hi.

Could not use taskbar or .exe shortcuts from desktop

Both in normal mode and safemode?

Before we proceed lets have another rootkit scan.
-----------------------------------------------------------------------

Download RootRepeal.zip to your Desktop and extract the compressed file to it's own folder.

Open the folder and doubleclick on RootRepeal.exe to run it.

• Click on the Report tab, and then click on: Scan
• A window opens asking what to include in the scan.
• Check the following boxes then click OK:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services​

• You will then be asked which drive to scan.
• Check C: (or the drive your operating system is installed on, if not C)
• Click OK once again.
• The tool will begin scanning and may take a while to complete, so please be patient.

When the scan finishes, click on: Save Report. Save it to your desktop so you may find it easily.

Please attach the report in your next reply.

Mark

 

First, thank you !!!

Issue only occurred during normal mode. Programs worked during SAFE mode

Please see attached per your instructions.

 

hi.

Welcome to TSF :wave:

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

---------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

--------------------------------------------------------------------------

I am sorry to inform you that one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
--------------------------------------------------------------------------

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------------------
At safe mode with networking

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon or locate them at START>ALL PROGRAMS. They may otherwise interfere with our tools. You can find instructions HERE.
  
  Be sure to disable your Antivirus.
  
  
• Double click on Combo-Fix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

important
*when it reboots, reboot it in normal mode and let it continue until it finishes.


Mark

 

Mark.
Again, thank you
Per your request, attached is combo fix log.

Can you recommend virus protection?? What do you use??

Again...thanks..


ComboFix 09-07-06.02 - Owner 07/06/2009 19:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.565 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\a
c:\documents and settings\Owner\Application Data\.#
c:\program files\podmena
c:\recycler\S-1-5-21-1184932872-3872268472-2104885263-500
c:\recycler\S-1-5-21-2309736448-2874532534-3429323896-500
c:\windows\kb913800.exe
c:\windows\system32\drivers\hjgruiwrnbgixd.sys
c:\windows\system32\drivers\nhhiqsce.sys
c:\windows\system32\drivers\str.sys
c:\windows\system32\hjgruifuxrmwqe.dat
c:\windows\system32\hjgruilcnpqduy.dll
c:\windows\system32\hjgruiotowhkyw.dat
c:\windows\system32\hjgruioykmrmpj.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\wbem\proquota.exe
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\zaponce52597.dat
c:\windows\zaponce52689.dat
c:\windows\zaponce53080.dat
D:\Autorun.inf
K:\Autorun.inf

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiiyuyavun
-------\Legacy_DLYUOJVSMW
-------\Legacy_PODMENA
-------\Legacy_PODMENADRV
-------\Service_podmena


((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
.

2009-07-06 18:04 . 2009-07-06 18:04 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-07-06 17:24 . 2009-07-06 17:24 12 ----a-w- c:\documents and settings\Owner\settings.dat
2009-07-06 01:26 . 2009-07-06 01:26 -------- d-----w- c:\documents and settings\Owner\.housecall6.6
2009-06-28 00:45 . 2009-06-28 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Shockwave
2009-06-28 00:45 . 2009-06-28 00:45 -------- d-----w- c:\documents and settings\Owner\Application Data\Shockwave
2009-06-28 00:45 . 2009-06-28 00:45 -------- d-----w- c:\program files\Common Files\SWF Studio
2009-06-28 00:34 . 2009-07-03 20:51 -------- d-----w- c:\program files\Microsoft Silverlight
2009-06-16 18:32 . 2009-06-16 18:32 164 ----a-w- c:\windows\install.dat
2009-06-16 12:38 . 2009-06-16 12:38 1 ---h--w- c:\windows\bf23567.dat
2009-06-07 18:35 . 2009-06-07 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 00:48 . 2008-12-25 17:31 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-07-07 00:48 . 2008-12-25 17:30 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-07-06 01:08 . 2005-08-06 00:36 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-05 21:22 . 2007-11-06 23:56 -------- d-----w- c:\program files\Norton Security Scan
2009-06-28 15:55 . 2008-05-11 14:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-28 01:09 . 2008-07-14 19:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-28 00:34 . 2008-07-14 19:36 -------- d-----w- c:\program files\Shockwave.com
2009-06-16 18:40 . 2006-12-24 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-06-07 18:36 . 2008-04-27 23:01 -------- d-----w- c:\program files\HP
2009-06-07 18:36 . 2008-04-27 23:24 -------- d-----w- c:\program files\Hewlett-Packard
2009-05-29 18:15 . 2008-11-28 20:35 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-05-29 13:19 . 2008-11-28 20:39 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-05-24 14:28 . 2009-05-24 14:28 -------- d-----w- c:\program files\SopCast
2009-05-13 20:39 . 2008-01-12 01:36 1563008 ----a-w- c:\windows\WRSetup.dll
2009-05-07 15:32 . 2005-04-13 16:55 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-04-13 16:56 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2005-04-13 16:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-25 02:55 . 2009-04-25 02:55 2081496 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
2009-04-21 23:27 . 2006-12-24 19:26 23152 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2009-04-21 23:27 . 2006-12-24 19:26 176752 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2009-04-21 23:27 . 2009-04-21 23:27 29808 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2009-04-17 12:26 . 2005-04-13 16:56 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-04-13 16:56 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-05-13 02:22 . 2008-05-12 03:55 26112 -c--a-w- c:\program files\RoxioMyDVDPremier10 information.doc
2008-05-12 13:30 . 2008-05-12 13:30 162 -c-ha-w- c:\program files\~$xioMyDVDPremier10 information.doc
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-02-24 16:42 66912 ----a-w- c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A525710-5FFB-4A5D-863C-D684812E1DC1}]
2003-09-19 21:31 88064 ----a-w- c:\windows\system32\btsendto_note.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\progra~1\MI3AA1~1\wcescomm.exe" [2006-06-21 1207080]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-12-27 52896]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-01-06 40960]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-03-26 228088]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"MBBalloon"="c:\program files\HOTALBUMMyBOX\MBBalloon.exe" [2007-11-30 789144]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-9-15 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MediaChecker.lnk - c:\program files\HOTALBUMMyBOX\MediaChecker.exe [2007-11-30 915096]
WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2005-12-21 745472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digimax Viewer 2.1.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digimax Viewer 2.1.lnk
backup=c:\windows\pss\Digimax Viewer 2.1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135205439\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135205439\\ee\\aim6.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"8085:TCP"= 8085:TCPodmena
"53:TCP"= 53:TCP:websrvx

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [3/26/2009 8:41 PM 15172]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [12/21/2005 12:21 PM 66048]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/17/2007 8:43 AM 24652]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [6/16/2009 1:36 PM 1205760]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [12/21/2005 12:21 PM 112384]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [12/21/2005 12:21 PM 13532]
S2 dlyuojvsmw;dlyuojvsmw;\??\c:\windows\system32\drivers\nhhiqsce.sys --> c:\windows\system32\drivers\nhhiqsce.sys [?]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2/3/2008 8:24 AM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2/3/2008 8:23 AM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2/3/2008 8:23 AM 166384]
S2 SessionLauncher;SessionLauncher;c:\docume~1\Owner\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\Owner\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 adxapie;adxapie;\??\c:\docume~1\Owner\LOCALS~1\Temp\adxapie.sys --> c:\docume~1\Owner\LOCALS~1\Temp\adxapie.sys [?]
S3 EraserUtilDrv10821;EraserUtilDrv10821;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10821.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10821.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2/3/2008 8:24 AM 313840]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2/3/2008 8:23 AM 1112560]
.
Contents of the 'Scheduled Tasks' folder

2009-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2009-07-07 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 17:20]

2009-07-05 c:\windows\Tasks\Norton Security Scan for Owner.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 22:20]

2009-06-26 c:\windows\Tasks\wrSpySweeper_LAB9403AC42E844829E07FF499FC4BA56.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-12-24 20:40]

2009-06-26 c:\windows\Tasks\wrSpySweeper_LAB9403AC42E844829E07FF499FC4BA56.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-12-24 20:40]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-svcWRSSSDK


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msnbc.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Dogpile Cursor Search - c:\documents and settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - c:\program files\Common Files\Microsoft Shared\Information Retrieval\itss51.dll
DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=84cff07021917817a84728c7c9e16ca9&url=http%3A%2F%2Fd.66.155.171.79.downloads.estara.com.%2Fas%2FOneCCDM.php&template=327816&sessionid=455354467_66.155.171.29_49227&=&req=1238200390296OneCC.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 19:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2422651582-2935789365-712990506-1006\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Param2"=""
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:0000000b

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,66,a2,41,5a,ba,
11,0b,1f,e2,63,26,f1,3f,c8,ff,68,c2,06,cc,a1,92,43,d4,d6,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,a6,19,69,c2,81,
69,84,c4,6a,9c,d6,61,af,45,84,18,ff,2b,8a,d9,04,9c,4c,07,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,ca,56,28,0b,6a,
29,7a,c4,ff,7c,85,e0,43,d4,0e,fe,5a,7e,e3,45,51,bb,f5,dc,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,0d,3b,3a,e4,13,
90,ed,57,86,8c,21,01,be,91,eb,e7,07,f3,6f,66,85,51,20,73,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,13,62,73,48,b6,
7e,62,9e,f5,1d,4d,73,a8,13,5c,05,e9,35,82,37,c4,8c,57,b6,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,03,74,1f,ee,d7,
9b,8c,c6,df,20,58,62,78,6b,cf,c8,65,6d,ae,a8,8e,5f,1f,e8,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,6d,26,58,dc,6c,
2a,9a,8d,fb,a7,78,e6,12,2f,9a,ea,a0,b0,11,e3,cb,74,e9,92,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,cc,77,f0,60,85,
b1,3b,aa,01,3a,48,fc,e8,04,4a,f1,ba,4d,a1,17,cb,34,de,78,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,e0,f4,0b,75,ff,
fa,ab,82,f6,0f,4e,58,98,5b,89,c9,8f,28,2e,e5,8c,b1,c1,3b,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,5b,04,93,84,42,
26,d9,e3,3d,ce,ea,26,2d,45,aa,78,d9,f9,b6,2c,d4,89,ae,22,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,08,b6,fc,23,d3,
a1,52,9d,2a,b7,cc,b5,b9,7f,41,e7,e7,8f,e9,0b,ad,ec,cd,8f,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,d1,12,c1,ec,e6,
10,4f,1e,6c,43,2d,1e,aa,22,2f,9c,da,55,35,9f,b6,5e,ec,b2,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(7820)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-07-07 19:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-07 00:58

Pre-Run: 132,253,724,672 bytes free
Post-Run: 132,760,231,936 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
338 --- E O F --- 2009-06-29 12:19

 

hi.

Can you recommend virus protection?? What do you use??

I will give you one later. Seems your last antivirus already expired. Am I right? Since when?

We will install it later after some round of removal. Having no antivirus is an open invitation for infection.

It can take as little as eight seconds to infect an unprotected computer.

--------------------------------------------------------------------------

Goto

Click on

Then copy and paste this one in runbox. Then HIT enter.

cmd /c PEV -l "%systemdrive%\proquota.exe" >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.


Q: Do you have any other computer near in your place?
------------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. You can find instructions HERE.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/392055-trojan-backdoor-progdav.html#post2226519

COLLECT::
c:\windows\system32\drivers\nhhiqsce.sys

FILE::
c:\windows\install.dat
c:\windows\bf23567.dat

DRIVER::
dlyuojvsmw

REGISTRY::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-
"53:TCP"=-

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

• Ensure you are connected to the internet and click OK on the message box.

If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/submit-malware.php?channel=4

Please let me know if you successfully submitted the file. Thanks.

--------------------------------------------------------------------------

In your reply, please post

C:\combofix.txt
The content of log.txt
Answer to my questions

Mark

 

hi.

Do you still need help?

If I don't receive a reply from you within 3 days of this post, this topic will be closed.

Mark

 

Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

http://www.techsupportforum.com/sec...-log-help/305963-new-instructions-read-before-posting-malware-removal-help.html