[Resolved] Hijack this log. Comres.dll corrupted

  1. #31
divad213 (Junior Member)

    re: [Resolved] Hijack this log. Comres.dll corrupted

    Here is the rootrepeal log file...

    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2009/11/10 04:58
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP2
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xF5390000 Size: 98304 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF7AB7000 Size: 8192 File Visible: No Signed: -
    Status: -

    Name: PCI_PNP9530
    Image Path: \Driver\PCI_PNP9530
    Address: 0x00000000 Size: 0 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xF0BD0000 Size: 49152 File Visible: No Signed: -
    Status: -

    Name: sphq.sys
    Image Path: sphq.sys
    Address: 0xF744E000 Size: 1048576 File Visible: No Signed: -
    Status: -

    Name: sptd
    Image Path: \Driver\sptd
    Address: 0x00000000 Size: 0 File Visible: No Signed: -
    Status: -

    Hidden/Locked Files
    -------------------
    Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine
    Status: Locked to the Windows API!

    Path: C:\WINDOWS\system32\drivers\sfi.dat
    Status: Locked to the Windows API!

    Path: \\?\C:\Program Files\COMODO\COMODO Internet Security\Quarantine\*
    Status: Could not enumerate files with the Windows API (0x00000005)!


    Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\01.tmp
    Status: Invisible to the Windows API!

    Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\01.tmp.info
    Status: Invisible to the Windows API!

    Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\01.tmp1
    Status: Invisible to the Windows API!

    Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\01.tmp1.info
    Status: Invisible to the Windows API!

    Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\dohgym.dll
    Status: Invisible to the Windows API!

    Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\dohgym.dll.info
    Status: Invisible to the Windows API!

    Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\f_00171b
    Status: Invisible to the Windows API!

    Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\f_00171b.info
    Status: Invisible to the Windows API!

    Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\hidec.exe
    Status: Invisible to the Windows API!

    Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\hidec.exe.info
    Status: Invisible to the Windows API!

    Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\iexplore.exe
    Status: Invisible to the Windows API!

    Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\iexplore.exe.info
    Status: Invisible to the Windows API!

    SSDT
    -------------------
    #: 011 Function Name: NtAdjustPrivilegesToken
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ead46

    #: 031 Function Name: NtConnectPort
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ea250

    #: 037 Function Name: NtCreateFile
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ea8ea

    #: 041 Function Name: NtCreateKey
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55eb2c2

    #: 046 Function Name: NtCreatePort
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ea132

    #: 050 Function Name: NtCreateSection
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ec254

    #: 052 Function Name: NtCreateSymbolicLinkObject
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ec52c

    #: 053 Function Name: NtCreateThread
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55e9cf8

    #: 063 Function Name: NtDeleteKey
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55eaf2c

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55eb0dc

    #: 068 Function Name: NtDuplicateObject
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55e9a5a

    #: 071 Function Name: NtEnumerateKey
    Status: Hooked by "sphq.sys" at address 0xf746dca2

    #: 073 Function Name: NtEnumerateValueKey
    Status: Hooked by "sphq.sys" at address 0xf746e030

    #: 097 Function Name: NtLoadDriver
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ebed6

    #: 105 Function Name: NtMakeTemporaryObject
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ea4d4

    #: 116 Function Name: NtOpenFile
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55eab2e

    #: 119 Function Name: NtOpenKey
    Status: Hooked by "sphq.sys" at address 0xf744f0c0

    #: 122 Function Name: NtOpenProcess
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55e978a

    #: 125 Function Name: NtOpenSection
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ea764

    #: 128 Function Name: NtOpenThread
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55e9902

    #: 160 Function Name: NtQueryKey
    Status: Hooked by "sphq.sys" at address 0xf746e108

    #: 177 Function Name: NtQueryValueKey
    Status: Hooked by "sphq.sys" at address 0xf746df88

    #: 192 Function Name: NtRenameKey
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55eb688

    #: 200 Function Name: NtRequestWaitReplyPort
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55eb9f0

    #: 210 Function Name: NtSecureConnectPort
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ebc72

    #: 240 Function Name: NtSetSystemInformation
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ec084

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55eb488

    #: 249 Function Name: NtShutdownSystem
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ea46e

    #: 255 Function Name: NtSystemDebugControl
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ea658

    #: 257 Function Name: NtTerminateProcess
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55e9ffc

    #: 258 Function Name: NtTerminateThread
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55e9eca

    Stealth Objects
    -------------------
    Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
    Process: System Address: 0x857671f8 Size: 121

    Object: Hidden Code [Driver: Udfs؅瑇灭؁ః瑎て, IRP_MJ_CREATE]
    Process: System Address: 0x8408e1f8 Size: 121

    Object: Hidden Code [Driver: Udfs؅瑇灭؁ః瑎て, IRP_MJ_CLOSE]
    Process: System Address: 0x8408e1f8 Size: 121

    Object: Hidden Code [Driver: Udfs؅瑇灭؁ః瑎て, IRP_MJ_READ]
    Process: System Address: 0x8408e1f8 Size: 121

    Object: Hidden Code [Driver: Udfs؅瑇灭؁ః瑎て, IRP_MJ_WRITE]
    Process: System Address: 0x8408e1f8 Size: 121

    Object: Hidden Code [Driver: Udfs؅瑇灭؁ః瑎て, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x8408e1f8 Size: 121

    Object: Hidden Code [Driver: Udfs؅瑇灭؁ః瑎て, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x8408e1f8 Size: 121

    Object: Hidden Code [Driver: Udfs؅瑇灭؁ః瑎て, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x8408e1f8 Size: 121

    Object: Hidden Code [Driver: Udfs؅瑇灭؁ః瑎て, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x8408e1f8 Size: 121

    Object: Hidden Code [Driver: Udfs؅瑇灭؁ః瑎て, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x8408e1f8 Size: 121

    Object: Hidden Code [Driver: Udfs؅瑇灭؁ః瑎て, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x8408e1f8 Size: 121

    Object: Hidden Code [Driver: Udfs؅瑇灭؁ః瑎て, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x8408e1f8 Size: 121

    Object: Hidden Code [Driver: Udfs؅瑇灭؁ః瑎て, IRP_MJ_CLEANUP]
    Process: System Address: 0x8408e1f8 Size: 121

    Object: Hidden Code [Driver: Udfs؅瑇灭؁ః瑎て, IRP_MJ_PNP]
    Process: System Address: 0x8408e1f8 Size: 121

    Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
    Process: System Address: 0x857681f8 Size: 121

    Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
    Process: System Address: 0x857681f8 Size: 121

    Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x857681f8 Size: 121

    Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x857681f8 Size: 121

    Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
    Process: System Address: 0x857681f8 Size: 121

    Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x857681f8 Size: 121

    Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
    Process: System Address: 0x857681f8 Size: 121

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
    Process: System Address: 0x854fa1f8 Size: 121

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
    Process: System Address: 0x854fa1f8 Size: 121

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
    Process: System Address: 0x854fa1f8 Size: 121

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
    Process: System Address: 0x854fa1f8 Size: 121

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x854fa1f8 Size: 121

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x854fa1f8 Size: 121

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x854fa1f8 Size: 121

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x854fa1f8 Size: 121

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
    Process: System Address: 0x854fa1f8 Size: 121

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x854fa1f8 Size: 121

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
    Process: System Address: 0x854fa1f8 Size: 121

    Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
    Process: System Address: 0x857d81f8 Size: 121

    Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
    Process: System Address: 0x857d81f8 Size: 121

    Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
    Process: System Address: 0x857d81f8 Size: 121

    Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
    Process: System Address: 0x857d81f8 Size: 121

    Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x857d81f8 Size: 121

    Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x857d81f8 Size: 121

    Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x857d81f8 Size: 121

    Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x857d81f8 Size: 121

    Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
    Process: System Address: 0x857d81f8 Size: 121

    Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x857d81f8 Size: 121

    Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
    Process: System Address: 0x857d81f8 Size: 121

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
    Process: System Address: 0x854f31f8 Size: 121

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
    Process: System Address: 0x854f31f8 Size: 121

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x854f31f8 Size: 121

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x854f31f8 Size: 121

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
    Process: System Address: 0x854f31f8 Size: 121

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x854f31f8 Size: 121

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
    Process: System Address: 0x854f31f8 Size: 121

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
    Process: System Address: 0x857691f8 Size: 121

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
    Process: System Address: 0x857691f8 Size: 121

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
    Process: System Address: 0x857691f8 Size: 121

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x857691f8 Size: 121

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x857691f8 Size: 121

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x857691f8 Size: 121

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x857691f8 Size: 121

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
    Process: System Address: 0x857691f8 Size: 121

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
    Process: System Address: 0x857691f8 Size: 121

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x857691f8 Size: 121

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
    Process: System Address: 0x857691f8 Size: 121

    Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
    Process: System Address: 0x853d2500 Size: 121

    Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
    Process: System Address: 0x853d2500 Size: 121

    Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x853d2500 Size: 121

    Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x853d2500 Size: 121

    Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
    Process: System Address: 0x853d2500 Size: 121

    Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
    Process: System Address: 0x853d2500 Size: 121

    Object: Hidden Code [Driver: a7qu1zzv؅扏煓؁ం扏楄, IRP_MJ_CREATE]
    Process: System Address: 0x855431f8 Size: 121

    Object: Hidden Code [Driver: a7qu1zzv؅扏煓؁ం扏楄, IRP_MJ_CLOSE]
    Process: System Address: 0x855431f8 Size: 121

    Object: Hidden Code [Driver: a7qu1zzv؅扏煓؁ం扏楄, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x855431f8 Size: 121

    Object: Hidden Code [Driver: a7qu1zzv؅扏煓؁ం扏楄, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x855431f8 Size: 121

    Object: Hidden Code [Driver: a7qu1zzv؅扏煓؁ం扏楄, IRP_MJ_POWER]
    Process: System Address: 0x855431f8 Size: 121

    Object: Hidden Code [Driver: a7qu1zzv؅扏煓؁ం扏楄, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x855431f8 Size: 121

    Object: Hidden Code [Driver: a7qu1zzv؅扏煓؁ం扏楄, IRP_MJ_PNP]
    Process: System Address: 0x855431f8 Size: 121

    Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
    Process: System Address: 0x855761f8 Size: 121

    Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
    Process: System Address: 0x855761f8 Size: 121

    Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x855761f8 Size: 121

    Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x855761f8 Size: 121

    Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
    Process: System Address: 0x855761f8 Size: 121

    Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x855761f8 Size: 121

    Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
    Process: System Address: 0x855761f8 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
    Process: System Address: 0x853be500 Size: 121

    Object: Hidden Code [Driver: Cdfsࠅ఍敓x, IRP_MJ_CREATE]
    Process: System Address: 0x85397500 Size: 121

    Object: Hidden Code [Driver: Cdfsࠅ఍敓x, IRP_MJ_CLOSE]
    Process: System Address: 0x85397500 Size: 121

    Object: Hidden Code [Driver: Cdfsࠅ఍敓x, IRP_MJ_READ]
    Process: System Address: 0x85397500 Size: 121

    Object: Hidden Code [Driver: Cdfsࠅ఍敓x, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x85397500 Size: 121

    Object: Hidden Code [Driver: Cdfsࠅ఍敓x, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x85397500 Size: 121

    Object: Hidden Code [Driver: Cdfsࠅ఍敓x, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x85397500 Size: 121

    Object: Hidden Code [Driver: Cdfsࠅ఍敓x, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x85397500 Size: 121

    Object: Hidden Code [Driver: Cdfsࠅ఍敓x, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x85397500 Size: 121

    Object: Hidden Code [Driver: Cdfsࠅ఍敓x, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x85397500 Size: 121

    Object: Hidden Code [Driver: Cdfsࠅ఍敓x, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x85397500 Size: 121

    Object: Hidden Code [Driver: Cdfsࠅ఍敓x, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x85397500 Size: 121

    Object: Hidden Code [Driver: Cdfsࠅ఍敓x, IRP_MJ_CLEANUP]
    Process: System Address: 0x85397500 Size: 121

    Object: Hidden Code [Driver: Cdfsࠅ఍敓x, IRP_MJ_PNP]
    Process: System Address: 0x85397500 Size: 121

    Hidden Services
    -------------------
    Service Name: irfdm
    Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

    Service Name: mwdzcxgqu
    Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

    Shadow SSDT
    -------------------
    #: 013 Function Name: NtGdiBitBlt
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ee308

    #: 122 Function Name: NtGdiDeleteObjectApp
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55eea2c

    #: 227 Function Name: NtGdiMaskBlt
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ee43c

    #: 233 Function Name: NtGdiOpenDCW
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ee8ec

    #: 237 Function Name: NtGdiPlgBlt
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ee57c

    #: 292 Function Name: NtGdiStretchBlt
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ee6b0

    #: 310 Function Name: NtUserBlockInput
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ee188

    #: 319 Function Name: NtUserCallHwndParamLock
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ed3da

    #: 383 Function Name: NtUserGetAsyncKeyState
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ede58

    #: 389 Function Name: NtUserGetClipboardData
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ee7ea

    #: 414 Function Name: NtUserGetKeyboardState
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55edbc6

    #: 416 Function Name: NtUserGetKeyState
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55edd08

    #: 460 Function Name: NtUserMessageCall
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ed8aa

    #: 465 Function Name: NtUserMoveWindow
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ed112

    #: 475 Function Name: NtUserPostMessage
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ed55c

    #: 476 Function Name: NtUserPostThreadMessage
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ed708

    #: 491 Function Name: NtUserRegisterRawInputDevices
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55edfa8

    #: 502 Function Name: NtUserSendInput
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55eda6c

    #: 509 Function Name: NtUserSetClipboardViewer
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ee09e

    #: 529 Function Name: NtUserSetParent
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ed282

    #: 549 Function Name: NtUserSetWindowsHookEx
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55eea92

    #: 552 Function Name: NtUserSetWinEventHook
    Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55eecc6

    ==EOF==

    Thanks..

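The RootRepeal log above is mostly a long list of hooks and hidden objects, and the first triage question is which module each hook belongs to and which entries are hidden from the Windows API. The following Python script is an added example, not part of the original post and not RootRepeal's own code: it parses the log layout shown above (section headers, blank-line-separated "Key: value" records, including lines that carry several fields) and summarises SSDT/Shadow SSDT hooks by hooking module, hidden services, files invisible to the API, and per-driver "Hidden Code" IRP entries. The trusted_hookers set is an assumption: cmdguard.sys is listed because the same log ties it to the installed Comodo product; any other hooking module (sphq.sys here) is reported as unattributed for the analyst to identify. SAMPLE_LOG is a constructed excerpt in the same format as the full log.

```python
import re
from collections import defaultdict

# Constructed excerpt in the RootRepeal 1.3.5 layout seen in the post above.
SAMPLE_LOG = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/11/10 04:58
==================================================

Drivers
-------------------
Name: sphq.sys
Image Path: sphq.sys
Address: 0xF744E000 Size: 1048576 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\dohgym.dll
Status: Invisible to the Windows API!

SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ea8ea

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sphq.sys" at address 0xf746dca2

Stealth Objects
-------------------
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x857681f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x857681f8 Size: 121

Hidden Services
-------------------
Service Name: irfdm
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf55ee308

==EOF==
"""

SECTIONS = ('Drivers', 'Hidden/Locked Files', 'SSDT', 'Stealth Objects',
            'Hidden Services', 'Shadow SSDT')
# Field names that appear in the log; several may share one line.
FIELD_KEYS = ('Image Path', 'Function Name', 'File Visible', 'Service Name',
              'Name', 'Address', 'Size', 'Signed', 'Status', 'Path', 'Object',
              'Process', '#')
FIELD_RE = re.compile(r'(?:^|\s)(' + '|'.join(map(re.escape, FIELD_KEYS)) + r'): ')
HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)')
OBJECT_RE = re.compile(r'\[Driver: (.+?), (IRP_MJ_\w+)\]')


def parse_rootrepeal(text):
    """Split a RootRepeal log into {section: [record, ...]}; each record is a
    dict of the 'Key: value' fields of one blank-line-delimited block."""
    sections, current, record = {}, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:                 # section header starts a new list
            current, record = line, {}
            sections[current] = []
            continue
        if current is None or line.startswith('---') or line == '==EOF==':
            continue                         # banner, underline, end marker
        if not line:                         # blank line closes a record
            if record:
                sections[current].append(record)
                record = {}
            continue
        parts = FIELD_RE.split(line)         # ['', key, value, key, value, ...]
        for key, value in zip(parts[1::2], parts[2::2]):
            record[key] = value.strip()
    if record and current:
        sections[current].append(record)
    return sections


def triage(sections, trusted_hookers=frozenset({'cmdguard.sys'})):
    """Summarise what an analyst reads first. trusted_hookers is an assumption:
    modules already tied to an installed security product; anything else that
    hooks the (Shadow) SSDT is reported as unattributed, not as malicious."""
    hooks = defaultdict(list)
    for sec in ('SSDT', 'Shadow SSDT'):
        for r in sections.get(sec, []):
            m = HOOK_RE.search(r.get('Status', ''))
            if m:
                module = m.group(1).rsplit('\\', 1)[-1].lower()
                hooks[module].append((sec, r['Function Name']))
    stealth = defaultdict(int)               # count of hidden IRP handlers per driver
    for r in sections.get('Stealth Objects', []):
        m = OBJECT_RE.search(r.get('Object', ''))
        if m:
            stealth[m.group(1)] += 1
    return {
        'hooks_by_module': dict(hooks),
        'unattributed_hook_modules': sorted(set(hooks) - set(trusted_hookers)),
        'hidden_services': [(r['Service Name'], r['Image Path'])
                            for r in sections.get('Hidden Services', [])],
        'invisible_files': [r['Path'] for r in sections.get('Hidden/Locked Files', [])
                            if r.get('Status', '').startswith('Invisible')],
        'stealth_irp_hooks_by_driver': dict(stealth),
        'drivers_file_not_visible': [r['Name'] for r in sections.get('Drivers', [])
                                     if r.get('File Visible') == 'No'],
    }


if __name__ == '__main__':
    import json
    print(json.dumps(triage(parse_rootrepeal(SAMPLE_LOG)), indent=2))
```

Run it against a saved RootRepeal report by replacing SAMPLE_LOG with the file's contents; the "unattributed" list and the hidden-service list are the items to research before writing any removal script, since hooks from the installed AV or firewall are expected and removing them breaks the product.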

  2. #32
broni (Senior Member)
    1. Please open Notepad
    • Click Start , then Run
• Type notepad.exe in the Run Box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\dohgym.dll
    c:\windows\soundman.exe
    c:\windows\system32\01.tmp
    
    
    Folder::
    
    Driver::
    irfdm
    mwdzcxgqu
    jpfxpmg
    ylyafz
    batjce
    
    Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"=-
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jpfxpmg]
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ylyafz]
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\irfdm]
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mwdzcxgqu]
    
    
    RegLockDel::

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.

  3. #33
divad213 (Junior Member)
    Here are the new logs..

    ComboFix 09-11-09.01 - Administrator 11/10/2009 18:05.17.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.735 [GMT 8:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
    FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

    FILE ::
    "c:\windows\soundman.exe"
    "c:\windows\system32\01.tmp"
    "c:\windows\system32\dohgym.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\soundman.exe
    c:\windows\system32\dohgym.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_BATJCE
    -------\Legacy_IRFDM
    -------\Legacy_MWDZCXGQU
    -------\Legacy_NDISFLT
    -------\Service_irfdm
    -------\Service_mwdzcxgqu


    ((((((((((((((((((((((((( Files Created from 2009-10-10 to 2009-11-10 )))))))))))))))))))))))))))))))
    .

    2009-11-06 17:17 . 2007-12-26 09:30 1970176 ----a-w- c:\windows\system32\d3dx9.dll
    2009-11-06 17:17 . 2007-12-26 09:30 679936 ----a-w- c:\windows\system32\D3DX81ab.dll
    2009-11-06 17:17 . 2009-11-07 15:43 -------- d-----w- c:\program files\Cheat Engine
    2009-11-05 01:07 . 2009-11-05 01:09 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
    2009-11-04 14:11 . 2009-11-04 14:12 -------- d-----w- c:\program files\Realtek AC97
    2009-11-03 10:28 . 2009-11-09 10:15 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
    2009-11-03 10:23 . 2009-11-03 10:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
    2009-11-03 10:23 . 2009-11-03 10:23 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
    2009-11-03 10:23 . 2009-11-03 10:23 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2009-11-03 10:23 . 2009-11-03 10:23 179792 ----a-w- c:\windows\system32\guard32.dll
    2009-11-03 10:23 . 2009-11-03 10:23 132296 ----a-w- c:\windows\system32\drivers\cmdguard.sys
    2009-11-03 10:23 . 2009-11-03 10:23 -------- d-----w- c:\program files\COMODO
    2009-10-28 11:42 . 2006-02-23 03:39 11264 ----a-r- c:\windows\system32\drivers\xfilt_2.sys
    2009-10-24 14:05 . 2009-10-24 14:05 -------- d-----w- c:\program files\Trend Micro
    2009-10-23 11:29 . 2004-08-04 12:00 792064 ------w- c:\windows\system32\comres.dll
2009-10-22 12:59 . 2009-10-22 12:59 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-10-22 12:58 . 2009-10-22 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-10-22 12:58 . 2009-10-22 12:58 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-10-22 12:58 . 2009-10-22 12:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2009-10-22 12:58 . 2009-10-22 12:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-10-22 12:27 . 2009-10-22 12:27 -------- d-----w- c:\program files\Common Files\Thunder Network
    2009-10-22 12:27 . 2009-10-22 12:27 -------- d-----w- c:\program files\Common Files\Java
    2009-10-21 11:47 . 2009-10-21 11:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
    2009-10-17 16:04 . 2009-10-17 16:06 -------- d-----w- C:\BOXING
    2009-10-14 02:33 . 2009-11-01 12:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
    2009-10-13 11:00 . 2009-10-13 11:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss
    2009-10-13 09:05 . 2005-05-18 02:55 32768 ----a-w- c:\windows\VMZoom.exe
    2009-10-13 09:05 . 2005-05-18 02:54 24576 ----a-w- c:\windows\VMPipe.dll
    2009-10-13 09:05 . 2009-10-13 09:05 -------- d-----w- c:\windows\EffectResources
    2009-10-13 09:05 . 2009-10-13 09:05 -------- d-----w- c:\windows\CatRoot
    2009-10-13 09:05 . 2009-10-13 09:05 -------- d-----w- c:\program files\Vimicro
    2009-10-13 09:05 . 2005-10-27 06:34 390849 ----a-w- c:\windows\system32\drivers\usbVM303.sys
    2009-10-13 09:05 . 2005-10-25 04:56 90112 ----a-w- c:\windows\VM303_STI.EXE
    2009-10-13 09:05 . 2005-05-03 07:51 176128 ----a-w- c:\windows\amcap.exe
    2009-10-13 09:05 . 2005-05-02 08:45 53248 ----a-w- c:\windows\Sti303.exe
    2009-10-13 09:05 . 2005-04-30 10:46 81920 ----a-w- c:\windows\system32\VM303STI.dll
    2009-10-13 09:05 . 2005-04-30 10:46 102400 ----a-w- c:\windows\VM303Cap.exe
    2009-10-13 08:50 . 2004-08-03 15:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-11-10 05:23 . 2009-10-12 15:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
    2009-11-07 09:24 . 2009-10-12 14:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
    2009-11-04 23:52 . 2004-08-04 12:00 368160 ----a-w- c:\windows\system32\dsound.dll.tmp
    2009-11-04 14:12 . 2009-10-12 15:44 -------- d-----w- c:\program files\AvRack
    2009-10-25 11:54 . 2009-10-12 14:40 17848 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-22 12:25 . 2004-08-04 12:00 121856 ----a-w- c:\windows\system32\stobject.dll
    2009-10-22 12:21 . 2009-10-12 15:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
    2009-10-19 23:29 . 2009-10-12 14:31 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-10-19 10:17 . 2009-10-12 15:39 -------- d-----w- c:\program files\Common Files\Adobe
    2009-10-13 09:05 . 2009-10-12 14:43 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-10-13 09:05 . 2009-10-12 14:40 -------- d-----w- c:\program files\Common Files\InstallShield
    2009-10-12 16:26 . 2009-10-12 16:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-10-12 16:25 . 2009-10-12 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-10-12 15:56 . 2009-10-12 15:56 -------- d-----w- c:\program files\Microsoft.NET
    2009-10-12 15:56 . 2009-10-12 15:56 -------- d-----w- c:\program files\Microsoft ActiveSync
    2009-10-12 15:47 . 2009-10-12 15:47 -------- d-----w- c:\program files\DAEMON Tools Lite
    2009-10-12 15:45 . 2009-10-12 15:45 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
    2009-10-12 15:45 . 2009-10-12 15:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\DAEMON Tools
    2009-10-12 15:44 . 2009-10-12 15:44 -------- d-----w- c:\program files\Realtek Sound Manager
    2009-10-12 15:35 . 2009-10-12 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2009-10-12 15:35 . 2009-10-12 15:35 -------- d-----w- c:\program files\Yahoo!
    2009-10-12 15:26 . 2009-10-12 15:26 0 ----a-w- c:\windows\nsreg.dat
    2009-10-12 15:17 . 2009-10-12 15:17 -------- d-----w- c:\program files\Google
    2009-10-12 14:46 . 2009-10-12 14:46 -------- d-----w- c:\program files\S3
    2009-10-12 14:40 . 2009-10-12 14:40 -------- d-----w- c:\program files\VIA
    2009-10-12 14:32 . 2009-10-12 14:32 -------- d-----w- c:\program files\microsoft frontpage
    2009-10-12 14:28 . 2009-10-12 14:28 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2009-09-24 12:16 . 2009-10-12 15:35 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
    2009-09-10 06:54 . 2009-10-12 16:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-10 06:53 . 2009-10-12 16:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    .

    ------- Sigcheck -------

    [-] 2009-03-21 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-04 486856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BigDog303"="c:\windows\VM303_STI.EXE" [2005-10-25 90112]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 07:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=2 (0x2)
    "wscsvc"=2 (0x2)
    "UPS"=3 (0x3)
    "Spooler"=2 (0x2)
    "ImapiService"=3 (0x3)
    "ALG"=3 (0x3)
    "ose"=3 (0x3)
    "cmdAgent"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3961:TCP"= 3961:TCP:bbcckgsb

    R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [10/12/2009 10:42 PM 11264]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [11/3/2009 6:23 PM 132296]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [11/3/2009 6:23 PM 25160]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mbr
    .
    Contents of the 'Scheduled Tasks' folder

    2009-11-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-2147080445-682003330-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-12 15:18]

    2009-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-2147080445-682003330-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-12 15:18]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    TCP: {ACA44DAA-F941-4928-BC6E-22A1D3B1E1CB} = 202.78.97.41 210.4.2.61
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gdaf2k58.default\
    FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: d:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-SoundMan - SOUNDMAN.EXE



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2009-11-10 18:11
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwClose, ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@???????????? ??

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys xfilt.sys ACPI.sys hal.dll >>UNKNOWN [0x857D81F8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\atapi -> 0x857d81f8
    Warning: possible MBR rootkit infection !
    user & kernel MBR OK
    Use "Recovery Console" command "fixmbr" to clear infection !

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(756)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-11-10 18:12 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-11-10 10:12
    ComboFix2.txt 2009-11-09 10:28
    ComboFix3.txt 2009-11-07 01:46
    ComboFix4.txt 2009-11-03 21:14

    Pre-Run: 12,986,638,336 bytes free
    Post-Run: 12,962,385,920 bytes free

    - - End Of File - - 84044F1D147A31CA0C3F616B0618B721


    Hijack this log...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:17:05 PM, on 11/10/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\VM303_STI.EXE
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ACA44DAA-F941-4928-BC6E-22A1D3B1E1CB}: NameServer = 202.78.97.41 210.4.2.61
    O20 - AppInit_DLLs: c:\WINDOWS\system32\guard32.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    --
    End of file - 2476 bytes


    Thanks..

  4. #34
    broni is online now Senior Member
    If you have a Windows CD... (if you don't have a Windows CD, scroll down)

    1. Insert your Windows XP CD into your CD-ROM drive and ensure that your CD-ROM drive is capable of booting the CD.
    2. Once you have booted from CD, do NOT select the option that states: Press F2 to initiate the Automated System Recovery (ASR) tool.
    You’re going to proceed until you see the following screen, at which point you will press the “R” key to enter the recovery console:



    3. After you have selected the appropriate option from step two, you will be prompted to select a valid Windows installation (typically number 1).
    Select the installation number, and hit Enter.
    If there is an administrator password for the administrator account, enter it and hit Enter (if asked for the password, and you don't know it, you're out of luck).
    You will be greeted with this screen, which indicates a recovery console at the ready:



    4. Now at the prompt, type in fixmbr. Your damaged MBR will now be replaced with a new master boot record.

    5. Restart computer.

    6. Re-run Combofix and HJT. Post their logs.


    If you don't have a Windows CD...
    Download the Windows Recovery Console: http://www.thecomputerparamedic.com/files/rc.iso
    Download and install the free ImgBurn: The Official ImgBurn Website
    Using ImgBurn, burn rc.iso to a CD.
    Boot to the CD...let it finish loading.
    When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
    Then, follow instructions from Step #3 above.

  5. #35
    divad213 is offline Junior Member
    I followed the first steps, but after inputting fixmbr it says that if I am not having trouble accessing my drives I should not go on with the process. What should I do?

  6. #36
    broni is online now Senior Member
    Please, go ahead and do it.

  7. #37
    divad213 is offline Junior Member
    Here are the new logfiles after the fixmbr command....

    ComboFix 09-11-09.01 - Administrator 11/12/2009 19:57.18.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.644 [GMT 8:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
    FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NDISFLT


    ((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
    .

    2009-11-06 17:17 . 2007-12-26 09:30 1970176 ----a-w- c:\windows\system32\d3dx9.dll
    2009-11-06 17:17 . 2007-12-26 09:30 679936 ----a-w- c:\windows\system32\D3DX81ab.dll
    2009-11-06 17:17 . 2009-11-07 15:43 -------- d-----w- c:\program files\Cheat Engine
    2009-11-05 01:07 . 2009-11-05 01:09 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
    2009-11-04 14:11 . 2009-11-04 14:12 -------- d-----w- c:\program files\Realtek AC97
    2009-11-03 10:28 . 2009-11-09 10:15 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
    2009-11-03 10:23 . 2009-11-03 10:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
    2009-11-03 10:23 . 2009-11-03 10:23 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
    2009-11-03 10:23 . 2009-11-03 10:23 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2009-11-03 10:23 . 2009-11-03 10:23 179792 ----a-w- c:\windows\system32\guard32.dll
    2009-11-03 10:23 . 2009-11-03 10:23 132296 ----a-w- c:\windows\system32\drivers\cmdguard.sys
    2009-11-03 10:23 . 2009-11-03 10:23 -------- d-----w- c:\program files\COMODO
    2009-10-28 11:42 . 2006-02-23 03:39 11264 ----a-r- c:\windows\system32\drivers\xfilt_2.sys
    2009-10-24 14:05 . 2009-10-24 14:05 -------- d-----w- c:\program files\Trend Micro
    2009-10-23 11:29 . 2004-08-04 12:00 792064 ------w- c:\windows\system32\comres.dll
    2009-10-22 12:59 . 2009-10-22 12:59 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-10-22 12:58 . 2009-10-22 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-10-22 12:58 . 2009-10-22 12:58 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-10-22 12:58 . 2009-10-22 12:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2009-10-22 12:58 . 2009-10-22 12:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-10-22 12:27 . 2009-10-22 12:27 -------- d-----w- c:\program files\Common Files\Thunder Network
    2009-10-22 12:27 . 2009-10-22 12:27 -------- d-----w- c:\program files\Common Files\Java
    2009-10-21 11:47 . 2009-10-21 11:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
    2009-10-17 16:04 . 2009-10-17 16:06 -------- d-----w- C:\BOXING
    2009-10-14 02:33 . 2009-11-11 22:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-11-12 10:00 . 2009-10-12 14:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
    2009-11-12 07:53 . 2009-10-12 15:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
    2009-11-04 23:52 . 2004-08-04 12:00 368160 ----a-w- c:\windows\system32\dsound.dll.tmp
    2009-11-04 14:12 . 2009-10-12 15:44 -------- d-----w- c:\program files\AvRack
    2009-10-25 11:54 . 2009-10-12 14:40 17848 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-22 12:25 . 2004-08-04 12:00 121856 ----a-w- c:\windows\system32\stobject.dll
    2009-10-22 12:21 . 2009-10-12 15:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
    2009-10-19 23:29 . 2009-10-12 14:31 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-10-19 10:17 . 2009-10-12 15:39 -------- d-----w- c:\program files\Common Files\Adobe
    2009-10-13 11:01 . 2009-10-13 11:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss
    2009-10-13 09:05 . 2009-10-12 14:43 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-10-13 09:05 . 2009-10-13 09:05 -------- d-----w- c:\program files\Vimicro
    2009-10-13 09:05 . 2009-10-12 14:40 -------- d-----w- c:\program files\Common Files\InstallShield
    2009-10-12 16:26 . 2009-10-12 16:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-10-12 16:25 . 2009-10-12 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-10-12 15:56 . 2009-10-12 15:56 -------- d-----w- c:\program files\Microsoft.NET
    2009-10-12 15:56 . 2009-10-12 15:56 -------- d-----w- c:\program files\Microsoft ActiveSync
    2009-10-12 15:47 . 2009-10-12 15:47 -------- d-----w- c:\program files\DAEMON Tools Lite
    2009-10-12 15:45 . 2009-10-12 15:45 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
    2009-10-12 15:45 . 2009-10-12 15:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\DAEMON Tools
    2009-10-12 15:44 . 2009-10-12 15:44 -------- d-----w- c:\program files\Realtek Sound Manager
    2009-10-12 15:35 . 2009-10-12 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2009-10-12 15:35 . 2009-10-12 15:35 -------- d-----w- c:\program files\Yahoo!
    2009-10-12 15:26 . 2009-10-12 15:26 0 ----a-w- c:\windows\nsreg.dat
    2009-10-12 15:17 . 2009-10-12 15:17 -------- d-----w- c:\program files\Google
    2009-10-12 14:46 . 2009-10-12 14:46 -------- d-----w- c:\program files\S3
    2009-10-12 14:40 . 2009-10-12 14:40 -------- d-----w- c:\program files\VIA
    2009-10-12 14:32 . 2009-10-12 14:32 -------- d-----w- c:\program files\microsoft frontpage
    2009-10-12 14:28 . 2009-10-12 14:28 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2009-09-24 12:16 . 2009-10-12 15:35 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
    2009-09-10 06:54 . 2009-10-12 16:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-10 06:53 . 2009-10-12 16:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2004-08-04 12:00 . 2004-08-04 12:00 156520 --sha-r- c:\windows\system32\dohgym.dll
    .

    ------- Sigcheck -------

    [-] 2009-03-21 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-04 486856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BigDog303"="c:\windows\VM303_STI.EXE" [2005-10-25 90112]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 07:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=2 (0x2)
    "wscsvc"=2 (0x2)
    "UPS"=3 (0x3)
    "Spooler"=2 (0x2)
    "ImapiService"=3 (0x3)
    "ALG"=3 (0x3)
    "ose"=3 (0x3)
    "cmdAgent"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3961:TCP"= 3961:TCP:bbcckgsb

    R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [10/12/2009 10:42 PM 11264]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [11/3/2009 6:23 PM 132296]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [11/3/2009 6:23 PM 25160]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
    S2 dtnvahwh;Network Config;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 8:00 PM 14336]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mbr

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    dtnvahwh
    .
    Contents of the 'Scheduled Tasks' folder

    2009-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-2147080445-682003330-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-12 15:18]

    2009-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-2147080445-682003330-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-12 15:18]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    TCP: {ACA44DAA-F941-4928-BC6E-22A1D3B1E1CB} = 202.78.97.41 210.4.2.61
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gdaf2k58.default\
    FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: d:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll
    .

    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@???????????? ??

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dtnvahwh]
    "ServiceDll"="c:\windows\system32\dohgym.dll"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(756)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\wdfmgr.exe
    .
    **************************************************************************
    .
    Completion time: 2009-11-12 20:04 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-11-12 12:03
    ComboFix2.txt 2009-11-10 10:12
    ComboFix3.txt 2009-11-09 10:28
    ComboFix4.txt 2009-11-07 01:46
    ComboFix5.txt 2009-11-12 11:56

    Pre-Run: 12,974,604,288 bytes free
    Post-Run: 12,951,506,944 bytes free

    - - End Of File - - 9EE60AFDA14ED381576BF66B79F1A408


    hijack this

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:12:38 PM, on 11/12/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\VM303_STI.EXE
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ACA44DAA-F941-4928-BC6E-22A1D3B1E1CB}: NameServer = 202.78.97.41 210.4.2.61
    O20 - AppInit_DLLs: c:\WINDOWS\system32\guard32.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    --
    End of file - 2322 bytes

    Thanks...

  8. #38
    broni is online now Senior Member
    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\dohgym.dll
    
    
    Folder::
    
    Driver::
    dtnvahwh
    
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dtnvahwh]
    
    RegLockDel::

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




    5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
    • Combofix.txt
    • A new HijackThis log.
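
The CFScript above targets the service dtnvahwh and its ServiceDll dohgym.dll, which stand out in the preceding ComboFix log as an svchost-hosted NetSvcs service with a random-looking name whose DLL carries hidden+system attributes and a 2004 timestamp. The Python triage helper below is an added example, not part of this thread or of ComboFix; it applies those same checks to a few log lines constructed from the values quoted above, and its random-name test is a simple vowel-ratio heuristic (an assumption, not a ComboFix rule) that needs tuning on real logs.

```python
"""Triage helper for ComboFix log excerpts (added example, not ComboFix's own code)."""
import re
from dataclasses import dataclass

# Constructed excerpt: a handful of lines assembled from the logs quoted in this thread.
SAMPLE_LOG = r"""
2009-10-12 15:45 . 2009-10-12 15:45 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2004-08-04 12:00 . 2004-08-04 12:00 156520 --sha-r- c:\windows\system32\dohgym.dll
2009-10-13 09:05 . 2009-10-12 14:43 -------- d--h--w- c:\program files\InstallShield Installation Information
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [11/3/2009 6:23 PM 25160]
S2 dtnvahwh;Network Config;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 8:00 PM 14336]
"3961:TCP"= 3961:TCP:bbcckgsb
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dtnvahwh]
"ServiceDll"="c:\windows\system32\dohgym.dll"
"""

# Line shapes as they appear in ComboFix output (matched against stripped lines).
FILE_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (\S+) ([-\w]{8}) (.+)$")
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+) \[([^\]]+)\]$")
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"= *\d+:(?:TCP|UDP):(\S+)$')
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.IGNORECASE)
SERVICE_DLL_RE = re.compile(r'^"ServiceDll"="([^"]+)"$')
SYSTEM32 = "\\system32\\"


@dataclass
class Finding:
    kind: str      # "file", "service", "port" or "correlation"
    subject: str   # path, service name or port
    reason: str


def looks_random(name: str) -> bool:
    """Heuristic (an assumption, not a ComboFix rule): very few vowels in a name of
    six or more letters suggests a generated name such as dtnvahwh or bbcckgsb."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.2


def triage(text: str) -> list:
    """Return the suspicious entries found in a ComboFix log excerpt."""
    findings = []
    file_attrs = {}           # lower-cased path -> attribute string, e.g. "--sha-r-"
    svchost_services = set()  # names of services hosted by "svchost.exe -k <group>"
    service_dlls = {}         # service name -> ServiceDll path from the registry dump
    current_service = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group(4), m.group(5)
            file_attrs[path.lower()] = attrs
            # A plain file (not a directory) in system32 with both the hidden and
            # the system attribute set is unusual for a legitimate binary.
            if attrs[0] != "d" and "s" in attrs and "h" in attrs and SYSTEM32 in path.lower():
                findings.append(Finding("file", path, f"hidden+system attributes ({attrs}) on a file in system32"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, image = m.group(2), m.group(4)
            if "svchost.exe -k" in image.lower():
                svchost_services.add(name)
                if looks_random(name):
                    findings.append(Finding("service", name, f"svchost-hosted service with a random-looking name: {image}"))
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, rule = m.groups()
            if looks_random(rule):
                findings.append(Finding("port", f"{port}/{proto}", f"globally open port with random-looking rule name {rule}"))
            continue
        m = SERVICE_KEY_RE.match(line)
        if m:
            current_service = m.group(1)
            continue
        m = SERVICE_DLL_RE.match(line)
        if m and current_service:
            service_dlls[current_service] = m.group(1)
    # Correlate: a svchost-hosted service whose ServiceDll is itself a hidden system file.
    for name, dll in service_dlls.items():
        attrs = file_attrs.get(dll.lower(), "")
        if name in svchost_services and "s" in attrs and "h" in attrs:
            findings.append(Finding("correlation", name, f"ServiceDll {dll} is a hidden system file ({attrs})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.reason}")
```

Run against the sample, it reports exactly the two items broni's CFScript removes (the dtnvahwh service and dohgym.dll) plus the bbcckgsb firewall rule, and leaves sptd.sys and the COMODO driver alone.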

  9. #39
    divad213 is offline Junior Member
    New logfiles...

    ComboFix 09-11-09.01 - Administrator 11/13/2009 5:37.19.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.715 [GMT 8:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
    FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    * Created a new restore point

    FILE ::
    "c:\windows\system32\dohgym.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\firmware.inf
    c:\windows\system32\dohgym.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_DTNVAHWH
    -------\Legacy_NDISFLT
    -------\Service_dtnvahwh


    ((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
    .

    2009-11-12 21:29 . 2009-11-12 21:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\COMODO
    2009-11-06 17:17 . 2007-12-26 09:30 1970176 ----a-w- c:\windows\system32\d3dx9.dll
    2009-11-06 17:17 . 2007-12-26 09:30 679936 ----a-w- c:\windows\system32\D3DX81ab.dll
    2009-11-06 17:17 . 2009-11-07 15:43 -------- d-----w- c:\program files\Cheat Engine
    2009-11-05 01:07 . 2009-11-05 01:09 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
    2009-11-04 14:11 . 2009-11-04 14:12 -------- d-----w- c:\program files\Realtek AC97
    2009-11-03 10:28 . 2009-11-09 10:15 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
    2009-11-03 10:23 . 2009-11-03 10:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
    2009-11-03 10:23 . 2009-11-03 10:23 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
    2009-11-03 10:23 . 2009-11-03 10:23 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2009-11-03 10:23 . 2009-11-03 10:23 179792 ----a-w- c:\windows\system32\guard32.dll
    2009-11-03 10:23 . 2009-11-03 10:23 132296 ----a-w- c:\windows\system32\drivers\cmdguard.sys
    2009-11-03 10:23 . 2009-11-03 10:23 -------- d-----w- c:\program files\COMODO
    2009-10-28 11:42 . 2006-02-23 03:39 11264 ----a-r- c:\windows\system32\drivers\xfilt_2.sys
    2009-10-24 14:05 . 2009-10-24 14:05 -------- d-----w- c:\program files\Trend Micro
    2009-10-23 11:29 . 2004-08-04 12:00 792064 ------w- c:\windows\system32\comres.dll
    2009-10-22 12:59 . 2009-10-22 12:59 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-10-22 12:58 . 2009-10-22 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-10-22 12:58 . 2009-10-22 12:58 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-10-22 12:58 . 2009-10-22 12:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2009-10-22 12:58 . 2009-10-22 12:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-10-22 12:27 . 2009-10-22 12:27 -------- d-----w- c:\program files\Common Files\Thunder Network
    2009-10-22 12:27 . 2009-10-22 12:27 -------- d-----w- c:\program files\Common Files\Java
    2009-10-21 11:47 . 2009-10-21 11:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
    2009-10-17 16:04 . 2009-10-17 16:06 -------- d-----w- C:\BOXING
    2009-10-14 02:33 . 2009-11-11 22:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-11-12 10:00 . 2009-10-12 14:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
    2009-11-12 07:53 . 2009-10-12 15:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
    2009-11-04 23:52 . 2004-08-04 12:00 368160 ----a-w- c:\windows\system32\dsound.dll.tmp
    2009-11-04 14:12 . 2009-10-12 15:44 -------- d-----w- c:\program files\AvRack
    2009-10-25 11:54 . 2009-10-12 14:40 17848 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-22 12:25 . 2004-08-04 12:00 121856 ----a-w- c:\windows\system32\stobject.dll
    2009-10-22 12:21 . 2009-10-12 15:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
    2009-10-19 23:29 . 2009-10-12 14:31 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-10-19 10:17 . 2009-10-12 15:39 -------- d-----w- c:\program files\Common Files\Adobe
    2009-10-13 11:01 . 2009-10-13 11:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss
    2009-10-13 09:05 . 2009-10-12 14:43 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-10-13 09:05 . 2009-10-13 09:05 -------- d-----w- c:\program files\Vimicro
    2009-10-13 09:05 . 2009-10-12 14:40 -------- d-----w- c:\program files\Common Files\InstallShield
    2009-10-12 16:26 . 2009-10-12 16:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-10-12 16:25 . 2009-10-12 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-10-12 15:56 . 2009-10-12 15:56 -------- d-----w- c:\program files\Microsoft.NET
    2009-10-12 15:56 . 2009-10-12 15:56 -------- d-----w- c:\program files\Microsoft ActiveSync
    2009-10-12 15:47 . 2009-10-12 15:47 -------- d-----w- c:\program files\DAEMON Tools Lite
    2009-10-12 15:45 . 2009-10-12 15:45 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
    2009-10-12 15:45 . 2009-10-12 15:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\DAEMON Tools
    2009-10-12 15:44 . 2009-10-12 15:44 -------- d-----w- c:\program files\Realtek Sound Manager
    2009-10-12 15:35 . 2009-10-12 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2009-10-12 15:35 . 2009-10-12 15:35 -------- d-----w- c:\program files\Yahoo!
    2009-10-12 15:26 . 2009-10-12 15:26 0 ----a-w- c:\windows\nsreg.dat
    2009-10-12 15:17 . 2009-10-12 15:17 -------- d-----w- c:\program files\Google
    2009-10-12 14:46 . 2009-10-12 14:46 -------- d-----w- c:\program files\S3
    2009-10-12 14:40 . 2009-10-12 14:40 -------- d-----w- c:\program files\VIA
    2009-10-12 14:32 . 2009-10-12 14:32 -------- d-----w- c:\program files\microsoft frontpage
    2009-10-12 14:28 . 2009-10-12 14:28 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2009-09-24 12:16 . 2009-10-12 15:35 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
    2009-09-10 06:54 . 2009-10-12 16:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-10 06:53 . 2009-10-12 16:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    .

    ------- Sigcheck -------

    [-] 2009-03-21 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-04 486856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BigDog303"="c:\windows\VM303_STI.EXE" [2005-10-25 90112]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-11-03 1799952]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 07:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=2 (0x2)
    "wscsvc"=2 (0x2)
    "UPS"=3 (0x3)
    "Spooler"=2 (0x2)
    "ImapiService"=3 (0x3)
    "ALG"=3 (0x3)
    "ose"=3 (0x3)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3961:TCP"= 3961:TCP:bbcckgsb

    R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [10/12/2009 10:42 PM 11264]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [11/3/2009 6:23 PM 132296]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [11/3/2009 6:23 PM 25160]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mbr
    .
    Contents of the 'Scheduled Tasks' folder

    2009-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-2147080445-682003330-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-12 15:18]

    2009-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-2147080445-682003330-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-12 15:18]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    TCP: {ACA44DAA-F941-4928-BC6E-22A1D3B1E1CB} = 202.78.97.41 210.4.2.61
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gdaf2k58.default\
    FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: d:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2009-11-13 05:43
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwClose, ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@???????????? ??

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys xfilt.sys ACPI.sys hal.dll >>UNKNOWN [0x857D81F8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\atapi -> 0x857d81f8
    Warning: possible MBR rootkit infection !
    user & kernel MBR OK
    Use "Recovery Console" command "fixmbr" to clear infection !

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(760)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-11-12 5:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-11-12 21:45
    ComboFix2.txt 2009-11-10 10:12
    ComboFix3.txt 2009-11-09 10:28
    ComboFix4.txt 2009-11-07 01:46
    ComboFix5.txt 2009-11-12 11:56

    Pre-Run: 13,076,979,712 bytes free
    Post-Run: 13,048,061,952 bytes free

    - - End Of File - - 264014DC071884249297B0A2D36C714C

    hijack this...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:03:00 PM, on 11/13/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\VM303_STI.EXE
    C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - AppInit_DLLs: c:\WINDOWS\system32\guard32.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

    --
    End of file - 2320 bytes

    Thanks...

  10. #40
    broni is online now Senior Member
    Uninstall Combofix:
    Go Start > Run
    Type in:
    combofix /u
    Note the space between the "combofix" and the "/u"
    Restart computer.


    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.


    NOTE. During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.


    Post fresh HijackThis log as well.
