Massive Rustock-N infection! No updates, no access to C: drive, No restore!

After opening a file I downloaded, my computer was unable to access the internet (even though the network connection was supposedly fine), it was unable to update my anti-virus or spyware (AVG, Spybot & Ad-Aware), and I am unable to access the C: Drive or the Recovery Drive as well. In addition, the computer frequently crashes, and will only work in Safe Mode. The Internet will only work sporadically in Safe Mode with Networking. Upon visiting one site, it claimed that I was infected with "Rustock-N" and could not allow me to connect to their servers. I detected and removed several major attempted hijackings with Ad-aware, but am still unable to do the things listed above. My anti-virus claims nothing is being detected, although it does register a "change to boot disk". Any help would be much appreciated. I would consider myself an intermediate in computer knowledge.

Re: Massive Rustock-N infection! No updates, no access to C: drive, No restore!

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.

Re: Massive Rustock-N infection! No updates, no access to C: drive, No restore!

So I got the Avenger software and did what you asked, but my computer did not restart properly. After going to the Windows load screen, the computer crashed and rebooted. I went back to Safe Mode with Networking, where I am typing this response. No black box or any such window appeared. Should I attempt this again?

Re: Massive Rustock-N infection! No updates, no access to C: drive, No restore!

Okay, update: I DID get it started in normal mode eventually, and got the file. It said that there was another driver found, and it disabled that driver. I'm going to paste that information here. However, the internet only worked briefly in normal mode, and the C: drive still could not be accessed. Also, the recurring "svchost.exe" error that was occurring in normal mode stopped.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "gaopdxserv.sys" found!
ImagePath: \systemroot\system32\drivers\gaopdxfvkkymix.sys
Driver disabled successfully.

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.

Re: Massive Rustock-N infection! No updates, no access to C: drive, No restore!

Hello.
I know about the C drive error; it's caused by an autorun.inf file.
We have to kill the rootkit first, though.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
gaopdxserv.sys

Files to delete:
C:\WINDOWS\system32\drivers\gaopdxfvkkymix.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

Re: Massive Rustock-N infection! No updates, no access to C: drive, No restore!

Okay, there are still problems with crashing in normal mode. Eventually, however, I was able to restart in Safe Mode with Networking. Here is the Avenger readout, although it looks the same as the last one.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "gaopdxserv.sys" found!
ImagePath: \systemroot\system32\drivers\gaopdxfvkkymix.sys
Driver disabled successfully.

Re: Massive Rustock-N infection! No updates, no access to C: drive, No restore!

In normal mode now; safe mode is crashing, too. A message appears at startup: Windows - No Disk "Exception processing message c00000013 Parameters......"

Here is the Avenger script output:

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "gaopdxserv.sys" found!
ImagePath: \systemroot\system32\drivers\gaopdxfvkkymix.sys
Driver disabled successfully.

Rootkit scan completed.

Driver "gaopdxserv.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\gaopdxfvkkymix.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: Massive Rustock-N infection! No updates, no access to C: drive, No restore!

In normal mode now; safe mode is crashing, too. A message appears at startup: Windows - No Disk "Exception processing message c00000013 Parameters......"

This is caused by something you've got plugged into a USB slot during startup.
USB external hard drive/USB printer cable/USB memory stick/whatever

Unplug them during boot and the error should go away.
See if MBAM will run now.

Re: Massive Rustock-N infection! No updates, no access to C: drive, No restore!

Okay, startup in normal mode successful! Still no access to C: drive, no updates. Internet works sporadically now, as it did in Safe Mode with networking. Desktop appearance has stopped changing. Svchost.exe error has stopped. Sorry for sounding like a noob, but what is MBAM?

Re: Massive Rustock-N infection! No updates, no access to C: drive, No restore!

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

Re: Massive Rustock-N infection! No updates, no access to C: drive, No restore!

Okay, downloaded the software no problem, but I still am not able to update. All other anti-virus and anti-malware software on the computer is also unable to update. The error message for MBAM claims I may need to check my firewall settings, but at the moment my Windows Firewall is off and so is ZoneAlarm.

Re: Massive Rustock-N infection! No updates, no access to C: drive, No restore!

Hmm.
Re-run the Avenger, don't insert a script; instructions are here if needed:
http://www.geekpolice.net/virus-spyware-malware-removal-f11/massive-rustock-n-infection-no-updates-no-access-to-c-drive-no-restore-t7289.htm#44725

Re: Massive Rustock-N infection! No updates, no access to C: drive, No restore!

So, here is what happened. Still unable to update AVG or other programs.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.

Re: Massive Rustock-N infection! No updates, no access to C: drive, No restore!

Okay, let's have a look around.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
    Link 3
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

Re: Massive Rustock-N infection! No updates, no access to C: drive, No restore!

Here are the contents of the DDS.txt file:

DDS (Ver_09-02-01.01) - NTFSx86
Run by John Hursey at 21:59:13.37 on Mon 03/09/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1271.700 [GMT -5:00]

AV: AVG 7.5.557 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\John Hursey\Desktop\dds.com
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechCameraAssistant] c:\program files\logitech\video\CameraAssistant.exe
mRun: [LogitechVideo[inspector]] c:\program files\logitech\video\InstallHelper.exe /inspect
mRun: [LogitechCameraService(E)] c:\windows\system32\ElkCtrl.exe /automation
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
mExplorerRun: [CbXndQ6Zdl] c:\documents and settings\all users.windows\application data\uhozipmp\evwrwxif.exe
StartupFolder: c:\docume~1\johnhu~1\startm~1\programs\startup\memeoa~1.lnk - c:\docume~1\johnhu~1\applic~1\microsoft\installer\{39a908fd-7322-41ae-b374-c7a076b2fc97}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe
StartupFolder: c:\docume~1\johnhu~1\startm~1\programs\startup\memeoa~2.lnk - c:\program files\memeo\autosync\MemeoLauncher.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
TCP: NameServer = 85.255.112.130,85.255.112.184
TCP: {8612A567-092A-4E74-93D8-790D8E125B1B} = 85.255.112.130,85.255.112.184
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\puresp.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SSODL: enadmhlp - {2634C132-BF37-871C-861F-007D13D55A15} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\johnhu~1\applic~1\mozilla\firefox\profiles\erbc6ly5.default\
FF - prefs.js: browser.search.selectedEngine - Answers.com
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\john hursey\application data\mozilla\firefox\profiles\erbc6ly5.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-3-1 42376]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-10-29 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-10-29 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-10-29 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-10-29 10760]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-3-1 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-3-1 81288]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-10-29 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-10-29 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-10-29 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-10-29 4960]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-3-1 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-3-1 1073544]
S0 ufrwncw;ufrwncw;c:\windows\system32\drivers\kynfcmd.sys --> c:\windows\system32\drivers\kynfcmd.sys [?]
S0 wlcirvr;wlcirvr;c:\windows\system32\drivers\sdvrypjv.sys --> c:\windows\system32\drivers\sdvrypjv.sys [?]

=============== Created Last 30 ================

2009-03-07 08:47 --d----- c:\docume~1\johnhu~1\applic~1\Malwarebytes
2009-03-07 08:47 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-07 08:47 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-07 08:47 --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-03-07 08:47 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-06 02:19 34,816 a------- c:\windows\system32\drivers\gaopdxserv.sys
2009-03-04 23:56 85,504 a------- c:\windows\system32\drivers\gaopdxfwkpasxg.sys
2009-03-04 17:19 35,328 a------- c:\windows\system32\drivers\gaopdxtjwqbuhd.sys
2009-03-01 14:41 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-03-01 14:41 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-03-01 14:41 42,376 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-03-01 14:41 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-03-01 14:41 --d----- c:\program files\Spyware Doctor
2009-03-01 14:41 --d----- c:\docume~1\johnhu~1\applic~1\PC Tools
2009-03-01 14:38 --d----- c:\docume~1\johnhu~1\applic~1\GetRightToGo
2009-02-28 10:53 --d----- c:\program files\CCleaner
2009-02-28 09:44 79,872 a------- c:\windows\system32\drivers\gaopdxodovmyqv.sys
2009-02-26 09:49 4 a------- c:\windows\system32\gaopdxcounter
2009-02-26 09:49 285 ---shr-- C:\autorun.inf
2009-02-25 03:10 8,461,312 -c------ c:\windows\system32\dllcache\shell32.dll

==================== Find3M ====================

2009-01-01 04:52 167 a------- c:\documents and settings\john hursey\xrt_log.dat
2008-12-29 21:18 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-22 23:50 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-20 18:56 827,904 a------- c:\windows\system32\wininet.dll
2008-11-16 16:33 27,136 a------- c:\documents and settings\john hursey\xrt_temp1.exe
2008-09-05 13:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat
2008-09-06 14:29 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat
2008-09-07 00:44 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat

============= FINISH: 22:00:42.87 ===============

Re: Massive Rustock-N infection! No updates, no access to C: drive, No restore!

Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

Re: Massive Rustock-N infection! No updates, no access to C: drive, No restore!

And here you go, sir. By the way, I may have mentioned this earlier, but I really appreciate you helping me so far. I wouldn't have made it all the way here without you, so thanks. If you're ever in St. Louis and you want a free meal, come to my restaurant and consider yourself hooked up.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:16:45 PM, on 3/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20978)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKLM\..\Policies\Explorer\Run: [CbXndQ6Zdl] C:\Documents and Settings\All Users.WINDOWS\Application Data\uhozipmp\evwrwxif.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: Memeo AutoBackup Launcher.lnk = ?
O4 - Startup: Memeo AutoSync Launcher.lnk = C:\Program Files\Memeo\AutoSync\MemeoLauncher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8612A567-092A-4E74-93D8-790D8E125B1B}: NameServer = 85.255.112.130,85.255.112.184
O17 - HKLM\System\CS8\Services\Tcpip\Parameters: NameServer = 85.255.112.130,85.255.112.184
O17 - HKLM\System\CS9\Services\Tcpip\Parameters: NameServer = 85.255.112.130,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.130,85.255.112.184
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O21 - SSODL: enadmhlp - {2634C132-BF37-871C-861F-007D13D55A15} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 9525 bytes

Re: Massive Rustock-N infection! No updates, no access to C: dr
Hello.
There are a few things to do here.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O4 - HKLM\..\Policies\Explorer\Run: [CbXndQ6Zdl] C:\Documents and Settings\All Users.WINDOWS\Application Data\uhozipmp\evwrwxif.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8612A567-092A-4E74-93D8-790D8E125B1B}: NameServer = 85.255.112.130,85.255.112.184
    O17 - HKLM\System\CS8\Services\Tcpip\Parameters: NameServer = 85.255.112.130,85.255.112.184
    O17 - HKLM\System\CS9\Services\Tcpip\Parameters: NameServer = 85.255.112.130,85.255.112.184
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.130,85.255.112.184
    O21 - SSODL: enadmhlp - {2634C132-BF37-871C-861F-007D13D55A15} - (no file)


  • Press "Fix Checked"
  • Close Hijack This.

Now let's remove leftovers.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to disable:
ufrwncw
wlcirvr

Drivers to delete:
ufrwncw
wlcirvr

Files to delete:
c:\windows\system32\drivers\kynfcmd.sys
c:\windows\system32\drivers\sdvrypjv.sys
c:\windows\system32\drivers\gaopdxserv.sys
c:\windows\system32\drivers\gaopdxfwkpasxg.sys
c:\windows\system32\drivers\gaopdxtjwqbuhd.sys
c:\windows\system32\drivers\gaopdxodovmyqv.sys
c:\windows\system32\gaopdxcounter
C:\autorun.inf

Folders to delete:
c:\documents and settings\all users.windows\application data\uhozipmp


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.
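
The entries the helper singles out above (O17 NameServer values pointing at an unfamiliar resolver, an O21 SSODL hook with no file behind it, an O4 policy-run entry launched from Application Data, plus the non-zero SFCDisable value that DDS reports later in the thread) can be screened for mechanically. The script below is an added example, not code from HijackThis, DDS, The Avenger or the helper's post; the EXPECTED_DNS allowlist is an assumption, and the sample log lines are copied from the logs posted in this thread.

```python
"""Triage of HijackThis / DDS log lines for the indicators discussed in this
thread. Added example; not part of HijackThis, DDS, The Avenger or the
helper's posts."""
import ipaddress
import re
from typing import List, Tuple

# Assumption (constructed): the resolvers this network is expected to use.
EXPECTED_DNS = {"192.168.1.1"}

# O17 lines carry the per-interface and global Tcpip NameServer values.
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,\s]+)$")
# O21 SSODL shell-load hook whose DLL no longer exists on disk.
O21_NOFILE_RE = re.compile(
    r"^O21 - SSODL: (?P<name>\S+) - \{[0-9A-Fa-f-]+\} - \(no file\)$")
# O4 entry launched through the Explorer\Run policy key.
O4_POLICY_RE = re.compile(
    r"^O4 - HKLM\\\.\.\\Policies\\Explorer\\Run: \[(?P<key>[^\]]+)\] (?P<path>.+)$",
    re.IGNORECASE)
# Executables living in a data directory instead of Program Files / Windows.
DATA_DIR_RE = re.compile(r"\\application data\\|\\temp\\", re.IGNORECASE)
# DDS renders the Winlogon value as "SFCDisable=-99 (0xffffff9d)".
SFC_RE = re.compile(r"SFCDisable=(?P<val>-?\d+)")


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for the suspicious log lines."""
    findings: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            for server in m.group("servers").split(","):
                try:
                    ip = ipaddress.ip_address(server.strip())
                except ValueError:
                    continue  # not an address; nothing to compare
                if str(ip) not in EXPECTED_DNS:
                    findings.append(("dns-nameserver",
                                     f"{ip} is not an expected resolver"))
            continue
        m = O21_NOFILE_RE.match(line)
        if m:
            findings.append(("ssodl-no-file", m.group("name")))
            continue
        m = O4_POLICY_RE.match(line)
        if m and DATA_DIR_RE.search(m.group("path")):
            findings.append(("policy-run-from-data-dir", m.group("path")))
            continue
        m = SFC_RE.search(line)
        if m and int(m.group("val")) != 0:
            findings.append(("sfc-disabled", m.group("val")))
    return findings


# Sample input copied from the logs in this thread, plus two benign entries
# (an O9 button and an O23 service) that must not be flagged.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Policies\Explorer\Run: [CbXndQ6Zdl] C:\Documents and Settings\All Users.WINDOWS\Application Data\uhozipmp\evwrwxif.exe",
    r"O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{8612A567-092A-4E74-93D8-790D8E125B1B}: NameServer = 85.255.112.130,85.255.112.184",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.130,85.255.112.184",
    r"O21 - SSODL: enadmhlp - {2634C132-BF37-871C-861F-007D13D55A15} - (no file)",
    r"O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
    "mWinlogon: SFCDisable=-99 (0xffffff9d)",
]

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:26} {detail}")
```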

Re: Massive Rustock-N infection! No updates, no access to C: dr
All right, so the computer restarted, I'll put the logfile on to show you what happened. Just from a cursory glance, AVG updated fine and the C: drive is now available. I will be running the MBAM software shortly. Just so I know, what did I just do? Delete drivers? Why?

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "ufrwncw" disabled successfully.
Driver "wlcirvr" disabled successfully.
Driver "ufrwncw" deleted successfully.
Driver "wlcirvr" deleted successfully.

Error: file "c:\windows\system32\drivers\kynfcmd.sys" not found!
Deletion of file "c:\windows\system32\drivers\kynfcmd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\sdvrypjv.sys" not found!
Deletion of file "c:\windows\system32\drivers\sdvrypjv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\drivers\gaopdxserv.sys" deleted successfully.
File "c:\windows\system32\drivers\gaopdxfwkpasxg.sys" deleted successfully.
File "c:\windows\system32\drivers\gaopdxtjwqbuhd.sys" deleted successfully.
File "c:\windows\system32\drivers\gaopdxodovmyqv.sys" deleted successfully.
File "c:\windows\system32\gaopdxcounter" deleted successfully.
File "C:\autorun.inf" deleted successfully.
Folder "c:\documents and settings\all users.windows\application data\uhozipmp" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: Massive Rustock-N infection! No updates, no access to C: dr
Hello.
The drivers deleted were just leftovers; the files from them weren't there.
The rest are more leftovers from the DNS hijacker rootkit.

Please run DDS, I want to check something. Post the new DDS log when done.

Re: Massive Rustock-N infection! No updates, no access to C: dr

Posting the DDS logfile, but also, something I just noticed. I am still unable to access my L: drive, a "My Book" storage device. When I double-clicked on it in "My Computer" it claimed that RECYCLERS were preventing exploring the drive. When I unplugged and re-plugged the USB device, my AVG detected a threat. I healed it, which AVG said was successful, but still can't access the drive.

Here is the DDS logfile:

DDS (Ver_09-02-01.01) - NTFSx86
Run by John Hursey at 15:50:44.04 on Wed 03/11/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1271.540 [GMT -5:00]

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\John Hursey\Desktop\dds.com
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechCameraAssistant] c:\program files\logitech\video\CameraAssistant.exe
mRun: [LogitechVideo[inspector]] c:\program files\logitech\video\InstallHelper.exe /inspect
mRun: [LogitechCameraService(E)] c:\windows\system32\ElkCtrl.exe /automation
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\johnhu~1\startm~1\programs\startup\memeoa~1.lnk - c:\docume~1\johnhu~1\applic~1\microsoft\installer\{39a908fd-7322-41ae-b374-c7a076b2fc97}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe
StartupFolder: c:\docume~1\johnhu~1\startm~1\programs\startup\memeoa~2.lnk - c:\program files\memeo\autosync\MemeoLauncher.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\puresp.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\johnhu~1\applic~1\mozilla\firefox\profiles\erbc6ly5.default\
FF - prefs.js: browser.search.selectedEngine - Answers.com
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\john hursey\application data\mozilla\firefox\profiles\erbc6ly5.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-3-1 42376]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-10-29 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-10-29 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-10-29 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-10-29 10760]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-3-1 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-3-1 81288]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-10-29 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-10-29 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-10-29 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-10-29 4960]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-3-1 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-3-1 1073544]

=============== Created Last 30 ================

2009-03-10 18:15 --d----- c:\program files\Trend Micro
2009-03-07 08:47 --d----- c:\docume~1\johnhu~1\applic~1\Malwarebytes
2009-03-07 08:47 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-07 08:47 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-07 08:47 --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-03-07 08:47 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-01 14:41 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-03-01 14:41 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-03-01 14:41 42,376 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-03-01 14:41 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-03-01 14:41 --d----- c:\program files\Spyware Doctor
2009-03-01 14:41 --d----- c:\docume~1\johnhu~1\applic~1\PC Tools
2009-03-01 14:38 --d----- c:\docume~1\johnhu~1\applic~1\GetRightToGo
2009-02-28 10:53 --d----- c:\program files\CCleaner
2009-02-25 03:10 8,461,312 -c------ c:\windows\system32\dllcache\shell32.dll

==================== Find3M ====================

2009-01-01 04:52 167 a------- c:\documents and settings\john hursey\xrt_log.dat
2008-12-29 21:18 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-22 23:50 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-20 18:56 827,904 a------- c:\windows\system32\wininet.dll
2008-11-16 16:33 27,136 a------- c:\documents and settings\john hursey\xrt_temp1.exe
2008-09-05 13:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat
2008-09-06 14:29 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat
2008-09-07 00:44 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat

============= FINISH: 15:52:31.12 ===============

Re: Massive Rustock-N infection! No updates, no access to C: dr

Hello.
Plug in the L:\ removable drive again, because there's a leftover autorun.inf.
When you plug it in, hold down the Shift key on your keyboard; this should bypass the autorun and it won't set off AVG. DO NOT open the drive.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    L:\autorun.inf

    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "SFCDisable"=-


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Re: Massive Rustock-N infection! No updates, no access to C: dr

Here are the results. I was not asked to reboot. Still cannot access My Book.
========== FILES ==========
L:\autorun.inf moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\SFCDisable deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03112009_163137

Re: Massive Rustock-N infection! No updates, no access to C: dr

Hmm.
Let's try something this way.
  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Show hidden files and folders.
  6. Uncheck (untick) Hide extensions of known file types.
  7. Uncheck (untick) Hide protected operating system files (Recommended).
  8. Click Yes when prompted.
  9. Click OK.

Now go back to the main "My Computer" window, RIGHT CLICK drive L:\ > Select "Explore"
Find any autorun.ini or autorun.inf and delete them.

Re: Massive Rustock-N infection! No updates, no access to C: dr

Okay, slight problem. After I plugged the USB into the port and held Shift, I got an error message saying something to the effect of data loss error, corruption error, something like that; I don't know because the computer crashed shortly afterward. On restart, there is no My Book device recognized by the computer, and plugging and un-plugging the cord does nothing. No icons, no device found, no *ding* when you take it out of the USB slot. Tried to plug in my iPod to see if THAT would work; it seemed fine. Suggestions?

Re: Massive Rustock-N infection! No updates, no access to C: dr

Could be the damage suffered from the malware infection getting onto the My Book; there's no reason for an autorun.inf to be on any internal or external drive.

Give me a while to think this over and I'll get back to you soon.
