Thread: Just checking...
  1. #1
    Junior Member
    Join Date
    Oct 2006
    Posts
    24

    Default Just checking...

    Hey all, recently I had contracted some major virus through MSN Messenger ("Hey is that your picture?" auto-message thing) and have been spending the last week trying to clean my PC of it.

    I think my PC is clean for the most part, but just in case I'd like someone more experienced to check it out. (I also ran an online antivirus scan, as stated in one of the stickies, which found nothing.)

    Quote Originally Posted by HijackThis Log:
    Logfile of HijackThis v1.99.1
    Scan saved at 8:30:56 PM, on 14/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\hijackthis\HijackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [ggf6379b] RUNDLL32.EXE w0e3ae22.dll,n 005637960000000a0e3ae22
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1155676927265
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...66/mcfscan.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by125fd.bay125.hotmail.msn.co...x/HMAtchmt.ocx
    O20 - Winlogon Notify: avldr - C:\WINDOWS\
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
    Also, I'm not sure if this is related, but every time I start my PC I get this error:

    And ever since the incident I haven't been able to access Windows Firewall: http://i10.tinypic.com/2hd2q85.jpg, nor Windows Update (all my updates fail on installation).

    Any help will be appreciated, thanks.

  2. #2
    Security Expert-Emeritus Rawe
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393

    Default

    Hello and welcome

    Please run a scan with HijackThis and check the following objects for removal:

    O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
    O4 - HKLM\..\Run: [ggf6379b] RUNDLL32.EXE w0e3ae22.dll,n 005637960000000a0e3ae22


    Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

    -----

    Navigate to, and delete the following file if present:

    C:\WINDOWS\System32\w0e3ae22.dll

    (If you can't find it, make sure you can see hidden files; if you can't delete it, boot into Safe Mode and try again. Make sure you re-hide hidden files.)

    Empty recycle bin.

    -----

    RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") to download sharedaccess.reg and save it to your desktop.
    • Double-click the file.
    • when asked to merge with registry, hit YES.
    • The Services entry will be created.
    • Please reboot.
    • Click Start -> Run and type in: cmd.exe
    • On Command Prompt, type NETSH FIREWALL RESET
    • Hit Enter.
    • Then go to the Control Panel and launch the Windows Firewall again. Try to access your Firewall settings again.


    -------

    Finally.......

    Please download Combofix to your desktop:
    • Double-click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.


    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Hi there, stranger!

    Proud Member of ASAP since 2005.

  3. #3
    Junior Member
    Join Date
    Oct 2006
    Posts
    24

    Default

    Awesome, thank you!

    Anyways, here is my new HijackThis log:

    Quote Originally Posted by Hijack This
    Logfile of HijackThis v1.99.1
    Scan saved at 11:35:28 AM, on 15/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...lscbase969.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1155676927265
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by125fd.bay125.hotmail.msn.co...x/HMAtchmt.ocx
    O20 - Winlogon Notify: avldr - C:\WINDOWS\
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
    And my Combofix log:

    Quote Originally Posted by Combofix
    Kev - 06-10-15 11:26:51.54 Service Pack 2
    ComboFix 06.10.14.1 - Running from: "C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Desktop"

    ((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\Dxccwrd.dll
    C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\Dxcknwrd.dll
    C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\Dxcuknwrd.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\SSTEM~1
    C:\QooBox\Purity\Program Files\Common Files\WNSXS~1


    ((((((((((((((((((((((((((((((( Files Created from 2006-09-15 to 2006-10-15 ))))))))))))))))))))))))))))))))))


    2006-10-14 16:11 57,344 --a------ C:\WINDOWS\system32\pavipc.dll
    2006-10-14 14:08 26,752 --a------ C:\WINDOWS\system32\drivers\ShldDrv.sys
    2006-10-14 14:08 165,120 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
    2006-10-12 19:30 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
    2006-10-11 20:02 2 --a------ C:\WINDOWS\system32\wintsvcc.exe
    2006-10-09 19:02 92,544 --a------ C:\WINDOWS\system32\drivers\av5flt.sys
    2006-10-08 14:36 <DIR> d-------- C:\WINDOWS\McAfee.com
    2006-10-05 22:29 1,233 --a------ C:\WINDOWS\system32\ggf6379b.sys
    2006-10-01 23:06 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
    2006-10-01 23:06 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
    2006-10-01 23:06 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
    2006-10-01 23:06 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
    2006-10-01 23:06 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
    2006-10-01 23:06 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
    2006-09-17 17:51 91,136 -ra------ C:\WINDOWS\system32\msls2.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    Rootkit driver pe386 is present. A rootkit scan is required

    2006-10-15 11:27 -------- d-------- C:\Program Files\Common Files
    2006-10-15 11:22 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-10-15 11:10 -------- d-------- C:\Program Files\hijackthis
    2006-10-15 00:19 -------- d-------- C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\Windows Live Safety Center
    2006-10-15 00:13 -------- d-------- C:\Program Files\Windows Live Safety Center
    2006-10-14 21:54 -------- d---s---- C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\Microsoft
    2006-10-14 19:02 -------- d-------- C:\Program Files\Windows Defender
    2006-10-14 18:54 -------- d-------- C:\Program Files\Internet Explorer
    2006-10-14 18:46 -------- d-------- C:\Program Files\BitComet
    2006-10-14 16:11 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-10-14 14:08 -------- d-------- C:\Program Files\Common Files\Panda Software
    2006-10-09 19:07 -------- d-------- C:\Program Files\Common Files\InstallShield
    2006-10-09 17:44 -------- d-------- C:\Program Files\QuickTime
    2006-10-09 17:44 -------- d-------- C:\Program Files\iTunes
    2006-10-09 16:21 -------- d-------- C:\Program Files\Outlook Express
    2006-10-05 23:14 -------- d-------- C:\Program Files\FFDShow
    2006-09-17 18:05 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-08-25 21:33 -------- d-------- C:\Program Files\Intel
    2006-08-25 20:44 -------- d-------- C:\Program Files\Dell
    2006-08-25 20:08 -------- d-------- C:\Program Files\Analog Devices
    2006-08-25 02:05 -------- d-------- C:\Program Files\Movie Maker
    2006-08-24 19:43 -------- d-------- C:\Program Files\Valve
    2006-08-21 22:29 -------- d-------- C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\Media Player Classic
    2006-08-21 18:41 -------- d-------- C:\Program Files\Java
    2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-21 05:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
    2006-08-16 19:18 -------- d-------- C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\AdobeUM
    2006-08-16 12:00 6144 --a------ C:\WINDOWS\system32\ff_vfw.dll
    2006-08-15 17:42 -------- d-------- C:\Program Files\Windows Media Player
    2006-08-09 02:19 1069 --a------ C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\AdobeDLM.log
    2006-08-08 22:51 0 --a--c--- C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\dm.ini
    2006-08-08 21:41 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
    2006-08-07 23:05 0 -rahs---- C:\MSDOS.SYS
    2006-08-07 23:05 0 -rahs---- C:\IO.SYS
    2006-08-04 11:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
    2006-08-04 11:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
    2006-07-28 09:30 62744 --a------ C:\WINDOWS\system32\xinput1_2.dll
    2006-07-28 09:30 236824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
    2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-26 22:05 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
    2006-07-26 22:05 109568 --------- C:\WINDOWS\system32\pxinsi64.exe
    2006-07-26 22:05 108544 --------- C:\WINDOWS\system32\pxcpyi64.exe
    2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "BitComet"="\"C:\\Program Files\\BitComet\\BitComet.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "AdaptecDirectCD"="C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
    65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,40,01,00,00,00,00,00,00,40,01,00,00,c2,01,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\MP Scheduled Scan.job

    Completion time: 06-10-15 11:29:23.48
    C:\ComboFix.txt ... 06-10-15 11:29
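The two entries Rawe picked out in post #2 and the "Files Created" list above can be triaged mechanically. The script below is an added example written for this thread, not code from the forum, HijackThis or ComboFix. Its sample lines are copied from the logs posted above; the heuristics (an autostart value or DLL name that looks machine-generated, rundll32 loading a DLL given with no path, an O3 toolbar ending in "(no file)", an executable too small to hold PE headers, a .sys outside system32\drivers) are assumptions about why those entries stand out, not rules from either tool. It also pairs the Run value name ggf6379b with the 1,233-byte ggf6379b.sys from the ComboFix list, since the two share a token.

```python
"""Triage of HijackThis and ComboFix lines quoted in this thread. Added
example, not code from the forum, HijackThis or ComboFix; the heuristics
are assumptions about why the helper singled out these entries."""
import re

# Copied from the first HijackThis log and the ComboFix "Files Created"
# section posted above (a subset of each, not the full logs).
HJT_SAMPLE = r"""
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [ggf6379b] RUNDLL32.EXE w0e3ae22.dll,n 005637960000000a0e3ae22
""".strip().splitlines()

COMBOFIX_SAMPLE = r"""
2006-10-14 14:08 26,752 --a------ C:\WINDOWS\system32\drivers\ShldDrv.sys
2006-10-11 20:02 2 --a------ C:\WINDOWS\system32\wintsvcc.exe
2006-10-05 22:29 1,233 --a------ C:\WINDOWS\system32\ggf6379b.sys
2006-10-01 23:06 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
""".strip().splitlines()

O4_RE = re.compile(r'^O4 - .+?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+(?P<dll>[^,\s]+)', re.IGNORECASE)
CF_FILE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>[\d,]+|<DIR>) '
                        r'\S+ (?P<path>.+)$')

def looks_generated(token):
    """8 alphanumerics with 3+ digits mixed among letters, the shape of
    'ggf6379b' and 'w0e3ae22'. Assumption: vendor names ('igfxtray',
    'kbd106') do not take this shape."""
    t = token.lower()
    if len(t) != 8 or not t.isalnum():
        return False
    digits = sum(c.isdigit() for c in t)
    return digits >= 3 and len(t) - digits >= 2

def _stem_ext(path):
    # Lower-cased ('stem', 'ext') of the file name ending a Windows path.
    stem, _, ext = path.rsplit('\\', 1)[-1].rpartition('.')
    return stem.lower(), ext.lower()

def triage_hjt(lines):
    """Return (line, reasons) for HijackThis entries worth a second look."""
    findings = []
    for line in (l.strip() for l in lines):
        reasons = []
        m = O4_RE.match(line)
        if m:
            if looks_generated(m.group('name')):
                reasons.append('autostart value name looks machine-generated')
            r = RUNDLL_RE.match(m.group('cmd'))
            if r:
                dll = r.group('dll')
                if '\\' not in dll:  # no directory: DLL search order, System32 first
                    reasons.append('rundll32 loads %s with no path' % dll)
                if looks_generated(_stem_ext(dll)[0]):
                    reasons.append('%s looks machine-generated' % dll)
        elif line.startswith('O3 - ') and line.endswith('(no file)'):
            reasons.append('toolbar CLSID with no backing file (orphan entry)')
        if reasons:
            findings.append((line, reasons))
    return findings

def triage_combofix(lines):
    """Return (line, reasons) for newly created files that stand out."""
    findings = []
    for line in (l.strip() for l in lines):
        m = CF_FILE_RE.match(line)
        if not m or m.group('size') == '<DIR>':
            continue
        size, path = int(m.group('size').replace(',', '')), m.group('path')
        stem, ext = _stem_ext(path)
        reasons = []
        if ext in ('exe', 'dll', 'sys') and size < 256:  # no room for DOS+PE headers
            reasons.append('%d-byte .%s cannot be a valid PE image' % (size, ext))
        if looks_generated(stem):
            reasons.append('file name looks machine-generated')
        if ext == 'sys' and '\\drivers\\' not in path.lower():
            reasons.append('driver outside system32\\drivers (weak signal alone)')
        if reasons:
            findings.append((line, reasons))
    return findings

def correlate(hjt_findings, cf_findings):
    """Pair a flagged Run value name with a flagged file of the same stem:
    [ggf6379b] and ggf6379b.sys belong to one installation."""
    by_name = {O4_RE.match(l).group('name').lower(): l
               for l, _ in hjt_findings if O4_RE.match(l)}
    links = []
    for line, _ in cf_findings:
        stem = _stem_ext(CF_FILE_RE.match(line).group('path'))[0]
        if stem in by_name:
            links.append((by_name[stem], line))
    return links

if __name__ == '__main__':
    hjt, cf = triage_hjt(HJT_SAMPLE), triage_combofix(COMBOFIX_SAMPLE)
    for line, reasons in hjt + cf:
        print(line + '\n    -> ' + '\n    -> '.join(reasons))
    for reg_line, file_line in correlate(hjt, cf):
        print('LINKED: [%s] <-> %s' % (O4_RE.match(reg_line).group('name'), file_line))
```

Run as-is it flags the O3 line, the [ggf6379b] Run entry (three reasons) and the 2-byte wintsvcc.exe, and pairs the Run value with ggf6379b.sys. A hit from looks_generated is a prompt to look, not proof: check the file's signer and creation time before fixing anything, which is the point of Rawe asking for logs before any deletion.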

  4. #4
    Security Expert-Emeritus Rawe
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393

    Default

    Looks like you've got a rootkit there. We'll run three different rootkit scanners to make sure we get them all. Make sure you only go by the instructions; don't delete/disinfect anything before checking the logs first.

    Please download AVG Anti-Rootkit to your desktop.
    • Double-click the installation file
    • Just click Next, let it go with default settings.
    • Once the installation is ready, reboot.
    • Run AVG Anti-Rootkit Beta.exe.
    • Click Search for rootkits.
    • When finished, click Save result to file.
    • Post back with the results. (Not sure where they are located, either in C:\Program Files\GRISOFT\AVG Anti-Rootkit Beta\ folder or on your desktop.)


    -------

    Download GMER:
    • Unzip it and double-click GMER.exe
    • Click the rootkit-tab and click scan.
    • Once done, click Copy.
    • This will copy the results to clipboard.
    • Paste the results in your next reply along with the others requested.


    -----

    Finally run this scan....

    Please download and save Blacklight to your desktop:
    • Double-click blbeta.exe.
    • Accept the agreement.
    • Click Scan.
    • Click Next.

    You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

    Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there. Post this along with the AVG and GMER logs. Do NOT delete anything without me checking first.

  5. #5
    Junior Member
    Join Date
    Oct 2006
    Posts
    24

    Default

    Done and done.

    Quote Originally Posted by AVG
    C:\WINDOWS\system32:lzx32.sys Hidden driver file
    As for GMER, my computer reset halfway through the scan, bringing me to a screen saying "Windows has detected an error and must reset" or something along those lines. I tried it again in Safe Mode but the same thing happened; however, by just starting up the program I get this log:

    [As I was typing this message for the first time (this being the second), my PC reset and now the log looks different (there used to be a line like the one in the AVG scan).]

    Quote Originally Posted by GMER
    GMER 1.0.11.11390 - http://www.gmer.net
    Rootkit 2006-10-16 20:31:50
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.11 ----

    SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwEnumerateKey
    SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwEnumerateValueKey

    ---- Devices - GMER 1.0.11 ----

    Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F966F810] ShldDrv.SYS
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F966FBD8] ShldDrv.SYS

    ---- EOF - GMER 1.0.11 ----
    [After my PC reset, I re-ran the AVG and the scan found nothing]

    And for Blacklight...
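On the scanner output above: the AVG line C:\WINDOWS\system32:lzx32.sys uses the path:stream notation, meaning the driver is stored as an NTFS alternate data stream attached to the system32 directory, where an ordinary directory listing will not show it. The GMER lines show two SSDT hooks (ZwEnumerateKey, ZwEnumerateValueKey) and two NTFS IRP hooks, all by ShldDrv.SYS, which the ComboFix "Files Created" list dates to 2006-10-14 14:08, the same minute as PavProc.sys and the Panda Software folder. The script below is an added example, not code from the forum, AVG or GMER; it parses those lines, splits the stream notation, and reports per hooking module whether an installed security product accounts for it and whether its hook set is the kind a registry-hiding component needs. The allowlist of Panda drivers and the registry-hiding set are assumptions noted in the comments.

```python
"""Reading the AVG Anti-Rootkit and GMER lines quoted in this thread.

Added example, not code from the forum or either scanner. Assumptions:
the 'path:name' form AVG printed is NTFS alternate-data-stream notation,
and the driver allowlist below is taken from the ComboFix "Files Created"
entries that share the Panda install timestamp (2006-10-14 14:08).
"""
import re

# Copied from the AVG and GMER output posted above.
AVG_SAMPLE = r"""
C:\WINDOWS\system32:lzx32.sys Hidden driver file
""".strip().splitlines()

GMER_SAMPLE = r"""
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwEnumerateKey
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwEnumerateValueKey
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F966F810] ShldDrv.SYS
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F966FBD8] ShldDrv.SYS
""".strip().splitlines()

# Drivers the ComboFix list attributes to the installed Panda product
# (assumption drawn from their shared creation time, not a vendor list).
KNOWN_SECURITY_DRIVERS = {'shlddrv.sys', 'pavproc.sys'}
# Hooks a registry-hiding component needs: key/value enumeration is where
# hidden entries get filtered out (general rootkit knowledge, not from the page).
REGISTRY_HIDING = {'ZwEnumerateKey', 'ZwEnumerateValueKey'}

ADS_RE = re.compile(r'^(?P<host>[A-Za-z]:\\[^:]*):(?P<stream>[^:\s]+)(?:\s+(?P<note>.*))?$')
SSDT_RE = re.compile(r'^SSDT\s+(?P<module>\S+)\s+(?P<func>Zw\w+)$')
IRP_RE = re.compile(r'^Device\s+(?P<device>\S+)\s+\S+\s+(?P<func>IRP_MJ_\w+)\s+'
                    r'\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)$')

def parse_ads(line):
    """Split 'C:\\dir:stream note' into (host, stream, note), or None.
    A driver kept as a stream on the system32 directory has no entry in
    an ordinary directory listing, which is how it stays out of sight."""
    m = ADS_RE.match(line.strip())
    if not m:
        return None
    return m.group('host'), m.group('stream'), m.group('note') or ''

def parse_gmer(lines):
    """Return one dict per SSDT or device-IRP hook GMER reported."""
    hooks = []
    for line in (l.strip() for l in lines):
        m = SSDT_RE.match(line)
        if m:
            hooks.append({'kind': 'SSDT', 'func': m.group('func'),
                          'module': m.group('module').rsplit('\\', 1)[-1]})
            continue
        m = IRP_RE.match(line)
        if m:
            hooks.append({'kind': 'IRP', 'func': m.group('func'),
                          'module': m.group('module'), 'device': m.group('device')})
    return hooks

def attribute(hooks, known=KNOWN_SECURITY_DRIVERS):
    """Group hooks by module; say whether an installed security product
    accounts for the module and whether its hook set could hide registry keys."""
    funcs_by_module = {}
    for h in hooks:
        funcs_by_module.setdefault(h['module'].lower(), []).append(h['func'])
    return {mod: {'funcs': funcs,
                  'accounted': mod in known,
                  'can_hide_registry': bool(REGISTRY_HIDING & set(funcs))}
            for mod, funcs in funcs_by_module.items()}

if __name__ == '__main__':
    for line in AVG_SAMPLE:
        ads = parse_ads(line)
        if ads:
            print('stream %s on %s: %s' % (ads[1], ads[0], ads[2]))
    for mod, info in attribute(parse_gmer(GMER_SAMPLE)).items():
        print('%s hooks %s; accounted=%s; registry-hiding hooks=%s' % (
            mod, ', '.join(info['funcs']), info['accounted'], info['can_hide_registry']))
```

With the sample above every hook comes out accounted for by Panda's driver, so this partial GMER log shows nothing of the rootkit itself; the stream AVG reported is the indicator worth keeping, which is why it matters that the AVG result differed between the two runs.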

  6. #6
    Junior Member
    Join Date
    Oct 2006
    Posts
    24

    Default

    Hmmm... It seems that my ComboFix log has changed as well...

    Quote Originally Posted by ComboFix
    Kev - 06-10-16 21:02:09.96 Service Pack 2
    ComboFix 06.10.14.1 - Running from: "C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Desktop"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\SSTEM~1
    C:\QooBox\Purity\Program Files\Common Files\WNSXS~1


    ((((((((((((((((((((((((((((((( Files Created from 2006-09-16 to 2006-10-16 ))))))))))))))))))))))))))))))))))


    2006-10-14 16:11 57,344 --a------ C:\WINDOWS\system32\pavipc.dll
    2006-10-14 14:08 26,752 --a------ C:\WINDOWS\system32\drivers\ShldDrv.sys
    2006-10-14 14:08 165,120 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
    2006-10-12 19:30 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
    2006-10-11 20:02 2 --a------ C:\WINDOWS\system32\wintsvcc.exe
    2006-10-09 19:02 92,544 --a------ C:\WINDOWS\system32\drivers\av5flt.sys
    2006-10-08 14:36 <DIR> d-------- C:\WINDOWS\McAfee.com
    2006-10-05 22:29 1,233 --a------ C:\WINDOWS\system32\ggf6379b.sys
    2006-10-01 23:06 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
    2006-10-01 23:06 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
    2006-10-01 23:06 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
    2006-10-01 23:06 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
    2006-10-01 23:06 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
    2006-10-01 23:06 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
    2006-09-17 17:51 91,136 -ra------ C:\WINDOWS\system32\msls2.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-10-16 21:00 -------- d-------- C:\Program Files\hijackthis
    2006-10-16 20:40 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-10-16 19:18 -------- d-------- C:\Program Files\GRISOFT
    2006-10-15 11:27 -------- d-------- C:\Program Files\Common Files
    2006-10-15 00:19 -------- d-------- C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\Windows Live Safety Center
    2006-10-15 00:13 -------- d-------- C:\Program Files\Windows Live Safety Center
    2006-10-14 21:54 -------- d---s---- C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\Microsoft
    2006-10-14 19:02 -------- d-------- C:\Program Files\Windows Defender
    2006-10-14 18:54 -------- d-------- C:\Program Files\Internet Explorer
    2006-10-14 18:46 -------- d-------- C:\Program Files\BitComet
    2006-10-14 16:11 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-10-14 14:08 -------- d-------- C:\Program Files\Common Files\Panda Software
    2006-10-09 19:07 -------- d-------- C:\Program Files\Common Files\InstallShield
    2006-10-09 17:44 -------- d-------- C:\Program Files\QuickTime
    2006-10-09 17:44 -------- d-------- C:\Program Files\iTunes
    2006-10-09 16:21 -------- d-------- C:\Program Files\Outlook Express
    2006-10-05 23:14 -------- d-------- C:\Program Files\FFDShow
    2006-09-17 18:05 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-08-25 21:33 -------- d-------- C:\Program Files\Intel
    2006-08-25 20:44 -------- d-------- C:\Program Files\Dell
    2006-08-25 20:08 -------- d-------- C:\Program Files\Analog Devices
    2006-08-25 02:05 -------- d-------- C:\Program Files\Movie Maker
    2006-08-24 19:43 -------- d-------- C:\Program Files\Valve
    2006-08-21 22:29 -------- d-------- C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\Media Player Classic
    2006-08-21 18:41 -------- d-------- C:\Program Files\Java
    2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-21 05:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
    2006-08-16 19:18 -------- d-------- C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\AdobeUM
    2006-08-16 12:00 6144 --a------ C:\WINDOWS\system32\ff_vfw.dll
    2006-08-09 02:19 1069 --a------ C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\AdobeDLM.log
    2006-08-08 22:51 0 --a--c--- C:\Documents and Settings\JuliaY.ADP-YNYU50FGYSX\Application Data\dm.ini
    2006-08-08 21:41 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
    2006-08-07 23:05 0 -rahs---- C:\MSDOS.SYS
    2006-08-07 23:05 0 -rahs---- C:\IO.SYS
    2006-08-04 11:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
    2006-08-04 11:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
    2006-07-28 09:30 62744 --a------ C:\WINDOWS\system32\xinput1_2.dll
    2006-07-28 09:30 236824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
    2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-26 22:05 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
    2006-07-26 22:05 109568 --------- C:\WINDOWS\system32\pxinsi64.exe
    2006-07-26 22:05 108544 --------- C:\WINDOWS\system32\pxcpyi64.exe
    2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "BitComet"="\"C:\\Program Files\\BitComet\\BitComet.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "AdaptecDirectCD"="C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\MP Scheduled Scan.job

    Completion time: 06-10-16 21:03:08.98
    C:\ComboFix.txt ... 06-10-16 21:03
