Win32:Rootkit-gen virus problem . Windows XP case

#1
16-11-2008, 10:19 PM
Newbie
D-A-L Newbie
 
Join Date: Nov 2008
Posts: 6
lparnibowski Is a beginner here at D-A-L
Win32:Rootkit-gen virus problem . Windows XP case

Hi !

I guess I have a Win32:Rootkit-gen virus on my Fujitsu laptop.

A few hours ago my Avast spyware informed me of danger caused by the arp1394.sys file from C:\WINDOWS\system32\drivers. I chose to quarantine the file, but then there came another warning (about another file from the same directory), so I chose to quarantine it too, but then came another... I rebooted the computer and Avast started to scan my system (before loading Windows), but it took so long that I decided to stop it.
I guess that could be a mistake...

Now my Windows XP doesn't work properly, for example:
- I lost my internet connection (I used to connect with a router)
- the computer mouse doesn't work
- my Windows XP desktop preferences changed

I tried to look around for solutions (I use another computer), but I don't think that I can cope with it on my own. I don't understand the algorithm that you use to read all these logs.

I would be very grateful if somebody could help me or tell me what I should do (maybe there are walkthroughs that I haven't found yet).
#2
16-11-2008, 10:22 PM
Newbie
D-A-L Newbie
 
Join Date: Nov 2008
Posts: 6
lparnibowski Is a beginner here at D-A-L
Re: Win32:Rootkit-gen virus problem . Windows XP case

Hey, I just saw that I should run a SpyBot S&D 1.5 scan and post the log from HijackThis. I'll do it as fast as possible.
#3
17-11-2008, 12:59 AM
Newbie
D-A-L Newbie
 
Join Date: Nov 2008
Posts: 6
lparnibowski Is a beginner here at D-A-L
Re: Win32:Rootkit-gen virus problem . Windows XP case

I couldn't install SpyBot S&D 1.5, because I have no internet connection.

Firstly, I ran an Avast 4.8.1201 scan. I had more infected files in the C:\windows\system32\drivers directory:
aec.sys
CO_MON.sys
HDAudBus.sys
ialmnt5.sys
RtkHDAud.sys

I added them to quarantine.

Then I ran HijackThis. Here is the log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:36, on 2008-11-17
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\MATLAB7\webserver\bin\win32\matlabserver.exe
c:\WINDOWS\system32\o2flash.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EdHTML] C:\Program Files\Binboy\EdHTMLv5.0\EdHTML.exe /none
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1193259505906
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: IBM Rational ClearQuest Mail Service (MailService) - IBM Corporation - C:\Program Files\Rational\ClearQuest\mailservice.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - c:\WINDOWS\system32\o2flash.exe
O23 - Service: Odyssey Client for Fujitsu Siemens Computers (odClientService) - Funk Software, Inc. - C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7004 bytes


And here is what was generated into another file (it was suggested to paste it in the "IMPORTANT instructions"):

Adobe Flash Player 10 Plugin
Adobe Reader 7.0.5 - Polish
Adobe Shockwave Player
Apple Software Update
Archiwizator WinRAR
Autodesk MapGuide(R) Viewer ActiveX Control Release 6.5
avast! Antivirus
Free FLV Converter V 5.2
GPL Ghostscript 8.54
GPL Ghostscript Fonts
GSview 4.9
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
IBM Rational RequisitePro
InfraRecorder
Intel(R) Graphics Media Accelerator Driver
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 7
Java(TM) SE Development Kit 6 Update 2
Java(TM) SE Runtime Environment 6 Update 1
LiveUpdate 3.0 (Symantec Corporation)
Lizardtech DjVu Control
Localization Pack for Microsoft Windows XP Media Center Edition
Macromedia Flash Player 8
MATLAB Family of Products Release 14
MCE Software Encoder 1.0
MDI viewer 0.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1 Polish Language Pack
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Office 2000 Professional
Microsoft Visual C++ 2005 Redistributable
Motorola SM56 Data Fax Modem
Mozilla Firefox (3.0.4)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero BurnRights
Nero Digital
Nero OEM
NeroVision Express Content
O2Micro Flash Memory Card Windows Driver V2.04
Odyssey Client for Fujitsu Siemens Computers
OpenOffice.org 2.2
PowerDVD
PowerQuest PartitionMagic 7.0 Demo
RealPlayer
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SPSS 16.0 Evaluation Version
Standalone irssi for Windows
Subversion 1.4.5-r25188
Symantec KB-DocID:2003093015493306
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update Rollup 2 for Windows XP Media Center Edition 2005
Windows Media Format Runtime
Windows Media Player Firefox Plugin
Windows Messenger 5.1
Windows Messenger 5.1 MUI Pack
Windows XP Media Center Edition 2005 KB919803
Windows XP Service Pack 3
WinSCP 3.8.2
Wolfram Notebook Indexer 1.1
XStandard



I hope that this time I didn't cause any waste of your time - sorry for not preparing as well as I could :/
#4
19-11-2008, 09:39 PM
Senior Member

Join Date: Sep 2005
Posts: 5,524
Neal is a D-A-L Rockstar!
Re: Win32:Rootkit-gen virus problem . Windows XP case

Transfer the setup file from the good computer to the sick computer:



* Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report in your next reply along with a fresh HijackThis log.


Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


If there is still no internet connection after the above, try this:


Download LSPfix here:
LSP-Fix - a free program to repair damaged Winsock 2 stacks
Or here:
LSPFix download and review - repairs Winsock 2 settings from SnapFiles
or here:
|MG| LSP - Fix

To run it be sure you are NOT connected to the Internet. Pull the plug.

Launch the application, and click the "I know what I'm doing" checkbox.

Then click Finish.

Reboot your computer.


Please post a new HijackThis log with feedback on what is going on now.
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|




ASAP: promoting a high standard and quality of security support no matter where you seek help.

#5
20-11-2008, 09:35 PM
Newbie
D-A-L Newbie
 
Join Date: Nov 2008
Posts: 6
lparnibowski Is a beginner here at D-A-L
Re: Win32:Rootkit-gen virus problem . Windows XP case

Hi, Neal!

Thank you very much for your help. I tried to follow your commands.

I downloaded all the files from your links. Unfortunately, I wasn't able to update Malwarebytes' Anti-Malware, because I had no internet connection. The version I used was 1.30 and I think that it's the newest one.

Sorry for the empty lines in my posts, but I'm using Ubuntu now.

Here is the log from MBAM (I had to translate the commands from another language, so the commands may be a little odd for you):

Malwarebytes' Anti-Malware 1.30
Base definition version: 1306
Windows 5.1.2600 Service Pack 3

2008-11-20 09:34:11
mbam-log-2008-11-20 (09-34-11).txt

Scan Type: Full Scan (C:\|D:\|)
Scanned objects: 265979
Passed: 1 hour(s), 29 minute(s), 26 second(s)

Infected processes in memory: 0
Infected memory modules: 0
Infected registry keys: 1
Infected registry values: 0
Infected registry files: 0
Infected folders: 1
Infected files: 1

Infected processes in memory:
(No threatening files found)

Infected memory modules:
(No threatening files found)

Infected registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Infected registry values:
(No threatening files found)

Infected folders:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.

Infected files:
C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.


Here is a new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:30, on 2008-11-20
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\WINDOWS\system32\o2flash.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\lukasz\My Documents\programy\antywir\LSPFix.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EdHTML] C:\Program Files\Binboy\EdHTMLv5.0\EdHTML.exe /none
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1193259505906
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: IBM Rational ClearQuest Mail Service (MailService) - IBM Corporation - C:\Program Files\Rational\ClearQuest\mailservice.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - c:\WINDOWS\system32\o2flash.exe
O23 - Service: Odyssey Client for Fujitsu Siemens Computers (odClientService) - Funk Software, Inc. - C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7025 bytes


As I mentioned, I've been disconnected from the web since my Avast alerted me about the virus problem (and I rebooted my comp about 4 minutes later). LSPfix didn't work for me.

Here is the "Repair summary" from LSPfix:

0 NameSpace provider entries removed
0 NameSpace provider entries renumbered
0 Protocol provider entries removed
0 Protocol provider entries renumbered

I checked the "I know what I'm doing" checkbox and there were three files in the "Keep" box (I did nothing with them):

mswsock.dll Tcpip
winrnr.dll NTDS
rsvpsp.dll (Protocol Handler)

I still have no internet connection and my computer mouse isn't reacting. When my Windows XP is starting I can see that the "internet connection" icon in the bottom-right corner of the screen shows that I have the connection. After circa 10 seconds it turns to "no connection". I think that it behaved a bit differently earlier - firstly it was "no connection", then "connection" and in the end "connected". But probably I'm wrong.

Thanks for your interest once again.

Last edited by lparnibowski; 20-11-2008 at 11:27 PM.
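The entries a helper reads by hand in posts #3 and #5 (the HijackThis O4/O9/O23 lines, the three Malwarebytes findings, and the Winsock provider list that LSP-Fix left in place) follow fixed line formats, so the first-pass triage can be scripted. The Python below is an added example written for this page; it is not code from the thread, from D-A-L, or from HijackThis, Malwarebytes or LSP-Fix. The sample lines are copied from the posts above, while the set of known-good Winsock providers, the list of system binary names with the directories they belong in, and the wording of each reason are this example's own assumptions. It also encodes one interpretation the posts do not state outright: an `Image File Execution Options\explorer.exe` key found in the same scan as a `svchost.exe` under `C:\Program Files\Microsoft Common` is consistent with an IFEO Debugger hijack of the shell (a `Debugger` value under that key makes Windows start the named program instead of explorer.exe), which would also fit the changed desktop reported in post #1; the log does not show the key's values, so that stays a hypothesis.

```python
"""Added triage for the logs pasted in this thread: HijackThis O4/O9/O23 lines,
Malwarebytes findings and the LSP-Fix provider list. Samples are copied from the
posts above; the baselines and the reason texts are this example's own assumptions."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str  # "O4", "O9", "O23" for HijackThis; "MBAM" for Malwarebytes
    subject: str  # the entry the finding is about
    reason: str   # why a helper should look at it


# Constructed sample: seven HijackThis lines taken from the logs in posts #3 and #5.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [EdHTML] C:\Program Files\Binboy\EdHTMLv5.0\EdHTML.exe /none
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
"""

# Constructed sample: the three Malwarebytes findings from post #5.
MBAM_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O9_RE = re.compile(r"^O9 - (?P<kind>[^:]+): (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
MBAM_RE = re.compile(r"^(?P<obj>.+?) \((?P<det>[^)]+)\) -> (?P<action>.+)$")

# Assumption: names malware likes to borrow, and the only XP directories they belong in.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "csrss.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}
# Assumption: the stock XP Winsock catalog, i.e. the three providers LSP-Fix kept in post #5.
KNOWN_XP_LSP = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}


def first_token(cmd: str) -> str:
    """Executable part of a Run value: the quoted path, or the first word."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def triage_hjt(text: str) -> list[Finding]:
    """Flag the HijackThis patterns a helper checks first."""
    out = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := O4_RE.match(line):
            # A bare file name is resolved by the loader's search order at logon,
            # so the copy that actually runs may not be the vendor's.
            if "\\" not in first_token(m["cmd"]):
                out.append(Finding("O4", m["name"], "unqualified file name, verify which copy runs"))
        elif m := O9_RE.match(line):
            if "(file missing)" in m["path"]:
                out.append(Finding("O9", m["name"], "IE button/menu entry whose target is missing"))
        elif m := O23_RE.match(line):
            if m["owner"] == "Unknown owner":
                out.append(Finding("O23", m["name"], "no vendor in version info, verify the binary by hash or signature"))
            if "(file missing)" in m["path"]:
                # An orphan, and a path that runs as SYSTEM at boot if anything is dropped there.
                out.append(Finding("O23", m["name"], "service binary missing, remove or restore the service"))
    return out


def parse_mbam(text: str) -> list[tuple[str, str, str]]:
    """(object, detection, action) for each Malwarebytes result line."""
    return [(m["obj"], m["det"], m["action"])
            for m in (MBAM_RE.match(l.strip()) for l in text.splitlines()) if m]


def triage_mbam(text: str) -> list[Finding]:
    out = []
    for obj, _det, _action in parse_mbam(text):
        low = obj.lower()
        if "\\image file execution options\\" in low:
            # A Debugger value under IFEO\<exe> starts that program instead of <exe>.
            out.append(Finding("MBAM", obj, "IFEO key: possible Debugger hijack of " + low.rsplit("\\", 1)[-1]))
        directory, _, name = low.rpartition("\\")
        if re.match(r"^[a-z]:\\", low) and name in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
            out.append(Finding("MBAM", obj, "system binary name outside the Windows directories (masquerade)"))
    return out


def check_lsp(entries: list[str]) -> list[str]:
    """LSP-Fix 'Keep' lines whose DLL is not in the known-good Winsock catalog."""
    return [e for e in entries if e.split()[0].lower() not in KNOWN_XP_LSP]


if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE) + triage_mbam(MBAM_SAMPLE):
        print(f"[{f.section}] {f.subject}: {f.reason}")
    # The three providers from post #5 plus one constructed, hypothetical stranger.
    print(check_lsp(["mswsock.dll Tcpip", "winrnr.dll NTDS",
                     "rsvpsp.dll (Protocol Handler)", "example_lsp.dll Hypothetical"]))
```

Run against the posted logs this reports five HijackThis items to look at (the bare `RTHDCPL.EXE` Run value, the dangling PartyPoker button, the Apache service with no vendor and no binary, and the MATLAB service with no vendor), two Malwarebytes items (the IFEO key and the misplaced `svchost.exe`), and nothing for the three Winsock providers, which matches the helper's reading that the LSP catalog was already clean and the lost connection has another cause. A caveat on the other half of the thread: the driver files Avast quarantined in posts #1 and #3 (arp1394.sys, aec.sys, HDAudBus.sys, ialmnt5.sys, RtkHDAud.sys) carry the file names of stock Windows and OEM drivers, so before trusting either the generic Rootkit-gen detection or the quarantine, the practitioner's check is to compare those files by hash against the copies in dllcache or on the installation media.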
#6
21-11-2008, 04:18 AM
Senior Member

Join Date: Sep 2005
Posts: 5,524
Neal is a D-A-L Rockstar!
Re: Win32:Rootkit-gen virus problem . Windows XP case

Try to transfer this:



Visit the page below to familiarize yourself with the tool and download it from one of the links provided.

A guide and tutorial on using ComboFix




If you have previously downloaded ComboFix, please delete that version now.



It is IMPORTANT that it is saved directly to your desktop

Close any open browsers.

Disconnect from the Internet.

Please do not re-connect your machine back to the Internet until Combofix has completely finished.

Disable your antivirus program and any realtime malware scanners and script blockers now


How To Disable



Double click on combofix.exe and follow the prompts.

When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Note:
Do not mouse-click ComboFix's window while it's running.

That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Re-enable your anti-virus, re-connect to the internet and post the ComboFix log.



*Note*
In case your antivirus or any other realtime scanner displays an alert after you download ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.


ComboFix SHOULD NOT be used unless requested by a forum helper.
#7
22-11-2008, 10:57 PM
Newbie
D-A-L Newbie
 
Join Date: Nov 2008
Posts: 6
lparnibowski Is a beginner here at D-A-L
Re: Win32:Rootkit-gen virus problem . Windows XP case

Hi,
I followed your orders. Nothing uncommon happened, nor did anything change in the state of my Windows XP.

Here is the requested ComboFix.txt log (I translated some text from another language):

ComboFix 08-11-20.02 - lukasz 2008-11-22 22:01:27.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1250.1.1033.18.622 [GMT 1:00]

Started from: c:\documents and settings\lukasz\Desktop\ComboFix.exe

Following commands were used :: c:\documents and settings\lukasz\My Documents\programs\antyvir\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

* New return points were created

.



((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))

.



c:\windows\Downloaded Program Files\setup.inf

c:\windows\system32\Cache



.

((((((((((((((((((((((((( Files created from 2008-10-22 to 2008-11-22 )))))))))))))))))))))))))))))))

.



2008-11-20 08:01 . 2008-11-20 08:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-11-20 08:01 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-11-20 08:01 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-11-20 00:45 . 2008-11-20 00:45 <DIR> d-------- c:\documents and settings\lukasz\Application Data\Malwarebytes

2008-11-20 00:44 . 2008-11-20 00:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-11-12 09:05 . 2008-09-04 18:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

2008-11-12 09:05 . 2008-10-24 12:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2008-11-10 11:14 . 2008-11-10 11:14 <DIR> d-------- c:\program files\BizAgi

2008-11-10 11:14 . 2008-11-10 11:14 <DIR> d-------- c:\documents and settings\lukasz\Application Data\InstallShield Installation Information

2008-11-08 16:57 . 2008-11-08 16:57 <DIR> d-------- c:\program files\MDIviewer

2008-10-28 23:45 . 2008-10-28 23:50 619 --a------ c:\windows\cdplayer.ini

2008-10-28 22:03 . 2008-10-28 22:03 <DIR> d-------- c:\program files\irssi

2008-10-26 16:20 . 2008-10-29 21:22 <DIR> d-------- c:\program files\SopCast

2008-10-26 14:53 . 2008-10-26 14:53 <DIR> d-------- c:\program files\Common Files\xing shared

2008-10-26 14:52 . 2008-10-26 14:52 <DIR> d-------- c:\program files\Real

2008-10-25 21:16 . 2008-10-25 21:17 <DIR> d-------- c:\program files\SmartDraw 2009

2008-10-25 11:27 . 2008-10-25 11:27 56 --ah----- c:\windows\system32\ezsidmv.dat

2008-10-25 11:25 . 2008-11-16 09:43 <DIR> d-------- c:\program files\Skype

2008-10-25 11:25 . 2008-11-16 09:54 <DIR> d-------- c:\documents and settings\lukasz\Application Data\Skype

2008-10-24 19:32 . 2008-10-15 17:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll



.

(((((((((((((((((((((((((((((((((((((((( Section Find3M )))))))))))))))))))))))))))))))))))))))))))))))))) ))

.

2008-11-22 20:57 --------- d-----w c:\documents and settings\lukasz\Application Data\OpenOffice.org2

2008-11-16 08:43 --------- d-----w c:\documents and settings\All Users\Application Data\Skype

2008-11-16 08:35 --------- d-----w c:\documents and settings\lukasz\Application Data\skypePM

2008-11-15 12:39 --------- d-----w c:\documents and settings\lukasz\Application Data\Tinn-R

2008-10-26 13:53 --------- d-----w c:\program files\Common Files\Real

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-21 21:25 --------- d--h--w c:\program files\InstallShield Installation Information

2008-10-21 21:25 --------- d-----w c:\program files\PowerQuest

2008-10-19 21:03 --------- d-----w c:\documents and settings\lukasz\Application Data\InfraRecorder

2008-10-19 21:02 --------- d-----w c:\program files\InfraRecorder

2008-10-11 19:40 --------- d-----w c:\program files\Tinn-R

2008-10-11 19:36 --------- d-----w c:\program files\R

2008-10-03 20:07 --------- d-----w c:\program files\Free FLV Converter

2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys

2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll

2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll

2008-08-28 07:46 74,752 ----a-w c:\windows\system32\msw3prt.dll

2008-08-28 07:46 104,960 ----a-w c:\windows\system32\win32spl.dll

2008-01-23 17:58 81,920 ----a-w c:\documents and settings\lukasz\fftGpu.exe

2008-01-13 14:03 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat

2007-07-10 19:56 271,776 ----a-w c:\documents and settings\lukasz\Accelerator.dll

2007-06-03 11:06 454,656 ----a-w c:\documents and settings\lukasz\putty.exe

.



((((((((((((((((((((((((((((((((((((( Start registry entries ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Attention* empty entries and default, correct entries are not displayed

REGEDIT4



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]

@="{30351346-7B7D-4FCC-81B4-1E394CA267EB}"

[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]

2008-02-16 11:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]

@="{30351347-7B7D-4FCC-81B4-1E394CA267EB}"

[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]

2008-02-16 11:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]

@="{30351348-7B7D-4FCC-81B4-1E394CA267EB}"

[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]

2008-02-16 11:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]

@="{3035134B-7B7D-4FCC-81B4-1E394CA267EB}"

[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]

2008-02-16 11:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]

@="{3035134C-7B7D-4FCC-81B4-1E394CA267EB}"

[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]

2008-02-16 11:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]

@="{3035134D-7B7D-4FCC-81B4-1E394CA267EB}"

[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]

2008-02-16 11:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]

@="{3035134E-7B7D-4FCC-81B4-1E394CA267EB}"

[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]

2008-02-16 11:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-04-15 45056]

"OdTray.exe"="c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe" [2005-05-18 1015871]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-26 185896]

"RTHDCPL"="RTHDCPL.EXE" [2006-09-06 c:\windows\RTHDCPL.EXE]

"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

"SMSERIAL"="sm56hlpr.exe" [2006-01-20 c:\windows\sm56hlpr.exe]



[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]



c:\documents and settings\lukasz\Start Menu\Programs\Startup\

OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 393216]



c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]

2007-02-14 21:04 106496 c:\windows\system32\odyEvent.dll



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.iv31"= c:\windows\system32\ir32_32.dll

"vidc.iv32"= c:\windows\system32\ir32_32.dll



[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\Msmsgs.exe"=

"c:\\Program Files\\SPSSInc\\SPSS16EV\\spss.com"=

"c:\\Program Files\\SPSSInc\\SPSS16EV\\spss.exe"=

"c:\\Program Files\\SPSSInc\\SPSS16EV\\SPSSWinWrapIDE.exe"=

"c:\\Program Files\\Gadu-Gadu\\gg.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)

"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)



R0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2006-02-27 34880]

R0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2006-02-20 29056]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-28 78416]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-06-28 20560]

R3 odysseyIM4;Odyssey Network Agent Miniport;c:\windows\system32\DRIVERS\odysseyIM4.sys [2005-05-18 173056]

S2 MailService;IBM Rational ClearQuest Mail Service;"c:\program files\Rational\ClearQuest\mailservice.exe" [2007-05-15 73795]



*Newly Created Service* - PROCEXP90

.

- - - - DELETED EMPTY ENTRIES - - - -



HKCU-Run-EdHTML - c:\program files\Binboy\EdHTMLv5.0\EdHTML.exe





.

------- Supplementing scan -------

.

FireFox -: Profile - c:\documents and settings\lukasz\Application Data\Mozilla\Firefox\Profiles\e8k8fqem.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - Yahoo!

FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll

FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdjvu.dll

FF -: plugin - c:\xstandard\Bin\NPXStandard.dll

.



************************************************************************



catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-22 22:08:43

Windows 5.1.2600 Service Pack 3 NTFS



Scanning hidden processes ...



Scanning hidden autostart entries ...



Scanning hidden files ...



Scanning finished positively

Hidden files: 0



************************************************************************

.

Time of finish: 2008-11-22 22:11:10

ComboFix-quarantined-files.txt 2008-11-22 21:10:59



Before: 23,966,244,864 bytes free

After: 26,142,199,808 bytes free



174 --- E O F --- 2008-11-12 08:34:56
  #8 (permalink)  
Old 25-11-2008, 01:40 AM
Neal
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
Re: Win32:Rootkit-gen virus problem . Windows XP case

After further digging and research it appears you have or had a backdoor trojan. No telling what kind of damage was done by this; if further trojans are on your PC, this next tool should remove them, hopefully.



Download SDFIX and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All.
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads, the Fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
  • Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|




ASAP: promoting a high standard and quality of security support no matter where you seek help.

  #9 (permalink)  
Old 25-11-2008, 09:08 PM
lparnibowski
D-A-L Newbie
 
Join Date: Nov 2008
Posts: 6
Re: Win32:Rootkit-gen virus problem . Windows XP case

Hi, Neal!

Thank you once again for your help.
I did what you had asked me to do. Nothing uncommon happened and nothing changed in the state of Windows XP (I mean that the functionality mentioned in my first post is still missing).

"backdoor trojan" - it sounds terrible :/.

Here is the Report.txt file:


/******************************/

SDFix: Version 1.240

Run by lukasz on 2008-11-25 at 20:06



Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\Documents and Settings\lukasz\Desktop\SDFix



Checking Services :





Restoring Default Security Values

Restoring Default Hosts File



Rebooting





Checking Files :



No Trojan Files Found













Removing Temp Files



ADS Check :







Final Check :



catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-25 20:36:25

Windows 5.1.2600 Service Pack 3 NTFS



scanning hidden processes ...



scanning hidden services & system hive ...



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

"s1"=dword:8c6ec5df

"s2"=dword:22b1dcfe

"h0"=dword:00000001



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:1d,7f,5c,3a,7b,79,c5,c9,7f,4e,9c,da,62,43,81,e3,a9,e2,e6,17,6d,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:1d,7f,5c,3a,7b,79,c5,c9,7f,4e,9c,da,62,43,81,e3,a9,e2,e6,17,6d,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:1d,7f,5c,3a,7b,79,c5,c9,7f,4e,9c,da,62,43,81,e3,a9,e2,e6,17,6d,..



scanning hidden registry entries ...



scanning hidden files ...



scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0





Remaining Services :









Authorized Application Key Export:



[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Messenger\\Msmsgs.exe"="C:\\Program Files\\Messenger\\Msmsgs.exe:*:Enabled:Windows Messenger"

"C:\\Program Files\\SPSSInc\\SPSS16EV\\spss.com"="C:\\Program Files\\SPSSInc\\SPSS16EV\\spss.com:*:Disabled:SPSS 16.0 Evaluation Version (1033:com)"

"C:\\Program Files\\SPSSInc\\SPSS16EV\\spss.exe"="C:\\Program Files\\SPSSInc\\SPSS16EV\\spss.exe:*:Disabled:SPSS 16.0 Evaluation Version (1033:exe)"

"C:\\Program Files\\SPSSInc\\SPSS16EV\\SPSSWinWrapIDE.exe"="C:\\Program Files\\SPSSInc\\SPSS16EV\\SPSSWinWrapIDE.exe:*:Disabled:SPSS Basic Script Editor (1033)"

"C:\\Program Files\\Gadu-Gadu\\gg.exe"="C:\\Program Files\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program główny"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"

"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"



[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"



Remaining Files :







Files with Hidden Attributes :



Wed 12 Sep 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Wed 12 Sep 2007 11,115 A.SH. --- "C:\Documents and Settings\lukasz\My Documents\My Music\Kopia zapasowa licencji\drmv2key.bak"

Tue 30 Sep 2008 270,336 A.SH. --- "C:\Documents and Settings\lukasz\My Documents\My Pictures\monachium'08\SIV4.tmp"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\bdtjy64.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\bq0s78x.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\cu2hbva.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\d4fda8y.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\djivdhz.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\el2tuaj.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\enapv9e.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\euepdfr.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\he13dew.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\hvope6v.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\ima0fgo.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\j8lxujc.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\kbifuyd.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\lh9lrsa.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\lwo6rih.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\mh0i459.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\mkx84zy.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\nxssew1.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\oo5p94t.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\phkkuzt.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\pmpxh1k.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\poag0na.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\pynnc7c.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\qpydf4t.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\qsnkpp3.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\r2ea1d5.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\sqvwuhc.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\sricxjn.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\t5kv8cm.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\tdaopvo.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\ul5oq5d.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\vpb2fuy.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\vtru8bt.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\wakkf0z.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\wwv1o1p.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\x0h7yih.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\yr3gmrj.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\z0c2gau.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\zjttmco.dll"

Wed 19 Mar 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\zyhacve.dll"



Finished!


/*********************/

Here is a new HijackThis log


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:49:20, on 2008-11-25

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\MATLAB7\webserver\bin\win32\matlabserver.exe

c:\WINDOWS\system32\o2flash.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\OpenOffice.org 2.2\program\soffice.exe

C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\HijackThis\HijackThis.exe



R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE

O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1193259505906

O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: IBM Rational ClearQuest Mail Service (MailService) - IBM Corporation - C:\Program Files\Rational\ClearQuest\mailservice.exe

O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe

O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - c:\WINDOWS\system32\o2flash.exe

O23 - Service: Odyssey Client for Fujitsu Siemens Computers (odClientService) - Funk Software, Inc. - C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



--

End of file - 7206 bytes
  #10 (permalink)  
Old 28-11-2008, 08:53 PM
Neal
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
Re: Win32:Rootkit-gen virus problem . Windows XP case

Nothing was found by SDFix.

Since you use Avast, let's get rid of Symantec, which is still showing on your system; you should only have one anti-virus program running.

Please run the Symantec uninstaller:

Download and run the Norton Removal Tool


Run HijackThis, click on the "scan system only" button and put checks next to these if they are still there:


O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe




Please close ALL browser windows (including this one).

With everything closed out except HijackThis, click on "fix checked".

Reboot your PC.


What is this below? Did you know you had it? It is not showing in the Add/Remove list:

SafeNet Sentinel
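Neal picks the Symantec leftovers out of the HijackThis log by eye. As an added example (not part of the thread, and not HijackThis's own code), the Python below parses the R/O item lines of a HijackThis v2 log, splits the O23 service lines into name, owner and path, lists every O16/O23 entry naming a chosen vendor, and flags entries whose target file is missing; it goes slightly beyond Neal's list in that it also surfaces the LiveUpdate service and the dead PartyPoker/Apache hooks, and it only reports, the removal is still done with "fix checked". The sample input is a subset of the log lines posted above; `parse_hjt`, `service_fields`, `vendor_entries` and `triage` are names chosen here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Generic HijackThis item line: a code such as R1, O4, O16 or O23, then " - ",
# then the body. Header lines and the "Running processes" paths do not match.
_ITEM_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
_CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O23 name field: "Service: <display name>" optionally followed by " (<short name>)".
_SERVICE_NAME_RE = re.compile(r"^Service: (?P<name>.*?)(?: \((?P<short>[^()]+)\))?$")
_MISSING = " (file missing)"


@dataclass
class HjtEntry:
    kind: str               # item code, e.g. "O23"
    body: str               # everything after "<kind> - "
    raw: str                # original line, ready to paste back into a reply
    clsid: Optional[str]    # first {GUID} in the body, if any (O2, O9, O16)
    file_missing: bool      # HijackThis appends "(file missing)" when the target is gone


def parse_hjt(log_text: str) -> List[HjtEntry]:
    """Parse a HijackThis v2 log into item entries, skipping header and process lines."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ITEM_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        c = _CLSID_RE.search(body)
        entries.append(HjtEntry(kind=m.group("kind"), body=body, raw=line,
                                clsid=c.group(0).upper() if c else None,
                                file_missing=body.endswith(_MISSING.strip())))
    return entries


def service_fields(entry: HjtEntry) -> Tuple[str, Optional[str], str, str]:
    """Split an O23 body into (display name, short name, owner, binary path).

    HijackThis writes O23 as "Service: <name> [(short)] - <owner> - <path>";
    splitting from the right keeps any " - " that is part of the display name.
    """
    if entry.kind != "O23":
        raise ValueError("service_fields expects an O23 entry")
    name_part, owner, path = entry.body.rsplit(" - ", 2)
    m = _SERVICE_NAME_RE.match(name_part)
    if not m:
        raise ValueError("unexpected O23 name field: " + name_part)
    if entry.file_missing:
        path = path[:-len(_MISSING)]
    return m.group("name"), m.group("short"), owner, path


def vendor_entries(entries: List[HjtEntry], vendor: str) -> List[HjtEntry]:
    """O16 (downloaded ActiveX) and O23 (service) entries that mention a vendor."""
    v = vendor.lower()
    return [e for e in entries if e.kind in ("O16", "O23") and v in e.body.lower()]


def missing_file_entries(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries whose target binary no longer exists: dead hooks worth clearing."""
    return [e for e in entries if e.file_missing]


def triage(log_text: str, vendor: str) -> dict:
    """Raw lines a helper would ask the poster to tick in HijackThis, by reason."""
    entries = parse_hjt(log_text)
    return {"vendor": [e.raw for e in vendor_entries(entries, vendor)],
            "missing": [e.raw for e in missing_file_entries(entries)]}


# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:49:20, on 2008-11-25
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

if __name__ == "__main__":
    for reason, lines in triage(SAMPLE_LOG, "Symantec").items():
        print(reason + ":")
        for line in lines:
            print("  " + line)
```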