malware problems; HJT log posted; please help!

I did some Google searches and I believe I found a way to run the system repair without losing my files. Running the repair right now as I type this from a friend's laptop. Will post the HJT log up soon.
 
Losing files is iffy; they say to back them up first before you do a repair, but I have never lost any myself.
 
Did a system repair on Windows XP. The computer hasn't frozen yet, but all previous problems still exist: IE doesn't work, Windows Media Player doesn't work, iTunes doesn't work. HJT log below:
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:32, on 4/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\XXXXX.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/m/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gate.temple.edu:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 6758 bytes
 
Hi,

Do a Windows Update and install IE7, or you can download and install it here:
http://www.microsoft.com/downloads/...BE-3385-447C-8A30-081805B2F90B&displaylang=en

See if this fixes your IE problem. If so, then run this free online virus scanner; it should run with the new IE upgrade and your updated Java.

Run this free online scan using Internet Explorer:
Kaspersky Online Virus Scanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database: Standard
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
Post the log along with a new HJT log in your next reply.
 
Firstly, thank you for being willing to help and being patient.

Downloading IE7 doesn't seem to do the trick at all. When I open IE7, the same problem occurs where the default website doesn't open up, nor does any other website. I tried to Google the problem but found nothing. I tried playing around with the firewall settings and things of that sort... nothing.

I hope I don't have to buy a new computer :sad:
 
No problem working with you, that's why we're here. We need to determine if this is malware causing these problems or if it's software or hardware related.

Run this quick scan. It won't fix anything, but I need to see the report.

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
 
GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-22 05:32:19
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xF871A818]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreateKey [0xF871A7D0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xF870EA20]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF870F2A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF871A910]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xF871A794]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xF870F2C8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xF871A866]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xF871A0B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 12A 804E4964 4 Bytes JMP 9A0CF870

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 82F70030
Device \FileSystem\Fastfat \FatCdrom 82B70D78
Device \Driver\Cdrom \Device\CdRom0 82E288B0
Device \Driver\Cdrom \Device\CdRom1 82E288B0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 82E28A58
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 82E28A58
Device \Driver\atapi \Device\Ide\IdePort0 82E28A58
Device \Driver\atapi \Device\Ide\IdePort1 82E28A58
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 82E28A58
Device \Driver\Cdrom \Device\CdRom2 82E288B0
Device \FileSystem\Npfs \Device\NamedPipe 82D99938
Device \FileSystem\Msfs \Device\Mailslot 82D9C2D0
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 82E03C60
Device \Driver\d347prt \Device\Scsi\d347prt1 82E03C60
Device \FileSystem\Fastfat \Fat 82B70D78
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 82D9E2E0
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 82D9E2E0
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 82D9E2E0
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 82D9E2E0
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 82D9E2E0
Device \FileSystem\Cdfs \Cdfs 82E41F00

---- Modules - GMER 1.0.15 ----

Module _________ F86C5000-F86DD000 (98304 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:228] 82BFE137

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] icvhhpb <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@DisplayName Center Boot
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@Type 32
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@Start 2
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@Description Protects your computer from spyware
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb\Parameters
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb\Parameters@ServiceDll C:\WINDOWS\system32\xqatbn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z0 0xBE 0x01 0x44 0x7F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@DisplayName Center Boot
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@Description Protects your computer from spyware
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb\Parameters@ServiceDll C:\WINDOWS\system32\xqatbn.dll
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@DisplayName Center Boot
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@Type 32
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@Start 2
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@Description Protects your computer from spyware
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb\Parameters
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb\Parameters@ServiceDll C:\WINDOWS\system32\xqatbn.dll

---- EOF - GMER 1.0.15 ----
 
Good Morning,

Looks like some rootkit activity is going on. A rootkit hides from the operating system and goes undetected on most scans; GMER found it. Hang on a bit, I just want someone else to look at it and make sure.
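What GMER is flagging in the report above, shown as an added example that is not part of the thread and is neither GMER's nor the helper's code: the hidden service has no executable of its own. Its ImagePath is the stock svchost.exe in the netsvcs group, and the actual code is the DLL named by Parameters\ServiceDll, so the Services and Registry sections of the report have to be read together to see what is really loaded. The Python below parses a constructed sample written in the same format as the posted report (the service name and DLL path are the ones from that report; the Dnscache lines are added as a benign control and are not from the thread) and correlates each hidden service with its ServiceDll, its svchost group, its start type and the control sets it has been written to.

```python
import re
from collections import defaultdict

# Constructed sample in the GMER 1.0.15 report format seen in this thread.
# icvhhpb / xqatbn.dll come from the posted report; Dnscache is a benign
# (not hidden) svchost-hosted service added here as a control case.
SAMPLE_GMER_LOG = r"""
---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] icvhhpb <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@DisplayName Center Boot
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@Start 2
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb\Parameters
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb\Parameters@ServiceDll C:\WINDOWS\system32\xqatbn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb\Parameters@ServiceDll C:\WINDOWS\system32\xqatbn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache@ImagePath %SystemRoot%\system32\svchost.exe -k NetworkService
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters@ServiceDll %SystemRoot%\System32\dnsrslvr.dll
"""

# "Service <image> (*** hidden *** ) [<start>] <name> ..." lines from the Services section
SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)"
)
# "Reg HKLM\SYSTEM\<controlset>\Services\<name>[\Parameters]@<value> <data>" lines
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<name>[^\\@]+)"
    r"(?:\\Parameters)?@(?P<value>\w+)\s+(?P<data>.*)$"
)
# Pulls the service group out of an svchost ImagePath such as "svchost.exe -k netsvcs"
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(?P<group>\S+)", re.IGNORECASE)


def parse_gmer(text):
    """Split a GMER report into hidden services and per-service registry values.

    Returns (hidden, registry) where hidden maps service name -> {image, start}
    and registry maps service name -> control set -> {value name: data}.
    """
    hidden = {}
    registry = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            hidden[m["name"]] = {"image": m["image"], "start": m["start"]}
            continue
        m = REG_RE.match(line)
        if m:
            registry[m["name"]][m["cs"]][m["value"]] = m["data"].strip()
    return hidden, registry


def analyze(text):
    """Correlate each hidden service with the registry footprint that loads it."""
    hidden, registry = parse_gmer(text)
    findings = []
    for name, svc in sorted(hidden.items()):
        per_cs = registry.get(name, {})
        dlls = {v["ServiceDll"] for v in per_cs.values() if "ServiceDll" in v}
        groups = set()
        for v in per_cs.values():
            g = SVCHOST_RE.search(v.get("ImagePath", ""))
            if g:
                groups.add(g["group"])
        starts = [v["Start"] for v in per_cs.values() if "Start" in v]
        findings.append({
            "service": name,
            "start": svc["start"],
            "service_dll": sorted(dlls),
            "svchost_group": sorted(groups),
            "control_sets": sorted(per_cs),
            "auto_start": bool(starts) and all(s == "2" for s in starts),  # Start=2 is SERVICE_AUTO_START
        })
    return findings


def render(findings):
    """One human-readable line per hidden service."""
    lines = []
    for f in findings:
        lines.append(
            f"{f['service']}: hidden service, start={f['start']}, "
            f"svchost group={','.join(f['svchost_group']) or 'n/a'}, "
            f"ServiceDll={','.join(f['service_dll']) or 'n/a'}, "
            f"present in {', '.join(f['control_sets'])}"
        )
    return lines


if __name__ == "__main__":
    for line in render(analyze(SAMPLE_GMER_LOG)):
        print(line)
```

The point of the correlation is that a hidden service only tells you that something is being concealed; the ServiceDll value tells you which file actually runs, and the control sets tell you how many places the entry has to be removed from (the CFScript later in this thread targets exactly those two things). Only services GMER marked hidden are reported, so the benign Dnscache entry in the sample stays out of the findings.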
 
Hi,

When I was running the scan, a little window popped up mentioning that some "rootkit activity" was found, and one of the lines in the log showed up in red.
 
Hi,

Let's do this.

Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe

Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above Rootkit::


Code:
Rootkit::
C:\WINDOWS\system32\xqatbn.dll

Registry::
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\icvhhpb]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.



Then run GMER again and post the new log
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:40, on 4/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\Gamer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gate.temple.edu:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 5801 bytes
 
Got an email address I can send it to? The ComboFix log is ~500KB, whereas this website does not allow any attachments larger than ~50KB.
 
We don't do email for security reasons. If you look up at the top of where you post, in the toolbar you will see an option to attach a file.

I need to see the new GMER report
 
GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-24 06:30:31
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xF871A818]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreateKey [0xF871A7D0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xF870EA20]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF870F2A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF871A910]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xF871A794]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xF870F2C8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xF871A866]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xF871A0B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 12A 804E4964 4 Bytes JMP 9A0CF870

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 82F6E228
Device \FileSystem\Fastfat \FatCdrom 82B51A10
Device \Driver\ACPI \Device\00000043 82C965A0
Device \Driver\ACPI \Device\00000044 82C965A0
Device \Driver\ACPI \Device\00000053 82C965A0
Device \Driver\ACPI \Device\00000054 82C965A0
Device \Driver\ACPI \Device\00000060 82C965A0
Device \Driver\ACPI \Device\00000055 82C965A0
Device \Driver\ACPI \Device\00000061 82C965A0
Device \Driver\ACPI \Device\00000062 82C965A0
Device \Driver\ACPI \Device\00000049 82C965A0
Device \Driver\ACPI \Device\00000058 82C965A0
Device \Driver\Cdrom \Device\CdRom0 82E29E08
Device \Driver\Cdrom \Device\CdRom1 82E29E08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 82E29198
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 82E29198
Device \Driver\atapi \Device\Ide\IdePort0 82E29198
Device \Driver\atapi \Device\Ide\IdePort1 82E29198
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 82E29198
Device \Driver\Cdrom \Device\CdRom2 82E29E08
Device \Driver\ACPI \Device\0000004a 82C965A0
Device \Driver\ACPI \Device\0000004b 82C965A0
Device \Driver\ACPI \Device\0000004c 82C965A0
Device \Driver\ACPI \Device\0000004d 82C965A0
Device \Driver\ACPI \Device\0000004e 82C965A0
Device \Driver\ACPI \Device\0000005d 82C965A0
Device \Driver\ACPI \Device\0000005e 82C965A0
Device \FileSystem\Npfs \Device\NamedPipe 82D9A388
Device \FileSystem\Msfs \Device\Mailslot 82D9B740
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 82E03D50
Device \Driver\d347prt \Device\Scsi\d347prt1 82E03D50
Device \FileSystem\Fastfat \Fat 82B51A10
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 82D9E030
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 82D9E030
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 82D9E030
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 82D9E030
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 82D9E030
Device \FileSystem\Cdfs \Cdfs 82D96280

---- Modules - GMER 1.0.15 ----

Module _________ F86C5000-F86DD000 (98304 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:220] 82C7D137

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] icvhhpb <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@DisplayName Center Boot
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@Type 32
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@Start 2
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb@Description Protects your computer from spyware
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb\Parameters
Reg HKLM\SYSTEM\ControlSet001\Services\icvhhpb\Parameters@ServiceDll C:\WINDOWS\system32\xqatbn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z0 0xA6 0xDC 0xFA 0xC3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@DisplayName Center Boot
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb@Description Protects your computer from spyware
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\icvhhpb\Parameters@ServiceDll C:\WINDOWS\system32\xqatbn.dll
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@DisplayName Center Boot
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@Type 32
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@Start 2
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb@Description Protects your computer from spyware
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb\Parameters
Reg HKLM\SYSTEM\ControlSet004\Services\icvhhpb\Parameters@ServiceDll C:\WINDOWS\system32\xqatbn.dll

---- EOF - GMER 1.0.15 ----
 
I posted the GMER log, but when I tried to click the button at the top of where I post to attach the ComboFix log, I got the same error message telling me that the attachment won't upload since the ComboFix log is greater than 50KB (the log is actually 500KB). I have to go to classes soon, but when I come back tonight I will take the time to break the ComboFix log into smaller Notepad files. That will take some time.
 