Topic: Infection found on memory scan; Nothing on boot-time scan


LotharMathias

  • Guest
Infection found on memory scan; Nothing on boot-time scan
« on: August 06, 2009, 08:02:45 PM »
Hello All, I am new to this forum.

I was running a virus scan with Webroot SpySweeper (Considering all of the forums I have looked at recently, Webroot is not mentioned anywhere, so did I make a wrong decision in using them?) and got a windows blue screen (DRIVER_IRQL_NOT_LESS_OR_EQUAL).  After that, when SpySweeper tried to open, I got an error window saying the installation was damaged and to re-install the product.  Needless to say I have not been able to re-install it.

I downloaded Avast! and it has taken off numerous trojans and viruses, not all during the same scan.  Recently, when I start Avast!, during the memory test, it says there is a trojan (Win32:Fasec) at c:\windows\system32\uacxfpbtimlxr.dll.  I tried moving it, but it was in use; I tried renaming it and forcing rename on reboot, but it did not help; I even tried deleting it, but it was in use.  A friend of mine recommended using task manager to end processes one at a time until the process using the .dll was ended and then move the file to the chest.  This did not work.

I have downloaded malwarebytes, but cannot get it to open.  Same with spybot S&D.  I tried renaming the install file, but to no avail. 

I am still getting the blue windows stop screens with the same DRIVER message.  I can boot in safe mode and everything works fine, but when I try normal mode, it is hit or miss as to when the blue screen will come.

Thank you all for your help in advance.  I really appreciate it.

Lisandro

  • Avast team
Re: Infection found on memory scan; Nothing on boot-time scan
« Reply #1 on: August 06, 2009, 08:06:40 PM »
Webroot SpySweeper is considered a good antispyware, but since it is not free it is not mentioned that much in forums. Some users report high use of system resources.

Can you schedule a boot-time scan?
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select scanning of archives.
Boot.
If infected files are found, it's safer to send them to the Chest instead of deleting them.
This way you can analyze them further.
The best things in life are free.

micky77

  • Guest
Re: Infection found on memory scan; Nothing on boot-time scan
« Reply #2 on: August 06, 2009, 08:31:44 PM »
You possibly have a CLB Rootkit infection, aka WinNT-Alureon. Download RootRepeal from any of the links provided, RAR or ZIP. This program requires no installation. Run it, then copy/paste the log here. http://rootrepeal.googlepages.com/

LotharMathias

  • Guest
Re: Infection found on memory scan; Nothing on boot-time scan
« Reply #3 on: August 07, 2009, 01:48:55 AM »
Tech – I am able to do a boot time scan; however, it has not found any infected files as of yet.  I agree about deleting, it was my last resort after not being able to move or rename the file. 

Micky77 – Here is the log:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2009/08/06 18:50
Program Version:      Version 1.3.3.0
Windows Version:      Windows XP SP3
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xF8595000   Size: 57344   File Visible: -   Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF84E6000   Size: 187776   File Visible: -   Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000   Size: 2189056   File Visible: -   Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF7F82000   Size: 138496   File Visible: -   Signed: -
Status: -

Name: aswTdi.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswTdi.SYS
Address: 0xF8675000   Size: 41664   File Visible: -   Signed: -
Status: -

Name: asyncmac.sys
Image Path: C:\WINDOWS\system32\DRIVERS\asyncmac.sys
Address: 0xF7801000   Size: 14336   File Visible: -   Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF8480000   Size: 96512   File Visible: -   Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
Address: 0xF894D000   Size: 16384   File Visible: -   Signed: -
Status: -

Name: bcm4sbxp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
Address: 0xF85B5000   Size: 44928   File Visible: -   Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF8A53000   Size: 4224   File Visible: -   Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF8945000   Size: 12288   File Visible: -   Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF85E5000   Size: 62976   File Visible: -   Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF8575000   Size: 53248   File Visible: -   Signed: -
Status: -

Name: compbatt.sys
Image Path: compbatt.sys
Address: 0xF8949000   Size: 10240   File Visible: -   Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF8565000   Size: 36352   File Visible: -   Signed: -
Status: -

Name: drvmcdb.sys
Image Path: drvmcdb.sys
Address: 0xF844B000   Size: 85344   File Visible: -   Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF7EA7000   Size: 98304   File Visible: No   Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A65000   Size: 8192   File Visible: No   Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF81E2000   Size: 12288   File Visible: -   Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000   Size: 73728   File Visible: -   Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF8C3A000   Size: 4096   File Visible: -   Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xF8169000   Size: 143744   File Visible: -   Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF8460000   Size: 129792   File Visible: -   Signed: -
Status: -

Name: framebuf.dll
Image Path: C:\WINDOWS\System32\framebuf.dll
Address: 0xBFF50000   Size: 12288   File Visible: -   Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF8A4F000   Size: 7936   File Visible: -   Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF8498000   Size: 125056   File Visible: -   Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EE000   Size: 131840   File Visible: -   Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF8685000   Size: 36864   File Visible: -   Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF88FD000   Size: 28672   File Visible: -   Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xF89F9000   Size: 10368   File Visible: -   Signed: -
Status: -

Name: i2omgmt.SYS
Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xF8313000   Size: 8576   File Visible: -   Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF85C5000   Size: 52480   File Visible: -   Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF85D5000   Size: 42112   File Visible: -   Signed: -
Status: -

Name: intelide.sys
Image Path: intelide.sys
Address: 0xF8A39000   Size: 5504   File Visible: -   Signed: -
Status: -

Name: IPFilter.sys
Image Path: C:\WINDOWS\system32\DRIVERS\IPFilter.sys
Address: 0xF89D5000   Size: 11136   File Visible: -   Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xF8037000   Size: 152832   File Visible: -   Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xF8156000   Size: 75264   File Visible: -   Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF8535000   Size: 37248   File Visible: -   Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF8805000   Size: 24576   File Visible: -   Signed: -
Status: -

Name: kbdhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xF8A2D000   Size: 14592   File Visible: -   Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF8A35000   Size: 8192   File Visible: -   Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF82AC000   Size: 143360   File Visible: -   Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF8434000   Size: 92288   File Visible: -   Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF87FD000   Size: 23040   File Visible: -   Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xF81FE000   Size: 12160   File Visible: -   Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF8545000   Size: 42368   File Visible: -   Signed: -
Status: -

To be continued…

LotharMathias

  • Guest
Re: Infection found on memory scan; Nothing on boot-time scan
« Reply #4 on: August 07, 2009, 01:50:00 AM »
Here is the rest of the log:

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xF7EBF000   Size: 455296   File Visible: -   Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF88A5000   Size: 19072   File Visible: -   Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF8635000   Size: 35072   File Visible: -   Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF89FD000   Size: 15488   File Visible: -   Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF834C000   Size: 105344   File Visible: -   Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF837A000   Size: 182656   File Visible: -   Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF89E9000   Size: 10112   File Visible: -   Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xF7B73000   Size: 14592   File Visible: -   Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF8295000   Size: 91520   File Visible: -   Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF8665000   Size: 40576   File Visible: -   Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF8695000   Size: 34688   File Visible: -   Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xF800F000   Size: 162816   File Visible: -   Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF88B5000   Size: 30848   File Visible: -   Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF83A7000   Size: 574976   File Visible: -   Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000   Size: 2189056   File Visible: -   Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF8C6D000   Size: 2944   File Visible: -   Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF8585000   Size: 61696   File Visible: -   Signed: -
Status: -

Name: omci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\omci.sys
Address: 0xF8865000   Size: 17088   File Visible: -   Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF87BD000   Size: 19712   File Visible: -   Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF84D5000   Size: 68224   File Visible: -   Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF8AFD000   Size: 3328   File Visible: -   Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF87B5000   Size: 28672   File Visible: -   Signed: -
Status: -

Name: pcmcia.sys
Image Path: pcmcia.sys
Address: 0xF84B7000   Size: 120192   File Visible: -   Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000   Size: 2189056   File Visible: -   Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF8284000   Size: 69120   File Visible: -   Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF883D000   Size: 17792   File Visible: -   Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF87C5000   Size: 19936   File Visible: -   Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF89CD000   Size: 8832   File Visible: -   Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF8605000   Size: 51328   File Visible: -   Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF8615000   Size: 41472   File Visible: -   Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF8625000   Size: 48384   File Visible: -   Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF884D000   Size: 16512   File Visible: -   Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000   Size: 2189056   File Visible: -   Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xF7F57000   Size: 175744   File Visible: -   Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF8A57000   Size: 4224   File Visible: -   Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF85F5000   Size: 57600   File Visible: -   Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF734D000   Size: 49152   File Visible: No   Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xF786D000   Size: 333952   File Visible: -   Signed: -
Status: -

Name: sscdbhk5.sys
Image Path: C:\WINDOWS\system32\drivers\sscdbhk5.sys
Address: 0xF8A3D000   Size: 5568   File Visible: -   Signed: -
Status: -

Name: ssrtln.sys
Image Path: C:\WINDOWS\system32\drivers\ssrtln.sys
Address: 0xF888D000   Size: 23488   File Visible: -   Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF8A43000   Size: 4352   File Visible: -   Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xF80FD000   Size: 361600   File Visible: -   Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF882D000   Size: 20480   File Visible: -   Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF8645000   Size: 40704   File Visible: -   Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF8226000   Size: 384768   File Visible: -   Signed: -
Status: -

Name: usbccgp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Address: 0xF88E5000   Size: 32128   File Visible: -   Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF8A47000   Size: 8192   File Visible: -   Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF87ED000   Size: 30208   File Visible: -   Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF8655000   Size: 59520   File Visible: -   Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF82CF000   Size: 147456   File Visible: -   Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF87E5000   Size: 20608   File Visible: -   Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF8895000   Size: 20992   File Visible: -   Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\drivers\VIDEOPRT.SYS
Address: 0xF81C2000   Size: 81920   File Visible: -   Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF8555000   Size: 52352   File Visible: -   Signed: -
Status: -

Name: vsdatant.sys
Image Path: C:\WINDOWS\System32\vsdatant.sys
Address: 0xF7FA4000   Size: 438272   File Visible: -   Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF891D000   Size: 20480   File Visible: -   Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000   Size: 1847296   File Visible: -   Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000   Size: 1847296   File Visible: -   Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF8A37000   Size: 8192   File Visible: -   Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000   Size: 2189056   File Visible: -   Signed: -
Status: -
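
The RootRepeal listing above is easiest to triage by machine: each loaded driver is a four-line record, and the column that matters for this thread is "File Visible", which RootRepeal sets to "No" when the kernel has a module loaded whose image cannot be found on the filesystem. The parser below is an added example and is not part of the original post or of the RootRepeal tool. It assumes that dump_*.sys (the crash-dump copies of the storage drivers) and rootrepeal.sys (the scanner's own driver) are expected to be reported as not visible and allowlists them; that allowlist is the example's assumption, not something RootRepeal states. The sample log is a constructed excerpt: the first three records are copied from the posted log, the fourth is hypothetical (address and size made up) and shows what a hidden rootkit driver would look like if it appeared in the list.

```python
"""Triage of a RootRepeal 'Drivers' listing (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt: three records copied from the posted log plus one
# hypothetical hidden-driver record (the UAC* name comes from a later post;
# its address and size are invented for illustration).
SAMPLE_LOG = """\
Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF84E6000   Size: 187776   File Visible: -   Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xF7EA7000   Size: 98304   File Visible: No   Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xF734D000   Size: 49152   File Visible: No   Signed: -
Status: -

Name: UAChtivmpitbb.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\UAChtivmpitbb.sys
Address: 0xF7300000   Size: 40960   File Visible: No   Signed: -
Status: -
"""

# Assumption: these are the modules a responder expects to be reported as
# "File Visible: No" on a clean XP box (crash-dump driver copies and the
# scanner's own driver). Anything else hidden deserves a look.
EXPECTED_HIDDEN = (
    re.compile(r"^dump_", re.IGNORECASE),
    re.compile(r"^rootrepeal\.sys$", re.IGNORECASE),
)


@dataclass
class Driver:
    name: str
    path: str
    address: int
    size: int
    file_visible: str
    signed: str
    status: str


def _parse_record(block: str) -> Dict[str, str]:
    """Turn one record into {field: value}. The Address line packs several
    'Key: value' pairs separated by runs of two or more spaces."""
    fields: Dict[str, str] = {}
    for line in block.splitlines():
        for pair in re.split(r"\s{2,}", line.strip()):
            key, sep, value = pair.partition(":")   # first colon only: paths contain 'C:'
            if sep:
                fields[key.strip()] = value.strip()
    return fields


def parse_drivers(log: str) -> List[Driver]:
    """Records are separated by blank lines; header lines without a colon are ignored."""
    drivers: List[Driver] = []
    for block in re.split(r"\n\s*\n", log):
        f = _parse_record(block)
        if "Name" not in f or "Image Path" not in f:
            continue
        drivers.append(Driver(
            name=f["Name"],
            path=f["Image Path"],
            address=int(f.get("Address", "0x0"), 16),
            size=int(f.get("Size", "0")),
            file_visible=f.get("File Visible", "-"),
            signed=f.get("Signed", "-"),
            status=f.get("Status", "-"),
        ))
    return drivers


def hidden_drivers(drivers: List[Driver]) -> List[Driver]:
    """Modules loaded in the kernel whose image file RootRepeal could not find."""
    return [d for d in drivers if d.file_visible.lower() == "no"]


def suspicious_drivers(drivers: List[Driver]) -> List[Driver]:
    """Hidden modules that are not on the expected-hidden allowlist."""
    return [d for d in hidden_drivers(drivers)
            if not any(p.search(d.name) for p in EXPECTED_HIDDEN)]


if __name__ == "__main__":
    drivers = parse_drivers(SAMPLE_LOG)
    print(f"{len(drivers)} drivers parsed, {len(hidden_drivers(drivers))} hidden from the filesystem")
    for d in suspicious_drivers(drivers):
        print(f"SUSPICIOUS: {d.name} at {d.address:#010x} ({d.size} bytes) -> {d.path}")
```

Run against the full listing actually posted above, the script flags nothing: the only "File Visible: No" records there are the dump_* copies and rootrepeal.sys. That is consistent with the rest of the thread, where the UAC-named driver ComboFix later reports does not appear in the RootRepeal driver list at all, so a clean "no hidden drivers" result from a single tool is not by itself evidence of a clean machine.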

LotharMathias

  • Guest
Re: Infection found on memory scan; Nothing on boot-time scan
« Reply #5 on: August 07, 2009, 02:08:25 AM »
Some other symptoms on my computer include:

Multiple instances of iexplorer.exe pop up in my task manager.

Our laptop has three users:  me, my wife, and my son.  My son and I have never had any trouble with anything on the internet.  When my wife would log on, Internet Explorer would open several sessions and go to random websites.  What is weird is that she uses Mozilla Firefox.  My son and I use IE.  After several days of this and after running virus scans with SpySweeper, when I would log onto my desktop I would hear sounds from a website but IE would not be open.  Now the blue screens are common place and I can only seem to work in safe mode with networking.  I have yet to get a blue screen in safe mode.

For a little while, my son and I could log onto our respective desktops and work normally, but when logging onto my wife's, the blue screen would pop up.  Now, it seems as if my desktop triggers a lot of blue screens and my wife is able to use hers normally.  Don't you love computers?  I guess that is all for now.  Thanks to everybody for all the help.

Jtaylor83

  • Guest
Re: Infection found on memory scan; Nothing on boot-time scan
« Reply #6 on: August 07, 2009, 05:40:03 AM »
Download ComboFix and save it onto your desktop (rename ComboFix before you save or else it will not run properly)

Double Click on ComboFix > click Run > click Yes to agree.

ComboFix will say "This machine does not have 'Microsoft Windows Recovery Console' installed". Click Yes to Install the Windows Recovery Console.

Once the Recovery Console is installed, Click Yes to continue scanning.

Once ComboFix has finished scanning, it will create a log. Post the CFix log.


LotharMathias

  • Guest
Re: Infection found on memory scan; Nothing on boot-time scan
« Reply #7 on: August 07, 2009, 10:29:02 PM »
Jtaylor83 - I got the program and ran it once.  A window popped up during the scan saying that there was some rootkit activity and to write down the following files as "we may need them later":

c:\windows\system32\drivers\UAChtivmpitbb.sys
c:\windows\system32\UACodaiynwquw.dll
c:\windows\system32\UACkbguxwwwyl.dll
c:\windows\system32\UACyapulqbwsi.dat
c:\windows\system32\UACqskcltliwr.db
c:\windows\system32\UACxfpbtimlxr.dll (This is the file Avast! would always find on its memory test)
c:\windows\system32\UACwdbosnmnes.dll
c:\windows\system32\UACchuikidbwt.dll

It then rebooted.  Toward the end of the scan, it said it was creating the log file and told me where it would be saved.  Notepad opened up and nothing was there.  I looked where the log should have been saved and it was not there.  I switched over to my user and started getting error windows saying unknown hard error with dsca.exe, agent.exe, and explorer.exe.  When the hard error with explorer.exe came, the desktop disappeared.

After rebooting and running the combofix again, this is the log file it created:

ComboFix 09-08-07.03 - LotharMathias 08/07/2009 15:45.2.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.511.284 [GMT -4:00]
Running from: c:\documents and settings\LotharMathias\Desktop\champions.exe
AV: avast! antivirus 4.8.1335 [VPS 090807-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN


(((((((((((((((((((((((((   Files Created from 2009-07-07 to 2009-08-07  )))))))))))))))))))))))))))))))
.

2009-08-06 12:45 . 2009-08-06 12:45   --------   d-----w-   c:\windows\.jagex_cache_32
2009-08-06 12:42 . 2009-08-06 12:42   0   ----a-w-   c:\documents and settings\Dad\jagex_runescape_preferences.dat
2009-08-05 21:13 . 2009-08-06 12:24   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2009-08-03 13:32 . 2009-08-03 13:32   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-01 19:12 . 2009-08-01 19:12   --------   d-sh--w-   c:\documents and settings\Administrator\PrivacIE
2009-08-01 14:09 . 2009-08-01 14:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-08-01 14:00 . 2009-08-01 14:00   --------   d-----w-   c:\program files\Webroot
2009-07-29 21:20 . 2009-07-29 21:20   --------   d-----w-   c:\documents and settings\Dad\Application Data\Uniblue
2009-07-29 00:10 . 2009-07-29 17:22   4212   ---ha-w-   c:\windows\system32\zllictbl.dat
2009-07-29 00:09 . 2009-07-29 00:09   --------   d-----w-   c:\program files\Zone Labs
2009-07-29 00:08 . 2009-08-07 00:30   --------   d-----w-   c:\windows\Internet Logs
2009-07-28 21:14 . 2009-07-28 21:14   --------   d-----w-   c:\documents and settings\Jared\Application Data\IObit
2009-07-28 18:35 . 2009-07-28 18:35   --------   d-----w-   c:\documents and settings\LotharMathias\Application Data\IObit
2009-07-28 17:00 . 2009-07-28 17:00   --------   d-sh--w-   c:\documents and settings\LotharMathias\IECompatCache
2009-07-28 16:50 . 2009-07-28 16:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-28 16:50 . 2009-07-28 16:50   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2009-07-28 12:34 . 2009-07-28 12:34   --------   d-----w-   c:\windows\Logs
2009-07-27 01:25 . 2009-07-27 01:25   552   ----a-w-   c:\windows\system32\d3d8caps.dat
2009-07-26 21:54 . 2009-02-05 20:06   23152   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2009-07-26 21:54 . 2009-02-05 20:06   51376   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2009-07-26 21:54 . 2009-02-05 20:05   26944   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2009-07-26 21:53 . 2009-02-05 20:04   97480   ----a-w-   c:\windows\system32\AvastSS.scr
2009-07-26 21:53 . 2009-02-05 20:08   93296   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2009-07-26 21:53 . 2009-02-05 20:08   94032   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2009-07-26 21:53 . 2009-02-05 20:07   114768   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2009-07-26 21:53 . 2009-02-05 20:07   20560   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2009-07-26 21:53 . 2009-02-05 20:11   1256296   ----a-w-   c:\windows\system32\aswBoot.exe
2009-07-26 21:53 . 2009-07-26 21:53   --------   d-----w-   c:\program files\Alwil Software
2009-07-25 23:37 . 2009-07-25 23:37   --------   d-----w-   c:\documents and settings\Dad\Application Data\IObit
2009-07-25 23:37 . 2009-07-25 23:37   --------   d-----w-   c:\program files\IObit
2009-07-25 18:19 . 2009-07-25 18:19   136   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-07-25 18:17 . 2009-07-25 18:17   --------   d-sh--w-   c:\documents and settings\Administrator\IETldCache
2009-07-18 22:45 . 2009-07-18 22:45   --------   d-----w-   c:\documents and settings\LotharMathias\Local Settings\Application Data\PowerDVD
2009-07-17 17:55 . 2009-07-17 17:56   --------   d-----w-   c:\documents and settings\Dad\Local Settings\Application Data\PowerDVD
2009-07-13 22:27 . 2009-07-13 22:28   --------   d-----w-   c:\windows\system32\Adobe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-07 19:57 . 2008-09-19 21:10   --------   d-----w-   c:\program files\Common Files\Akamai
2009-08-06 16:56 . 2008-09-04 15:51   12464   ----a-w-   c:\windows\system32\drivers\CDAC15BA.SYS
2009-08-02 16:12 . 2009-08-02 14:16   775168   ----a-w-   c:\windows\isRS-000.tmp
2009-08-02 16:04 . 2009-04-30 20:07   164   ----a-w-   c:\windows\install.dat
2009-08-01 14:26 . 2009-05-26 16:18   --------   d-----w-   c:\program files\Microsoft Silverlight
2009-07-29 21:43 . 2008-08-29 12:22   59   ----a-w-   c:\windows\wpd99.drv
2009-07-28 21:56 . 2009-02-15 18:44   34   ----a-w-   c:\documents and settings\Jared\jagex_runescape_preferences.dat
2009-07-28 12:37 . 2009-07-28 12:37   2311   ----a-w-   c:\documents and settings\All Users\Application Data\xml159.tmp
2009-07-28 12:37 . 2009-07-28 12:37   13685   ----a-w-   c:\documents and settings\All Users\Application Data\xml158.tmp
2009-07-28 12:37 . 2009-07-28 12:37   8858   ----a-w-   c:\documents and settings\All Users\Application Data\xml157.tmp
2009-07-27 00:32 . 2008-08-29 18:41   --------   d-----w-   c:\documents and settings\All Users\Application Data\eFax Messenger 4.3 Setup
2009-07-19 01:40 . 2005-08-10 14:13   51296   ----a-w-   c:\documents and settings\LotharMathias\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-14 12:18 . 2008-10-10 13:43   51296   ----a-w-   c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-03 17:09 . 2004-08-10 17:51   915456   ----a-w-   c:\windows\system32\wininet.dll
2009-06-21 12:49 . 2009-02-12 17:00   --------   d-----w-   c:\program files\Stella
2009-06-16 14:36 . 2004-08-10 17:51   119808   ----a-w-   c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 17:51   81920   ----a-w-   c:\windows\system32\fontsub.dll
2009-06-06 23:02 . 2008-09-19 20:40   51296   ----a-w-   c:\documents and settings\Jared\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-03 19:09 . 2004-08-10 17:51   1291264   ----a-w-   c:\windows\system32\quartz.dll
.

(((((((((((((((((((((((((((((   SnapShot@2009-08-07_19.26.28   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-07 19:56 . 2009-08-07 19:56   16384              c:\windows\Temp\Perflib_Perfdata_630.dat
+ 2009-08-07 19:42 . 2009-08-07 19:42   16384              c:\windows\Temp\Perflib_Perfdata_5cc.dat
+ 2009-08-07 19:56 . 2009-08-07 19:56   16384              c:\windows\Temp\Perflib_Perfdata_5c8.dat
- 2009-08-07 18:42 . 2009-08-07 18:42   8192              c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
+ 2009-08-07 19:54 . 2009-08-07 19:54   8192              c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
+ 2009-08-07 19:54 . 2009-08-07 19:54   8192              c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
- 2009-08-07 18:42 . 2009-08-07 18:42   8192              c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
- 2009-08-07 18:42 . 2009-08-07 18:42   172032              c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-07 19:54 . 2009-08-07 19:54   172032              c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-07 19:54 . 2009-08-07 19:54   233472              c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
- 2009-08-07 18:42 . 2009-08-07 18:42   233472              c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
+ 2009-08-07 19:54 . 2009-08-07 19:54   233472              c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
- 2009-08-07 18:42 . 2009-08-07 18:42   233472              c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
- 2009-08-07 18:42 . 2009-08-07 18:42   4005888              c:\windows\ERDNT\subs\Users\00000005\NTUser.dat
+ 2009-08-07 19:54 . 2009-08-07 19:54   4005888              c:\windows\ERDNT\subs\Users\00000005\NTUser.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

To be continued…


LotharMathias

  • Guest
Re: Infection found on memory scan; Nothing on boot-time scan
« Reply #8 on: August 07, 2009, 10:31:50 PM »
Here is part two of the log:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-05 98304]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]
"SideWinderTrayV4"="c:\progra~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe" [2000-06-28 24649]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2006-11-25 315392]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0stera

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Documents and Settings\\Jared\\Local Settings\\Application Data\\Xenocode\\ApplianceCaches\\KumaClient.exe_v4B8EBC79\\Native\\STUBEXE\\@DOCUMENTS@\\Kuma Games\\Kuma.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Dad\\Local Settings\\Application Data\\Xenocode\\ApplianceCaches\\KumaClient.exe_v02D7169E\\Native\\STUBEXE\\@APPDIR@\\Kuma.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"1481:TCP"= 1481:TCP:Akamai NetSession Interface
"1772:TCP"= 1772:TCP:Akamai NetSession Interface
"2128:TCP"= 2128:TCP:Akamai NetSession Interface
"2402:TCP"= 2402:TCP:Akamai NetSession Interface
"2495:TCP"= 2495:TCP:Akamai NetSession Interface
"1273:TCP"= 1273:TCP:Akamai NetSession Interface
"1276:TCP"= 1276:TCP:Akamai NetSession Interface
"1042:TCP"= 1042:TCP:Akamai NetSession Interface
"1406:TCP"= 1406:TCP:Akamai NetSession Interface
"1271:TCP"= 1271:TCP:Akamai NetSession Interface
"1385:TCP"= 1385:TCP:Akamai NetSession Interface
"3212:TCP"= 3212:TCP:Akamai NetSession Interface
"4105:TCP"= 4105:TCP:Akamai NetSession Interface
"1062:TCP"= 1062:TCP:Akamai NetSession Interface
"1256:TCP"= 1256:TCP:Akamai NetSession Interface
"1649:TCP"= 1649:TCP:Akamai NetSession Interface
"1839:TCP"= 1839:TCP:Akamai NetSession Interface
"3354:TCP"= 3354:TCP:Akamai NetSession Interface
"3394:TCP"= 3394:TCP:Akamai NetSession Interface
"3827:TCP"= 3827:TCP:Akamai NetSession Interface
"3568:TCP"= 3568:TCP:Akamai NetSession Interface
"3821:TCP"= 3821:TCP:Akamai NetSession Interface
"2280:TCP"= 2280:TCP:Akamai NetSession Interface
"2564:TCP"= 2564:TCP:Akamai NetSession Interface
"3495:TCP"= 3495:TCP:Akamai NetSession Interface
"3510:TCP"= 3510:TCP:Akamai NetSession Interface
"1041:TCP"= 1041:TCP:Akamai NetSession Interface
"1751:TCP"= 1751:TCP:Akamai NetSession Interface
"2760:TCP"= 2760:TCP:Akamai NetSession Interface
"3224:TCP"= 3224:TCP:Akamai NetSession Interface
"1264:TCP"= 1264:TCP:Akamai NetSession Interface
"1322:TCP"= 1322:TCP:Akamai NetSession Interface
"1329:TCP"= 1329:TCP:Akamai NetSession Interface
"1339:TCP"= 1339:TCP:Akamai NetSession Interface
"1643:TCP"= 1643:TCP:Akamai NetSession Interface
"2524:TCP"= 2524:TCP:Akamai NetSession Interface
"1440:TCP"= 1440:TCP:Akamai NetSession Interface
"1988:TCP"= 1988:TCP:Akamai NetSession Interface
"2336:TCP"= 2336:TCP:Akamai NetSession Interface
"1293:TCP"= 1293:TCP:Akamai NetSession Interface
"1629:TCP"= 1629:TCP:Akamai NetSession Interface
"1949:TCP"= 1949:TCP:Akamai NetSession Interface
"2085:TCP"= 2085:TCP:Akamai NetSession Interface
"1364:TCP"= 1364:TCP:Akamai NetSession Interface
"1234:TCP"= 1234:TCP:Akamai NetSession Interface
"1483:TCP"= 1483:TCP:Akamai NetSession Interface
"1394:TCP"= 1394:TCP:Akamai NetSession Interface
"1621:TCP"= 1621:TCP:Akamai NetSession Interface
"2038:TCP"= 2038:TCP:Akamai NetSession Interface
"2284:TCP"= 2284:TCP:Akamai NetSession Interface
"1165:TCP"= 1165:TCP:Akamai NetSession Interface
"1045:TCP"= 1045:TCP:Akamai NetSession Interface
"3384:TCP"= 3384:TCP:Akamai NetSession Interface
"3440:TCP"= 3440:TCP:Akamai NetSession Interface
"1218:TCP"= 1218:TCP:Akamai NetSession Interface
"1149:TCP"= 1149:TCP:Akamai NetSession Interface
"1097:TCP"= 1097:TCP:Akamai NetSession Interface
"1170:TCP"= 1170:TCP:Akamai NetSession Interface
"1059:TCP"= 1059:TCP:Akamai NetSession Interface
"1168:TCP"= 1168:TCP:Akamai NetSession Interface
"2385:TCP"= 2385:TCP:Akamai NetSession Interface
"1221:TCP"= 1221:TCP:Akamai NetSession Interface
"1228:TCP"= 1228:TCP:Akamai NetSession Interface
"2044:TCP"= 2044:TCP:Akamai NetSession Interface
"2062:TCP"= 2062:TCP:Akamai NetSession Interface
"1249:TCP"= 1249:TCP:Akamai NetSession Interface
"2848:TCP"= 2848:TCP:Akamai NetSession Interface
"1745:TCP"= 1745:TCP:Akamai NetSession Interface
"1297:TCP"= 1297:TCP:Akamai NetSession Interface
"1101:TCP"= 1101:TCP:Akamai NetSession Interface
"1121:TCP"= 1121:TCP:Akamai NetSession Interface
"1142:TCP"= 1142:TCP:Akamai NetSession Interface
"1361:TCP"= 1361:TCP:Akamai NetSession Interface
"1526:TCP"= 1526:TCP:Akamai NetSession Interface
"1316:TCP"= 1316:TCP:Akamai NetSession Interface
"1430:TCP"= 1430:TCP:Akamai NetSession Interface
"1693:TCP"= 1693:TCP:Akamai NetSession Interface
"2008:TCP"= 2008:TCP:Akamai NetSession Interface
"2303:TCP"= 2303:TCP:Akamai NetSession Interface
"1682:TCP"= 1682:TCP:Akamai NetSession Interface
"1992:TCP"= 1992:TCP:Akamai NetSession Interface
"2391:TCP"= 2391:TCP:Akamai NetSession Interface
"1191:TCP"= 1191:TCP:Akamai NetSession Interface
"1335:TCP"= 1335:TCP:Akamai NetSession Interface
"1431:TCP"= 1431:TCP:Akamai NetSession Interface
"1522:TCP"= 1522:TCP:Akamai NetSession Interface
"2033:TCP"= 2033:TCP:Akamai NetSession Interface
"1110:TCP"= 1110:TCP:Akamai NetSession Interface

To be continued…


LotharMathias

  • Guest
Re: Infection found on memory scan; Nothing on boot-time scan
« Reply #9 on: August 07, 2009, 10:32:25 PM »
Here is part three of the log:

"1374:TCP"= 1374:TCP:Akamai NetSession Interface
"1169:TCP"= 1169:TCP:Akamai NetSession Interface
"2326:TCP"= 2326:TCP:Akamai NetSession Interface
"2443:TCP"= 2443:TCP:Akamai NetSession Interface
"2466:TCP"= 2466:TCP:Akamai NetSession Interface
"1038:TCP"= 1038:TCP:Akamai NetSession Interface
"2224:TCP"= 2224:TCP:Akamai NetSession Interface
"1151:TCP"= 1151:TCP:Akamai NetSession Interface
"1376:TCP"= 1376:TCP:Akamai NetSession Interface
"1947:TCP"= 1947:TCP:Akamai NetSession Interface
"1959:TCP"= 1959:TCP:Akamai NetSession Interface
"1716:TCP"= 1716:TCP:Akamai NetSession Interface
"1312:TCP"= 1312:TCP:Akamai NetSession Interface
"1175:TCP"= 1175:TCP:Akamai NetSession Interface
"1197:TCP"= 1197:TCP:Akamai NetSession Interface
"2374:TCP"= 2374:TCP:Akamai NetSession Interface
"2118:TCP"= 2118:TCP:Akamai NetSession Interface
"1346:TCP"= 1346:TCP:Akamai NetSession Interface
"1937:TCP"= 1937:TCP:Akamai NetSession Interface
"2526:TCP"= 2526:TCP:Akamai NetSession Interface
"2556:TCP"= 2556:TCP:Akamai NetSession Interface
"1302:TCP"= 1302:TCP:Akamai NetSession Interface
"1060:TCP"= 1060:TCP:Akamai NetSession Interface
"1741:TCP"= 1741:TCP:Akamai NetSession Interface
"2561:TCP"= 2561:TCP:Akamai NetSession Interface
"2601:TCP"= 2601:TCP:Akamai NetSession Interface
"1604:TCP"= 1604:TCP:Akamai NetSession Interface
"1052:TCP"= 1052:TCP:Akamai NetSession Interface
"1543:TCP"= 1543:TCP:Akamai NetSession Interface
"1214:TCP"= 1214:TCP:Akamai NetSession Interface
"1415:TCP"= 1415:TCP:Akamai NetSession Interface
"1421:TCP"= 1421:TCP:Akamai NetSession Interface
"1535:TCP"= 1535:TCP:Akamai NetSession Interface
"1058:TCP"= 1058:TCP:Akamai NetSession Interface
"1063:TCP"= 1063:TCP:Akamai NetSession Interface
"1069:TCP"= 1069:TCP:Akamai NetSession Interface
"1081:TCP"= 1081:TCP:Akamai NetSession Interface
"1722:TCP"= 1722:TCP:Akamai NetSession Interface
"1396:TCP"= 1396:TCP:Akamai NetSession Interface
"1529:TCP"= 1529:TCP:Akamai NetSession Interface
"3248:TCP"= 3248:TCP:Akamai NetSession Interface
"1066:TCP"= 1066:TCP:Akamai NetSession Interface
"1514:TCP"= 1514:TCP:Akamai NetSession Interface
"1579:TCP"= 1579:TCP:Akamai NetSession Interface
"1679:TCP"= 1679:TCP:Akamai NetSession Interface
"1279:TCP"= 1279:TCP:Akamai NetSession Interface
"1475:TCP"= 1475:TCP:Akamai NetSession Interface
"1146:TCP"= 1146:TCP:Akamai NetSession Interface
"1429:TCP"= 1429:TCP:Akamai NetSession Interface
"1178:TCP"= 1178:TCP:Akamai NetSession Interface
"1341:TCP"= 1341:TCP:Akamai NetSession Interface
"1595:TCP"= 1595:TCP:Akamai NetSession Interface
"1608:TCP"= 1608:TCP:Akamai NetSession Interface
"2267:TCP"= 2267:TCP:Akamai NetSession Interface
"2278:TCP"= 2278:TCP:Akamai NetSession Interface
"1363:TCP"= 1363:TCP:Akamai NetSession Interface
"1578:TCP"= 1578:TCP:Akamai NetSession Interface
"1304:TCP"= 1304:TCP:Akamai NetSession Interface
"1834:TCP"= 1834:TCP:Akamai NetSession Interface
"1770:TCP"= 1770:TCP:Akamai NetSession Interface
"2060:TCP"= 2060:TCP:Akamai NetSession Interface
"1248:TCP"= 1248:TCP:Akamai NetSession Interface
"1692:TCP"= 1692:TCP:Akamai NetSession Interface
"1703:TCP"= 1703:TCP:Akamai NetSession Interface
"2002:TCP"= 2002:TCP:Akamai NetSession Interface
"2546:TCP"= 2546:TCP:Akamai NetSession Interface
"2574:TCP"= 2574:TCP:Akamai NetSession Interface
"2638:TCP"= 2638:TCP:Akamai NetSession Interface
"1048:TCP"= 1048:TCP:Akamai NetSession Interface
"1547:TCP"= 1547:TCP:Akamai NetSession Interface
"2293:TCP"= 2293:TCP:Akamai NetSession Interface
"2427:TCP"= 2427:TCP:Akamai NetSession Interface
"1230:TCP"= 1230:TCP:Akamai NetSession Interface
"1237:TCP"= 1237:TCP:Akamai NetSession Interface
"1266:TCP"= 1266:TCP:Akamai NetSession Interface
"3971:TCP"= 3971:TCP:Akamai NetSession Interface
"4798:TCP"= 4798:TCP:Akamai NetSession Interface
"2591:TCP"= 2591:TCP:Akamai NetSession Interface
"1046:TCP"= 1046:TCP:Akamai NetSession Interface
"1310:TCP"= 1310:TCP:Akamai NetSession Interface
"1572:TCP"= 1572:TCP:Akamai NetSession Interface
"1651:TCP"= 1651:TCP:Akamai NetSession Interface
"1935:TCP"= 1935:TCP:Akamai NetSession Interface
"2112:TCP"= 2112:TCP:Akamai NetSession Interface
"3416:TCP"= 3416:TCP:Akamai NetSession Interface
"3867:TCP"= 3867:TCP:Akamai NetSession Interface
"4243:TCP"= 4243:TCP:Akamai NetSession Interface
"1269:TCP"= 1269:TCP:Akamai NetSession Interface
"1384:TCP"= 1384:TCP:Akamai NetSession Interface
"1252:TCP"= 1252:TCP:Akamai NetSession Interface
"1050:TCP"= 1050:TCP:Akamai NetSession Interface
"2604:TCP"= 2604:TCP:Akamai NetSession Interface
"2790:TCP"= 2790:TCP:Akamai NetSession Interface
"2907:TCP"= 2907:TCP:Akamai NetSession Interface
"2917:TCP"= 2917:TCP:Akamai NetSession Interface
"1924:TCP"= 1924:TCP:Akamai NetSession Interface
"1351:TCP"= 1351:TCP:Akamai NetSession Interface
"2665:TCP"= 2665:TCP:Akamai NetSession Interface
"4481:TCP"= 4481:TCP:Akamai NetSession Interface
"2258:TCP"= 2258:TCP:Akamai NetSession Interface

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/26/2009 5:53 PM 114768]
R2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [8/10/2004 1:51 PM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/26/2009 5:53 PM 20560]
R2 litsgt;litsgt;c:\windows\system32\drivers\litsgt.sys [3/29/2007 12:39 AM 137344]
R2 tansgt;tansgt;c:\windows\system32\drivers\tansgt.sys [3/29/2007 12:39 AM 12032]
S2 gjqt;gjqt;c:\windows\system32\drivers\nlduee.sys --> c:\windows\system32\drivers\nlduee.sys [?]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [9/19/2008 4:47 PM 3968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai   REG_MULTI_SZ      Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-04 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2009-07-25 14:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rr.com/flash/index.cfm
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\LotharMathias\Application Data\Mozilla\Firefox\Profiles\otz4jxe1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.rr.com/flash/index.cfm
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-07 15:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(944)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-08-07 16:03 - machine was rebooted
ComboFix-quarantined-files.txt  2009-08-07 20:03

Pre-Run: 22,227,779,584 bytes free
Post-Run: 22,186,668,032 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
386
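
The firewall-policy sections of the ComboFix log posted above (the AuthorizedApplications list in part two and the roughly 190 GloballyOpenPorts entries spread across parts two and three) are easier to triage with a small parser than by eye. What follows is an added Python example, not part of the original thread and not ComboFix's own code: it embeds a constructed excerpt of the posted lines, groups open ports by their description string, flags firewall exceptions for binaries under a user profile (where both per-user installers and malware write), and reports the two values in the log that relax defaults (AntiVirusOverride=1 in Security Center and AllowInboundEchoRequest=1). The "user profile path" heuristic and the port-count threshold are assumptions of the example, not rules from the thread.

```python
import re
from collections import Counter

# Constructed excerpt of the ComboFix log posted in this thread: a few lines
# from each section (the real GloballyOpenPorts list is ~190 entries long).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Documents and Settings\\Jared\\Local Settings\\Application Data\\Xenocode\\ApplianceCaches\\KumaClient.exe_v4B8EBC79\\Native\\STUBEXE\\@DOCUMENTS@\\Kuma Games\\Kuma.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"1481:TCP"= 1481:TCP:Akamai NetSession Interface
"1772:TCP"= 1772:TCP:Akamai NetSession Interface

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
APP_RE = re.compile(r'^"(.+)"=$')
# Assumption of this example: anything under a user profile is user-writable
# and deserves a second look when it appears in a firewall allow list.
USER_PROFILE_RE = re.compile(r'documents and settings\\[^\\]+\\', re.IGNORECASE)


def parse_firewall_policy(text):
    """Parse the [section] / "key"=value layout ComboFix uses for firewall policy."""
    result = {
        "ports_by_desc": Counter(),   # description string -> number of open ports
        "open_ports": [],             # (port, proto, description)
        "apps": [],                   # authorized application paths
        "antivirus_override": False,
        "icmp_echo_allowed": False,
    }
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if section.endswith("globallyopenports\\list"):
            m = PORT_RE.match(line)
            if m:
                port, proto, desc = int(m.group(1)), m.group(2), m.group(3).strip()
                result["open_ports"].append((port, proto, desc))
                result["ports_by_desc"][desc] += 1
        elif section.endswith("authorizedapplications\\list"):
            m = APP_RE.match(line)
            if m:
                # ComboFix doubles the backslashes inside quoted paths.
                result["apps"].append(m.group(1).replace("\\\\", "\\"))
        elif section.endswith("security center"):
            if line.lower().startswith('"antivirusoverride"=dword:'):
                result["antivirus_override"] = int(line.split(":", 1)[1], 16) != 0
        elif section.endswith("icmpsettings"):
            m = re.match(r'"allowinboundechorequest"=\s*(\d+)', line, re.IGNORECASE)
            if m:
                result["icmp_echo_allowed"] = int(m.group(1)) != 0
    return result


def findings(policy, max_ports_per_app=20):
    """Turn a parsed policy into triage findings (the threshold is an assumption)."""
    out = []
    for desc, n in policy["ports_by_desc"].items():
        if n > max_ports_per_app:
            out.append(f"{n} globally open ports attributed to '{desc}'")
    for app in policy["apps"]:
        if USER_PROFILE_RE.search(app):
            out.append(f"firewall exception for user-profile binary: {app}")
    if policy["antivirus_override"]:
        out.append("Security Center AntiVirusOverride=1 (antivirus status warnings suppressed)")
    if policy["icmp_echo_allowed"]:
        out.append("inbound ICMP echo (ping) allowed")
    return out


if __name__ == "__main__":
    for f in findings(parse_firewall_policy(SAMPLE_LOG), max_ports_per_app=3):
        print("-", f)
```

Run against the full pasted log, the Akamai entries collapse into a single finding (one product opening a pile of ephemeral ports), which leaves the Kuma.exe exception under a user profile and the two override flags as the lines actually worth a question.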

micky77

  • Guest
Re: Infection found on memory scan; Nothing on boot-time scan
« Reply #10 on: August 08, 2009, 12:54:27 AM »
Until JTaylor replies, try RootRepeal once more. The bloody file is there: c:\windows\system32\drivers\UAChtivmpitbb.sys. I cannot understand why it's not being shown. Follow the instructions (install RootRepeal and select *Files*, then scan only) from the link, and copy/paste one more log. Thanks

http://www.malwarebytes.org/forums/index.php?showtopic=12709

I think the reason the file is not showing is because, by default, the scanner chooses drivers, not files. Please choose files  ;)
« Last Edit: August 08, 2009, 10:53:19 AM by micky77 »

Jtaylor83

  • Guest
Re: Infection found on memory scan; Nothing on boot-time scan
« Reply #11 on: August 08, 2009, 04:34:43 AM »
You may also try Trend Micro Rootkit Buster.

So far ComboFix hasn't found the rootkits.

You'll need to look for these files manually and upload them to VirusTotal and post the links for each of them.

c:\windows\system32\drivers\UAChtivmpitbb.sys
c:\windows\system32\UACodaiynwquw.dll
c:\windows\system32\UACkbguxwwwyl.dll
c:\windows\system32\UACyapulqbwsi.dat
c:\windows\system32\UACqskcltliwr.db
c:\windows\system32\UACxfpbtimlxr.dll
c:\windows\system32\UACwdbosnmnes.dll
c:\windows\system32\UACchuikidbwt.dll
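
The manual step described in the reply above (find the UAC* files and submit them to VirusTotal) goes faster with a script that walks the target directory, matches the naming pattern the eight listed files share (the prefix UAC followed by ten random letters and one of the extensions seen) and prints a SHA-256 for each, so the hash can be looked up before anything is uploaded. This is an added Python example, not code from the thread or from any tool named in it. It runs against a constructed temporary directory standing in for system32; the regex, the hash choice and the cross-check against the listed names are assumptions of the example. One caveat the thread itself makes: a scan from inside the running OS only sees what the Windows API returns, so a rootkit that filters directory listings hides its driver from os.walk exactly as it hides it from Explorer, and "not visible" below does not mean "gone".

```python
import hashlib
import os
import re
import tempfile

# Assumed naming pattern, generalized from the eight names listed in the thread:
# "UAC" + ten lowercase letters + one of the extensions seen there.
UAC_NAME_RE = re.compile(r'^UAC[a-z]{10}\.(sys|dll|dat|db)$', re.IGNORECASE)

# The eight paths from the thread, relative to the scanned root, so the script
# can report which were not returned by a user-mode directory listing.
EXPECTED = [
    r"drivers\UAChtivmpitbb.sys",
    r"UACodaiynwquw.dll",
    r"UACkbguxwwwyl.dll",
    r"UACyapulqbwsi.dat",
    r"UACqskcltliwr.db",
    r"UACxfpbtimlxr.dll",
    r"UACwdbosnmnes.dll",
    r"UACchuikidbwt.dll",
]


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so a large .sys or .dat does not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_uac_artifacts(root):
    """Walk `root` and return {relative_path: sha256} for every name matching the pattern."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not UAC_NAME_RE.match(name):
                continue
            full = os.path.join(dirpath, name)
            # Normalise to backslashes so results compare with EXPECTED on any host.
            rel = os.path.relpath(full, root).replace(os.sep, "\\")
            try:
                found[rel] = sha256_file(full)
            except OSError as e:
                # Listed but unopenable (sharing violation, access denied) is itself a
                # finding: the thread's .dll could not be moved because it was "in use".
                found[rel] = f"unreadable: {e.strerror}"
    return found


def missing_from_listing(found, expected=EXPECTED):
    """Expected names the walk did not return; on an infected box that can mean hidden, not absent."""
    seen = {p.lower() for p in found}
    return [p for p in expected if p.lower() not in seen]


def build_demo_tree():
    """Constructed stand-in for system32: three artifacts present plus a decoy that must not match."""
    root = tempfile.mkdtemp(prefix="uac_demo_")
    os.makedirs(os.path.join(root, "drivers"))
    for rel, payload in [
        ("UACxfpbtimlxr.dll", b"MZ" + b"\x00" * 30),
        ("UACkbguxwwwyl.dll", b"MZ" + b"\x01" * 30),
        (r"drivers\UAChtivmpitbb.sys", b"MZ" + b"\x02" * 30),
        ("UACnotten.dll", b"decoy: only six letters after the prefix"),
    ]:
        with open(os.path.join(root, *rel.split("\\")), "wb") as f:
            f.write(payload)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    hits = find_uac_artifacts(demo_root)
    for rel, digest in sorted(hits.items()):
        print(f"{digest}  {rel}")
    for rel in missing_from_listing(hits):
        print(f"not visible to directory listing: {rel}")
```

Point `find_uac_artifacts` at `C:\WINDOWS\system32` on the real machine to get the hashes; the VirusTotal search-by-hash step then tells you whether a sample is already known before you upload it, and any name that lands in `missing_from_listing` is the one to chase with RootRepeal or a boot-time scan rather than to declare gone.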

micky77

  • Guest
Re: Infection found on memory scan; Nothing on boot-time scan
« Reply #12 on: August 08, 2009, 09:06:05 AM »
You'll need to look for these files manually

I doubt very much you will find c:\windows\system32\drivers\UAChtivmpitbb.sys; that's the rootkit, and it's probably invisible. Hopefully RootRepeal can find it, then you can deal with the other files.

LotharMathias

  • Guest
Re: Infection found on memory scan; Nothing on boot-time scan
« Reply #13 on: August 08, 2009, 02:52:14 PM »
I think the rootkit is gone.

Here is the log from RootRepeal:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2009/08/08 08:33
Program Version:      Version 1.3.3.0
Windows Version:      Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\dad\local settings\temp\~df18ee.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Previously when I would try and run chkdsk from the command line, it would tell me to schedule the boot time scan and I would restart.  The scan would always say the file was RAW and could not continue.  Now, it runs fine.  I have not gotten any other errors like the "hard errors" yesterday.

I ran Avast! twice last night and both times there was nothing on the memory test and nothing on the scan.

I suspect that the first time combofix ran, it fixed the problem and there was an error in generating the report.  The second time combofix ran, there was nothing to be found.

When I search C: for any files starting with "UAC", it finds three of the eight I previously listed and they are all in c:\Qoobox\Quarantine.  Also, the files have a .vir extension now:

Service_UACd.sys.reg in folder c:\Qoobox\Quarantine\Registry_backups
UACgskcltliwr.db.vir in folder c:\Qoobox\Quarantine\C\WINDOWS\system32
uacinit.dll.vir in folder c:\Qoobox\Quarantine\C\WINDOWS\system32
UACkbguxwwwyl.dll.vir in folder c:\Qoobox\Quarantine\C\WINDOWS\system32
UACyapulqbwsi.dat.vir in folder c:\Qoobox\Quarantine\C\WINDOWS\system32

Thank you all for your help.  I will let you know if anything pops back up.  Would it be prudent at this point to create a system restore point?  I ran all the scans with system restore disabled and have since installed COMODO Internet Security firewall.  I was using ZoneAlarm until I ran across a test of different firewalls and found ZoneAlarm offered little protection.  COMODO was the highest rated free firewall.  Thanks again.

micky77

  • Guest
Re: Infection found on memory scan; Nothing on boot-time scan
« Reply #14 on: August 08, 2009, 03:17:14 PM »
edit
« Last Edit: August 08, 2009, 03:42:59 PM by micky77 »