Hjt Log And Rootkit Log


1 reply to this topic

#1 soundbyte (Members, 1 posts)

Posted 26 February 2008 - 02:12 PM

I've been getting extreme internet connection slowdowns. They seem to be linked to a bombardment of incoming events to several ports, especially 26799. I've previously run Ad-Aware.

Below is my HJT and Rootkit log. Any suggestions would be appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:47 AM, on 2/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\Explorer.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Mozy\mozybackup.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Macro Express3\MacExp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Henry\Desktop\Download Files\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://indigo.kron.com/exchange/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ita.sel.sony.com/support/pc/vai...noupdates.shtml
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand201013011.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [MPFEXE] "C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Macro Express 3.lnk = C:\Program Files\Macro Express3\MacExp.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Passcards - {45DB34C3-955C-11D3-ABEF-444553540001} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O9 - Extra 'Tools' menuitem: Passcards Editor - {45DB34C3-955C-11D3-ABEF-444553540001} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/support/pops/mdldetect/VaioInfo.CAB
O16 - DPF: {127CE7BA-AD89-4108-A913-C52EFC037C36} (OMN Player Support (version 1,0,0,8)) - http://kdx.omn.org/securedelivery/omn/PlayerSupport.cab
O16 - DPF: {15F98A00-6250-11D7-873C-000AE611C760} (TicketCtrl Class) - https://a248.e.akamai.net/7/248/528/efax_v3.../TicketReg2.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2776DDE9-D4B2-4BF7-9F98-ADC1A1B80AF5} (OMN Media Publisher) - http://kdx.omn.org/securedelivery/omn/MediaPublisher.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.5.1.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1122689717290
O16 - DPF: {701DC9DC-ACD5-4E94-85E3-F3F1ED68611A} (CWebClientCtl Object) - http://download.paltalk.com/webclient_prod...ebclientctl.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {81296632-05C2-4A99-8271-77EBCFE7844A} (NPEVPCFG.UserControl1) - http://www.voicetovideo.net/confighelp/NPEVPCFG.CAB
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www24.wirelesssync.vzw.com/en/SyncInstall.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE54} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://pc.mywebexpc.com/client/v_mywebex-aa/ra/ieatgpc.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax3209.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: GoToAssist - C:\WINDOWS\
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\Mozy\mozybackup.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 15379 bytes

================================


McAfee® Rootkit Detective 1.1 scan report
On 26-02-2008 at 10:04:27
OS-Version 5.1.2600
Service Pack 2.0
====================================

Object-Type: SSDT-hook
Object-Name: ZwCreateKey
Object-Path: C:\WINDOWS\system32\drivers\sptd.sys

Object-Type: SSDT-hook
Object-Name: ZwEnumerateKey
Object-Path: C:\WINDOWS\system32\drivers\sptd.sys

Object-Type: SSDT-hook
Object-Name: ZwEnumerateValueKey
Object-Path: C:\WINDOWS\system32\drivers\sptd.sys

Object-Type: SSDT-hook
Object-Name: ZwOpenKey
Object-Path: C:\WINDOWS\system32\drivers\sptd.sys

Object-Type: SSDT-hook
Object-Name: ZwQueryKey
Object-Path: C:\WINDOWS\system32\drivers\sptd.sys

Object-Type: SSDT-hook
Object-Name: ZwQueryValueKey
Object-Path: C:\WINDOWS\system32\drivers\sptd.sys

Object-Type: SSDT-hook
Object-Name: ZwSetValueKey
Object-Path: C:\WINDOWS\system32\drivers\sptd.sys

Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_SYSTEM_CONTROL
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_POWER
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_CLEANUP
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_SHUTDOWN
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_INTERNAL_DEVICE_CONTROL
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_DEVICE_CONTROL
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_FLUSH_BUFFERS
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_WRITE
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_READ
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_CREATE
Object-Path:

Object-Type: Registry-key
Object-Name: 000a3a6f74faE
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000a3a6f74fa
Status: Hidden

Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg
Status: Unable to access registry key

Object-Type: Registry-value
Object-Name: s1
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg
Status: Hidden

Object-Type: Registry-value
Object-Name: s2
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg
Status: Hidden

Object-Type: Registry-value
Object-Name: g0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg
Status: Hidden

Object-Type: Registry-key
Object-Name: 000a3a6f74faolSet002\Services\sptd\Cfg
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\000a3a6f74fa
Status: Hidden

Object-Type: Registry-key
Object-Name: 000a3a6f74faolSet004\Services\BTHPORT\Parameters\Keys\000a3a6f74fa
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000a3a6f74fa
Status: Hidden

Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg
Status: Unable to access registry key

Object-Type: Registry-value
Object-Name: s1
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg
Status: Hidden

Object-Type: Registry-value
Object-Name: s2
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg
Status: Hidden

Object-Type: Registry-value
Object-Name: g0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg
Status: Hidden

Object-Type: Registry-value
Object-Name: LastDateDay
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Acronis\Scheduler
Status: Hidden

Object-Type: Registry-value
Object-Name: LastDateMonth
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Acronis\Scheduler
Status: Hidden

Object-Type: Registry-value
Object-Name: LastDateYear
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Acronis\Scheduler
Status: Hidden

Object-Type: Registry-value
Object-Name: LastTimeSecond
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Acronis\Scheduler
Status: Hidden

Object-Type: Registry-value
Object-Name: LastTimeMinute
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Acronis\Scheduler
Status: Hidden

Object-Type: Registry-value
Object-Name: LastTimeHour
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Acronis\Scheduler
Status: Hidden

Object-Type: Registry-value
Object-Name: ThreadingModel
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5645C8C2-E277-11CF-8FDA-00AA00A14F93}\InprocServer32
Status: Registy value-data mismatch

Object-Type: Registry-key
Object-Name: DataWARE\Classes\CLSID\{5645C8C2-E277-11CF-8FDA-00AA00A14F93}\InprocServer32
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data
Status: Hidden

Object-Type: Registry-key
Object-Name: a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771 System Provider\*Local Machine*\Data
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Status: Hidden

Object-Type: Registry-key
Object-Name: 00000000-0000-0000-0000-000000000000 System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
Status: Hidden

Object-Type: Registry-key
Object-Name: {6340E680-FF06-435f-8767-B79D88AEBD4D}ystem Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}
Status: Hidden

Object-Type: Registry-value
Object-Name: Item Data
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}
Status: Hidden

Object-Type: Registry-value
Object-Name: Display String
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
Status: Hidden

Object-Type: Registry-value
Object-Name: Display String
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Status: Hidden

Object-Type: Registry-key
Object-Name: Data 2RE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2
Status: Hidden

Object-Type: Registry-key
Object-Name: WindowsE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows
Status: Hidden

Object-Type: Registry-value
Object-Name: Value
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows
Status: Hidden

Object-Type: Registry-value
Object-Name: password
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\mozy\userinfo
Status: Hidden

Object-Type: Registry-value
Object-Name: encryption_type
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\mozy\userinfo
Status: Hidden

Object-Type: Process
Object-Name: ehrecvr.exe
Pid: 340
Object-Path: C:\WINDOWS\eHome\ehRecvr.exe
Status: Visible

Object-Type: Process
Object-Name: HPZipm12.exe
Pid: 836
Object-Path: C:\WINDOWS\system32\HPZipm12.exe
Status: Visible

Object-Type: Process
Object-Name: SonicStageMonit
Pid: 2076
Object-Path: C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
Status: Visible

Object-Type: Process
Object-Name: System Idle Process
Pid: 0
Object-Path:
Status: Visible

Object-Type: Process
Object-Name: ehSched.exe
Pid: 372
Object-Path: C:\WINDOWS\eHome\ehSched.exe
Status: Visible

Object-Type: Process
Object-Name: notepad.exe
Pid: 2264
Object-Path: C:\WINDOWS\system32\NOTEPAD.EXE
Status: Visible

Object-Type: Process
Object-Name: IAANTmon.exe
Pid: 716
Object-Path: C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
Status: Visible

Object-Type: Process
Object-Name: Rootkit_Detecti
Pid: 3320
Object-Path: C:\Documents and Settings\Henry\Local Settings\Temp\McafeeRootkitDetective\Rootkit_Detective.exe
Status: Visible

Object-Type: Process
Object-Name: System
Pid: 4
Object-Path:
Status: Visible

Object-Type: Process
Object-Name: sprtsvc.exe
Pid: 2112
Object-Path: C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
Status: Visible

Object-Type: Process
Object-Name: dllhost.exe
Pid: 2856
Object-Path: C:\WINDOWS\system32\dllhost.exe
Status: Visible

Object-Type: Process
Object-Name: wcescomm.exe
Pid: 3972
Object-Path: C:\Program Files\Microsoft ActiveSync\wcescomm.exe
Status: Visible

Object-Type: Process
Object-Name: services.exe
Pid: 936
Object-Path: C:\WINDOWS\system32\services.exe
Status: Visible

Object-Type: Process
Object-Name: NBService.exe
Pid: 1184
Object-Path: C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
Status: Visible

Object-Type: Process
Object-Name: GoogleToolbarNo
Pid: 4036
Object-Path: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
Status: Visible

Object-Type: Process
Object-Name: MacExp.exe
Pid: 2424
Object-Path: C:\Program Files\Macro Express3\MacExp.exe
Status: Visible

Object-Type: File/Folder
Object-Name: catalog.wci
Pid: n/a
Object-Path: C:\System Volume Information\catalog.wci
Status: Hidden

Object-Type: Process
Object-Name: svchost.exe
Pid: 1248
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 256
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: GoogleUpdaterSe
Pid: 504
Object-Path: C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
Status: Visible

Object-Type: Process
Object-Name: McTskshd.exe
Pid: 1496
Object-Path: c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
Status: Visible

Object-Type: Process
Object-Name: MpfService.exe
Pid: 628
Object-Path: C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
Status: Visible

Object-Type: Process
Object-Name: rapimgr.exe
Pid: 1992
Object-Path: C:\PROGRA~1\MICROS~4\rapimgr.exe
Status: Visible

Object-Type: Process
Object-Name: YahooMessenger.
Pid: 2984
Object-Path: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
Status: Visible

Object-Type: Process
Object-Name: mcagent.exe
Pid: 3388
Object-Path: C:\PROGRA~1\mcafee.com\agent\McAgent.exe
Status: Visible

Object-Type: Process
Object-Name: alg.exe
Pid: 3512
Object-Path: C:\WINDOWS\System32\alg.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 320
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: MpfAgent.exe
Pid: 1808
Object-Path: C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 664
Object-Path: C:\WINDOWS\System32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: mozybackup.exe
Pid: 2028
Object-Path: C:\Program Files\Mozy\mozybackup.exe
Status: Visible

Object-Type: Process
Object-Name: explorer.exe
Pid: 728
Object-Path: C:\WINDOWS\Explorer.EXE
Status: Visible

Object-Type: Process
Object-Name: HiJackThis.exe
Pid: 2836
Object-Path: C:\Documents and Settings\Henry\Desktop\Download Files\HiJackThis.exe
Status: Visible

Object-Type: Process
Object-Name: LBTServ.exe
Pid: 1444
Object-Path: C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
Status: Visible

Object-Type: Process
Object-Name: FolderSizeSvc.e
Pid: 452
Object-Path: C:\Program Files\FolderSize\FolderSizeSvc.exe
Status: Visible

Object-Type: Process
Object-Name: Mcdetect.exe
Pid: 1320
Object-Path: c:\program files\mcafee.com\agent\mcdetect.exe
Status: Visible

Object-Type: Process
Object-Name: MpfTray.exe
Pid: 3428
Object-Path: C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe
Status: Visible

Object-Type: Process
Object-Name: iTunesHelper.ex
Pid: 3552
Object-Path: C:\Program Files\iTunes\iTunesHelper.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 1476
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: firefox.exe
Pid: 3212
Object-Path: C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
Status: Visible

Object-Type: Process
Object-Name: winlogon.exe
Pid: 888
Object-Path: C:\WINDOWS\system32\winlogon.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 1136
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: spoolsv.exe
Pid: 1880
Object-Path: C:\WINDOWS\system32\spoolsv.exe
Status: Visible

Object-Type: Process
Object-Name: AppleMobileDevi
Pid: 268
Object-Path: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 2128
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: mcvsshld.exe
Pid: 1664
Object-Path: c:\program files\mcafee.com\vso\mcvsshld.exe
Status: Visible

Object-Type: Process
Object-Name: SetPoint.exe
Pid: 3928
Object-Path: C:\Program Files\Logitech\SetPoint\SetPoint.exe
Status: Visible

Object-Type: Process
Object-Name: csrss.exe
Pid: 860
Object-Path: C:\WINDOWS\system32\csrss.exe
Status: Visible

Object-Type: Process
Object-Name: ati2evxx.exe
Pid: 1108
Object-Path: C:\WINDOWS\system32\Ati2evxx.exe
Status: Visible

Object-Type: Process
Object-Name: wmiapsrv.exe
Pid: 2224
Object-Path: C:\WINDOWS\system32\wbem\wmiapsrv.exe
Status: Visible

Object-Type: Process
Object-Name: iPodService.exe
Pid: 2720
Object-Path: C:\Program Files\iPod\bin\iPodService.exe
Status: Visible

Object-Type: Process
Object-Name: KHALMNPR.exe
Pid: 4084
Object-Path: C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
Status: Visible

Object-Type: Process
Object-Name: lsass.exe
Pid: 956
Object-Path: C:\WINDOWS\system32\lsass.exe
Status: Visible

Object-Type: Process
Object-Name: procexp.exe
Pid: 1948
Object-Path: C:\DOCUMENTS AND SETTINGS\HENRY\LOCAL SETTINGS\TEMP\PROCESSEXPLORER\PROCEXP.EXE
Status: Visible

Object-Type: Process
Object-Name: smss.exe
Pid: 740
Object-Path: C:\WINDOWS\System32\smss.exe
Status: Visible

Object-Type: Process
Object-Name: McShield.exe
Pid: 1360
Object-Path: c:\PROGRA~1\mcafee.com\vso\mcshield.exe
Status: Visible

Object-Type: Process
Object-Name: oasclnt.exe
Pid: 1608
Object-Path: c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 1392
Object-Path: C:\WINDOWS\System32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: McVSEscn.exe
Pid: 2044
Object-Path: c:\progra~1\mcafee.com\vso\mcvsescn.exe
Status: Visible

Object-Type: Process
Object-Name: revouninstaller
Pid: 2540
Object-Path: C:\Program Files\VS Revo Group\Revo Uninstaller\revouninstaller.exe
Status: Visible

Object-Type: Process
Object-Name: OUTLOOK.EXE
Pid: 3656
Object-Path: C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
Status: Visible

Scan complete. Found hidden Processes and Files: 1 .
Total files scanned: 206752

Edited by soundbyte, 26 February 2008 - 02:36 PM.
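Added example, not part of soundbyte's post and not code from HijackThis or Rootkit Detective: a small Python triage script for the two report formats above. It assumes the Rootkit Detective layout is blank-line-separated records of "Key: value" lines, as quoted, and it works around one quirk visible in the report: on Registry-key records the Object-Name field is overrun with residue from an earlier, longer name (for example "000a3a6f74faolSet002\Services\sptd\Cfg"), so the key name is taken from the last component of Object-Path instead. The sample inputs are constructed from lines in the post. Grouping the hooks by owner shows at once that every SSDT hook in the report belongs to a single image, sptd.sys, and that the hidden s1/s2/g0 values sit under that driver's own Services\sptd\Cfg key; sptd.sys is the SCSI Pass Through Direct driver bundled with disc-emulation software such as Daemon Tools and Alcohol 120%, and hooking the registry services to guard its configuration is its normal behaviour. The HijackThis flags are hygiene hints (a registration whose file is gone, a service with no publisher string, a Winlogon Notify entry whose path is a bare directory), not malware verdicts, and nothing in either log accounts for the port 26799 traffic by itself.

```python
"""Triage helpers for the two reports posted above (HijackThis 2.0.2 and McAfee
Rootkit Detective 1.1). Added example, not code from the post or either tool; the
record layouts are inferred from the quoted reports and the samples are constructed."""
import re
from collections import Counter, defaultdict

# Constructed Rootkit Detective sample: blank-line separated records of "Key: value"
# lines. The Registry-key record keeps the report's quirk of an overrun Object-Name.
RKD_SAMPLE = r"""Object-Type: SSDT-hook
Object-Name: ZwCreateKey
Object-Path: C:\WINDOWS\system32\drivers\sptd.sys

Object-Type: SSDT-hook
Object-Name: ZwEnumerateKey
Object-Path: C:\WINDOWS\system32\drivers\sptd.sys

Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_READ
Object-Path:

Object-Type: Registry-key
Object-Name: 000a3a6f74faolSet002\Services\sptd\Cfg
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\000a3a6f74fa
Status: Hidden

Object-Type: Registry-value
Object-Name: s1
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg
Status: Hidden
"""

def parse_rkd(text):
    """Split the report into records, each a dict of its 'Key: value' lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def key_name(rec):
    """Registry-key Object-Name is overrun in this report, so use the last path part."""
    if rec.get("Object-Type") == "Registry-key":
        return rec["Object-Path"].rsplit("\\", 1)[-1]
    return rec.get("Object-Name", "")

def registry_subtree(path):
    r"""Service under ControlSetNNN\Services, otherwise hive\root\vendor."""
    parts = path.split("\\")
    if len(parts) >= 5 and parts[1].upper() == "SYSTEM" and parts[3].lower() == "services":
        return "\\".join(parts[:5])
    return "\\".join(parts[:3])

def triage_rkd(text):
    """Group findings: SSDT hooks per driver image, IRP hooks per driver object,
    hidden registry keys/values per subtree."""
    summary = {"ssdt_hooks": defaultdict(list), "irp_hooks": defaultdict(list),
               "hidden_registry": Counter()}
    for rec in parse_rkd(text):
        kind = rec.get("Object-Type")
        if kind == "SSDT-hook":
            summary["ssdt_hooks"][rec["Object-Path"] or "<unknown>"].append(rec["Object-Name"])
        elif kind == "IRP-hook":
            driver, _, major = rec["Object-Name"].partition("->")
            summary["irp_hooks"][driver].append(major)
        elif kind in ("Registry-key", "Registry-value") and rec.get("Status") == "Hidden":
            summary["hidden_registry"][registry_subtree(rec["Object-Path"])] += 1
    return summary

# Constructed HijackThis sample built from lines quoted in the post above.
HJT_SAMPLE = r"""O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O20 - Winlogon Notify: GoToAssist - C:\WINDOWS\
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
"""

def flag_hjt(text):
    """(section, reasons, line) for entries worth a second look: triage hints, not
    verdicts. A dangling BHO is usually uninstall residue; a Winlogon Notify or
    service entry naming no real file is what the analyst wants surfaced first."""
    flagged = []
    for line in text.splitlines():
        m = re.match(r"(O\d+|R\d|F\d)\s+-\s+(.*)", line)
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("file missing")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("no publisher")
        if body.rstrip().endswith("\\"):
            reasons.append("path is a directory, not a file")
        if reasons:
            flagged.append((section, ", ".join(reasons), line))
    return flagged
```

To run it over a real scan, read the saved Rootkit Detective report into a string and pass it to triage_rkd, and pass the HijackThis log text to flag_hjt; both return plain data structures rather than printing, so the output can be diffed between a "before" and an "after" scan.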


#2 Blender (Malware Response Team, 2,363 posts, Ontario)

    I will eat your Malware

Posted 05 March 2008 - 11:38 PM

Hi and welcome,

Sorry for delay.

If you still need help please do the following:

Go to Add/Remove Programs and uninstall Copernic Desktop Search, reboot when done and post a fresh HijackThis log here.
Let me know if the Copernic removal went OK and if doing that reduces some of the traffic you are seeing.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware



