# The Application or DLL is not a Valid Windows Image



## Resu (Oct 4, 2009)

I'm having some trouble. Every time I go to run a program on my Windows XP I keep getting alerts that look like this:

Okay, so I've done y'all a HijackThis LogFile:



> Logfile of Trend Micro HijackThis v2.0.2
> Scan saved at 19:13:54, on 04/10/2009
> Platform: Windows XP SP3 (WinNT 5.01.2600)
> MSIE: Internet Explorer v7.00 (7.00.6000.21073)
> ...


*Can anyone help?*


----------



## Resu (Oct 4, 2009)

Bump


----------



## Resu (Oct 4, 2009)

Bump!


----------



## emeraldnzl (Nov 3, 2007)

Hello Resu,

Welcome to TSG.

One thing: Please don't post your logs in quotes; it makes them hard to follow and can be confusing, as we use quotes from time to time. Just post them normally.

Please download *RootRepeal.zip* and unzip it to your Desktop.

- Double click *RootRepeal.exe* to start the program.
- Click on the *Report* tab at the bottom of the program window.
- Click the *Scan* button.
- In the *Select Scan* dialog, check:
  - Drivers
  - Files
  - Processes
  - SSDT
  - Stealth Objects
  - Hidden Services
- Click the *OK* button.
- In the next dialog, select *all drives* showing.
- Click *OK* to start the scan.
  _Note: The scan can take some time. *DO NOT* run any other programs while the scan is running._
- When the scan is complete, the *Save Report* button will become available.
- Click this and save the report to your Desktop as RootRepeal.txt.
- Go to *File*, then *Exit* to close the program.
- Post the contents of RootRepeal.txt in your next reply.

Note: Unless otherwise instructed, always post the logs in the forum. If reports don't fit in one post, it might be necessary to break the logs up to get them on the forum. Just use as many posts as you need; that's fine.


----------



## Resu (Oct 4, 2009)

*Thanks. Here's that thing you were asking for.*
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/10 19:40
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3D0E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BA3000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF34B0000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMDS.SYS
Image Path: SYMDS.SYS
Address: 0xF73DC000 Size: 352256 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF7516000 Size: 180224 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: C:\Documents and Settings\HelpAssistant\mytemp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HelpAssistant\Tracing
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HelpAssistant\WINDOWS
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\kbiwkmaompjcjg.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmbfwbwyow.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmhrmujewy.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmpxthxlvr.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmqpxxrxho.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmuilmtymt.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmvdkxdotf.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmyfroducf.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\termsrv32.dll
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Temp\kbiwkmxwendsmbdm.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmbduafucbcq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmbtqspjuuqp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmbvsvtthenb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmeexoqoriwt.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmfpmkonivst.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmfpuorsenln.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmfqhgfnlnsm.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmhpymewxtiv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmhxrpoxvbqj.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmiqouqdecye.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmpirlgbcbxf.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmpufpfuyuvb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmriqmdecbqo.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmrxifvptkbq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmsipmpeqvtk.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmthencxtqsh.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmufjwrpqdic.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmxgkidxrrpu.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\kbiwkmsqsrkyen.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\simmons\application data\mozilla\firefox\profiles\cerdyxmv.default\sessionstore.js
Status: Size mismatch (API: 18872, Raw: 17208)

Path: C:\Documents and Settings\Simmons\Local Settings\Apps\2.0\A1CXDZ08.3OW\B97EW3DW.YKG\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Simmons\Local Settings\Apps\2.0\A1CXDZ08.3OW\B97EW3DW.YKG\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

Path: Volume H:\
Status: MBR Rootkit Detected!

Stealth Objects
-------------------
Object: Hidden Module [Name: kbiwkmqpxxrxho.dll]
Process: svchost.exe (PID: 1232) Address: 0x00980000 Size: 24576

Object: Hidden Module [Name: kbiwkmhrmujewy.dll]
Process: svchost.exe (PID: 1232) Address: 0x10000000 Size: 57344

Object: Hidden Module [Name: kbiwkmpxthxlvr.dll]
Process: Explorer.EXE (PID: 4076) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: kbiwkmpxthxlvr.dll]
Process: firefox.exe (PID: 2072) Address: 0x01010000 Size: 32768

Object: Hidden Code [Driver: ACPI, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85b84d40 Size: 708

Hidden Services
-------------------
Service Name: kbiwkmitktivkf
Image Path: C:\WINDOWS\system32\drivers\kbiwkmsqsrkyen.sys

==EOF==


----------
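Reading the report above as a cross-view scan: "Invisible to the Windows API" means RootRepeal found the file on the raw disk while the Windows API denied it exists, "Visible to the Windows API, but not on disk" is the reverse, and the MBR hit together with the hooked IRP_MJ_INTERNAL_DEVICE_CONTROL handler in the ACPI driver says the hiding is done in the kernel, not by a user-mode process. Every hidden file, the modules injected into svchost.exe, Explorer.EXE and firefox.exe, and the hidden service share the fixed prefix kbiwkm followed by random letters. The following is an added example, not code from the thread or from RootRepeal: it parses a report in this layout, groups the findings by what each status means, recovers the shared prefix and builds a matcher for the whole naming family rather than only the names seen in this one report. The sample is a constructed subset of the report above with one path shortened; the split into "invisible", "ghost" and "kernel indicator" categories, and the names of the functions, are this example's own.

```python
import ntpath
import re
from os.path import commonprefix

# Constructed sample: a subset of the RootRepeal report above (one path shortened).
SAMPLE_REPORT = """\
Hidden/Locked Files
-------------------
Path: Volume C:\\
Status: MBR Rootkit Detected!

Path: C:\\WINDOWS\\system32\\kbiwkmaompjcjg.dll
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\system32\\termsrv32.dll
Status: Visible to the Windows API, but not on disk.

Path: C:\\WINDOWS\\Temp\\kbiwkmxwendsmbdm.tmp
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\system32\\drivers\\kbiwkmsqsrkyen.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: kbiwkmqpxxrxho.dll]
Process: svchost.exe (PID: 1232) Address: 0x00980000 Size: 24576

Object: Hidden Code [Driver: ACPI, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85b84d40 Size: 708

Hidden Services
-------------------
Service Name: kbiwkmitktivkf
Image Path: C:\\WINDOWS\\system32\\drivers\\kbiwkmsqsrkyen.sys

==EOF==
"""

# Each file finding is a "Path:" line followed by its "Status:" line.
PATH_STATUS = re.compile(r"^Path: (.+)\nStatus: (.+)$", re.M)
HIDDEN_MODULE = re.compile(r"Hidden Module \[Name: ([^\]]+)\]")
HIDDEN_CODE = re.compile(r"Hidden Code \[Driver: ([^,\]]+), ([^\]]+)\]")
SERVICE = re.compile(r"^Service Name: (.+)\nImage Path: (.+)$", re.M)


def parse_report(text):
    """Sort findings by what each status means for a cross-view scan: 'Invisible'
    = on the raw disk but filtered from API results, 'Visible ... not on disk' =
    the reverse, MBR hit or hooked IRP handler = a kernel-level component."""
    found = {"mbr_volumes": [], "invisible_files": [], "ghost_entries": [], "size_mismatch": []}
    for path, status in PATH_STATUS.findall(text):
        if status.startswith("MBR Rootkit"):
            found["mbr_volumes"].append(path)
        elif status.startswith("Invisible to the Windows API"):
            found["invisible_files"].append(path)
        elif status.startswith("Visible to the Windows API, but not on disk"):
            found["ghost_entries"].append(path)
        elif status.startswith("Size mismatch"):
            found["size_mismatch"].append(path)
    found["hidden_modules"] = HIDDEN_MODULE.findall(text)
    found["hooked_drivers"] = [f"{drv}/{irp}" for drv, irp in HIDDEN_CODE.findall(text)]
    found["hidden_services"] = SERVICE.findall(text)
    return found


def naming_prefix(found, min_len=4):
    """Hidden files, injected modules and the hidden service share one fixed prefix
    followed by random letters; recover it so the whole family can be matched."""
    names = [ntpath.basename(p).lower() for p in found["invisible_files"]]  # ntpath: Windows paths on any host
    names += [m.lower() for m in found["hidden_modules"]]
    names += [s.lower() for s, _ in found["hidden_services"]]
    if len(names) < 2:
        return None
    prefix = commonprefix(names)
    return prefix if len(prefix) >= min_len else None


def family_matcher(prefix):
    """Regex for the scheme: fixed prefix, random lowercase tail, optional extension."""
    return re.compile(r"^" + re.escape(prefix) + r"[a-z]+(?:\.[a-z0-9]{2,4})?$", re.I)


def removal_targets(found):
    """Everything that has to go in one pass: raw-disk hidden files plus the hidden
    service and its driver image (deduplicated), with the kernel indicators that
    say deleting files alone will not be enough."""
    files = list(found["invisible_files"])
    for _service, image in found["hidden_services"]:
        if image not in files:
            files.append(image)
    return {
        "prefix": naming_prefix(found),
        "files": files,
        "services": [s for s, _ in found["hidden_services"]],
        "kernel_indicators": found["mbr_volumes"] + found["hooked_drivers"],
    }
```

`removal_targets(parse_report(report_text))` gives the plan for one report; `family_matcher(plan["prefix"])` then matches any further name in the same scheme, including ones that appear only after a reboot. The "ghost" entries (visible to the API but absent on disk, such as the HelpAssistant folders and termsrv32.dll in the report) are kept separate on purpose: they are not files to delete but evidence of what the API layer is being made to report.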



## emeraldnzl (Nov 3, 2007)

Hello Resu,

Download *Combofix* from either of the links below. You *must* rename it before saving it. Save it to your desktop.

*Link 1*
*Link 2*

--------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Double click on *Combo-Fix.exe* & follow the prompts.

When finished, it will produce a report for you. 
Please post the *C:\ComboFix.txt* for review.


----------



## Resu (Oct 4, 2009)

ComboFix 09-10-10.02 - Simmons 11/10/2009 18:10.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.628 [GMT 1:00]
Running from: c:\documents and settings\Simmons\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Default User\Application Data\Desktopicon
c:\documents and settings\Default User\Application Data\Desktopicon\eBayShortcuts.exe
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\LogMeInRemoteUser\Application Data\Desktopicon
c:\documents and settings\LogMeInRemoteUser\Application Data\Desktopicon\eBayShortcuts.exe
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\documents and settings\Simmons\Application Data\Desktopicon
c:\documents and settings\Simmons\Application Data\Desktopicon\eBayShortcuts.exe
c:\documents and settings\Simmons\Application Data\twain_32
c:\documents and settings\Simmons\Application Data\twain_32\user.ds
c:\program files\Uninstall Fun Web Products.dll
c:\windows\Installer\9f18e.msi
c:\windows\Installer\bc9d66.msi
c:\windows\run.log
c:\windows\system32\blat.exe
c:\windows\system32\Cache
c:\windows\system32\config\systemprofile\Application Data\Desktopicon
c:\windows\system32\config\systemprofile\Application Data\Desktopicon\eBayShortcuts.exe
c:\windows\system32\drivers\UACwevpwndbwe.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\twain_32\user.ds.cla
c:\windows\system32\UACdlriqaimkf.db
c:\windows\system32\uacinit.dll
c:\windows\system32\UACndlvvbrpjk.dat
c:\windows\system32\UACwxdostcmci.dll
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
c:\windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job
H:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-09-11 to 2009-10-11 )))))))))))))))))))))))))))))))
.

2009-10-10 18:42 . 2009-10-10 18:42 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2009-10-10 18:33 . 2009-10-11 17:08 -------- d-----w- c:\documents and settings\HelpAssistant
2009-10-04 18:12 . 2009-10-04 18:12 -------- d-----w- c:\program files\Trend Micro
2009-10-04 12:32 . 2009-10-04 12:40 -------- d-----w- c:\documents and settings\Simmons\Application Data\LogMeIn Rescue
2009-10-04 12:32 . 2009-10-04 12:32 -------- d-----w- c:\program files\LogMeIn Rescue
2009-10-04 12:26 . 2009-10-04 12:26 -------- d-----w- c:\windows\LMI522.tmp
2009-10-04 09:45 . 2009-10-04 14:38 -------- d-----w- c:\documents and settings\Simmons\Application Data\U3
2009-10-04 07:38 . 2009-08-30 00:17 47408 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-10-03 23:52 . 2009-10-04 07:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-03 23:52 . 2009-10-03 23:52 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-10-03 23:52 . 2009-10-03 23:52 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-03 23:52 . 2009-10-03 23:52 -------- d-----w- c:\program files\Symantec
2009-10-03 23:52 . 2009-10-03 23:52 -------- d-----w- c:\program files\Norton AntiVirus
2009-10-03 23:50 . 2009-10-03 23:50 -------- d-----w- c:\program files\NortonInstaller
2009-10-03 22:12 . 2009-10-03 22:12 -------- d-----w- c:\documents and settings\Simmons\Local Settings\Application Data\Tific
2009-10-03 22:12 . 2009-10-03 22:12 -------- d-----w- c:\documents and settings\Simmons\Application Data\Tific
2009-10-03 21:58 . 2009-10-03 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-10-03 21:58 . 2009-10-03 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-10-03 21:24 . 2009-10-03 21:24 -------- d-----w- c:\documents and settings\Simmons\Local Settings\Application Data\ICS
2009-10-03 21:03 . 2009-10-03 21:03 -------- d-----w- c:\documents and settings\Simmons\Local Settings\Application Data\Symantec
2009-10-03 20:51 . 2009-10-03 23:45 -------- d-----w- c:\windows\system32\drivers\NAV
2009-10-03 20:51 . 2009-10-03 20:51 -------- d-----w- c:\program files\Windows Sidebar
2009-09-29 20:43 . 2009-09-29 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Musicnotes
2009-09-26 20:29 . 2005-09-05 10:33 81920 ----a-r- c:\windows\system32\srctrl.dll
2009-09-26 20:29 . 2009-09-26 20:29 -------- d-----w- c:\program files\LGGSM
2009-09-19 11:57 . 2009-09-19 11:57 -------- d-----w- c:\documents and settings\Simmons\mytemp
2009-09-18 20:06 . 2009-09-18 20:06 -------- d-----w- C:\My Music
2009-09-18 18:31 . 2009-09-18 18:31 203776 ----a-w- c:\windows\system32\clrviddc.dll
2009-09-18 18:26 . 2009-09-18 18:26 -------- d-----w- c:\program files\Common Files\xing shared
2009-09-18 18:26 . 2009-09-18 18:26 -------- d-----w- c:\program files\real
2009-09-15 17:11 . 2009-09-15 17:13 3 ----a-w- c:\windows\sbacknt.bin
2009-09-15 17:10 . 2009-09-15 17:34 -------- d-----w- c:\program files\vghd
2009-09-15 17:10 . 2009-09-15 17:10 152904 ----a-w- c:\windows\system32\vghd.scr
2009-09-15 17:10 . 2009-09-15 17:13 -------- d-----w- c:\documents and settings\Simmons\Application Data\vghd
2009-09-12 17:32 . 2008-04-14 03:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-09-12 17:32 . 2008-04-13 22:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-09-12 17:32 . 2001-08-17 20:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-09-12 16:30 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 07:41 . 2009-08-12 23:41 435976 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-03 23:52 . 2009-10-03 23:52 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-10-03 23:52 . 2009-10-03 23:52 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-03 23:46 . 2009-09-06 14:52 310216 --sha-w- c:\windows\system32\cvsloops.dat
2009-10-03 21:00 . 2009-06-06 18:49 111608 ----a-w- c:\documents and settings\Simmons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-28 19:27 . 2009-09-08 16:35 197151 --sha-w- c:\windows\system32\lUretadpU.dat
2009-09-28 14:15 . 2009-06-06 23:27 -------- d-----w- c:\documents and settings\Simmons\Application Data\FrostWire
2009-09-26 20:29 . 2008-09-07 23:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-22 17:34 . 2009-09-01 19:51 -------- d-----w- c:\program files\HooTech
2009-09-18 18:26 . 2009-08-07 20:40 -------- d-----w- c:\program files\Common Files\Real
2009-09-13 16:26 . 2008-09-08 22:27 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-12 21:14 . 2008-09-09 09:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-02 16:39 . 2009-06-09 18:56 -------- d-----w- c:\program files\CamStudio
2009-08-31 15:33 . 2009-08-31 15:33 -------- d-----w- c:\documents and settings\Simmons\Application Data\Apple Computer
2009-08-27 12:05 . 2009-07-07 19:21 -------- d-----w- c:\documents and settings\Simmons\Application Data\uTorrent
2009-08-26 16:47 . 2009-07-29 23:43 -------- d-----w- c:\program files\DivX
2009-08-26 16:46 . 2009-08-26 16:46 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-25 18:46 . 2009-08-25 18:46 -------- d-----w- c:\program files\Common Files\Macromedia Shared
2009-08-25 18:46 . 2009-08-25 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-08-25 18:44 . 2009-08-25 18:44 -------- d-----w- c:\program files\Macromedia
2009-08-25 18:24 . 2009-08-25 18:24 -------- d-----w- c:\program files\uTorrent
2009-08-25 14:46 . 2009-06-13 19:30 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-12 23:24 . 2009-08-12 23:24 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-08-12 23:24 . 2009-08-12 23:24 -------- d-----w- c:\documents and settings\Simmons\Application Data\id Software
2009-08-12 23:24 . 2009-08-12 23:24 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-08-12 23:24 . 2009-08-12 23:24 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2009-08-12 23:24 . 2009-08-12 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2009-08-07 20:40 . 2008-09-07 23:50 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-07 20:40 . 2008-09-07 23:50 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-05 09:01 . 2008-04-14 04:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-18 20:16 . 2009-06-28 19:11 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-07-18 10:01 . 2009-07-18 10:01 130 ----a-w- c:\documents and settings\Simmons\Local Settings\Application Data\fusioncache.dat
2009-07-17 19:01 . 2008-04-14 04:41 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2008-04-26 14:08 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2008-09-08 . D24EA301E2B36C4E975FD216CA85D8E7 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\TCPIP.SYS
[-] 2008-09-08 . D24EA301E2B36C4E975FD216CA85D8E7 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\TCPIP.SYS
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-04-26 . 68F06FE0021B01E670AF37B8C5964FDF . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

[-] 2008-04-26 14:08 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Uniblue RegistryBooster 2009"="c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [2008-08-26 2019624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"VX1000"="c:\windows\vVX1000.exe" [2009-06-26 757248]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-18 198160]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-10-04 1626112]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\Alcxmntr.exe [2004-09-07 57344]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2006-08-03 577536]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-06-29 124928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 19:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"85:TCP"= 85:TCP:BroadWave Web Server

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1100000.088\SymDS.sys [04/10/2009 00:52 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1100000.088\SymEFA.sys [04/10/2009 00:52 169008]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20090829.001\BHDrvx86.sys [04/10/2009 00:52 506928]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [08/09/2008 16:27 13696]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1100000.088\ccHPx86.sys [04/10/2009 00:52 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1100000.088\Ironx86.sys [04/10/2009 00:52 114736]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [06/06/2009 18:52 47640]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.0.0.136\ccSvcHst.exe [04/10/2009 00:52 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [04/10/2009 00:54 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20090828.002\IDSxpx86.sys [04/10/2009 00:52 329080]
S0 3112Rx47;3112Rx47;c:\windows\system32\drivers\3112Rx47.sys [26/04/2008 15:51 110128]
S1 ShldDrv;Panda File Shield Driver; [x]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]
S2 XAMPP;XAMPP Service;c:\xampp\service.exe --> c:\xampp\service.exe [?]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
S3 ComFiltr;Panda Anti-Dialer;\??\c:\windows\system32\DRIVERS\COMFiltr.sys --> c:\windows\system32\DRIVERS\COMFiltr.sys [?]
S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\PavSRK.sys --> c:\windows\system32\PavSRK.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [11/07/2008 01:28 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [10/07/2008 02:49 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [11/07/2008 01:28 369688]
.
Contents of the 'Scheduled Tasks' folder

2009-09-15 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX1000_exe.job
- c:\windows\vVX1000.exe [2009-06-26 16:21]

2009-09-12 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-09-06 10:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Simmons\Application Data\Mozilla\Firefox\Profiles\cerdyxmv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\Simmons\Application Data\Mozilla\Firefox\Profiles\cerdyxmv.default\extensions\[email protected]\components\nsTwitterFoxSign.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Simmons\Application Data\Mozilla\Firefox\Profiles\cerdyxmv.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npjustintvpublish.dll
FF - plugin: c:\documents and settings\Simmons\Application Data\Mozilla\Firefox\Profiles\cerdyxmv.default\extensions\[email protected]\platform\WINNT\plugins\npRescue.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKU-Default-Run-True Transparency - c:\program files\Utilities\True Transparency\TrueTransparency.exe
HKU-Default-Run-LClock - c:\program files\LClock\LClock.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-11 18:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'lsass.exe'(1048)
c:\windows\system32\WININET.dll
.
Completion time: 2009-10-11 18:23
ComboFix-quarantined-files.txt 2009-10-11 17:23

Pre-Run: 223,156,318,208 bytes free
Post-Run: 223,142,821,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
h:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=alwaysoff

262 --- E O F --- 2009-10-11 16:17


----------
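The Sigcheck section of the log above deserves a second look. The tcpip.sys loaded from system32\drivers and the copy in dllcache share the hash D24EA301E2B36C4E975FD216CA85D8E7, while the hotfix-staged copy of the very same version 5.1.2600.5625 (under $hf_mig$\KB951748) hashes to AD978A1B783B5719720CFF204B666C8E, and eventlog.dll is reported missing outright. A file whose version resource is unchanged but whose bytes no longer match the reference copy is what an in-place patch of a system file looks like, and when the dllcache copy has been changed along with it, Windows File Protection has nothing clean to restore from. The following is an added example, not ComboFix's code and not from the thread: it parses Sigcheck lines in this format, finds (file name, version) pairs backed by more than one hash, and classifies the copies by where they sit. The sample is the Sigcheck section above reproduced as a constructed string; the "live / cache / reference" classification by directory is this example's own assumption, and the bracketed tag at the start of each line is carried through without being interpreted.

```python
import ntpath
import re
from collections import defaultdict

# One Sigcheck record per line: [tag] date[ time] . MD5 . size . . [version] . . path
# The bracketed tag is kept as-is; this example does not interpret it.
SIGCHECK_LINE = re.compile(
    r"^\[(?P<tag>[^\]]+)\] (?P<date>\d{4}-\d{2}-\d{2})(?: \d{2}:\d{2})? \. "
    r"(?P<md5>[0-9A-Fa-f]{32}) \. (?P<size>\d+) \. \. \[(?P<version>[^\]]+)\] \. \. (?P<path>.+)$"
)
MISSING_LINE = re.compile(r"^(?P<path>\S.*?) \.\.\. is missing !!$")

# Constructed sample: the Sigcheck section of the ComboFix log above.
SAMPLE_SIGCHECK = """\
------- Sigcheck -------

[-] 2008-09-08 . D24EA301E2B36C4E975FD216CA85D8E7 . 361600 . . [5.1.2600.5625] . . c:\\windows\\system32\\dllcache\\TCPIP.SYS
[-] 2008-09-08 . D24EA301E2B36C4E975FD216CA85D8E7 . 361600 . . [5.1.2600.5625] . . c:\\windows\\system32\\drivers\\TCPIP.SYS
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\\windows\\$hf_mig$\\KB951748\\SP3QFE\\tcpip.sys
[-] 2008-04-26 . 68F06FE0021B01E670AF37B8C5964FDF . 361344 . . [5.1.2600.5512] . . c:\\windows\\$NtUninstallKB951748$\\tcpip.sys

[-] 2008-04-26 14:08 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\\windows\\system32\\mspmsnsv.dll

c:\\windows\\system32\\eventlog.dll ... is missing !!
"""


def parse_sigcheck(text):
    """Return (records, missing): parsed hash records and the paths reported missing."""
    records, missing = [], []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            rec["name"] = ntpath.basename(rec["path"]).lower()  # ntpath: Windows paths on any host
            records.append(rec)
            continue
        m = MISSING_LINE.match(line)
        if m:
            missing.append(m.group("path"))
    return records, missing


def version_hash_conflicts(records):
    """Group copies by (file name, version string); keep only the groups in which
    one version string is backed by more than one distinct hash."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["name"], r["version"])].append(r)
    return {key: group for key, group in by_key.items()
            if len({r["md5"] for r in group}) > 1}


def classify_roles(conflicts):
    """Bucket each conflicting group's hashes by where the copy sits (this example's
    own split): 'live' for directories Windows loads from, 'cache' for the WFP
    dllcache, 'reference' for hotfix staging and uninstall backups."""
    roles = {}
    for key, group in conflicts.items():
        buckets = {"live": set(), "cache": set(), "reference": set()}
        for r in group:
            d = ntpath.dirname(r["path"]).lower()
            if "\\dllcache" in d:
                buckets["cache"].add(r["md5"])
            elif d.endswith("\\system32") or d.endswith("\\system32\\drivers"):
                buckets["live"].add(r["md5"])
            else:
                buckets["reference"].add(r["md5"])
        roles[key] = buckets
    return roles


def assess(roles):
    """Flag a file when the copy that actually loads matches no reference copy of the
    same version; also note whether the dllcache copy was changed along with it,
    because then Windows File Protection cannot put the original back."""
    verdicts = {}
    for (name, version), b in roles.items():
        if not b["live"] or not b["reference"]:
            continue  # nothing to compare against
        if not b["live"] <= b["reference"]:
            verdicts[name] = {
                "version": version,
                "live_differs_from_reference": True,
                "cache_matches_live": bool(b["cache"]) and b["cache"] == b["live"],
            }
    return verdicts
```

`assess(classify_roles(version_hash_conflicts(records)))` over the sample flags tcpip.sys with `cache_matches_live` true, which is the reason the helper says some files cannot be repaired without the Windows installation CD: the only untouched copy of that version is the hotfix staging copy, and the file the rootkit may have patched is the one the system boots with. The missing-file list (eventlog.dll here) is returned separately because a missing system DLL is a different repair from a modified one.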



## emeraldnzl (Nov 3, 2007)

Hello Resu,

You have a Keylogger infection on your machine. We have removed part of it but there is still some to go.

Assume that all your passwords and sensitive security information have been looked at from an outside source. If your computer is/was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

*Moving on*

There are some missing/corrupt files there. We will repair some of them in this post but we can't get them all.

Tell me when you post back if you have your Windows Installation CD.

*Now*

Your Java is out of date. Older versions are vulnerable to attack.

Please follow these steps:

- Download from here *Java Runtime Environment (JDK) Update*.
- Scroll to where it says *"Windows XP/Vista/2000/2003/2008 online"*, download it and follow the instructions.
- Reboot your computer.
- You also need to uninstall older versions of Java:
  - Click *Start* > *Control Panel* > *Add or Remove Programs*.
  - Remove all Java updates except the latest one you have just installed.

*Next*

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the quotebox below into it:



> KillAll::
> 
> File::
> c:\windows\system32\lUretadpU.dat
> ...


Save this as *CFScript.txt*, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it will produce a log for you at *C:\ComboFix.txt*. Please post that here for further review.


----------



2009-09-18 20:06 . 2009-09-18 20:06 -------- d-----w- C:\My Music
2009-09-18 18:31 . 2009-09-18 18:31 203776 ----a-w- c:\windows\system32\clrviddc.dll
2009-09-18 18:26 . 2009-09-18 18:26 -------- d-----w- c:\program files\Common Files\xing shared
2009-09-18 18:26 . 2009-09-18 18:26 -------- d-----w- c:\program files\real
2009-09-15 17:11 . 2009-09-15 17:13 3 ----a-w- c:\windows\sbacknt.bin
2009-09-15 17:10 . 2009-09-15 17:34 -------- d-----w- c:\program files\vghd
2009-09-15 17:10 . 2009-09-15 17:10 152904 ----a-w- c:\windows\system32\vghd.scr
2009-09-15 17:10 . 2009-09-15 17:13 -------- d-----w- c:\documents and settings\Simmons\Application Data\vghd
2009-09-12 17:32 . 2008-04-14 03:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-09-12 17:32 . 2008-04-13 22:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-09-12 17:32 . 2001-08-17 20:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-09-12 16:30 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 07:41 . 2009-08-12 23:41 435976 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-03 23:52 . 2009-10-03 23:52 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-10-03 23:52 . 2009-10-03 23:52 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-03 23:46 . 2009-09-06 14:52 310216 --sha-w- c:\windows\system32\cvsloops.dat
2009-10-03 21:00 . 2009-06-06 18:49 111608 ----a-w- c:\documents and settings\Simmons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-28 19:27 . 2009-09-08 16:35 197151 --sha-w- c:\windows\system32\lUretadpU.dat
2009-09-28 14:15 . 2009-06-06 23:27 -------- d-----w- c:\documents and settings\Simmons\Application Data\FrostWire
2009-09-26 20:29 . 2008-09-07 23:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-22 17:34 . 2009-09-01 19:51 -------- d-----w- c:\program files\HooTech
2009-09-18 18:26 . 2009-08-07 20:40 -------- d-----w- c:\program files\Common Files\Real
2009-09-13 16:26 . 2008-09-08 22:27 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-12 21:14 . 2008-09-09 09:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-02 16:39 . 2009-06-09 18:56 -------- d-----w- c:\program files\CamStudio
2009-08-31 15:33 . 2009-08-31 15:33 -------- d-----w- c:\documents and settings\Simmons\Application Data\Apple Computer
2009-08-27 12:05 . 2009-07-07 19:21 -------- d-----w- c:\documents and settings\Simmons\Application Data\uTorrent
2009-08-26 16:47 . 2009-07-29 23:43 -------- d-----w- c:\program files\DivX
2009-08-26 16:46 . 2009-08-26 16:46 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-25 18:46 . 2009-08-25 18:46 -------- d-----w- c:\program files\Common Files\Macromedia Shared
2009-08-25 18:46 . 2009-08-25 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-08-25 18:44 . 2009-08-25 18:44 -------- d-----w- c:\program files\Macromedia
2009-08-25 18:24 . 2009-08-25 18:24 -------- d-----w- c:\program files\uTorrent
2009-08-25 14:46 . 2009-06-13 19:30 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-12 23:24 . 2009-08-12 23:24 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-08-12 23:24 . 2009-08-12 23:24 -------- d-----w- c:\documents and settings\Simmons\Application Data\id Software
2009-08-12 23:24 . 2009-08-12 23:24 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-08-12 23:24 . 2009-08-12 23:24 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2009-08-12 23:24 . 2009-08-12 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2009-08-07 20:40 . 2008-09-07 23:50 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-07 20:40 . 2008-09-07 23:50 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-05 09:01 . 2008-04-14 04:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-18 20:16 . 2009-06-28 19:11 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-07-18 10:01 . 2009-07-18 10:01 130 ----a-w- c:\documents and settings\Simmons\Local Settings\Application Data\fusioncache.dat
2009-07-17 19:01 . 2008-04-14 04:41 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2008-04-26 14:08 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2008-09-08 . D24EA301E2B36C4E975FD216CA85D8E7 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\TCPIP.SYS
[-] 2008-09-08 . D24EA301E2B36C4E975FD216CA85D8E7 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\TCPIP.SYS
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-04-26 . 68F06FE0021B01E670AF37B8C5964FDF . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

[-] 2008-04-26 14:08 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Uniblue RegistryBooster 2009"="c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [2008-08-26 2019624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"VX1000"="c:\windows\vVX1000.exe" [2009-06-26 757248]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-18 198160]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-10-04 1626112]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\Alcxmntr.exe [2004-09-07 57344]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2006-08-03 577536]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-06-29 124928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 19:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"85:TCP"= 85:TCP:BroadWave Web Server

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1100000.088\SymDS.sys [04/10/2009 00:52 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1100000.088\SymEFA.sys [04/10/2009 00:52 169008]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20090829.001\BHDrvx86.sys [04/10/2009 00:52 506928]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [08/09/2008 16:27 13696]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1100000.088\ccHPx86.sys [04/10/2009 00:52 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1100000.088\Ironx86.sys [04/10/2009 00:52 114736]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [06/06/2009 18:52 47640]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.0.0.136\ccSvcHst.exe [04/10/2009 00:52 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [04/10/2009 00:54 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20090828.002\IDSxpx86.sys [04/10/2009 00:52 329080]
S0 3112Rx47;3112Rx47;c:\windows\system32\drivers\3112Rx47.sys [26/04/2008 15:51 110128]
S1 ShldDrv;Panda File Shield Driver; [x]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]
S2 XAMPP;XAMPP Service;c:\xampp\service.exe --> c:\xampp\service.exe [?]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
S3 ComFiltr;Panda Anti-Dialer;\??\c:\windows\system32\DRIVERS\COMFiltr.sys --> c:\windows\system32\DRIVERS\COMFiltr.sys [?]
S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\PavSRK.sys --> c:\windows\system32\PavSRK.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [11/07/2008 01:28 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [10/07/2008 02:49 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [11/07/2008 01:28 369688]
.
Contents of the 'Scheduled Tasks' folder

2009-09-15 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX1000_exe.job
- c:\windows\vVX1000.exe [2009-06-26 16:21]

2009-09-12 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-09-06 10:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Simmons\Application Data\Mozilla\Firefox\Profiles\cerdyxmv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\Simmons\Application Data\Mozilla\Firefox\Profiles\cerdyxmv.default\extensions\[email protected]\components\nsTwitterFoxSign.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Simmons\Application Data\Mozilla\Firefox\Profiles\cerdyxmv.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npjustintvpublish.dll
FF - plugin: c:\documents and settings\Simmons\Application Data\Mozilla\Firefox\Profiles\cerdyxmv.default\extensions\[email protected]\platform\WINNT\plugins\npRescue.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKU-Default-Run-True Transparency - c:\program files\Utilities\True Transparency\TrueTransparency.exe
HKU-Default-Run-LClock - c:\program files\LClock\LClock.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-11 18:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'lsass.exe'(1048)
c:\windows\system32\WININET.dll
.
Completion time: 2009-10-11 18:23
ComboFix-quarantined-files.txt 2009-10-11 17:23

Pre-Run: 223,156,318,208 bytes free
Post-Run: 223,142,821,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
h:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=alwaysoff

262 --- E O F --- 2009-10-11 16:17


----------
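The log above carries the findings a responder would pull out before anything else: the Sigcheck block shows both installed copies of TCPIP.SYS carrying a different MD5 from the same-version copy under $hf_mig$\KB951748\SP3QFE (which is the copy the later FCopy restores from), eventlog.dll is reported missing, the standard firewall profile has EnableFirewall set to 0, and 3389/TCP is globally open on a machine that has just grown a HelpAssistant profile. The script below is an added example, not ComboFix code and not from anyone in the thread: it parses those sections of a ComboFix log into findings. The sample lines are copied from the two logs in the thread (including the port 90 entry from the re-run, whose second colon the forum rendering dropped); the finding names, the regexes and the reading of `[-]` as "failed the catalog check" are this example's own assumptions.

```python
"""Triage the Sigcheck and firewall-policy sections of a ComboFix log.

Added example for this thread; not ComboFix code.  Assumes ComboFix marks a
file that fails its catalog check with [-] and treats any other marker as a
pass.  Finding names are invented here.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the thread's two logs, trimmed to the
# sections parsed below.
SAMPLE_LOG = r"""
------- Sigcheck -------

[-] 2008-09-08 . D24EA301E2B36C4E975FD216CA85D8E7 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\TCPIP.SYS
[-] 2008-09-08 . D24EA301E2B36C4E975FD216CA85D8E7 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\TCPIP.SYS
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-04-26 . 68F06FE0021B01E670AF37B8C5964FDF . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

[-] 2008-04-26 14:08 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"85:TCP"= 85:TCP:BroadWave Web Server
"90:TCP"= 90:TCPATADJH
"""

# [flag] date[ time] . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$")
MISSING_RE = re.compile(r"^(?P<path>\S.*?)\s+\.\.\.\s+is missing\s*!!\s*$")
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*?)\s*$')


def parse_sigcheck(lines):
    """Return (entries, missing): one dict per Sigcheck row, plus missing paths."""
    entries, missing = [], []
    for line in lines:
        m = SIGCHECK_RE.match(line)
        if m:
            e = m.groupdict()
            e["md5"], e["size"] = e["md5"].upper(), int(e["size"])
            entries.append(e)
            continue
        m = MISSING_RE.match(line)
        if m:
            missing.append(m.group("path"))
    return entries, missing


def parse_firewall(lines):
    """Return (EnableFirewall as bool, or None if the value is absent, [(port, proto, desc)])."""
    enabled, ports, key = None, [], ""
    for line in lines:
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group("key").lower()
            continue
        vm = REG_VALUE_RE.match(line)
        if not vm or "firewallpolicy" not in key:
            continue
        name, value = vm.group("name"), vm.group("value")
        if key.endswith("standardprofile") and name.lower() == "enablefirewall":
            enabled = not value.startswith("0")          # "0 (0x0)" -> disabled
        elif key.endswith("globallyopenports\\list"):
            port, _, proto = name.partition(":")         # value name is "port:proto"
            if port.isdigit():
                # Value is "port:proto:description"; the re-run log shows the second
                # colon lost ("90:TCPATADJH"), so take the description as whatever
                # follows the name instead of splitting on colons.
                desc = value[len(name):].lstrip(":").strip() \
                    if value.lower().startswith(name.lower()) else value
                ports.append((int(port), proto.upper(), desc))
    return enabled, ports


def triage(log_text):
    """Reduce a ComboFix log to (kind, subject, detail) findings."""
    lines = log_text.splitlines()
    entries, missing = parse_sigcheck(lines)
    enabled, ports = parse_firewall(lines)
    findings = []
    by_name = defaultdict(list)
    for e in entries:                                   # group copies of one file name
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    for copies in by_name.values():
        for bad in (e for e in copies if e["flag"] == "-"):
            # A passing copy with the same version but a different hash (the one
            # under $hf_mig$ here) is the candidate to restore from.
            donor = next((e["path"] for e in copies if e["flag"] != "-"
                          and e["version"] == bad["version"] and e["md5"] != bad["md5"]), None)
            findings.append(("sigcheck_failed", bad["path"], donor))
    findings += [("missing_file", p, None) for p in missing]
    if enabled is False:
        findings.append(("firewall_disabled", "standardprofile", None))
    findings += [("open_port", f"{p}/{proto}", desc) for p, proto, desc in ports]
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f"{kind:17} {subject}" + (f"  <- {detail}" if detail else ""))
```

Run on the sample, it reports the two installed TCPIP.SYS copies with the SP3QFE file as the restore candidate, the older $NtUninstall copy and mspmsnsv.dll with no candidate (no passing copy of the same version is listed), the missing eventlog.dll, the disabled firewall profile and the three open ports. A log whose standard profile carries no EnableFirewall value, as in the re-run, yields None rather than a finding, since the absent value means the default (on).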



## emeraldnzl (Nov 3, 2007)

Hello Resu,

The log you posted seems to be the same one you posted at post #7.

Did you run the ComboFix script I posted at post #8 ?

If so please post the log for that. It should be on your desktop but if it isn't you can do the following:

Try looking in the :\Qoobox folder (most likely C:\Qoobox\ComboFix.txt) and pasting the contents of the text file back here. Note: ComboFix.txt files are numbered, so if there was more than one run you might find, for instance, C:\Qoobox\ComboFix2.txt.

Also please answer my question about whether you have your Windows CD.


----------



## Resu (Oct 4, 2009)

Sorry, I did something wrong. Let me do it again 

Oh and, I don't have a Windows CD, The computer I own was from a friend.


----------



## Resu (Oct 4, 2009)

ComboFix 09-10-17.01 - Simmons 18/10/2009 17:02.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.220 [GMT 1:00]
Running from: c:\documents and settings\Simmons\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Simmons\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FILE ::
"c:\windows\system32\cvsloops.dat"
"c:\windows\system32\lUretadpU.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cvsloops.dat
c:\windows\system32\lUretadpU.dat

.
--------------- FCopy ---------------

c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys --> c:\windows\system32\drivers\TCPIP.SYS
c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys --> c:\windows\system32\dllcache\TCPIP.SYS
c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys --> c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kbiwkmitktivkf
-------\Service_kbiwkmitktivkf

((((((((((((((((((((((((( Files Created from 2009-09-18 to 2009-10-18 )))))))))))))))))))))))))))))))
.

2009-10-18 15:50 . 2009-10-18 15:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-13 18:10 . 2009-10-13 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-13 18:10 . 2009-10-18 11:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-13 18:10 . 2009-10-13 18:10 -------- d-----w- c:\documents and settings\Simmons\Application Data\Malwarebytes
2009-10-13 18:09 . 2009-10-13 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-13 18:03 . 2009-10-13 18:03 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-10-13 18:03 . 2009-10-13 18:03 -------- d-----w- c:\program files\MSECACHE
2009-10-13 17:49 . 2009-10-13 17:49 -------- d-----w- c:\program files\Microsoft
2009-10-13 16:24 . 2009-10-13 16:24 -------- d-----w- c:\windows\system32\xircom
2009-10-13 16:24 . 2009-10-13 16:24 -------- d-----w- c:\program files\microsoft frontpage
2009-10-11 16:56 . 2009-10-11 17:23 -------- d-----w- C:\Combo-Fix
2009-10-10 18:42 . 2009-10-11 17:18 -------- d-----w- c:\documents and settings\HelpAssistant\Tracing
2009-10-10 18:33 . 2009-10-18 16:12 -------- d-----w- c:\documents and settings\HelpAssistant
2009-10-04 18:12 . 2009-10-04 18:12 -------- d-----w- c:\program files\Trend Micro
2009-10-04 12:32 . 2009-10-04 12:40 -------- d-----w- c:\documents and settings\Simmons\Application Data\LogMeIn Rescue
2009-10-04 12:32 . 2009-10-04 12:32 -------- d-----w- c:\program files\LogMeIn Rescue
2009-10-04 12:26 . 2009-10-04 12:26 -------- d-----w- c:\windows\LMI522.tmp
2009-10-04 09:45 . 2009-10-04 14:38 -------- d-----w- c:\documents and settings\Simmons\Application Data\U3
2009-10-04 07:38 . 2009-08-30 00:17 47408 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-10-03 23:52 . 2009-10-04 07:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-03 23:52 . 2009-10-03 23:52 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-10-03 23:52 . 2009-10-03 23:52 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-03 23:52 . 2009-10-03 23:52 -------- d-----w- c:\program files\Symantec
2009-10-03 23:52 . 2009-10-03 23:52 -------- d-----w- c:\program files\Norton AntiVirus
2009-10-03 23:50 . 2009-10-03 23:50 -------- d-----w- c:\program files\NortonInstaller
2009-10-03 22:12 . 2009-10-03 22:12 -------- d-----w- c:\documents and settings\Simmons\Local Settings\Application Data\Tific
2009-10-03 22:12 . 2009-10-03 22:12 -------- d-----w- c:\documents and settings\Simmons\Application Data\Tific
2009-10-03 21:58 . 2009-10-03 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-10-03 21:58 . 2009-10-03 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-10-03 21:24 . 2009-10-03 21:24 -------- d-----w- c:\documents and settings\Simmons\Local Settings\Application Data\ICS
2009-10-03 21:03 . 2009-10-03 21:03 -------- d-----w- c:\documents and settings\Simmons\Local Settings\Application Data\Symantec
2009-10-03 20:51 . 2009-10-03 23:45 -------- d-----w- c:\windows\system32\drivers\NAV
2009-10-03 20:51 . 2009-10-03 20:51 -------- d-----w- c:\program files\Windows Sidebar
2009-09-29 20:43 . 2009-09-29 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Musicnotes
2009-09-26 20:29 . 2005-09-05 10:33 81920 ----a-r- c:\windows\system32\srctrl.dll
2009-09-26 20:29 . 2009-09-26 20:29 -------- d-----w- c:\program files\LGGSM
2009-09-19 11:57 . 2009-09-19 11:57 -------- d-----w- c:\documents and settings\Simmons\mytemp
2009-09-18 20:06 . 2009-09-18 20:06 -------- d-----w- C:\My Music

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 15:51 . 2008-09-07 23:48 -------- d-----w- c:\program files\Java
2009-10-18 11:41 . 2008-09-08 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-10-18 11:41 . 2008-09-08 21:26 -------- d-----w- c:\program files\Uniblue
2009-10-18 11:36 . 2009-08-07 20:40 -------- d-----w- c:\program files\Common Files\Real
2009-10-18 11:20 . 2009-08-12 23:41 435976 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-18 11:14 . 2009-06-07 13:38 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-18 11:13 . 2008-09-09 10:22 -------- d-----w- c:\program files\Microsoft.NET
2009-10-18 11:10 . 2009-06-09 18:56 -------- d-----w- c:\program files\CamStudio
2009-10-17 21:47 . 2008-09-09 09:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-13 17:49 . 2008-09-08 08:30 -------- d-----w- c:\program files\Windows Live
2009-10-03 23:52 . 2009-10-03 23:52 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-10-03 23:52 . 2009-10-03 23:52 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-03 21:00 . 2009-06-06 18:49 111608 ----a-w- c:\documents and settings\Simmons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-28 14:15 . 2009-06-06 23:27 -------- d-----w- c:\documents and settings\Simmons\Application Data\FrostWire
2009-09-26 20:29 . 2008-09-07 23:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-22 17:34 . 2009-09-01 19:51 -------- d-----w- c:\program files\HooTech
2009-09-15 17:34 . 2009-09-15 17:10 -------- d-----w- c:\program files\vghd
2009-09-15 17:13 . 2009-09-15 17:10 -------- d-----w- c:\documents and settings\Simmons\Application Data\vghd
2009-09-15 17:13 . 2009-09-15 17:11 3 ----a-w- c:\windows\sbacknt.bin
2009-09-15 17:10 . 2009-09-15 17:10 152904 ----a-w- c:\windows\system32\vghd.scr
2009-09-13 16:26 . 2008-09-08 22:27 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 14:18 . 2008-04-14 04:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-31 15:33 . 2009-08-31 15:33 -------- d-----w- c:\documents and settings\Simmons\Application Data\Apple Computer
2009-08-27 12:05 . 2009-07-07 19:21 -------- d-----w- c:\documents and settings\Simmons\Application Data\uTorrent
2009-08-26 16:47 . 2009-07-29 23:43 -------- d-----w- c:\program files\DivX
2009-08-26 16:46 . 2009-08-26 16:46 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-26 08:00 . 2008-04-14 04:42 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 18:46 . 2009-08-25 18:46 -------- d-----w- c:\program files\Common Files\Macromedia Shared
2009-08-25 18:46 . 2009-08-25 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-08-25 18:44 . 2009-08-25 18:44 -------- d-----w- c:\program files\Macromedia
2009-08-25 18:24 . 2009-08-25 18:24 -------- d-----w- c:\program files\uTorrent
2009-08-25 14:46 . 2009-06-13 19:30 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-12 23:24 . 2009-08-12 23:24 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-08-12 23:24 . 2009-08-12 23:24 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-08-12 23:24 . 2009-08-12 23:24 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2009-08-07 20:40 . 2008-09-07 23:50 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-07 20:40 . 2008-09-07 23:50 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-05 09:01 . 2008-04-14 04:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 19:44 . 2008-04-24 10:35 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2008-04-24 10:34 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-26 15:44 . 2009-07-26 15:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2008-04-26 14:08 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Uniblue RegistryBooster 2009"="c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [2008-08-26 2019624]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"VX1000"="c:\windows\vVX1000.exe" [2009-06-26 757248]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-18 149280]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-10-04 1626112]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\Alcxmntr.exe [2004-09-07 57344]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2006-08-03 577536]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-06-29 124928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 19:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"90:TCP"= 90:TCPATADJH

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1100000.088\SymDS.sys [04/10/2009 00:52 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1100000.088\SymEFA.sys [04/10/2009 00:52 169008]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20090829.001\BHDrvx86.sys [04/10/2009 00:52 506928]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [08/09/2008 16:27 13696]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1100000.088\ccHPx86.sys [04/10/2009 00:52 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1100000.088\Ironx86.sys [04/10/2009 00:52 114736]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [06/06/2009 18:52 47640]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.0.0.136\ccSvcHst.exe [04/10/2009 00:52 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [04/10/2009 00:54 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20090828.002\IDSxpx86.sys [04/10/2009 00:52 329080]
S0 3112Rx47;3112Rx47;c:\windows\system32\drivers\3112Rx47.sys [26/04/2008 15:51 110128]
S1 ShldDrv;Panda File Shield Driver; [x]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]
S2 XAMPP;XAMPP Service;c:\xampp\service.exe --> c:\xampp\service.exe [?]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
S3 ComFiltr;Panda Anti-Dialer;\??\c:\windows\system32\DRIVERS\COMFiltr.sys --> c:\windows\system32\DRIVERS\COMFiltr.sys [?]
S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\PavSRK.sys --> c:\windows\system32\PavSRK.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-09-15 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX1000_exe.job
- c:\windows\vVX1000.exe [2009-06-26 16:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Simmons\Application Data\Mozilla\Firefox\Profiles\ewed76uq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-18 17:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.0.0.136\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.0.0.136\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(3336)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\msdtc.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\combofix\CF27710.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehRecvr.exe
.
**************************************************************************
.
Completion time: 2009-10-18 17:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-18 16:18
ComboFix2.txt 2009-10-11 17:23

Pre-Run: 222,228,176,896 bytes free
Post-Run: 222,172,684,288 bytes free

244 --- E O F --- 2009-10-17 21:56


----------



## emeraldnzl (Nov 3, 2007)

Hello Resu,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the quotebox below into it:



> KillAll::
> 
> SRPEEK::
> c:\windows\system32\mspmsnsv.dll
> c:\windows\system32\eventlog.dll


Save this as *CFScript.txt*, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at *C:\ComboFix.txt*. Please post that here for further review.

*Next*

You may have used Malwarebytes before. If you have, and still have it on your machine, please update and run. Post the scan report back here.

If you do not have Malwarebytes please download from *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.
Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.*

*So when you return please post*
ComboFix.txt
MBAM report


----------



## Resu (Oct 4, 2009)

Oh this is just winding me up.

Can't we arrange a remote desktop connection session on LogMeIn?


----------



## emeraldnzl (Nov 3, 2007)

Hello Resu,



> Can't we arrange a remote desktop connection session on LogMeIn?


No not really.

What is the problem?

That CF script I asked you to run is just having a look in System Restore to see if we can find copies of the files we want.

One is missing and one is corrupt.

Without a Windows CD to replace them this is one place we might find copies.

Other than that we could try uninstalling SP3 and reinstalling.

In the end though I guess it's a matter of whether your computer is working OK for you even without those files.

The MBAM scan is a check to make sure we aren't missing anything bad that it looks for.

There is one other scan we need to do for the same reason but I was leaving that until after we have (hopefully) replaced those files.
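
Added example, not part of emeraldnzl's instructions or of ComboFix: the two posts above have the CFScript search System Restore for copies of mspmsnsv.dll and eventlog.dll because one is missing and one is corrupt. The dialog in the thread title is what Windows shows for STATUS_INVALID_IMAGE_FORMAT (0xC000007B), which the loader raises when an image lacks its MZ/PE headers, is truncated, or was built for a different architecture. The Python below performs that header validation so a candidate copy (from System Restore or anywhere else) can be checked before it is dropped into system32, and reports a missing file explicitly. It goes slightly beyond the thread by also flagging an x64 image on an x86 system. The byte-string samples are constructed for the example; the paths in the usage block are the two named in the CFScript, and the constants are the winnt.h definitions.

```python
import struct
from pathlib import Path

# Constants from the PE/COFF specification (winnt.h names).
IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
E_LFANEW_OFFSET = 0x3C          # offset of e_lfanew inside IMAGE_DOS_HEADER
DOS_HEADER_SIZE = 64
FILE_HEADER_FMT = "<HHIIIHH"    # IMAGE_FILE_HEADER, 20 bytes, little-endian
FILE_HEADER_SIZE = struct.calcsize(FILE_HEADER_FMT)


def check_pe_image(data: bytes, expect_machine: int = IMAGE_FILE_MACHINE_I386):
    """Return (ok, reason) for a candidate image.

    ok is False whenever the loader would refuse the file with
    STATUS_INVALID_IMAGE_FORMAT (0xC000007B), the code behind the
    "not a valid Windows image" dialog. expect_machine defaults to x86,
    the platform in this thread (Windows XP SP3, WinNT 5.01).
    """
    if len(data) < DOS_HEADER_SIZE:
        return False, "file shorter than a DOS header"
    if data[:2] != IMAGE_DOS_SIGNATURE:
        return False, "missing MZ signature"
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if e_lfanew + 4 + FILE_HEADER_SIZE > len(data):
        return False, "e_lfanew points past the end of the file"
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return False, "missing PE signature at e_lfanew"
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from(
        FILE_HEADER_FMT, data, e_lfanew + 4)
    if machine != expect_machine:
        return False, f"machine 0x{machine:04X}, expected 0x{expect_machine:04X}"
    if opt_size == 0 or n_sections == 0:
        return False, "no optional header or no sections"
    return True, "header structure is valid"


def check_files(paths, expect_machine=IMAGE_FILE_MACHINE_I386):
    """Map each path to (ok, reason). A missing file is reported rather than
    skipped, because a missing system DLL produces the same dialog as a corrupt one."""
    results = {}
    for p in paths:
        path = Path(p)
        if not path.is_file():
            results[p] = (False, "file missing")
            continue
        results[p] = check_pe_image(path.read_bytes(), expect_machine)
    return results


def build_sample_header(machine=IMAGE_FILE_MACHINE_I386, e_lfanew=DOS_HEADER_SIZE):
    """Constructed test input: the smallest byte string that passes the checks
    above (DOS header + PE signature + file header; no sections, no code)."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    # NumberOfSections=1, SizeOfOptionalHeader=224 (PE32),
    # Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE|DLL
    file_hdr = struct.pack(FILE_HEADER_FMT, machine, 1, 0, 0, 0, 224, 0x2102)
    return bytes(dos) + IMAGE_NT_SIGNATURE + file_hdr


# Constructed samples standing in for copies of the DLLs named in the CFScript.
SAMPLES = {
    "intact": build_sample_header(),
    "pe_signature_overwritten": build_sample_header().replace(IMAGE_NT_SIGNATURE, b"\0\0\0\0"),
    "truncated": build_sample_header()[:DOS_HEADER_SIZE + 10],
    "wrong_arch_x64": build_sample_header(machine=IMAGE_FILE_MACHINE_AMD64),
    "not_a_pe": b"This is a text file, not a DLL\n" + bytes(64),
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:26s} {check_pe_image(blob)}")
    # On the affected machine, point this at the files the CFScript was looking for.
    for path, result in check_files([r"C:\Windows\system32\mspmsnsv.dll",
                                     r"C:\Windows\system32\eventlog.dll"]).items():
        print(f"{path:40s} {result}")
```

A copy that passes these checks is only structurally loadable; it can still be the wrong version or tampered with, so the Authenticode signature and version resource should be compared against a known-good build before it replaces a system file.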


----------



## Resu (Oct 4, 2009)

Hey. I can't be arsed really.

Sorry, Thanks though. :/


----------



## emeraldnzl (Nov 3, 2007)

Thanks for telling us.


----------

