Smitfraud.C.CoreService

M

Mark_59

New member
Having trouble with a bug and perhaps making the problem worse.

Windows XP boots up without a start bar

SpyBot S&D reports several alerts: SmitFraud, Virtumonde, with advice to get help removing.

I get an error message saying that AntiVir can't be started, yet AntiVir opens a dialog alerting an infection TR/drop.agent.dgo.188 in the file c:\windows\system32\jkklh.exe and c:\windows\system32\jkklh.dll
Windows defender never did start and I believe HijackThis is corrupted as there is a duplicate file named HiJackThis .exe
Also references to hggghig - C:\WINDOWS\SYSTEM32\hggghig.dll

Logfile of HijackThis v1.99.1
Scan saved at 12:08:58 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Defender\MSASCui .exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt .exe
C:\Program Files\Hijack This\HijackThis.exe
C:\Program Files\Hijack This\HijackThis .exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.new.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pv
er={SUB_PVER}&ar=home
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkklj.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.new.rr.com"); (C:\Documents and Settings\Mark\Application Data\Mozilla\Profiles\default\trlwcpsv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Mark\Application Data\Mozilla\Profiles\default\trlwcpsv.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3B556978-10EB-4F71-A61E-A736354D1269} - C:\WINDOWS\system32\hggghig.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {881E8AAE-D26B-4EDA-AF9F-00213910E63B} - C:\WINDOWS\system32\jkklj.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Jet Detection] d:\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Hijack This\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O8 - Extra context menu item: Append to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: http://safety.live.com
O15 - Trusted Zone: http://support.microsoft.com
O15 - Trusted Zone: http://windowsupdate.microsoft.com
O15 - Trusted Zone: http://www.microsoft.com
O15 - Trusted Zone: *.microsoft.com
O15 - Trusted Zone: http://www.new.rr.com
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Plug-in 1.4.1_02) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = new.rr.com
O17 - HKLM\Software\..\Telephony: DomainName = new.rr.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = new.rr.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = new.rr.com
O20 - Winlogon Notify: hggghig - C:\WINDOWS\SYSTEM32\hggghig.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Sure would appreciate some assistance. The ships taking on water and she's sinking fast.

Thanks
Mark
 
Hi Mark_59

Yes, you seem to have vundo file infector which corrupts startup programs and may result in re-installing/uninstalling them.

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
 
Thanks

Hi Shaba,

The HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:09 AM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.new.rr.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\MARK\Application Data\Mozilla\Profiles\default\trlwcpsv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\MARK\Application Data\Mozilla\Profiles\default\trlwcpsv.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O8 - Extra context menu item: Append to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O15 - Trusted Zone: http://safety.live.com
O15 - Trusted Zone: http://www.new.rr.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = new.rr.com
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4044 bytes

The ComboFix log:
ComboFix 08-01-18.4 - Mark 2008-01-18 9:12:45.2 - NTFSx86
Running from: C:\Documents and Settings\Mark\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
.
---- Previous Run -------
.
C:\Program Files\Avira\AntiVir Personal Edition Classic\avgnt.exe
C:\Program Files\Creative\Splash Screen\CTEaxSpl .EXE
C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Defender\MSASCui .exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\temp\tn3
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig.exe
C:\WINDOWS\system.exe
C:\WINDOWS\system32\e9
C:\WINDOWS\system32\e9\farstadcom2.exe
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\hggghig.dll
C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\jkklj.exe
C:\WINDOWS\system32\jlkkj.ini
C:\WINDOWS\system32\jlkkj.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\RCX1.tmp
C:\WINDOWS\system32\RCX2.tmp
C:\WINDOWS\system32\RCX3.tmp
C:\WINDOWS\system32\RCX4.tmp
C:\WINDOWS\system32\RCX5.tmp
C:\WINDOWS\system32\RCXC.tmp
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

Code: 
 <pre>
C:\Program Files\Creative\Splash Screen\CTEaxSpl .EXE ---> QooBox
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe ---> QooBox
C:\Program Files\Windows Defender\MSASCui .exe ---> QooBox
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig  .exe ---> QooBox
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe ---> MSConfig.exe
</pre>
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\nm




((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-18 09:19 . 2008-01-18 09:19 <DIR> d-------- C:\Temp\tn3
2008-01-18 08:23 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-17 06:45 . 2008-01-17 06:48 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-01-16 15:10 . 2001-08-18 06:00 438,774 --a------ C:\txtsetup.sif
2008-01-16 15:10 . 2004-08-03 23:00 260,272 --a------ C:\$LDR$
2008-01-16 15:10 . 2008-01-15 23:26 194 --ahs---- C:\BOOT.BAK
2008-01-16 13:30 . 2004-08-04 01:56 502,272 --a------ C:\WINDOWS\system32\winlogon.exe
2008-01-16 13:03 . 2004-08-04 00:56 1,032,192 --a------ C:\WINDOWS\system32\explorer.ex_
2008-01-15 20:55 . 2008-01-17 13:56 <DIR> d-------- C:\Program Files\Avira
2008-01-15 20:55 . 2008-01-15 20:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
2008-01-15 09:54 . 2008-01-15 09:54 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-15 09:54 . 2008-01-15 09:54 <DIR> d-------- C:\Program Files\CCleaner
2008-01-15 09:16 . 2008-01-15 09:55 <DIR> d-------- C:\VundoFix Backups
2008-01-14 23:16 . 2008-01-18 09:17 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-14 17:01 . 2008-01-18 08:29 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-14 15:33 . 2007-03-14 22:19 196,608 --a------ C:\WINDOWS\system32\EasySoap.dll
2008-01-14 15:33 . 2007-03-14 22:07 147,456 --a------ C:\WINDOWS\system32\libexpat.dll
2008-01-14 15:33 . 2007-03-14 22:18 73,728 --a------ C:\WINDOWS\system32\zlib1.dll
2008-01-12 23:10 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\system32\rushmaxk.exe
2008-01-12 23:10 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\system32\bkmoopob.exe
2008-01-12 23:10 . 2007-12-13 12:25 139,264 --a------ C:\WINDOWS\system32\mobjchku.exe
2008-01-12 23:09 . 2008-01-12 23:09 <DIR> d-------- C:\WINDOWS\system32\edcA17
2008-01-12 23:09 . 2008-01-12 23:09 86,016 --a------ C:\WINDOWS\system32\drivers\usbcamd22.sys
2008-01-02 19:15 . 2008-01-02 19:15 <DIR> d-------- C:\WINDOWS\Profiles
2008-01-02 19:15 . 2008-01-02 19:15 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\InterTrust
2008-01-01 15:58 . 2008-01-01 15:58 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-01 15:57 . 2008-01-16 11:30 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\U3
2007-12-26 00:18 . 2008-01-18 09:19 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 15:19 --------- d-----w C:\Documents and Settings\Mark\Application Data\nView_Wallpaper
2008-01-16 18:15 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy1.4
2008-01-15 05:52 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-01-13 06:53 --------- d-----w C:\Program Files\QuickTime
2008-01-13 06:52 --------- d-----w C:\Program Files\hp deskjet 990c series
2008-01-13 05:31 --------- d-----w C:\Program Files\Mouse
2008-01-03 01:15 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-20 12:11 --------- d-----w C:\Program Files\Google
2007-12-05 03:38 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\InterVideo
2007-12-01 06:01 45,040 ----a-w C:\Documents and Settings\Mark\Application Data\GDIPFONTCACHEV1.DAT
2007-04-24 05:03 144 ----a-w C:\Program Files\INSTALL.LOG
2004-11-08 17:08 0 -csh--r C:\WINDOWS\cvchost.exe
2004-11-08 17:08 0 --sh--r C:\WINDOWS\dl.exe
2004-11-08 17:08 0 -csh--r C:\WINDOWS\dllhelp.exe
2004-11-08 17:08 0 -csh--r C:\WINDOWS\dlm.exe
2004-11-08 17:08 0 -csh--r C:\WINDOWS\msstasks.exe
2004-11-08 17:08 0 -csh--r C:\WINDOWS\mssys.com
2004-11-08 17:08 0 -csh--r C:\WINDOWS\mstaskss.exe
2004-11-08 17:08 0 -csh--r C:\WINDOWS\msxmidi.exe
2004-11-08 17:08 0 -csh--r C:\WINDOWS\ntldr.exe
2004-11-08 17:08 0 -csh--w C:\WINDOWS\rocky.exe
2004-11-08 17:08 0 -csh--r C:\WINDOWS\system\system.exe
2004-11-08 17:08 0 -csh--r C:\WINDOWS\system\wmscrop.exe
2004-11-08 17:08 0 -csha-r C:\WINDOWS\system32\d2kpax.dll
2004-11-08 17:08 0 -csha-r C:\WINDOWS\system32\d2kpax.exe
2004-11-08 17:08 0 -csha-r C:\WINDOWS\system32\jac.dll
2004-11-08 17:08 0 -csha-r C:\WINDOWS\system32\msxslab.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2007-06-28 23:43 81920 C:\WINDOWS\system32\nvmctray.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 23:43 8466432]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"CTHelper"="CTHELPER.EXE" [2003-10-06 13:57 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"WheelMouse"="Amoumain.exe" []
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\jkklj.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Adobe Acrobat Synchronizer"=D:\Adobe\CS2\Acrobat 8\Acrobat\AdobeCollabSync.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65871d50-b8b4-11dc-99ea-00e018a54938}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abda4dba-776c-11dc-99b2-806d6172696f}]
\Shell\AutoRun\command - G:\Setup.exe
\Shell\setup\command - G:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 10:00:05 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 09:19:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-18 9:22:56 - machine was rebooted [Mark]
ComboFix-quarantined-files.txt 2008-01-18 15:22:53
.
2008-01-09 09:07:55 --- E O F ---

Note: Drag and drop is not working on the infected machine. I noticed in some of the other situations the instructions are to drag and drop a script file onto ComboFix.

RPC services that I've been getting errors on and I don't know if there are some corrupted service dependencies that are messing with the system. In addition to not being allowed to drag and drop icons the copy process is available but paste is greyed out.

Just to let you know. I'm concerned that the system has been so corrupted that even if I get the infection cleared up I'll not have a viable operating system to work with.

I'm considering purchasing a harddrive reinstalling the OS onto that new harddrive and then formating the existing drive that is corrupted. I first need to retrieve some data files from the infected drive. My question is this infections seems contained to system files and dll's and I've not seen evidence of the corruption on either of the other drives. What will need to be done to insure I don't move the infection across to the new OS if that is the route that I end up going down?

Thanks so much!
Mark
 
Hi

Well first you will need to decide whether or not we attempt to clean that machine :)
 
Hi Shaba,

Seems there are requirements of dragging and dropping script files about the desktop and the infected computer does not seem capable of allowing me to do that.

Just getting the ComboFix application to the desktop was a pain as I'm downloading from one computer copying the files to a transfer disk and moving them to the other computer.

Couldn't drag it couldn't copy and paste it but there was an option to "send to the desktop" which did seem to work.

So if there is a means of performing the clean which does not depend on drag and drop I'd be all for that.

In the hopes of repairing the system; following instructions on Microsofts site, I integrated SP2 into my Windows XP disk, but encountered too many missing files to do an "in-place" upgrade using that integrated installation. Now I have a dual boot set up going on. One to the failed installation process and one to XP home edition.

So I guess solving one problem without some assurance of solving the other problem would be a "waste" of time. Mostly yours, as my time is, for all intensive purposes, "free" and I learn something along the way so it's difficult to thrash the process as a "waste" of my time. But you and your time?... well, I don't wish to be a waste of your time if it comes down to winning the battle but loosing the war.

Thanks so much.
Mark
 
Hi

Ok, we can try to clean you.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Delete these:
    C:\WINDOWS\system32\bkmoopob.exe
    C:\WINDOWS\system32\mobjchku.exe
    C:\WINDOWS\system32\edcA17
    C:\WINDOWS\cvchost.exe
    C:\WINDOWS\dl.exe
    C:\WINDOWS\dllhelp.exe
    C:\WINDOWS\dlm.exe
    C:\WINDOWS\msstasks.exe
    C:\WINDOWS\mssys.com
    C:\WINDOWS\mstaskss.exe
    C:\WINDOWS\msxmidi.exe
    C:\WINDOWS\ntldr.exe
    C:\WINDOWS\rocky.exe
    C:\WINDOWS\system\system.exe
    C:\WINDOWS\system\wmscrop.exe
    C:\WINDOWS\system32\d2kpax.dll
    C:\WINDOWS\system32\d2kpax.exe
    C:\WINDOWS\system32\jac.dll
    C:\WINDOWS\system32\msxslab.dll
    C:\Temp\tn3

    Empty Recycle Bin.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
 
Sorry about the brain fart, things seemed to run just as predicted as soon as I got myself out of my preconception.

The SDFix Log:

SDFix: Version 1.127

Run by Mark on Fri 01/18/2008 at 02:28 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDfix\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:



Could Not Remove C:\WINDOWS\system32\drivers\core.cache.dsk

Folder C:\Temp\tn3 - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 14:38:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------
C:\WINDOWS\system32\drivers\core.cache.dsk Found

File Backups: - C:\SDfix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 15 Jan 2008 194 A.SH. --- "C:\BOOT.BAK"
Wed 4 Aug 2004 93,184 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 17 Dec 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\DRMv1.bak"
Tue 11 Apr 2006 2,461,696 A..H. --- "C:\Documents and Settings\Mark\Application Data\U3\temp\Launchpad Removal.exe"

Finished!

And the fresh HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:45:31 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.new.rr.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\MARK\Application Data\Mozilla\Profiles\default\trlwcpsv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\MARK\Application Data\Mozilla\Profiles\default\trlwcpsv.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O8 - Extra context menu item: Append to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O15 - Trusted Zone: http://safety.live.com
O15 - Trusted Zone: http://www.new.rr.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = new.rr.com
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4142 bytes

Thanks

Mark
 
Hi

Looks like that core.cache.dsk doesn't want to leave.

Re-run combofix

Post:

- a fresh HijackThis log
- combofix report
 
ComboFix

Ran ComboFix again and got a blue screen error:
"A problem has been detected and windows has been shut down to prevent damage to your computer.

The problem seems to be caused by the following file: Mup.sys

An attempt was made to write to read-only memory, if this is the first time you've seen this stop error screen, restart your computer . If this screen appears again follow these steps:

Check to make sure any new hardware or software is properly installed. If this is a new installation ask your hardware or software manufacturer for any windows updates you might need.

If problems continue disable or remove any newly installed hardware of software, disable BIOS memory options such as caching or shadowing. If you need to use safe mode to remove or disable components, restart your computer, press F8 to select advanced startup options and then select safe mode.

***STOP: 0x000000BE (0xf7684DB, 0x20BC3121, 0xBA60B3B4, 0x0000000B)

*** Mup.sys - Address F76846DB base at F7679000, datestamp 41107ef8"

The computer restarted and I noticed there is a new folder named "Catchme.zip" on the desktop but no ComboFix log to post.

Ran it again

ComboFix 08-01-18.4 - Mark 2008-01-19 8:46:11.4 - NTFSx86
Running from: C:\Documents and Settings\Mark\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
.
---- Previous Run -------
.
C:\temp\tn3

.
((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.

2008-01-19 08:53 . 2008-01-19 08:53 <DIR> d-------- C:\Temp\tn3
2008-01-18 14:36 . 2008-01-19 08:51 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-18 14:26 . 2008-01-18 14:26 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-18 11:15 . 2008-01-18 11:15 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-18 08:23 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-17 06:45 . 2008-01-18 11:23 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-01-16 15:10 . 2001-08-18 06:00 438,774 --a------ C:\txtsetup.sif
2008-01-16 15:10 . 2004-08-03 23:00 260,272 --a------ C:\$LDR$
2008-01-16 15:10 . 2008-01-15 23:26 194 --ahs---- C:\BOOT.BAK
2008-01-16 13:30 . 2004-08-04 01:56 502,272 --a------ C:\WINDOWS\system32\winlogon.exe
2008-01-16 13:03 . 2004-08-04 00:56 1,032,192 --a------ C:\WINDOWS\system32\explorer.ex_
2008-01-15 20:55 . 2008-01-17 13:56 <DIR> d-------- C:\Program Files\Avira
2008-01-15 20:55 . 2008-01-15 20:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
2008-01-15 09:54 . 2008-01-15 09:54 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-15 09:54 . 2008-01-15 09:54 <DIR> d-------- C:\Program Files\CCleaner
2008-01-15 09:16 . 2008-01-15 09:55 <DIR> d-------- C:\VundoFix Backups
2008-01-14 17:01 . 2008-01-18 08:29 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-14 15:33 . 2007-03-14 22:19 196,608 --a------ C:\WINDOWS\system32\EasySoap.dll
2008-01-14 15:33 . 2007-03-14 22:07 147,456 --a------ C:\WINDOWS\system32\libexpat.dll
2008-01-14 15:33 . 2007-03-14 22:18 73,728 --a------ C:\WINDOWS\system32\zlib1.dll
2008-01-12 23:10 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\system32\rushmaxk.exe
2008-01-12 23:09 . 2008-01-12 23:09 86,016 --a------ C:\WINDOWS\system32\drivers\usbcamd22.sys
2008-01-02 19:15 . 2008-01-02 19:15 <DIR> d-------- C:\WINDOWS\Profiles
2008-01-02 19:15 . 2008-01-02 19:15 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\InterTrust
2008-01-01 15:58 . 2008-01-01 15:58 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-01 15:57 . 2008-01-18 14:47 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\U3
2007-12-26 00:18 . 2008-01-19 08:53 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 14:53 --------- d-----w C:\Documents and Settings\Mark\Application Data\nView_Wallpaper
2008-01-16 18:15 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy1.4
2008-01-15 05:52 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-01-13 06:53 --------- d-----w C:\Program Files\QuickTime
2008-01-13 06:52 --------- d-----w C:\Program Files\hp deskjet 990c series
2008-01-13 05:31 --------- d-----w C:\Program Files\Mouse
2008-01-03 01:15 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-20 12:11 --------- d-----w C:\Program Files\Google
2007-12-05 03:38 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\InterVideo
2007-12-01 06:01 45,040 ----a-w C:\Documents and Settings\Mark\Application Data\GDIPFONTCACHEV1.DAT
2007-04-24 05:03 144 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2008-01-18_ 9.22.32.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-17 13:17:32 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-18 20:26:59 7,618,560 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-01-18 20:26:59 90,112 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-17 13:17:32 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-18 20:26:44 7,618,560 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-01-18 20:26:44 90,112 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-01-18 13:50:42 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-19 13:50:43 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-18 13:50:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-19 13:50:43 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-19 14:52:10 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_4e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2007-06-28 23:43 81920 C:\WINDOWS\system32\nvmctray.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 23:43 8466432]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"CTHelper"="CTHELPER.EXE" [2003-10-06 13:57 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"WheelMouse"="Amoumain.exe" []
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\jkklj.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Adobe Acrobat Synchronizer"=D:\Adobe\CS2\Acrobat 8\Acrobat\AdobeCollabSync.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65871d50-b8b4-11dc-99ea-00e018a54938}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abda4dba-776c-11dc-99b2-806d6172696f}]
\Shell\AutoRun\command - G:\Setup.exe
\Shell\setup\command - G:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 10:00:05 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 08:53:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 8:57:11 - machine was rebooted [Mark]
ComboFix-quarantined-files.txt 2008-01-19 14:57:08
ComboFix2.txt 2008-01-18 15:22:56
.
2008-01-09 09:07:55 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:10 AM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Mark\Application Data\U3\0000152E58604DEC\LaunchPad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.new.rr.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\MARK\Application Data\Mozilla\Profiles\default\trlwcpsv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\MARK\Application Data\Mozilla\Profiles\default\trlwcpsv.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O8 - Extra context menu item: Append to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Adobe\CS2\Acrobat 8\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O15 - Trusted Zone: http://safety.live.com
O15 - Trusted Zone: http://www.new.rr.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = new.rr.com
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4225 bytes


Thanks
 
Hi

Please click this link-->Jotti

Copy/paste the first file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).

C:\WINDOWS\system32\drivers\usbcamd22.sys
C:\WINDOWS\system32\rushmaxk.exe


Repeat steps for all files on the list.

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
 
Jotti site reports:
for the file: C:\WINDOWS\system32\drivers\usbcamd22.sys

"The file uploaded is zero bytes. It is very likely a firewall or piece of malware is preventing you from uploading the file."

for the file: C:\WINDOWS\system32\rushmaxk.exe
I was not able to copy and paste from a browser window into notepad, but the scanner reported nothing found for all the scanners.
 
Hi

* Download GMER from
here:
Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.
 
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2008-01-19 14:34:10
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT F48CE9A8 ZwClose
SSDT F48CE7E4 ZwCreateKey
SSDT F7F84A54 ZwCreateThread
SSDT F48CE900 ZwDeleteKey
SSDT F48CE928 ZwDeleteValueKey
SSDT F48CE9A2 ZwLoadKey
SSDT F48CE687 ZwOpenKey
SSDT F7F84A40 ZwOpenProcess
SSDT F7F84A45 ZwOpenThread
SSDT F48CE886 ZwQueryValueKey
SSDT F48CE952 ZwReplaceKey
SSDT F48CE97A ZwRestoreKey
SSDT F48CE834 ZwSetValueKey
SSDT F7F84A4F ZwTerminateProcess
SSDT F7F84A4A ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.13 ----

.text ntoskrnl.exe!_abnormal_termination + F0 804E274C 1 Byte [ E4 ]
.text ntoskrnl.exe!_abnormal_termination + F2 804E274E 2 Bytes [ 8C, F4 ]
? C:\WINDOWS\System32\drivers\usbcamd22.sys The process cannot access the file because it is being used by another process.

---- Devices - GMER 1.0.13 ----

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F7CD6F1C] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F7CD70A4] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F7CD7240] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F7CD7010] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F7CD6FF0] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F77871DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F77871DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F7787454] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F77871DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F7BD6CFA] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F7BD6A7C] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F7BD6F00] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F7BD70F0] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F7BD70F0] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F7BD6A7C] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F7BD6A7C] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F7BD6A7C] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F7BD6A7C] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F7BD6A7C] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F7BD6A7C] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F7BD6A7C] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F7BD6A7C] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F7BD730C] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F7BD6A7C] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F7BD6A7C] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F7BD6976] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F7BD6A7C] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F7BD6A7C] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F7BD6A7C] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F7BD6A7C] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F7BD6A7C] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F7BD738C] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F7BD75C0] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F7BD6A7C] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F7BD6A7C] VET-FILT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F7BD6A7C] VET-FILT.SYS

Device \Driver\usbcamd22 \Device\usbcamd22 IRP_MJ_CREATE F48CC58A
Device \Driver\usbcamd22 \Device\usbcamd22 IRP_MJ_CLOSE F48CC58A
Device \Driver\usbcamd22 \Device\usbcamd22 IRP_MJ_DEVICE_CONTROL F48CC707
 
part b

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F7CD6F1C] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F7CD70A4] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F7CD7240] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F7CD7010] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F7CD6FF0] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F7CD6EB6] VET-REC.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F77871DE] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F77871DE] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F7787454] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F77871DE] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F777AF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F777AF4C] fltmgr.sys

---- Files - GMER 1.0.13 ----

ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Drawings:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Instructor Files\GradCertificate:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Instructor Files\GradCertificate:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Instructor Files\GradCertificate:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Instructor Files\GradCertificate:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Instructor Files\Trainer:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\MFH Level 1\Instructor Files\Trainer:AFP_Resource
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\Seminar Prep\Web Graphics\ICON:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\Seminars\ICON:AFP_AfpInfo
ADS E:\Mark's Data\My Business\FVTC\DTP Classes\Classes and Seminars\Seminars\ICON:AFP_Resource

---- EOF - GMER 1.0.13 ----
 
LOL, No... not in the same sense that I recongized new.rr.com. And yes in the sense that it has showed up as a file that virus scanners don't seem to be able to deal with.
 
Hi

Then we attempt this next:

Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
C:\WINDOWS\system32\drivers\usbcamd22.sys
C:\WINDOWS\system32\rushmaxk.exe

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
I'm running into a problem. I haven't figured a way to work around. The infected system doesn't allow me to drag and drop, nor copy and paste.
 
You must log in or register to reply here.
Back
Top