
I'll patch Conficker now. And hey, your plan of attack has cleared out an awful lot of the bugs, so I'm not complaining :P.

Yeah . . . But if we don't get them all, they'll come right back.
The thing is, those scans we already ran should've been more effective.

-- Did you disable DNS Client service (a few posts back)?

-- Let's take a small step back and do this - Probably should have done it a while back, but we got caught up in going a different direction. You should have put this on a flash drive, but I'm just copy&pasting my usual directions to save time:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.

PP :)


I think I disabled the DNS client service....


Breakthrough! MalwareBytes updated! DB version 3034 now, running a scan.


DDS (Ver_09-10-26.01) - NTFSx86
Run by Greg Rolls at 4:39:20.51 on 26/10/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1582 [GMT 0:00]

AV: avast! antivirus 4.8.1229 [VPS 090103-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mail.Ru\Agent\MAgent.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\Greg Rolls\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ntlworld.com/broadband
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {00000000-5736-4205-0008-781cd0e19f00} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0527.dll
uRun: [RemoteCenter] c:\program files\creative\mediasource\remotecontrol\RCMan.EXE
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
mRun: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDet.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [DeadAIM] rundll32.exe "c:\program files\aim\\DeadAIM.ocm",ExportedCheckODLs
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_02\bin\jusched.exe
mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\ntl\broadb~1\smartb~1\MotiveSB.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [wltray.exe] c:\windows\system32\wltray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [MAgent] c:\program files\mail.ru\agent\MAgent.exe -LM
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\broadb~1.lnk - c:\program files\ntl\broadband medic\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\KEM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\paltalk.lnk - c:\program files\paltalk messenger\paltalk.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {7558B7E5-7B26-4201-BEDB-00D5FF534523} - c:\program files\mail.ru\agent\magent.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0527.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215584651857
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215584643842
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gregro~1\applic~1\mozilla\firefox\profiles\gzs7vvqp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\opera\program\plugins\np32dsw.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprjplug.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-4 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-4 20560]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PfModNT.sys [2005-1-13 15840]
S2 sekvhtb;Security System;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 iMSPCLOj;iMSPCLOj;\??\c:\docume~1\gregro~1\locals~1\temp\imspcloj.sys --> c:\docume~1\gregro~1\locals~1\temp\iMSPCLOj.sys [?]
S3 qvycltyk;qvycltyk;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]

=============== Created Last 30 ================

2009-10-24 20:48:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-24 20:48:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-24 20:48:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-24 15:11:56 0 d-s---w- C:\Combo-Fix
2009-10-22 20:18:34 0 d-sha-r- C:\cmdcons
2009-10-22 00:16:07 0 d-----w- c:\docume~1\gregro~1\applic~1\Malwarebytes
2009-10-22 00:16:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-21 01:47:59 98816 ----a-w- c:\windows\sed.exe
2009-10-21 01:47:59 236544 ----a-w- c:\windows\PEV.exe
2009-10-21 01:47:59 161792 ----a-w- c:\windows\SWREG.exe
2009-10-15 06:29:40 0 d-----w- c:\program files\Spyware Doctor
2009-10-15 06:09:33 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-15 06:03:54 120 ----a-w- c:\windows\Sboqomatumoye.dat
2009-10-15 06:03:54 0 ----a-w- c:\windows\Ohamozu.bin
2009-10-15 06:01:49 131731 ----a-w- c:\windows\system32\dbsinit.exe
2009-10-15 06:00:47 92 ----a-w- c:\windows\system32\wwp.htm
2009-10-08 01:33:00 0 d-----w- c:\windows\pss

==================== Find3M ====================


============= FINISH: 4:39:47.21 ===============

Edited by Asezat: MalwareBytes.....

Attachments
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 13/01/2005 13:08:27
System Uptime: 26/10/2009 04:35:45 (0 hours ago)

Motherboard: MSI |  | MS-6702
Processor: AMD Athlon(tm) 64 Processor 3400+ | Socket-754 | 2400/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 186 GiB total, 9.97 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM ()
G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: 
Description: Multimedia Audio Controller
Device ID: PCI\VEN_1106&DEV_3059&SUBSYS_00801462&REV_60\3&61AAA01&0&8D
Manufacturer: 
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_1106&DEV_3059&SUBSYS_00801462&REV_60\3&61AAA01&0&8D
Service: 

==== System Restore Points ===================

RP1: 20/10/2009 07:07:01 - System Checkpoint
RP2: 21/10/2009 16:24:30 - Removed Ad-Aware
RP3: 21/10/2009 16:26:55 - Removed Steganos Internet Anonym Pro 7.1.4
RP4: 21/10/2009 16:27:41 - Configured CM 03-04
RP5: 22/10/2009 17:31:04 - System Checkpoint
RP6: 23/10/2009 20:56:28 - System Checkpoint
RP7: 24/10/2009 20:56:44 - System Checkpoint
RP8: 26/10/2009 02:43:10 - Cleaned registry with Windows Live OneCare safety scanner

==== Installed Programs ======================

Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 7.0
Adobe Shockwave Player
Advanced Sound Recorder v6.0
AOL Instant Messenger
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
ATI HydraVision
AutoUpdate
avast! Antivirus
BitTorrent
broadband medic
BroadJump Client Foundation
BT Voyager Wireless Utility
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
CDRWIN
Cole2k Media - Codec Pack (Advanced) 6.1.0
Creative MediaSource
Creative System Information
DeadAIM
Diablo II
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
FINAL FANTASY XI
FINAL FANTASY XI: Chains of Promathia
FINAL FANTASY XI: Rise of the Zilart
Football Manager 2005
Google Earth
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 2
Lineage II
Logitech SetPoint
Mail.Ru Agent 5.5 (build 2842, for all users)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft AntiSpyware
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Excel Viewer 2003
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works 7.0
mIRC
Mozilla Firefox (3.5.3)
MSVCRT
Nero Suite
Oblivion
Opera
Paltalk Messenger
PaltalkScene
PlayOnline Viewer and Tetra Master
Power Tab Editor 1.7
PowerDVD
QuickTime
Real Lives 2007
RealPlayer
Security Update for CAPICOM (KB931906)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Segoe UI
Skins
Skype 3.5
Sound Blaster Audigy 2 ZS
Spybot - Search & Destroy
TeamSpeak 2 RC2
The Proxomitron Ver. Naoko-4.5
Trillian
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Ventrilo Client
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 0.9.9
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB890175
WinRAR archyvatorius
WinZip
World of Warcraft
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yahoo! Messenger with BT Communicator

==== End Of File ===========================
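The SERVICES / DRIVERS block of the DDS log above is what points at the suspicious entries: a service hosted by svchost under a generic display name, drivers loading from a temp folder or from a .tmp file, and image files DDS could not read ([?]). What follows is an added example, not code from the thread or from DDS: a small Python parser for that block, with triage heuristics that are this example's own assumptions, run on the six entries reproduced from the log.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the SERVICES / DRIVERS block in the shape DDS
# prints it, reproducing the six entries from the log posted above.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-4 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-4 20560]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PfModNT.sys [2005-1-13 15840]
S2 sekvhtb;Security System;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 iMSPCLOj;iMSPCLOj;\??\c:\docume~1\gregro~1\locals~1\temp\imspcloj.sys --> c:\docume~1\gregro~1\locals~1\temp\iMSPCLOj.sys [?]
S3 qvycltyk;qvycltyk;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]

=============== Created Last 30 ================
"""

# Body of the SERVICES / DRIVERS section: everything up to the next line
# that starts with '=' (the following section header) or the end of text.
SECTION_RE = re.compile(r"=+\s*SERVICES / DRIVERS\s*=+\n(.*?)(?=\n=|\Z)", re.S)

# One entry: <R|S><start type> <name>;<display>;<image> [--> <resolved>] [<date size> | ?]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)"
    r"(?:\s+-->\s+(?P<resolved>.+?))?"
    r"\s+\[(?P<stamp>[^\]]*)\]$"
)


@dataclass
class ServiceEntry:
    state: str                # R = running, S = stopped
    start_type: int           # start type digit as DDS prints it
    name: str                 # internal name (registry key under ...\Services)
    display: str
    image: str                # path or command line as registered
    resolved: Optional[str]   # path DDS resolved from an NT-style \??\ path, if any
    stamp: str                # "yyyy-m-d size" of the image, or "?" when unreadable
    flags: List[str] = field(default_factory=list)


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Return the entries of the SERVICES / DRIVERS section of a DDS.txt."""
    section = SECTION_RE.search(text)
    if not section:
        return []
    entries: List[ServiceEntry] = []
    for raw in section.group(1).splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append(ServiceEntry(
            state=m["state"], start_type=int(m["start"]), name=m["name"],
            display=m["display"], image=m["image"], resolved=m["resolved"],
            stamp=m["stamp"].strip(),
        ))
    return entries


def triage(entry: ServiceEntry) -> List[str]:
    """Triage heuristics chosen for this example (assumptions, not DDS rules)."""
    path = (entry.resolved or entry.image).lower()
    flags: List[str] = []
    if entry.stamp == "?":
        flags.append("DDS could not stat the image file (missing or hidden)")
    if "\\temp\\" in path or "\\tmp\\" in path:
        flags.append("image runs from a temp directory")
    ext = re.search(r"\.([a-z0-9]{1,4})(?=\s|$)", path)
    if ext and ext.group(1) not in ("sys", "exe", "dll"):
        flags.append(f"unexpected image extension .{ext.group(1)}")
    if "svchost.exe -k" in path:
        flags.append("svchost-hosted: the real code is the ServiceDll under the "
                     "service's Parameters key, which this line does not show")
    return flags


def flag_services(text: str) -> Dict[str, List[str]]:
    """Map each service name to its triage flags; clean entries map to []."""
    result: Dict[str, List[str]] = {}
    for entry in parse_dds_services(text):
        entry.flags = triage(entry)
        result[entry.name] = entry.flags
    return result


if __name__ == "__main__":
    for name, flags in flag_services(SAMPLE_DDS).items():
        marker = "SUSPECT" if flags else "ok     "
        print(f"{marker} {name}: {'; '.join(flags) if flags else 'no flags'}")
```

On the sample the three avast!/PfDetNT entries come back clean and sekvhtb, iMSPCLOj and qvycltyk are flagged, which is exactly the set the helper later feeds to The Avenger.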

OK - We'll rip the visible baddies out with a different tool. Seeing as it's pretty late, I'll post the steps Monday evening.

PP :)

EDIT: Maybe won't need to manually rip them out after all . . . Be sure to have MBAM remove what it finds and go ahead and reboot.

See if you can update at Windows Updates (patches, etc...) and whether you can now connect to some of the other blocked sites (superantispyware, etc...)

Also - verify whether DNS Client is running (status & startup type) in Services (START > RUN >type services.msc)

Gotta run - way behind on work due to lots of sports viewing today.... :)
PP

Edited by PhilliePhan: MBAM


Yeah, it is running. I guess I thought the flush was shutting it down, or something. I'll shoot for the Conficker patch again, then turn it off.


One nice, new MBAM log.

Malwarebytes' Anti-Malware 1.41
Database version: 3034
Windows 5.1.2600 Service Pack 2

26/10/2009 05:51:12
mbam-log-2009-10-26 (05-51-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 223863
Time elapsed: 57 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dbsinit.exe (Rogue.DB) -> Quarantined and deleted successfully.


One nice, new MBAM log.

Well . . . for some reason it is not getting at the malware I think is responsible for poisoning DNS.

Time to get a bit medieval on it....

Please Download The Avenger v2 by Swandog46 if it is not handy on your flash drive.
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:



Drivers to delete:
sekvhtb
iMSPCLOj
qvycltyk
qqpcv
rzwrcfbg

Files to delete:
c:\windows\Sboqomatumoye.dat
c:\windows\Ohamozu.bin
c:\windows\system32\dbsinit.exe
c:\windows\system32\wwp.htm
c:\windows\system32\01.tmp
c:\windows\system32\02.tmp
c:\docume~1\gregro~1\locals~1\temp\imspcloj.sys
c:\windows\system32\ptdtaqc.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.

PP :)


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "sekvhtb" deleted successfully.
Driver "iMSPCLOj" deleted successfully.
Driver "qvycltyk" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\qqpcv" not found!
Deletion of driver "qqpcv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\rzwrcfbg" not found!
Deletion of driver "rzwrcfbg" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\Sboqomatumoye.dat" deleted successfully.
File "c:\windows\Ohamozu.bin" deleted successfully.

Error: file "c:\windows\system32\dbsinit.exe" not found!
Deletion of file "c:\windows\system32\dbsinit.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\wwp.htm" deleted successfully.

Error: file "c:\windows\system32\01.tmp" not found!
Deletion of file "c:\windows\system32\01.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\02.tmp" not found!
Deletion of file "c:\windows\system32\02.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\docume~1\gregro~1\locals~1\temp\imspcloj.sys" not found!
Deletion of file "c:\docume~1\gregro~1\locals~1\temp\imspcloj.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\ptdtaqc.dll" not found!
Deletion of file "c:\windows\system32\ptdtaqc.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


Great - another step forward.

We need to make sure this machine is as clean as we can get it before undertaking the patching process. You have a ton of Windows updates to download and install (along with removing and updating other programs). The Microsoft updates will likely take hours.
But, you really shouldn't do that until we are fairly certain nothing more is lurking in the shadows.

To that end, let's do this:

If you do not have it handy, Download RootRepeal.exe and save it on the root of C drive ---> C:\RootRepeal.exe
http://ad13.geekstogo.com/RootRepeal.exe
http://rootrepeal.psikotick.com/RootRepeal.exe

-- Open RootRepeal and click the Report Tab
-- Click the Scan Button.
-- Check ALL Seven Boxes
-- Click OK.
-- Check the box for your main system drive (Usually C:\) and Click OK.
-- Allow the scan to run for as long as it takes. When it finishes, Click Save Report.
Save the log to your desktop where you can find it easily and post it for me.

--Then, please run a fresh DDS scan and post the DDS.txt. I do not need to see Attach.txt.

If those come out OK, we can have a go at updating the machine or pulling data off and reformatting - however you wish to proceed.

PP :)


ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/26 19:35
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: addsrupj.SYS
Image Path: C:\WINDOWS\System32\Drivers\addsrupj.SYS
Address: 0xB345F000 Size: 303104 File Visible: No Signed: -
Status: -

Name: dump_diskdump.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_diskdump.sys
Address: 0xB96A5000 Size: 16384 File Visible: No Signed: -
Status: -

Name: dump_viamraid.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_viamraid.sys
Address: 0xAAFCD000 Size: 73728 File Visible: No Signed: -
Status: -

Name: PCI_NTPNP0044
Image Path: \Driver\PCI_NTPNP0044
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rejqm.sys
Image Path: rejqm.sys
Address: 0xBA0A8000 Size: 61440 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA2E8000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Greg Rolls\My Documents\WHORES~1.MPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaafe7618

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaafe74d4

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaafe79b2

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaafe70ac

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xb9ed3a92

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xb9ed3e20

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaafe75ae

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaafe6fec

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaafe7050

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xb9ed3ef8

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaafe76ce

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaafe768e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaafe780e

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x89e4b1e8 Size: 151

Object: Hidden Code [Driver: addsrupjЅ瑎潦沘荈Ђఆ浍瑓⩓, IRP_MJ_CREATE]
Process: System Address: 0x891e13b8 Size: 463

Object: Hidden Code [Driver: addsrupjЅ瑎潦沘荈Ђఆ浍瑓⩓, IRP_MJ_CLOSE]
Process: System Address: 0x891e13b8 Size: 463

Object: Hidden Code [Driver: addsrupjЅ瑎潦沘荈Ђఆ浍瑓⩓, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x891e13b8 Size: 463

Object: Hidden Code [Driver: addsrupjЅ瑎潦沘荈Ђఆ浍瑓⩓, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x891e13b8 Size: 463

Object: Hidden Code [Driver: addsrupjЅ瑎潦沘荈Ђఆ浍瑓⩓, IRP_MJ_POWER]
Process: System Address: 0x891e13b8 Size: 463

Object: Hidden Code [Driver: addsrupjЅ瑎潦沘荈Ђఆ浍瑓⩓, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x891e13b8 Size: 463

Object: Hidden Code [Driver: addsrupjЅ瑎潦沘荈Ђఆ浍瑓⩓, IRP_MJ_PNP]
Process: System Address: 0x891e13b8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x891963c0 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x891963c0 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x891963c0 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x891963c0 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x891963c0 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x891963c0 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x891963c0 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x891963c0 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x891963c0 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x891963c0 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x891963c0 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x89e4d1e8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x89e4d1e8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89e4d1e8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89e4d1e8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x89e4d1e8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89e4d1e8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x89e4d1e8 Size: 463

Object: Hidden Code [Driver: viamraid, IRP_MJ_CREATE]
Process: System Address: 0x89de01e8 Size: 463

Object: Hidden Code [Driver: viamraid, IRP_MJ_CLOSE]
Process: System Address: 0x89de01e8 Size: 463

Object: Hidden Code [Driver: viamraid, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89de01e8 Size: 463

Object: Hidden Code [Driver: viamraid, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89de01e8 Size: 463

Object: Hidden Code [Driver: viamraid, IRP_MJ_POWER]
Process: System Address: 0x89de01e8 Size: 463

Object: Hidden Code [Driver: viamraid, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89de01e8 Size: 463

Object: Hidden Code [Driver: viamraid, IRP_MJ_PNP]
Process: System Address: 0x89de01e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x89de11e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x89de11e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x89de11e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x89de11e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89de11e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89de11e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89de11e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89de11e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x89de11e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89de11e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x89de11e8 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x890ca980 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x890ca980 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x890ca980 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x890ca980 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x890ca980 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x890ca980 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x890ca980 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x89e4e1e8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x89e4e1e8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x89e4e1e8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89e4e1e8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89e4e1e8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89e4e1e8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89e4e1e8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x89e4e1e8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x89e4e1e8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89e4e1e8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x89e4e1e8 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x87c981e8 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x87c981e8 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87c981e8 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87c981e8 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x87c981e8 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x87c981e8 Size: 463

Object: Hidden Code [Driver: UlSata, IRP_MJ_CREATE]
Process: System Address: 0x89e4c1e8 Size: 463

Object: Hidden Code [Driver: UlSata, IRP_MJ_CLOSE]
Process: System Address: 0x89e4c1e8 Size: 463

Object: Hidden Code [Driver: UlSata, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89e4c1e8 Size: 463

Object: Hidden Code [Driver: UlSata, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89e4c1e8 Size: 463

Object: Hidden Code [Driver: UlSata, IRP_MJ_POWER]
Process: System Address: 0x89e4c1e8 Size: 463

Object: Hidden Code [Driver: UlSata, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89e4c1e8 Size: 463

Object: Hidden Code [Driver: UlSata, IRP_MJ_PNP]
Process: System Address: 0x89e4c1e8 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x89051560 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x89051560 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89051560 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89051560 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x89051560 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89051560 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x89051560 Size: 463

Object: Hidden Code [Driver: vaxscsi, IRP_MJ_CREATE]
Process: System Address: 0x8904d4e0 Size: 390

Object: Hidden Code [Driver: vaxscsi, IRP_MJ_CLOSE]
Process: System Address: 0x8904d4e0 Size: 390

Object: Hidden Code [Driver: vaxscsi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8904d4e0 Size: 390

Object: Hidden Code [Driver: vaxscsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8904d4e0 Size: 390

Object: Hidden Code [Driver: vaxscsi, IRP_MJ_POWER]
Process: System Address: 0x8904d4e0 Size: 390

Object: Hidden Code [Driver: vaxscsi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8904d4e0 Size: 390

Object: Hidden Code [Driver: vaxscsi, IRP_MJ_PNP]
Process: System Address: 0x8904d4e0 Size: 390

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: CdfsЅఆ䵃慖, IRP_MJ_CREATE]
Process: System Address: 0x87c39980 Size: 463

Object: Hidden Code [Driver: CdfsЅఆ䵃慖, IRP_MJ_CLOSE]
Process: System Address: 0x87c39980 Size: 463

Object: Hidden Code [Driver: CdfsЅఆ䵃慖, IRP_MJ_READ]
Process: System Address: 0x87c39980 Size: 463

Object: Hidden Code [Driver: CdfsЅఆ䵃慖, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x87c39980 Size: 463

Object: Hidden Code [Driver: CdfsЅఆ䵃慖, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x87c39980 Size: 463

Object: Hidden Code [Driver: CdfsЅఆ䵃慖, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x87c39980 Size: 463

Object: Hidden Code [Driver: CdfsЅఆ䵃慖, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x87c39980 Size: 463

Object: Hidden Code [Driver: CdfsЅఆ䵃慖, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x87c39980 Size: 463

Object: Hidden Code [Driver: CdfsЅఆ䵃慖, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87c39980 Size: 463

Object: Hidden Code [Driver: CdfsЅఆ䵃慖, IRP_MJ_SHUTDOWN]
Process: System Address: 0x87c39980 Size: 463

Object: Hidden Code [Driver: CdfsЅఆ䵃慖, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x87c39980 Size: 463

Object: Hidden Code [Driver: CdfsЅఆ䵃慖, IRP_MJ_CLEANUP]
Process: System Address: 0x87c39980 Size: 463

Object: Hidden Code [Driver: CdfsЅఆ䵃慖, IRP_MJ_PNP]
Process: System Address: 0x87c39980 Size: 463

==EOF==

Running DDS again now.


DDS!


DDS (Ver_09-10-26.01) - NTFSx86
Run by Greg Rolls at 19:56:44.60 on 26/10/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1270 [GMT 0:00]

AV: avast! antivirus 4.8.1229 [VPS 090103-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mail.Ru\Agent\MAgent.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Greg Rolls\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ntlworld.com/broadband
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {00000000-5736-4205-0008-781cd0e19f00} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0527.dll
uRun: [RemoteCenter] c:\program files\creative\mediasource\remotecontrol\RCMan.EXE
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDet.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_02\bin\jusched.exe
mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\ntl\broadb~1\smartb~1\MotiveSB.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [wltray.exe] c:\windows\system32\wltray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [MAgent] c:\program files\mail.ru\agent\MAgent.exe -LM
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\broadb~1.lnk - c:\program files\ntl\broadband medic\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\KEM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\paltalk.lnk - c:\program files\paltalk messenger\paltalk.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {7558B7E5-7B26-4201-BEDB-00D5FF534523} - c:\program files\mail.ru\agent\magent.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0527.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215584651857
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215584643842
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gregro~1\applic~1\mozilla\firefox\profiles\gzs7vvqp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\opera\program\plugins\np32dsw.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprjplug.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-4 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-4 20560]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PfModNT.sys [2005-1-13 15840]

=============== Created Last 30 ================

2009-10-24 20:48:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-24 20:48:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-24 20:48:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-24 15:11:56 0 d-s---w- C:\Combo-Fix
2009-10-22 20:18:34 0 d-sha-r- C:\cmdcons
2009-10-22 00:16:07 0 d-----w- c:\docume~1\gregro~1\applic~1\Malwarebytes
2009-10-22 00:16:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-21 01:47:59 98816 ----a-w- c:\windows\sed.exe
2009-10-21 01:47:59 236544 ----a-w- c:\windows\PEV.exe
2009-10-21 01:47:59 161792 ----a-w- c:\windows\SWREG.exe
2009-10-15 06:29:40 0 d-----w- c:\program files\Spyware Doctor
2009-10-15 06:09:33 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-08 01:33:00 0 d-----w- c:\windows\pss

==================== Find3M ====================


============= FINISH: 19:57:01.48 ===============


OK - DDS looks OK (not including outdated stuff).

I would like to run one more tool - there are a couple of things I want to double-check from the Root Repeal log. I'd hate to have you update Windows while a rootkit is operational, so better safe than sorry:

Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

Along the right side of the GMER GUI there will be a number of checked boxes. Uncheck the following ...
- Sections
- IAT/EAT
- Drives or Partitions other than Systemdrive (usually C:\)
- Show All (be sure you don't miss this one)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for me.

***Do not run any other programs while GMER is scanning and DO NOT take any action for any found items until I can have a look.

PP :)



GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-27 00:13:30
Windows 5.1.2600 Service Pack 2
Running: s0y1fq2r.exe; Driver: C:\DOCUME~1\GREGRO~1\LOCALS~1\Temp\awxyraod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAAFE7618]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAAFE74D4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAAFE79B2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAAFE70AC]
SSDT sptd.sys ZwEnumerateKey [0xB9ED3A92]
SSDT sptd.sys ZwEnumerateValueKey [0xB9ED3E20]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAAFE75AE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAAFE6FEC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAAFE7050]
SSDT sptd.sys ZwQueryKey [0xB9ED3EF8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAAFE76CE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAAFE768E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAAFE780E]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89E4B1E8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbuhci \Device\USBPDO-0 890CA980
Device \Driver\usbuhci \Device\USBPDO-1 890CA980
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89DE11E8
Device \Driver\dmio \Device\DmControl\DmConfig 89DE11E8
Device \Driver\dmio \Device\DmControl\DmPnP 89DE11E8
Device \Driver\dmio \Device\DmControl\DmInfo 89DE11E8
Device \Driver\usbuhci \Device\USBPDO-2 890CA980
Device \Driver\PCI_NTPNP0044 \Device\00000053 sptd.sys
Device \Driver\usbuhci \Device\USBPDO-3 890CA980
Device \Driver\PCI_NTPNP0044 \Device\00000054 sptd.sys
Device \Driver\usbehci \Device\USBPDO-4 89051560

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Ftdisk \Device\HarddiskVolume1 89E4E1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{6E5763C7-ED84-4506-8AA5-C70E0B4FF8B6} 87C981E8
Device \Driver\Cdrom \Device\CdRom0 891963C0
Device \Driver\Cdrom \Device\CdRom1 891963C0
Device \Driver\atapi \Device\Ide\IdePort0 89E4D1E8
Device \Driver\atapi \Device\Ide\IdePort1 89E4D1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-e 89E4D1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-6 89E4D1E8
Device \Driver\Cdrom \Device\CdRom2 891963C0
Device \Driver\Cdrom \Device\CdRom3 891963C0
Device \Driver\NetBT \Device\NetBt_Wins_Export 87C981E8
Device \Driver\NetBT \Device\NetbiosSmb 87C981E8

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbuhci \Device\USBFDO-0 890CA980
Device \Driver\usbuhci \Device\USBFDO-1 890CA980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 87C35980
Device \Driver\usbuhci \Device\USBFDO-2 890CA980
Device \FileSystem\MRxSmb \Device\LanmanRedirector 87C35980
Device \Driver\usbuhci \Device\USBFDO-3 890CA980
Device \Driver\usbehci \Device\USBFDO-4 89051560
Device \Driver\Ftdisk \Device\FtControl 89E4E1E8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 8904D4E0
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port4Path0Target0Lun0 8904D4E0
Device \Driver\viamraid \Device\Scsi\viamraid1 89DE01E8
Device \Driver\addsrupj \Device\Scsi\addsrupj1 891E13B8
Device \Driver\viamraid \Device\Scsi\viamraid1Port2Path0Target0Lun0 89DE01E8
Device \Driver\addsrupj \Device\Scsi\addsrupj1Port5Path0Target0Lun0 891E13B8
Device \Driver\UlSata \Device\Scsi\UlSata1 89E4C1E8
Device \FileSystem\Cdfs \Cdfs 87C39980

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1686824868
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1698483869
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x88 0xBD 0xF8 0x01 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x86 0x69 0xD0 0x7C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xB9 0x25 0xC7 0xA4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x09 0x4B 0x77 0x7C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x78 0xE1 0x9E 0xB0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD7 0xE2 0xB5 0xE4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x88 0xBD 0xF8 0x01 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x86 0x69 0xD0 0x7C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xB9 0x25 0xC7 0xA4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x09 0x4B 0x77 0x7C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x78 0xE1 0x9E 0xB0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD7 0xE2 0xB5 0xE4 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----


I don't know if it found anything or not.


I don't know if it found anything or not.

That looks OK to me - A couple items I do not know, but doubt they are bad.

Well . . . At this point I believe we have gotten your computer as clean as we possibly can in a Forum setting.
:cool:

Long road, huh?

Anyhoo, now you can probably remove any important data safely.

You will also need to decide whether you want to then reinstall Windows or merely proceed with the necessary updates.
Bear in mind that you are going to need the updates in both cases.

Besides the Windows updates, you'll need AV / Java / and others.
I can give suggestions if you need them.

Let me know how you want to go forward.

PP :)
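For the cross-check between the Root Repeal log and the GMER log mentioned above: RootRepeal lists one Address for every hooked IRP_MJ_* entry of a driver, and GMER's Devices section prints the same drivers with a trailing address (or a module name where it could attribute one, as with sptd.sys). The Python below is an added example, not part of this thread or of either tool; it parses both formats, normalises driver names (including the junk RootRepeal printed after Cdfs) and reports per driver whether the two tools agree on the hook address. The sample log lines are constructed from entries above, plus a made-up driver 'fakedrv' to show a disagreement.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the RootRepeal log above (two-line
# entries separated by a blank line). 'fakedrv' is made up to show what a
# disagreement between the two tools looks like.
ROOTREPEAL_LOG = """\
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x89e4d1e8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x89e4d1e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x87c35980 Size: 463

Object: Hidden Code [Driver: Cdfs\u0405\u0c06\u4d43\u6156, IRP_MJ_CREATE]
Process: System Address: 0x87c39980 Size: 463

Object: Hidden Code [Driver: fakedrv, IRP_MJ_CREATE]
Process: System Address: 0x8a000000 Size: 463
"""

# Constructed sample in the shape of GMER's "Devices" section above. The AttachedDevice
# line and the line ending in a module name (sptd.sys) are included on purpose: skip both.
GMER_LOG = """\
AttachedDevice \\FileSystem\\Ntfs \\Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \\Driver\\atapi \\Device\\Ide\\IdePort0 89E4D1E8
Device \\Driver\\atapi \\Device\\Ide\\IdePort1 89E4D1E8
Device \\Driver\\PCI_NTPNP0044 \\Device\\00000053 sptd.sys
Device \\FileSystem\\MRxSmb \\Device\\LanmanRedirector 87C35980
Device \\FileSystem\\Cdfs \\Cdfs 87C39980
Device \\Driver\\fakedrv \\Device\\FakeDev0 8A001000
"""

RR_OBJECT = re.compile(r"^Object: Hidden Code \[Driver: (?P<drv>[^,\]]+), (?P<irp>IRP_MJ_\w+)\]$")
RR_PROCESS = re.compile(r"^Process: \S+ Address: 0x(?P<addr>[0-9a-fA-F]+) Size: (?P<size>\d+)$")
GMER_DEVICE = re.compile(r"^Device \\(?:Driver|FileSystem)\\(?P<drv>\S+) \S+ (?P<addr>[0-9A-Fa-f]{8})$")


def clean_driver_name(name):
    """Drop the non-ASCII junk RootRepeal printed after 'Cdfs' above and lowercase."""
    return "".join(ch for ch in name if 32 < ord(ch) < 127).lower()


def parse_rootrepeal(text):
    """Return {driver: {"addresses": set of int, "irps": set of str}}."""
    hooks = defaultdict(lambda: {"addresses": set(), "irps": set()})
    pending = None  # the Object: match waiting for its Process: line
    for raw in text.splitlines():
        obj = RR_OBJECT.match(raw.strip())
        if obj:
            pending = obj
            continue
        proc = RR_PROCESS.match(raw.strip())
        if proc and pending is not None:
            entry = hooks[clean_driver_name(pending.group("drv"))]
            entry["addresses"].add(int(proc.group("addr"), 16))
            entry["irps"].add(pending.group("irp"))
            pending = None
    return dict(hooks)


def parse_gmer_devices(text):
    """Return {driver: set of int} from GMER Device lines that end in a raw address."""
    devices = defaultdict(set)
    for raw in text.splitlines():
        dev = GMER_DEVICE.match(raw.strip())
        if dev:  # lines ending in a module name such as sptd.sys do not match
            devices[clean_driver_name(dev.group("drv"))].add(int(dev.group("addr"), 16))
    return dict(devices)


def correlate(rootrepeal_text, gmer_text):
    """Per hooked driver: 'agree' if every RootRepeal address is one GMER printed for
    that driver, 'MISMATCH' if not, 'not in GMER' if GMER printed no raw address."""
    hooks = parse_rootrepeal(rootrepeal_text)
    devices = parse_gmer_devices(gmer_text)
    report = {}
    for drv, entry in sorted(hooks.items()):
        gmer_addrs = devices.get(drv)
        if gmer_addrs is None:
            verdict = "not in GMER"
        elif entry["addresses"] <= gmer_addrs:
            verdict = "agree"
        else:
            verdict = "MISMATCH"
        report[drv] = {
            "verdict": verdict,
            "irp_count": len(entry["irps"]),
            "single_target": len(entry["addresses"]) == 1,  # one target for all hooked IRPs
            "rootrepeal": sorted(hex(a) for a in entry["addresses"]),
            "gmer": sorted(hex(a) for a in (gmer_addrs or ())),
        }
    return report


if __name__ == "__main__":
    for drv, r in correlate(ROOTREPEAL_LOG, GMER_LOG).items():
        print(f"{drv:<10} {r['verdict']:<12} irps={r['irp_count']} rr={r['rootrepeal']} gmer={r['gmer']}")
```

A driver where both tools agree on a single target address for every hooked IRP is one redirection seen consistently by two tools; a MISMATCH, or a driver only one tool reports, is where to look first when deciding whether a rootkit is still active.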


Excellent! Thank you very much for all your help!

Well, for now, I'm going to take all my stuff off, back it up, but not reformat yet. I will inside the next month or so... but honestly I don't have it in me to dig around deep just now :P. If you could give me a list of the updates I'll need, I'd be most appreciative.


Excellent! Thank you very much for all your help!

You're welcome - Happy to help! :)

Let's remove Combofix and the files/folders it created:
• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

If you could give me a list of the updates I'll need, I'd be most appreciative.

First and Foremost - Get Your Windows Updates. They are the first line of defense!
Windows Updates


In ADD/REMOVE Programs:

Uninstall Adobe Reader 7.0 and install Adobe Reader 9.2

Uninstall or Update avast! Antivirus
I suggest Removing avast! and installing Comodo Firewall + AntiVirus for Windows - It's FREE!

Uninstall J2SE Runtime Environment 5.0 Update 2
Then Install the latest Java from here ---> http://java.com/en/

Uninstall Microsoft AntiSpyware and replace it with Windows Defender for its "real time" protection. Alternatively, you might try WinPatrol, but it is not free....

Uninstall or Update Spybot - Search & Destroy
Personally, I prefer SpywareBlaster which operates much in the same way as SpyBot's Immunize feature.
I'd go with SpywareBlaster and keep MBAM handy for "on demand" scanning.

Uninstall Viewpoint Media Player if you so desire - It's foistware.

That's pretty much it off the top of my head. Any questions or further issues, let me know.
Otherwise, I think you can mark this thread as "solved . . . at long last."

Cheers :)
PP

