Rootkit: srosa.sys, hldrrr.exe, rkhdrv40.sys

Hello

Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\drivers\down

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.




Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available, otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Then reboot and post a new DSS log and tell me how your PC is running
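An added example of how a helper reads the autostart section of the DSS/HijackThis log requested above. This is example code written for this thread; it is not part of DSS, HijackThis, OTMoveIt or the posted logs. The trusted install roots and trusted download hosts are assumptions for a Windows XP machine with the vendors seen in this thread (Microsoft, Symantec, Kaspersky), and the sample lines are copied from the DSS log posted later in the thread. Flagged lines are questions to ask the poster, not verdicts: a bare `SOUNDMAN.EXE` Run value is resolved through the search path at logon, and a process running from `J:` sits outside the usual install directories.

```python
"""Triage the autostart section of a HijackThis / DSS log.

Example code added to this thread; it is not part of DSS, HijackThis or OTMoveIt.
TRUSTED_ROOTS and TRUSTED_HOSTS are assumptions for a Windows XP box with the
vendors seen in the posted log (Microsoft, Symantec, Kaspersky); tune them per case.
"""
from __future__ import annotations

import re

# Where installed software is expected to live on XP. The 8.3 short form is listed
# explicitly because HijackThis prints it and it cannot be expanded offline.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

# Hosts expected in R0/R1 start-page lines and O16 ActiveX download lines.
TRUSTED_HOSTS = ("microsoft.com", "kaspersky.com", "symantec.com")

ENTRY_RE = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.+)$")
# A drive-qualified path ending in a loadable module (surrounding quotes are excluded).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|cpl)\b)', re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
# Command part of an O4 line: everything after the "[value name]".
RUN_RE = re.compile(r"\[[^\]]*\]\s*(.+)$")


def _under_trusted_root(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def _trusted_host(host: str) -> bool:
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in TRUSTED_HOSTS)


def triage_line(line: str) -> list[str]:
    """Findings for one log line; an empty list means nothing to ask the poster about."""
    findings: list[str] = []
    line = line.strip()
    m = ENTRY_RE.match(line)
    if m is None:
        # Not an Rx/Oxx entry: a bare drive path is a 'Running processes' line.
        if re.match(r"^[A-Za-z]:\\", line) and not _under_trusted_root(line):
            findings.append(f"process outside standard locations: {line}")
        return findings

    kind, body = m.group("kind"), m.group("body")
    if kind == "O4":
        cmd = RUN_RE.search(body)
        command = cmd.group(1) if cmd else body
        paths = PATH_RE.findall(command)
        if not paths:
            # e.g. 'SOUNDMAN.EXE': resolved through the search path at logon, so a
            # same-named file earlier in that path would run instead.
            findings.append(f"O4 with unqualified command, resolved via search path: {command}")
        for p in paths:
            if not _under_trusted_root(p):
                findings.append(f"O4 autostart outside standard locations: {p}")
    elif kind in ("O2", "O3", "O8", "O9", "O18", "O23"):
        for p in PATH_RE.findall(body):
            if not _under_trusted_root(p):
                findings.append(f"{kind} module outside standard locations: {p}")
    elif kind in ("R0", "R1", "O16"):
        for host in URL_RE.findall(body):
            if not _trusted_host(host):
                findings.append(f"{kind} points at unexpected host: {host}")
    return findings


def triage_log(text: str) -> dict[str, list[str]]:
    """Map each flagged line to its findings, in log order."""
    report: dict[str, list[str]] = {}
    for raw in text.splitlines():
        found = triage_line(raw)
        if found:
            report[raw.strip()] = found
    return report


# Sample input: lines copied from the DSS/HijackThis log posted later in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
J:\spm.exe
J:\AV Tools\dss.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe
"""

if __name__ == "__main__":
    for entry, findings in triage_log(SAMPLE_LOG).items():
        print(entry)
        for f in findings:
            print("   ->", f)
```

Run against the full DSS log, the script prints only the lines worth a follow-up question; everything under Program Files or Windows with a Microsoft, Symantec or Kaspersky download host stays silent. Widen TRUSTED_ROOTS when the poster installs software to another drive, and keep the unqualified-command check even then, since it does not depend on location.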
 
OTMoveIt Log:

C:\WINDOWS\system32\drivers\down moved successfully.

Created on 01/10/2008 22:06:58


Kaspersky Log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, January 11, 2008 6:59:59 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/01/2008
Kaspersky Anti-Virus database records: 507245
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
J:\
Y:\
Z:\

Scan Statistics:
Total number of scanned objects: 295458
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 06:26:32

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\cert8.db Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\history.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\key3.db Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\parent.lock Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\simplemail\simplemail.sqlite Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Leif Hassell\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\History\History.IE5\MSHist012008011020080111\index.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Leif Hassell\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0355NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0970NAV~.TMP Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP205\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\kb828741.cat Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\kb835732.cat Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\browser.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ329048$\reg00001 Object is locked skipped
C:\WINDOWS\$NtUninstallQ329390$\reg00001 Object is locked skipped
C:\WINDOWS\$NtUninstallQ329834$\reg00001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
E:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP205\change.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP205\change.log Object is locked skipped
Y:\backup\mythconverg.sql.gz.5 Object is locked skipped
Y:\backup\savedfiles.tar.gz.5 Object is locked skipped
Y:\backup\savedfiles.tar.gz.6 Object is locked skipped
Y:\backup\mythconverg.sql.gz.4 Object is locked skipped
Y:\backup\mythconverg.sql.gz.6 Object is locked skipped
Y:\backup\savedfiles.tar.gz.4 Object is locked skipped
Y:\backup\savedfiles.tar.gz.7 Object is locked skipped
Y:\backup\mythconverg.sql.gz.3 Object is locked skipped
Y:\backup\mythconverg.sql.gz.7 Object is locked skipped
Y:\backup\savedfiles.tar.gz.3 Object is locked skipped
Y:\backup\savedfiles.tar.gz.8 Object is locked skipped
Y:\backup\mythconverg.sql.gz.2 Object is locked skipped
Y:\backup\mythconverg.sql.gz.8 Object is locked skipped
Y:\backup\savedfiles.tar.gz.2 Object is locked skipped
Y:\backup\savedfiles.tar.gz.9 Object is locked skipped
Y:\backup\mythconverg.sql.gz.1 Object is locked skipped
Y:\backup\savedfiles.tar.gz.1 Object is locked skipped
Y:\backup\mythconverg.sql.gz Object is locked skipped
Y:\backup\mythconverg.sql.gz.9 Object is locked skipped
Y:\backup\savedfiles.tar.gz Object is locked skipped

Scan process completed.


More in next post.
 
DSS Log:

Deckard's System Scanner v20071014.68
Run by Leif Hassell on 2008-01-11 16:59:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Leif Hassell.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:43 PM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
J:\spm.exe
J:\AV Tools\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\LEIFHA~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKCU\..\Run: [PMCLoader] C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe -checktasks
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1187354856624
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1187355034171
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9764 bytes

-- Files created between 2007-12-11 and 2008-01-11 -----------------------------

2008-01-09 16:16:46 0 d-------- C:\Program Files\Microsoft Works
2008-01-09 16:05:26 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-09 16:03:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-09 15:59:46 0 dr-h----- C:\MSOCache
2008-01-03 12:11:29 0 d-------- C:\Program Files\Trend Micro
2008-01-03 12:08:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-03 12:08:34 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-03 11:14:17 0 d--h----- C:\WINDOWS\PIF
2008-01-02 15:53:14 0 d-------- C:\Program Files\DemoForge
2008-01-01 18:36:00 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Thunderbird
2008-01-01 18:35:41 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-12-31 20:33:46 724992 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-12-31 20:32:08 0 d-------- C:\WINDOWS\system32\URTTEMP
2007-12-31 16:59:58 4 --a------ C:\WINDOWS\system32\0229AC
2007-12-31 16:59:35 8413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
2007-12-31 16:59:35 0 d-------- C:\Program Files\Common Files\Real
2007-12-31 16:59:11 0 d-------- C:\Program Files\Real
2007-12-31 16:57:51 0 d-------- C:\Program Files\Comcast Rhapsody
2007-12-31 16:57:37 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Real
2007-12-30 12:00:59 0 d-------- C:\Documents and Settings\Leif Hassell\browser - logitech
2007-12-30 12:00:33 0 d-------- C:\Documents and Settings\Leif Hassell\logitech
2007-12-30 11:58:25 0 d-------- C:\Program Files\Common Files\Remote Control Software Common
2007-12-30 11:57:47 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-12-30 11:57:45 0 d-------- C:\Program Files\Common Files\Remote Control USB Driver
2007-12-30 11:56:57 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\InstallShield
2007-12-29 12:14:32 0 d-------- C:\Program Files\Xpadder
2007-12-29 11:12:34 0 d-------- C:\Program Files\Common Files\Logitech
2007-12-29 11:12:13 0 d-------- C:\Program Files\Logitech
2007-12-28 16:27:16 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\I-O DATA DEVICE,INC
2007-12-28 16:23:13 44544 --a------ C:\WINDOWS\system32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP1>
2007-12-28 16:23:13 0 d-------- C:\Program Files\I-O DATA DEVICE,INC
2007-12-27 18:50:20 0 d-------- C:\Program Files\devnz
2007-12-23 11:36:39 0 d-------- C:\Program Files\wizdxp
2007-12-16 16:05:54 0 d-------- C:\Program Files\Flagship Studios


-- Find3M Report ---------------------------------------------------------------

2008-01-11 16:57:00 0 d-------- C:\Program Files\Symantec AntiVirus
2008-01-11 16:56:42 0 d-------- C:\Program Files\DynDNS Updater
2008-01-10 17:42:32 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\OpenOffice.org2
2008-01-09 16:16:06 0 d-------- C:\Program Files\MSBuild
2008-01-09 16:14:19 0 d-------- C:\Program Files\Common Files
2008-01-09 16:11:35 0 d-------- C:\Program Files\Microsoft.NET
2008-01-08 20:22:14 0 d-------- C:\Program Files\Mozilla Sunbird
2008-01-08 20:16:17 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-08 20:05:05 0 d-------- C:\Program Files\Symantec
2008-01-08 18:03:22 0 d-------- C:\Program Files\OpenOffice.org 2.3
2008-01-03 13:33:12 0 d-------- C:\Program Files\Mgtweak
2008-01-01 19:14:25 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Ahead
2007-12-31 20:40:28 0 d-------- C:\Program Files\Winamp
2007-12-30 11:58:09 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-08 10:58:17 0 d-------- C:\Program Files\Codemasters
2007-11-29 20:39:05 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Magic Set Editor
2007-11-29 20:33:01 0 d-------- C:\Program Files\Magic Set Editor 2
2007-11-28 16:40:47 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Adobe
2007-11-20 20:31:16 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\U3
2007-11-16 16:09:56 0 d-------- C:\Program Files\AutoIt3
2007-11-15 16:49:03 0 d-------- C:\Program Files\MusicBrainz Picard
2007-11-14 16:38:31 0 d-------- C:\Program Files\Common Files\Control Panels
2007-11-14 16:37:52 0 d-------- C:\Program Files\Common Files\Adobe
2007-11-14 15:17:19 0 d-------- C:\Program Files\Bonjour
2007-11-14 15:03:16 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-11 19:48:06 0 d-------- C:\Program Files\Atari
2007-11-09 16:26:59 2041 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
10/04/2007 02:06 PM 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [10/04/2007 02:06 PM 1135968]

[-HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/08/2005 03:52 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [04/17/2005 12:30 PM]
"SoundMan"="SOUNDMAN.EXE" [11/16/2006 03:42 PM C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/28/2007 11:43 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [05/14/2003 01:01 AM]
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [09/10/2001 07:08 AM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [06/28/2007 11:43 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 09:50 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 12:11 AM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [05/10/2007 10:46 PM]
"@"="" []
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DynDNS Updater"="C:\Program Files\DynDNS Updater\DynDNS.exe" [09/17/2006 09:32 AM]
"PPWebCap"="C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"PMCRemote"="C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe" [09/18/2007 01:00 PM]
"PMCLoader"="C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe" [10/10/2007 11:02 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=01000000


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b2ce72c-7e8f-11dc-99e1-0019dbacad3f}]
AutoRun\command- G:\autolauncher4u3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b51f2db-8af1-11dc-99f3-0019dbacad3f}]
AutoRun\command- H:\.\spm.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e328ae98-4eba-11dc-99c9-0019dbacad3f}]
AutoRun\command- G:\autolauncher4u3.exe -a




-- End of Deckard's System Scanner: finished at 2008-01-11 17:00:05 ------------



System operates well, but I still have one unknown hook in my SSDT. It reports as "Unknown" in the file listing; I have yet to figure out what it is.


Thanks.
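The Registry Dump section of the Deckard's System Scanner log above is what a helper reads first: removable-drive AutoRun commands under MountPoints2, the EnableLUA policy value, and Run entries with no file details. The following script is an added example written for this thread, not part of the original post or of Deckard's System Scanner; it parses a constructed dump in the same format (the paths and CLSIDs are copied from the posted log) and flags those three conditions. It is written in Python so it runs anywhere the log can be copied to; the reading of an empty "[]" as "file details not found" is an assumption about the DSS format.

```python
import re

# Constructed sample in the DSS "Registry Dump" format. Values are taken from
# the log posted in this thread; the selection is illustrative, not the full dump.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/08/2005 03:52 PM]
"PPWebCap"="C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe" []
"@"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b51f2db-8af1-11dc-99f3-0019dbacad3f}]
AutoRun\command- H:\.\spm.exe
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                       # [HKEY_...] or [-HKEY_...]
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*?)'    # "name"=data
                      r'(?:\s+\[(?P<file>[^\]]*)\])?$')      # optional trailing [file info]
AUTORUN_RE = re.compile(r"^AutoRun\\command-\s*(?P<cmd>.+)$")


def parse_registry_dump(text):
    """Return (key, name, data, fileinfo) tuples from a DSS-style registry dump.

    AutoRun lines are recorded with name 'AutoRun\\command' and fileinfo None.
    fileinfo is '' when the dump shows an empty "[]" and None when no bracket exists.
    """
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            continue
        if key is None:
            continue  # text before the first key (e.g. the *Note* line)
        m = AUTORUN_RE.match(line)
        if m:
            entries.append((key, "AutoRun\\command", m.group("cmd").strip(), None))
            continue
        m = VALUE_RE.match(line)
        if m:
            data = m.group("data").strip().strip('"')
            entries.append((key, m.group("name"), data, m.group("file")))
    return entries


def audit(entries):
    """Flag the conditions a malware-removal helper looks at in this dump."""
    findings = []
    for key, name, data, fileinfo in entries:
        lkey = key.lower()
        if name == "AutoRun\\command" and "mountpoints2" in lkey:
            # A program launched automatically when a removable drive is inserted.
            findings.append(("removable-media autorun", data))
        elif name.lower() == "enablelua" and data.startswith("0"):
            findings.append(("EnableLUA=0 in policies\\system", key))
        elif lkey.endswith(r"\currentversion\run") and fileinfo == "" and data:
            # Assumption: an empty "[]" means DSS found no file details for the
            # target, so the startup entry deserves a manual check.
            findings.append(("run entry with no file details", f"{name}={data}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(parse_registry_dump(SAMPLE_DUMP)):
        print(f"{kind}: {detail}")
```

Paste a real dump into SAMPLE_DUMP (or read it from a file) and the same three checks apply; entries under the Run keys whose file details are present are left alone, so legitimate startup items such as ccApp produce no finding.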
 
Your logs are clean! We need to do a few things.

Some clean up:

Please double-click OTMoveIt.exe to run it.
Click the Clean up button
Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
Click Yes to the reboot



Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point, then click Next. Name it and click Create. When the confirmation screen shows the restore point has been created, click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan, click OK, then choose Yes on the confirmation window.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection by malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
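The HOSTS file mechanism described in the MVPS recommendation above cuts both ways: a blocking list maps unwanted names to the local machine, while a hijacked HOSTS file maps update or security sites to an attacker's address. The script below is an added example, not part of the reply above or of the MVPS list; it parses a constructed hosts file and separates entries pointing at a local sink (127.0.0.1, or the 0.0.0.0 form some block lists use) from entries that redirect a name elsewhere, which is the case worth a second look after an infection. The sample addresses and names are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file: the stock localhost line, two block entries in
# the style of a hosts-based ad blocker, and one entry that sends an update
# site to a non-local address (what a hijacked HOSTS file looks like).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ad.example-adserver.test      # constructed block entry
0.0.0.0    tracker.example.test          # constructed block entry, 0.0.0.0 form
198.51.100.7   windowsupdate.microsoft.com   # constructed hijack entry
"""

# Addresses that mean "go nowhere": the loopback and unspecified addresses.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (address, hostname) pairs, ignoring comments, blanks and bad lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an IP address; skip the line
        for host in parts[1:]:                # one address may carry several names
            pairs.append((str(addr), host.lower()))
    return pairs


def classify(text):
    """Split hosts entries into 'blocked' names (local sink) and
    'redirected' (name, address) pairs that point somewhere else."""
    result = {"blocked": [], "redirected": []}
    for addr, host in parse_hosts(text):
        if host == "localhost":
            continue                          # the normal loopback entry
        if addr in LOCAL_SINKS:
            result["blocked"].append(host)
        else:
            result["redirected"].append((host, addr))
    return result


if __name__ == "__main__":
    report = classify(SAMPLE_HOSTS)
    print("blocked:", len(report["blocked"]), "names")
    for host, addr in report["redirected"]:
        print(f"REDIRECTED {host} -> {addr}")
```

On a Windows machine the file to read is %SystemRoot%\System32\drivers\etc\hosts; a long "blocked" list is expected after installing the MVPS file, while anything in "redirected" should be explainable (for example a deliberate LAN entry) or removed.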
 