Jun 27 2008, 04:34 AM, Post #1
Full Member, Group: Member, Posts: 18, Joined: 27-June 08, Member No.: 1,100
Hi,
I am having an issue with my computer constantly sending spam through an unknown account. I have run numerous scans and tried to solve the problem, but to no avail has this worked at all. I have run HijackThis and here is my current log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:20 AM, on 6/28/2001
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE
C:\Program Files\UnHackMe\hackmon.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [EPSON Stylus Photo R280 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE /FU "C:\WINDOWS\TEMP\E_S8E.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://astech/connectcomputer/nshelp.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/active...oad/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ASTech.local
O17 - HKLM\Software\..\Telephony: DomainName = ASTech.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ASTech.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ASTech.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winrgq32 - winrgq32.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

--
End of file - 6484 bytes

I have found a few forums offering solutions but nothing similar to mine. Please let me know if there is anything I can do. I am close to just caving in and doing a full system format and starting from scratch. The problem is that I have a large number of documents that are vital on my computer and am unable to fully know what is infected at this point. Oh, I also just ran a scan through "UnHackMe" and Superantispyware. Neither of them has found anything that is harmful as of right now. Thank you for any help you have to offer.

Jun 27 2008, 05:14 AM, Post #2
I Will Eat Your Malware, Group: Administrator, Posts: 342, Joined: 19-September 06, Member No.: 426
Hi and welcome,
Please download Deckard's System Scanner (DSS) and save to your Desktop. (alternate download site)

DSS will do the following:
You must be logged onto an account with administrator privileges when using.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.

Next:
Download Gmer from here: http://www.gmer.net/gmer.zip
Unzip it to its own folder.
Disconnect from internet & shut down Antivirus to prevent conflicts. Also shut down "UnHackme" so no conflict.
Shut down also any other unneeded apps including any open browser windows. The less stuff we got running, the less chance of false positives in the log.
Double click gmer.exe to run it.
Allow driver to install if asked (gmer.sys).
You may get a warning at program start that there is possible rootkit activity and do you want to run scan. Say OK to run scan.
If no warning, just click "scan".
Let the scan finish.
Once done press "save".
In the new window that pops up, give the log a name and save it someplace handy. Press save.
Re-enable your antivirus, re-connect to internet & post that log here.
Don't be tempted to fix anything yet with Gmer please --- there are likely several legit system hooks due to security software.
If the Gmer log is huge -- please attach it.

Thanks

Jul 2 2008, 03:39 AM, Post #3
Full Member, Group: Member, Posts: 18, Joined: 27-June 08, Member No.: 1,100
Hey,
Thank you so much for responding and showing interest in my problem. Having rediculously slow internet has been killing me. I work nights and have to wind down somehow (normally the internet, there's nothing to watch at 3 am when i'm starting to relax). Well, as requested here are the following logs: Main.txt -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- R2 RMSvc (Media Center Extender Resource Monitor) - c:\windows\ehome\rmsvc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System> -- Device Manager: Disabled ---------------------------------------------------- Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318} Description: PS/2 Compatible Mouse Device ID: ACPI\PNP0F13\4&EDE93E0&0 Manufacturer: Microsoft Name: PS/2 Compatible Mouse PNP Device ID: ACPI\PNP0F13\4&EDE93E0&0 Service: i8042prt Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318} Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard Device ID: ACPI\PNP0303\4&EDE93E0&0 Manufacturer: (Standard keyboards) Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard PNP Device ID: ACPI\PNP0303\4&EDE93E0&0 Service: i8042prt -- Files created between 2008-06-01 and 2008-07-01 ----------------------------- 2008-07-01 17:05:20 0 --a------ C:\WINDOWS\nsreg.dat 2008-07-01 17:05:01 0 d-------- C:\Documents and Settings\administrator.ASTECHNB\Application Data\Mozilla 2008-06-30 02:04:35 0 d-------- C:\Documents and Settings\administrator.ASTECHNB\.housecall6.6 2008-06-30 01:37:43 0 dr-h----- C:\Documents and Settings\JS\Application Data\yahoo! 
2008-06-30 01:36:43 0 d-------- C:\Documents and Settings\JS\Application Data\Winamp 2008-06-29 10:56:23 0 d-------- C:\Program Files\Adobe Media Player 2008-06-29 10:56:17 0 d-------- C:\Program Files\Common Files\Adobe AIR 2008-06-29 10:29:19 0 d-------- C:\WINDOWS\Prefetch 2008-06-29 10:21:37 0 d-------- C:\WINDOWS\system32\scripting 2008-06-29 10:21:36 0 d-------- C:\WINDOWS\l2schemas 2008-06-29 10:21:35 0 d-------- C:\WINDOWS\system32\en 2008-06-29 10:21:35 0 d-------- C:\WINDOWS\system32\bits 2008-06-29 10:18:59 0 d-------- C:\WINDOWS\ServicePackFiles -- Find3M Report --------------------------------------------------------------- 2008-06-29 10:56:30 0 d-------- C:\Documents and Settings\administrator.ASTECHNB\Application Data\Adobe 2008-06-29 10:56:17 0 d-------- C:\Program Files\Common Files 2008-06-29 10:34:57 0 d-------- C:\Program Files\MSN Messenger 2008-06-29 10:22:04 0 d-------- C:\Program Files\Messenger 2008-06-29 10:21:35 0 d-------- C:\Program Files\Movie Maker 2008-06-29 10:18:39 0 d-------- C:\Program Files\Windows NT 2008-05-12 12:44:40 0 d-------- C:\Program Files\BitDefender -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/19/2007 09:16 PM] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM] "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [01/15/2008 06:54 PM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM] "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 12:54 PM] "Yahoo! 
Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM] "EPSON Stylus Photo R280 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKA.exe" [04/13/2007 06:00 AM] "UnHackMe Monitor"="C:\Program Files\UnHackMe\hackmon.exe" [09/17/2007 03:37 PM] [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background C:\Documents and Settings\administrator.ASTECHNB\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [10/26/2006 11:24:54 PM] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [10/20/2005 8:55:40 PM] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoWelcomeScreen"=1 (0x1) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 02:55 PM 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 02:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy] C:\WINDOWS\System32\dimsntfy.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrgq32] winrgq32.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}] @="Volume shadow copy" [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk backup=C:\WINDOWS\pss\Extender Resource Monitor.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^JS^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk] path=C:\Documents and Settings\JS\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc] rundll32.exe "C:\WINDOWS\system32\tyqvarvr.dll",realset [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp] C:\WINDOWS\avp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe] C:\Program Files\GameSpy\Comrade\Comrade.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive] rundll32.exe C:\WINDOWS\system32\drvrev.dll,startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray] C:\WINDOWS\ehome\ehtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] C:\WINDOWS\system32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipmon] ipmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins] C:\Program Files\Ipwindows\ipwins.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence] C:\WINDOWS\system32\igfxpers.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rbse] "C:\PROGRA~1\FNTS~1\wuauboot.exe" -vt yazb [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL] RTHDCPL.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1] C:\WINDOWS\retadpu2000352.exe 61A847B5BBF72810329B385577FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SManager] smanager.7.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr] smgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] QWAVE QWAVE eapsvcs eaphost dot3svc dot3svc 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs napagent hkmsvc -- End of Deckard's System Scanner: finished at 2008-07-01 23:26:06 ------------ Here is the extra.txt Deckard's System Scanner v20071014.68 Extra logfile - please post this as an attachment with your post. -------------------------------------------------------------------------------- -- System Information ---------------------------------------------------------- Microsoft Windows XP Professional (build 2600) SP 3.0 Architecture: X86; Language: English CPU 0: Intel® Pentium® 4 CPU 2.80GHz Percentage of Memory in Use: 55% Physical Memory (total/avail): 503.35 MiB / 225.29 MiB Pagefile Memory (total/avail): 1996.11 MiB / 1793.42 MiB Virtual Memory (total/avail): 2047.88 MiB / 1923.93 MiB C: is Fixed (NTFS) - 37.26 GiB total, 15.82 GiB free. E: is CDROM (No Media) \\.\PHYSICALDRIVE0 - Maxtor 6N040T0 - 37.27 GiB - 1 partition \PARTITION0 (bootable) - Installable File System - 37.26 GiB - C: -- Security Center ------------------------------------------------------------- AUOptions is scheduled to auto-install. 
-- Environment Variables ------------------------------------------------------- ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and Settings\administrator.ASTECHNB\Application Data CLASSPATH=.;C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=JBEEZEY ComSpec=C:\WINDOWS\system32\cmd.exe FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Documents and Settings\administrator.ASTECHNB LOGONSERVER=\\ASTECH NUMBER_OF_PROCESSORS=2 OS=Windows_NT Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\ PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 9, GenuineIntel PROCESSOR_LEVEL=15 PROCESSOR_REVISION=0409 ProgramFiles=C:\Program Files PROMPT=$P$G QTJAVA=C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip SBSSERVER=ASTECH SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOCUME~1\ADMINI~1.AST\LOCALS~1\Temp TMP=C:\DOCUME~1\ADMINI~1.AST\LOCALS~1\Temp USERDNSDOMAIN=ASTECH.LOCAL USERDOMAIN=ASTECHNB USERNAME=Administrator USERPROFILE=C:\Documents and Settings\administrator.ASTECHNB windir=C:\WINDOWS -- User Profiles --------------------------------------------------------------- J Bleezey (admin) __sbs_netsetup__ (new local, admin) MCX1 Administrator (admin) mk (admin) JS (admin) df administrator.ASTECHNB (admin) -- Add/Remove Programs --------------------------------------------------------- --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf Adobe AIR --> C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall Adobe AIR --> MsiExec.exe /I{197A3012-8C85-4FD3-AB66-9EC7E13DB92E} Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{BB65C393-C76E-4F06-9B0C-2124AA8AF97B} Adobe Flash Player ActiveX --> 
C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe Adobe Media Player --> msiexec /qb /x {1EBB57D4-63FF-87CC-A0F0-D73982CF6008} Adobe Media Player --> MsiExec.exe /I{1EBB57D4-63FF-87CC-A0F0-D73982CF6008} Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003} Broadcom Management Programs --> MsiExec.exe /I{FB64BF25-3593-4E4E-AA85-84AEF1D1475F} Broadcom NetXtreme Ethernet Controller --> MsiExec.exe /X{7E369B27-13E2-41A5-9879-358EE1C8B5AD} Comcast High-Speed Internet Install Wizard --> C:\Program Files\support.com\uninstall\chsi_uninstaller.exe DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN Enhancement Browser Tools Adsonmedia --> C:\WINDOWS\system32\{11453301-9ad7-3fdd-1367-ff1fda945846}.dll-uninst.exe EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R FL Studio 6 --> C:\Program Files\Image-Line\FL Studio 6\uninstall.exe High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe" HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe" Intel® Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030} Magic ISO Maker v5.4 (build 0256) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG Media Center Extender --> c:\WINDOWS\eHome\DvcConn.exe /uninstall Media Center Extender --> MsiExec.exe /I{23FE964A-853B-4176-86D7-9E18B5CA1FC0} Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe" Microsoft Compression Client Pack 1.0 for Windows XP --> 
"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe" Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE} Microsoft Office Home and Student 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE} Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE} Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE} Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE} Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE} Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE} Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE} Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE} Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE} Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE} Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00} Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D} Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE} Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe" Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d} Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E} Nero 
Suite --> C:\Program Files\Common Files\Ahead\Uninstall\Setup.exe /uninstall QuickTime --> MsiExec.exe /I{5B09BD67-4C99-46A1-8161-B7208CE18121} Realtek High Definition Audio Driver --> RtlUpd.exe -r -m Security Update for Excel 2007 (KB946974) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E} Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00} Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9} Security Update for Office 2007 (KB934062) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {305D509B-F194-4638-9F0F-D9E4C05F9D33} Security Update for Office 2007 (KB947801) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E} Security Update for the 2007 Microsoft Office System (KB936960) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5E5BD655-7AA9-47F9-BB6D-A1D8CE29AC86} Shadow Copy Client --> MsiExec.exe /I{23E5032B-56CA-4C19-A72E-B50161DB82CA} Sid Meier's Civilization 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}\setup.exe" -l0x9 -removeonly SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA} UnHackMe 4.70 release --> "C:\Program Files\UnHackMe\unins000.exe" Update for Office 2007 (KB932080) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7} Update for Office 2007 (KB934391) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {B3091818-7C56-4C45-BE7D-CA23027A5EA5} Update for Office 2007 (KB946691) --> msiexec /package 
{91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278} Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat Winamp --> "C:\Program Files\Winamp\UninstWA.exe" Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333} Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe" Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320} Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F} Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986} Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe" Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe" Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840} Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD} Windows XP Media Center Edition 2005 KB905589 --> "C:\WINDOWS\$NtUninstallKB905589$\spuninst\spuninst.exe" Windows XP Media Center Edition 2005 KB925766 --> "C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe" Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe" WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe XML Paper Specification Shared Components Pack 1.0 --> Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S Yahoo! 
Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG -- Application Event Log ------------------------------------------------------- Event Record #/Type14237 / Error Event Submitted/Written: 07/01/2008 10:40:15 PM Event ID/Source: 15 / AutoEnrollment Event Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed. Event Record #/Type14234 / Error Event Submitted/Written: 07/01/2008 10:09:06 PM Event ID/Source: 1054 / Userenv Event Description: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted. Event Record #/Type14233 / Error Event Submitted/Written: 07/01/2008 04:47:51 PM Event ID/Source: 1054 / Userenv Event Description: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted. Event Record #/Type14229 / Error Event Submitted/Written: 07/01/2008 02:40:28 PM Event ID/Source: 1054 / Userenv Event Description: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted. Event Record #/Type14227 / Error Event Submitted/Written: 07/01/2008 02:40:15 PM Event ID/Source: 15 / AutoEnrollment Event Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed. -- Security Event Log ---------------------------------------------------------- No Errors/Warnings found. 
-- System Event Log ------------------------------------------------------------ Event Record #/Type4639 / Error Event Submitted/Written: 07/01/2008 11:21:02 PM Event ID/Source: 29 / W32Time Event Description: The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 29 minutes. NtpClient has no source of accurate time. Event Record #/Type4638 / Warning Event Submitted/Written: 07/01/2008 11:21:02 PM Event ID/Source: 14 / W32Time Event Description: The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 30 minutes. Event Record #/Type4635 / Error Event Submitted/Written: 07/01/2008 11:06:00 PM Event ID/Source: 29 / W32Time Event Description: The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time. Event Record #/Type4634 / Warning Event Submitted/Written: 07/01/2008 11:06:00 PM Event ID/Source: 14 / W32Time Event Description: The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 15 minutes. Event Record #/Type4633 / Error Event Submitted/Written: 07/01/2008 11:06:00 PM Event ID/Source: 29 / W32Time Event Description: The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time. -- End of Deckard's System Scanner: finished at 2008-07-01 23:26:06 ------------ If there is any advice you could offer. Please let me know. I have the general knowledge to build a computer from scratch given the right direction, but once things go downhill I'm lost. 
Everyone offers the "BEST" virus and spamware protection there is on the market. Thanks again for the response and look forward to some kind of good news. I am now going to run the GMER scan and post the results.
Jul 2 2008, 11:43 AM - Post #4
I Will Eat Your Malware (Group: Administrator, Posts: 342, Joined: 19-September 06, Member No.: 426)
Hi,
You get the Gmer scan done ok? Few things I see we can cleanup while waiting for me to get back in regards to Gmer. Almost all are just leftovers from msconfig items.

Copy the following text to a new notepad file.
Save as file name: fix.reg
As file type: all files
Save to the desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrgq32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipmon]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rbse]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SManager]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]

Once created, right click it and choose "merge". OK the prompt. Should get success message. No need for reboot. You can delete fix.reg when done.

Post fresh hijackthis log please.

Thanks
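A dry-run check for a fix.reg like the one above, added here as an example (it is not part of this thread and not a tool the helper used): it parses the REGEDIT4 syntax and reports what merging the file would do, so whoever applies the fix can confirm beforehand that it only removes the intended msconfig leftovers and Winlogon notify entry and writes nothing. The sample text is the fix.reg posted above; the function names and the list of allowed parent keys are this example's own assumptions.

```python
"""Dry-run a REGEDIT4 / Version 5.00 .reg file and report what merging it would do.

Added example, not part of this thread. The sample is the fix.reg posted above;
function names and ALLOWED_PARENTS are this example's own assumptions.
"""
import re

# Constructed sample: the fix.reg from the post above.
FIX_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrgq32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipmon]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rbse]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SManager]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
"""

# Parents a cleanup of msconfig leftovers and Winlogon notify entries may touch (assumption).
ALLOWED_PARENTS = (
    r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg",
    r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify",
)

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.+)$')


def parse_reg(text):
    """Return the actions a .reg file performs when merged, in file order.
    Each action is a dict whose 'kind' is delete_key, create_key, set_value or delete_value."""
    lines = text.splitlines()
    header = lines[0].strip() if lines else ""
    if header not in HEADERS:
        raise ValueError("not a .reg file: unexpected header %r" % header)
    actions, current, pending = [], None, ""
    for line in lines[1:]:
        line = line.strip()
        if line.endswith("\\"):            # hex data continued on the next line
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:                              # "[-key]" deletes the key, "[key]" creates/opens it
            current = m["key"]
            actions.append({"kind": "delete_key" if m["delete"] else "create_key", "key": current})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:      # '"name"=-' deletes a value, anything else sets one
            name = "(Default)" if m["name"] == "@" else m["name"][1:-1]
            kind = "delete_value" if m["data"] == "-" else "set_value"
            actions.append({"kind": kind, "key": current, "name": name, "data": m["data"]})
            continue
        raise ValueError("unrecognised .reg line: %r" % line)
    return actions


def check_delete_only(text, allowed_parents=ALLOWED_PARENTS):
    """Confirm the file only deletes keys and only under the allowed parents.
    Returns (ok, deleted_keys, problems)."""
    deleted, problems = [], []
    for a in parse_reg(text):
        if a["kind"] != "delete_key":
            problems.append("%s on %s" % (a["kind"], a["key"]))
            continue
        if not any(a["key"].lower().startswith(p.lower() + "\\") for p in allowed_parents):
            problems.append("deletes a key outside the allowed parents: %s" % a["key"])
        deleted.append(a["key"])
    return (not problems, deleted, problems)


if __name__ == "__main__":
    ok, deleted, problems = check_delete_only(FIX_REG)
    print("OK, would delete:" if ok else "PROBLEMS:")
    for item in (deleted if ok else problems):
        print("  " + item)
```

The check is deliberately strict: a fix that is supposed to remove stale entries should contain nothing but `[-key]` lines, so any value write or key creation is reported as a problem rather than silently merged.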
Jul 2 2008, 05:28 PM - Post #5
Full Member (Group: Member, Posts: 18, Joined: 27-June 08, Member No.: 1,100)
Hey,
Sorry for the delay, here's the GMER log. It said that there were several RootKit actions. Thank you. I will be merging the other files and posting a new log here momentarily.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-01 23:52:38
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\system32\xpdx.sys ZwCreateKey [0xF8544A5C] <-- ROOTKIT !!!
SSDT spav.sys ZwEnumerateKey [0xF8293CA2] <-- ROOTKIT !!!
SSDT spav.sys ZwEnumerateValueKey [0xF8294030] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\xpdx.sys ZwOpenKey [0xF8544B10] <-- ROOTKIT !!!
SSDT spav.sys ZwQueryKey [0xF8294108] <-- ROOTKIT !!!
SSDT spav.sys ZwQueryValueKey [0xF8293F88] <-- ROOTKIT !!!
SSDT spav.sys ZwSetValueKey [0xF829419A] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\xpdx.sys ZwTerminateProcess [0xF85467D6] <-- ROOTKIT !!!

INT 0x62 ? 82387BF8
INT 0x73 ? 82387BF8
INT 0x82 ? 82387BF8
INT 0x84 ? 8225CBF8
INT 0x94 ? 8225CBF8
INT 0xA4 ? 8225CBF8

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2DA2 8050462E 2 Bytes [ 54, F8 ]
? spav.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F78C38AC 5 Bytes JMP 8225C1D8
.text xpdx.sys F8544101 47 Bytes CALL F8544106 \??\C:\WINDOWS\system32\xpdx.sys
.text xpdx.sys F8544131 68 Bytes [ 8D, B5, 1A, 04, 00, 00, 8D, ... ]
.text xpdx.sys F8544176 38 Bytes [ 0B, FF, 95, 5F, 04, 00, 00, ... ]
.text xpdx.sys F854419D 178 Bytes [ C7, 40, 08, 2E, 65, 78, 65, ... ]
.text xpdx.sys F8544250 577 Bytes CALL F85442B0 \??\C:\WINDOWS\system32\xpdx.sys
.text ...
.text C:\WINDOWS\system32\xpdx.sys section is writeable [0xF8544000, 0x7200, 0xE8000020]
? C:\WINDOWS\system32\xpdx.sys The system cannot find the file specified.

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F8277040] spav.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F827713C] spav.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F82770BE] spav.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F82777FC] spav.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F82776D2] spav.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs xpdx.sys
Device \FileSystem\Ntfs \Ntfs 823851F8
Device \Driver\Tcpip \Device\Ip xpdx.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{6816AB09-612C-43CE-854D-0A93D4959D8E} 820A9500
Device \Driver\usbuhci \Device\USBPDO-0 8225B1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 823881F8
Device \Driver\dmio \Device\DmControl\DmConfig 823881F8
Device \Driver\dmio \Device\DmControl\DmPnP 823881F8
Device \Driver\dmio \Device\DmControl\DmInfo 823881F8
Device \Driver\usbuhci \Device\USBPDO-1 8225B1F8
Device \Driver\usbuhci \Device\USBPDO-2 8225B1F8
Device \Driver\usbuhci \Device\USBPDO-3 8225B1F8
Device \Driver\usbehci \Device\USBPDO-4 8225A1F8
Device \Driver\Tcpip \Device\Tcp xpdx.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 823891F8
Device \Driver\Cdrom \Device\CdRom0 821EB1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 820A9500
Device \Driver\NetBT \Device\NetbiosSmb 820A9500
Device \Driver\Tcpip \Device\Udp xpdx.sys
Device \Driver\Tcpip \Device\RawIp xpdx.sys
Device \Driver\usbuhci \Device\USBFDO-0 8225B1F8
Device \Driver\usbuhci \Device\USBFDO-1 8225B1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82024500
Device \Driver\Tcpip \Device\IPMULTICAST xpdx.sys
Device \Driver\usbuhci \Device\USBFDO-2 8225B1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 82024500
Device \Driver\usbuhci \Device\USBFDO-3 8225B1F8
Device \Driver\usbehci \Device\USBFDO-4 8225A1F8
Device \Driver\Ftdisk \Device\FtControl 823891F8
Device \FileSystem\Cdfs \Cdfs 81F331F8

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\xpdx.sys (*** hidden *** ) [SYSTEM] xpdx <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xD2 0x06 0xE7 0x70 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\xpdx@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\xpdx@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\xpdx@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\xpdx@ImagePath \??\C:\WINDOWS\system32\xpdx.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\xpdx@DisplayName xpdx system driver
Reg HKLM\SYSTEM\CurrentControlSet\Services\xpdx@Group Base
Reg HKLM\SYSTEM\CurrentControlSet\Services\xpdx@Checked 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\xpdx\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\xpdx\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xD2 0x06 0xE7 0x70 ...
Reg HKLM\SYSTEM\ControlSet002\Services\xpdx@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\xpdx@Start 1
Reg HKLM\SYSTEM\ControlSet002\Services\xpdx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\xpdx@ImagePath \??\C:\WINDOWS\system32\xpdx.sys
Reg HKLM\SYSTEM\ControlSet002\Services\xpdx@DisplayName xpdx system driver
Reg HKLM\SYSTEM\ControlSet002\Services\xpdx@Group Base
Reg HKLM\SYSTEM\ControlSet002\Services\xpdx@Checked 1
Reg HKLM\SYSTEM\ControlSet002\Services\xpdx\Security
Reg HKLM\SYSTEM\ControlSet002\Services\xpdx\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xD2 0x06 0xE7 0x70 ...
Reg HKLM\SYSTEM\ControlSet003\Services\xpdx@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\xpdx@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\xpdx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\xpdx@ImagePath \??\C:\WINDOWS\system32\xpdx.sys
Reg HKLM\SYSTEM\ControlSet003\Services\xpdx@DisplayName xpdx system driver
Reg HKLM\SYSTEM\ControlSet003\Services\xpdx@Group Base
Reg HKLM\SYSTEM\ControlSet003\Services\xpdx@Checked 1
Reg HKLM\SYSTEM\ControlSet003\Services\xpdx\Security
Reg HKLM\SYSTEM\ControlSet003\Services\xpdx\Security@Security 0x01 0x00 0x14 0x80 ...

---- EOF - GMER 1.0.14 ----
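Added example, not part of this thread or of GMER: a small triage script that parses GMER log lines in the format posted above and groups the findings per driver, separating the indicator that settles the question (a service hidden from the service database) from supporting evidence (SSDT hooks, and the devices the driver has attached to on the TCP/IP and file-system stacks). It reaches the same conclusion the helper states in the reply further down, that xpdx.sys is the hidden driver, from the log alone. The sample lines are taken from the log above; the function names and severity labels are this example's own assumptions.

```python
"""Triage a GMER rootkit-scan log: group findings per driver and rank them.

Added example, not part of this thread or of GMER itself. Line formats follow
the GMER 1.0.14 log posted above; function names and severity labels are this
example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the GMER log posted above.
SAMPLE_LOG = r"""
---- System - GMER 1.0.14 ----
SSDT \??\C:\WINDOWS\system32\xpdx.sys ZwCreateKey [0xF8544A5C] <-- ROOTKIT !!!
SSDT spav.sys ZwEnumerateKey [0xF8293CA2] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\xpdx.sys ZwTerminateProcess [0xF85467D6] <-- ROOTKIT !!!
INT 0x62 ? 82387BF8
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs xpdx.sys
Device \Driver\Tcpip \Device\Ip xpdx.sys
Device \Driver\Tcpip \Device\Tcp xpdx.sys
Device \Driver\usbuhci \Device\USBPDO-0 8225B1F8
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\system32\xpdx.sys (*** hidden *** ) [SYSTEM] xpdx <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\xpdx@ImagePath \??\C:\WINDOWS\system32\xpdx.sys
---- EOF - GMER 1.0.14 ----
"""

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]")
DEVICE_RE = re.compile(r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<owner>\S+)$")
SERVICE_RE = re.compile(r"^Service\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)")
REG_RE = re.compile(r"^Reg\s+(?P<key>[^@\s]+)@(?P<value>\S+)\s+(?P<data>.+)$")

# Device objects of the TCP/IP stack; a driver attached here sits in the path of all network traffic.
NETWORK_DEVICES = {r"\device\ip", r"\device\tcp", r"\device\udp", r"\device\rawip", r"\device\ipmulticast"}


def _driver_name(path):
    """Reduce a full image path or a bare file name to the lowercase file name."""
    return path.rsplit("\\", 1)[-1].lower()


def _new_record():
    return {"ssdt_hooks": [], "devices": [], "hidden_service": None, "image_path": None}


def parse_gmer(text):
    """Map lowercase driver file name -> the findings GMER attributed to that driver."""
    findings = defaultdict(_new_record)
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:  # a system-call table entry redirected into this driver's code
            findings[_driver_name(m["module"])]["ssdt_hooks"].append(m["func"])
            continue
        m = DEVICE_RE.match(line)
        if m and m["owner"].lower().endswith(".sys"):  # hex owners are ordinary kernel objects
            findings[_driver_name(m["owner"])]["devices"].append(m["device"])
            continue
        m = SERVICE_RE.match(line)
        if m:  # driver is loaded but its service is missing from the service database
            findings[_driver_name(m["path"])]["hidden_service"] = m["name"]
            continue
        m = REG_RE.match(line)
        if m and m["value"].lower() == "imagepath":
            findings[_driver_name(m["data"])]["image_path"] = m["data"]
    return dict(findings)


def assess(findings):
    """Return {driver: (level, reasons)}. A hidden service is decisive on its own;
    SSDT hooks plus device attachment are strong supporting evidence; SSDT hooks
    alone also come from some legitimate drivers and only merit a closer look."""
    verdicts = {}
    for drv, f in findings.items():
        reasons = []
        if f["hidden_service"]:
            reasons.append("service '%s' is hidden" % f["hidden_service"])
        if f["ssdt_hooks"]:
            reasons.append("hooks %d SSDT entries: %s" % (len(f["ssdt_hooks"]), ", ".join(f["ssdt_hooks"])))
        net = [d for d in f["devices"] if d.lower() in NETWORK_DEVICES]
        if net:
            reasons.append("attached to network devices: %s" % ", ".join(net))
        if f["hidden_service"]:
            level = "likely rootkit"
        elif f["ssdt_hooks"] and f["devices"]:
            level = "suspicious"
        elif f["ssdt_hooks"] or f["devices"]:
            level = "review"
        else:
            level = "info"
        verdicts[drv] = (level, reasons)
    return verdicts


if __name__ == "__main__":
    for drv, (level, reasons) in sorted(assess(parse_gmer(SAMPLE_LOG)).items()):
        print("%-10s %-15s %s" % (drv, level, "; ".join(reasons)))
```

On the full log the same logic separates the two drivers GMER flagged: spav.sys only hooks SSDT entries, while xpdx.sys hooks them, is attached to \Device\Ip, \Device\Tcp, \Device\Udp and \Device\RawIp, and runs from a service the service database cannot see, which is what makes it the candidate for the unexplained outbound mail.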
Jul 2 2008, 05:34 PM - Post #6
Full Member (Group: Member, Posts: 18, Joined: 27-June 08, Member No.: 1,100)
Here is the most recent Deckard scan.
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-02 13:31:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 504 MiB (512 MiB recommended).

-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:14 PM, on 7/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\administrator.ASTECHNB\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [EPSON Stylus Photo R280 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE /FU "C:\DOCUME~1\ADMINI~1.AST\LOCALS~1\Temp\E_S2.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://astech/connectcomputer/nshelp.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/active...oad/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ASTech.local
O17 - HKLM\Software\..\Telephony: DomainName = ASTech.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ASTech.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ASTech.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ASTech.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

--
End of file - 6490 bytes

-- Files created between 2008-06-02 and 2008-07-02 -----------------------------

2008-07-01 17:05:20 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-01 17:05:01 0 d-------- C:\Documents and Settings\administrator.ASTECHNB\Application Data\Mozilla
2008-06-30 02:04:35 0 d-------- C:\Documents and Settings\administrator.ASTECHNB\.housecall6.6
2008-06-30 01:37:43 0 dr-h----- C:\Documents and Settings\JS\Application Data\yahoo!
2008-06-30 01:36:43 0 d-------- C:\Documents and Settings\JS\Application Data\Winamp
2008-06-29 10:56:23 0 d-------- C:\Program Files\Adobe Media Player
2008-06-29 10:56:17 0 d-------- C:\Program Files\Common Files\Adobe AIR
2008-06-29 10:29:19 0 d-------- C:\WINDOWS\Prefetch
2008-06-29 10:21:37 0 d-------- C:\WINDOWS\system32\scripting
2008-06-29 10:21:36 0 d-------- C:\WINDOWS\l2schemas
2008-06-29 10:21:35 0 d-------- C:\WINDOWS\system32\en
2008-06-29 10:21:35 0 d-------- C:\WINDOWS\system32\bits
2008-06-29 10:18:59 0 d-------- C:\WINDOWS\ServicePackFiles

-- Find3M Report ---------------------------------------------------------------

2008-06-29 10:56:30 0 d-------- C:\Documents and Settings\administrator.ASTECHNB\Application Data\Adobe
2008-06-29 10:56:17 0 d-------- C:\Program Files\Common Files
2008-06-29 10:34:57 0 d-------- C:\Program Files\MSN Messenger
2008-06-29 10:22:04 0 d-------- C:\Program Files\Messenger
2008-06-29 10:21:35 0 d-------- C:\Program Files\Movie Maker
2008-06-29 10:18:39 0 d-------- C:\Program Files\Windows NT
2008-05-12 12:44:40 0 d-------- C:\Program Files\BitDefender

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/19/2007 09:16 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [01/15/2008 06:54 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 12:54 PM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]
"EPSON Stylus Photo R280 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKA.exe" [04/13/2007 06:00 AM]
"UnHackMe Monitor"="C:\Program Files\UnHackMe\hackmon.exe" [09/17/2007 03:37 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

C:\Documents and Settings\administrator.ASTECHNB\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [10/26/2006 11:24:54 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [10/20/2005 8:55:40 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 02:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 02:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=C:\WINDOWS\pss\Extender Resource Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^JS^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\JS\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe]
C:\Program Files\GameSpy\Comrade\Comrade.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE QWAVE
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc

*Newly Created Service* - GMER

-- End of Deckard's System Scanner: finished at 2008-07-02 13:33:26 ------------
Jul 3 2008, 06:24 AM - Post #7
I Will Eat Your Malware (Group: Administrator, Posts: 342, Joined: 19-September 06, Member No.: 426)
Hi,

Thanks for the logs. Indeed have Rustock rootkit. This is your spammer.

Download SDFix and save it to your Desktop. In the event you already have SDFix, please delete it as this is a new version I need you to download.

Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

Run Gmer again please as well & post its log.

Next I want to get you to run a virus scan.

Download Dr.Web's CureIt to your desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double-click the drweb-cureit.exe file and allow it to run the express scan. This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.

Once the short scan has finished, select the "full system scan". Click the green arrow > to the right and the scan will begin.

At the first infection, select 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, click the "Select all" toggle button (if available) next to the files found. Then click the green cup icon right below and select Move incurable. This will move any infected files to the %userprofile%\DoctorWeb\quarantaine-folder that can't be cured (in case if we need samples).

Then, from the main Dr.Web CureIt menu (top left), click File and choose save report list. Save the report to your desktop. The report will be called DrWeb.csv

Close Dr.Web Cureit and Restart your computer to completely remove any stubborn files in reboot.

Post back with the DrWeb.csv report please. Let me know how the system is running please.

Thanks

ps. You really should get an antivirus program installed. You risk getting hit again without it. Few decent free o