggo, 2009/01/11.

  1. 2009/01/11
    phloggo

    I read through the posts and cannot fix this. Mostly due to the fact that I can't navigate to any anti-virus sites or download combofix. I was able to download RootRepeal.

    Here's the results:
    ROOTREPEAL (c) AD, 2007-2008
    ==================================================
    Scan Time: 2009/01/11 20:57
    Program Version: Version 1.2.3.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xF5208000 Size: 98304 File Visible: No
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF7A81000 Size: 8192 File Visible: No
    Status: -

    Name: PCI_PNP3214
    Image Path: \Driver\PCI_PNP3214
    Address: 0x00000000 Size: 0 File Visible: No
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xF29BB000 Size: 45056 File Visible: No
    Status: -

    Name: sptd
    Image Path: \Driver\sptd
    Address: 0x00000000 Size: 0 File Visible: No
    Status: -

    Name: spwi.sys
    Image Path: spwi.sys
    Address: 0xF740F000 Size: 1036288 File Visible: No
    Status: -

    Name: TDSSpplt.sys
    Image Path: C:\WINDOWS\system32\drivers\TDSSpplt.sys
    Address: 0xF54D7000 Size: 73728 File Visible: -
    Status: Hidden from Windows API!

    Hidden/Locked Files
    -------------------
    Path: C:\hiberfil.sys
    Status: Locked to the Windows API!

    Path: C:\WINDOWS\system32\TDSSarxx.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSdxcp.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSkkao.log
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSmtve.dat
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSnvuo.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSoity.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSvoqm.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\43d492b7-208c-4261-b25e-eb442dc76cd6.tmp
    Status: Allocation size mismatch (API: 65536, Raw: 0)

    Path: C:\WINDOWS\Temp\TDSS509b.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\TDSS5127.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\drivers\TDSSpplt.sys
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\drivers\d6701f53.sys
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgcore.log
    Status: Size mismatch (API: 965590, Raw: 964854)

    Path: C:\Documents and Settings\main\Local Settings\Temporary Internet Files\Content.IE5\826VJ0TE\lmb_iau_slowredtraffwatchbtngnpfpadbd15s40k_avg69mo_tp_1008_300x250[1].swf
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\main\Local Settings\Temporary Internet Files\Content.IE5\826VJ0TE\showFolder[2].htm
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\main\Local Settings\Temporary Internet Files\Content.IE5\C3F8HM6P\flash_activate[1].js
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\main\Local Settings\Temporary Internet Files\Content.IE5\C3F8HM6P\welcome[1].htm
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\main\Local Settings\Temporary Internet Files\Content.IE5\CCT2K4ZL\87712deb3cc8f2a8b01b89cdb7dcb631[1].swf
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\main\Local Settings\Temporary Internet Files\Content.IE5\CCT2K4ZL\index[5].htm
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\main\Local Settings\Temporary Internet Files\Content.IE5\CCT2K4ZL\showMessage[1].htm
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\main\Local Settings\Temporary Internet Files\Content.IE5\KI6G7AB9\_ain8v9eaaovtswqwgaeybw9qqma%2C1_91099_aiz8v9eaajerswqwdalixgaes0s%2C1_90493_aif8v9eaarhqswqcvwxap1wcwlk%2C1_89876_ain8v9eaakhdswprraaf5hskave%2C,;ord=1231725640[1]
    Status: Visible to the Windows API, but not on disk.

    SSDT
    -------------------
    #: 035 Function Name: NtCreateEvent
    Status: Hooked by "C:\WINDOWS\System32\drivers\d6701f53.sys" at address 0xf7696215

    #: 041 Function Name: NtCreateKey
    Status: Hooked by "C:\WINDOWS\System32\drivers\d6701f53.sys" at address 0xf7694305

    #: 071 Function Name: NtEnumerateKey
    Status: Hooked by "spwi.sys" at address 0xf742dca2

    #: 073 Function Name: NtEnumerateValueKey
    Status: Hooked by "spwi.sys" at address 0xf742e030

    #: 119 Function Name: NtOpenKey
    Status: Hooked by "C:\WINDOWS\System32\drivers\d6701f53.sys" at address 0xf76943b9

    #: 160 Function Name: NtQueryKey
    Status: Hooked by "spwi.sys" at address 0xf742e108

    #: 177 Function Name: NtQueryValueKey
    Status: Hooked by "spwi.sys" at address 0xf742df88

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "spwi.sys" at address 0xf742e19a

    Stealth Objects
    -------------------
    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: winlogon.exe (PID: 648) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: services.exe (PID: 696) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: lsass.exe (PID: 716) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: svchost.exe (PID: 884) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSoity.dll]
    Process: svchost.exe (PID: 884) Address: 0x00990000 Size: 81920

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: svchost.exe (PID: 1028) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: Explorer.EXE (PID: 1496) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: spoolsv.exe (PID: 1532) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: lxcrmon.exe (PID: 1972) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: ezprint.exe (PID: 1988) Address: 0x00b80000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: jusched.exe (PID: 168) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: PWRISOVM.EXE (PID: 184) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: winampa.exe (PID: 256) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: msmsgs.exe (PID: 880) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: svchost.exe (PID: 1256) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: sqlwriter.exe (PID: 1176) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: ctfmon.exe (PID: 1208) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: btdna.exe (PID: 1348) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: svchost.exe (PID: 1056) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: avgtray.exe (PID: 2444) Address: 0x00a70000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: taskmgr.exe (PID: 3332) Address: 0x008d0000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: wscntfy.exe (PID: 2184) Address: 0x007e0000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: rundll32.exe (PID: 1560) Address: 0x009c0000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: rundll32.exe (PID: 2496) Address: 0x00ad0000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: avgscanx.exe (PID: 3284) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: avgwdsvc.exe (PID: 2580) Address: 0x003e0000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: avgrsx.exe (PID: 3996) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: csrssc.exe (PID: 1836) Address: 0x00910000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: RootRepeal.exe (PID: 3776) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: iexplore.exe (PID: 292) Address: 0x00ad0000 Size: 126976

    Object: Hidden Module [Name: TDSSnvuo.dll]
    Process: aAvgApi.exe (PID: 852) Address: 0x009a0000 Size: 126976

    Object: Hidden Code [ETHREAD: 0x82c9eb60]
    Process: System Address: 0xf54d9d66 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
    Process: System Address: 0x82f6f1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
    Process: System Address: 0x82f6f1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
    Process: System Address: 0x82f6f1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x82f6f1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x82f6f1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
    Process: System Address: 0x82f6f1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
    Process: System Address: 0x82f6f1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x82f6f1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x82f6f1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x82f6f1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x82f6f1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x82f6f1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82f6f1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x82f6f1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x82f6f1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
    Process: System Address: 0x82f6f1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0x82f6f1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
    Process: System Address: 0x82f6f1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0x82f6f1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
    Process: System Address: 0x82f6f1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
    Process: System Address: 0x82f6f1f8 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
    Process: System Address: 0x82b5c500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
    Process: System Address: 0x82b5c500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
    Process: System Address: 0x82b5c500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
    Process: System Address: 0x82b5c500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x82b5c500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x82b5c500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
    Process: System Address: 0x82b5c500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
    Process: System Address: 0x82b5c500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x82b5c500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x82b5c500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x82b5c500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x82b5c500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x82b5c500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82b5c500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x82b5c500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x82b5c500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
    Process: System Address: 0x82b5c500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
    Process: System Address: 0x82b5c500 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
    Process: System Address: 0x82c62390 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
    Process: System Address: 0x82c62390 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
    Process: System Address: 0x82c62390 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
    Process: System Address: 0x82c62390 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x82c62390 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82c62390 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x82c62390 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x82c62390 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
    Process: System Address: 0x82c62390 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x82c62390 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
    Process: System Address: 0x82c62390 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
    Process: System Address: 0x82fdc1f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
    Process: System Address: 0x82fdc1f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
    Process: System Address: 0x82fdc1f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
    Process: System Address: 0x82fdc1f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x82fdc1f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82fdc1f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x82fdc1f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x82fdc1f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
    Process: System Address: 0x82fdc1f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x82fdc1f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
    Process: System Address: 0x82fdc1f8 Size: -

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
    Process: System Address: 0x82e191f8 Size: -

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
    Process: System Address: 0x82e191f8 Size: -

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82e191f8 Size: -

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x82e191f8 Size: -

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
    Process: System Address: 0x82e191f8 Size: -

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x82e191f8 Size: -

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
    Process: System Address: 0x82e191f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
    Process: System Address: 0x82f711f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
    Process: System Address: 0x82f711f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
    Process: System Address: 0x82f711f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x82f711f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82f711f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x82f711f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x82f711f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
    Process: System Address: 0x82f711f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
    Process: System Address: 0x82f711f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x82f711f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
    Process: System Address: 0x82f711f8 Size: -

    Object: Hidden Code [Driver: WINDOWS, IRP_MJ_CREATE]
    Process: System Address: 0x82e40500 Size: -

    Object: Hidden Code [Driver: WINDOWS, IRP_MJ_CLOSE]
    Process: System Address: 0x82e40500 Size: -

    Object: Hidden Code [Driver: WINDOWS, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82e40500 Size: -

    Object: Hidden Code [Driver: WINDOWS, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x82e40500 Size: -

    Object: Hidden Code [Driver: WINDOWS, IRP_MJ_POWER]
    Process: System Address: 0x82e40500 Size: -

    Object: Hidden Code [Driver: WINDOWS, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x82e40500 Size: -

    Object: Hidden Code [Driver: WINDOWS, IRP_MJ_PNP]
    Process: System Address: 0x82e40500 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
    Process: System Address: 0x82cac500 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
    Process: System Address: 0x82cac500 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82cac500 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x82cac500 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
    Process: System Address: 0x82cac500 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
    Process: System Address: 0x82cac500 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
    Process: System Address: 0x82c94338 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
    Process: System Address: 0x82c94338 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82c94338 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x82c94338 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
    Process: System Address: 0x82c94338 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x82c94338 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
    Process: System Address: 0x82c94338 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
    Process: System Address: 0x82b2e1f8 Size: -

    Object: Hidden Code [Driver: CdfsЅః瑎て, IRP_MJ_CREATE]
    Process: System Address: 0x82b50500 Size: -

    Object: Hidden Code [Driver: CdfsЅః瑎て, IRP_MJ_CLOSE]
    Process: System Address: 0x82b50500 Size: -

    Object: Hidden Code [Driver: CdfsЅః瑎て, IRP_MJ_READ]
    Process: System Address: 0x82b50500 Size: -

    Object: Hidden Code [Driver: CdfsЅః瑎て, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x82b50500 Size: -

    Object: Hidden Code [Driver: CdfsЅః瑎て, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x82b50500 Size: -

    Object: Hidden Code [Driver: CdfsЅః瑎て, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x82b50500 Size: -

    Object: Hidden Code [Driver: CdfsЅః瑎て, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x82b50500 Size: -

    Object: Hidden Code [Driver: CdfsЅః瑎て, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x82b50500 Size: -

    Object: Hidden Code [Driver: CdfsЅః瑎て, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82b50500 Size: -

    Object: Hidden Code [Driver: CdfsЅః瑎て, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x82b50500 Size: -

    Object: Hidden Code [Driver: CdfsЅః瑎て, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x82b50500 Size: -

    Object: Hidden Code [Driver: CdfsЅః瑎て, IRP_MJ_CLEANUP]
    Process: System Address: 0x82b50500 Size: -

    Object: Hidden Code [Driver: CdfsЅః瑎て, IRP_MJ_PNP]
    Process: System Address: 0x82b50500 Size: -

    Hidden Services
    -------------------
    Service Name: d6701f53
    Image Path: C:\WINDOWS\System32\drivers\d6701f53.sys

    Service Name: TDSSserv.sys
    Image Path: C:\WINDOWS\system32\drivers\TDSSpplt.sys
     
  2. 2009/01/11
    phloggo

    Also, there was a fake security center. Complete with a shield in the tray. I can't update AVG. And I no longer have administrator privileges to run regedit. Can't open hard drives unless I right-click and choose explore. Excuse me for being brief, only a few keystrokes are displayed when I type. This took 10 minutes to type.
     

  4. 2009/01/11
    noahdfear

    Welcome to WindowsBBS phloggo :)

    Open RootRepeal again and select the drivers tab then click scan.
    Right click each of the following files and select in order
    • Dump File
    • Force Delete

    Reboot and run the RootRepeal Drivers scan again.
    If the files remain, right click and select
    • Wipe File
    Restart once more and verify the files are gone.

    Try downloading ComboFix once more and run as instructed below.

    Download ComboFix by sUBs from here, saving the file to your desktop.


    Disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    **NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.
     
  5. 2009/01/11
    noahdfear

    Just realized I forgot to list the files. :eek:

    C:\WINDOWS\system32\drivers\TDSSpplt.sys
    C:\WINDOWS\system32\drivers\d6701f53.sys
     
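As an added example (not part of this thread, and not RootRepeal's own code), the triage a helper does by eye on the report in the first post can be scripted: parse the report's sections, list what is hidden from the Windows API, and flag a hidden service whose image file also hooks the SSDT, which is how the two driver files named above stand out. The sample report is constructed from excerpts of that log, and the allowlist entry for spwi.sys is an assumption a reviewer would confirm before relying on it.

```python
"""Triage a RootRepeal text report: extract the indicators a malware-removal helper
looks for (hidden drivers/files/services, SSDT hooks, injected modules) and correlate them."""
import re
from collections import defaultdict

# Constructed sample: excerpts of the report posted above (raw string keeps the paths).
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2008

Drivers
-------------------
Name: TDSSpplt.sys
Image Path: C:\WINDOWS\system32\drivers\TDSSpplt.sys
Address: 0xF54D7000 Size: 73728 File Visible: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\TDSSnvuo.dll
Status: Invisible to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\drivers\d6701f53.sys" at address 0xf7694305

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spwi.sys" at address 0xf742dca2

Stealth Objects
-------------------
Object: Hidden Module [Name: TDSSnvuo.dll]
Process: winlogon.exe (PID: 648) Address: 0x10000000 Size: 126976

Hidden Services
-------------------
Service Name: d6701f53
Image Path: C:\WINDOWS\System32\drivers\d6701f53.sys

Service Name: TDSSserv.sys
Image Path: C:\WINDOWS\system32\drivers\TDSSpplt.sys
"""

# Several fields share one line; the lookbehind keeps "[Name: ...]" inside an Object value intact.
FIELD_RE = re.compile(r'(?<!\S)(#|Name|Image Path|Address|Size|File Visible|Status|'
                      r'Path|Function Name|Object|Process|Service Name): ')

def parse_report(text):
    """Return {section: [record, ...]}, each record a dict of field -> value."""
    lines = [l.strip() for l in text.splitlines()]
    sections, section, record = defaultdict(list), None, {}
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and re.fullmatch(r'-{5,}', lines[i + 1]):  # name precedes a dashed rule
            section = line
            continue
        if not line or re.fullmatch(r'[-=]{5,}', line):   # record separator or rule
            if record:
                sections[section].append(record)
                record = {}
            continue
        if section is None:                      # report header, no section yet
            continue
        parts = FIELD_RE.split(line)
        for key, val in zip(parts[1::2], parts[2::2]):
            record[key] = val.strip()
    if record:
        sections[section].append(record)
    return sections

# Assumption: sptd (disc-emulation driver) hooks registry calls legitimately; the report lists spwi.sys beside it.
ALLOWLIST = frozenset({'spwi.sys'})

def triage(sections, allowlist=frozenset()):
    """Correlate the sections; allowlist holds vetted hooking modules (lower-case basenames)."""
    base = lambda p: p.rsplit('\\', 1)[-1].lower()
    hidden_drivers = sorted(r['Name'] for r in sections.get('Drivers', []) if 'Hidden' in r.get('Status', ''))
    hidden_files = sorted(r['Path'] for r in sections.get('Hidden/Locked Files', [])
                          if r.get('Status', '').startswith('Invisible'))
    services = {r['Service Name']: r['Image Path'] for r in sections.get('Hidden Services', [])}
    hooks = defaultdict(list)                    # hooking module -> hooked Nt* functions
    for r in sections.get('SSDT', []):
        m = re.search(r'Hooked by "([^"]+)"', r.get('Status', ''))
        if m:
            hooks[base(m.group(1))].append(r['Function Name'])
    injected = defaultdict(set)                  # hidden DLL -> processes it was found in
    for r in sections.get('Stealth Objects', []):
        m = re.match(r'Hidden Module \[Name: ([^\]]+)\]', r.get('Object', ''))
        if m:
            injected[m.group(1)].add(r['Process'].split(' (')[0])
    # Strongest signal: a hidden service whose image file also hooks the SSDT.
    rootkit_drivers = sorted(base(p) for p in services.values() if base(p) in hooks)
    return {'hidden_drivers': hidden_drivers, 'hidden_files': hidden_files,
            'hidden_services': services,
            'suspicious_hooks': {m: f for m, f in hooks.items() if m not in allowlist},
            'injected_modules': {d: sorted(p) for d, p in injected.items()},
            'rootkit_drivers': rootkit_drivers}

if __name__ == '__main__':
    for key, val in triage(parse_report(SAMPLE_REPORT), ALLOWLIST).items():
        print(f'{key}: {val}')
```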
  6. 2009/01/12
    phloggo

    Thanks. Going to do that now. I remembered some other things I didn't mention earlier. For 2-3 days, there were little black dots around the cursor. It started w/ one, then two, then a bunch. Also, there was an asterisk in the C of COMPAQ on startup the first time there were real problems. That was today.
     
  7. 2009/01/12
    phloggo

    Thanks Dave.
    OK, I dumped & force deleted the first file. But I couldn't find "C:\WINDOWS\system32\drivers\d6701f53.sys" anywhere. I'm typing this before the restart and I can almost go at normal speed.

    Thanks, Brian.
     
  8. 2009/01/12
    phloggo

    C:\WINDOWS\system32\drivers\TDSSpplt.sys appears to be gone. I still can't download combofix. I can see the file download box just long enough to tell it was there. I tried downloading malwarebytes from cnet & was redirected to the next one on the site. I have HJT now if that helps any.
     
  9. 2009/01/12
    noahdfear

    Please run RootRepeal again.
    Select the Report tab and click scan.
    Check all boxes then click OK.
    Click scan once again.
    When it completes save the report and post it here.
     
  10. 2009/01/12
    phloggo

    Here's the report. I installed Ad-Aware and quarantined Mirar and several others just now. Hooray! AVG is updating! Going to try downloading ComboFix after restart.

    ROOTREPEAL (c) AD, 2007-2008
    ==================================================
    Scan Time: 2009/01/12 13:19
    Program Version: Version 1.2.3.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: ACPI.sys
    Image Path: ACPI.sys
    Address: 0xF73C9000 Size: 187776 File Visible: -
    Status: -

    Name: ACPI_HAL
    Image Path: \Driver\ACPI_HAL
    Address: 0x804D7000 Size: 2189184 File Visible: -
    Status: -

    Name: afd.sys
    Image Path: C:\WINDOWS\System32\drivers\afd.sys
    Address: 0xF5142000 Size: 138496 File Visible: -
    Status: -

    Name: aja9roir.SYS
    Image Path: C:\WINDOWS\System32\Drivers\aja9roir.SYS
    Address: 0xF676E000 Size: 413696 File Visible: -
    Status: -

    Name: amdk7.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\amdk7.sys
    Address: 0xF76DD000 Size: 37760 File Visible: -
    Status: -

    Name: atapi.sys
    Image Path: atapi.sys
    Address: 0xF735B000 Size: 98304 File Visible: -
    Status: -

    Name: atapi.sys
    Image Path: atapi.sys
    Address: 0x00000000 Size: 0 File Visible: -
    Status: -

    Name: audstub.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys
    Address: 0xF7B72000 Size: 3072 File Visible: -
    Status: -

    Name: avgldx86.sys
    Image Path: C:\WINDOWS\System32\Drivers\avgldx86.sys
    Address: 0xF4FF2000 Size: 91264 File Visible: -
    Status: -

    Name: avgmfx86.sys
    Image Path: C:\WINDOWS\System32\Drivers\avgmfx86.sys
    Address: 0xF78ED000 Size: 20160 File Visible: -
    Status: -

    Name: Beep.SYS
    Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
    Address: 0xF7A59000 Size: 4224 File Visible: -
    Status: -

    Name: BOOTVID.dll
    Image Path: C:\WINDOWS\system32\BOOTVID.dll
    Address: 0xF793D000 Size: 12288 File Visible: -
    Status: -

    Name: Cdfs.SYS
    Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
    Address: 0xF765D000 Size: 63744 File Visible: -
    Status: -

    Name: cdrom.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
    Address: 0xF770D000 Size: 62976 File Visible: -
    Status: -

    Name: CLASSPNP.SYS
    Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    Address: 0xF756D000 Size: 53248 File Visible: -
    Status: -

    Name: disk.sys
    Image Path: disk.sys
    Address: 0xF755D000 Size: 36352 File Visible: -
    Status: -

    Name: dmio.sys
    Image Path: dmio.sys
    Address: 0xF7373000 Size: 153344 File Visible: -
    Status: -

    Name: dmload.sys
    Image Path: dmload.sys
    Address: 0xF7A33000 Size: 5888 File Visible: -
    Status: -

    Name: drmk.sys
    Image Path: C:\WINDOWS\system32\drivers\drmk.sys
    Address: 0xF773D000 Size: 61440 File Visible: -
    Status: -

    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xF4F12000 Size: 98304 File Visible: No
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF7A5F000 Size: 8192 File Visible: No
    Status: -

    Name: Dxapi.sys
    Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
    Address: 0xF5112000 Size: 12288 File Visible: -
    Status: -

    Name: dxg.sys
    Image Path: C:\WINDOWS\System32\drivers\dxg.sys
    Address: 0xBF000000 Size: 73728 File Visible: -
    Status: -

    Name: dxgthk.sys
    Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
    Address: 0xF7C6E000 Size: 4096 File Visible: -
    Status: -

    Name: Fastfat.SYS
    Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
    Address: 0xF31F8000 Size: 143744 File Visible: -
    Status: -

    Name: fdc.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys
    Address: 0xF783D000 Size: 27392 File Visible: -
    Status: -

    Name: Fips.SYS
    Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
    Address: 0xF761D000 Size: 44544 File Visible: -
    Status: -

    Name: flpydisk.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
    Address: 0xF78BD000 Size: 20480 File Visible: -
    Status: -

    Name: fltmgr.sys
    Image Path: fltmgr.sys
    Address: 0xF733B000 Size: 129792 File Visible: -
    Status: -

    Name: Fs_Rec.SYS
    Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
    Address: 0xF7A57000 Size: 7936 File Visible: -
    Status: -

    Name: ftdisk.sys
    Image Path: ftdisk.sys
    Address: 0xF7399000 Size: 125056 File Visible: -
    Status: -

    Name: hal.dll
    Image Path: C:\WINDOWS\system32\hal.dll
    Address: 0x806EE000 Size: 131840 File Visible: -
    Status: -

    Name: hardlock.sys
    Image Path: C:\WINDOWS\system32\drivers\hardlock.sys
    Address: 0xF321C000 Size: 676864 File Visible: -
    Status: -

    Name: Haspnt.sys
    Image Path: C:\WINDOWS\system32\drivers\Haspnt.sys
    Address: 0xF3F2A000 Size: 47616 File Visible: -
    Status: -

    Name: HIDCLASS.SYS
    Image Path: C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS
    Address: 0xF764D000 Size: 36864 File Visible: -
    Status: -

    Name: HIDPARSE.SYS
    Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
    Address: 0xF78CD000 Size: 28672 File Visible: -
    Status: -

    Name: hidusb.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\hidusb.sys
    Address: 0xF513E000 Size: 10368 File Visible: -
    Status: -

    Name: HTTP.sys
    Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
    Address: 0xF2855000 Size: 264832 File Visible: -
    Status: -

    Name: i8042prt.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
    Address: 0xF76FD000 Size: 52480 File Visible: -
    Status: -

    Name: imapi.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
    Address: 0xF772D000 Size: 42112 File Visible: -
    Status: -

    Name: ipnat.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys
    Address: 0xF5009000 Size: 152832 File Visible: -
    Status: -

    Name: ipsec.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys
    Address: 0xF51E5000 Size: 75264 File Visible: -
    Status: -

    Name: isapnp.sys
    Image Path: isapnp.sys
    Address: 0xF752D000 Size: 37248 File Visible: -
    Status: -

    Name: kbdclass.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
    Address: 0xF784D000 Size: 24576 File Visible: -
    Status: -

    Name: kbdhid.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    Address: 0xF5132000 Size: 14592 File Visible: -
    Status: -

    Name: KDCOM.DLL
    Image Path: C:\WINDOWS\system32\KDCOM.DLL
    Address: 0xF7A2D000 Size: 8192 File Visible: -
    Status: -

    Name: kmixer.sys
    Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
    Address: 0xF0264000 Size: 172416 File Visible: -
    Status: -

    Name: ks.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\ks.sys
    Address: 0xF6E64000 Size: 143360 File Visible: -
    Status: -

    Name: KSecDD.sys
    Image Path: KSecDD.sys
    Address: 0xF7312000 Size: 92288 File Visible: -
    Status: -

    Name: mnmdd.SYS
    Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
    Address: 0xF7A5B000 Size: 4224 File Visible: -
    Status: -

    Name: Modem.SYS
    Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
    Address: 0xF781D000 Size: 30080 File Visible: -
    Status: -

    Name: mouclass.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
    Address: 0xF7845000 Size: 23040 File Visible: -
    Status: -

    Name: MountMgr.sys
    Image Path: MountMgr.sys
    Address: 0xF753D000 Size: 42368 File Visible: -
    Status: -

    Name: mrxdav.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
    Address: 0xF32EA000 Size: 180608 File Visible: -
    Status: -

    Name: mrxsmb.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
    Address: 0xF502F000 Size: 455296 File Visible: -
    Status: -

    Name: Msfs.SYS
    Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
    Address: 0xF78DD000 Size: 19072 File Visible: -
    Status: -

    Name: msgpc.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys
    Address: 0xF777D000 Size: 35072 File Visible: -
    Status: -

    Name: mssmbios.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
    Address: 0xF79D1000 Size: 15488 File Visible: -
    Status: -

    Name: Mup.sys
    Image Path: Mup.sys
    Address: 0xF7148000 Size: 105344 File Visible: -
    Status: -

    Name: NDIS.sys
    Image Path: NDIS.sys
    Address: 0xF7258000 Size: 182656 File Visible: -
    Status: -

    Name: ndistapi.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
    Address: 0xF710C000 Size: 10112 File Visible: -
    Status: -

    Name: ndisuio.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
    Address: 0xF3F86000 Size: 14592 File Visible: -
    Status: -

    Name: ndiswan.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
    Address: 0xF64A7000 Size: 91520 File Visible: -
    Status: -

    Name: NDProxy.SYS
    Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
    Address: 0xF779D000 Size: 40576 File Visible: -
    Status: -

    Name: netbios.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys
    Address: 0xF75ED000 Size: 34688 File Visible: -
    Status: -

    Name: netbt.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys
    Address: 0xF5164000 Size: 162816 File Visible: -
    Status: -

    Name: Npfs.SYS
    Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
    Address: 0xF78E5000 Size: 30848 File Visible: -
    Status: -

    Name: Ntfs.sys
    Image Path: Ntfs.sys
    Address: 0xF7285000 Size: 574976 File Visible: -
    Status: -

    Name: ntoskrnl.exe
    Image Path: C:\WINDOWS\system32\ntoskrnl.exe
    Address: 0x804D7000 Size: 2189184 File Visible: -
    Status: -

    Name: Null.SYS
    Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
    Address: 0xF7B77000 Size: 2944 File Visible: -
    Status: -

    Name: nv4_disp.dll
    Image Path: C:\WINDOWS\System32\nv4_disp.dll
    Address: 0xBF012000 Size: 4276224 File Visible: -
    Status: -

    Name: nv4_mini.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    Address: 0xF6F30000 Size: 1897408 File Visible: -
    Status: -

    Name: parport.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys
    Address: 0xF6E87000 Size: 80128 File Visible: -
    Status: -

    Name: PartMgr.sys
    Image Path: PartMgr.sys
    Address: 0xF77B5000 Size: 19712 File Visible: -
    Status: -

    Name: ParVdm.SYS
    Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
    Address: 0xF7AF1000 Size: 6784 File Visible: -
    Status: -

    Name: pci.sys
    Image Path: pci.sys
    Address: 0xF73B8000 Size: 68224 File Visible: -
    Status: -

    Name: PCI_PNP3054
    Image Path: \Driver\PCI_PNP3054
    Address: 0x00000000 Size: 0 File Visible: No
    Status: -

    Name: PCIIDEX.SYS
    Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    Address: 0xF77AD000 Size: 28672 File Visible: -
    Status: -

    Name: PnpManager
    Image Path: \Driver\PnpManager
    Address: 0x804D7000 Size: 2189184 File Visible: -
    Status: -

    Name: portcls.sys
    Image Path: C:\WINDOWS\system32\drivers\portcls.sys
    Address: 0xF6DD3000 Size: 147456 File Visible: -
    Status: -

    Name: psched.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys
    Address: 0xF6496000 Size: 69120 File Visible: -
    Status: -

    Name: ptilink.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys
    Address: 0xF78A5000 Size: 17792 File Visible: -
    Status: -

    Name: ptserlp.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\ptserlp.sys
    Address: 0xF6F00000 Size: 112544 File Visible: -
    Status: -

    Name: PxHelp20.sys
    Image Path: PxHelp20.sys
    Address: 0xF757D000 Size: 35712 File Visible: -
    Status: -

    Name: rasacd.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys
    Address: 0xF7A21000 Size: 8832 File Visible: -
    Status: -

    Name: rasl2tp.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
    Address: 0xF774D000 Size: 51328 File Visible: -
    Status: -

    Name: raspppoe.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
    Address: 0xF775D000 Size: 41472 File Visible: -
    Status: -

    Name: raspptp.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys
    Address: 0xF776D000 Size: 48384 File Visible: -
    Status: -

    Name: raspti.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys
    Address: 0xF78AD000 Size: 16512 File Visible: -
    Status: -

    Name: RAW
    Image Path: \FileSystem\RAW
    Address: 0x804D7000 Size: 2189184 File Visible: -
    Status: -

    Name: rdbss.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys
    Address: 0xF509F000 Size: 175744 File Visible: -
    Status: -

    Name: RDPCDD.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
    Address: 0xF7A5D000 Size: 4224 File Visible: -
    Status: -

    Name: rdpdr.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\rdpdr.sys
    Address: 0xF639E000 Size: 196224 File Visible: -
    Status: -

    Name: redbook.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys
    Address: 0xF771D000 Size: 57600 File Visible: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xF0D2E000 Size: 45056 File Visible: No
    Status: -

    Name: SCDEmu.SYS
    Image Path: C:\WINDOWS\System32\Drivers\SCDEmu.SYS
    Address: 0xF760D000 Size: 53248 File Visible: -
    Status: -

    Name: SCSIPORT.SYS
    Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS
    Address: 0xF73F7000 Size: 98304 File Visible: -
    Status: -

    Name: SENSUPGD.SYS
    Image Path: C:\WINDOWS\system32\drivers\SENSUPGD.SYS
    Address: 0xF7B4D000 Size: 4096 File Visible: -
    Status: -

    Name: serenum.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\serenum.sys
    Address: 0xF7A01000 Size: 15744 File Visible: -
    Status: -

    Name: serial.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\serial.sys
    Address: 0xF76ED000 Size: 64512 File Visible: -
    Status: -

    Name: SMC1211.SYS
    Image Path: C:\WINDOWS\system32\DRIVERS\SMC1211.SYS
    Address: 0xF7835000 Size: 21504 File Visible: -
    Status: -

    Name: smwdm.sys
    Image Path: C:\WINDOWS\system32\drivers\smwdm.sys
    Address: 0xF6DF7000 Size: 443584 File Visible: -
    Status: -

    Name: spsj.sys
    Image Path: spsj.sys
    Address: 0xF740F000 Size: 1036288 File Visible: No
    Status: -

    Name: sptd
    Image Path: \Driver\sptd
    Address: 0x00000000 Size: 0 File Visible: No
    Status: -

    Name: sr.sys
    Image Path: sr.sys
    Address: 0xF7329000 Size: 73472 File Visible: -
    Status: -

    Name: srv.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys
    Address: 0xF30DE000 Size: 333824 File Visible: -
    Status: -

    Name: swenum.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys
    Address: 0xF7A4F000 Size: 4352 File Visible: -
    Status: -

    Name: sysaudio.sys
    Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
    Address: 0xF4F9A000 Size: 60800 File Visible: -
    Status: -

    Name: tcpip.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys
    Address: 0xF518C000 Size: 361344 File Visible: -
    Status: -

    Name: TDI.SYS
    Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
    Address: 0xF789D000 Size: 20480 File Visible: -
    Status: -

    Name: termdd.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys
    Address: 0xF778D000 Size: 40704 File Visible: -
    Status: -

    Name: update.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\update.sys
    Address: 0xF6340000 Size: 384768 File Visible: -
    Status: -

    Name: usbccgp.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\usbccgp.sys
    Address: 0xF78FD000 Size: 32128 File Visible: -
    Status: -

    Name: USBD.SYS
    Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS
    Address: 0xF7A55000 Size: 8192 File Visible: -
    Status: -

    Name: usbehci.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
    Address: 0xF782D000 Size: 30208 File Visible: -
    Status: -

    Name: usbhub.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys
    Address: 0xF75CD000 Size: 59520 File Visible: -
    Status: -

    Name: USBPORT.SYS
    Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
    Address: 0xF6EDC000 Size: 147456 File Visible: -
    Status: -

    Name: usbprint.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\usbprint.sys
    Address: 0xF7905000 Size: 25856 File Visible: -
    Status: -

    Name: usbscan.sys
    Image Path: C:\WINDOWS\system32\DRIVERS\usbscan.sys
    Address: 0xF513A000 Size: 15104 File Visible: -
    Status: -

    Name: usbuhci.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
    Address: 0xF7825000 Size: 20608 File Visible: -
    Status: -

    Name: vga.sys
    Image Path: C:\WINDOWS\System32\drivers\vga.sys
    Address: 0xF78D5000 Size: 20992 File Visible: -
    Status: -

    Name: viaagp.sys
    Image Path: viaagp.sys
    Address: 0xF759D000 Size: 42240 File Visible: -
    Status: -

    Name: viaide.sys
    Image Path: viaide.sys
    Address: 0xF7A31000 Size: 5376 File Visible: -
    Status: -

    Name: VIDEOPRT.SYS
    Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
    Address: 0xF6F1C000 Size: 81920 File Visible: -
    Status: -

    Name: vmodem.sys
    Image Path: vmodem.sys
    Address: 0xF7162000 Size: 604224 File Visible: -
    Status: -

    Name: VolSnap.sys
    Image Path: VolSnap.sys
    Address: 0xF754D000 Size: 52352 File Visible: -
    Status: -

    Name: vpctcom.sys
    Image Path: vpctcom.sys
    Address: 0xF71F6000 Size: 397472 File Visible: -
    Status: -

    Name: vvoice.sys
    Image Path: vvoice.sys
    Address: 0xF758D000 Size: 64576 File Visible: -
    Status: -

    Name: wanarp.sys
    Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys
    Address: 0xF762D000 Size: 34560 File Visible: -
    Status: -

    Name: watchdog.sys
    Image Path: C:\WINDOWS\System32\watchdog.sys
    Address: 0xF790D000 Size: 20480 File Visible: -
    Status: -

    Name: wdmaud.sys
    Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
    Address: 0xF345D000 Size: 83072 File Visible: -
    Status: -

    Name: Win32k
    Image Path: \Driver\Win32k
    Address: 0xBF800000 Size: 1847296 File Visible: -
    Status: -

    Name: win32k.sys
    Image Path: C:\WINDOWS\System32\win32k.sys
    Address: 0xBF800000 Size: 1847296 File Visible: -
    Status: -

    Name: WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\WMILIB.SYS
    Address: 0xF7A2F000 Size: 8192 File Visible: -
    Status: -

    Name: WMIxWDM
    Image Path: \Driver\WMIxWDM
    Address: 0x804D7000 Size: 2189184 File Visible: -
    Status: -

    Hidden/Locked Files
    -------------------
    Path: C:\hiberfil.sys
    Status: Locked to the Windows API!

    Path: C:\WINDOWS\system32\fNXbLnnn.ini2
    Status: Size mismatch (API: 734210, Raw: 733673)

    Processes
    -------------------
    Path: System
    PID: 4 Status: -

    Path: C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    PID: 240 Status: -

    Path: C:\Program Files\Internet Explorer\iexplore.exe
    PID: 284 Status: -

    Path: C:\Program Files\Java\jre6\bin\jusched.exe
    PID: 288 Status: -

    Path: C:\Program Files\Common Files\Motive\McciCMService.exe
    PID: 448 Status: -

    Path: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    PID: 532 Status: -

    Path: C:\WINDOWS\system32\smss.exe
    PID: 552 Status: -

    Path: C:\WINDOWS\system32\csrss.exe
    PID: 608 Status: -

    Path: C:\WINDOWS\system32\winlogon.exe
    PID: 632 Status: -

    Path: C:\WINDOWS\system32\services.exe
    PID: 708 Status: -

    Path: C:\WINDOWS\system32\lsass.exe
    PID: 720 Status: -

    Path: C:\WINDOWS\system32\svchost.exe
    PID: 756 Status: -

    Path: C:\Program Files\AVG\AVG8\avgrsx.exe
    PID: 896 Status: -

    Path: C:\WINDOWS\system32\svchost.exe
    PID: 960 Status: -

    Path: C:\WINDOWS\system32\svchost.exe
    PID: 1048 Status: -

    Path: C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    PID: 1060 Status: -

    Path: C:\WINDOWS\system32\svchost.exe
    PID: 1120 Status: -

    Path: C:\WINDOWS\system32\svchost.exe
    PID: 1188 Status: -

    Path: C:\WINDOWS\system32\svchost.exe
    PID: 1324 Status: -

    Path: G:\Program Files\PowerISO\PWRISOVM.EXE
    PID: 1384 Status: -

    Path: C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    PID: 1424 Status: -

    Path: C:\WINDOWS\system32\spoolsv.exe
    PID: 1532 Status: -

    Path: C:\Program Files\Java\jre6\bin\jqs.exe
    PID: 1604 Status: -

    Path: C:\WINDOWS\explorer.exe
    PID: 1728 Status: -

    Path: G:\Program Files\Winamp\winampa.exe
    PID: 1780 Status: -

    Path: C:\WINDOWS\system32\pctspk.exe
    PID: 1888 Status: -

    Path: C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
    PID: 1904 Status: -

    Path: C:\Documents and Settings\main\Application Data\svchost.exe
    PID: 1924 Status: -

    Path: C:\Program Files\Lexmark 2400 Series\ezprint.exe
    PID: 1944 Status: -

    Path: C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    PID: 2012 Status: -

    Path: C:\PROGRA~1\AVG\AVG8\avgtray.exe
    PID: 2116 Status: -

    Path: C:\Program Files\Internet Explorer\iexplore.exe
    PID: 2140 Status: -

    Path: C:\WINDOWS\Temp\winloggn.exe
    PID: 2148 Status: -

    Path: C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    PID: 2180 Status: -

    Path: C:\WINDOWS\system32\rundll32.exe
    PID: 2276 Status: -

    Path: C:\WINDOWS\system32\ctfmon.exe
    PID: 2360 Status: -

    Path: C:\WINDOWS\system32\lxcrcoms.exe
    PID: 2368 Status: -

    Path: C:\Program Files\DNA\btdna.exe
    PID: 2380 Status: -

    Path: C:\Documents and Settings\main\Desktop\RootRepeal\RootRepeal.exe
    PID: 2460 Status: -

    Path: C:\Documents and Settings\main\Application Data\cogad\cogad.exe
    PID: 2492 Status: -

    Path: C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
    PID: 2540 Status: -

    Path: C:\WINDOWS\system32\wscntfy.exe
    PID: 3096 Status: -

    Path: C:\WINDOWS\system32\alg.exe
    PID: 3540 Status: -

    SSDT
    -------------------
    #: 000 Function Name: NtAcceptConnectPort
    Status: Not hooked

    #: 001 Function Name: NtAccessCheck
    Status: Not hooked

    #: 002 Function Name: NtAccessCheckAndAuditAlarm
    Status: Not hooked

    #: 003 Function Name: NtAccessCheckByType
    Status: Not hooked

    #: 004 Function Name: NtAccessCheckByTypeAndAuditAlarm
    Status: Not hooked

    #: 005 Function Name: NtAccessCheckByTypeResultList
    Status: Not hooked

    #: 006 Function Name: NtAccessCheckByTypeResultListAndAuditAlarm
    Status: Not hooked

    #: 007 Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle
    Status: Not hooked

    #: 008 Function Name: NtAddAtom
    Status: Not hooked

    #: 009 Function Name: NtAddBootEntry
    Status: Not hooked

    #: 010 Function Name: NtAdjustGroupsToken
    Status: Not hooked

    #: 011 Function Name: NtAdjustPrivilegesToken
    Status: Not hooked

    #: 012 Function Name: NtAlertResumeThread
    Status: Not hooked

    #: 013 Function Name: NtAlertThread
    Status: Not hooked

    #: 014 Function Name: NtAllocateLocallyUniqueId
    Status: Not hooked

    #: 015 Function Name: NtAllocateUserPhysicalPages
    Status: Not hooked

    #: 016 Function Name: NtAllocateUuids
    Status: Not hooked

    #: 017 Function Name: NtAllocateVirtualMemory
    Status: Not hooked

    #: 018 Function Name: NtAreMappedFilesTheSame
    Status: Not hooked

    #: 019 Function Name: NtAssignProcessToJobObject
    Status: Not hooked

    #: 020 Function Name: NtCallbackReturn
    Status: Not hooked

    #: 021 Function Name: NtCancelDeviceWakeupRequest
    Status: Not hooked

    #: 022 Function Name: NtCancelIoFile
    Status: Not hooked

    #: 023 Function Name: NtCancelTimer
    Status: Not hooked

    #: 024 Function Name: NtClearEvent
    Status: Not hooked

    #: 025 Function Name: NtClose
    Status: Not hooked

    #: 026 Function Name: NtCloseObjectAuditAlarm
    Status: Not hooked

    #: 027 Function Name: NtCompactKeys
    Status: Not hooked

    #: 028 Function Name: NtCompareTokens
    Status: Not hooked

    #: 029 Function Name: NtCompleteConnectPort
    Status: Not hooked

    #: 030 Function Name: NtCompressKey
    Status: Not hooked

    #: 031 Function Name: NtConnectPort
    Status: Not hooked

    #: 032 Function Name: NtContinue
    Status: Not hooked

    #: 033 Function Name: NtCreateDebugObject
    Status: Not hooked

    #: 034 Function Name: NtCreateDirectoryObject
    Status: Not hooked

    #: 035 Function Name: NtCreateEvent
    Status: Not hooked

    #: 036 Function Name: NtCreateEventPair
    Status: Not hooked

    #: 037 Function Name: NtCreateFile
    Status: Not hooked

    #: 038 Function Name: NtCreateIoCompletion
    Status: Not hooked

    #: 039 Function Name: NtCreateJobObject
    Status: Not hooked

    #: 040 Function Name: NtCreateJobSet
    Status: Not hooked

    #: 041 Function Name: NtCreateKey
    Status: Hooked by "spsj.sys" at address 0xf74100e0

    #: 042 Function Name: NtCreateMailslotFile
    Status: Not hooked

    #: 043 Function Name: NtCreateMutant
    Status: Not hooked

    #: 044 Function Name: NtCreateNamedPipeFile
    Status: Not hooked

    #: 045 Function Name: NtCreatePagingFile
    Status: Not hooked

    #: 046 Function Name: NtCreatePort
    Status: Not hooked

    #: 047 Function Name: NtCreateProcess
    Status: Not hooked

    #: 048 Function Name: NtCreateProcessEx
    Status: Not hooked

    #: 049 Function Name: NtCreateProfile
    Status: Not hooked

    #: 050 Function Name: NtCreateSection
    Status: Not hooked

    #: 051 Function Name: NtCreateSemaphore
    Status: Not hooked

    #: 052 Function Name: NtCreateSymbolicLinkObject
    Status: Not hooked

    #: 053 Function Name: NtCreateThread
    Status: Not hooked

    #: 054 Function Name: NtCreateTimer
    Status: Not hooked

    #: 055 Function Name: NtCreateToken
    Status: Not hooked

    #: 056 Function Name: NtCreateWaitablePort
    Status: Not hooked

    #: 057 Function Name: NtDebugActiveProcess
    Status: Not hooked

    #: 058 Function Name: NtDebugContinue
    Status: Not hooked

    #: 059 Function Name: NtDelayExecution
    Status: Not hooked

    #: 060 Function Name: NtDeleteAtom
    Status: Not hooked

    #: 061 Function Name: NtDeleteBootEntry
    Status: Not hooked

    #: 062 Function Name: NtDeleteFile
    Status: Not hooked

    #: 063 Function Name: NtDeleteKey
    Status: Not hooked

    #: 064 Function Name: NtDeleteObjectAuditAlarm
    Status: Not hooked

    #: 065 Function Name: NtDeleteValueKey
    Status: Not hooked

    #: 066 Function Name: NtDeviceIoControlFile
    Status: Not hooked

    #: 067 Function Name: NtDisplayString
    Status: Not hooked

    #: 068 Function Name: NtDuplicateObject
    Status: Not hooked

    #: 069 Function Name: NtDuplicateToken
    Status: Not hooked

    #: 070 Function Name: NtEnumerateBootEntries
    Status: Not hooked

    #: 071 Function Name: NtEnumerateKey
    Status: Hooked by "spsj.sys" at address 0xf742dca2

    #: 072 Function Name: NtEnumerateSystemEnvironmentValuesEx
    Status: Not hooked

    #: 073 Function Name: NtEnumerateValueKey
    Status: Hooked by "spsj.sys" at address 0xf742e030

    #: 074 Function Name: NtExtendSection
    Status: Not hooked

    #: 075 Function Name: NtFilterToken
    Status: Not hooked

    #: 076 Function Name: NtFindAtom
    Status: Not hooked

    #: 077 Function Name: NtFlushBuffersFile
    Status: Not hooked

    #: 078 Function Name: NtFlushInstructionCache
    Status: Not hooked

    #: 079 Function Name: NtFlushKey
    Status: Not hooked

    #: 080 Function Name: NtFlushVirtualMemory
    Status: Not hooked

    #: 081 Function Name: NtFlushWriteBuffer
    Status: Not hooked

    #: 082 Function Name: NtFreeUserPhysicalPages
    Status: Not hooked

    #: 083 Function Name: NtFreeVirtualMemory
    Status: Not hooked

    #: 084 Function Name: NtFsControlFile
    Status: Not hooked

    #: 085 Function Name: NtGetContextThread
    Status: Not hooked

    #: 086 Function Name: NtGetDevicePowerState
    Status: Not hooked

    #: 087 Function Name: NtGetPlugPlayEvent
    Status: Not hooked

    #: 088 Function Name: NtGetWriteWatch
    Status: Not hooked

    #: 089 Function Name: NtImpersonateAnonymousToken
    Status: Not hooked

    #: 090 Function Name: NtImpersonateClientOfPort
    Status: Not hooked

    #: 091 Function Name: NtImpersonateThread
    Status: Not hooked

    #: 092 Function Name: NtInitializeRegistry
    Status: Not hooked

    #: 093 Function Name: NtInitiatePowerAction
    Status: Not hooked

    #: 094 Function Name: NtIsProcessInJob
    Status: Not hooked

    #: 095 Function Name: NtIsSystemResumeAutomatic
    Status: Not hooked

    #: 096 Function Name: NtListenPort
    Status: Not hooked

    #: 097 Function Name: NtLoadDriver
    Status: Not hooked

    #: 098 Function Name: NtLoadKey
    Status: Not hooked

    #: 099 Function Name: NtLoadKey2
    Status: Not hooked

    #: 100 Function Name: NtLockFile
    Status: Not hooked

    #: 101 Function Name: NtLockProductActivationKeys
    Status: Not hooked

    #: 102 Function Name: NtLockRegistryKey
    Status: Not hooked

    #: 103 Function Name: NtLockVirtualMemory
    Status: Not hooked

    #: 104 Function Name: NtMakePermanentObject
    Status: Not hooked

    #: 105 Function Name: NtMakeTemporaryObject
    Status: Not hooked

    #: 106 Function Name: NtMapUserPhysicalPages
    Status: Not hooked

    #: 107 Function Name: NtMapUserPhysicalPagesScatter
    Status: Not hooked

    #: 108 Function Name: NtMapViewOfSection
    Status: Not hooked

    #: 109 Function Name: NtModifyBootEntry
    Status: Not hooked

    #: 110 Function Name: NtNotifyChangeDirectoryFile
    Status: Not hooked

    #: 111 Function Name: NtNotifyChangeKey
    Status: Not hooked

    #: 112 Function Name: NtNotifyChangeMultipleKeys
    Status: Not hooked

    #: 113 Function Name: NtOpenDirectoryObject
    Status: Not hooked

    #: 114 Function Name: NtOpenEvent
    Status: Not hooked

    #: 115 Function Name: NtOpenEventPair
    Status: Not hooked

    #: 116 Function Name: NtOpenFile
    Status: Not hooked

    #: 117 Function Name: NtOpenIoCompletion
    Status: Not hooked

    #: 118 Function Name: NtOpenJobObject
    Status: Not hooked

    #: 119 Function Name: NtOpenKey
    Status: Hooked by "spsj.sys" at address 0xf74100c0

    #: 120 Function Name: NtOpenMutant
    Status: Not hooked

    #: 121 Function Name: NtOpenObjectAuditAlarm
    Status: Not hooked

    #: 122 Function Name: NtOpenProcess
    Status: Not hooked

    #: 123 Function Name: NtOpenProcessToken
    Status: Not hooked

    #: 124 Function Name: NtOpenProcessTokenEx
    Status: Not hooked

    #: 125 Function Name: NtOpenSection
    Status: Not hooked

    #: 126 Function Name: NtOpenSemaphore
    Status: Not hooked

    #: 127 Function Name: NtOpenSymbolicLinkObject
    Status: Not hooked

    #: 128 Function Name: NtOpenThread
    Status: Not hooked

    #: 129 Function Name: NtOpenThreadToken
    Status: Not hooked

    #: 130 Function Name: NtOpenThreadTokenEx
    Status: Not hooked

    #: 131 Function Name: NtOpenTimer
    Status: Not hooked

    #: 132 Function Name: NtPlugPlayControl
    Status: Not hooked

    #: 133 Function Name: NtPowerInformation
    Status: Not hooked

    #: 134 Function Name: NtPrivilegeCheck
    Status: Not hooked

    #: 135 Function Name: NtPrivilegeObjectAuditAlarm
    Status: Not hooked

    #: 136 Function Name: NtPrivilegedServiceAuditAlarm
    Status: Not hooked

    #: 137 Function Name: NtProtectVirtualMemory
    Status: Not hooked

    #: 138 Function Name: NtPulseEvent
    Status: Not hooked

    #: 139 Function Name: NtQueryAttributesFile
    Status: Not hooked

    #: 140 Function Name: NtQueryBootEntryOrder
    Status: Not hooked

    #: 141 Function Name: NtQueryBootOptions
    Status: Not hooked

    #: 142 Function Name: NtQueryDebugFilterState
    Status: Not hooked

    #: 143 Function Name: NtQueryDefaultLocale
    Status: Not hooked

    #: 144 Function Name: NtQueryDefaultUILanguage
    Status: Not hooked

    #: 145 Function Name: NtQueryDirectoryFile
    Status: Not hooked

    #: 146 Function Name: NtQueryDirectoryObject
    Status: N

    Stealth Objects
    -------------------
    Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
    Process: System Address: 0x82fdb1f8 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
    Process: System Address: 0x82c9f500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
    Process: System Address: 0x82c9f500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
    Process: System Address: 0x82c9f500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
    Process: System Address: 0x82c9f500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x82c9f500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x82c9f500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
    Process: System Address: 0x82c9f500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
    Process: System Address: 0x82c9f500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x82c9f500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x82c9f500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x82c9f500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x82c9f500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x82c9f500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82c9f500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x82c9f500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x82c9f500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
    Process: System Address: 0x82c9f500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
    Process: System Address: 0x82c9f500 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
    Process: System Address: 0x82d0a1f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
    Process: System Address: 0x82d0a1f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
    Process: System Address: 0x82d0a1f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
    Process: System Address: 0x82d0a1f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x82d0a1f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82d0a1f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x82d0a1f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x82d0a1f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
    Process: System Address: 0x82d0a1f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x82d0a1f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
    Process: System Address: 0x82d0a1f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
    Process: System Address: 0x82f701f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
    Process: System Address: 0x82f701f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
    Process: System Address: 0x82f701f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
    Process: System Address: 0x82f701f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x82f701f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82f701f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x82f701f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x82f701f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
    Process: System Address: 0x82f701f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x82f701f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
    Process: System Address: 0x82f701f8 Size: -

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
    Process: System Address: 0x82dbc1f8 Size: -

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
    Process: System Address: 0x82dbc1f8 Size: -

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82dbc1f8 Size: -

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x82dbc1f8 Size: -

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
    Process: System Address: 0x82dbc1f8 Size: -

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x82dbc1f8 Size: -

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
    Process: System Address: 0x82dbc1f8 Size: -

    Object: Hidden Code [Driver: aja9roirȅ扏煓ȁం扏楄멨떸苑Ȃం扏济, IRP_MJ_CREATE]
    Process: System Address: 0x82cde1f8 Size: -

    Object: Hidden Code [Driver: aja9roirȅ扏煓ȁం扏楄멨떸苑Ȃం扏济, IRP_MJ_CLOSE]
    Process: System Address: 0x82cde1f8 Size: -

    Object: Hidden Code [Driver: aja9roirȅ扏煓ȁం扏楄멨떸苑Ȃం扏济, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82cde1f8 Size: -

    Object: Hidden Code [Driver: aja9roirȅ扏煓ȁం扏楄멨떸苑Ȃం扏济, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x82cde1f8 Size: -

    Object: Hidden Code [Driver: aja9roirȅ扏煓ȁం扏楄멨떸苑Ȃం扏济, IRP_MJ_POWER]
    Process: System Address: 0x82cde1f8 Size: -

    Object: Hidden Code [Driver: aja9roirȅ扏煓ȁం扏楄멨떸苑Ȃం扏济, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x82cde1f8 Size: -

    Object: Hidden Code [Driver: aja9roirȅ扏煓ȁం扏楄멨떸苑Ȃం扏济, IRP_MJ_PNP]
    Process: System Address: 0x82cde1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
    Process: System Address: 0x82fdd1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
    Process: System Address: 0x82fdd1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
    Process: System Address: 0x82fdd1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x82fdd1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82fdd1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x82fdd1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x82fdd1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
    Process: System Address: 0x82fdd1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
    Process: System Address: 0x82fdd1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x82fdd1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
    Process: System Address: 0x82fdd1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
    Process: System Address: 0x82aaf1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
    Process: System Address: 0x82aaf1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82aaf1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x82aaf1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
    Process: System Address: 0x82aaf1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
    Process: System Address: 0x82aaf1f8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
    Process: System Address: 0x82da51f8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
    Process: System Address: 0x82da51f8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82da51f8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x82da51f8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
    Process: System Address: 0x82da51f8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x82da51f8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
    Process: System Address: 0x82da51f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
    Process: System Address: 0x82b081f8 Size: -

    Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_CREATE]
    Process: System Address: 0x82c60500 Size: -

    Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_CLOSE]
    Process: System Address: 0x82c60500 Size: -

    Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_READ]
    Process: System Address: 0x82c60500 Size: -

    Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x82c60500 Size: -

    Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x82c60500 Size: -

    Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x82c60500 Size: -

    Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x82c60500 Size: -

    Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x82c60500 Size: -

    Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x82c60500 Size: -

    Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x82c60500 Size: -

    Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x82c60500 Size: -

    Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_CLEANUP]
    Process: System Address: 0x82c60500 Size: -

    Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_PNP]
    Process: System Address: 0x82c60500 Size: -

    Hidden Services
    -------------------
    Service Name: TDSSserv.sys
    Image Path: C:\WINDOWS\system32\drivers\TDSSpplt.sys
     
  11. 2009/01/12
    phloggo

    OK, here's the ComboFix log.

    ComboFix 09-01-11.04 - main 2009-01-12 13:55:30.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.768.437 [GMT -5:00]
    Running from: c:\documents and settings\main\Desktop\TheCat.exe
    AV: AVG Internet Security *On-access scanning disabled* (Updated)
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\main\LOCALS~1\Temp\tmp1.tmp
    c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\main\Application Data\SpeedRunner
    c:\documents and settings\main\Application Data\SpeedRunner\config.cfg
    c:\documents and settings\main\Local Settings\Temporary Internet Files\CPV.stt
    c:\documents and settings\main\Local Settings\Temporary Internet Files\fbk.sts
    c:\program files\Mjcore
    c:\program files\Mjcore\Mjcore.dll
    C:\resycled
    c:\resycled\boot.com
    c:\windows\system32\drivers\msqpdxserv.sys
    c:\windows\system32\Drivers\TDSSpplt.sys
    c:\windows\system32\dwpsag.dll
    c:\windows\system32\efcDWqOI.dll
    c:\windows\system32\fNXbLnnn.ini
    c:\windows\system32\fNXbLnnn.ini2
    c:\windows\system32\nnnLbXNf.dll
    c:\windows\system32\spools.exe
    c:\windows\system32\TDSSdxcp.dll
    c:\windows\system32\TDSSkkao.log
    c:\windows\system32\TDSSmtve.dat
    c:\windows\system32\uyokqrin.dll
    c:\windows\Temp\2867544108.exe
    F:\Autorun.inf
    F:\resycled
    f:\resycled\boot.com
    G:\resycled
    g:\resycled\boot.com
    H:\Autorun.inf
    H:\resycled
    h:\resycled\boot.com

    ----- BITS: Possible infected sites -----

    hxxp://speedytorrents.net
    hxxp://childhe.com
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TDSSSERV.SYS
    -------\Service_AVG
    -------\Service_TDSSserv.sys


    ((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
    .

    2009-01-12 13:26 . 2009-01-12 13:26 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
    2009-01-12 02:47 . 2009-01-12 02:47 <DIR> d-------- c:\program files\Trend Micro
    2009-01-12 02:44 . 2009-01-12 02:44 <DIR> d-------- c:\program files\Lavasoft
    2009-01-12 02:44 . 2009-01-12 02:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-01-12 00:53 . 2009-01-12 00:53 <DIR> d-------- c:\windows\umiq
    2009-01-12 00:53 . 2009-01-12 02:59 <DIR> d-------- c:\program files\Common Files\umiq
    2009-01-11 19:23 . 2009-01-12 13:52 <DIR> d--h----- C:\$AVG8.VAULT$
    2009-01-11 19:14 . 2009-01-11 19:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
    2009-01-11 19:12 . 2009-01-11 19:12 1,256,329 --ahs---- c:\windows\system32\wbtxlgio.ini
    2009-01-11 18:50 . 2009-01-11 18:50 <DIR> d-------- c:\documents and settings\main\Application Data\aAvgApi
    2009-01-11 18:26 . 2009-01-11 20:33 <DIR> d-------- c:\program files\Webtools
    2009-01-11 18:15 . 2009-01-12 13:26 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2009-01-11 18:14 . 2009-01-12 13:59 <DIR> d-------- c:\windows\system32\drivers\Avg
    2009-01-11 18:14 . 2009-01-11 18:58 <DIR> d-------- c:\documents and settings\main\Application Data\AVGTOOLBAR
    2009-01-11 18:14 . 2009-01-12 13:26 324,872 --a------ c:\windows\system32\drivers\avgldx86.sys
    2009-01-11 13:52 . 2009-01-11 13:52 <DIR> d-------- c:\program files\totalvid
    2009-01-11 13:52 . 2009-01-12 13:39 <DIR> d-------- c:\documents and settings\main\Application Data\cogad
    2009-01-11 13:52 . 2009-01-11 22:15 0 --a------ c:\windows\system32\drivers\d6701f53.sys
    2009-01-11 13:51 . 2009-01-11 13:51 <DIR> d-------- c:\documents and settings\main\Application Data\_ca29e34c79e4843dd796f1512916024d
    2009-01-11 13:51 . 2009-01-08 21:05 788,209 --a------ c:\documents and settings\main\Application Data\svchost.exe
    2009-01-11 13:51 . 2009-01-11 13:51 46,080 --a------ c:\windows\system32\ljJDTmll.dll
    2009-01-11 13:51 . 2009-01-11 13:51 33 --a------ c:\documents and settings\main\Application Data\__t.bin
    2009-01-11 13:38 . 2009-01-12 14:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
    2009-01-10 07:44 . 2009-01-10 07:46 <DIR> d-------- c:\program files\SoundSpectrum
    2009-01-10 07:41 . 2009-01-10 07:41 <DIR> d-------- c:\program files\aVis
    2009-01-08 06:38 . 2009-01-08 06:38 <DIR> d-------- c:\documents and settings\main\Application Data\fltk.org
    2009-01-06 11:06 . 2009-01-06 11:06 <DIR> d-------- c:\documents and settings\main\Application Data\mirkes.de
    2009-01-06 09:08 . 2009-01-06 09:29 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
    2009-01-06 08:19 . 1996-07-18 13:06 297,472 --a------ c:\windows\uninst.exe
    2009-01-06 08:15 . 2008-02-22 06:30 334,792 --a------ c:\windows\system32\_AxShlEx.dll
    2009-01-06 08:14 . 2009-01-11 22:02 <DIR> d-------- c:\program files\free-downloads.net
    2009-01-06 08:14 . 2009-01-11 22:02 <DIR> d-------- c:\program files\Conduit
    2009-01-06 08:14 . 2009-01-06 08:14 <DIR> d-------- c:\program files\Alcohol Soft
    2009-01-06 08:09 . 2009-01-06 08:09 716,272 --a------ c:\windows\system32\drivers\sptd.sys
    2009-01-06 04:28 . 2004-04-16 10:24 61,440 --a------ c:\windows\system32\ISUSPM.cpl
    2009-01-06 02:09 . 2009-01-06 02:09 <DIR> d-------- c:\program files\MSXML 4.0
    2009-01-06 01:49 . 2007-03-13 21:18 10,752 --a------ c:\windows\system32\ff_vfw.dll
    2009-01-06 01:49 . 2007-03-13 21:18 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
    2009-01-06 01:22 . 2009-01-06 01:22 <DIR> d-------- c:\program files\Common Files\NSV
    2009-01-04 23:18 . 2006-01-26 15:12 327,680 --a------ c:\windows\system32\haspms32.dll
    2009-01-04 20:44 . 2009-01-04 23:18 <DIR> d-------- c:\program files\Common Files\ALLDATA Shared
    2009-01-04 20:44 . 2002-09-21 00:33 1,089,536 --a------ c:\windows\system32\ROBOEX32.DLL
    2009-01-04 20:44 . 2004-07-14 12:54 676,864 --a------ c:\windows\system32\drivers\hardlock.sys
    2009-01-04 20:44 . 2005-05-26 14:33 446,464 --a------ c:\windows\system32\hhactivex.dll
    2009-01-04 20:44 . 2003-04-18 15:29 82,432 --a------ c:\windows\system32\msxml4r.dll
    2009-01-04 20:44 . 2000-08-04 17:25 49,152 --a------ c:\windows\system32\INETWH32.dll
    2009-01-04 20:44 . 2009-01-04 20:44 47,616 --a------ c:\windows\system32\drivers\Haspnt.sys
    2009-01-04 20:44 . 2003-04-18 15:29 44,544 --a------ c:\windows\system32\msxml4a.dll
    2009-01-04 20:44 . 2009-01-04 20:44 6,656 --a------ c:\windows\system32\haspvdd.dll
    2009-01-04 20:44 . 2009-01-03 03:10 2,577 --a------ c:\windows\system32\config.hsp
    2009-01-04 20:44 . 2009-01-04 20:44 383 --a------ c:\windows\system32\haspdos.sys
    2009-01-04 19:41 . 2009-01-04 19:41 624 --a------ c:\windows\system32\license.955200
    2009-01-04 19:40 . 2009-01-04 19:41 <DIR> d-------- c:\program files\NVIDIA Corporation
    2009-01-04 19:40 . 2002-11-21 11:06 671,744 -ra------ c:\windows\system32\DolbyHph.dll
    2009-01-04 19:40 . 2002-11-21 13:57 24,576 -ra------ c:\windows\system32\msxml3a.dll
    2009-01-04 17:23 . 2009-01-04 17:23 <DIR> d-------- c:\program files\ATTToolbar
    2009-01-04 17:23 . 2009-01-04 17:26 <DIR> d-------- c:\documents and settings\main\Application Data\ATTToolbar
    2009-01-04 17:23 . 2009-01-04 18:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATTToolbar
    2009-01-04 16:52 . 2009-01-04 17:20 <DIR> d-------- c:\documents and settings\main\Application Data\Motive
    2009-01-04 16:51 . 2009-01-04 17:23 <DIR> d-------- c:\program files\Common Files\Motive
    2009-01-04 16:51 . 2009-01-04 16:51 <DIR> d-------- c:\program files\ATT-HSI
    2009-01-04 16:48 . 2009-01-04 16:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Motive
    2009-01-04 16:12 . 2009-01-04 16:12 0 --a------ c:\windows\nsreg.dat
    2009-01-04 15:43 . 2009-01-04 15:43 <DIR> d-------- c:\windows\Logs
    2009-01-04 15:43 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
    2009-01-04 15:40 . 2009-01-04 15:40 <DIR> d-------- c:\program files\Common Files\Apple
    2009-01-04 15:40 . 2009-01-04 15:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
    2009-01-04 15:39 . 2009-01-04 15:39 <DIR> d-------- c:\program files\Apple Software Update
    2009-01-04 15:39 . 2009-01-04 15:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
    2009-01-04 15:29 . 2009-01-04 15:29 <DIR> d-------- c:\windows\SQLTools9_KB954606_ENU
    2009-01-04 15:27 . 2009-01-04 15:27 <DIR> d-------- c:\windows\SQL9_KB954606_ENU
    2009-01-04 15:00 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
    2009-01-04 15:00 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
    2009-01-04 06:33 . 2009-01-04 06:33 <DIR> d-------- C:\kit_files
    2009-01-04 06:32 . 2009-01-04 06:32 <DIR> d-------- C:\TRANSFER
    2009-01-04 06:32 . 2009-01-11 11:32 <DIR> d-------- C:\hunni
    2009-01-04 06:24 . 2009-01-04 06:24 <DIR> d-------- c:\program files\Lexmark Tools For Office
    2009-01-04 06:23 . 2009-01-04 06:23 0 --a------ c:\windows\MKDEWE.TRN
    2009-01-04 03:57 . 2009-01-04 03:57 <DIR> d-------- c:\program files\MSBuild
    2009-01-04 03:57 . 2009-01-04 03:57 <DIR> d-------- c:\program files\Microsoft Works
    2009-01-04 03:53 . 2009-01-04 03:53 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
    2009-01-04 03:52 . 2009-01-04 03:56 <DIR> d-------- c:\windows\SHELLNEW
    2009-01-04 03:52 . 2009-01-04 15:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-01-04 03:51 . 2009-01-04 03:51 <DIR> dr-h----- C:\MSOCache
    2009-01-04 01:41 . 2009-01-04 01:42 <DIR> d-------- c:\documents and settings\main\Application Data\vlc
    2009-01-04 01:32 . 2009-01-04 01:32 <DIR> d-------- C:\ATI
    2009-01-04 01:32 . 2006-01-26 08:57 520,192 --a------ c:\windows\system32\ati2sgag.exe
    2009-01-04 00:34 . 2009-01-11 01:45 69 --a------ c:\windows\NeroDigital.ini
    2009-01-04 00:15 . 2009-01-04 03:45 <DIR> d-------- c:\documents and settings\main\Application Data\Winamp
    2009-01-03 22:54 . 2009-01-11 13:38 <DIR> d-------- c:\documents and settings\main\Application Data\BitTorrent
    2009-01-03 22:49 . 2008-12-05 22:18 499,712 --a------ c:\windows\system32\msvcp71.dll
    2009-01-03 22:49 . 2008-12-05 22:18 348,160 --a------ c:\windows\system32\msvcr71.dll
    2009-01-03 22:48 . 2009-01-03 22:51 <DIR> d-------- c:\windows\system32\Adobe
    2009-01-03 22:44 . 2009-01-03 22:44 <DIR> d-------- c:\windows\Sun
    2009-01-03 22:44 . 2009-01-03 22:43 410,984 --a------ c:\windows\system32\deploytk.dll
    2009-01-03 22:44 . 2009-01-03 22:43 73,728 --a------ c:\windows\system32\javacpl.cpl
    2009-01-03 22:43 . 2009-01-03 22:43 <DIR> d-------- c:\program files\Java
    2009-01-03 22:11 . 2009-01-03 22:13 <DIR> d-------- c:\program files\Microsoft Small Business
    2009-01-03 22:08 . 2009-01-04 03:55 <DIR> d-------- c:\program files\Microsoft.NET
    2009-01-03 22:07 . 2009-01-03 22:07 <DIR> d-------- c:\program files\MSXML 6.0
    2009-01-03 22:06 . 2009-01-04 15:29 <DIR> d-------- c:\program files\Microsoft SQL Server
    2009-01-03 21:59 . 2009-01-12 14:00 <DIR> d-------- c:\program files\DNA
    2009-01-03 21:59 . 2009-01-12 14:00 <DIR> d-------- c:\documents and settings\main\Application Data\DNA
    2009-01-03 21:31 . 2009-01-03 21:31 <DIR> d-------- c:\program files\Common Files\Ahead
    2009-01-03 21:31 . 2009-01-03 21:31 <DIR> d-------- c:\program files\Ahead
    2009-01-03 21:31 . 2004-07-26 16:16 1,568,768 --a------ c:\windows\system32\ImagX7.dll
    2009-01-03 21:31 . 2004-07-26 16:16 476,320 --a------ c:\windows\system32\ImagXpr7.dll
    2009-01-03 21:31 . 2004-07-26 16:16 471,040 --a------ c:\windows\system32\ImagXRA7.dll
    2009-01-03 21:31 . 2004-07-09 08:43 364,544 --a------ c:\windows\system32\TwnLib4.dll
    2009-01-03 21:31 . 2004-07-26 16:16 262,144 --a------ c:\windows\system32\ImagXR7.dll
    2009-01-03 21:31 . 2006-01-12 15:40 155,648 --a------ c:\windows\system32\NeroCheck.exe
    2009-01-03 21:31 . 2005-09-01 11:03 127,488 --------- c:\windows\system32\drivers\imagesrv.sys
    2009-01-03 21:31 . 2000-06-26 10:45 106,496 --a------ c:\windows\system32\TwnLib20.dll
    2009-01-03 21:31 . 2005-09-01 11:03 5,888 --------- c:\windows\system32\drivers\imagedrv.sys
    2009-01-03 21:24 . 2009-01-03 21:24 <DIR> d-------- c:\program files\VideoLAN
    2009-01-03 15:48 . 2008-04-13 19:11 21,504 --a------ c:\windows\system32\hidserv.dll
    2009-01-03 15:48 . 2008-04-13 19:11 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
    2009-01-03 15:48 . 2008-04-13 13:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
    2009-01-03 15:48 . 2008-04-13 13:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
    2009-01-03 15:39 . 2009-01-03 15:39 <DIR> d-------- c:\program files\Western Digital
    2009-01-03 15:39 . 2009-01-06 07:26 <DIR> d-------- c:\program files\Common Files\InstallShield
    2009-01-03 15:34 . 2009-01-03 15:34 <DIR> d-------- c:\program files\Seagate
    2009-01-03 15:27 . 2009-01-03 15:27 <DIR> d-------- c:\program files\Windows Media Connect 2
    2009-01-03 15:26 . 2009-01-03 15:26 <DIR> d-------- c:\windows\system32\LogFiles
    2009-01-03 15:26 . 2009-01-03 15:27 <DIR> d-------- c:\windows\system32\drivers\UMDF

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-03 08:19 --------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2009-01-03 08:10 --------- d-----w c:\program files\microsoft frontpage
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-03 342848]
    "alcoholautomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-01-06 4608]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "lxcrmon.exe"="c:\program files\Lexmark 2400 Series\lxcrmon.exe" [2006-03-06 286720]
    "EzPrint"="c:\program files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 98304]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-03 136600]
    "PWRISOVM.EXE"="g:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
    "LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 65536]
    "WinampAgent"="g:\program files\Winamp\winampa.exe" [2008-08-03 36352]
    "QuickTime Task"="g:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "*svchostBoot"="c:\documents and settings\main\Application Data\svchost.exe" [2009-01-08 788209]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-12 1601304]
    "isusscheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
    "isuspm startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
    "s3tray2"="S3tray2.exe" [2001-10-12 c:\windows\system32\S3tray2.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-01-12 13:26 10520 c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll dwpsag.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\nnnLbXNf

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\emu\\NES\\nestcl95.exe"=
    "g:\\emulators\\games\\nes\\Games Released in the US\\nestcl95.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "g:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=

    R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-11 324872]
    R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [2001-07-11 23153]
    R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-11 298264]
    R4 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-08-05 29184016]
    S1 d6701f53;d6701f53;c:\windows\system32\drivers\d6701f53.sys [2009-01-11 0]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

    2009-01-12 c:\windows\Tasks\zfgtbthe.job
    - c:\windows\system32\rundll32.exe [2008-04-13 19:12]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{7CD06695-0441-4B6E-AE57-118EA2E3C646} - c:\windows\system32\nnnLbXNf.dll
    HKCU-Run-cogad - c:\documents and settings\main\Application Data\cogad\cogad.exe
    HKCU-Run-lrijh8s73jhbfgfd - c:\windows\TEMP\winloggn.exe
    HKLM-Run-Managing Services - c:\windows\system32\spools.exe
    HKLM-Run-04d10325 - c:\windows\system32\oiglxtbw.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    Trusted Zone: www.avg.com
    FF - ProfilePath - c:\documents and settings\main\Application Data\Mozilla\Firefox\Profiles\ljhaciiu.default\
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\documents and settings\main\Application Data\Mozilla\Firefox\Profiles\ljhaciiu.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
    FF - component: g:\program files\Mozilla Firefox\components\iamfamous.dll
    FF - component: g:\program files\Mozilla Firefox\components\srff.dll
    FF - plugin: g:\program files\QuickTime\Plugins\npqtplugin.dll
    FF - plugin: g:\program files\QuickTime\Plugins\npqtplugin2.dll
    FF - plugin: g:\program files\QuickTime\Plugins\npqtplugin3.dll
    FF - plugin: g:\program files\QuickTime\Plugins\npqtplugin4.dll
    FF - plugin: g:\program files\QuickTime\Plugins\npqtplugin5.dll
    FF - plugin: g:\program files\QuickTime\Plugins\npqtplugin6.dll
    FF - plugin: g:\program files\QuickTime\Plugins\npqtplugin7.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-12 14:00:49
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16?????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(648)
    c:\windows\system32\Ati2evxx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\WgaTray.exe
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\windows\system32\pctspk.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    c:\program files\AVG\AVG8\avgdiagex.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\program files\AVG\AVG8\avgcsrvx.exe
    c:\windows\system32\lxcrcoms.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-12 14:03:07 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-01-12 19:02:42

    Pre-Run: 7,112,269,824 bytes free
    Post-Run: 7,257,649,152 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

     
  12. 2009/01/12
    phloggo

    phloggo Inactive Thread Starter

    Joined:
    2009/01/11
    Messages:
    11
    Likes Received:
    0
    Upon reboot from ComboFix there were a few error messages:

    Windows - No Disk
    Exception processing message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c

    Options were: Cancel, Try Again, Continue. I chose continue and the message popped up again. So, I chose cancel.


    RUNDLL

    Error loading C:\Windows\System32\oiglxtbw.dll - Access is denied



    AVG8TrayMainWnd

    Do you want to force threat removal?
    The one above popped up repeatedly.


    Also, the dots around the cursor are back. 3 dots over the pointer, one by the hand. Other than that things seem pretty good now. More dots are appearing over the cursor. At least the machine is usable for its main functions, invoicing & research. Once again, thank you for your help thus far.
     
  13. 2009/01/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please run ComboFix again. Allow it to update if prompted. Post the new log here.
     
  14. 2009/01/12
    phloggo

    phloggo Inactive Thread Starter

    Joined:
    2009/01/11
    Messages:
    11
    Likes Received:
    0
    Hey Dave,

    No update prompt but here's the log:

    ComboFix 09-01-11.04 - main 2009-01-12 17:10:27.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.768.434 [GMT -5:00]
    Running from: c:\documents and settings\main\Desktop\TheCat.exe
    AV: AVG Anti-Virus *On-access scanning disabled* (Updated)
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\wbtxlgio.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_AVG


    ((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
    .

    2009-01-12 17:09 . 2009-01-12 17:09 <DIR> d-------- C:\32788R22FWJFW
    2009-01-12 13:26 . 2009-01-12 13:26 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
    2009-01-12 02:47 . 2009-01-12 02:47 <DIR> d-------- c:\program files\Trend Micro
    2009-01-12 02:44 . 2009-01-12 02:44 <DIR> d-------- c:\program files\Lavasoft
    2009-01-12 02:44 . 2009-01-12 02:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-01-12 00:53 . 2009-01-12 00:53 <DIR> d-------- c:\windows\umiq
    2009-01-12 00:53 . 2009-01-12 02:59 <DIR> d-------- c:\program files\Common Files\umiq
    2009-01-11 19:23 . 2009-01-12 17:05 <DIR> d--h----- C:\$AVG8.VAULT$
    2009-01-11 19:14 . 2009-01-11 19:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
    2009-01-11 18:50 . 2009-01-11 18:50 <DIR> d-------- c:\documents and settings\main\Application Data\aAvgApi
    2009-01-11 18:26 . 2009-01-11 20:33 <DIR> d-------- c:\program files\Webtools
    2009-01-11 18:15 . 2009-01-12 13:26 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2009-01-11 18:14 . 2009-01-12 13:59 <DIR> d-------- c:\windows\system32\drivers\Avg
    2009-01-11 18:14 . 2009-01-11 18:58 <DIR> d-------- c:\documents and settings\main\Application Data\AVGTOOLBAR
    2009-01-11 18:14 . 2009-01-12 13:26 324,872 --a------ c:\windows\system32\drivers\avgldx86.sys
    2009-01-11 13:52 . 2009-01-11 13:52 <DIR> d-------- c:\program files\totalvid
    2009-01-11 13:52 . 2009-01-12 13:39 <DIR> d-------- c:\documents and settings\main\Application Data\cogad
    2009-01-11 13:52 . 2009-01-11 22:15 0 --a------ c:\windows\system32\drivers\d6701f53.sys
    2009-01-11 13:51 . 2009-01-11 13:51 <DIR> d-------- c:\documents and settings\main\Application Data\_ca29e34c79e4843dd796f1512916024d
    2009-01-11 13:51 . 2009-01-08 21:05 788,209 --a------ c:\documents and settings\main\Application Data\svchost.exe
    2009-01-11 13:51 . 2009-01-11 13:51 33 --a------ c:\documents and settings\main\Application Data\__t.bin
    2009-01-11 13:38 . 2009-01-12 14:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
    2009-01-10 07:44 . 2009-01-10 07:46 <DIR> d-------- c:\program files\SoundSpectrum
    2009-01-10 07:41 . 2009-01-10 07:41 <DIR> d-------- c:\program files\aVis
    2009-01-08 06:38 . 2009-01-08 06:38 <DIR> d-------- c:\documents and settings\main\Application Data\fltk.org
    2009-01-06 11:06 . 2009-01-06 11:06 <DIR> d-------- c:\documents and settings\main\Application Data\mirkes.de
    2009-01-06 09:08 . 2009-01-06 09:29 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
    2009-01-06 08:19 . 1996-07-18 13:06 297,472 --a------ c:\windows\uninst.exe
    2009-01-06 08:15 . 2008-02-22 06:30 334,792 --a------ c:\windows\system32\_AxShlEx.dll
    2009-01-06 08:14 . 2009-01-11 22:02 <DIR> d-------- c:\program files\free-downloads.net
    2009-01-06 08:14 . 2009-01-11 22:02 <DIR> d-------- c:\program files\Conduit
    2009-01-06 08:14 . 2009-01-06 08:14 <DIR> d-------- c:\program files\Alcohol Soft
    2009-01-06 08:09 . 2009-01-06 08:09 716,272 --a------ c:\windows\system32\drivers\sptd.sys
    2009-01-06 04:28 . 2004-04-16 10:24 61,440 --a------ c:\windows\system32\ISUSPM.cpl
    2009-01-06 02:09 . 2009-01-06 02:09 <DIR> d-------- c:\program files\MSXML 4.0
    2009-01-06 01:49 . 2007-03-13 21:18 10,752 --a------ c:\windows\system32\ff_vfw.dll
    2009-01-06 01:49 . 2007-03-13 21:18 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
    2009-01-06 01:22 . 2009-01-06 01:22 <DIR> d-------- c:\program files\Common Files\NSV
    2009-01-04 23:18 . 2006-01-26 15:12 327,680 --a------ c:\windows\system32\haspms32.dll
    2009-01-04 20:44 . 2009-01-04 23:18 <DIR> d-------- c:\program files\Common Files\ALLDATA Shared
    2009-01-04 20:44 . 2002-09-21 00:33 1,089,536 --a------ c:\windows\system32\ROBOEX32.DLL
    2009-01-04 20:44 . 2004-07-14 12:54 676,864 --a------ c:\windows\system32\drivers\hardlock.sys
    2009-01-04 20:44 . 2005-05-26 14:33 446,464 --a------ c:\windows\system32\hhactivex.dll
    2009-01-04 20:44 . 2003-04-18 15:29 82,432 --a------ c:\windows\system32\msxml4r.dll
    2009-01-04 20:44 . 2000-08-04 17:25 49,152 --a------ c:\windows\system32\INETWH32.dll
    2009-01-04 20:44 . 2009-01-04 20:44 47,616 --a------ c:\windows\system32\drivers\Haspnt.sys
    2009-01-04 20:44 . 2003-04-18 15:29 44,544 --a------ c:\windows\system32\msxml4a.dll
    2009-01-04 20:44 . 2009-01-04 20:44 6,656 --a------ c:\windows\system32\haspvdd.dll
    2009-01-04 20:44 . 2009-01-03 03:10 2,577 --a------ c:\windows\system32\config.hsp
    2009-01-04 20:44 . 2009-01-04 20:44 383 --a------ c:\windows\system32\haspdos.sys
    2009-01-04 19:41 . 2009-01-04 19:41 624 --a------ c:\windows\system32\license.955200
    2009-01-04 19:40 . 2009-01-04 19:41 <DIR> d-------- c:\program files\NVIDIA Corporation
    2009-01-04 19:40 . 2002-11-21 11:06 671,744 -ra------ c:\windows\system32\DolbyHph.dll
    2009-01-04 19:40 . 2002-11-21 13:57 24,576 -ra------ c:\windows\system32\msxml3a.dll
    2009-01-04 17:23 . 2009-01-04 17:23 <DIR> d-------- c:\program files\ATTToolbar
    2009-01-04 17:23 . 2009-01-04 17:26 <DIR> d-------- c:\documents and settings\main\Application Data\ATTToolbar
    2009-01-04 17:23 . 2009-01-04 18:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATTToolbar
    2009-01-04 16:52 . 2009-01-04 17:20 <DIR> d-------- c:\documents and settings\main\Application Data\Motive
    2009-01-04 16:51 . 2009-01-04 17:23 <DIR> d-------- c:\program files\Common Files\Motive
    2009-01-04 16:51 . 2009-01-04 16:51 <DIR> d-------- c:\program files\ATT-HSI
    2009-01-04 16:48 . 2009-01-04 16:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Motive
    2009-01-04 16:12 . 2009-01-04 16:12 0 --a------ c:\windows\nsreg.dat
    2009-01-04 15:43 . 2009-01-04 15:43 <DIR> d-------- c:\windows\Logs
    2009-01-04 15:43 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
    2009-01-04 15:40 . 2009-01-04 15:40 <DIR> d-------- c:\program files\Common Files\Apple
    2009-01-04 15:40 . 2009-01-04 15:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
    2009-01-04 15:39 . 2009-01-04 15:39 <DIR> d-------- c:\program files\Apple Software Update
    2009-01-04 15:39 . 2009-01-04 15:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
    2009-01-04 15:29 . 2009-01-04 15:29 <DIR> d-------- c:\windows\SQLTools9_KB954606_ENU
    2009-01-04 15:27 . 2009-01-04 15:27 <DIR> d-------- c:\windows\SQL9_KB954606_ENU
    2009-01-04 15:00 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
    2009-01-04 15:00 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
    2009-01-04 06:33 . 2009-01-04 06:33 <DIR> d-------- C:\kit_files
    2009-01-04 06:32 . 2009-01-04 06:32 <DIR> d-------- C:\TRANSFER
    2009-01-04 06:32 . 2009-01-12 17:08 <DIR> d-------- C:\hunni
    2009-01-04 06:24 . 2009-01-04 06:24 <DIR> d-------- c:\program files\Lexmark Tools For Office
    2009-01-04 06:23 . 2009-01-04 06:23 0 --a------ c:\windows\MKDEWE.TRN
    2009-01-04 03:57 . 2009-01-04 03:57 <DIR> d-------- c:\program files\MSBuild
    2009-01-04 03:57 . 2009-01-04 03:57 <DIR> d-------- c:\program files\Microsoft Works
    2009-01-04 03:53 . 2009-01-04 03:53 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
    2009-01-04 03:52 . 2009-01-04 03:56 <DIR> d-------- c:\windows\SHELLNEW
    2009-01-04 03:52 . 2009-01-04 15:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-01-04 03:51 . 2009-01-04 03:51 <DIR> dr-h----- C:\MSOCache
    2009-01-04 01:41 . 2009-01-04 01:42 <DIR> d-------- c:\documents and settings\main\Application Data\vlc
    2009-01-04 01:32 . 2009-01-04 01:32 <DIR> d-------- C:\ATI
    2009-01-04 01:32 . 2006-01-26 08:57 520,192 --a------ c:\windows\system32\ati2sgag.exe
    2009-01-04 00:34 . 2009-01-11 01:45 69 --a------ c:\windows\NeroDigital.ini
    2009-01-04 00:15 . 2009-01-04 03:45 <DIR> d-------- c:\documents and settings\main\Application Data\Winamp
    2009-01-03 22:54 . 2009-01-11 13:38 <DIR> d-------- c:\documents and settings\main\Application Data\BitTorrent
    2009-01-03 22:49 . 2008-12-05 22:18 499,712 --a------ c:\windows\system32\msvcp71.dll
    2009-01-03 22:49 . 2008-12-05 22:18 348,160 --a------ c:\windows\system32\msvcr71.dll
    2009-01-03 22:48 . 2009-01-03 22:51 <DIR> d-------- c:\windows\system32\Adobe
    2009-01-03 22:44 . 2009-01-03 22:44 <DIR> d-------- c:\windows\Sun
    2009-01-03 22:44 . 2009-01-03 22:43 410,984 --a------ c:\windows\system32\deploytk.dll
    2009-01-03 22:44 . 2009-01-03 22:43 73,728 --a------ c:\windows\system32\javacpl.cpl
    2009-01-03 22:43 . 2009-01-03 22:43 <DIR> d-------- c:\program files\Java
    2009-01-03 22:11 . 2009-01-03 22:13 <DIR> d-------- c:\program files\Microsoft Small Business
    2009-01-03 22:08 . 2009-01-04 03:55 <DIR> d-------- c:\program files\Microsoft.NET
    2009-01-03 22:07 . 2009-01-03 22:07 <DIR> d-------- c:\program files\MSXML 6.0
    2009-01-03 22:06 . 2009-01-04 15:29 <DIR> d-------- c:\program files\Microsoft SQL Server
    2009-01-03 21:59 . 2009-01-12 17:14 <DIR> d-------- c:\program files\DNA
    2009-01-03 21:59 . 2009-01-12 17:14 <DIR> d-------- c:\documents and settings\main\Application Data\DNA
    2009-01-03 21:31 . 2009-01-03 21:31 <DIR> d-------- c:\program files\Common Files\Ahead
    2009-01-03 21:31 . 2009-01-03 21:31 <DIR> d-------- c:\program files\Ahead
    2009-01-03 21:31 . 2004-07-26 16:16 1,568,768 --a------ c:\windows\system32\ImagX7.dll
    2009-01-03 21:31 . 2004-07-26 16:16 476,320 --a------ c:\windows\system32\ImagXpr7.dll
    2009-01-03 21:31 . 2004-07-26 16:16 471,040 --a------ c:\windows\system32\ImagXRA7.dll
    2009-01-03 21:31 . 2004-07-09 08:43 364,544 --a------ c:\windows\system32\TwnLib4.dll
    2009-01-03 21:31 . 2004-07-26 16:16 262,144 --a------ c:\windows\system32\ImagXR7.dll
    2009-01-03 21:31 . 2006-01-12 15:40 155,648 --a------ c:\windows\system32\NeroCheck.exe
    2009-01-03 21:31 . 2005-09-01 11:03 127,488 --------- c:\windows\system32\drivers\imagesrv.sys
    2009-01-03 21:31 . 2000-06-26 10:45 106,496 --a------ c:\windows\system32\TwnLib20.dll
    2009-01-03 21:31 . 2005-09-01 11:03 5,888 --------- c:\windows\system32\drivers\imagedrv.sys
    2009-01-03 21:24 . 2009-01-03 21:24 <DIR> d-------- c:\program files\VideoLAN
    2009-01-03 15:48 . 2008-04-13 19:11 21,504 --a------ c:\windows\system32\hidserv.dll
    2009-01-03 15:48 . 2008-04-13 19:11 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
    2009-01-03 15:48 . 2008-04-13 13:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
    2009-01-03 15:48 . 2008-04-13 13:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
    2009-01-03 15:39 . 2009-01-03 15:39 <DIR> d-------- c:\program files\Western Digital
    2009-01-03 15:39 . 2009-01-06 07:26 <DIR> d-------- c:\program files\Common Files\InstallShield
    2009-01-03 15:34 . 2009-01-03 15:34 <DIR> d-------- c:\program files\Seagate
    2009-01-03 15:27 . 2009-01-03 15:27 <DIR> d-------- c:\program files\Windows Media Connect 2
    2009-01-03 15:26 . 2009-01-03 15:26 <DIR> d-------- c:\windows\system32\LogFiles
    2009-01-03 15:26 . 2009-01-03 15:27 <DIR> d-------- c:\windows\system32\drivers\UMDF
    2009-01-03 14:37 . 2009-01-03 14:37 <DIR> d-------- c:\documents and settings\main\Application Data\DivX

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-03 08:19 --------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2009-01-03 08:10 --------- d-----w c:\program files\microsoft frontpage
    .

    ((((((((((((((((((((((((((((( snapshot@2009-01-12_14.01.36.95 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-01-12 22:14:16 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_764.dat
    + 2009-01-12 22:14:30 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_b18.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "BitTorrent DNA "= "c:\program files\DNA\btdna.exe" [2009-01-03 342848]
    "alcoholautomount "= "c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-01-06 4608]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "lxcrmon.exe "= "c:\program files\Lexmark 2400 Series\lxcrmon.exe" [2006-03-06 286720]
    "EzPrint "= "c:\program files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 98304]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "NeroFilterCheck "= "c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-01-03 136600]
    "PWRISOVM.EXE "= "g:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
    "LXCRCATS "= "c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 65536]
    "WinampAgent "= "g:\program files\Winamp\winampa.exe" [2008-08-03 36352]
    "QuickTime Task "= "g:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "*svchostBoot "= "c:\documents and settings\main\Application Data\svchost.exe" [2009-01-08 788209]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-12 1601304]
    "isusscheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
    "isuspm startup "= "c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
    "s3tray2 "= "S3tray2.exe" [2001-10-12 c:\windows\system32\S3tray2.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-01-12 13:26 10520 c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=avgrsstx.dll dwpsag.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\emu\\NES\\nestcl95.exe "=
    "g:\\emulators\\games\\nes\\Games Released in the US\\nestcl95.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "g:\\Program Files\\BitTorrent\\bittorrent.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe "=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\WINDOWS\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\DNA\\btdna.exe "=

    R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-11 324872]
    R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [2001-07-11 23153]
    R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-11 298264]
    R4 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-08-05 29184016]
    S1 d6701f53;d6701f53;c:\windows\system32\drivers\d6701f53.sys [2009-01-11 0]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

    2009-01-12 c:\windows\Tasks\zfgtbthe.job
    - c:\windows\system32\rundll32.exe [2008-04-13 19:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    Trusted Zone: www.avg.com
    FF - ProfilePath - c:\documents and settings\main\Application Data\Mozilla\Firefox\Profiles\ljhaciiu.default\
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\documents and settings\main\Application Data\Mozilla\Firefox\Profiles\ljhaciiu.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
    FF - component: g:\program files\Mozilla Firefox\components\iamfamous.dll
    FF - component: g:\program files\Mozilla Firefox\components\srff.dll
    FF - plugin: g:\program files\QuickTime\Plugins\npqtplugin.dll
    FF - plugin: g:\program files\QuickTime\Plugins\npqtplugin2.dll
    FF - plugin: g:\program files\QuickTime\Plugins\npqtplugin3.dll
    FF - plugin: g:\program files\QuickTime\Plugins\npqtplugin4.dll
    FF - plugin: g:\program files\QuickTime\Plugins\npqtplugin5.dll
    FF - plugin: g:\program files\QuickTime\Plugins\npqtplugin6.dll
    FF - plugin: g:\program files\QuickTime\Plugins\npqtplugin7.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-12 17:14:28
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(648)
    c:\windows\system32\Ati2evxx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\windows\system32\WgaTray.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\program files\AVG\AVG8\avgcsrvx.exe
    c:\windows\system32\pctspk.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    c:\windows\system32\lxcrcoms.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-12 17:16:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-01-12 22:16:00
    ComboFix2.txt 2009-01-12 19:03:09

    Pre-Run: 7,264,006,144 bytes free
    Post-Run: 7,258,263,552 bytes free

     
  15. 2009/01/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Once again, disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    c:\windows\system32\drivers\d6701f53.sys
    c:\documents and settings\main\Application Data\svchost.exe
    c:\documents and settings\main\Application Data\__t.bin
    c:\windows\Tasks\zfgtbthe.job
    Folder::
    c:\windows\umiq
    c:\program files\Common Files\umiq
    c:\program files\totalvid
    c:\documents and settings\main\Application Data\cogad
    c:\documents and settings\main\Application Data\_ca29e34c79e4843dd796f1512916024d
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "*svchostBoot "=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
     "AppInit_DLLs "= "avgrsstx.dll "
    Driver::
    d6701f53
    FireFox::
    FF - component: g:\program files\Mozilla Firefox\components\iamfamous.dll
    FF - component: g:\program files\Mozilla Firefox\components\srff.dll
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.


    Now, I feel compelled to ask, why are you running BitTorrent on a business comp? I'm not passing judgment on file-sharing as a concept. However, I will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    References for the risk of these programs are here, here and here.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
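The CFScript above picks out a handful of entries from the ComboFix log in the preceding post: a service whose driver file is 0 bytes, an svchost.exe launched from the user's Application Data, an extra DLL in AppInit_DLLs and a randomly named scheduled task that only runs rundll32.exe. The following Python script is an added example (not part of this thread, ComboFix or CFScript) that applies those same checks to a constructed excerpt of that log and drafts the matching CFScript sections; the AppInit_DLLs allow-list and the "random-looking name" heuristic are assumptions an analyst would tune against a known-good baseline.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not from the thread).

It flags the kinds of entries the CFScript above removes and drafts CFScript sections:
  * services/drivers whose backing file is 0 bytes   (S1 d6701f53 ... [2009-01-11 0])
  * Run values that launch an .exe from a user's Application Data
  * AppInit_DLLs entries outside an analyst-supplied allow-list
  * scheduled tasks with random-looking names whose only action is rundll32.exe
"""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"*svchostBoot "= "c:\documents and settings\main\Application Data\svchost.exe" [2009-01-08 788209]
"AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-12 1601304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs "=avgrsstx.dll dwpsag.dll

R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-11 324872]
S1 d6701f53;d6701f53;c:\windows\system32\drivers\d6701f53.sys [2009-01-11 0]

2009-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-12 c:\windows\Tasks\zfgtbthe.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
"""

# Assumption: avgrsstx.dll (AVG) is legitimate, as the CFScript above treats it.
# A real allow-list comes from the analyst's known-good baseline.
KNOWN_APPINIT = {"avgrsstx.dll"}

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>.*?)\s*"=\s*"(?P<path>[^"]+)"')
APPINIT_RE = re.compile(r'^"AppInit_DLLs\s*"=\s*(?P<dlls>.*)$')
SVC_RE = re.compile(r"^[RS]\d\s+(?P<svc>[^;]+);[^;]*;(?P<path>.+?)\s+\[\S+\s+(?P<size>\d+)\]$")
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>\S+\\Tasks\\(?P<name>[^\\]+)\.job)$")
JOB_TARGET_RE = re.compile(r"^-\s+(?P<target>.+?)\s+\[")
USER_PROFILE_RE = re.compile(r"\\documents and settings\\[^\\]+\\", re.I)


@dataclass
class Finding:
    kind: str       # zero_byte_driver | profile_run | appinit_dll | rundll32_task
    subject: str    # service name, Run value name, DLL name or job name
    path: str = ""  # file path involved, when there is one
    key: str = ""   # registry key involved, when there is one


def looks_random(name: str) -> bool:
    """Heuristic: five or more consonants in a row (e.g. 'zfgtbthe'), which real
    product names such as 'AppleSoftwareUpdate' almost never contain."""
    return re.search(r"[b-df-hj-np-tv-z]{5,}", name, re.I) is not None


def triage(log_text: str) -> list[Finding]:
    """Walk the log once, remembering the current registry key and pending task."""
    findings: list[Finding] = []
    current_key = ""
    pending_job = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            current_key = m["key"]
        elif m := APPINIT_RE.match(line):
            for dll in m["dlls"].split():
                if dll.lower() not in KNOWN_APPINIT:
                    findings.append(Finding("appinit_dll", dll, key=current_key))
        elif m := RUN_RE.match(line):
            if USER_PROFILE_RE.search(m["path"]) and m["path"].lower().endswith(".exe"):
                findings.append(Finding("profile_run", m["name"], m["path"], current_key))
        elif m := SVC_RE.match(line):
            if int(m["size"]) == 0:  # a 0-byte driver cannot be a functioning driver
                findings.append(Finding("zero_byte_driver", m["svc"], m["path"]))
        elif m := JOB_RE.match(line):
            pending_job = (m["name"], m["job"])  # target appears on the next line
        elif pending_job and (m := JOB_TARGET_RE.match(line)):
            name, job = pending_job
            pending_job = None
            if m["target"].lower().endswith("rundll32.exe") and looks_random(name):
                findings.append(Finding("rundll32_task", name, job))
    return findings


def to_cfscript(findings: list[Finding]) -> str:
    """Draft File::/Registry::/Driver:: sections in the form used in the thread.
    Every proposed line still needs analyst review before it is fed to ComboFix."""
    files, registry, drivers, appinit_keys = [], [], [], set()
    for f in findings:
        if f.kind == "zero_byte_driver":
            files.append(f.path)
            drivers.append(f.subject)
        elif f.kind == "profile_run":
            files.append(f.path)
            registry += [f"[{f.key}]", f'"{f.subject}"=-']  # '=-' deletes the value
        elif f.kind == "rundll32_task":
            files.append(f.path)
        elif f.kind == "appinit_dll" and f.key not in appinit_keys:
            appinit_keys.add(f.key)  # reset the value to the allow-list, once per key
            registry += [f"[{f.key}]", '"AppInit_DLLs"="%s"' % " ".join(sorted(KNOWN_APPINIT))]
    out = []
    for header, lines in (("File::", files), ("Registry::", registry), ("Driver::", drivers)):
        if lines:
            out += [header, *lines]
    return "\n".join(out)


if __name__ == "__main__":
    print(to_cfscript(triage(SAMPLE_LOG)))
```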
     
  16. 2009/01/13
    phloggo

    phloggo Inactive Thread Starter

    Joined:
    2009/01/11
    Messages:
    11
    Likes Received:
    0
    Here's the log:

    ComboFix 09-01-11.04 - main 2009-01-13 2:48:45.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.768.350 [GMT -5:00]
    Running from: c:\documents and settings\main\Desktop\TheCat.exe
    Command switches used :: c:\documents and settings\main\Desktop\CFScript.txt
    AV: AVG Anti-Virus *On-access scanning disabled* (Updated)
    * Created a new restore point

    FILE ::
    c:\documents and settings\main\Application Data\__t.bin
    c:\documents and settings\main\Application Data\svchost.exe
    c:\windows\system32\drivers\d6701f53.sys
    c:\windows\Tasks\zfgtbthe.job
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\main\Application Data\__t.bin
    c:\documents and settings\main\Application Data\_ca29e34c79e4843dd796f1512916024d
    c:\documents and settings\main\Application Data\_ca29e34c79e4843dd796f1512916024d\control.ini
    c:\documents and settings\main\Application Data\_ca29e34c79e4843dd796f1512916024d\down\4203008.exe
    c:\documents and settings\main\Application Data\_ca29e34c79e4843dd796f1512916024d\save.ini
    c:\documents and settings\main\Application Data\cogad
    c:\documents and settings\main\Application Data\svchost.exe
    c:\program files\Common Files\umiq
    c:\program files\Common Files\umiq\umiqa.lck
    c:\program files\Common Files\umiq\umiqd\class-barrel
    c:\program files\Common Files\umiq\umiqd\vocabulary
    c:\program files\Common Files\umiq\umiqh
    c:\program files\Common Files\umiq\umiql.lck
    c:\program files\Common Files\umiq\umiqm.lck
    c:\program files\totalvid
    c:\program files\totalvid\Uninstall.exe
    c:\windows\system32\drivers\d6701f53.sys
    c:\windows\Tasks\zfgtbthe.job
    c:\windows\umiq
    c:\windows\umiq\umiq.dat
    c:\windows\umiq\wu
    g:\program files\Mozilla Firefox\components\iamfamous.dll
    g:\program files\Mozilla Firefox\components\srff.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_AVG
    -------\Service_d6701f53


    ((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
    .

    2009-01-12 19:20 . 2009-01-12 19:20 <DIR> d-------- c:\program files\Yahoo!
    2009-01-12 19:20 . 2009-01-12 19:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
    2009-01-12 13:26 . 2009-01-12 13:26 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
    2009-01-12 02:47 . 2009-01-12 02:47 <DIR> d-------- c:\program files\Trend Micro
    2009-01-12 02:44 . 2009-01-12 02:44 <DIR> d-------- c:\program files\Lavasoft
    2009-01-12 02:44 . 2009-01-12 02:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-01-11 19:23 . 2009-01-13 02:20 <DIR> d--h----- C:\$AVG8.VAULT$
    2009-01-11 19:14 . 2009-01-11 19:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
    2009-01-11 18:50 . 2009-01-11 18:50 <DIR> d-------- c:\documents and settings\main\Application Data\aAvgApi
    2009-01-11 18:26 . 2009-01-11 20:33 <DIR> d-------- c:\program files\Webtools
    2009-01-11 18:15 . 2009-01-12 13:26 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2009-01-11 18:14 . 2009-01-12 18:47 <DIR> d-------- c:\windows\system32\drivers\Avg
    2009-01-11 18:14 . 2009-01-11 18:58 <DIR> d-------- c:\documents and settings\main\Application Data\AVGTOOLBAR
    2009-01-11 18:14 . 2009-01-12 13:26 324,872 --a------ c:\windows\system32\drivers\avgldx86.sys
    2009-01-11 13:38 . 2009-01-12 14:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
    2009-01-10 07:44 . 2009-01-10 07:46 <DIR> d-------- c:\program files\SoundSpectrum
    2009-01-10 07:41 . 2009-01-10 07:41 <DIR> d-------- c:\program files\aVis
    2009-01-08 06:38 . 2009-01-08 06:38 <DIR> d-------- c:\documents and settings\main\Application Data\fltk.org
    2009-01-06 11:06 . 2009-01-06 11:06 <DIR> d-------- c:\documents and settings\main\Application Data\mirkes.de
    2009-01-06 09:08 . 2009-01-06 09:29 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
    2009-01-06 08:19 . 1996-07-18 13:06 297,472 --a------ c:\windows\uninst.exe
    2009-01-06 08:15 . 2008-02-22 06:30 334,792 --a------ c:\windows\system32\_AxShlEx.dll
    2009-01-06 08:14 . 2009-01-11 22:02 <DIR> d-------- c:\program files\free-downloads.net
    2009-01-06 08:14 . 2009-01-11 22:02 <DIR> d-------- c:\program files\Conduit
    2009-01-06 08:14 . 2009-01-06 08:14 <DIR> d-------- c:\program files\Alcohol Soft
    2009-01-06 08:09 . 2009-01-06 08:09 716,272 --a------ c:\windows\system32\drivers\sptd.sys
    2009-01-06 04:28 . 2004-04-16 10:24 61,440 --a------ c:\windows\system32\ISUSPM.cpl
    2009-01-06 02:09 . 2009-01-06 02:09 <DIR> d-------- c:\program files\MSXML 4.0
    2009-01-06 01:49 . 2007-03-13 21:18 10,752 --a------ c:\windows\system32\ff_vfw.dll
    2009-01-06 01:49 . 2007-03-13 21:18 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
    2009-01-06 01:22 . 2009-01-06 01:22 <DIR> d-------- c:\program files\Common Files\NSV
    2009-01-04 23:18 . 2006-01-26 15:12 327,680 --a------ c:\windows\system32\haspms32.dll
    2009-01-04 20:44 . 2009-01-04 23:18 <DIR> d-------- c:\program files\Common Files\ALLDATA Shared
    2009-01-04 20:44 . 2002-09-21 00:33 1,089,536 --a------ c:\windows\system32\ROBOEX32.DLL
    2009-01-04 20:44 . 2004-07-14 12:54 676,864 --a------ c:\windows\system32\drivers\hardlock.sys
    2009-01-04 20:44 . 2005-05-26 14:33 446,464 --a------ c:\windows\system32\hhactivex.dll
    2009-01-04 20:44 . 2003-04-18 15:29 82,432 --a------ c:\windows\system32\msxml4r.dll
    2009-01-04 20:44 . 2000-08-04 17:25 49,152 --a------ c:\windows\system32\INETWH32.dll
    2009-01-04 20:44 . 2009-01-04 20:44 47,616 --a------ c:\windows\system32\drivers\Haspnt.sys
    2009-01-04 20:44 . 2003-04-18 15:29 44,544 --a------ c:\windows\system32\msxml4a.dll
    2009-01-04 20:44 . 2009-01-04 20:44 6,656 --a------ c:\windows\system32\haspvdd.dll
    2009-01-04 20:44 . 2009-01-03 03:10 2,577 --a------ c:\windows\system32\config.hsp
    2009-01-04 20:44 . 2009-01-04 20:44 383 --a------ c:\windows\system32\haspdos.sys
    2009-01-04 19:41 . 2009-01-04 19:41 624 --a------ c:\windows\system32\license.955200
    2009-01-04 19:40 . 2009-01-04 19:41 <DIR> d-------- c:\program files\NVIDIA Corporation
    2009-01-04 19:40 . 2002-11-21 11:06 671,744 -ra------ c:\windows\system32\DolbyHph.dll
    2009-01-04 19:40 . 2002-11-21 13:57 24,576 -ra------ c:\windows\system32\msxml3a.dll
    2009-01-04 17:23 . 2009-01-04 17:23 <DIR> d-------- c:\program files\ATTToolbar
    2009-01-04 17:23 . 2009-01-04 17:26 <DIR> d-------- c:\documents and settings\main\Application Data\ATTToolbar
    2009-01-04 17:23 . 2009-01-04 18:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATTToolbar
    2009-01-04 16:52 . 2009-01-04 17:20 <DIR> d-------- c:\documents and settings\main\Application Data\Motive
    2009-01-04 16:51 . 2009-01-04 17:23 <DIR> d-------- c:\program files\Common Files\Motive
    2009-01-04 16:51 . 2009-01-04 16:51 <DIR> d-------- c:\program files\ATT-HSI
    2009-01-04 16:48 . 2009-01-04 16:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Motive
    2009-01-04 16:12 . 2009-01-04 16:12 0 --a------ c:\windows\nsreg.dat
    2009-01-04 15:43 . 2009-01-04 15:43 <DIR> d-------- c:\windows\Logs
    2009-01-04 15:43 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
    2009-01-04 15:40 . 2009-01-04 15:40 <DIR> d-------- c:\program files\Common Files\Apple
    2009-01-04 15:40 . 2009-01-04 15:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
    2009-01-04 15:39 . 2009-01-04 15:39 <DIR> d-------- c:\program files\Apple Software Update
    2009-01-04 15:39 . 2009-01-04 15:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
    2009-01-04 15:29 . 2009-01-04 15:29 <DIR> d-------- c:\windows\SQLTools9_KB954606_ENU
    2009-01-04 15:27 . 2009-01-04 15:27 <DIR> d-------- c:\windows\SQL9_KB954606_ENU
    2009-01-04 15:00 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
    2009-01-04 15:00 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
    2009-01-04 06:33 . 2009-01-04 06:33 <DIR> d-------- C:\kit_files
    2009-01-04 06:32 . 2009-01-04 06:32 <DIR> d-------- C:\TRANSFER
    2009-01-04 06:32 . 2009-01-12 17:46 <DIR> d-------- C:\hunni
    2009-01-04 06:24 . 2009-01-04 06:24 <DIR> d-------- c:\program files\Lexmark Tools For Office
    2009-01-04 06:23 . 2009-01-04 06:23 0 --a------ c:\windows\MKDEWE.TRN
    2009-01-04 03:57 . 2009-01-04 03:57 <DIR> d-------- c:\program files\MSBuild
    2009-01-04 03:57 . 2009-01-04 03:57 <DIR> d-------- c:\program files\Microsoft Works
    2009-01-04 03:53 . 2009-01-04 03:53 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
    2009-01-04 03:52 . 2009-01-04 03:56 <DIR> d-------- c:\windows\SHELLNEW
    2009-01-04 03:52 . 2009-01-04 15:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-01-04 03:51 . 2009-01-04 03:51 <DIR> dr-h----- C:\MSOCache
    2009-01-04 01:41 . 2009-01-04 01:42 <DIR> d-------- c:\documents and settings\main\Application Data\vlc
    2009-01-04 01:32 . 2009-01-04 01:32 <DIR> d-------- C:\ATI
    2009-01-04 01:32 . 2006-01-26 08:57 520,192 --a------ c:\windows\system32\ati2sgag.exe
    2009-01-04 00:34 . 2009-01-13 01:40 69 --a------ c:\windows\NeroDigital.ini
    2009-01-04 00:15 . 2009-01-12 20:37 <DIR> d-------- c:\documents and settings\main\Application Data\Winamp
    2009-01-03 22:54 . 2009-01-11 13:38 <DIR> d-------- c:\documents and settings\main\Application Data\BitTorrent
    2009-01-03 22:49 . 2008-12-05 22:18 499,712 --a------ c:\windows\system32\msvcp71.dll
    2009-01-03 22:49 . 2008-12-05 22:18 348,160 --a------ c:\windows\system32\msvcr71.dll
    2009-01-03 22:48 . 2009-01-03 22:51 <DIR> d-------- c:\windows\system32\Adobe
    2009-01-03 22:44 . 2009-01-03 22:44 <DIR> d-------- c:\windows\Sun
    2009-01-03 22:44 . 2009-01-03 22:43 410,984 --a------ c:\windows\system32\deploytk.dll
    2009-01-03 22:44 . 2009-01-03 22:43 73,728 --a------ c:\windows\system32\javacpl.cpl
    2009-01-03 22:43 . 2009-01-03 22:43 <DIR> d-------- c:\program files\Java
    2009-01-03 22:11 . 2009-01-03 22:13 <DIR> d-------- c:\program files\Microsoft Small Business
    2009-01-03 22:08 . 2009-01-04 03:55 <DIR> d-------- c:\program files\Microsoft.NET
    2009-01-03 22:07 . 2009-01-03 22:07 <DIR> d-------- c:\program files\MSXML 6.0
    2009-01-03 22:06 . 2009-01-04 15:29 <DIR> d-------- c:\program files\Microsoft SQL Server
    2009-01-03 21:59 . 2009-01-13 02:53 <DIR> d-------- c:\program files\DNA
    2009-01-03 21:59 . 2009-01-13 02:53 <DIR> d-------- c:\documents and settings\main\Application Data\DNA
    2009-01-03 21:31 . 2009-01-03 21:31 <DIR> d-------- c:\program files\Common Files\Ahead
    2009-01-03 21:31 . 2009-01-03 21:31 <DIR> d-------- c:\program files\Ahead
    2009-01-03 21:31 . 2004-07-26 16:16 1,568,768 --a------ c:\windows\system32\ImagX7.dll
    2009-01-03 21:31 . 2004-07-26 16:16 476,320 --a------ c:\windows\system32\ImagXpr7.dll
    2009-01-03 21:31 . 2004-07-26 16:16 471,040 --a------ c:\windows\system32\ImagXRA7.dll
    2009-01-03 21:31 . 2004-07-09 08:43 364,544 --a------ c:\windows\system32\TwnLib4.dll
    2009-01-03 21:31 . 2004-07-26 16:16 262,144 --a------ c:\windows\system32\ImagXR7.dll
    2009-01-03 21:31 . 2006-01-12 15:40 155,648 --a------ c:\windows\system32\NeroCheck.exe
    2009-01-03 21:31 . 2005-09-01 11:03 127,488 --------- c:\windows\system32\drivers\imagesrv.sys
    2009-01-03 21:31 . 2000-06-26 10:45 106,496 --a------ c:\windows\system32\TwnLib20.dll
    2009-01-03 21:31 . 2005-09-01 11:03 5,888 --------- c:\windows\system32\drivers\imagedrv.sys
    2009-01-03 21:24 . 2009-01-03 21:24 <DIR> d-------- c:\program files\VideoLAN
    2009-01-03 15:48 . 2008-04-13 19:11 21,504 --a------ c:\windows\system32\hidserv.dll
    2009-01-03 15:48 . 2008-04-13 19:11 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
    2009-01-03 15:48 . 2008-04-13 13:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
    2009-01-03 15:48 . 2008-04-13 13:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
    2009-01-03 15:39 . 2009-01-03 15:39 <DIR> d-------- c:\program files\Western Digital
    2009-01-03 15:39 . 2009-01-06 07:26 <DIR> d-------- c:\program files\Common Files\InstallShield
    2009-01-03 15:34 . 2009-01-03 15:34 <DIR> d-------- c:\program files\Seagate
    2009-01-03 15:27 . 2009-01-03 15:27 <DIR> d-------- c:\program files\Windows Media Connect 2
    2009-01-03 15:26 . 2009-01-03 15:26 <DIR> d-------- c:\windows\system32\LogFiles
    2009-01-03 15:26 . 2009-01-03 15:27 <DIR> d-------- c:\windows\system32\drivers\UMDF
    2009-01-03 14:37 . 2009-01-03 14:37 <DIR> d-------- c:\documents and settings\main\Application Data\DivX
    2009-01-03 14:36 . 2009-01-03 14:37 <DIR> d-------- c:\windows\system32\URTTemp
    2009-01-03 14:32 . 2009-01-12 02:36 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2009-01-03 14:31 . 2009-01-03 14:32 <DIR> d-------- c:\program files\DivX
    2009-01-03 14:28 . 2009-01-03 14:30 <DIR> d-------- c:\program files\Common Files\Adobe
    2009-01-03 14:27 . 2009-01-03 14:27 <DIR> d-------- c:\program files\Common Files\Adobe AIR
    2009-01-03 14:24 . 2009-01-03 14:24 <DIR> d-------- C:\games
    2009-01-03 14:23 . 2009-01-03 14:25 <DIR> d-------- C:\emu

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-03 08:19 --------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2009-01-03 08:10 --------- d-----w c:\program files\microsoft frontpage
    .

    ((((((((((((((((((((((((((((( snapshot@2009-01-12_14.01.36.95 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-01-13 07:53:11 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_c0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "BitTorrent DNA "= "c:\program files\DNA\btdna.exe" [2009-01-03 342848]
    "alcoholautomount "= "c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-01-06 4608]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "lxcrmon.exe "= "c:\program files\Lexmark 2400 Series\lxcrmon.exe" [2006-03-06 286720]
    "EzPrint "= "c:\program files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 98304]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "NeroFilterCheck "= "c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-01-03 136600]
    "PWRISOVM.EXE "= "g:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
    "LXCRCATS "= "c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 65536]
    "WinampAgent "= "g:\program files\Winamp\winampa.exe" [2008-08-03 36352]
    "QuickTime Task "= "g:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-12 1601304]
    "isusscheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
    "isuspm startup "= "c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
    "s3tray2 "= "S3tray2.exe" [2001-10-12 c:\windows\system32\S3tray2.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-01-12 13:26 10520 c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\emu\\NES\\nestcl95.exe "=
    "g:\\emulators\\games\\nes\\Games Released in the US\\nestcl95.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "g:\\Program Files\\BitTorrent\\bittorrent.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe "=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\WINDOWS\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\DNA\\btdna.exe "=
    "g:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=

    R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-11 324872]
    R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [2001-07-11 23153]
    R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-11 298264]
    R4 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-08-05 29184016]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    Trusted Zone: www.avg.com
    FF - ProfilePath - c:\documents and settings\main\Application Data\Mozilla\Firefox\Profiles\ljhaciiu.default\
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\documents and settings\main\Application Data\Mozilla\Firefox\Profiles\ljhaciiu.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
    FF - plugin: g:\program files\QuickTime\Plugins\npqtplugin.dll
    FF - plugin: g:\program files\QuickTime\Plugins\npqtplugin2.dll
    FF - plugin: g:\program files\QuickTime\Plugins\npqtplugin3.dll
    FF - plugin: g:\program files\QuickTime\Plugins\npqtplugin4.dll
    FF - plugin: g:\program files\QuickTime\Plugins\npqtplugin5.dll
    FF - plugin: g:\program files\QuickTime\Plugins\npqtplugin6.dll
    FF - plugin: g:\program files\QuickTime\Plugins\npqtplugin7.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-13 02:53:26
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16??????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(640)
    c:\windows\system32\Ati2evxx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\windows\system32\WgaTray.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\windows\system32\pctspk.exe
    c:\program files\AVG\AVG8\avgcsrvx.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    c:\windows\system32\lxcrcoms.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-13 2:55:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-01-13 07:55:00
    ComboFix2.txt 2009-01-12 22:16:07
    ComboFix3.txt 2009-01-12 19:03:09

    Pre-Run: 7,227,777,024 bytes free
    Post-Run: 7,243,366,400 bytes free

    286

    The business computer is also my computer. I recently started a small business.
     
  17. 2009/01/13
    phloggo

    phloggo Inactive Thread Starter

    Joined:
    2009/01/11
    Messages:
    11
    Likes Received:
    0
    I saved this page in my favorites when I started this thread. After running ComboFix, the WindowsBBS icon is displayed by the link like it was before. Sometimes this changes to a Windows-style flag or a stylized "g" in a box.
    Also, after running ComboFix, AVG detects a threat: cookie main@atdmt. If I click heal, AVG cannot find the specified file. If I click "move to vault", the status changes to deleted.
    And I still have random braille-looking dot formations around the cursors, always changing. I set my pointers to inverted. The dots don't invert.
    On the plus side, my internet activity light on the modem has quieted down.
     
  18. 2009/01/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Want to do a double check with another rootkit scanner. Download GMER Rootkit Scanner from here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan... click on NO.

    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in ark.txt
    Save it where you can easily find it, such as your desktop then post the contents here.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take action on any <---- ROOTKIT entries


    Next, do an online scan with Kaspersky Online Scanner

    Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.


    Post the Kaspersky log here.
     
