Infection found on memory scan; Nothing on boot-time scan

Hello All, I am new to this forum.

I was running a virus scan with Webroot SpySweeper (Considering all of the forums I have looked at recently, Webroot is not mentioned anywhere, so did I make a wrong decision in using them?) and got a windows blue screen (DRIVER_IRQL_NOT_LESS_OR_EQUAL). After that, when SpySweeper tried to open, I got an error window saying the installation was damaged and to re-install the product. Needless to say I have not been able to re-install it.

I downloaded Avast! and it has taken off numerous trojans and viruses, not all during the same scan. Recently, when I start Avast!, during the memory test, it says there is a trojan (Win32:Fasec) at c:\windows\system32\uacxfpbtimlxr.dll. I tried moving it, but it was in use; I tried renaming it and forcing rename on reboot, but it did not help; I even tried deleting it, but it was in use. A friend of mine recommended using task manager to end processes one at a time until the process using the .dll was ended and then move the file to the chest. This did not work.

I have downloaded malwarebytes, but cannot get it to open. Same with spybot S&D. I tried renaming the install file, but to no avail.

I am still getting the blue windows stop screens with the same DRIVER message. I can boot in safe mode and everything works fine, but when I try normal mode, it is hit or miss as to when the blue screen will come.

Thank you all for your help in advance. I really appreciate it.

Webroot SpySweeper is considered a good antispyware, but as it is not free, it is not mentioned that much in forums. Some users report high use of system resources.

Can you schedule a boot-time scan?
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select to scan archives.
Boot.
If infected files are found, it’s safer to send them to the Chest instead of deleting them.
This way you can analyse them further.

You possibly have a CLB Rootkit infection, aka WinNT-Alureon. Download RootRepeal from any of the links provided (RAR or ZIP): http://rootrepeal.googlepages.com/ This program requires no installation. Run it, then copy/paste the log here.

Tech – I am able to do a boot-time scan; however, it has not found any infected files as of yet. I agree about deleting; it was my last resort after not being able to move or rename the file.

Micky77 – Here is the log:

ROOTREPEAL (c) AD, 2007-2009

Scan Start Time: 2009/08/06 18:50
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3

Drivers

Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xF8595000 Size: 57344 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF84E6000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF7F82000 Size: 138496 File Visible: - Signed: -
Status: -

Name: aswTdi.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswTdi.SYS
Address: 0xF8675000 Size: 41664 File Visible: - Signed: -
Status: -

Name: asyncmac.sys
Image Path: C:\WINDOWS\system32\DRIVERS\asyncmac.sys
Address: 0xF7801000 Size: 14336 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF8480000 Size: 96512 File Visible: - Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
Address: 0xF894D000 Size: 16384 File Visible: - Signed: -
Status: -

Name: bcm4sbxp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
Address: 0xF85B5000 Size: 44928 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF8A53000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF8945000 Size: 12288 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF85E5000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF8575000 Size: 53248 File Visible: - Signed: -
Status: -

Name: compbatt.sys
Image Path: compbatt.sys
Address: 0xF8949000 Size: 10240 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF8565000 Size: 36352 File Visible: - Signed: -
Status: -

Name: drvmcdb.sys
Image Path: drvmcdb.sys
Address: 0xF844B000 Size: 85344 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF7EA7000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A65000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF81E2000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF8C3A000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xF8169000 Size: 143744 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF8460000 Size: 129792 File Visible: - Signed: -
Status: -

Name: framebuf.dll
Image Path: C:\WINDOWS\System32\framebuf.dll
Address: 0xBFF50000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF8A4F000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF8498000 Size: 125056 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EE000 Size: 131840 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF8685000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF88FD000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xF89F9000 Size: 10368 File Visible: - Signed: -
Status: -

Name: i2omgmt.SYS
Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xF8313000 Size: 8576 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF85C5000 Size: 52480 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF85D5000 Size: 42112 File Visible: - Signed: -
Status: -

Name: intelide.sys
Image Path: intelide.sys
Address: 0xF8A39000 Size: 5504 File Visible: - Signed: -
Status: -

Name: IPFilter.sys
Image Path: C:\WINDOWS\system32\DRIVERS\IPFilter.sys
Address: 0xF89D5000 Size: 11136 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xF8037000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xF8156000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF8535000 Size: 37248 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF8805000 Size: 24576 File Visible: - Signed: -
Status: -

Name: kbdhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xF8A2D000 Size: 14592 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF8A35000 Size: 8192 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF82AC000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF8434000 Size: 92288 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF87FD000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xF81FE000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF8545000 Size: 42368 File Visible: - Signed: -
Status: -

To be continued…

Here is the rest of the log:

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xF7EBF000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF88A5000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF8635000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF89FD000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF834C000 Size: 105344 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF837A000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF89E9000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xF7B73000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF8295000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF8665000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF8695000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xF800F000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF88B5000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF83A7000 Size: 574976 File Visible: - Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF8C6D000 Size: 2944 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF8585000 Size: 61696 File Visible: - Signed: -
Status: -

Name: omci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\omci.sys
Address: 0xF8865000 Size: 17088 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF87BD000 Size: 19712 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF84D5000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF8AFD000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF87B5000 Size: 28672 File Visible: - Signed: -
Status: -

Name: pcmcia.sys
Image Path: pcmcia.sys
Address: 0xF84B7000 Size: 120192 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF8284000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF883D000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF87C5000 Size: 19936 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF89CD000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF8605000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF8615000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF8625000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF884D000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xF7F57000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF8A57000 Size: 4224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF85F5000 Size: 57600 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF734D000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xF786D000 Size: 333952 File Visible: - Signed: -
Status: -

Name: sscdbhk5.sys
Image Path: C:\WINDOWS\system32\drivers\sscdbhk5.sys
Address: 0xF8A3D000 Size: 5568 File Visible: - Signed: -
Status: -

Name: ssrtln.sys
Image Path: C:\WINDOWS\system32\drivers\ssrtln.sys
Address: 0xF888D000 Size: 23488 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF8A43000 Size: 4352 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xF80FD000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF882D000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF8645000 Size: 40704 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF8226000 Size: 384768 File Visible: - Signed: -
Status: -

Name: usbccgp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Address: 0xF88E5000 Size: 32128 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF8A47000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF87ED000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF8655000 Size: 59520 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF82CF000 Size: 147456 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF87E5000 Size: 20608 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF8895000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\drivers\VIDEOPRT.SYS
Address: 0xF81C2000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF8555000 Size: 52352 File Visible: - Signed: -
Status: -

Name: vsdatant.sys
Image Path: C:\WINDOWS\System32\vsdatant.sys
Address: 0xF7FA4000 Size: 438272 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF891D000 Size: 20480 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF8A37000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Some other symptoms on my computer include:

Multiple instances of iexplorer.exe pop up in my task manager.

Our laptop has three users: me, my wife, and my son. My son and I have never had any trouble with anything on the internet. When my wife would log on, Internet Explorer would open several sessions and go to random websites. What is weird is that she uses Mozilla Firefox. My son and I use IE. After several days of this and after running virus scans with SpySweeper, when I would log onto my desktop I would hear sounds from a website but IE would not be open. Now the blue screens are commonplace and I can only seem to work in safe mode with networking. I have yet to get a blue screen in safe mode.

For a little while, my son and I could log onto our respective desktops and work normally, but when logging onto my wife’s, the blue screen would pop up. Now, it seems as if my desktop triggers a lot of blue screens and my wife is able to use hers normally. Don’t you love computers. I guess that is all for now. Thanks to everybody for all the help.
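The RootRepeal driver listing above is a flat text format that is tedious to read by eye. The Python below is an added example written for this edit (not code from the thread or from RootRepeal): it parses the Drivers section into records and flags entries that are loaded in memory but not visible on disk, skipping the dump_* crash-dump copies and rootrepeal.sys, which are expected to show that way, and also flags names that follow the UAC-plus-random-letters pattern of the file Avast! reported in the first post. The sample log is constructed from three entries in the posted report plus one hypothetical UACexample.sys driver.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample modelled on the "Drivers" section of the RootRepeal
# report posted in this thread: three entries copied from that report plus
# one hypothetical hidden driver, UACexample.sys, made up for this example.
SAMPLE_LOG = """\
ROOTREPEAL (c) AD, 2007-2009

Scan Start Time: 2009/08/06 18:50
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3

Drivers

Name: afd.sys
Image Path: C:\\WINDOWS\\System32\\drivers\\afd.sys
Address: 0xF7F82000 Size: 138496 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xF7EA7000 Size: 98304 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xF734D000 Size: 49152 File Visible: No Signed: -
Status: -

Name: UACexample.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\UACexample.sys
Address: 0xF7300000 Size: 40960 File Visible: No Signed: -
Status: -
"""


@dataclass
class DriverRecord:
    name: str
    image_path: str
    address: int
    size: int
    file_visible: str  # "-" (visible or not checked) or "No"
    signed: str
    status: str


# One RootRepeal driver record is four consecutive lines.
RECORD_RE = re.compile(
    r"Name: (?P<name>.+)\n"
    r"Image Path: (?P<path>.+)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+) "
    r"File Visible: (?P<vis>\S+) Signed: (?P<signed>\S+)\n"
    r"Status: (?P<status>.+)"
)

# Drivers RootRepeal reports as not visible on disk for benign reasons:
# the dump_* crash-dump copies exist only in memory, and rootrepeal.sys is
# the scanner's own driver.
EXPECTED_HIDDEN = ("dump_", "rootrepeal.sys")

# Naming scheme of the files reported in this thread: UAC + random letters.
UAC_NAME_RE = re.compile(r"^uac[a-z]{6,}\.(sys|dll|dat|db)$", re.IGNORECASE)


def parse_drivers(text: str) -> List[DriverRecord]:
    """Parse every driver record in a RootRepeal report."""
    records = []
    for m in RECORD_RE.finditer(text):
        records.append(DriverRecord(
            name=m.group("name").strip(),
            image_path=m.group("path").strip(),
            address=int(m.group("addr"), 16),
            size=int(m.group("size")),
            file_visible=m.group("vis"),
            signed=m.group("signed"),
            status=m.group("status").strip(),
        ))
    return records


def flag_suspicious(records: List[DriverRecord]) -> Dict[str, List[str]]:
    """Map driver name -> reasons for drivers that deserve a closer look."""
    findings: Dict[str, List[str]] = {}
    for rec in records:
        reasons = []
        lower = rec.name.lower()
        if rec.file_visible.lower() == "no" and not lower.startswith(EXPECTED_HIDDEN):
            reasons.append("loaded in memory but not visible on disk")
        if UAC_NAME_RE.match(rec.name):
            reasons.append("UAC-prefixed random name")
        if reasons:
            findings[rec.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in flag_suspicious(parse_drivers(SAMPLE_LOG)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run it against a saved RootRepeal report by passing the file's contents to parse_drivers; a hidden driver that the report does not list at all (as with the UAC driver in this thread) will of course not appear, so an empty result is not a clean bill of health.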

Download ComboFix and save it onto your desktop (rename ComboFix before you save or else it will not run properly)

Double Click on ComboFix > click Run > click Yes to agree.

ComboFix will say “This machine does not have ‘Microsoft Windows Recovery Console’ installed”. Click Yes to Install the Windows Recovery Console.

Once the Recovery Console is installed, Click Yes to continue scanning.

Once ComboFix has finished scanning, it will create a log. Post the CFix log.

Jtaylor83 - I got the program and ran it once. A window popped up during the scan saying that there was some rootkit activity and to write down the following files as “we may need them later”:

c:\windows\system32\drivers\UAChtivmpitbb.sys
c:\windows\system32\UACodaiynwquw.dll
c:\windows\system32\UACkbguxwwwyl.dll
c:\windows\system32\UACyapulqbwsi.dat
c:\windows\system32\UACqskcltliwr.db
c:\windows\system32\UACxfpbtimlxr.dll (This is the file Avast! would always find on its memory test)
c:\windows\system32\UACwdbosnmnes.dll
c:\windows\system32\UACchuikidbwt.dll

It then rebooted. Toward the end of the scan, it said it was creating the log file and told me where it would be saved. Notepad opened up and nothing was there. I looked where the log should have been saved and it was not there. I switched over to my user and started getting error windows saying unknown hard error with dsca.exe, agent.exe, and explorer.exe. When the hard error with explorer.exe came, the desktop disappeared.

After rebooting and running ComboFix again, this is the log file it created:

ComboFix 09-08-07.03 - LotharMathias 08/07/2009 15:45.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.284 [GMT -4:00]
Running from: c:\documents and settings\LotharMathias\Desktop\champions.exe
AV: avast! antivirus 4.8.1335 [VPS 090807-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN

((((((((((((((((((((((((( Files Created from 2009-07-07 to 2009-08-07 )))))))))))))))))))))))))))))))
.

2009-08-06 12:45 . 2009-08-06 12:45 -------- d-----w- c:\windows.jagex_cache_32
2009-08-06 12:42 . 2009-08-06 12:42 0 ----a-w- c:\documents and settings\Dad\jagex_runescape_preferences.dat
2009-08-05 21:13 . 2009-08-06 12:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-03 13:32 . 2009-08-03 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-01 19:12 . 2009-08-01 19:12 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-01 14:09 . 2009-08-01 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-08-01 14:00 . 2009-08-01 14:00 -------- d-----w- c:\program files\Webroot
2009-07-29 21:20 . 2009-07-29 21:20 -------- d-----w- c:\documents and settings\Dad\Application Data\Uniblue
2009-07-29 00:10 . 2009-07-29 17:22 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-07-29 00:09 . 2009-07-29 00:09 -------- d-----w- c:\program files\Zone Labs
2009-07-29 00:08 . 2009-08-07 00:30 -------- d-----w- c:\windows\Internet Logs
2009-07-28 21:14 . 2009-07-28 21:14 -------- d-----w- c:\documents and settings\Jared\Application Data\IObit
2009-07-28 18:35 . 2009-07-28 18:35 -------- d-----w- c:\documents and settings\LotharMathias\Application Data\IObit
2009-07-28 17:00 . 2009-07-28 17:00 -------- d-sh--w- c:\documents and settings\LotharMathias\IECompatCache
2009-07-28 16:50 . 2009-07-28 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-28 16:50 . 2009-07-28 16:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-28 12:34 . 2009-07-28 12:34 -------- d-----w- c:\windows\Logs
2009-07-27 01:25 . 2009-07-27 01:25 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-07-26 21:54 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-26 21:54 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-26 21:54 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-26 21:53 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-26 21:53 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-26 21:53 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-26 21:53 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-26 21:53 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-26 21:53 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-26 21:53 . 2009-07-26 21:53 -------- d-----w- c:\program files\Alwil Software
2009-07-25 23:37 . 2009-07-25 23:37 -------- d-----w- c:\documents and settings\Dad\Application Data\IObit
2009-07-25 23:37 . 2009-07-25 23:37 -------- d-----w- c:\program files\IObit
2009-07-25 18:19 . 2009-07-25 18:19 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-07-25 18:17 . 2009-07-25 18:17 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-07-18 22:45 . 2009-07-18 22:45 -------- d-----w- c:\documents and settings\LotharMathias\Local Settings\Application Data\PowerDVD
2009-07-17 17:55 . 2009-07-17 17:56 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\PowerDVD
2009-07-13 22:27 . 2009-07-13 22:28 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-07 19:57 . 2008-09-19 21:10 -------- d-----w- c:\program files\Common Files\Akamai
2009-08-06 16:56 . 2008-09-04 15:51 12464 ----a-w- c:\windows\system32\drivers\CDAC15BA.SYS
2009-08-02 16:12 . 2009-08-02 14:16 775168 ----a-w- c:\windows\isRS-000.tmp
2009-08-02 16:04 . 2009-04-30 20:07 164 ----a-w- c:\windows\install.dat
2009-08-01 14:26 . 2009-05-26 16:18 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-29 21:43 . 2008-08-29 12:22 59 ----a-w- c:\windows\wpd99.drv
2009-07-28 21:56 . 2009-02-15 18:44 34 ----a-w- c:\documents and settings\Jared\jagex_runescape_preferences.dat
2009-07-28 12:37 . 2009-07-28 12:37 2311 ----a-w- c:\documents and settings\All Users\Application Data\xml159.tmp
2009-07-28 12:37 . 2009-07-28 12:37 13685 ----a-w- c:\documents and settings\All Users\Application Data\xml158.tmp
2009-07-28 12:37 . 2009-07-28 12:37 8858 ----a-w- c:\documents and settings\All Users\Application Data\xml157.tmp
2009-07-27 00:32 . 2008-08-29 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\eFax Messenger 4.3 Setup
2009-07-19 01:40 . 2005-08-10 14:13 51296 ----a-w- c:\documents and settings\LotharMathias\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-14 12:18 . 2008-10-10 13:43 51296 ----a-w- c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-03 17:09 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-21 12:49 . 2009-02-12 17:00 -------- d-----w- c:\program files\Stella
2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-06 23:02 . 2008-09-19 20:40 51296 ----a-w- c:\documents and settings\Jared\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-03 19:09 . 2004-08-10 17:51 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-07_19.26.28 )))))))))))))))))))))))))))))))))))))))))
.

• 2009-08-07 19:56 . 2009-08-07 19:56 16384 c:\windows\Temp\Perflib_Perfdata_630.dat
• 2009-08-07 19:42 . 2009-08-07 19:42 16384 c:\windows\Temp\Perflib_Perfdata_5cc.dat
• 2009-08-07 19:56 . 2009-08-07 19:56 16384 c:\windows\Temp\Perflib_Perfdata_5c8.dat
• 2009-08-07 18:42 . 2009-08-07 18:42 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
• 2009-08-07 19:54 . 2009-08-07 19:54 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
• 2009-08-07 19:54 . 2009-08-07 19:54 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
• 2009-08-07 18:42 . 2009-08-07 18:42 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
• 2009-08-07 18:42 . 2009-08-07 18:42 172032 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
• 2009-08-07 19:54 . 2009-08-07 19:54 172032 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
• 2009-08-07 19:54 . 2009-08-07 19:54 233472 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
• 2009-08-07 18:42 . 2009-08-07 18:42 233472 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
• 2009-08-07 19:54 . 2009-08-07 19:54 233472 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
• 2009-08-07 18:42 . 2009-08-07 18:42 233472 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
• 2009-08-07 18:42 . 2009-08-07 18:42 4005888 c:\windows\ERDNT\subs\Users\00000005\NTUser.dat
• 2009-08-07 19:54 . 2009-08-07 19:54 4005888 c:\windows\ERDNT\subs\Users\00000005\NTUser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

To be continued…

Here is part two of the log:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-05 98304]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]
"SideWinderTrayV4"="c:\progra~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe" [2000-06-28 24649]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

c:\documents and settings\All Users\Start Menu\Programs\Startup
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2006-11-25 315392]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"c:\WINDOWS\system32\LEXPPS.EXE"=
"c:\Documents and Settings\Jared\Local Settings\Application Data\Xenocode\ApplianceCaches\KumaClient.exe_v4B8EBC79\Native\STUBEXE\@DOCUMENTS@\Kuma Games\Kuma.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Documents and Settings\Dad\Local Settings\Application Data\Xenocode\ApplianceCaches\KumaClient.exe_v02D7169E\Native\STUBEXE\@APPDIR@\Kuma.exe"=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"1481:TCP"= 1481:TCP:Akamai NetSession Interface
"1772:TCP"= 1772:TCP:Akamai NetSession Interface
"2128:TCP"= 2128:TCP:Akamai NetSession Interface
"2402:TCP"= 2402:TCP:Akamai NetSession Interface
"2495:TCP"= 2495:TCP:Akamai NetSession Interface
"1273:TCP"= 1273:TCP:Akamai NetSession Interface
"1276:TCP"= 1276:TCP:Akamai NetSession Interface
"1042:TCP"= 1042:TCP:Akamai NetSession Interface
"1406:TCP"= 1406:TCP:Akamai NetSession Interface
"1271:TCP"= 1271:TCP:Akamai NetSession Interface
"1385:TCP"= 1385:TCP:Akamai NetSession Interface
"3212:TCP"= 3212:TCP:Akamai NetSession Interface
"4105:TCP"= 4105:TCP:Akamai NetSession Interface
"1062:TCP"= 1062:TCP:Akamai NetSession Interface
"1256:TCP"= 1256:TCP:Akamai NetSession Interface
"1649:TCP"= 1649:TCP:Akamai NetSession Interface
"1839:TCP"= 1839:TCP:Akamai NetSession Interface
"3354:TCP"= 3354:TCP:Akamai NetSession Interface
"3394:TCP"= 3394:TCP:Akamai NetSession Interface
"3827:TCP"= 3827:TCP:Akamai NetSession Interface
"3568:TCP"= 3568:TCP:Akamai NetSession Interface
"3821:TCP"= 3821:TCP:Akamai NetSession Interface
"2280:TCP"= 2280:TCP:Akamai NetSession Interface
"2564:TCP"= 2564:TCP:Akamai NetSession Interface
"3495:TCP"= 3495:TCP:Akamai NetSession Interface
"3510:TCP"= 3510:TCP:Akamai NetSession Interface
"1041:TCP"= 1041:TCP:Akamai NetSession Interface
"1751:TCP"= 1751:TCP:Akamai NetSession Interface
"2760:TCP"= 2760:TCP:Akamai NetSession Interface
"3224:TCP"= 3224:TCP:Akamai NetSession Interface
"1264:TCP"= 1264:TCP:Akamai NetSession Interface
"1322:TCP"= 1322:TCP:Akamai NetSession Interface
"1329:TCP"= 1329:TCP:Akamai NetSession Interface
"1339:TCP"= 1339:TCP:Akamai NetSession Interface
"1643:TCP"= 1643:TCP:Akamai NetSession Interface
"2524:TCP"= 2524:TCP:Akamai NetSession Interface
"1440:TCP"= 1440:TCP:Akamai NetSession Interface
"1988:TCP"= 1988:TCP:Akamai NetSession Interface
"2336:TCP"= 2336:TCP:Akamai NetSession Interface
"1293:TCP"= 1293:TCP:Akamai NetSession Interface
"1629:TCP"= 1629:TCP:Akamai NetSession Interface
"1949:TCP"= 1949:TCP:Akamai NetSession Interface
"2085:TCP"= 2085:TCP:Akamai NetSession Interface
"1364:TCP"= 1364:TCP:Akamai NetSession Interface
"1234:TCP"= 1234:TCP:Akamai NetSession Interface
"1483:TCP"= 1483:TCP:Akamai NetSession Interface
"1394:TCP"= 1394:TCP:Akamai NetSession Interface
"1621:TCP"= 1621:TCP:Akamai NetSession Interface
"2038:TCP"= 2038:TCP:Akamai NetSession Interface
"2284:TCP"= 2284:TCP:Akamai NetSession Interface
"1165:TCP"= 1165:TCP:Akamai NetSession Interface
"1045:TCP"= 1045:TCP:Akamai NetSession Interface
"3384:TCP"= 3384:TCP:Akamai NetSession Interface
"3440:TCP"= 3440:TCP:Akamai NetSession Interface
"1218:TCP"= 1218:TCP:Akamai NetSession Interface
"1149:TCP"= 1149:TCP:Akamai NetSession Interface
"1097:TCP"= 1097:TCP:Akamai NetSession Interface
"1170:TCP"= 1170:TCP:Akamai NetSession Interface
"1059:TCP"= 1059:TCP:Akamai NetSession Interface
"1168:TCP"= 1168:TCP:Akamai NetSession Interface
"2385:TCP"= 2385:TCP:Akamai NetSession Interface
"1221:TCP"= 1221:TCP:Akamai NetSession Interface
"1228:TCP"= 1228:TCP:Akamai NetSession Interface
"2044:TCP"= 2044:TCP:Akamai NetSession Interface
"2062:TCP"= 2062:TCP:Akamai NetSession Interface
"1249:TCP"= 1249:TCP:Akamai NetSession Interface
"2848:TCP"= 2848:TCP:Akamai NetSession Interface
"1745:TCP"= 1745:TCP:Akamai NetSession Interface
"1297:TCP"= 1297:TCP:Akamai NetSession Interface
"1101:TCP"= 1101:TCP:Akamai NetSession Interface
"1121:TCP"= 1121:TCP:Akamai NetSession Interface
"1142:TCP"= 1142:TCP:Akamai NetSession Interface
"1361:TCP"= 1361:TCP:Akamai NetSession Interface
"1526:TCP"= 1526:TCP:Akamai NetSession Interface
"1316:TCP"= 1316:TCP:Akamai NetSession Interface
"1430:TCP"= 1430:TCP:Akamai NetSession Interface
"1693:TCP"= 1693:TCP:Akamai NetSession Interface
"2008:TCP"= 2008:TCP:Akamai NetSession Interface
"2303:TCP"= 2303:TCP:Akamai NetSession Interface
"1682:TCP"= 1682:TCP:Akamai NetSession Interface
"1992:TCP"= 1992:TCP:Akamai NetSession Interface
"2391:TCP"= 2391:TCP:Akamai NetSession Interface
"1191:TCP"= 1191:TCP:Akamai NetSession Interface
"1335:TCP"= 1335:TCP:Akamai NetSession Interface
"1431:TCP"= 1431:TCP:Akamai NetSession Interface
"1522:TCP"= 1522:TCP:Akamai NetSession Interface
"2033:TCP"= 2033:TCP:Akamai NetSession Interface
"1110:TCP"= 1110:TCP:Akamai NetSession Interface

To be continued…

Here is part three of the log:


[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/26/2009 5:53 PM 114768]
R2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [8/10/2004 1:51 PM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/26/2009 5:53 PM 20560]
R2 litsgt;litsgt;c:\windows\system32\drivers\litsgt.sys [3/29/2007 12:39 AM 137344]
R2 tansgt;tansgt;c:\windows\system32\drivers\tansgt.sys [3/29/2007 12:39 AM 12032]
S2 gjqt;gjqt;c:\windows\system32\drivers\nlduee.sys --> c:\windows\system32\drivers\nlduee.sys [?]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [9/19/2008 4:47 PM 3968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-04 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2009-07-25 14:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rr.com/flash/index.cfm
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\LotharMathias\Application Data\Mozilla\Firefox\Profiles\otz4jxe1.default
FF - prefs.js: browser.startup.homepage - hxxp://www.rr.com/flash/index.cfm
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-07 15:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
--------------------- DLLs Loaded Under Running Processes ---------------------

- 'winlogon.exe'(664)
c:\windows\system32\Ati2evxx.dll

- 'explorer.exe'(944)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.


.
Completion time: 2009-08-07 16:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-07 20:03

Pre-Run: 22,227,779,584 bytes free
Post-Run: 22,186,668,032 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
386

Until JTaylor replies, try RootRepeal once more. The bloody file is there: c:\windows\system32\drivers\UAChtivmpitbb.sys. I cannot understand why it's not being shown. Follow the instructions (install RootRepeal and select Files, then scan only) from the link, and copy/paste one more log. Thanks

http://www.malwarebytes.org/forums/index.php?showtopic=12709

I think the reason the file is not showing is because, by default, the scanner chooses Drivers, not Files. Please choose Files :wink:

You may also try Trend Micro Rootkit Buster.

So far ComboFix hasn't found the rootkits.

You’ll need to look for these files manually and upload them to VirusTotal and post the links for each of them.

c:\windows\system32\drivers\UAChtivmpitbb.sys
c:\windows\system32\UACodaiynwquw.dll
c:\windows\system32\UACkbguxwwwyl.dll
c:\windows\system32\UACyapulqbwsi.dat
c:\windows\system32\UACqskcltliwr.db
c:\windows\system32\UACxfpbtimlxr.dll
c:\windows\system32\UACwdbosnmnes.dll
c:\windows\system32\UACchuikidbwt.dll

I doubt very much you will find c:\windows\system32\drivers\UAChtivmpitbb.sys; that's the rootkit, and it's probably invisible. Hopefully RootRepeal can find it, then you can deal with the other files.
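As an added illustration of the manual check asked for above (this is not code from the thread or from RootRepeal, ComboFix or VirusTotal): a Python walk that finds UAC-prefixed files, tells live copies from ComboFix's .vir quarantine copies, and hashes each one so it can be looked up on VirusTotal by digest. The sample directory tree, its byte contents and the suspect-extension set are constructed assumptions.

```python
import hashlib
import os
import tempfile

# Naming seen in this thread: a "UAC" prefix plus random letters, dropped into
# system32 and system32\drivers; ComboFix quarantines under c:\Qoobox and adds ".vir".
SUSPECT_PREFIX = "uac"
SUSPECT_EXTS = {".sys", ".dll", ".dat", ".db"}
QUARANTINE_EXT = ".vir"

def sha256_of(path, chunk=65536):
    """Digest for a VirusTotal hash lookup, so the sample need not be uploaded."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage_uac_files(root):
    """List every UAC* file under root with its digest and whether it is live on
    disk or already a .vir quarantine copy. Caveat: a kernel rootkit that filters
    directory listings can hide its driver from this user-mode walk (hence RootRepeal)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            lower = name.lower()
            quarantined = lower.endswith(QUARANTINE_EXT)
            stem = lower[:-len(QUARANTINE_EXT)] if quarantined else lower
            if (not stem.startswith(SUSPECT_PREFIX)
                    or os.path.splitext(stem)[1] not in SUSPECT_EXTS):
                continue
            full = os.path.join(dirpath, name)
            findings.append({"name": name, "path": full, "sha256": sha256_of(full),
                             "state": "quarantined" if quarantined else "LIVE"})
    return sorted(findings, key=lambda x: x["name"].lower())

def build_sample_tree():
    """Constructed stand-in for the infected disk: one live driver, two ComboFix
    quarantine copies (names from the thread) and a benign DLL that must not match."""
    root = tempfile.mkdtemp(prefix="uac_triage_")
    layout = {"WINDOWS/system32/drivers/UAChtivmpitbb.sys": b"live-driver",
              "Qoobox/Quarantine/C/WINDOWS/system32/UACkbguxwwwyl.dll.vir": b"q1",
              "Qoobox/Quarantine/C/WINDOWS/system32/UACyapulqbwsi.dat.vir": b"q2",
              "WINDOWS/system32/kernel32.dll": b"benign"}
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root
```

Running `triage_uac_files(build_sample_tree())` reports the live driver as LIVE and the two Qoobox copies as quarantined, while the benign DLL is not listed.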

I think the rootkit is gone.

Here is the log from RootRepeal:

ROOTREPEAL (c) AD, 2007-2009

Scan Start Time: 2009/08/08 08:33
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3

Hidden/Locked Files

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\dad\local settings\temp~df18ee.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Previously when I would try and run chkdsk from the command line, it would tell me to schedule the boot time scan and I would restart. The scan would always say the file was RAW and could not continue. Now, it runs fine. I have not gotten any other errors like the “hard errors” yesterday.

I ran Avast! twice last night and both times there was nothing on the memory test and nothing on the scan.

I suspect that the first time combofix ran, it fixed the problem and there was an error in generating the report. The second time combofix ran, there was nothing to be found.

When I search C: for any files starting with “UAC”, it finds three of the eight I previously listed and they are all in c:\Qoobox\Quarantine. Also, the files have a .vir extension now:

Service_UACd.sys.reg in folder c:\Qoobox\Quarantine\Registry_backups
UACgskcltliwr.db.vir in folder c:\Qoobox\Quarantine\C\WINDOWS\system32
uacinit.dll.vir in folder c:\Qoobox\Quarantine\C\WINDOWS\system32
UACkbguxwwwyl.dll.vir in folder c:\Qoobox\Quarantine\C\WINDOWS\system32
UACyapulqbwsi.dat.vir in folder c:\Qoobox\Quarantine\C\WINDOWS\system32

Thank you all for your help. I will let you know if anything pops back up. Would it be prudent at this point to create a system restore point? I ran all the scans with system restore disabled and have since installed COMODO Internet Security firewall. I was using ZoneAlarm until I ran across a test of different firewalls and found ZoneAlarm offered little protection. COMODO was the highest rated free firewall. Thanks again.
